Researchers Discover a Cheap Method of Breaking Bitcoin Wallet Passwords (softpedia.com)
An anonymous reader writes: Three researchers have published a paper that details a new method of cracking Bitcoin "brain wallet passwords," which is 2.5 times speedier than previous techniques and incredibly cheap to perform. The researchers revealed that by using a run-of-the-mill Amazon EC2 account, an attacker would be able to check over 500,000 Bitcoin passwords per second. For each US dollar spent on renting the EC2 server, an attacker would be able to check 17.9 billion password strings. To check a trillion passwords, it would cost the attacker only $55.86 (€49.63). In the end, they managed to crack around 18,000 passwords used for real accounts.
It's an offline attack. There is no server against which these passwords are checked. "Brain" wallets are wallets where all keys are derived from a memorized secret through cryptographic functions. You enter the secret password into a program and it "recreates" from that password the Bitcoin addresses and secret keys that you need in order to spend the balances associated with those addresses. In a more conventional wallet, the addresses and keys are generated randomly and stored in a file, typically encrypted with a passphrase. In that case you'd need the passphrase and the stored wallet to gain access to the keys. The advantage of a brain wallet is that you can't lose the wallet file, because there is none. The disadvantage is that it's "single factor": You only need the password/passphrase (something you know) to access it. Conventional wallets are two-factor: You need the passphrase (something you know) and the wallet file (something you have).
Again, you're not understanding how a wallet works. The wallet is nothing more than a public key, and the private key is the password, the bitcoin blockchain stores the balance/other stuff.
When you have the wallet address, you can try searching for the private key, which is supposed to take extreme amounts of computation to find. At no point in testing these keys do you ever have to communicate with anything else outside of the L1 register in the processor searching for the key.
Brain wallets are wallets where password phrases are chosen by the user. It's not Bitcoin that's vulnerable, it's humans. The standard way for wallets to be generated is based on private keys that are randomly generated, not picked by a user.
Is it even possible for Slashdot to do competent reporting on a bitcoin story? I know you guys rely on "news" sites to do the actual reporting, but one thing the new management could really do to win favor from older users is to learn a little about the topics being reported so that misleading or stupid stories and headlines could be avoided now and then.
The passwords used by the bitcoin program to encrypt wallets are just fine.
What is broken is "brain wallets", which were never a good idea, and were never safe.
Any arbitrary string of the appropriate length can be a bitcoin private key. The bitcoin software tries really hard to generate them with as much entropy as possible ("randomly"). To create a "brain wallet", you start with a low entropy string, so low that you can remember it in your brain, and then you do stuff to it to expand it out to the key length.
Naturally, the "do stuff to it" part cannot add any entropy, otherwise you wouldn't end up with the same private key every time.
Now some brain wallet schemes try really hard to maximize the amount of work involved in the "do stuff to it" stage. Some of them even use highly regarded PBKDF functions.
Here is the workflow for cracking brain wallets:
1. seed phrase guess
2. derive privkey
3. derive pubkey
4. derive pubkey hash
5. scan UTXO set
Password researchers optimized step 1 years ago.
Clusters for hire in the cloud have been attacking step 2 for a while now, mitigating the work amplification in PBKDF.
What these researchers have done now is find a faster method of generating the pubkey hashes and scanning the UTXO set for coins that can be spent. (Steps 3-5)
Bitcoin remains fine. Don't use brain wallets. We told you they were a bad idea years ago, and now we have (even more) confirmation.
See that "Preview" button?
Not really.
If someone gets hold of your wallet enough to try passcodes, it's game over anyway.
It's like saying that credit cards are insecure because they only have 10,000 possible 4-digit PINs. Well, yes. But the general idea is to stop them getting the card in the first place, and to use other security measures to protect the card.
The stupid idea of having such ephemeral wallets that are vulnerable to these kinds of attacks was ridiculous before it started. That's not "normal" Bitcoin.
For normal Bitcoin, you make a wallet file on your machine, encrypt the wallet file with a strong passphrase, perform transactions, then store it in a safe place. You only get it back out on a secure machine where you're required to enter the passphrase again to do anything useful with it.
If someone is on the machine that you perform BitCoin transactions on, to the point that they can read your wallet file and try to enter passphrases, that's game over anyway. They could just as easily sniff your keyboard for the passphrase.
Again - stupid security "attack" that wouldn't happen in real life unless you were a complete dope anyway, is taken as "bad news" for an unrelated technology which people like you jump on the bandwagon of disparaging without checking facts.
Hint: Word .doc passwords aren't secure either. Or old (pre-AES) ZIP file passwords. You can easily check just as many of those in the same time as this "attack" on something like EC2. The idea is that you don't let people get a file full of expensive information in the first place, or rely on such naff security if that's what you want to do. And that's exactly what BitCoin does too.
The wallet decryption is only valid if someone can copy your wallet. And that's, quite literally, like someone taking your wallet in real life. The problem is already there. That they might be able to use it to cost you money is entirely logical from that point onwards.