Researchers Discover a Cheap Method of Breaking Bitcoin Wallet Passwords (softpedia.com)
An anonymous reader writes: Three researchers have published a paper that details a new method of cracking Bitcoin "brain wallet passwords," which is 2.5 times speedier than previous techniques and incredibly cheap to perform. The researchers revealed that by using a run-of-the-mill Amazon EC2 account, an attacker would be able to check over 500,000 Bitcoin passwords per second. For each US dollar spent on renting the EC2 server, an attacker would be able to check 17.9 billion password strings. To check a trillion passwords, it would cost the attacker only $55.86 (€49.63). In the end, they managed to crack around 18,000 passwords used for real accounts.
Why build a million dollar cluster when you can just use AWS?
Mod me down, my New Earth Global Warmingist friends!
Researchers discover what criminals have known for years.
It's an offline attack. There is no server against which these passwords are checked. "Brain" wallets are wallets where all keys are derived from a memorized secret through cryptographic functions. You enter the secret password into a program and it "recreates" from that password the Bitcoin addresses and secret keys that you need in order to spend the balances associated with those addresses. In a more conventional wallet, the addresses and keys are generated randomly and stored in a file, typically encrypted with a passphrase. In that case you'd need the passphrase and the stored wallet to gain access to the keys. The advantage of a brain wallet is that you can't lose the wallet file, because there is none. The disadvantage is that it's "single factor": You only need the password/passphrase (something you know) to access it. Conventional wallets are two-factor: You need the passphrase (something you know) and the wallet file (something you have).
Again, you're not understanding how a wallet works. The wallet is nothing more than a public key, and the private key is the password, the bitcoin blockchain stores the balance/other stuff.
When you have the wallet address, you can try searching for the private key, which is supposed to take extreme amounts of computation to find. At no point in testing these keys do you ever have to communicate with anything else outside of the L1 register in the processor searching for the key.
You might want to look up how bitcoin wallets work. The entire wallet is there. The software governing it is open, and typically compiled by the user. An attacker only has to remove the WRONG_PASSWORD check you're talking about and they're back to the races.
Or, more likely, the attacker already stripped out the code they need from the application to check the wallet (sans silly 2 second wait) and has their own software checking against it.
This isn't a case of asking your local RADIUS server if the username/password you sent is correct, where, assuming you don't own the RADIUS server, you can't control how it responds. This is a case of an encrypted file on your own machine (or, in the case of an attacker, in an attacker's hands). You, or the attacker, own the means of authentication. Why would you, as an attacker, make things hard on yourself?
No. Actually the method is from August 2015, but this one is faster and cheaper, from what I can read from the article and research paper PDF. Still a long shot, but if any of those 18,000 wallets holds a ton of Bitcoin, then it's worth the investment.
The story here is the fucktardedness of "brain wallets".
You have a system secured by a large ECC key of 256 bits or so.
And then you generate your 256-bit key by SHA-256ing a password that has maybe 40 bits of entropy.
And then you use it to protect all of your money.
Whoever thought of this genius "brain wallet" idea needs to be shot.
Then anyone with a botnet can stop you from authenticating forever by simply issuing a request every 2 seconds.
The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
Then surely this is bad news for PKI in general, or are we saying Bitcoin's implementation of PKI is rubbish?
Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.
It's a brute force attack. They have their own implementation of a brain wallet that creates wallets from a list of passwords and checks if the generated addresses have been used (i.e. are in the block chain). If you use a "brain wallet" and your passphrase is on their list of passwords, then they'll find your Bitcoin addresses and with them the keys, the same way your wallet software generates them from your passphrase. If your password is not on their list, they can't steal your coins.
Password entropy rule of thumb: 40 + log2($dollars)
Yes, I know, for some of you it really sucks to have to come up with 70 bits. But, hey, there's always charity.
Breaking the wallet has nothing to do with the blockchain or any online service. It's local encryption stuff. If the software had a stupid limit, the hacker can just recompile it without the stupid limit, so it's pointless (open source software, remember). The password should be 12 to 20 words from the dictionary. Make it a billion times harder, thus a billion times more expensive to craft. The law of large numbers makes it not cost-effective. Remember, a brain wallet is something created to recreate your wallet; it's not the bitcoin protocol itself.
and lived happily ever after.
So one, I think bitcoin itself is pretty risky... that said if I were to accept the premise and argue from there.
I would think a 'brain wallet' would be like a 'wallet', i.e. something you have with you at any given time in case you want to spend some cash but can't get to your savings account right now. So you take on some risk on a few hundred dollars in exchange for being able to spend it more easily. You move money in and out of it as needed when you get back to where your more secure setup is.
XML is like violence. If it doesn't solve the problem, use more.
In other words, Bitcoin is finally getting the attention it deserves from security researchers. And, surprise! It's full of bugs!
I would be tempted to say: "Film at 11" or even "told ya so", but the truth of the matter is, I have suspected for a long long time that Bitcoin was not as secure as its proponents have been saying all along.
I am waiting for the price of bitcoin to fall pretty freaking fast, once everyone realizes hard-earned bitcoins can be stolen from thin air extremely easily, like they have been stolen in the past.
I still think Bitcoin may yet be proven as the tulip craze of the 21st century. Some people will lose their shirts. Things never change (madness and wisdom of the crowds, yadda yadda yadda).
You can mod me down now.
The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
Is it even possible for Slashdot to do competent reporting on a bitcoin story? I know you guys rely on "news" sites to do the actual reporting, but one thing the new management could really do to win favor from older users is to learn a little about the topics being reported so that misleading or stupid stories and headlines could be avoided now and then.
The passwords used by the bitcoin program to encrypt wallets are just fine.
What is broken is "brain wallets", which were never a good idea, and were never safe.
Any arbitrary string of the appropriate length can be a bitcoin private key. The bitcoin software tries really hard to generate them with as much entropy as possible ("randomly"). To create a "brain wallet", you start with a low entropy string, so low that you can remember it in your brain, and then you do stuff to it to expand it out to the key length.
Naturally, the "do stuff to it" part cannot add any entropy, otherwise you wouldn't end up with the same private key every time.
Now some brain wallet schemes try really hard to maximize the amount of work involved in the "do stuff to it" stage. Some of them even use highly regarded PBKDF functions.
Here is the workflow for cracking brain wallets:
1. seed phrase guess
2. derive privkey
3. derive pubkey
4. derive pubkey hash
5. scan UTXO set
Password researchers optimized step 1 years ago.
Clusters for hire in the cloud have been attacking step 2 for a while now, mitigating the work amplification in PBKDF.
What these researchers have done now is find a faster method of generating the pubkey hashes and scanning the UTXO set for coins that can be spent. (Steps 3-5)
Bitcoin remains fine. Don't use brain wallets. We told you they were a bad idea years ago, and now we have (even more) confirmation.
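As an added illustration (not code from the paper or from any wallet project) of steps 1-3 of the workflow above and of the "40 + log2($dollars)" rule of thumb earlier in the thread: a brain wallet key is a pure function of the passphrase, so the whole secret is the passphrase's entropy, and the EC2 rate quoted in the summary (17.9 billion guesses per dollar) turns that entropy directly into dollars. The "Letmein" passphrase is the one joked about in the thread; the secp256k1 arithmetic is a minimal textbook implementation for demonstration, not a production library.

```python
import hashlib
import math

# secp256k1 parameters (the curve Bitcoin uses): field prime, group order, generator
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):
    """Affine point addition on secp256k1; None stands for the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None                      # Q + (-Q) = infinity
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return x, (lam * (a[0] - x) - a[1]) % P

def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def brain_wallet_keys(passphrase):
    """Steps 1-3: passphrase -> SHA-256 -> privkey -> compressed pubkey.
    Nothing random is involved: anyone who knows the passphrase gets the same key."""
    priv = int.from_bytes(hashlib.sha256(passphrase.encode()).digest(), "big")
    x, y = ec_mul(priv, G)
    return format(priv, "064x"), ("02" if y % 2 == 0 else "03") + format(x, "064x")

GUESSES_PER_DOLLAR = 17.9e9   # EC2 rate quoted in the summary

def cost_to_try(guesses, kdf_work=1, rate=GUESSES_PER_DOLLAR):
    """Dollars to try `guesses` passphrases; kdf_work is the iteration count of any
    key-stretching KDF (1 = bare SHA-256) and scales the attacker's bill linearly."""
    return guesses * kdf_work / rate

def bits_to_exhaust(budget_dollars, rate=GUESSES_PER_DOLLAR):
    """Passphrase entropy an attacker with this budget can exhaust outright; the
    thread's '40 + log2($)' rule is this figure plus roughly six bits of margin."""
    return math.ceil(math.log2(budget_dollars * rate))
```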
See that "Preview" button?
Ah, so basically they are creating a list of public/private key/password combinations. So if you have someone's public key you can look up their private key and password if it's one you've already done. Sounds to me like Bitcoin is using PKI keys that are too short. Not to panic though, I know banks that are still using Triple DES :|
I have read discussions on how to mitigate this. Perhaps some slight proof of work? Or, on the underlying protocol, use something like bcrypt and require a certain number of rounds to be run before the wallet is unlocked.
Brain wallets are useful. Having some key strengthening algorithm in place wouldn't stop brute-forcing, but it would at least slow them down.
While I won't dispute that bitcoin might get used to obscure illegal activity, and I won't even argue that it may even most often be used for such purposes, it is clearly false to suggest that it is never used for anything that is actually entirely okay.
Don't blame the owners of a tool for the actions of those who might use that tool to harm others, no matter how prolific such use might appear to be. Down that same path lies the reasoning that some governments are using to try and block strong encryption entirely.
File under 'M' for 'Manic ranting'
Because with the million-dollar cluster, the victim never will know what hit him.
Never underestimate the element of seagull.
That's why I use "password12345luggage", nobody's ever going to guess it!
Oh wait... D'oh!
So... jail all politicians and lawyers?
Oh sorry, these guys are committing legal crimes.
Carry on.
Create a few billion wallets with common passphrases, each containing 1 Satoshi, then host them around the intertubes in places where malicious people willing to spend a small amount of effort will find them.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
I can see using a brain wallet as a sort of traveller's check. Say one is going to a country where everything is thoroughly scrutinized, all physical papers copied and photographed, all electronic devices are searched, all data on all devices is copied off, and anything encrypted (like normal wallets) will be "decrypted" courtesy of a rubber hose and a $5 wrench. In the country, electronic communications are firewalled, so logging onto $REMOTE_STORAGE, or booting up a small live CD distro to fire up Citrix isn't possible.
Here, brain wallets would be usable. Before embarking on the trip to Lower Elbonia, create a brain wallet, transfer funds to it. Then, after passing through Elbonia's customs, use your BTC client, create a wallet, and pay as normal. When heading back to civilization, either use a brain wallet (for access in the interim), or just move the currency in the wallet created in Lower Elbonia to your secure (yet inaccessible wallet.)
There are other uses as well. Sometimes it might be useful to transfer coins with just a small piece of paper or a sentence.
*Generates key for "Letmein"*
I see what you did here!
You exchanged your username and your password!
It sounds like the brain wallet is simply a bad idea then. It practically reduces the security of your bitcoin wallet to nothing more than the strength of your password.
"When information is power, privacy is freedom" - Jah-Wren Ryel
I would think that the IRS, as well as Homeland Security, would both find it quite useful to follow money over the BitCoin universe. What's a criminal to do?
I believe the problem is not that the keys used by the bitcoin infrastructure are too short, but rather that the variation in brain wallet passwords is insufficient, or that it's too easy to convert a brain wallet password into a bitcoin public key to check if they match. The fact that randomly generated keys are not susceptible to this attack like brain wallet passwords are is an indication that it's not the infrastructure at fault, I believe.
Weak passwords are even more vulnerable with a fast hashing algorithm. Hashed password storage should use bcrypt, which is intentionally slow, and makes dictionary attacks less practical.
Worse, apparently. They can try a whole bunch of possible combinations of words from a dictionary, and for each one, check the block chain to see if the resulting address has been used. They don't have to guess anyone's password in particular, just guess a combination of words that has been used by someone, anyone at all. Instead of trying combinations of userIDs and passwords, you just have to try passwords.
Either way is a cheap method to deny someone access to their bitcoins. We could call it a DoB (denial of bitcoins attack), or if we use a botnet, a DDoB.
"Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
To find one particular key for one particular individual, sure. However, there's more than one individual in the blockchain. That's why they were able to crack 18,000 passwords.
The same could potentially be said for the wrench method though if the wrench operator has brushed up on their ninja skills.
You might want to look up "brain wallet". Anyone using a "brain wallet" is an idiot.
Or try the same result on 200,000 wallets - odds are high that after a while, you'll hit several wallets with the same key phrase. You don't have to crack any specific one - it's like trying your car key on every car door at the shopping center - eventually another one will open (had that happen twice by accident).
It's an offline attack on publicly distributed information. This may be news to you, but BitCoin is a distributed system, not a website.
This should be the rule of thumb for any password protected file that is very likely to be accessible offline. Like password protected storage. Most people are willing to wait a few seconds for a much more protected boot drive.