brain wallet cracking

  1. #1
    Merlin Houston
    Is this still feasible? A couple of years back someone released a program called brainflayer which facilitates this. There doesn't seem to be a lot of talk about it besides a more recent article this year saying it's still happening. Obviously all the one-word wallets are long cracked. Would it be worth the time to try longer strings, song lyrics, famous phrases, etc.? Or am I too late to the game? I'll probably do it anyway since I've learned about bitcoin along the way.

    Most of the early brainwallets were simply a sha256sum of some string and that was it (well, that's used to generate the ECDSA public key). With brainflayer you take a bunch of addresses from the blockchain, then turn that into a bloom enhancement, then you can sha256 some string and compare it against the bloom enhancement. The advantage of the bloom enhancement is that you instantly know whether the hashed value corresponds to a real address or not. From there you'd still have to check if it contained any coins.

    Getting everything set up has actually been a huge pain in the balls, which makes me think maybe it hasn't been overrun with skids. Extracting all the addresses to ~2015 from the blockchain took all night and produced a 14 gig file. Stripping that text file so it contained only the relevant info again took forever and f'd up my server in the process, so now I have to let the RAID rebuild before I can continue. And then after all that I have to create a wordlist before running the actual brainflayer program.

    example:

    # private key
    $ echo -n "bitcoin" | sha256sum
    6b88c087247aa2f07ee1c5956b8e1a9f4c7f892a70e324f1bb3d161e05ca107b -

    # turn it into an address (privtoaddr is from pybitcointools; a 64-hex-char key gives the uncompressed-pubkey address)
    >>> privtoaddr('6b88c087247aa2f07ee1c5956b8e1a9f4c7f892a70e324f1bb3d161e05ca107b')
    '1E984zyYbNmeuumzEdqT8VSL8QGJi3byAD'

    Looking that up on the blockchain:
    Total Received 0.16922077 BTC
  2. #2
    aldra JIDF Controlled Opposition
    Just had a look at the theory behind it - correct me if I'm wrong - a 'brainwallet' involves generating a BTC recovery seed and keeping that seed as a means of ownership over a BTC wallet without actually storing the wallet itself.

    The seed has to be cryptographically generated (a SHA256 hash), and a person is not going to be able to remember 256 bytes of raw ASCII, so they instead remember the keyphrase used to generate the hash.

    Modern 'wisdom' dictates that longer keys are better, so the logical collision between 'long keys' and 'feasible to remember' is strings of words or mnemonics representing words. Because of language rules, though, even though the keys are long, entropy is low, and through pattern analysis popular strings and patterns can be guessed, so that the more recovery seeds are cracked, the easier it becomes to crack more in the future. The fact that there are generally accepted standards for mnemonics (https://en.bitcoin.it/wiki/Brainwallet) makes it that much easier.

    What's more, as I understand it, these recovery seeds aren't handled by a central authority; they're cryptographically meshed into public data, so there's no way to rate-limit brute force or other similar attacks against it. You can simply download the data from a blockchain and attack it at will.

    I guess in terms of feasibility, it totally depends on how people are generating their keyphrases. The flaws in the system (moreover, the real flaw is relying on human input) are still there and still exploitable, but if the general userbase has moved to a more secure way of generating those phrases, you'll need to work out a new way to configure the attack (the attack itself, i.e. guessing and bruteforcing keyphrases, is still viable in and of itself).
  3. #3
    Merlin Houston
    Just had a look at the theory behind it - correct me if I'm wrong - a 'brainwallet' involves generating a BTC recovery seed and keeping that seed as a means of ownership over a BTC wallet without actually storing the wallet itself.

    I guess in terms of feasibility, it totally depends on how people are generating their keyphrases. The flaws in the system (moreover, the real flaw is relying on human input) are still there and still exploitable, but if the general userbase has moved to a more secure way of generating those phrases, you'll need to work out a new way to configure the attack (the attack itself, i.e. guessing and bruteforcing keyphrases, is still viable in and of itself).

    Yes, exactly. Since it's ECDSA, any sha256 hash can be used for the private key (idk what the standard way to generate them is, probably hashing /dev/random), and everything else can be generated from that.

    After this specific piece of software, brainflayer, was released, the main brain wallet site, brainwallet.io I think, shut down. So I don't think anyone is still generating keys with the old-school and easy-to-break method, but I'd bet there's a lot of forgotten wallets. A lot of the modern coin wallets still follow the concept of using words to create the key, but they source 8-12 random words and have some other, more complex method of creating keys from them. Somehow those seed words are used to create as many keys as the wallet will ever use, including the wallet generating new addresses.

    Also, brainflayer does include some options for these fancy new schemes that still involve seed words. I haven't really investigated that; in theory it would work with the same bloom enhancement and word list, but you'd need to try different salts or something.
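The seed-word scheme the last two paragraphs describe is, in current wallets, BIP39 (mnemonic to seed) followed by BIP32 (seed to a whole tree of keys). As an added example that is not code from the post, from brainflayer or from any wallet, this shows both steps beside the single SHA-256 of the old brainwallet, and why the "different salts" remark matters: the optional BIP39 passphrase is literally part of the PBKDF2 salt, so a cracker who has the words still has to iterate passphrases at 2048 HMAC-SHA512 rounds per guess. The function names and the candidate list are this example's own; the values checked against it are the published BIP39 and BIP32 test vectors.

```python
"""Added example, not from the post or any wallet: how seed-word wallets turn 12-24 words into
keys (BIP39 mnemonic -> seed, BIP32 seed -> master and hardened child keys), next to the single
SHA-256 of the old brainwallet scheme. Standard library only."""
import hashlib, hmac, unicodedata

N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141   # secp256k1 group order

def brainwallet_key(passphrase: str) -> bytes:
    """Old scheme: one unsalted SHA-256, so one hash per guess."""
    return hashlib.sha256(passphrase.encode()).digest()

def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39: PBKDF2-HMAC-SHA512, 2048 rounds, salt = "mnemonic" + optional passphrase.
    The passphrase is the 'different salt' a cracker has to iterate when the words are known."""
    words = unicodedata.normalize("NFKD", mnemonic).encode()
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode()
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048, dklen=64)

def bip32_master(seed: bytes):
    """BIP32: HMAC-SHA512 keyed with "Bitcoin seed"; left 32 bytes = master key, right = chain code."""
    I = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    if not 0 < int.from_bytes(I[:32], "big") < N:
        raise ValueError("invalid master key (probability ~2^-128); use a different seed")
    return I[:32], I[32:]

def bip32_child_hardened(kpar: bytes, cpar: bytes, index: int):
    """Hardened child m/index' (index >= 2**31): HMAC-SHA512 plus a modular add.
    This is how one seed yields every key and address the wallet will ever use."""
    if index < 1 << 31:
        raise ValueError("non-hardened derivation needs the public key; not shown here")
    I = hmac.new(cpar, b"\x00" + kpar + index.to_bytes(4, "big"), hashlib.sha512).digest()
    il = int.from_bytes(I[:32], "big")
    k = (il + int.from_bytes(kpar, "big")) % N
    if il >= N or k == 0:
        raise ValueError("invalid child; skip this index")
    return k.to_bytes(32, "big"), I[32:]

def crack_bip39_passphrase(mnemonic: str, candidates, target_master_key: bytes):
    """Given leaked seed words, guess the BIP39 passphrase. Each guess costs 2048 HMAC-SHA512
    rounds instead of one SHA-256; returns the matching passphrase or None."""
    for guess in candidates:
        if bip32_master(bip39_seed(mnemonic, guess))[0] == target_master_key:
            return guess
    return None
```

The known-answer checks worth running: the BIP39 vector "abandon" x11 + "about" with passphrase "TREZOR" gives a seed starting c55257c360c07c72..., and the BIP32 vector seed 000102...0f gives master key e8f32e723decf405.... In practice a cracker compares derived addresses, not master keys, so the address derivation from the earlier example sits on top of `bip32_child_hardened`; the cost per guess is still dominated by the 2048 PBKDF2 rounds, which is the whole difference between this scheme and a one-hash brainwallet with the same low-entropy human input.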
  4. #4
    aldra JIDF Controlled Opposition
    https://www.cryptocoinsnews.com/researchers-describe-easy-way-crack-bitcoin-wallet-passwords/

    So potentially, even standard brute-force attacks should be relatively quick - the use of that algorithm in the RNG seems to make it possible to discard a large chunk of permutations, practically allowing you to immediately rule out a large number of possible passphrases.

    Given the recent revelations, I would say anyone who knows what they're doing should have already abandoned the idea of brainwallets - any hash secure enough to withstand these attacks is not something most users will be able to remember. Sure, there may be a few still exploitable, but I'd doubt there's much profit to be made, because A) a lot of people will have already strip-mined the low-hanging fruit and B) leaving BTC in a known-insecure wallet format is essentially leaving cash lying around, and people tend to be more careful with their money than almost anything else.