On August 7th I will be giving a talk at DEF CON about cracking brainwallets. As part of that talk, I will be releasing a fast[1] brainwallet cracker. I'm writing this post to provide a little insight as to why I'm giving away a tool that could be used to steal. I also hope that people who are currently using brainwallets will take notice and move to a more secure storage method.
By my estimates, a single day should be more than enough time for a botnet to check every possible eight-character ASCII password and XKCD-style passphrase against every Bitcoin address that has ever received funds. There are already people cracking brainwallets, but it's unclear what exactly their capabilities are. I will be presenting some research on that at DEF CON (particularly weak brainwallets have been robbed within seconds), but I can only divine so much information indirectly. Releasing a cracker will give concrete, indisputable evidence of what's actually possible, and mine probably isn't faster than what bad guys are already using. Hopefully this will convince people not to use (or stop using) brainwallets.
In computer security, there's a concept known as responsible disclosure. The idea is that if someone like me discovers a bug, they make a good faith effort to get the bug fixed before sharing it with the world. I've done this in the past, and I think it's generally the right approach. Sometimes, as in the current situation, there's just no getting the bug fixed[2], or it's already being exploited. In such a case, the best thing is to let everyone know so they can take appropriate steps to protect themselves.
If you're using a brainwallet, move your coins - NOW! Your passphrase is not as strong as you think it is. Don't think you're safe because you use some other cryptocurrency - the same tools and techniques work just as well against them. I recommend a BIP38 paper wallet with a passphrase generated using diceware with at least eight words. If you must use something that is "purely in your brain", look into WarpWallet, but use it with a salt and a diceware passphrase (again - at least eight words). Human brains are too predictable. If you're using a password or passphrase that has been used for a brainwallet anywhere else, change it. I'll be posting again soon about my work on passphrase schemes designed for human memory.
Andy Greenberg has written an article about my research with a few more details, but I'm saving the most exciting bits for my talk.
[1] I've found other rudimentary brainwallet crackers posted in various places, but they've all been at least an order of magnitude slower than what I'll be releasing.
[2] There are several brainwallet implementations, but brainwallet.org is the most popular one. The guy who runs the site refused to accept a patch to make cracking more difficult, despite there having been several public reports of brainwallet theft by that time, because "ECDSA ... is a few orders of magnitude slower than SHA256". While ECDSA is on the order of 100 times slower than SHA256, best practices for password hashing call for a key derivation function that is 100,000 to 1,000,000 times slower than a single SHA256.
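To make the point in the recommendations and in footnote [2] concrete, here is an added example (my own illustration, not the cracker being released at DEF CON and not brainwallet.org's or WarpWallet's code). It derives a classic brainwallet key exactly as brainwallet.org did (private key = SHA256(passphrase), then an secp256k1 public key and its hash160), runs the per-guess loop a cracker uses against a set of target fingerprints, and contrasts it with a salted, memory-hard derivation in the style of WarpWallet. Assumptions: the "victim" passphrase, the candidate list and the salt `alice@example.com` are constructed for the demo; `salted_key` uses scrypt with a deliberately small cost parameter and is WarpWallet-like, not WarpWallet's exact construction; the hash160 falls back to truncated SHA256 on OpenSSL builds that lack RIPEMD-160; Python 3.8+ is needed for the modular inverse via `pow(x, -1, P)`.

```python
import hashlib
import time

# secp256k1 domain parameters (public constants, not assumptions).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(a, b):
    """Affine point addition on y^2 = x^3 + 7 mod P; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    x1, y1 = a
    x2, y2 = b
    if x1 == x2:
        if (y1 + y2) % P == 0:                        # a == -b
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P    # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, point=G):
    """Double-and-add scalar multiplication. Not constant time, which is fine for
    an attacker's own guesses (it matters a lot inside wallet software)."""
    result, addend = None, point
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def serialize_pubkey(point, compressed=True):
    """SEC1 encoding. brainwallet.org produced uncompressed keys; a real cracker
    checks both forms for every guess."""
    x, y = point
    if compressed:
        return bytes([2 + (y & 1)]) + x.to_bytes(32, 'big')
    return b'\x04' + x.to_bytes(32, 'big') + y.to_bytes(32, 'big')


def fingerprint(pubkey_bytes):
    """Bitcoin's hash160 = RIPEMD160(SHA256(pubkey)), the value an address encodes.
    Falls back to truncated SHA256 where OpenSSL has no RIPEMD-160 (assumed
    simplification); the cracking loop is identical either way."""
    sha = hashlib.sha256(pubkey_bytes).digest()
    try:
        return hashlib.new('ripemd160', sha).digest()
    except ValueError:
        return sha[:20]


def key_from_bytes(raw):
    k = int.from_bytes(raw, 'big')
    if not 1 <= k < N:               # probability ~2^-128, but a wallet must check
        raise ValueError('derived scalar outside [1, N-1]')
    return k


def brainwallet_key(passphrase):
    """Classic brainwallet: private key = SHA256(passphrase). One cheap hash per
    guess and no salt, so the same phrase yields the same address everywhere."""
    return key_from_bytes(hashlib.sha256(passphrase).digest())


def salted_key(passphrase, salt, n=2 ** 14):
    """WarpWallet-style hardening (illustrative, not WarpWallet's exact algorithm):
    a memory-hard KDF plus a per-user salt. n=2**14 keeps the demo quick; real
    deployments use far larger cost parameters."""
    return key_from_bytes(hashlib.scrypt(passphrase, salt=salt, n=n, r=8, p=1, dklen=32))


def crack(target_fingerprints, candidates):
    """What a brainwallet cracker does per guess: SHA256, EC multiply, hash160,
    then a membership test against the set of every funded address."""
    for phrase in candidates:
        pub = ec_mul(brainwallet_key(phrase))
        if fingerprint(serialize_pubkey(pub)) in target_fingerprints:
            return phrase
    return None


def seconds_per_guess(samples=10):
    """Rough cost of one guess with and without the KDF. Pure-Python EC math is
    itself slow, so this ratio understates what an optimised C cracker sees."""
    t = time.perf_counter()
    for i in range(samples):
        fingerprint(serialize_pubkey(ec_mul(brainwallet_key(b'bench%d' % i))))
    fast = (time.perf_counter() - t) / samples
    t = time.perf_counter()
    for i in range(samples):
        salted_key(b'bench%d' % i, b'alice@example.com')   # constructed salt
    return fast, (time.perf_counter() - t) / samples


if __name__ == '__main__':
    # Constructed demo: the victim passphrase and the candidate list are made up.
    victim = b'correct horse battery staple'
    funded = {fingerprint(serialize_pubkey(ec_mul(brainwallet_key(victim))))}
    guesses = [b'password', b'letmein', b'correct horse battery staple', b'hunter2']
    print('cracked passphrase:', crack(funded, guesses))
    fast, slow = seconds_per_guess()
    print('per guess: sha256+ec %.4fs, scrypt(n=2^14) %.4fs, ratio %.0fx' % (fast, slow, slow / fast))
```

The thing to take from the benchmark is structural rather than the exact numbers: the attacker's cost per guess is one SHA256 plus one EC multiply, and the EC multiply is the only part that is not already trivially cheap. Adding a salt removes the "one guess tests every address at once" property, and a memory-hard KDF multiplies the per-guess cost by a factor the defender chooses; neither fixes a passphrase that is in the candidate list in the first place, which is why the post insists on diceware.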