I have spent quite a lot of time (~250h) on this problem as part of my dissertation and found ~18k brainwallets. Most of the 10k brainwallets found by the author have probably been made by another 'researcher' who is actively probing the network to look for thieves. There are many other similar analyses online which have better and more interesting results than this.
Edit: I can upload some rather large and confusing transaction network diagrams if anyone wishes to see them.
I have a few more but they are even more confusing.
Red nodes are brainwallets and blue nodes addresses that brainwallets transfer to. You will notice the massive cluster on the left, that is the 'researcher' who is actively probing the network.
The rest are standard brainwallet transactions and thefts.
I think the cluster at the end of July/beginning of August of 2013 was me. I am not entirely sure because it was during BlackHat/DEF CON and I was drunk. Was a few thousand sampled from the rockyou list? Post a PGP key; I have a question for you.
Oddly enough, the website brainwallet.org which is used to create most brainwallets seems to be in itself malicious. nullc on reddit makes an interesting comment about it.
> "Yes, the creator of Brainwallet.org got his start with password based private keys by cracking them. Here is an old IRC log extract I pulled out for someone else who didn't believe this: https://people.xiph.org/~greg/brainwallet.txt
> More recently he really was in IRC asking for information on faster cracking mechanisms, right after whining about needing money. But uh, he might have just been trying to further convince himself that brainwallets really are secure and that it's really the users' fault (or a MITM on the site) when they get robbed.
> I'm less inclined to assume malice, and more inclined to assume that he's clueless— both of the insecurity of these schemes, the acceptability of blaming the victims when users inevitably choose poor keys, and how scammy his own actions look. But that's just my own impression.
> When you choose to use something like that you should start with the assumption that the creator is malicious and ask yourself why it's safe to use anyways. For the Bitcoin reference software you can point to the large amount of open public review, processes which prove the binaries agree with the source, etc. For brainwallet.org? Not much.
> So if ever you find the prospect that the creator of something might be a bit black-hat and this concerns you, that's potentially a red flag."
Probably more concerning, the first "random" key the website displays is "correct horse battery staple", which people get their funds stolen from almost constantly.
"correct horse battery staple" is a reference to xkcd [0]. It's not meant to be "random" and not meant to be used by anyone. I assume that people who send funds to that address are fully aware that anyone can access them.
I doubt it, they've sent almost 5BTC over 2300 transactions to that address so far. I personally know somebody who got caught out with it, and another with the static change address in the transaction view of the same site.
About a year ago, I generated the Bitcoin addresses derived from single-word passphrases in the English language. I then came across a "top 1000 passwords" list from a large site hack, and added those as well.
Finally, I set up a script that watched Blockchain.info's Websockets endpoint and checked every destination address against the list.
I quickly noticed that there were a large number of ~0.05 BTC transactions to these addresses, and a network analysis showed that many of them ended up in the same handful of addresses. Those addresses were tagged on Blockchain.info as being the destination for coins used to buy off the writer of the ransomware that was making the rounds at the time.
None of the money sat at those addresses for more than a couple of minutes. I'm fairly sure that the coins aren't being stolen from those addresses, but merely quickly run through in a feeble attempt to launder coins.
ETA: I suppose I should add that I didn't take any balances. I was merely satisfying my own curiosity.
It is possible that people would try to find their private key on directory.io for fun. You can do that by jumping to the relevant page. Meanwhile, the servers at directory.io would cache the GET requests and blast through the handful of keys on that page.
The site is likely generating the pages on the fly. You can type directory.io/<any number up to x>
x = 904625697166532776746648320380374280100293470930272690489102837043110636675
Somebody did set up a website somewhere that allowed users to see if their private key was in the "database". It would jump them to the correct page and steal their private key in the process.
I didn't like them potentially stealing my revenue, so I implemented this feature myself. The pluses beside the private key are permalinks.
Thanks for clarifying. Even though you may not have bad intentions, there are several points of failure, e.g. server logs falling into the wrong hands, a man-in-the-middle attack (using HTTP), etc.
Maybe put a big disclaimer in red on top of every page.
> The site is likely generating the pages on the fly.
The site is definitely generating hashes on the fly. There is not enough known storage in the universe for all possible 32 byte private keys. To be more precise, 1E77 is within a few orders of magnitude of the estimated number of atoms in the universe.
Directory.io is not phishing. It is impossible that someone finds an address that has ever been used by anyone (aside from people sending coins to the first one for fun).
The problem is that some moron can enter his private key there, to see what the site says about it. Then if the owner reads the server logs, he can read the private key. To be clear, never ever never ever never ever put your private key in a random website.
I hope that most morons only know the public address (that is a hash of the public key), and don't know about the private key that is stored in a wallet. In https://www.google.com/search?q=site:Directory.io the numbers are too low, so they are probably only a few random keystrokes, not "real" private keys.
> The problem is that some moron can enter his private key there, to see what the site says about it. Then if the owner reads the server logs, he can read the private key. To be clear, never ever never ever never ever put your private key in a random website.
You would think that the word "private" in "private key" would give them a clue... or do most people now not really understand the concept of privacy anymore?
So, I've always had a bad feeling about brain wallets. They make me uncomfortable. The fact that some folks consider them more secure than a random private key is even more worrisome. There is the fear of an exploit of your computer, which is valid. It's very, very common. But, if your computer is exploited the exploiter could still obtain your brain wallet if you use it on that computer. Cold storage of your private keys, protected with a passphrase, on a couple of USB flash drives in two locations seems the obvious choice for safely protecting your cryptocurrency. Yes, there are still potential exploits. When you plug those drives into an exploited computer, you're potentially exposing yourself.
I think we need a lot more security awareness among the general population before Bitcoin becomes a mainstream thing. Right now, it's simply too dangerous to use Bitcoin with most people's security practices and their understanding of security.
Brainwallets are secure, but need to be more than just words.
"foo bar baz" is a terrible passphrase, for instance. "foo bar baz lyndsy@lyndsysimon.com" is a much better passphrase - it's trivial to use a bit of personal information as a salt, thereby providing substantial protection against non-targeted attacks.
Say I have a private key with some money. All I have to do is type 'importprivkey <private key>' in a new client and the money shows up (am I missing something)?
If everyone randomly starts entering a couple of completely random combinations, is there a finite possibility that someone might simply steal a wallet? Is it like spinning a wheel of fortune?
"Imagine you hide some money in a hole in the ground, and take note of its GPS coordinates. Now imagine someone publishing a list of all valid GPS coordinates on the planet, down to 10cm resolution. In that list, there will also be the position of your money."
There are 2^160 different public keys; the chance of hitting one of them accidentally is so vanishingly small that it doesn't even warrant thinking about. The improbability of this event is literally the basis of all cryptology: big keyspaces are difficult to bruteforce without unlimited resources and unlimited energy.
If you analyse it as probability it makes a lot more sense than intuitively thinking about it. A login & a password combination can also be seen as a unique string combination and so is 2FA i.e. a 3 string combination. Not really multiple levels of security mathematically.
Yes, there is a finite probability of just guessing a very fat wallet via a random guess. But there is also a finite probability that a briefcase with a million dollars in it gets caught in a tornado and falls out of the sky onto your head.
I'm not sure which finite probability is larger, but I'm not holding my breath for either one.
edit: oh, the units came from the grand-parent post to yours, but wouldn't the correct conversion be "2^-160 Earth surface areas"? That's actually bigger than the Planck area, but still stupidly small.
The human mind can't generate enough entropy to create a secure brainwallet in that way. However, the reverse is permissible: use Bitcoin Armory or Electrum to generate a wallet, and then you should memorize the BIP39 mnemonic: https://github.com/bitcoin/bips/blob/master/bip-0039.mediawi...
Using the passphrase as both the salt and password for the PBKDF2 step strikes me as suspicious, but as I don't do crypto for my day job I'm not sure how bad this is (or isn't).
The directory.io thing is really interesting. I assume the idea is that the site does the calculation in some way that in theory produces a full set of results and they hope that Google will index more and more of them over time, thus allowing a search for some public keys to find the corresponding private key. It seems like Google does index a few pages (including some higher number ones), but not too many.
Edit2: This is one of those basic security things I have trouble getting an intuitive grasp of (but need to). How much can being able to determine a random small part of a random large key space hurt? I've worried about this before with 256-bit key spaces and been reassured with calculations, but I still don't intuitively get it.
It's not interesting really, it just takes the page number and generates the keys for that particular page on the fly. Google will most certainly never find anything, if nothing else the CPU of the server is a severe bottleneck when you're talking about 2^160 keys. You could load pages on that webserver until the sun becomes a red giant and consumes the earth, and you wouldn't have covered even the smallest percentage of the keyspace.
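As an added example (not code from directory.io or from anyone in the thread), the arithmetic that makes the "generated on the fly" explanation checkable: the page count quoted upthread is exactly the secp256k1 group order divided by 128 and rounded up, so each page is nothing but 128 consecutive key integers derived from the page number. The curve order is a public constant; 128 keys per page is an assumption inferred from that quoted figure.

```python
# secp256k1 group order: valid private keys are the integers 1 .. N-1.
# (Public curve constant, not a value taken from the thread.)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

# Assumption: 128 keys per page, inferred from the page count quoted upthread.
KEYS_PER_PAGE = 128

# Page count quoted in the thread, kept only so the check below can compare.
QUOTED_PAGE_COUNT = 904625697166532776746648320380374280100293470930272690489102837043110636675


def total_pages(keys_per_page: int = KEYS_PER_PAGE) -> int:
    """Pages needed to list every key 1 .. N-1 (ceiling division on big ints)."""
    return -(-(N - 1) // keys_per_page)


def keys_on_page(page: int, keys_per_page: int = KEYS_PER_PAGE) -> range:
    """The private-key integers a page shows. Nothing is looked up: the page
    number alone determines them, which is why no storage is involved."""
    if not 1 <= page <= total_pages(keys_per_page):
        raise ValueError("page out of range")
    first = (page - 1) * keys_per_page + 1
    last = min(page * keys_per_page, N - 1)
    return range(first, last + 1)


def page_for_key(k: int, keys_per_page: int = KEYS_PER_PAGE) -> int:
    """Inverse mapping: which page a given private-key integer lands on."""
    if not 1 <= k <= N - 1:
        raise ValueError("not a valid secp256k1 private key")
    return (k - 1) // keys_per_page + 1


def years_to_load_all_pages(pages_per_second: float) -> float:
    """How long a crawler (or Google) would need to request every page once."""
    return total_pages() / pages_per_second / (365.25 * 86400)


def matches_quoted_count() -> bool:
    """True if ceil((N-1)/128) reproduces the figure quoted in the thread."""
    return total_pages() == QUOTED_PAGE_COUNT


if __name__ == "__main__":
    print("pages:", total_pages())
    print("matches quoted figure:", matches_quoted_count())
    print("first page starts:", list(keys_on_page(1))[:3], "...")
    print("years at 1e9 pages/s: %.3g" % years_to_load_all_pages(1e9))
```

At a billion page loads per second the crawl still needs on the order of 10^58 years, which is the quantitative form of the red-giant remark above.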
Deterministically generating wallets is just dumb. It's the exact opposite of randomly generating wallets. We spend all this time on making things cryptographically secure and then mess it up by using a tiny subset of the keyspace.
It's trivial to use a "large" subset of the keyspace if you have any clue whatsoever about information theory. Just pull ten words uniformly at random from a list of the 4096 most common, hash them, and you've got yourself a 120 bit key right there. (Or even hash them another 128 times to give yourself an effective 7 bits of extra security.)
However, obviously idiots who will pick a 2 word passphrase should not be encouraged to use a brainwallet.
Perhaps this comment will start a good discussion, or maybe people won't like it because I'm one of the thieves mentioned. I'm the owner of the 1brain7kAZxPagLt2HRLxqyc3VgGSa1GR address.
First, for those curious, the passphrases of the wallets taken from so far:
The implementation isn't particularly exciting. I have a PostgreSQL database containing a single `address` table storing (address, privKey, passphrase). Of course, the passphrase doesn't actually need to be stored, but I kept it around to satisfy my own curiosity. I run a modified bitcoind client that checks each transaction it hears about (in CTxMemPool::accept) to see if any of the outputs are in my database. If they are, a transaction is created, signed and broadcast to send the same number of BTC (minus fees) to 1brain7kAZxPagLt2HRLxqyc3VgGSa1GR.
I just wanted to point out that, when I started this, it was not for financial gain. I simply saw it as a fun and interesting exercise about the Bitcoin protocol. I wanted to see if I was capable of "winning the race" -- trust me when I say there are loads of people out there "mining" brainwallets, and whoever's transaction is included in a block first tends to win and get the Bitcoin. I never expected to gain over 1 BTC; I think I got rather lucky. My database contains 19,412,020 passphrases (mostly single passwords, actually) which all came from various wordlists I found online. I consider this to be a fairly small dictionary, based on what I've read about other people doing the same thing. I originally had plans to make the database much bigger, however I've since moved on to other projects.
Remember -- if you experiment with adding these "trivial" keys to your wallet, some software may generate transactions that return change to those exact keys (and it will be stolen in an instant). It's happened before.
Yes, if you use a weak seed on a service like brainwallet to deterministically generate your keypair then it is quite easy to brute force / dictionary attack your private key. This is why clients like Electrum force you to use a long passphrase that they themselves generate. This really isn't new or novel.
Side note: I ran this attack months ago and you would be shocked at how many weak passphrases actually had money in them at some point.
The alt-coin NXT has a big problem with this. They pretty much _only_ support brain wallets. The clients have these giant warnings if you use a pass-phrase shorter than 30 chars, but it still happens and a lot of new users get their money stolen 3 seconds after they get it. Some new clients use a real wallet, but that move can't come fast enough!
According to the classic xkcd on this subject (https://xkcd.com/936/), 4 random common words provide 44 bits of entropy, which is easily crackable (you can do a hell of a lot more than 1000 guesses/sec).
Something that uses key stretching like WarpWallet might be acceptable: https://keybase.io/warp/
You get something like 17 bits of password strength per word, depending on the size of your dictionary. (The relevant xkcd estimates more like 11 -- which makes sense because /usr/share/dict/words has a lot of obscure words, shitty words, and alternate forms of words, that you would probably exclude when generating a password.)
So if you want a passphrase that's secure against brute force, you'd want more like 7-12 words.
Not if those 4 words are in the dictionary. Crackers are definitely aware of this password generation technique and it isn't hard to run through 4 word combinations from a dictionary.
In the end, the best password right now is a 16+ character random password made up of uppercase letters, lowercase letters, numbers and symbols. Use a password manager to manage and store your passwords.
It depends on the size of your dictionary. If you want to run through all combinations of 4 words from a 131072 word dictionary you need to test 2^68 combinations.
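As an added example (not code from anyone in the thread), the two derivations this discussion keeps contrasting, side by side, together with the word-count arithmetic behind the 44-bit, 17-bits-per-word and 2^68 figures above: a brainwallet key is a single SHA-256 of a human-chosen phrase, while the BIP39 seed suggested upthread is 2048 rounds of PBKDF2-HMAC-SHA512 over a machine-generated mnemonic, salted with the string "mnemonic" plus the optional passphrase. The BIP39 construction and its published test vector are from the BIP; the sample phrases are constructed inputs.

```python
import hashlib
import math
import unicodedata

# "Brainwallet" scheme discussed in the thread: the 32-byte private key is a
# single unsalted SHA-256 of a human-chosen phrase, so one guess costs one hash
# and the only defence is the entropy of the phrase itself.
def brainwallet_privkey(passphrase: str) -> bytes:
    return hashlib.sha256(passphrase.encode("utf-8")).digest()


# BIP39 seed derivation as specified in the BIP (not this post's design): the
# mnemonic is the PBKDF2 password, the salt is the literal string "mnemonic"
# followed by the optional passphrase, 2048 rounds of HMAC-SHA512, 64-byte
# output. The mnemonic encodes 128-256 bits of machine-generated entropy, which
# is the point of the "do it in reverse" suggestion upthread.
BIP39_ROUNDS = 2048

def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    pwd = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", pwd, salt, BIP39_ROUNDS, dklen=64)


# Entropy of n words drawn uniformly and independently from a list of d words.
# Only holds for random selection; a phrase a person "thinks of" has far less.
def phrase_bits(n_words: int, dict_size: int) -> float:
    return n_words * math.log2(dict_size)


# Key stretching multiplies the attacker's cost per guess; in bits it adds
# log2(rounds), so 128 extra hashes buy 7 bits and PBKDF2's 2048 rounds buy 11.
def stretch_bits(rounds: int) -> float:
    return math.log2(rounds)


# Expected time to exhaust 2**bits guesses at a given rate.
def years_to_exhaust(bits: float, guesses_per_sec: float) -> float:
    return 2.0 ** bits / guesses_per_sec / (365.25 * 86400)


if __name__ == "__main__":
    # Constructed sample inputs: the xkcd phrase the thread mentions, and the
    # all-zero-entropy mnemonic from the BIP39 published test vectors.
    print(brainwallet_privkey("correct horse battery staple").hex())
    print(bip39_seed("abandon " * 11 + "about", "TREZOR").hex())
    for words, d in ((4, 2048), (4, 131072), (10, 4096)):
        b = phrase_bits(words, d)
        print(f"{words} words from {d}: {b:.0f} bits, "
              f"{years_to_exhaust(b, 1e9):.3g} years at 1e9 guesses/s")
```

Note that stretching only shifts the cost by a constant factor: 2048 PBKDF2 rounds on a 44-bit phrase still leaves an attacker with 55 bits of work, not a 128-bit seed.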
Brain wallets should never be used.
Even experts fail at picking phrases with enough entropy.
Full stop.
You should be very careful with your Bitcoin.
I would go with one of the zero trust multisignature wallets because I like 2-factor and I don't like the idea of some malware taking the funds away at will when it finds a key in memory.
Warp Wallet has had a 20 BTC bounty on cracking an 8-bit alphanumeric password for a few months now, still unclaimed: https://keybase.io/warp
There are safe(r) ways to use a brain wallet, but it shouldn't be done without understanding the math and the risks. At the end of the day, redundant and physically secure paper wallets will always be the best option.
I guess scrypt makes it much harder in memory requirements to bruteforce dictionaries and famous phrases/documents, although still risky with keyloggers.
The most promising web wallet I've seen so far is https://greenaddress.it which seems pretty much like "Electrum" online but with two factor, which in theory means a local keylogger can't steal your bitcoin.
Directory.io first of all does not contain all private keys - it's more of a joke.
Anyway, if a brain wallet has a weak password, you have quite a good chance of cracking it easily. But you have to know that it's a brain wallet. But using a brain wallet is just silly.
Also, don't forget cracking private keys using weak signatures, although good luck finding someone who has a wallet and a weak signature...
I really don't know much about the technical details of bitcoin, but why is a bitcoin address tied to a specific key pair?
Why isn't the address+balance just signed with a key pair?
That way my knowing a key pair wouldn't get me an address with a balance in it...
Is there something I'm missing?
EDIT:
I guess it doesn't matter, since the address space is so large.
Either way, if I were targeting an account, I would know what key pair to attack...
Bitcoin wallets are surprisingly tricky to implement. Use a good one that a lot of others are using, not the edgy one. Don't try to customize your key pair, just use what's generated for you. Split the wallet you spend from from the one that has real money on it. Back up the real one with a paper wallet and keep that safe.
People should really understand the "phrase" part in "passphrase". I can't really have any sympathy for people who are apparently computer savvy enough to create a bitcoin wallet and then protect it with "blah".
OK, I get why this is downvoted. It's a bit of a throwaway comment, and the problem is not with the users I guess - although I do feel in this case people should know better. But let me elaborate:
Really the only way people now get educated is by using enforced formats on password fields [1].
Those are not solid in any way, nor is the proposed 4 random words method (although better).
But both are still better than allowing people to use weak passwords when it's involving money.
Every bank these days has 2-factor auth to allow transactions.
Sure someone can phish your credentials from whatever, but the transaction authorization itself is only one-time, while with Bitcoin you can transfer money if you've stolen the wallet.dat and can bruteforce the key...
There is no protection (throttling, locking) on bruteforcing wallets.
Usually with banks, or most 2-factor auth implementations, there is.
I didn't downvote either comment, but complaining about downvotes is typically the very most effective way of ensuring your comment blends into the background here. :P
tl;dr: Forensic Accounting is the way the Feds busted Al Capone for tax evasion; they never did pin a murder rap on him.
Even if no one is cooking the books a shop like Mt. Gox needs Forensic Accountants anyway, because someone could always have made an honest mistake.
I myself Found Religion the day I decided I'd grown weary of a ten-cent error in my QuickBooks. It took me eighteen hours to realize that it was two separate errors that totalled ten cents, as well as to locate the actual errors.
(Now I use GnuCash. There's a damn good reason for double-entry accounting; GnuCash uses it but Quicken and QuickBooks do not!)