Bitcoin Security The Almighty Buck

Researchers Discover a Cheap Method of Breaking Bitcoin Wallet Passwords (softpedia.com) 96

An anonymous reader writes: Three researchers have published a paper that details a new method of cracking Bitcoin "brain wallet passwords," which is 2.5 times speedier than previous techniques and incredibly cheap to perform. The researchers revealed that by using a run-of-the-mill Amazon EC2 account, an attacker would be able to check over 500,000 Bitcoin passwords per second. For each US dollar spent on renting the EC2 server, an attacker would be able to check 17.9 billion password strings. To check a trillion passwords, it would cost the attacker only $55.86 (€49.63). In the end, they managed to crack around 18,000 passwords used for real accounts.
  • Password entropy rule of thumb: 40 + log2($dollars)

    Yes, I know, for some of you it really sucks to have to come up with 70 bits. But, hey, there's always charity.

  • and lived happily ever after.

  • by Noryungi ( 70322 )

    In other words, Bitcoin is finally getting the attention it deserves from security researchers. And, surprise! It's full of bugs!

    I would be tempted to say: "Film at 11" or even "told ya so", but the truth of the matter is, I have suspected for a long long time that Bitcoin was not as secure as its proponents have been saying all along.

    I am waiting for the price of bitcoin to fall pretty freaking fast, once everyone realizes hard-earned bitcoins can be stolen from thin air extremely easily, like they have be [coindesk.com]

    • by Anonymous Coward on Thursday February 11, 2016 @09:09AM (#51486531)

      Brain wallets are wallets where password phrases are chosen by the user. It's not Bitcoin that's vulnerable, it's humans. The standard way for wallets to be generated is based on private keys that are randomly generated, not picked by a user.

      • by Khyber ( 864651 )

        No, bitcoin is quite vulnerable, especially with some of the latest updates. The new transaction reverse feature is so easily abused as to be worthless. I can 'buy' something with bitcoin and then reverse the transaction. You're shit out of money, shit out of product, and shit out of luck. No real chance of recourse.

        • No, bitcoin is quite vulnerable, especially with some of the latest updates. The new transaction reverse feature is so easily abused as to be worthless. I can 'buy' something with bitcoin and then reverse the transaction. You're shit out of money, shit out of product, and shit out of luck. No real chance of recourse.

          Can you link to what you are talking about? I thought the only way to actually reverse a transaction in Bitcoin would be to control 51% of the hashing power in the system. (i.e. generate a longer blockchain without that transaction which would invalidate the block with the transaction)

      • Weak passwords are even more vulnerable with a fast hashing algorithm. Hashed password storage should use bcrypt [codahale.com], which is intentionally slow, and makes dictionary attacks less practical.

    • The trouble with merely modding down comments like these is we don't have a "long winded, no idea what he's talking about" mod.

      This is simple crypto optimization, like happens every year. It's necessary and expected, and :shudder: anticipated by the designers of bitcoin (aside: stop looking for one man, stupid magazines).

      Personally, I'm intrigued as I have a very old wallet I've forgotten the password to, and commission-based cracking services have been unable to touch it. Sadly, it's not worth much.

      • This won't help you recover your old wallet. It has nothing to do with bitcoin wallet passwords, which are encrypted with AES-256-CBC.

        Amusingly, they appear to have applied Sipa's highly optimized ECDSA library to help find UTXOs that can be spent with their brute forced "brain wallet" privkeys.

    • The overwhelming majority of the so-called Bitcoin bugs we read about are bugs affecting particular implementations. In this case, this concerns the use of common English words as a sort of mnemonic code to generate a set of Bitcoin wallet addresses. A Bitcoin wallet program not using such a security method would not be affected by this attack.
    • by ledow ( 319597 ) on Thursday February 11, 2016 @10:03AM (#51486875) Homepage

      Not really.

      If someone gets hold of your wallet enough to try passcodes, it's game over anyway.

      It's like saying that credit cards are insecure because they only have 10,000 possible 4-digit PINs. Well, yes. But the general idea is to stop them getting the card in the first place, and to use other security measures to protect the card.

      The stupid idea of having such ephemeral wallets that are vulnerable to these kinds of attacks was ridiculous before it started. That's not "normal" Bitcoin.

      For normal Bitcoin, you make a wallet file on your machine, encrypt the wallet file with a strong passphrase, perform transactions, then store it in a safe place. You only get it back out on a secure machine where you're required to enter the passphrase again to do anything useful with it.

      If someone is on the machine that you perform BitCoin transactions on, to the point that they can read your wallet file and try to enter passphrases, that's game over anyway. They could just as easily just sniff your keyboard for the passphrase.

      Again - stupid security "attack" that wouldn't happen in real life unless you were a complete dope anyway, is taken as "bad news" for an unrelated technology which people like you jump on the bandwagon of disparaging without checking facts.

      Hint: Word .doc passwords aren't secure either. Or old (pre-AES) ZIP file passwords. You can easily check just as many of those in the same time as this "attack" on something like EC2. The idea is that you don't let people get a file full of expensive information in the first place, or rely on such naff security if that's what you want to do. And that's exactly what BitCoin does too.

      The wallet decryption is only valid if someone can copy your wallet. And that's, quite literally, like someone taking your wallet in real life. The problem is already there. That they might be able to use it to cost you money is entirely logical from that point onwards.

      • by Asgard ( 60200 ) <jhmartin-s-5f7bbb@toger.us> on Thursday February 11, 2016 @11:03AM (#51487259) Homepage

        This attack is different than the one you describe. You are describing someone attacking an encrypted wallet file. The attack in this article is based on generating wallets that are identical to someone else's without having access to their data.

        When you generate a 'standard' wallet, the computer generates a large random number and uses that as the basis for the wallet. In brainwallet, a human picks a phrase that is the basis for the wallet. Humans are monumentally poor at picking one that cannot be guessed. That is the target of this attack. If user Alice generates a brainwallet with the phrase 'i am a fish', attacker Dave can use EC2 to generate an identical wallet (and thus be able to transfer the coins elsewhere) with the base phrase 'i am a fish'.

        The Bitcoin community has been aware that brainwallets are interesting-but-a-bad-idea for quite some time.

      • by Khyber ( 864651 )

        "It's like saying that credit cards are insecure because they only have 10,000 possible 4-digit PINs"

        That has not been true for a while, now. Wells Fargo makes you pick a PIN up to 12 digits long, now. It's been like that since I got my WF account in ~2008.

        Of course, 12 digits in a 10-digit numerical system makes things a bit easier to break due to necessarily repeating symbols, but oh well.

    • If bitcoins can be "stolen from thin air extremely easily" as you suggest, then today all the bitcoins would be already stolen. The MtGox fiasco was because their backend systems and code were not hardened. This was also back in the day when single-sig was used and an exchange would have full control of your coins. Today with multi-sig, it's not possible for an exchange or third party to steal your coins - they don't have control of them.

      Please do some research before posting such misinformation as this.

    • BitCoin will wind up between being the next best thing since sliced bread and refrigeration versus a tulip fad. It is a new sector for financial trade, and has already had its first tier of scammers and pump and dumpers.

      What will happen is that it will evolve. Either BitCoin adds features, or a BTC 2.0 will come along to give more features to allow it to be used in more circumstances. Things like escrow where Charlie can independently inspect goods, then allow or decline an Alice -> Bob transaction.

  • by Orgasmatron ( 8103 ) on Thursday February 11, 2016 @09:24AM (#51486603)

    Is it even possible for Slashdot to do competent reporting on a bitcoin story? I know you guys rely on "news" sites to do the actual reporting, but one thing the new management could really do to win favor from older users is to learn a little about the topics being reported so that misleading or stupid stories and headlines could be avoided now and then.

    The passwords used by the bitcoin program to encrypt wallets are just fine.

    What is broken is "brain wallets", which were never a good idea, and were never safe.

    Any arbitrary string of the appropriate length can be a bitcoin private key. The bitcoin software tries really hard to generate them with as much entropy as possible ("randomly"). To create a "brain wallet", you start with a low entropy string, so low that you can remember it in your brain, and then you do stuff to it to expand it out to the key length.

    Naturally, the "do stuff to it" part cannot add any entropy, otherwise you wouldn't end up with the same private key every time.

    Now some brain wallet schemes try really hard to maximize the amount of work involved in the "do stuff to it" stage. Some of them even use highly regarded PBKDF functions.

    Here is the workflow for cracking brain wallets:

    1. seed phrase guess
    2. derive privkey
    3. derive pubkey
    4. derive pubkey hash
    5. scan UTXO set

    Password researchers optimized step 1 years ago.
    Clusters for hire in the cloud have been attacking step 2 for a while now, mitigating the work amplification in PBKDF.

    What these researchers have done now is find a faster method of generating the pubkey hashes and scanning the UTXO set for coins that can be spent. (Steps 3-5)

    Bitcoin remains fine. Don't use brain wallets. We told you they were a bad idea years ago, and now we have (even more) confirmation.

    • by Khyber ( 864651 )

      "Is it even possible for Slashdot to do competent reporting on a bitcoin story?"

      Is it possible for Bitcoin to be competent? Nope. Not as long as your literal backing is the price of electricity/hardware you spent to make a bitcoin instead of an actual good or service. When people figure that out and realize that they're paying hundreds of dollars for something that ultimately cost a few cents to create, they're going to leave you high and dry.

      The only people that approve of this new-age Ponzi Scheme are thos

      • Literal backing? What does that even mean? And are you aware that when you withdraw cash from your bank account, you are "paying hundred[s] of dollars for something that ultimately cost a few cents to" print?

        Personally, if I had to pick from your three groups, I'd probably be in the first one, but that's mostly because it is no longer possible for a U.S. citizen to get through a day without committing a federal crime of some sort.

        None of my bitcoin uses had anything to do with crime, or paranoia, or takin

        • by calque ( 4296327 )

          I used bitcoins to purchase a rifle, for example, and it was shipped to a FFL in my state, where I filled out the 4473 and waited for the NICS check. I wouldn't have done it that way if my interest had been either crime or paranoia.

          Did you pay sales tax?

          • No, but I did report it as "use tax" on my next state tax return.

            I bet you've never done that, even though you are almost certainly required to whenever you buy from an out of state vendor that ships to you but doesn't collect your state's sales tax.

    • To create a "brain wallet", you start with a low entropy string, so low that you can remember it in your brain, and then you do stuff to it to expand it out to the key length.

      To be fair, it is possible to create a "brain wallet" with enough entropy to remain secure from this sort of attack. Such wallets will have randomly generated passphrases with at least 128 bits of entropy (generally 12-24 words selected uniformly from a standardized 2000-word dictionary, yielding about 11 bits per word). A 24-word passphrase of this sort is equivalent in entropy to a standard 256-bit Bitcoin private key, and within the memorization capacity of most humans.

      The problem is "brain wallets" gene
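      The defensive side of the comment above, as an added example (not code from any wallet project): sampling a passphrase uniformly from a fixed dictionary with the OS CSPRNG, accounting for its entropy at log2(dictionary size) bits per word, and pricing a brute-force search at the 17.9 billion guesses per dollar quoted in the story summary. The 2048-entry dictionary here is a constructed stand-in for a real standardized word list.

```python
"""Entropy and brute-force cost of dictionary-sampled brain-wallet passphrases."""
import math
import secrets

# Throughput figure quoted in the story summary: ~17.9 billion guesses per EC2 dollar.
GUESSES_PER_DOLLAR = 17.9e9


def entropy_bits(words: int, dictionary_size: int) -> float:
    """Entropy of `words` drawn uniformly and independently from the dictionary."""
    return words * math.log2(dictionary_size)


def expected_cost_usd(bits: float, guesses_per_dollar: float = GUESSES_PER_DOLLAR) -> float:
    """Expected spend to hit a uniformly random secret: half the keyspace on average."""
    return 2.0 ** (bits - 1) / guesses_per_dollar


def words_needed(target_bits: float, dictionary_size: int) -> int:
    """Smallest word count whose entropy reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(dictionary_size))


def generate_passphrase(words: int, dictionary: list) -> str:
    """Uniform sampling via the OS CSPRNG; the human never picks the words."""
    if len(set(dictionary)) != len(dictionary):
        raise ValueError("dictionary has duplicates, which silently lowers entropy")
    return " ".join(secrets.choice(dictionary) for _ in range(words))


# Constructed stand-in for a 2048-word list; a real list lives outside this page.
DICTIONARY = [f"word{i:04d}" for i in range(2048)]

if __name__ == "__main__":
    for n in (4, 12, 24):
        bits = entropy_bits(n, len(DICTIONARY))
        print(f"{n:2d} words: {bits:5.1f} bits, expected crack cost ${expected_cost_usd(bits):.3g}")
    print(generate_passphrase(words_needed(128, len(DICTIONARY)), DICTIONARY))
```

      At the article's rate, four dictionary words (44 bits) fall for a few hundred dollars, while twelve words (132 bits) already push the expected cost past 10^29 dollars; the cost curve doubles per bit, which is why the 128-bit floor matters and why a phrase a person composes, drawn from a far smaller effective space than 2048^n, never reaches it.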

  • Create a few billion wallets with common passphrases, each containing 1 Satoshi, then host them around the intertubes in places where malicious people willing to spend a small amount of effort will find them.

    • by Khyber ( 864651 )

      Honeypots are specific. Creating billions of bitcoin wallets would be useless given the current blockchain size that you need to check against.

  • I would think that the IRS, as well as Homeland Security, would both find it quite useful to follow money over the BitCoin universe. What's a criminal to do?
