
How to steal Bitcoins that are protected by weak passphrases - palkeo
http://www.palkeo.com/code/stealing-bitcoin.html
======
cheesemunger
I have spent quite a lot of time (~250h) on this problem as part of my
dissertation and found ~18k brainwallets. Most of the 10k brainwallets found
by the author have probably been made by another 'researcher' who is actively
probing the network to look for thieves. There are many other similar analyses
online which have better and more interesting results than this.

Edit: I can upload some rather large and confusing transaction network
diagrams if anyone wishes to see them.

~~~
thesimpsons1022
I am interested :D

~~~
cheesemunger
Here you go: [http://i.imgur.com/XmOqvvW.jpg](http://i.imgur.com/XmOqvvW.jpg)

I have a few more but they are even more confusing. Red nodes are brainwallets
and blue nodes addresses that brainwallets transfer to. You will notice the
massive cluster on the left, that is the 'researcher' who is actively probing
the network.

The rest are standard brainwallet transactions and thefts.

The big red dot is a bug :P

Hope that was useful

~~~
lolbrainwallets
I think the cluster at the end of July/beginning of August of 2013 was me. I
am not entirely sure because it was during BlackHat/defcon and I was drunk.
Was a few thousand sampled from the rockyou list? Post a pgp key I have a
question for you.

~~~
cheesemunger
If you are referring to the big cluster, that time frame doesn't quite match
up but feel free to message me.
[http://pgp.mit.edu/pks/lookup?op=get&search=0xADC50AF9F559FA...](http://pgp.mit.edu/pks/lookup?op=get&search=0xADC50AF9F559FAB0)

~~~
lolbrainwallets
Thanks, will send you something a bit later.

~~~
cheesemunger
bump :P would be really interested to hear from you

------
nwh
Oddly enough, the website brainwallet.org which is used to create most
brainwallets seems to be in itself malicious. _nullc_ on reddit makes an
interesting comment about it.

> _"Yes, the creator of Brainwallet.org got his start with password based
> private keys by cracking them. Here is an old IRC log extract I pulled out
> for someone else who didn't believe this:
> [https://people.xiph.org/~greg/brainwallet.txt*](https://people.xiph.org/~greg/brainwallet.txt*)
>
> More recently he really was in IRC asking for information on faster cracking
> mechanisms, right after whining about needing money. But uh, he might have
> just been trying to further convince himself that brainwallets really are
> secure and that it's really the user's fault (or a MITM on the site) when they
> get robbed.
>
> I'm less inclined to assume malice, and more inclined to assume that he's
> clueless— both of the insecurity of these schemes, the acceptability of
> blaming the victims when users inevitably choose poor keys, and how scammy his
> own actions look. But that's just my own impression.
>
> When you choose to use something like that you should start with the
> assumption that the creator is malicious and ask yourself why it's safe to use
> anyways. For the Bitcoin reference software you can point to the large amount
> of open public review, processes which prove the binaries agree with the
> source, etc. For brainwallet.org? Not much.
>
> So if ever you find the prospect that the creator of something might be a bit
> black-hat and this concerns you that's potentially a red-flag."_

Probably more concerning, the first "random" key the website displays is
"correct horse battery staple", which people get their funds stolen from
almost constantly.

[http://blockr.io/address/info/1JwSSubhmg6iPtRjtyqhUYYH7bZg3L...](http://blockr.io/address/info/1JwSSubhmg6iPtRjtyqhUYYH7bZg3Lfy1T)

~~~
nadaviv
"correct horse battery staple" is a reference to xkcd [0]. It's not meant to be
"random" and not meant to be used by anyone. I assume that people who send
funds to that address are fully aware that anyone can access them.

[0] [http://xkcd.com/936/](http://xkcd.com/936/)

~~~
nwh
I doubt it, they've sent almost 5BTC over 2300 transactions to that address so
far. I personally know somebody who got caught out with it, and another with
the static change address in the transaction view of the same site.

~~~
3pt14159
That is because when we explain brain wallets to people we use that phrase as
an example and then show how quickly the coins are stolen.

------
enscr
Conspiracy theory : Is directory.io phishing ?

It is possible that people would try to find their private key on directory.io
for fun. You can do that by jumping to the relevant page. Meanwhile, the
servers at directory.io would cache the GET requests and blast through the
handful of keys on that page.

The site is likely generating the pages on the fly. You can type
directory.io/<any number up to x>

x :
904625697166532776746648320380374280100293470930272690489102837043110636675

~~~
fiveturns
Author here.

Somebody did set up a website somewhere that allowed users to see if their
private key was in the "database". It would jump them to the correct page,
and, steal their private key in the process.

I didn't like them potentially stealing my revenue, so I implemented this
feature myself. The pluses beside the private key are permalinks.

For example: [http://directory.io/warning:understand-how-this-works!/5HpHa...](http://directory.io/warning:understand-how-this-works!/5HpHagT65TZzG1PH3CSu63k8DbpvD9KsvQVUCsn2t55TVA1jxW7)

That's the private key in Bitcoin's importprivkey format.

I purposely didn't add a search box and named the URL's path to discourage its
use.

[http://directory.io/faq](http://directory.io/faq)

(I don't actually check the logs)

~~~
enscr
Thanks for clarifying. Even though you may not have bad intentions, there are
several points of failure, e.g. server logs falling into the wrong hands, a
man-in-the-middle attack (using HTTP), etc.

Maybe put a big disclaimer in red on top of every page.

------
SwellJoe
So, I've always had a bad feeling about brain wallets. They make me
uncomfortable. The fact that some folks consider them more secure than a
random private key is even more worrisome. There is the fear of an exploit of
your computer, which is valid. It's very, very common. But, if your computer
is exploited the exploiter could still obtain your brain wallet if you use it
on that computer. Cold storage of your private keys, protected with a
passphrase, on a couple of USB flash drives in two locations seems the obvious
choice for safely protecting your cryptocurrency. Yes, there are still
potential exploits. When you plug those drives into an exploited computer,
you're potentially exposing yourself.

I think we need a lot more security awareness among the general population
before Bitcoin becomes a mainstream thing. Right now, it's simply too
dangerous to use Bitcoin with most people's security practices and their
understanding of security.

~~~
LyndsySimon
Brainwallets _are_ secure, but need to be more than just words.

"foo bar baz" is a terrible passphrase, for instance. "foo bar baz
lyndsy@lyndsysimon.com" is a much better passphrase - it's trivial to use a
bit of personal information as a salt, thereby providing substantial
protection against non-targeted attacks.

------
enscr
Slightly different Q :

Say I have a private key with some money. All I have to do is type
'importprivkey <private key>' in a new client and the money shows up (am I
missing something)? If everyone randomly starts entering a couple of
completely random combinations, is there a finite possibility that someone
might simply steal a wallet? Is it like spinning a wheel of fortune?

Found a very interesting analogy here :
[http://www.reddit.com/r/BitcoinBeginners/comments/1uhuge/wha...](http://www.reddit.com/r/BitcoinBeginners/comments/1uhuge/what_is_directoryio_and_the_private_keys/ceie3aa)

" _Imagine you hide some money in a hole in the ground, and take note its GPS
coordinates. Now imagine someone publishing a list of all valid GPS
coordinates on the planet, down to 10cm resolution. In that list, there will
be also the position of your money._ "

~~~
maaku
The chance of that happening is so small it's not worth worrying about, ever.

Your brain is not equipped to handle numbers on the scale of 2^-160.

~~~
TrainedMonkey
Indeed, that is way smaller than the Planck length:
[https://www.wolframalpha.com/input/?i=is+2^-160+smaller+than...](https://www.wolframalpha.com/input/?i=is+2^-160+smaller+than+1.6+%C3%9710^%E2%88%9235)

~~~
roywiggins
You can't compare 2^-160 with a number with a unit attached, it's meaningless.
2^-160 meters is smaller than the Planck length, but 2^-160 isn't.

If your unit is "the volume of the observable universe" you get a pretty large
volume (on a human scale, anyway):
[https://www.wolframalpha.com/input/?i=%282^-160%29+*+%28the+...](https://www.wolframalpha.com/input/?i=%282^-160%29+*+%28the+volume+of+the+observable+universe%29+)

edit: oh, the units came from the grand-parent post to yours, but wouldn't the
correct conversion be "2^-160 earth's surface-areas"? That's actually bigger
than the Planck area, but still stupid small.

[https://www.wolframalpha.com/input/?i=%28The+surface+area+of...](https://www.wolframalpha.com/input/?i=%28The+surface+area+of+the+earth+%2F+%282^160%29%29+%2F+planck+area)

~~~
TrainedMonkey
Good catch, I just mentally assigned meter unit to 2^-160.

------
intelliot
The human mind can't generate enough entropy to create a secure brainwallet in
that way. However, the reverse _is_ permissible: use Bitcoin Armory or
Electrum to generate a wallet, and then you should memorize the BIP39
mnemonic:
[https://github.com/bitcoin/bips/blob/master/bip-0039.mediawi...](https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki)

~~~
mpyne
Using the passphrase as _both_ the salt and password for the PBKDF2 step
strikes me as suspicious, but as I don't do crypto for my day job I'm not sure
how bad this is (or isn't).
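
As an added worked example (not code from any commenter or from the linked BIP), here is the contrast between the brainwallet.org-style derivation and the BIP39 derivation intelliot links to, in Python. The BIP39 functions follow the spec: entropy plus a SHA-256 checksum is split into 11-bit word indices (the 2048-word list is not embedded, so indices are returned instead of words), and the seed is PBKDF2-HMAC-SHA512 over the NFKD mnemonic with the string "mnemonic" plus the optional passphrase as the salt. The brainwallet function and the sample inputs in main are constructed for illustration.

```python
import hashlib
import unicodedata

# secp256k1 group order: any valid private key is an integer in [1, N-1]
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def brainwallet_privkey(passphrase: str) -> int:
    """brainwallet.org-style key: plain SHA-256 of the passphrase.

    No salt and a single iteration, so everyone who tries the same wordlist
    derives the same keys, and each guess costs one hash (compare bip39_seed).
    """
    digest = hashlib.sha256(passphrase.encode("utf-8")).digest()
    key = int.from_bytes(digest, "big")
    if not 0 < key < SECP256K1_N:  # astronomically unlikely, but required
        raise ValueError("hash is not a valid secp256k1 scalar")
    return key


def bip39_word_indices(entropy: bytes) -> list:
    """BIP39 step 1: machine-generated entropy -> indices into the 2048-word list.

    Appends ENT/32 checksum bits (the leading bits of SHA-256(entropy)) and
    splits the result into 11-bit groups. Index 0 = "abandon", 3 = "about".
    """
    if len(entropy) not in (16, 20, 24, 28, 32):
        raise ValueError("entropy must be 128-256 bits in 32-bit steps")
    ent_bits = len(entropy) * 8
    cs_bits = ent_bits // 32
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    bits = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    total = ent_bits + cs_bits
    return [(bits >> (total - 11 * (i + 1))) & 0x7FF for i in range(total // 11)]


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 step 2: mnemonic (+ optional passphrase) -> 64-byte seed.

    PBKDF2-HMAC-SHA512, 2048 rounds. The password is the NFKD-normalised
    mnemonic; the salt is the string "mnemonic" followed by the passphrase.
    """
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, dklen=64)


if __name__ == "__main__":
    # Constructed inputs: a weak dictionary word for the brainwallet side, and
    # the all-zero entropy from the BIP39 test vectors ("abandon" x11 + "about").
    print("brainwallet key:", hex(brainwallet_privkey("password")))
    print("word indices   :", bip39_word_indices(bytes(16)))
    mnemonic = " ".join(["abandon"] * 11 + ["about"])
    print("bip39 seed     :", bip39_seed(mnemonic, "TREZOR").hex())
```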

------
joveian
The directory.io thing is really interesting. I assume the idea is that the
site does the calculation in some way that in theory produces a full set of
results and they hope that Google will index more and more of them over time,
thus allowing a search for some public keys to find the corresponding private
key. It seems like Google does index a few pages (including some higher number
ones), but not too many.

Edit: reddit threads:
[http://www.reddit.com/r/Bitcoin/comments/1rua34/all_bitcoin_...](http://www.reddit.com/r/Bitcoin/comments/1rua34/all_bitcoin_private_keys_leaked/)
[http://www.reddit.com/r/Bitcoin/comments/1ruk0z/dont_panic_d...](http://www.reddit.com/r/Bitcoin/comments/1ruk0z/dont_panic_directoryio_thing_is_fake/)

Edit2: This is one of those basic security things I have trouble getting an
intuitive grasp of (but need to). How much can being able to determine a
random small part of a random large key space hurt? I've worried about this
before with 256-bit key spaces and been reassured with calculations, but I
still don't intuitively get it.

~~~
nwh
It's not interesting really, it just takes the page number and generates the
keys for that particular page on the fly. Google will most certainly never
find anything, if nothing else the CPU of the server is a severe bottleneck
when you're talking about 2^160 keys. You could load pages on that webserver
until the sun becomes a red giant and consumes the earth, and you wouldn't
have covered even the smallest percentage of the keyspace.

------
crystaln
Deterministically generating wallets is just dumb. It's the exact opposite of
randomly generating wallets. We spend all this time on making things
cryptographically secure and then mess it up by using a tiny subset of the
keyspace.

Why would anyone find this to be a good idea?

~~~
enscr
For some, P(losing key) > P(key theft)

~~~
crystaln
P(key theft) is rather hard to calculate, given the entire universe is up
against you and you have no visibility.

There are plenty of ways of avoiding losing a key, or generating pneumonics
from secure keys.

~~~
intelliot
Unless this has something to do with the lungs, you mean "mnemonics" :)

------
1brain7
Perhaps this comment will start a good discussion, or maybe people won't like
it because I'm one of the thieves mentioned. I'm the owner of the
1brain7kAZxPagLt2HRLxqyc3VgGSa1GR address.

First, for those curious, the passphrases of the wallets taken from so far:

19JsLFDRxuTsAjapE79FgoVNdNdB2hNU5M - "alfanumerico" (0.36875 BTC)

1PQiixL1SyytXoUGFBGA5ptW9uTjsBrdhX - "emergency" (0.00085 BTC)

1CqRJYoztkWifUYadFg13MHdmECx6uEdy7 - "butterfly" (0.00025 BTC)

16ga2uqnF1NqpAuQeeg7sTCAdtDUwDyJav - "password" (0.00085 BTC)

1HZwkjkeaoZfTSaJxDw6aKkxp45agDiEzN - "" (0.474972 BTC)

1HoSFymoqteYrmmr7s3jDDqmggoxacbk37 - "hello" (0.000555 BTC)

1C7zdTfnkzmr13HfA2vNm5SJYRK6nEKyq8 - "correct horse battery staple" (0.243762 BTC)

1JwSSubhmg6iPtRjtyqhUYYH7bZg3Lfy1T - "correct horse battery staple" (0.000079 BTC)

The implementation isn't particularly exciting. I have a PostgreSQL database
containing a single `address' table storing (address, privKey, passphrase). Of
course, the passphrase doesn't actually need to be stored, but I kept it
around to satisfy my own curiosity. I run a modified bitcoind client that
checks each transaction it hears about (in CTxMemPool::accept) to see if any
of the outputs are in my database. If they are, a transaction is created,
signed and broadcast to send the same number of BTC (minus fees) to
1brain7kAZxPagLt2HRLxqyc3VgGSa1GR.

I just wanted to point out that, when I started this, it was not for financial
gain. I simply saw it as a fun and interesting exercise about the Bitcoin
protocol. I wanted to see if I was capable of "winning the race" -- trust me
when I say there are loads of people out there "mining" brainwallets, and
whosever transaction is included in a block first tends to win and get the
Bitcoin. I never expected to gain over 1 BTC, I think I got rather lucky. My
database contains 19,412,020 passphrases (mostly single passwords, actually)
which all came from various wordlists I found online. I consider this to be a
fairly small dictionary, based on what I've read about other people doing the
same thing. I originally had plans to make the database much bigger, however
I've since moved onto other projects.

I'm happy to answer questions if people have any. There's a signed version of
this comment at [http://pastebin.com/s29kk2bb](http://pastebin.com/s29kk2bb),
which you can verify (rather ironically) at
[http://brainwallet.org/#verify](http://brainwallet.org/#verify).

------
kzrdude
Remember -- if you experiment with adding these "trivial" keys to your wallet,
some software may generate transactions that return change to those exact keys
(and it will be stolen in an instant). It's happened before.

------
TallboyOne
How does that site work which has every bitcoin address listed. Does it just
generate those on the fly based on the page number?

~~~
palkeo
Yes, I think so. It just couldn't have generated the list before, it's just
not feasible.

~~~
kapkapkap
FWIW, the footer says 'It took a lot of computing power to generate this
database. Donations welcome: 1Bv8dN7pemC5N3urfMDdAFReibefrBqCaK;'.

~~~
TallboyOne
There's also only 10^77 atoms in the universe, and I think 10^80 bitcoin
hashes... I think that footer note is being facetious.

------
kapnobatairza
Yes, if you use a weak seed on a service like brainwallet to deterministically
generate your keypair then it is quite easy to brute force / dictionary attack
your private key. This is why clients like Electrum force you to use a long
passphrase that they themselves generate. This really isn't new or novel.

Side note: I ran this attack months ago and you would be shocked at how many
weak passphrases actually had money in them at some point.

------
pkulak
The alt-coin NXT has a big problem with this. They pretty much _only_ support
brain wallets. The clients have these giant warnings if you use a pass-phrase
shorter than 30 chars, but it still happens and a lot of new users get their
money stolen 3 seconds after they get it. Some new clients use a real wallet,
but that move can't come fast enough!

------
tlrobinson
Or: why not to use brainwallets.

~~~
Aqueous
What about a high entropy set of 4 words for the passphrase?

This should give you fairly decent security.

~~~
LocalPCGuy
Not if those 4 words are in the dictionary. Crackers are definitely aware of
this password generation technique and it isn't hard to run through 4 word
combinations from a dictionary.

In the end, the best password right now is a 16+ random password made up of
uppercase letters, lowercase letters, numbers and symbols. Use a password
manager to manage and store your passwords.

~~~
caf
It depends on the size of your dictionary. If you want to run through all
combinations of 4 words from a 131072 word dictionary you need to test 2^68
combinations.

------
sodastream
Brain wallets should never be used. Even experts fail at picking phrases with
enough entropy.

Full stop.

You should be very careful with your Bitcoin.

I would go with one of the zero trust multisignature wallets because I like
2factor and I don't like the idea of some malware taking the funds away at
will when it finds a key in memory.

~~~
lukifer
Warp Wallet has had a 20 BTC bounty on cracking an 8-bit alphanumeric password
for a few months now, still unclaimed:
[https://keybase.io/warp](https://keybase.io/warp)

There are safe(r) ways to use a brain wallet, but it shouldn't be done without
understanding the math and the risks. At the end of the day, redundant and
physically secure paper wallets will always be the best option.

~~~
sodastream
I guess scrypt makes it much harder in memory requirements to bruteforce
dictionaries and famous phrases/documents although still risky with
keyloggers.

The most promising web wallet I've seen so far is
[https://greenaddress.it](https://greenaddress.it) which seems pretty much
like "Electrum" online but with two factor which in theory means a local
keylogger can't steal your bitcoin.

------
dutchbrit
Directory.io first of all does not contain all private keys - it's more of a
joke.

Anyway, if a brain wallet has a weak password, you have quite a good chance of
cracking it easily. But you have to know that it's a brain wallet. But using a
brain wallet is just silly.

Also, don't forget cracking private keys using weak signatures, although good
luck finding someone who has a wallet and a weak signature...

[http://www.nilsschneider.net/2013/01/28/recovering-bitcoin-p...](http://www.nilsschneider.net/2013/01/28/recovering-bitcoin-private-keys.html)

EDITED - I didn't read the post correctly, my apologies.

~~~
palkeo
Of course directory.io is a joke :)

A private key IS a number:
[https://en.bitcoin.it/wiki/Private_key](https://en.bitcoin.it/wiki/Private_key)
The one you showed was just encoded in base58!

~~~
LyndsySimon
To be really precise, it's encoded base58check.

------
cipherzero
I really don't know much about the technical details of bitcoin, but why is
a bitcoin address tied to a specific key pair?

Why isn't the address+balance just signed with a key pair?

That way me knowing a key pair wouldn't get me an address with a balance in
it...

Is there something I'm missing?

EDIT: I guess it doesn't matter, since the address space is so large. Either
way, if I were targeting an account, I would know what key pair to attack..

~~~
maxerickson
An address is essentially just the public half of a key pair.

------
chrisBob
I have a great idea for a new alt-coin: The proof of work will be based on
finding a Bitcoin wallet with more than 1BTC in it.

------
mriou
Bitcoin wallets are surprisingly tricky to implement. Use a good one that a
lot of others are using, not the edgy one. Don't try to customize your key
pair, just use what's generated for you. Split the wallet you spend from from
the one that has real money on it. Backup the real one with a paper wallet and
keep that safe.

------
rbobby
So... hunter2 is not ok?

~~~
pavel_lishin
Seven asterisks is a really shitty password.

~~~
owenversteeg
For anyone that's confused, they're referring to
[http://bash.org/?244321](http://bash.org/?244321)

------
easy_rider
People should really understand the part "phrase" in "passphrase". Can't
really have any sympathy for people who are apparently computer savvy enough to
create a bitcoin wallet and then protect them with "blah"

~~~
easy_rider
Ok, get why this is downvoted. It's a bit of a throwaway comment, and the
problem is not with the users I guess - although I do feel in this case people
should know better. but let me elaborate:

Really the only way people now get educated is by using enforced formats on
password fields [1]. Those are not solid in any way, nor is the proposed
4 random words method (although better). But both are still better than
allowing people to use weak passwords when it's involving money.

Every bank these days has 2-factor auth to allow transactions. Sure someone
can phish your credentials from whatever, but the transaction authorization
itself is only one-time, while with Bitcoin you can transfer money if you've
stolen the wallet.dat and can bruteforce the key...

There is no protection (throttling, locking) on bruteforcing wallets. Usually
with banks, or most 2-factor auth implementations, there is.

[1] [http://xkcd.com/936/](http://xkcd.com/936/)

~~~
easy_rider
Maybe the persons who downvote would love to comment on why? Feedback and
criticism are helpful..

~~~
mpyne
I didn't downvote either comment, but complaining about downvotes is typically
the very most effective way of ensuring your comment blends into the
background here. :P

------
Jonathan_Swift
I don't really know but speculate that Mt. Gox' receivership may well have
nothing to do with weaknesses in the BitCoin cryptosystem.

- Magic the Gathering's BitCoin Cookbook
[http://www.warplife.com/tips/finance/money/bitcoin/mt-gox/fo...](http://www.warplife.com/tips/finance/money/bitcoin/mt-gox/forensic-accounting.html)

tl;dr: Forensic Accounting is the way the Feds busted Al Capone for tax
evasion; they never did pin a murder rap on him.

Even if no one is cooking the books a shop like Mt. Gox needs Forensic
Accountants anyway, because someone could always have made an honest mistake.

I myself Found Religion the day I decided I'd grown weary of a ten-cent error
in my quickbooks. I required eighteen hours to clue in to that it was two
separate errors that totalled ten cents, as well as to locate the actual
errors.

(Now I use GnuCash. There's a damn good reason for double-entry accounting;
GnuCash uses it but Quicken and QuickBooks do not!)

