Researchers Discover a Cheap Method of Breaking Bitcoin Wallet Passwords (softpedia.com)
An anonymous reader writes: Three researchers have published a paper that details a new method of cracking Bitcoin "brain wallet passwords," which is 2.5 times speedier than previous techniques and incredibly cheap to perform. The researchers revealed that by using a run-of-the-mill Amazon EC2 account, an attacker would be able to check over 500,000 Bitcoin passwords per second. For each US dollar spent on renting the EC2 server, an attacker would be able to check 17.9 billion password strings. To check a trillion passwords, it would cost the attacker only $55.86 (€49.63). In the end, they managed to crack around 18,000 passwords used for real accounts.
Re: (Score:2)
Why build a million dollar cluster when you can just use AWS?
Re: (Score:2)
Because with the million-dollar cluster, the victim never will know what hit him.
Never underestimate the element of seagull.
Re: (Score:2)
Because with the million-dollar cluster, the victim never will know what hit him.
The same could potentially be said for the wrench method though if the wrench operator has brushed up on their ninja skills.
Re: (Score:2, Informative)
Again, you're not understanding how a wallet works. The wallet is nothing more than a public key, and the private key is the password, the bitcoin blockchain stores the balance/other stuff.
When you have the wallet address, you can try searching for the private key, which is supposed to take extreme amounts of computation to find. At no point in testing these keys do you ever have to communicate with anything else outside of the l1 register in the processor searching for the key.
Re: (Score:1)
It's a brute force attack. They have their own implementation of a brain wallet that creates wallets from a list of passwords and checks if the generated addresses have been used (i.e. are in the block chain). If you use a "brain wallet" and your passphrase is on their list of passwords, then they'll find your Bitcoin addresses and with them the keys, the same way your wallet software generates them from your passphrase. If your password is not on their list, they can't steal your coins.
Re: (Score:2)
It sounds like the brain wallet is simply a bad idea then. It practically reduces the security of your bitcoin wallet to nothing more than the strength of your password.
Re: (Score:1)
Worse, apparently. They can try a whole bunch of possible combinations of words from a dictionary, and for each one, check the block chain to see if the resulting address has been used. They don't have to guess anyone's password in particular, just guess a combination of words that has been used by someone, anyone at all. Instead of trying combinations of userIDs and passwords, you just have to try passwords.
Re: (Score:1)
You might want to look up how bitcoin wallets work. The entire wallet is there. The software governing it is open, and typically compiled by the user. An attacker only has to remove the WRONG_PASSWORD check you're talking about and they're back to the races.
Or, more likely, the attacker already stripped out the code they need from the application to check the wallet (sans silly 2 second wait) and has their own software checking against it.
This isn't a case of asking your local RADIUS server if the userna
Re: (Score:2)
You might want to look up "brain wallet". Anyone using a "brain wallet" is an idiot.
Re: (Score:1)
Ok. Maybe we should outlaw any kind of currency while we're at it?
Or at least that pesky cash.
Re: (Score:2)
While I won't dispute that bitcoin might get used to obscure illegal activity, and I won't even argue that it may even most often be used for such purposes, it is clearly false to suggest that it is never used for anything that is actually entirely okay.
Don't blame the owners of a tool for the actions of those who might use that tool to harm others, no matter how prolific such use might appear to be. Down that same path lies the reasoning that some governments are using to try and block strong encrypti
Re: (Score:2)
Then anyone with a botnet can stop you from authenticating forever by simply issuing a request every 2 seconds.
you can't limit the number of retry (Score:2)
Re:I don't understand this (Score:4, Informative)
It's an offline attack. There is no server against which these passwords are checked. "Brain" wallets are wallets where all keys are derived from a memorized secret through cryptographic functions. You enter the secret password into a program and it "recreates" from that password the Bitcoin addresses and secret keys that you need in order to spend the balances associated with those addresses. In a more conventional wallet, the addresses and keys are generated randomly and stored in a file, typically encrypted with a passphrase. In that case you'd need the passphrase and the stored wallet to gain access to the keys. The advantage of a brain wallet is that you can't lose the wallet file, because there is none. The disadvantage is that it's "single factor": You only need the password/passphrase (something you know) to access it. Conventional wallets are two-factor: You need the passphrase (something you know) and the wallet file (something you have).
Re: (Score:1)
I have read discussions on how to mitigate this. Perhaps some slight proof of work? Or, on the underlying protocol, use something like bcrypt and require a certain number of rounds to be run before the wallet is unlocked.
Brain wallets are useful. Having some key strengthening algorithm in place wouldn't stop brute-forcing, but it would at least slow them down.
Re: (Score:3)
That's why I use "password12345luggage", nobody's ever going to guess it!
Re: (Score:2)
Oh wait... D'oh!
Re: (Score:2)
I see what you did here!
You exchanged your username and your password!
Re: (Score:1)
The story here is the fucktardedness of "brain wallets".
You have a system secured by a large ECC key of 256 bits or so.
And then you generate your 256-bit key by SHA-256ing a password that has maybe 40 bits of entropy.
And then you use it to protect all of your money.
Whoever thought of this genius "brain wallet" idea needs to be shot.
Well to be fair... (Score:2)
So one, I think bitcoin itself is pretty risky... that said if I were to accept the premise and argue from there.
I would think a 'brain wallet' would be like a 'wallet', i.e. something you have with you at any given time in case you want to spend some cash but can't get to your savings account right now. So you take on some risk on a few hundred dollars in exchange for being able to spend it more easily. You move money in and out of it as needed when you get back to where your more secure setup is.
Re: (Score:1)
I can see using a brain wallet as a sort of traveller's check. Say one is going to a country where everything is thoroughly scrutinized, all physical papers copied and photographed, all electronic devices are searched, all data on all devices is copied off, and anything encrypted (like normal wallets) will be "decrypted" courtesy of a rubber hose and a $5 wrench. In the country, electronic communications are firewalled, so logging onto $REMOTE_STORAGE, or booting up a small live CD distro to fire up Citri
Re: (Score:1)
researchers discover what criminals have known for years.
Re: (Score:2)
So... jail all politicians and lawyers?
Oh sorry, these guys are committing legal crimes.
Carry on.
$dollars (Score:2)
Password entropy rule of thumb: 40 + log2($dollars)
Yes, I know, for some of you it really sucks to have to come up with 70 bits. But, hey, there's always charity.
And then they all retired (Score:2)
and lived happily ever after.
Wow what a surprise... (Score:2, Interesting)
In other words, Bitcoin is finally getting the attention it deserves from security researchers. And, surprise! It's full of bugs!
I would be tempted to say: "Film at 11" or even "told ya so", but the truth of the matter is, I have suspected for a long long time that Bitcoin was not as secure as its proponents have been saying all along.
I am waiting for the price of bitcoin to fall pretty freaking fast, once everyone realizes hard-earned bitcoins can be stolen from thin air extremely easily, like they have be [coindesk.com]
Re:Wow what a surprise... (Score:5, Informative)
Brain wallets are wallets where password phrases are chosen by the user. It's not Bitcoin that's vulnerable, it's humans. The standard way for wallets to be generated is based on private keys that are randomly generated, not picked by a user.
Re: (Score:2)
No, bitcoin is quite vulnerable, especially with some of the latest updates. The new transaction reverse feature is so easily abused as to be worthless. I can 'buy' something with bitcoin and then reverse the transaction. You're shit out of money, shit out of product, and shit out of luck. No real chance of recourse.
Re: (Score:1)
No, bitcoin is quite vulnerable, especially with some of the latest updates. The new transaction reverse feature is so easily abused as to be worthless. I can 'buy' something with bitcoin and then reverse the transaction. You're shit out of money, shit out of product, and shit out of luck. No real chance of recourse.
Can you link to what you are talking about? I thought the only way to actually reverse a transaction in Bitcoin would be to control 51% of the hashing power in the system. (i.e. generate a longer blockchain without that transaction which would invalidate the block with the transaction)
Use bcrypt (Score:2)
Weak passwords are even more vulnerable with a fast hashing algorithm. Hashed password storage should use bcrypt [codahale.com], which is intentionally slow, and makes dictionary attacks less practical.
Re: Wow what a surprise... (Score:2)
The trouble with merely modding down comments like these is we don't have a "long winded, no idea what he's talking about" mod.
This is simple crypto optimization, like happens every year. It's necessary and expected, and :shudder: anticipated by the designers of bitcoin (aside: stop looking for one man, stupid magazines).
Personally, I'm intrigued as I have a very old wallet I've forgotten the password to, and commission-based cracking services have been unable to touch it. Sadly, it's not worth much
Re: (Score:2)
This won't help you recover your old wallet. It has nothing to do with bitcoin wallet passwords, which are encrypted with AES-256-CBC.
Amusingly, they appear to have applied Sipa's highly optimized ECDSA library to help find UTXOs that can be spent with their brute forced "brain wallet" privkeys.
Re: (Score:2)
"8 years of, on the long term, constant gain is a ridiculously long tulip mania"
No. Bitcoin pretty much followed the exact same pattern as any regular financial note, right down to bull runs and bear traps, on a much higher-accelerated timescale. This means that it is likely that Bitcoin will have a depression, a serious one, faster than you expect.
And as it stands, with China holding the majority of bitcoin and hashing power, (they are the ones manufacturing these ASICs and such) they effectively control t
Re: (Score:2)
and in the US once one swipe or one untrustworthy bartender/waiter away from theft from thin air (no further access to your card required).
That's only true for backwards places that still require you to swipe your card. Even the US is changing - mostly moving to the less secure chip and signature, instead of chip and pin, but it's progress.
Re:Wow what a surprise... (Score:5, Informative)
Not really.
If someone gets hold of your wallet enough to try passcodes, it's game over anyway.
It's like saying that credit cards are insecure because they only have 10,000 possible 4-digit PINs. Well, yes. But the general idea is to stop them getting the card in the first place, and to use other security measures to protect the card.
The stupid idea of having such ephemeral wallets that are vulnerable to these kinds of attacks was ridiculous before it started. That's not "normal" Bitcoin.
For normal Bitcoin, you make a wallet file on your machine, encrypt the wallet file with a strong passphrase, perform transactions, then store it in a safe place. You only get it back out on a secure machine where you're required to enter the passphrase again to do anything useful with it.
If someone is on the machine that you perform BitCoin transactions on, to the point that they can read your wallet file and try to enter passphrases, that's game over anyway. They could just as easily just sniff your keyboard for the passphrase.
Again - stupid security "attack" that wouldn't happen in real life unless you were a complete dope anyway, is taken as "bad news" for an unrelated technology which people like you jump on the bandwagon of disparaging without checking facts.
Hint: Word .doc passwords aren't secure either. Or old (pre-AES) ZIP file passwords. You can easily check just as many of those in the same time as this "attack" on something like EC2. The idea is that you don't let people get a file full of expensive information in the first place, or rely on such naff security if that's what you want to do. And that's exactly what BitCoin does too.
The wallet decryption is only valid if someone can copy your wallet. And that's, quite literally, like someone taking your wallet in real life. The problem is already there. That they might be able to use it to cost you money is entirely logical from that point onwards.
Re:Wow what a surprise... (Score:4, Insightful)
This attack is different than the one you describe. You are describing someone attacking an encrypted wallet file. The attack in this article is based on generating wallets that are identical to someone else's without having access to their data.
When you generate a 'standard' wallet, the computer generates a large random number and uses that as the basis for the wallet. In brainwallet, a human picks a phrase that is the basis for the wallet. Humans are monumentally poor at picking one that cannot be guessed. That is the target of this attack. If user Alice generates a brainwallet with the phrase 'i am a fish', attacker Dave can use EC2 to generate an identical wallet (and thus be able to transfer the coins elsewhere) with the base phrase 'i am a fish'.
The Bitcoin community has been aware that brainwallets are interesting-but-a-bad-idea for quite some time.
Re: (Score:2)
"It's like saying that credit cards are insecure because they only have 10,000 possible 4-digit PINs"
That has not been true for a while, now. Wells Fargo makes you pick a PIN up to 12 digits long, now. It's been like that since I got my WF account in ~2008.
Of course, 12 digits in a 10-digit numerical system makes things a bit easier to break due to necessarily repeating symbols, but oh well.
Re: (Score:2)
If bitcoins can be "stolen from thin air extremely easily" as you suggest, then today all the bitcoins would be already stolen. The MtGox fiasco was because their backend systems and code were not hardened. This was also back in the day when single-sig was used and an exchange would have full control of your coins. Today with multi-sig, it's not possible for an exchange or third party to steal your coins - they don't have control of them.
Please do some research before posting such misinformation as this
Re: (Score:1)
BitCoin will wind up between being the next best thing since sliced bread and refrigeration versus a tulip fad. It is a new sector for financial trade, and has already had its first tier of scammers and pump and dumpers.
What will happen is that it will evolve. Either BitCoin adds features, or a BTC 2.0 will come along to give more features to allow it to be used in more circumstances. Things like escrow where Charlie can independently inspect goods, then allow or decline an Alice -> Bob transaction.
Unsafe practices still unsafe (Score:5, Informative)
Is it even possible for Slashdot to do competent reporting on a bitcoin story? I know you guys rely on "news" sites to do the actual reporting, but one thing the new management could really do to win favor from older users is to learn a little about the topics being reported so that misleading or stupid stories and headlines could be avoided now and then.
The passwords used by the bitcoin program to encrypt wallets are just fine.
What is broken is "brain wallets", which were never a good idea, and were never safe.
Any arbitrary string of the appropriate length can be a bitcoin private key. The bitcoin software tries really hard to generate them with as much entropy as possible ("randomly"). To create a "brain wallet", you start with a low entropy string, so low that you can remember it in your brain, and then you do stuff to it to expand it out to the key length.
Naturally, the "do stuff to it" part cannot add any entropy, otherwise you wouldn't end up with the same private key every time.
Now some brain wallet schemes try really hard to maximize the amount of work involved in the "do stuff to it" stage. Some of them even use highly regarded PBKDF functions.
Here is the workflow for cracking brain wallets:
1. seed phrase guess
2. derive privkey
3. derive pubkey
4. derive pubkey hash
5. scan UTXO set
Password researchers optimized step 1 years ago.
Clusters for hire in the cloud have been attacking step 2 for a while now, mitigating the work amplification in PBKDF.
What these researchers have done now is find a faster method of generating the pubkey hashes and scanning the UTXO set for coins that can be spent. (Steps 3-5)
Bitcoin remains fine. Don't use brain wallets. We told you they were a bad idea years ago, and now we have (even more) confirmation.
Re: (Score:1)
"Is it even possible for Slashdot to do competent reporting on a bitcoin story?"
Is it possible for Bitcoin to be competent? Nope. Not as long as your literal backing is the price of electricity/hardware you spent to make a bitcoin instead of an actual good or service. When people figure that out and realize that they're paying hundreds of dollars for something that ultimately cost a few cents to create, they're going to leave you high and dry.
The only people that approve of this new-age Ponzi Scheme are thos
Re: (Score:2)
Literal backing? What does that even mean? And are you aware that when you withdraw cash from your bank account, you are "paying hundred[s] of dollars for something that ultimately cost a few cents to" print?
Personally, if I had to pick from your three groups, I'd probably be in the first one, but that's mostly because it is no longer possible for a U.S. citizen to get through a day without committing a federal crime of some sort.
None of my bitcoin uses had anything to do with crime, or paranoia, or takin
Re: (Score:1)
I used bitcoins to purchase a rifle, for example, and it was shipped to a FFL in my state, where I filled out the 4473 and waited for the NICS check. I wouldn't have done it that way if my interest had been either crime or paranoia.
Did you pay sales tax?
Re: (Score:2)
No, but I did report it as "use tax" on my next state tax return.
I bet you've never done that, even though you are almost certainly required to whenever you buy from an out of state vendor that ships to you but doesn't collect your state's sales tax.
Re: (Score:2)
Brain wallets are not and never have been part of bitcoin (the software) or bitcoin (the protocol) or bitcoin (the network), but they are part of bitcoin (the ecosystem).
A key is just some bits, and a transaction is just a script. You can manage your keys and transactions offline, with only minimal contact to the software/network. This enables some really cool stuff, and even some really serious high security schemes.
But it also enables some really stupid bad ideas. Guess which category "Brain wallets" f
Re: (Score:2)
To create a "brain wallet", you start with a low entropy string, so low that you can remember it in your brain, and then you do stuff to it to expand it out to the key length.
To be fair, it is possible to create a "brain wallet" with enough entropy to remain secure from this sort of attack. Such wallets will have randomly generated passphrases with at least 128 bits of entropy (generally 12-24 words selected uniformly from a standardized 2000-word dictionary, yielding about 11 bits per word). A 24-word passphrase of this sort is equivalent in entropy to a standard 256-bit Bitcoin private key, and within the memorization capacity of most humans.
The problem is "brain wallets" gene
Hmm, honeypot potential??? (Score:1)
Create a few billion wallets with common passphrases, each containing 1 Satoshi, then host them around the intertubes in places where malicious people willing to spend a small amount of effort will find them.
Re: (Score:2)
Honeypots are specific. Creating billions of bitcoin wallets would be useless given the current blockchain size that you need to check against.
The IRS? (Score:2)