SeenBeanAKAShawnBawn
Posts: 3
Joined: Tue Nov 24, 2015 12:13 pm

So just how insecure is a brainwallet?

Tue Nov 24, 2015 12:40 pm

The debate about brainwallets has been going on for many years now. Obviously, if you make a brainwallet with a short password/seed, it will be compromised quite quickly.

However, I have always been of the opinion that a long enough seed is pretty damn secure.

I just came across this article: http://www.coindesk.com/new-cracking-to ... inwallets/

In it, they state: "When this firepower is applied to ASCII passwords, ones constructed from US keyboard characters, and XKCD passwords, those comprised of four common words, Castellucci suggested a botnet could check every bitcoin address that has ever received funds in a single day."

However, this doesn't sound quite right to me. Although there are more than one million words in the English language, and the Oxford dictionary has 600,000 words, let's be generous and say you use an easy-to-find list of only 300,000 words. If you had a computer guessing 4-word combinations at 150,000 guesses/second, it would take 1.7 billion years to guess every possible combination. Even a botnet of one million machines would take 1700 years. We can even upgrade your botnet to 1.5 million guesses per second and assume the majority of hits will be found within the first half of your guesses, and it will still take 85 years. That's pretty different from checking "every bitcoin address that has ever received funds in a single day."

I know the whole argument about humans being bad at entropy, but what if you used a die or an RNG to generate 4 numbers between 1 and 300,000 and used those to determine your 4 words from the list? It'd be easy for you to remember, and still nearly impossible to brute force. Why are so many people so vocal about brainwallets being unconditionally insecure?

BitcoinXio
Nickel Bitcoiner
Posts: 167
Joined: Mon Sep 21, 2015 4:12 pm

Re: So just how insecure is a brainwallet?

Tue Nov 24, 2015 3:51 pm

This is a very good question, and unfortunately for myself, goes beyond my technical level of expertise to really help much. Part of the issue from my understanding is of course the human element in creating words to remember. But taking humans out, like you said with a purely random phrase, why would it be so easy to crack? Here is the tool the guy from Defcon built which basically brought down brainwallet.org after he released it: https://github.com/ryancdotorg/brainflayer

Chakra74
Nickel Bitcoiner
Posts: 12
Joined: Tue Nov 03, 2015 5:59 am

Re: So just how insecure is a brainwallet?

Tue Nov 24, 2015 4:09 pm

I've often wondered why an approach towards brain wallets wouldn't mimic what they did with BIP 38 when it comes to difficulty. Why couldn't an algorithm be made that takes a full second to decrypt on the fastest of home machines today, and let's say 10 seconds on the average laptop? If your passphrase took 6 orders of magnitude more processing power to decrypt than the current brain wallet systems, wouldn't that vastly decrease the needed entropy of the passwords?

You'd think something like this would be super easy to create and publish, yet no one has done it.

bitcoin
Nickel Bitcoiner
Posts: 13
Joined: Sat Sep 19, 2015 6:30 am

Re: So just how insecure is a brainwallet?

Tue Nov 24, 2015 5:22 pm

I am a strong proponent of brainwallets, and believe that they should not be abandoned just because people use them improperly. If you have a secure enough passphrase, it's virtually impossible to brute force. The brainwallet is an incredibly useful and innovative concept, so we should embrace it.

I created https://brainwallet.io to address some of the concerns with the "traditional" brainwallet that people have been using. It uses the scrypt key derivation function to generate the keys, which is a memory and time-intensive process. Additionally, I have implemented several "salt" fields that you can enter to further strengthen your wallet. The salts are things that are effortless to remember, but add a significant amount of entropy.

Chakra74
Nickel Bitcoiner
Posts: 12
Joined: Tue Nov 03, 2015 5:59 am

Re: So just how insecure is a brainwallet?

Tue Nov 24, 2015 5:54 pm

I checked out your creation at brainwallet.io and I do like what I see, good job. Should I be concerned that this is proprietary, or is the software open source and can be easily saved or recreated?

Brainwallets should almost have a meeting where all of them are upgraded to something similar to this, yet continue to be backward compatible for original users. I guess my biggest concern would be inconsistency and the loss of the ability to decrypt my passphrase if there isn't a standard across all the brainwallets.

Is there a backup plan or system for if this webpage you created disappeared?

bitcoin
Nickel Bitcoiner
Posts: 13
Joined: Sat Sep 19, 2015 6:30 am

Re: So just how insecure is a brainwallet?

Tue Nov 24, 2015 6:22 pm

> I checked out your creation at brainwallet.io and I do like what I see, good job. Should I be concerned that this is proprietary, or is the software open source and can be easily saved or recreated?
>
> Brainwallets should almost have a meeting where all of them are upgraded to something similar to this, yet continue to be backward compatible for original users. I guess my biggest concern would be inconsistency and the loss of the ability to decrypt my passphrase if there isn't a standard across all the brainwallets.
>
> Is there a backup plan or system for if this webpage you created disappeared?
Thanks. Brainwallet.io is open source, and provided as a self-contained, single HTML file that you can download from GitHub in the event that my site goes down. The links are at the bottom of the website.

CryptAxe
Nickel Bitcoiner
Posts: 193
Joined: Sat Nov 14, 2015 7:02 am

Re: So just how insecure is a brainwallet?

Tue Nov 24, 2015 6:45 pm

I think it's probably more likely that you will forget the seed and lose your coins than it is for someone to "guess" it and steal the coins.
CryptAxe.com | bitcoinhivemind.com

BitcoinXio
Nickel Bitcoiner
Posts: 167
Joined: Mon Sep 21, 2015 4:12 pm

Re: So just how insecure is a brainwallet?

Tue Nov 24, 2015 6:57 pm

> I think it's probably more likely that you will forget the seed and lose your coins than it is for someone to "guess" it and steal the coins.
I like this one I just generated on the brainwallet.io site mentioned above:
throughout guess mourn freeze frost search aim flight aunt lot sure annoy
Now all I need is an annoying aunt who died in the cold and this one is a winner!

CryptAxe
Nickel Bitcoiner
Posts: 193
Joined: Sat Nov 14, 2015 7:02 am

Re: So just how insecure is a brainwallet?

Tue Nov 24, 2015 7:01 pm

> > I think it's probably more likely that you will forget the seed and lose your coins than it is for someone to "guess" it and steal the coins.
> I like this one I just generated on the brainwallet.io site mentioned above:
> throughout guess mourn freeze frost search aim flight aunt lot sure annoy
> Now all I need is an annoying aunt who died in the cold and this one is a winner!
That's what we need, brainwallet seeds based on annoying family members!
CryptAxe.com | bitcoinhivemind.com

BitcoinXio
Nickel Bitcoiner
Posts: 167
Joined: Mon Sep 21, 2015 4:12 pm

Re: So just how insecure is a brainwallet?

Tue Nov 24, 2015 7:04 pm

> > I like this one I just generated on the brainwallet.io site mentioned above:
> > throughout guess mourn freeze frost search aim flight aunt lot sure annoy
> > Now all I need is an annoying aunt who died in the cold and this one is a winner!
> That's what we need, brainwallet seeds based on annoying family members!
LOL well you can input your own info, but then that is the human element that makes it weak. I think the "salting" of adding a username/password makes it added extra security. That's unique to that website, which makes it pretty cool.

Chakra74
Nickel Bitcoiner
Posts: 12
Joined: Tue Nov 03, 2015 5:59 am

Re: So just how insecure is a brainwallet?

Tue Nov 24, 2015 7:33 pm

> It uses the scrypt key derivation function to generate the keys, which is a memory and time-intensive process.

This, to me, is the largest upgrade to traditional brain wallet services. The only reason a password such as "I love eating popcorn in the sun" isn't secure is that people can try millions of passwords a second. Realistically, if you're only able to test, say, 10 passwords a second, would anyone really be able to guess a sentence like that?

SeenBeanAKAShawnBawn
Posts: 3
Joined: Tue Nov 24, 2015 12:13 pm

Re: So just how insecure is a brainwallet?

Tue Nov 24, 2015 11:16 pm

> The only reason a password such as, "I love eating popcorn in the sun" isn't secure, is due to the fact that people can try millions of passwords a second.
Some may think so, but take a look at the math: if you chose ONLY from the top 200 most popular words in the English language and made a 7-word sentence, it would still take 405 years to try all possibilities at 1 million guesses per second.

Yes, it gets weaker by enforcing grammar rules to make it a valid sentence. But that means people would need to write an algorithm that starts with sentences that would be more logical for people to come up with, and that's not easy for a computer to do. For example, if you simply changed the "I" in your sentence to the name of your pet, your phrase would not be found by the algorithm.

People then counter-argue "oh, but then the attacker would just harvest your Facebook for all the personal info they need to build a specialized word list". But if I'm being personally targeted that much, it'd be much easier for them to just look up my mother's maiden name and go social engineer my bank account.

ryanc
Posts: 3
Joined: Wed Nov 25, 2015 10:44 pm

Re: So just how insecure is a brainwallet?

Wed Nov 25, 2015 11:32 pm

> However, this doesn't sound quite right to me. Although there are more than one million words in the English language, and the Oxford dictionary has 600,000 words, let's be generous and say you use an easy-to-find list of only 300,000 words. If you had a computer guessing 4-word combinations at 150,000 guesses/second, it would take 1.7 billion years to guess every possible combination. Even a botnet of one million machines would take 1700 years. We can even upgrade your botnet to 1.5 million guesses per second and assume the majority of hits will be found within the first half of your guesses, and it will still take 85 years. That's pretty different from checking "every bitcoin address that has ever received funds in a single day."
(note - the article you reference is based on my research)

The English word list sizes you mention are unrealistic - the figures cited were assuming a 2,048 entry wordlist. The diceware list, which is the largest one I'm aware of being promoted as a wordlist for random passphrases, is only 7,776 words, and calling many of them "words" is a stretch. Most of the other common tools use a wordlist of 2,048 or 1,626 words. A typical adult native English speaker's vocabulary is somewhere in the vicinity of 20,000 words.

As an example of why using an entire dictionary is a problem, here's four random words from the system dictionary on my Linux box (containing 234,937 words) produced with shuf /usr/share/dict/words | head -n 4:

chromatophilic tetradactyly autoskeleton aluminothermics
I think I'd have a hard time remembering those.

If you are using random words, it's fairly easy to calculate the security - you compute "work" as log2(list size) * nWords + hardening then compare against your desired security margin (96 bits is probably fine for at least a decade). With diceware and brainwallet.io or warpwallet (both use scrypt(2^18, 8, 1)), each word is a little shy of 13 bits, and scrypt is providing at least 20 bits of hardening, so 6 random diceware words should get you past the 96 bit security level. If you're really paranoid use 8 random diceware words for a ~123 bit security level.

Using a hardened kdf with your email as a salt shaves off a random word or two from what you need for good security, and requires anyone trying to steal your money to target you directly (unless you have a *trivially* weak password) at almost no cost.

Several performance improvements have been made to Brainflayer since DEFCON, and I was recently able to scan for ~743 billion passwords at a cost of $52 using EC2 spot instances.


SeenBeanAKAShawnBawn
Posts: 3
Joined: Tue Nov 24, 2015 12:13 pm

Re: So just how insecure is a brainwallet?

Tue Dec 01, 2015 10:35 pm

ryanc,

Thanks for the reply! I agree, the majority of words in the dictionary are going to be obscure and hard to remember. I personally would be willing to learn 4 new words for the sake of securing my savings (and if I can just remember the pronunciation, the spelling can be confirmed by looking it up in the dictionary!), but it might be hard for some people.

Although choosing 4 words from the standard wordlist is not very secure, I think things can be added which make the possibilities grow quite quickly. Nouns can be made plural, and verbs can have multiple tenses. That alone grows a 2000 word list to 4000-5000. Words could have spaces between them, be capitalized or not, or use different punctuation. A complex combination of these variations is hard to remember, but something simple like "in all caps, with spaces, ending with a period" is easy enough to remember.

A lot of people don't think about this stuff, and don't realize how insecure their brainwallet might be. I think your work is great for showing the dangers of weak brainwallets, but it also shows what types of brainwallets can be secure, which I think most people overlook. The article I linked had a sensationalist title, saying your tool "exposed a major flaw", but it was always apparent to anyone willing to do the math! I still think there is a place for brainwallets if done correctly.

ryanc
Posts: 3
Joined: Wed Nov 25, 2015 10:44 pm

Re: So just how insecure is a brainwallet?

Thu Dec 03, 2015 1:35 am

> I agree, the majority of words in the dictionary are going to be obscure and hard to remember. I personally would be willing to learn 4 new words for the sake of securing my savings (and if I can just remember the pronunciation, the spelling can be confirmed by looking it up in the dictionary!), but it might be hard for some people.
I'm kinda curious how the difficulty of learning a weird new word compares with remembering something that came out of a pronounceable password generator.

> Although choosing 4 words from the standard wordlist is not very secure, I think things can be added which make the possibilities grow quite quickly. Nouns can be made plural, and verbs can have multiple tenses. That alone grows a 2000 word list to 4000-5000. Words could have spaces between them, be capitalized or not, or use different punctuation. A complex combination of these variations is hard to remember, but something simple like "in all caps, with spaces, ending with a period" is easy enough to remember.
>
> A lot of people don't think about this stuff, and don't realize how insecure their brainwallet might be. I think your work is great for showing the dangers of weak brainwallets, but it also shows what types of brainwallets can be secure, which I think most people overlook. The article I linked had a sensationalist title, saying your tool "exposed a major flaw", but it was always apparent to anyone willing to do the math! I still think there is a place for brainwallets if done correctly.
Four words from a list of 4000-5000 still won't be secure even with the modifications you suggest here - you're only adding 2-3 bits per word.
It's almost trivial to build a password or passphrase generator that produces output that has quantifiable cracking difficulty - the trick is balancing cracking difficulty with being friendly to human memory. This is an area needing more research.

I agree that the problems with brainwallets were always fairly obvious - the major thing I did was publicly provide some numbers on it.
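ryanc's "work" formula (log2(list size) * nWords + hardening) from his first post, and his point here that plural/tense/case variants add only 2-3 bits per word, worked through in Python as an added example (not code from this thread, from Brainflayer or from brainwallet.io). It takes the ~20 bits of scrypt hardening as ryanc's estimate rather than measuring it, derives a per-guess price from his $52 / 743 billion figure, and uses a constructed four-entry wordlist purely to show the CSPRNG word picker.

```python
import math
import secrets

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def passphrase_bits(list_size, n_words, hardening_bits=0.0):
    """ryanc's formula: work = log2(list size) * nWords + hardening (in bits)."""
    return math.log2(list_size) * n_words + hardening_bits


def words_needed(list_size, target_bits, hardening_bits=0.0):
    """Smallest word count whose work reaches target_bits with this list and KDF."""
    return math.ceil((target_bits - hardening_bits) / math.log2(list_size))


def exhaustive_search_years(bits, guesses_per_second):
    """Years to try every candidate at a fixed rate; bits already include hardening."""
    return 2.0 ** bits / guesses_per_second / SECONDS_PER_YEAR


def exhaustive_search_cost_usd(bits, usd_per_unhardened_guess):
    """Cost to try every candidate; bits include hardening, price is per plain SHA-256 guess."""
    return 2.0 ** bits * usd_per_unhardened_guess


def random_passphrase(wordlist, n_words):
    """Dice-style pick with replacement from a CSPRNG: log2(len(wordlist)) bits per word."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    # The OP's scenario: 4 words from a 300,000-word list at 150,000 guesses/s.
    op_bits = passphrase_bits(300_000, 4)
    print(f"OP scenario: {op_bits:.1f} bits, {exhaustive_search_years(op_bits, 150_000):.2e} years")

    # Diceware (7,776 words) behind warpwallet/brainwallet.io scrypt; 20 bits is ryanc's estimate.
    SCRYPT_HARDENING = 20.0
    for n in (4, 6, 8):
        print(f"{n} diceware words + scrypt: {passphrase_bits(7776, n, SCRYPT_HARDENING):.1f} bits")
    print("diceware words needed for 96 bits with scrypt:", words_needed(7776, 96, SCRYPT_HARDENING))

    # Inflating a 2,000-word list to 5,000 with plural/tense forms adds only log2(2.5) ~ 1.3 bits/word.
    print(f"4 words from 5,000 + scrypt: {passphrase_bits(5000, 4, SCRYPT_HARDENING):.1f} bits (weak)")

    # Per-guess price implied by ryanc's EC2 run: $52 for ~743 billion unhardened candidates.
    usd_per_guess = 52 / 743e9
    six_words = passphrase_bits(7776, 6, SCRYPT_HARDENING)
    print(f"cost to exhaust 6 diceware words + scrypt: ${exhaustive_search_cost_usd(six_words, usd_per_guess):.2e}")

    # Constructed four-entry list, only to exercise the picker; a real list needs thousands of entries.
    print(random_passphrase(["frost", "aunt", "flight", "annoy"], 6))
```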

roy
Nickel Bitcoiner
Posts: 31
Joined: Mon Nov 02, 2015 9:39 pm

Re: So just how insecure is a brainwallet?

Sat Dec 05, 2015 12:10 am

Is it safe to have a 12-word deterministic wallet with a 20- to 30-character password? How long can the passphrase be?

bitcoin
Nickel Bitcoiner
Posts: 13
Joined: Sat Sep 19, 2015 6:30 am

Re: So just how insecure is a brainwallet?

Sun Jan 31, 2016 7:51 pm

> Is it safe to have a 12-word deterministic wallet with a 20- to 30-character password? How long can the passphrase be?
Yes, that would be very safe as long as your 12 words were randomly generated.

ChrisG
Nickel Bitcoiner
Posts: 21
Joined: Sun Jan 24, 2016 10:42 pm

Re: So just how insecure is a brainwallet?

Sun Jan 31, 2016 11:29 pm

> > However, this doesn't sound quite right to me. Although there are more than one million words in the English language, and the Oxford dictionary has 600,000 words, let's be generous and say you use an easy-to-find list of only 300,000 words. If you had a computer guessing 4-word combinations at 150,000 guesses/second, it would take 1.7 billion years to guess every possible combination. Even a botnet of one million machines would take 1700 years. We can even upgrade your botnet to 1.5 million guesses per second and assume the majority of hits will be found within the first half of your guesses, and it will still take 85 years. That's pretty different from checking "every bitcoin address that has ever received funds in a single day."
> (note - the article you reference is based on my research)
>
> The English word list sizes you mention are unrealistic - the figures cited were assuming a 2,048 entry wordlist. The diceware list, which is the largest one I'm aware of being promoted as a wordlist for random passphrases, is only 7,776 words, and calling many of them "words" is a stretch. Most of the other common tools use a wordlist of 2,048 or 1,626 words. A typical adult native English speaker's vocabulary is somewhere in the vicinity of 20,000 words.
>
> As an example of why using an entire dictionary is a problem, here's four random words from the system dictionary on my Linux box (containing 234,937 words) produced with shuf /usr/share/dict/words | head -n 4:
>
> chromatophilic tetradactyly autoskeleton aluminothermics
> I think I'd have a hard time remembering those.
>
> If you are using random words, it's fairly easy to calculate the security - you compute "work" as log2(list size) * nWords + hardening then compare against your desired security margin (96 bits is probably fine for at least a decade). With diceware and brainwallet.io or warpwallet (both use scrypt(2^18, 8, 1)), each word is a little shy of 13 bits, and scrypt is providing at least 20 bits of hardening, so 6 random diceware words should get you past the 96 bit security level. If you're really paranoid use 8 random diceware words for a ~123 bit security level.
>
> Using a hardened kdf with your email as a salt shaves off a random word or two from what you need for good security, and requires anyone trying to steal your money to target you directly (unless you have a *trivially* weak password) at almost no cost.
>
> Several performance improvements have been made to Brainflayer since DEFCON, and I was recently able to scan for ~743 billion passwords at a cost of $52 using EC2 spot instances.
When you have time, can you write a tutorial on how you scanned 743 billion passwords? I am interested in studying this and will give you a +1 + coin for a drink or 2.
