Topic: Why you cannot enter an arbitrary seed in Electrum - page 2. (Read 65015 times)

(screw my claim that I'm not writing again in here )

You're probably joking, but I'm not so sure that "on body safekeeping" is necessarily worse than traditional safekeeping by hiding, or placing things into vaults.

Now I wonder if there's any research into this, how "on body" compares to "hiding" compares to "vaulting"...

You can 3D print a ring and stamp the words inside it, just an idea

@jonald_fyookball

> We should note that when brute forcing seeds, none of the preceding letters are known.

You don't need to /know/ any actual element of the password. The speed up comes from knowing - for English - the conditional probabilities of certain lexical items or characters, so you don't have to run an exhaustive search over all combinations over the dictionary, or rather: you can try the more likely combinations first, then the slightly less likely ones, etc.


> It's like trying to brute force guess all the moves of billions of chess games played between relatively strong engines.

Not really. It's closer to having a slightly better algorithm for finding the optimal move in a chess game than the next best alternative algorithm. Which sounds exactly like something you'd want to use if you plan to win at chess.

---

I said it before, I'm not an expert on password cracking algorithms, and I can't say what speedup to expect in exact numbers. But I know enough about (statistical) language models to say that I'm pretty sure it could make quite a difference if implemented right, and if the assumption is correct that you try to find not a random sequence, but something generated by "English", or "close to English".

Now then, let's see what a quick Google search comes up with...

(1)


from: https://www.trustwave.com/Resources/SpiderLabs-Blog/Hashcat-Per-Position-Markov-Chains/

Which describes (from what I can tell) an application to password cracking of Shannon's insight mentioned above.


(2)


from: http://www.wired.co.uk/news/archive/2013-05/28/password-cracking/page/2

That one is not even based on any underlying "English grammar", but it's the same principle: there's a set of conditional probabilities they can work with given that the sequence hasn't been chosen at random.

In a sense, the "grammar" here is the "grammar of previously discovered passwords".

Super slick, by the way, must admit that.


(3)


from: https://www.ma.rhul.ac.uk/static/techrep/2013/MA-2013-07.pdf on page 38

This one's probably the closest to what I had in mind. Password cracking based on Markov Chains that encode some form of "English knowledge" to guide the search. And, who would have thought, it's faster than brute forcing.

---

Sorry if this comes across as rude, but that was the last message on this topic from me.

I've made the point I believe is the one that needs to be mentioned in the context of this discussion, and that this point itself is not matter of discussion, but a mathematical certainty:

Entropy of English or near English phrases is lower than that of randomly generated sequences.

Now, admittedly, whether you think the above is worth making it more difficult for users to remember their password is a different matter. But that's a 'weighing off' decisions then, between usability and (guaranteed) safety.

And all these things considered, I think that Thomas V found an excellent solution: by default, seed generation is random, because on average, humans suck at coming up with randomness.

If however you have shown that you have a modicum of technical knowledge, you can enter your own seed, and then it's your own responsibility to ensure it is good enough.

Think of it like a "You must be this tall to ride" sign at the entrance of a roller coaster, and even placing a pair of walking stilts next to it.

If you're sure you want to roll your own, you can already do so. I don't see any need to ask Thomas to invite everyone to come up with their own seed, because the likely result is that average seed quality would decrease.

---

(EDIT) One thing, to be clear: I agree with you guys that it's hard, if not impossible, for most people to memorize the random seed. That's why you should probably write it down or print it, and find a way to store it away.

Hell, if your funds warrant that level of security, put it into a sealed envelope and place that one into an insured bank vault. The same principles of storing anything physical of great value applies here, only that in our favor (a) you rarely if ever need to get the item (only to recover your keys), and (b) the item is small, so hiding it or renting some safety box is easier than having to do so for a larger object.

Completely agree on this.
You can try guess my sentence, but you never know if the first 3 words are ok: you will have to go with all the sentences that can be realized anyway. Still huge work.
Also note that my sentence is 140 characters long and INCLUDES PUNCTUATION, thing that the random generated words do not.

But now I throw another dice on the table: HOW LARGE IS THE DICTIONARY USED TO GENERATE THE RANDOM SEED?
Have you thought about a hacker that knows there are maybe 10 or 12 available dictionaries online and uses them to generate his sequence?
Now how QUICK would that be? Or anyway, QUICKER than hacking my sentence, with EXTRA INVENTED WORDS that the commonly used dictionary hasn't, with PUNCTUATION, that the random generated seed doesn't put in for obvious reasons, with CAPS LETTERS, that the random generated seed doesn't put in.

So, is my request so bad after all? I really don't think so.
And as you force the user to learn 12 words, you can force the user to generate a sentence that is SO LONG, contains SUCH CHARACTERS like at least 2 or 3 cap letters, and at least 3 punctuation signs.

I'm still on my position with random seed:
1) very few people will learn the seed by memory.
2) I have very good memory (tested) and IQ over 140, and still I didn't want to waste energy learning that sequence of words.
3) limited dictionary probably easily exploitable by hackers
4) people will write those words down somewhere.
Result: the seed is out of the user's brain.

User defined sentence seed:
1) easier to remember because the user can generate a sentence of his/her will.
2) harder to break: no words from more or less know dictionaries, caps letters, punctuation, invented words.
3) less people will write down the sentence, and even then... it's just a sentence, maybe a sentence on a diary, nobody could spot it if it's well hidden in plain sight.

From Shannon's paper: "This method is based on a study of
the predictability of English; how well can the next letter of a text be predicted
when the preceding N letters are known"

We should note that when brute forcing seeds, none of the preceding letters are known.

Branching out in a tree-like fashion quickly yields too combinations to make use of the predictability
methods you speak of. It's like trying to brute force guess all the moves of billions of chess games
played between relatively strong engines.  Yes, only certain moves make sense,
but the combinations still branch out exponentially.

You might find marginally higher security in choosing a pure random sequence, but
I think the overwhelming factor in having a week seed isn't found in grammatical predictability,
but instead in the simple bad decision of using a previously known combination from
a book, movie, etc.

It's neither "paranoid", nor is the exact POS example I gave, and whether there can be exceptions, important. I just picked it as an example to make the problem more relatable.

To be clear: if your sequence of (dictionary) words is the output of a grammar, it is more predictable than a random sequence of dictionary items. See for example Shannon's classic paper on the entropy of English.

Note that Shannon makes no theoretical assumptions about which grammar underlies English. I'm not an expert in password cracking methods, so I can't give you any hard numbers, but I imagine that an n-gram based method (i.e. the classical SML model) would provide a relevant speed up in the search (under the assumption that the sequence is a grammatically valid sentence of English).

I don't think knowing what part of speech might come next is meaningful here.
Not only are there enough words, but there is also plenty of flexibility in
possible sentence structures. 

For example "I would like" could be followed by a noun ("I would like ice cream")
or something else

("I would like to talk to you")
("I would like two scoops of icecream")
("I would like that")
("I would like nothing more than to smash your face lol")

And the farther you go into the sentence, the less prediction you will have
from the beginning, and since you need the entire phrase, this kind of analysis
means nothing in this context.

Maybe I'm wrong, but I think we are a bit on the paranoic side of the matter now.

You can search a word like Jeenee: if it brings less than N results, you can be sure it will be in the last positions as a tried password term. Or even just passed altogether.
Also, the originality of that phrase doesn't rest on a single word, it's just ONE additional measure of security. The phrase itself is all original, or at least self produced.

Also on your assumption "the next word has to be an adjective or a noun" the paranoic is powerful in you
It's not wrong what you say, but it's a very complex programming matter imho.
I could have put Jeenee, which is a name, following in there, no nouns or adjectives or anything. Or I could have separated the adjectives with commas. Or not, no commas. As you can see there's more options that you think. Screw jumping one in your hacking code, in you can let it search up forever.

But I want to consider another factor, that I think many people forget: time.
How many tries can you do in one second?
I mean, you have the best connection out there, and you try and try and try to hack into one Bitcoin account with false credentials with your hacking routine. How many tries can be done PRACTICALLY?
NOT theorethically. PRACTICALLY.
So don't bring up IBM supercomputers, and imagine a common hacker, with common CPU power, that wants to hack a common person address.

The problem with this is that it's a grammatically well-formed sentence, not a randomly chosen sequence of items. That probably makes it easier for you to remember, but it's also easier to predict what follows next. For example, after "I loved my little ...", the next word has to be an adjective or a noun (phrase), so a search can exclude (or at least, discount) inflected verbs, prepositions, etc.

(EDIT) And the problem with "original" words is that (a) you have no guarantee that they are original, and (b) they constitute a single point of failure, i.e. if the security of your (otherwise not so secure) passphrase rests on the originality of a single word, and you are wrong about it being original, you're screwed.

again, yes, 140 characters is good but many aren't that savvy.
If you think you can convince Thomas to change electrum, go ahead and try

Look:

I loved my little furry Jeenee, got her at the beach in an afternoon of summer 1992. Now Jeenee is no more but my memory for her still lives.

You have a word that was nowhere to be found on internet before (bad spelling from my ex-girlfriend), caps, numbers, punctuation and a total of 140 characters.
What do you think about this?

Just to not let hackers waste time: those sentences have nothing to do with my passphrase

My passphrase is more than 12 words, more than 90 characters, includes punctuation and cannot be found anywhere on the internet and not even on my computer
Oh, and it's not even in english!

You can't compare an alphanumeric string to the set of 12 words automatically generated as a seed: that SURELY is more entropic than any human phrase, but maybe 1 person on 1000 can remember that string. I can remember my fiscal code that is 15 characters, and I could probably learn that string, but I still don't think that's needed.

We are talking about the possibility to let users write their own key phrase.

Btw: I'll be back when my money will be parted

This is an example of password people should use (don't use this example)

JhXb3gDtr8sDBhSmN3Pe5qwKMT3D4DgAqrYEZ8Ngqh5hW97cQEmrKuV3D
(57 character, cryptographically secure, totally random, impossible to guess & bruteforce)


It's called precaution, sure i have less than 15 bitcoins now in my posession, which arent worth alot to go through all the hassle to steal it compared to the security i put in, but one day that 1 bitcoin can be worth 1 million dollar, and then its another story.

I`m thinking ahead in the future.

I just remember some idiot had 1000 bitcoins in the blockchain.info account and he got hacked and lost it all.

There is a saying:  "A fool and his money are soon parted.And it's true."

Listen, I'm more than happy to be wrong (about anything).  And I'm not trying to put any
"obstacles" on your opinion.  Your opinion has been noted.

You do have a good point about the ease of memorization.
However, the devs are unlikely to change their opinion
as far as this:
 

(That's straight from the OP in this thread).
Forcing the users to put caps and numbers and symbols is not sufficient to create Bitcoin level entropy.

Thank you but I'm not such a coder.
So I just make present my opinion here, in the right section of the forum, in hope devs reconsider their choice.

Last but not least, your can FORCE the user to generate a high entropy passphrase.
This already happens on many websites when you make an account, they FORCE you to put caps and numbers and symbols, I'm sure you know it, so I can't understand why you keep on putting false obstacles only to keep saying that my considerations are wrong. It looks you just keep posting because you want to be right at all costs.
Anyway, because HE thought the passphrase, he will better remember it and there are more chances he won't need to store it anywhere.

Electrum is open source.  You can always make your own version with different parameters.
Or you can choose another HD wallet.

I think remembering 12 words is easier than 12 random characters, because you
can paint a mental picture with those words.  If you have "horse battery",
you can remember a horse licking a battery.  Much easier to remember than "hb".

Although human chosen passphrases with high entropy are indeed possible,
most average users do not understand enough about security and high entropy
and thus, many will make the mistake of choosing a low entropy password. 
This is why Electrum doesn't do it.  It wants to be "idiot proof".

Not everyone needs to memorize their seed.  You can write it down
and store it in a secure location.

I honestly don't know if it varies, but I know that I'm not in Rome and my connection always shows up like I'm in Rome.
Anyway, to hack my wallet, a hacker should have got my IP when I made my search at that time (years ago). I since then changed home and internet provider many, MANY times. And even if he's a "friend" and sees my IP now, he only knows part of my passphrase. I have no virus on my computer, no keylogger or anything (of course I may be wrong, but I have always updated antivirus and system, and there's firewall of course).



Anyway, my security is all off topic.

Back on topic.

I can remember EASILY my passphrase, and many people could do that as well.
It's much more difficult to remember random words, especially when those words are all in english and not all the world speaks english.
This leads to people escaping remembering those words and adopting solutions like the ones I explained.
Only security maniacs will store those words in memory at all costs.
Common people have huge difficulties remembering a password of 15 characters 5 minutes after they set it.
I KNOW THIS, because I help all friends and relatives with their fuckin accounts...
So, just to recap, not giving the chance to set up an arbitrary seed doesn't increase security.
Most common users won't store those words in memory.
People will either snapshot the screen (like I did) and send it to their email.
Or print it. Or write those words in email or in a txt document (that can be lost and/or stolen).
ALL these solutions lead to security issues and this means the mandatory random seed doesn't work as wanted, while an arbitrary seed can be better remembered and would probably be used as intended.

Now, this is my opinion, of course, and it may be wrong.
But I suggest then a poll to verify if I'm so wrong, because I may be not that far from reality.

I use computers since I was 11.
I am now 45.
I have antivirus installed since ever and always updated.
I update Windows every week.
People that find keyloggers in their pc are no tech savvy at all, they roam shitty websites and click yes on every window that pops up, then run or install everything.
That's not me.
I'm bold on this: I've never been hacked, and only got a virus in 2001 when internet here was pretty fresh.
I'm nothing special, just a user that uses antivirus and closes all the shit that pop up and install only known source software.
So thank you for your effort, but believe me: nobody is going to enter here.

dang you are paranoid.

but i would disagree that dice rolls aren't reliable.  I think any bias you could find would be far too small to exploit.

No because dice rolls are not reliable source of generating random numbers as the texture that is generated on can lower the cryptographic security of it.

But what I did was to compile random text from 3 different sources , and merged them together in a random but discretionary way and that generated my master private key.