
Bitcoin Brain Wallets: A flawed, dangerous idea. - andrewcastmate
http://www.bn2b.com/bitcoin-brain-wallets-dangerous-idea/
======
mistercow
There is some seriously bad misinformation in this article, and I feel like
maybe the author isn't really familiar with basic information theory.

> If you literally just use 4 or 5 dictionary words, someone is going to crack
> it fast. Bad people can write a program to try a kabillion combinations of
> words and it will run fast.

Wrong. Wrong wrong wrong. If you _randomly_ choose a sequence of 4 or 5
dictionary words you'll have a strong password. This is simple math. The
author then tries to support his point with this gem:

> One of the wallets, with the password “lorem ipsum dolor sit amet” was
> cracked in 7 hours,

Well, "lorem ipsum dolor sit amet" _isn't_ 5 randomly chosen dictionary words.
It's an extremely common 5 word sequence and has nothing like the entropy of a
random word sequence.

The most important thing about pass phrases is that you have to choose the
words randomly. You can't go pulling phrases from movie lines, and you can't
even come up with them yourself. You need an unbiased process like a computer
or a dice roll to generate it for you.

More subtly, you shouldn't be picky about the phrase. If you keep generating
new pass phrases until you find one that's memorable, you are drastically
reducing the entropy of your phrase. It is plausible that an attacker could
build a model that limits their search to memorable phrases, and then you'd be
in bad shape.

And this last point is where pass phrases need work. What we need is a system
for randomly generating passwords that guarantees some level of memorability
without sacrificing entropy. Fitting them to roughly sentence formats is one
possibility (e.g. adj noun verb noun), so that we can visualize something
happening. But it's not an easy problem.

~~~
Fargren
> Fitting them to roughly sentence formats is one possibility (e.g. adj noun
> verb noun), so that we can visualize something happening.

That "mad-libs" method does reduce entropy quite a bit. I don't know if it
reduces it enough to make the password crackable, but the search space is much
smaller than just 5 random words.

~~~
mistercow
That's true. What I should have said was that we want to make the entropy easy
to measure. If I flip through random passwords until I find one that's easy to
remember, I have no idea how much entropy I've lost. But the mad-libs method
should let us know exactly what our effective key length is, and allow us to
make up for it with longer phrases if needed.

Edit: Another technique that I find useful is to place the four words into a
more memorable sentence. For example, if I pull "frequently scared earth
understanding" from passphra.se, I might have trouble remembering that raw
sequence of words. But if I put it into a sentence like "I am frequently
scared, but the Earth is understanding.", then I have a much more evocative
sentence that I'm likely to remember. I usually will just use that whole
sentence, punctuation and all, because hey, extra entropy. Dropbox's zxcvbn
tool[1] estimates that pass phrase at nearly 128 bits of entropy.

[1] <https://github.com/lowe/zxcvbn>

------
DanBC
That's a lousy article. Pass phrases are strong if you exclude anything that's
been in print and if you use random words.

Use something like diceware. Ideally, use a 7 word phrase with a good password
safe.

The article doesn't use any numbers, and so the author doesn't have a feel for
just how strong a passphrase is compared to a password.

Also, the author seems to be missing the point of the xkcd comic. You can
create a strong password. $xK!r88w82;)|@N?c463)fpD2SAtRNQq But very few people
do this. Because of poor password policies people have a password. PASSWORD.
They then modify that to conform to the policy. Must include numbers?
PASSWORD89. Must include specials? !PASSWORD89

These are trivially easy to find. Firstly because the limited amount of
modification available means other people would have tried it first, and those
words will now be in dictionaries. Secondly, crackers can auto-substitute
characters in wordlists.

------
jere
> If you literally just use 4 or 5 dictionary words, someone is going to crack
> it fast. Bad people can write a program to try a kabillion combinations of
> words and it will run fast.

xkcd uses math and I don't see much wrong with it either. You're using hand
waving and anecdotes. You can't just say "it will run fast." Unless computers
get infinitely fast, there will always be intractable problems.

And you realize that "lorem ipsum dolor sit amet" is an _extremely_ common
phrase, right? It has no relation to the entropy in 4 random dictionary words.
The thing about cracking a password is you don't have to know the exact format
if what you're grasping at is a bunch of low hanging fruit.

------
kybernetikos
He talks about how the XKCD article password is commonly known as if this is
worrying for some reason. But it's no surprise for anyone getting started with
brainwallets who has gone to brainwallet.org and noticed that the default
passphrase entered into their client side generator is 'correct horse battery
staple'. The chance of you coming up at random with a phrase that is the
default in a popular brainwallet generator is so low as to not be worth
worrying about.

The other thing is that the article completely ignores the possibility of
generating a new private key in the normal way and memorizing that. It's only
the same number of digits as seven phone numbers which while certainly
difficult is well within the range of any moderately determined human of
normal intelligence. I suspect that most people have 7 phone numbers memorised
as it is.

If you're truly paranoid about security, doing that gives you just as much
security as anyone else using bitcoin.

~~~
mistercow
> The chance of you coming up at random with a phrase that is the default in a
> popular brainwallet generator is so low as to not be worth worrying about.

1 in 2^44, in fact. Unlikely enough that if you tried once per millisecond,
you'd expect it to happen only once in 550 years.

------
chrismorgan
The first one I tried, in similar style, was "The quick brown fox jumps over
the lazy dog":
[http://blockexplorer.com/address/13w4Hn1BJQM4bjZZgYtXpyp4cio...](http://blockexplorer.com/address/13w4Hn1BJQM4bjZZgYtXpyp4cioiw29tKj).
Fortunately, its balance is also now at 0.

~~~
DanBC
I think I accidentally downvoted you. Sorry!

------
ebbv
This article misses the real flaw with the pass phrase; pass phrases aren't
really 2^B (where B = bits obviously) entropy. They're D^N entropy where N =
number of words and D = size of the dictionary. The OED has 171K words in it,
so say you're using a 7 word phrase that's ~4.3 * 10^36 possibilities. In
reality most people's vocabulary is no more than 60K words which gives us 2.8 *
10^33.

If instead you use _only_ a 16 character password with no dictionary words (i.e.
completely random or sufficiently randomized memorable words) you have 3.4 *
10^38 possibilities.

3.4 * 10^38 > 4.3 * 10^36 > 2.8 * 10^33

I think everybody should use what works for them, and pass phrases are easy to
remember but they have the exact same trade off that using pure dictionary
words does at shorter lengths; it's easier to crack.

~~~
mistercow
A couple of problems. First off:

> If instead you use only 16 character password with no dictionary words (i.e.
> completely random) you have 3.4 * 10^38 possibilities.

You're confusing characters and bytes. If you limit yourself to what can be
typed on a typical keyboard, you're looking at a set of 95 characters, not
256. That gives you 4.4E31 possibilities (or ~105 bits of entropy). If you
limit yourself to what most password fields will accept, it's more like a set
of 75 characters (optimistically), giving you 1E30 possibilities (~100 bits).

Secondly, I'm not sure the comparison is fair in terms of memorability. 7
words will fit easily in my working memory. 16 characters will not. If I have
an exceptional working memory, I might be able to fit 10 characters in it, and
suddenly we're down to 63 bits of entropy, compared to 77 bits for a 7 word
pass phrase, even if we limit ourselves to a 2000 word dictionary. And
committing those 7 words to long term memory is still going to be _way_ easier
than committing the random 9 character string.

Incidentally, 77 bits is very close to the 80 bits that NIST recommends for
the strongest passwords. 63 is quite a long way off.

------
epscylonb
Completely agree with the article.

Whether you realise it or not, what you want from a private key is lots of
entropy.

A simple pass phrase is easily cracked, a complicated one is hard to remember
(and it needs to be remembered exactly).

There may potentially be a small amount of middle ground here, particularly if
your memory is very good, but what happens if you get dementia as you get
older?

If you must use a pass phrase, use it to encrypt a truly random private key;
this way only the private key is exposed to the blockchain. An attacker
would need the encrypted copy of your private key to brute force it, so don't
keep this online unless you need to send bitcoins.

~~~
NateDad
So, you're wrong about the entropy in the pass phrase. XKCD goes into the
math, and for a sufficiently long phrase, there's plenty of entropy. And yes
he takes into consideration there's only so many English words.

~~~
epscylonb
I have had this conversation before; what is "sufficiently long"?

Remembering 10 random words in order isn't that much easier than 10 random
alphanumeric chars and symbols. The words might have some mnemonic value, but
the point is, if you need entropy, don't mess about, use a real private key.

~~~
DanBC
You realise that a 10 word Diceware passphrase is significantly stronger than
a 10 character (alphanumeric + specials) password, right?

95^10 = 5.9873694e+19

7776^10 = 8.0828128e+38
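The entropy arithmetic that ebbv, mistercow and DanBC trade above, written out as an added Python example that is not part of the thread. The scheme sizes are the posters' own numbers; the only assumption is a 2048-word list for passphra.se, chosen to reproduce the 44 bits mistercow quotes elsewhere in the thread.

```python
import math

# Bit level mistercow cites as NIST's recommendation for the strongest passwords.
NIST_STRONG_BITS = 80

def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in `length` symbols drawn uniformly from `alphabet_size` choices.

    Valid only when every symbol is picked independently and uniformly at random
    (dice, a CSPRNG); a phrase from a book or made up by hand has no such bound.
    """
    if alphabet_size < 2 or length < 1:
        raise ValueError("need an alphabet of at least 2 symbols and length >= 1")
    return length * math.log2(alphabet_size)

def search_space(alphabet_size: int, length: int) -> int:
    """Number of equally likely values the scheme can produce (ebbv's D^N)."""
    return alphabet_size ** length

def expected_years_to_hit(bits: float, guesses_per_second: float) -> float:
    """Years a guesser at the given rate needs to enumerate all 2^bits values."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)

# Schemes argued over in the thread: (alphabet size, number of symbols).
# The 2048-word passphra.se list is an assumption that yields the quoted 44 bits.
SCHEMES = {
    "ebbv: 7 words, OED 171k":              (171_000, 7),
    "ebbv: 7 words, 60k vocabulary":        (60_000, 7),
    "ebbv: 16 bytes, 256 values":           (256, 16),
    "mistercow: 16 chars, 95 printable":    (95, 16),
    "mistercow: 16 chars, 75 accepted":     (75, 16),
    "mistercow: 10 chars, 75 accepted":     (75, 10),
    "mistercow: 7 words, 2000-word list":   (2000, 7),
    "DanBC: 10 chars, 95 printable":        (95, 10),
    "DanBC: 10 words, Diceware 7776":       (7776, 10),
    "passphra.se: 4 words, 2048 (assumed)": (2048, 4),
}

def compare(schemes=SCHEMES):
    """Rows of (name, search space, bits, meets the 80-bit bar), strongest first."""
    rows = [(n, search_space(a, l), entropy_bits(a, l), entropy_bits(a, l) >= NIST_STRONG_BITS)
            for n, (a, l) in schemes.items()]
    return sorted(rows, key=lambda r: r[2], reverse=True)

if __name__ == "__main__":
    for name, space, bits, strong in compare():
        print(f"{name:38s} {space:9.2e} {bits:6.1f} bits {'>= 80' if strong else ''}")
    # mistercow's 1-in-2^44 figure at one guess per millisecond
    print(f"2^44 at 1000 guesses/s: {expected_years_to_hit(44, 1000):.0f} years")
```

Run it and the ordering reproduces the thread's conclusions: a 10-word Diceware phrase beats 16 random bytes, 95^10 characters sit well under the 80-bit bar, and 7 words from even a 2000-word list land near 77 bits.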

~~~
epscylonb
Yeah, and both are weaker than a truly random private key. I give up; it's only
money after all.

~~~
DanBC
What do you mean by a "truly random" private key?

How much computing power is needed to attack a 7 word Diceware passphrase?

------
vidyesh
Brainwallets are good as long as your passphrase is long and very specific to
what you want it to be.

Read this post <https://gist.github.com/gavinandresen/3840286>

------
nossim
Bitcoin itself is a flawed and dangerous idea. What makes the value of money
is the trust you put into the economic institutions of some territory. The value
of money should not be derived from some computational tricks but should be
a reflection of the real economy. The other explanations, including some from
Wall Street (remember subprimes?), are just big misdirections some conmen
invented to take a lot of money from your pockets. Bitcoin is just a modern
version of a pyramid scheme. Think of it as pyramid scheme 2.0.

~~~
venomsnake
Bitcoin the system and the blockchain is brilliant. The adaptable difficulty
and the hashcash chaining can be used for a lot of stuff where for various
reasons you don't trust a central authority.

Bitcoin the currency is a different beast. Well, if you have to rope the value
of money to something, computational power is not the worst thing possible in
an increasingly digital world.

~~~
nossim
I agree with you when you say "Bitcoin the system and the blockchain is
brilliant": it is a brilliant misdirection, like when a magician distracts
your attention to hide the real trick.

Why do you want to rope the value of money to something other than trust? I
know this is low tech and very old, but a trust based system can work even for
the digital economy. Of course, to work properly a trust based system needs some
conditions which are not met today: transparency and dissuasive sanctions if
someone cheats.

I think we need to upgrade our financial system but we need more transparency
not more opacity.

~~~
venomsnake
Have you by any chance read the Sten (Cole, Bunch) series? There the currency
is pegged to the antimatter because it is the perfect fuel and is the only
thing moving the economy.

The problem with trust based systems is that trust is a fickle thing. If it
was up to me I would peg a currency to the kWh. It will create dynamic
equilibrium because it will be constantly consumed to create GDP.

------
ef4
This actually misses the worst problem. Brain wallets are essentially
unsalted. You can build a gigantic rainbow table once and then watch those
addresses forever after.

And you aren't attacking a single address at a time. You're attacking them all
in parallel. Even if the expected time to crack one password is very long, the
expected time to crack some password can be much, much smaller.

~~~
mistercow
> This actually misses the worst problem. Brain wallets are essentially
> unsalted. You can build a gigantic rainbow table once and then watch those
> addresses forever after.

The phrases generated by passphra.se have 44 bits of entropy. That means your
rainbow table has to be on the order of hundreds of petabytes. I have doubts
that the attack you're proposing could be implemented in practice. If it were
a problem, you could just tack on a few more words and take the table into the
yottabyte range.

~~~
ef4
Yes, but I'm highly confident that a significant fraction of users are not
using passphra.se or similar.

They're making something up, and humans are extremely bad at generating high
entropy that way.

~~~
mistercow
Yes, people should never come up with pass phrases out of their brains. A good
entropy source is an absolute must. As I mentioned in another comment, even
flipping through something like passphra.se until you find something
especially memorable is shooting yourself in the foot because you're
discarding an unknown amount of entropy.

------
tocomment
So is there any safe way to store bitcoins? It's getting kind of frustrating
to not have a best practice.

------
CallingIit
Excellent! The first of today's several Bitcoin threads! All board the fail
train, next stop mom's basement leeching electricity with 20 badly set up
graphics cards and fans.

~~~
DanBC
> next stop mom's basement leeching electricity with 20 badly set up graphics
> cards and fans.

No one does that any more. The amount of computing power in the blockchain is
impressive. FPGAs didn't last too long; people are using ASICs now.

It's a shame if all those farms of GPUs are wasted. I guess I should have
looked on ebay for people selling them off cheap. Or maybe they're just being
used for protein folding now.

It's interesting that tying mining to value has driven people to create
home clusters, and now people have developed ASICs. It'd be cool if those could
have some other use in future.

