Bitcoin Brain Wallets: A flawed, dangerous idea. (bn2b.com)
There is some seriously bad misinformation in this article, and I feel like maybe the author isn't really familiar with basic information theory.
> If you literally just use 4 or 5 dictionary words, someone is going to crack it fast. Bad people can write a program to try a kabillion combinations of words and it will run fast.
Wrong. Wrong wrong wrong. If you randomly choose a sequence of 4 or 5 dictionary words you'll have a strong password. This is simple math. The author then tries to support his point with this gem:
> One of the wallets, with the password “lorem ipsum dolor sit amet” was cracked in 7 hours,
Well, "lorem ipsum dolor sit amet" isn't 5 randomly chosen dictionary words. It's an extremely common 5 word sequence and has nothing like the entropy of a random word sequence.
The most important thing about pass phrases is that you have to choose the words randomly. You can't go pulling phrases from movie lines, and you can't even come up with them yourself. You need an unbiased process like a computer or a dice roll to generate it for you.
More subtly, you shouldn't be picky about the phrase. If you keep generating new pass phrases until you find one that's memorable, you are drastically reducing the entropy of your phrase. It is plausible that an attacker could build a model that limits their search to memorable phrases, and then you'd be in bad shape.
And this last point is where pass phrases need work. What we need is a system for randomly generating passwords that guarantees some level of memorability without sacrificing entropy. Fitting them to roughly sentence formats is one possibility (e.g. adj noun verb noun), so that we can visualize something happening. But it's not an easy problem.
> Fitting them to roughly sentence formats is one possibility (e.g. adj noun verb noun), so that we can visualize something happening.
That "mad-libs" method does reduce entropy quite a bit. I don't know if it reduces it enough to make the password crackable, but the search space is much smaller than just 5 random words.
That's true. What I should have said was that we want to make the entropy easy to measure. If I flip through random passwords until I find one that's easy to remember, I have no idea how much entropy I've lost. But the mad-libs method should let us know exactly what our effective key length is, and allow us to make up for it with longer phrases if needed.
Edit: Another technique that I find useful is to place the four words into a more memorable sentence. For example, if I pull "frequently scared earth understanding" from passphra.se, I might have trouble remembering that raw sequence of words. But if I put it into a sentence like "I am frequently scared, but the Earth is understanding.", then I have a much more evocative sentence that I'm likely to remember. I usually will just use that whole sentence, punctuation and all, because hey, extra entropy. Dropbox's zxcvbn tool[1] estimates that pass phrase at nearly 128 bits of entropy.
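The two points made above, that the words must come from an unbiased source and that rerolling until a phrase "feels memorable" silently throws entropy away, can be made concrete. The following is an added example, not code from any commenter or from passphra.se: it draws words with Python's CSPRNG, computes N*log2(D), and uses a constructed 16-word list with a constructed "memorable" predicate so the whole phrase space can be enumerated and the exact entropy loss of the picky-user process measured.

```python
import itertools
import math
import secrets

# Constructed 16-word list, chosen tiny so the full phrase space can be enumerated.
# Real lists are far larger (Diceware: 7776 words, xkcd-style lists: ~2048 words).
WORDS = [
    "ant", "brick", "cloud", "dog", "eagle", "fox", "grape", "honey",
    "ice", "jelly", "kite", "lemon", "mango", "night", "owl", "piano",
]


def random_passphrase(words, n_words):
    """Pick n words uniformly and independently with a CSPRNG; no human choice."""
    return [secrets.choice(words) for _ in range(n_words)]


def entropy_bits(dict_size, n_words):
    """Entropy of n words drawn uniformly from a dictionary: log2(D^N) = N * log2(D)."""
    return n_words * math.log2(dict_size)


def entropy_after_filtering(dict_size, n_words, acceptable_fraction):
    """Entropy left when the user rerolls until the phrase lands in an 'acceptable'
    subset holding a fraction p of all phrases. An attacker who models that subset
    only has to search D^N * p phrases, so the entropy drops by log2(1/p)."""
    return entropy_bits(dict_size, n_words) + math.log2(acceptable_fraction)


def looks_memorable(phrase):
    """Constructed stand-in for 'I like this one': no repeated word, short overall."""
    return len(set(phrase)) == len(phrase) and sum(len(w) for w in phrase) <= 12


def reroll_until_memorable(words, n_words, predicate=looks_memorable):
    """What a picky user does: keep generating until the predicate accepts."""
    while True:
        phrase = random_passphrase(words, n_words)
        if predicate(phrase):
            return phrase


def measure_filter_loss(words, n_words, predicate=looks_memorable):
    """Enumerate the whole space to find p exactly (feasible only for a tiny list)
    and report how many bits the reroll-until-memorable process gives away."""
    total = len(words) ** n_words
    accepted = sum(1 for p in itertools.product(words, repeat=n_words) if predicate(p))
    p = accepted / total
    return {
        "total": total,
        "accepted": accepted,
        "unfiltered_bits": entropy_bits(len(words), n_words),
        "filtered_bits": entropy_after_filtering(len(words), n_words, p),
    }


if __name__ == "__main__":
    print("unbiased draw:", " ".join(random_passphrase(WORDS, 3)))
    print("picky draw:   ", " ".join(reroll_until_memorable(WORDS, 3)))
    print("3 of 16 words:", measure_filter_loss(WORDS, 3))
    # The figures the thread quotes: 4 words from a 2048-word list, 5 Diceware words.
    print("4 x 2048 words: %.1f bits" % entropy_bits(2048, 4))
    print("5 x 7776 words: %.1f bits" % entropy_bits(7776, 5))
```

With a real-sized list the enumeration in measure_filter_loss is infeasible, which is exactly the commenter's problem: the user cannot know p, so the loss is unknown, whereas a fixed template (the "mad-libs" idea) has a p that can be computed up front and compensated for with extra words.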
That's a lousy article. Pass phrases are strong if you exclude anything that's been in print and if you use random words.
Use something like diceware. Ideally, use a 7 word phrase with a good password safe.
The article doesn't use any numbers, and so the author doesn't have a feel for just how strong a passphrase is compared to a password.
Also, the author seems to be missing the point of the xkcd comic. You can create a strong password. $xK!r88w82;)|@N?c463)fpD2SAtRNQq But very few people do this. Because of poor password policies people have a password. PASSWORD. They then modify that to conform to the policy. Must include numbers? PASSWORD89. Must include specials? !PASSWORD89
These are trivially easy to find. Firstly because the limited amount of modification available means other people would have tried it first, and those words will now be in dictionaries. Secondly, crackers can auto-substitute characters in wordlists.
> If you literally just use 4 or 5 dictionary words, someone is going to crack it fast. Bad people can write a program to try a kabillion combinations of words and it will run fast.
xkcd uses math and I don't see much wrong with it either. You're using hand waving and anecdotes. You can't just say "it will run fast." Unless computers get infinitely fast, there will always be intractable problems.
And you realize that "lorem ipsum dolor sit amet" is an extremely common phrase, right? It has no relation to the entropy in 4 random dictionary words. The thing about cracking a password is you don't have to know the exact format if what you're grasping at is a bunch of low hanging fruit.
He talks about how the XKCD article password is commonly known as if this is worrying for some reason. But it's no surprise for anyone getting started with brainwallets who has gone to brainwallet.org and noticed that the default passphrase entered into their client side generator is 'correct horse battery staple'. The chance of you coming up at random with a phrase that is the default in a popular brainwallet generator is so low as to not be worth worrying about.
The other thing is that the article completely ignores the possibility of generating a new private key in the normal way and memorizing that. It's only the same number of digits as seven phone numbers, which, while certainly difficult, is well within the range of any moderately determined human of normal intelligence. I suspect that most people have 7 phone numbers memorised as it is.
If you're truly paranoid about security, doing that gives you just as much security as anyone else using bitcoin.
> The chance of you coming up at random with a phrase that is the default in a popular brainwallet generator is so low as to not be worth worrying about.
1 in 2^44, in fact. Unlikely enough that if you tried once per millisecond, you'd expect it to happen only once in 550 years.
The first one I tried, in similar style, was "The quick brown fox jumps over the lazy dog": http://blockexplorer.com/address/13w4Hn1BJQM4bjZZgYtXpyp4cio.... Fortunately, its balance is also now at 0.
I think I accidentally downvoted you. Sorry!
This article misses the real flaw with the pass phrase; pass phrases aren't really 2^B (where B = bits obviously) entropy. They're D^N entropy where N = number of words and D = size of the dictionary. The OED has 171K words in it, so say you're using a 7 word phrase, that's ~4.3 * 10^36 possibilities. In reality most people's vocabulary is no more than 60K words, which gives us 2.8 * 10^33.
If instead you use only a 16 character password with no dictionary words (i.e. completely random or sufficiently randomized memorable words) you have 3.4 * 10^38 possibilities.
3.4 * 10^38 > 4.3 * 10^36 > 2.8 * 10^33
I think everybody should use what works for them, and pass phrases are easy to remember but they have the exact same trade off that using pure dictionary words does at shorter lengths; it's easier to crack.
A couple of problems. First off:
> If instead you use only 16 character password with no dictionary words (i.e. completely random) you have 3.4 * 10^38 possibilities.
You're confusing characters and bytes. If you limit yourself to what can be typed on a typical keyboard, you're looking at a set of 95 characters, not 256. That gives you 4.4E31 possibilities (or ~105 bits of entropy). If you limit yourself to what most password fields will accept, it's more like a set of 75 characters (optimistically), giving you 1E30 possibilities (~100 bits).
Secondly, I'm not sure the comparison is fair in terms of memorability. 7 words will fit easily in my working memory. 16 characters will not. If I have an exceptional working memory, I might be able to fit 10 characters in it, and suddenly we're down to 63 bits of entropy, compared to 77 bits for a 7 word pass phrase, even if we limit ourselves to a 2000 word dictionary. And committing those 7 words to long term memory is still going to be way easier than committing the random 9 character string.
Incidentally, 77 bits is very close to the 80 bits that NIST recommends for the strongest passwords. 63 is quite a long way off.
Completely agree with the article.
Whether you realise it or not, what you want from a private key is lots of entropy.
A simple pass phrase is easily cracked, a complicated one is hard to remember (and it needs to be remembered exactly).
There may potentially be a small amount of middle ground here, particularly if your memory is very good, but what happens if you get dementia as you get older?
If you must use a pass phrase, use it to encrypt a truly random private key; this way only the private key is exposed to the blockchain. An attacker would need the encrypted copy of your private key to brute force it; don't keep this online unless you need to send bitcoins.
So, you're wrong about the entropy in the pass phrase. XKCD goes into the math, and for a sufficiently long phrase, there's plenty of entropy. And yes he takes into consideration there's only so many English words.
I have had this conversation before, what is "sufficiently long"?
Remembering 10 random words in order isn't that much easier than 10 random alpha numeric chars and symbols. The words might have some mnemonic value, but the point is, if you need entropy, don't mess about, use a real private key.
You realise that a 10 word Diceware passphrase is significantly stronger than a 10 character (alphanumeric + specials) password, right?
95^10 = 5.9873694e+19
7776^10 = 8.0828128e+38
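The numbers traded in this sub-thread and the one above it (256 vs 95 vs 75 symbols per character, 171K vs 60K vs 2000 vs 7776 words, and the "2^44 at once per millisecond is 550 years" figure) all come from the same two formulas, so here they are worked through together. This is an added example, not code from any commenter; the scheme names and sizes are the ones stated in the thread, and the guess rate used for the time estimate is the once-per-millisecond rate a commenter assumed.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def possibilities(symbol_count, length):
    """Size of the search space for `length` independent, uniform choices: D^N."""
    return symbol_count ** length


def bits(symbol_count, length):
    """The same space expressed in bits: log2(D^N) = N * log2(D)."""
    return length * math.log2(symbol_count)


def years_to_exhaust(entropy_bits, guesses_per_second):
    """Wall-clock years to try every candidate once at a fixed guess rate."""
    return 2 ** entropy_bits / guesses_per_second / SECONDS_PER_YEAR


# (symbols per position, positions) for each scheme mentioned in the thread.
# "bytes" is the 256-symbol alphabet the 3.4e38 figure silently assumed;
# "printable" is the 95 characters a typical keyboard can type.
SCHEMES = {
    "16 random bytes": (256, 16),
    "16 printable chars": (95, 16),
    "16 chars, typical field": (75, 16),
    "10 printable chars": (95, 10),
    "7 words, 171K OED": (171_000, 7),
    "7 words, 60K vocabulary": (60_000, 7),
    "7 words, Diceware (7776)": (7776, 7),
    "7 words, 2000-word list": (2000, 7),
    "10 words, Diceware (7776)": (7776, 10),
    "4 words, 2048-word list": (2048, 4),
}


def compare(schemes=SCHEMES):
    """Rows of (name, search space, bits), strongest first."""
    rows = [(name, possibilities(d, n), bits(d, n)) for name, (d, n) in schemes.items()]
    return sorted(rows, key=lambda row: row[2], reverse=True)


if __name__ == "__main__":
    for name, space, b in compare():
        print(f"{name:28s} {space:12.3e} {b:7.1f} bits")
    # The 4-word, 2048-word-list phrase discussed above, tried once per millisecond.
    print(f"exhausting 2^44 at 1000 guesses/s: {years_to_exhaust(44, 1000):.0f} years")
```

Running it shows why the two sides talk past each other: the 16-character figure only beats the 7-word figures if every character is a full byte, and a 10-word Diceware phrase outranks even that. The "years" figure is for a single guess rate and a single target; the later comments about attacking many unsalted addresses at once change the arithmetic, not the formulas.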
Yeah and both are weaker than a truly random private key, I give up, it's only money after all.
What do you mean by "truly random" random private key?
How much computing power is needed to attack a 7 word Diceware passphrase?
Brainwallets are good as long as your passphrase is long and very specific to what you want it to be.
Read this post https://gist.github.com/gavinandresen/3840286
Bitcoin itself is a flawed and dangerous idea. What makes the value of money is the trust you put into the economic institutions of some territory. Value of money should not be derived from some computational tricks but should be the reflection of the real economy. The other explanations, including some from Wall Street (remember Subprimes?), are just big misdirections some conmen invented to take a lot of money from your pockets. Bitcoin is just a modern version of a pyramidal scheme. Think of it as pyramidal scheme 2.0
Bitcoin the system and the blockchain is brilliant. The adaptable difficulty and the hashcash chaining can be used for a lot of stuff where for various reasons you don't trust a central authority.
Bitcoin the currency is a different beast. Well, if you have to rope the value of money to something, computational power is not the worst thing possible in an increasingly digital world.
I agree with you when you say "Bitcoin the system and the blockchain is brilliant." This is a brilliant misdirection, like when a magician distracts your attention to hide the real trick.
Why do you want to rope the value of money to something other than trust? I know this is low tech and very old, but a trust based system can work even for the digital economy. Of course, to work properly a trust based system needs some conditions which are not met today: transparency and dissuasive sanctions if someone cheats.
I think we need to upgrade our financial system but we need more transparency not more opacity.
Have you by any chance read the Sten (Cole, Bunch) series? There the currency is pegged to the antimatter because it is the perfect fuel and is the only thing moving the economy.
The problem with trust based systems is that trust is a fickle thing. If it was up to me I would peg a currency to the kWh. It will create dynamic equilibrium because it will be constantly consumed to create GDP.
This actually misses the worst problem. Brain wallets are essentially unsalted. You can build a gigantic rainbow table once and then watch those addresses forever after.
And you aren't attacking a single address at a time. You're attacking them all in parallel. Even if the expected time to crack one password is very long, the expected time to crack some password can be much, much smaller.
> This actually misses the worst problem. Brain wallets are essentially unsalted. You can build a gigantic rainbow table once and then watch those addresses forever after.
The phrases generated by passphra.se have 44 bits of entropy. That means your rainbow table has to be on the order of hundreds of petabytes. I have doubts that the attack you're proposing could be implemented in practice. If it were a problem, you could just tack on a few more words and take the table into the yottabyte range.
Yes, but I'm highly confident that a significant fraction of users are not using passphra.se or similar.
They're making something up, and humans are extremely bad at generating high entropy that way.
Yes, people should never come up with pass phrases out of their brains. A good entropy source is an absolute must. As I mentioned in another comment, even flipping through something like passphra.se until you find something especially memorable is shooting yourself in the foot because you're discarding an unknown amount of entropy.
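The "unsalted" point made above, and the earlier suggestion to use the pass phrase only to encrypt a truly random private key, can be shown side by side. This is an added example and not code from any commenter, brainwallet.org or passphra.se: the unsalted function reproduces the usual brain-wallet rule (private key = SHA-256 of the phrase), and the sealed variant is an assumed construction using a random 16-byte salt, PBKDF2 with an assumed iteration count, a one-time XOR pad for the 32-byte key and an HMAC tag so a wrong phrase is detected rather than yielding garbage.

```python
import hashlib
import hmac
import secrets

# Assumed work factor for PBKDF2; raise it on a fast machine.
ITERATIONS = 100_000
SALT_LEN = 16


def brainwallet_private_key(passphrase: str) -> bytes:
    """Unsalted brain-wallet derivation: the key is a pure function of the phrase,
    so every user who picked the same phrase has the same key, and one precomputed
    table of phrase -> key serves against all of them at once."""
    return hashlib.sha256(passphrase.encode("utf-8")).digest()


def _derive(passphrase: str, salt: bytes):
    """Stretch the phrase under a per-blob salt; split into a 32-byte pad and a MAC key."""
    material = hashlib.pbkdf2_hmac(
        "sha256", passphrase.encode("utf-8"), salt, ITERATIONS, dklen=64
    )
    return material[:32], material[32:]


def seal_private_key(private_key: bytes, passphrase: str) -> bytes:
    """Encrypt a random 32-byte private key under the pass phrase.
    The pad is derived from (phrase, fresh salt) and used for exactly one 32-byte
    secret, so XOR here is a one-time pad rather than a reused keystream.
    Output layout: salt || ciphertext || HMAC-SHA256 tag."""
    if len(private_key) != 32:
        raise ValueError("expected a 32-byte private key")
    salt = secrets.token_bytes(SALT_LEN)
    pad, mac_key = _derive(passphrase, salt)
    ciphertext = bytes(a ^ b for a, b in zip(private_key, pad))
    tag = hmac.new(mac_key, salt + ciphertext, hashlib.sha256).digest()
    return salt + ciphertext + tag


def open_private_key(blob: bytes, passphrase: str) -> bytes:
    """Recover the private key; raise on a wrong phrase or a tampered blob."""
    salt, ciphertext, tag = blob[:SALT_LEN], blob[SALT_LEN:SALT_LEN + 32], blob[SALT_LEN + 32:]
    pad, mac_key = _derive(passphrase, salt)
    expected = hmac.new(mac_key, salt + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong passphrase or corrupted blob")
    return bytes(a ^ b for a, b in zip(ciphertext, pad))


def same_phrase_two_users(passphrase: str):
    """Show the salting difference: two users, same phrase.
    Returns (unsalted keys equal?, sealed blobs equal?)."""
    unsalted_equal = brainwallet_private_key(passphrase) == brainwallet_private_key(passphrase)
    key_a, key_b = secrets.token_bytes(32), secrets.token_bytes(32)
    sealed_equal = seal_private_key(key_a, passphrase) == seal_private_key(key_b, passphrase)
    return unsalted_equal, sealed_equal


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # a truly random private key, as the earlier comment suggests
    blob = seal_private_key(key, "correct horse battery staple")
    assert open_private_key(blob, "correct horse battery staple") == key
    print("sealed blob (hex):", blob.hex())
    print("same phrase, two users -> unsalted equal, sealed equal:", same_phrase_two_users("lorem ipsum"))
```

The practical difference for a defender is who has to do the work up front. With the unsalted rule the phrase-to-key table is built once and checked against every address on the chain. With the sealed form an attacker must first obtain the specific blob (which is why the earlier comment says to keep it offline) and then pay ITERATIONS hashes per guess against that one salt, with nothing reusable across victims.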
So is there any safe way to store bitcoins? It's getting kind of frustrating to not have a best practice.
Excellent! The first of today's several Bitcoin threads! All board the fail train, next stop mom's basement leeching electricity with 20 badly set up graphics cards and fans.
> next stop mom's basement leeching electricity with 20 badly set up graphics cards and fans.
No one does that any more. The amount of computing power in the blockchain is impressive. FPGAs didn't last too long; people are using ASICs now.
It's a shame if all those farms of GPUs are wasted. I guess I should have looked on ebay for people selling them off cheap. Or maybe they're just being used for protein folding now.
It's interesting that tying mining to value has driven people to create home clusters, and now people have developed ASICs. It'd be cool if those could have some other use in future.
This site is called Hacker News. I'm sorry if we're boring you from our basements.
That phase is over. Currency is changing. Pay attention.