Oddly enough, the website brainwallet.org which is used to create most brainwallets seems to be in itself malicious. nullc on reddit makes an interesting comment about it.
> "Yes, the creator of Brainwallet.org got his start with password based private keys by cracking them. Here is an old IRC log extract I pulled out for someone else who didn't believe this: https://people.xiph.org/~greg/brainwallet.txt*
More recently he really was in IRC asking for information on faster cracking mechanisms, right after whining about needing money. But uh, he might have just been trying to further convince himself that brainwallets really are secure and that it's really the users fault (or a MITM on the site) when they get robbed.
I'm less inclined to assume malice, and more inclined to assume that he's clueless— both of the insecurity of these schemes, the acceptability of blaming the victims when users inevitably choose poor keys, and how scammy his own actions look. But thats just my own impression.
When you choose to use something like that you should start with the assumption that the creator is malicious and ask yourself why its safe to use anyways. For the Bitcoin reference software you can point to the large amount of open public review, processes which prove the binaries agree with the source, etc. For brainwallet.org? Not much.
So if ever you find the prospect that the creator of something might be a bit black-hat and this concerns you thats potentially a red-flag."
Probably more concerning, the first "random" key the website displays is "correct horse battery staple", which people get their funds stolen from almost constantly.
"correct horse battery staple" is a reference to xkcd [0]. Its not meant to be "random" and not meant to be used by anyone. I assume that people who send funds to that address are fully aware that anyone can access them.
I doubt it, they've sent almost 5BTC over 2300 transactions to that address so far. I personally know somebody who got caught out with it, and another with the static change address in the transaction view of the same site.
About a year ago, I generated the Bitcoin addresses derived from single-word passphrases in the English language. I then came across a "top 1000 passwords" list from a large site hack, and added those as well.
Finally, I set up a script that watched Blockchain.info's Websockets endpoint and checked every destination address against the list.
I quickly noticed that there were a large number of ~0.05 BTC transactions to these addresses, and a network analysis showed that many of them ended up in the same handful of addresses. Those addresses were tagged on Blockchain.info as being the destination for coins used to buy off the writer of the ransomware that was making the rounds at the time.
None of the money sat at those addresses for more than a couple of minutes. I'm fairly sure that the coins aren't being stolen from those addresses, but merely quickly run through in a feeble attempt to launder coins.
ETA: I suppose I should add that I didn't take any balances. I was merely satisfying my own curiosity.
> "Yes, the creator of Brainwallet.org got his start with password based private keys by cracking them. Here is an old IRC log extract I pulled out for someone else who didn't believe this: https://people.xiph.org/~greg/brainwallet.txt*
More recently he really was in IRC asking for information on faster cracking mechanisms, right after whining about needing money. But uh, he might have just been trying to further convince himself that brainwallets really are secure and that it's really the users fault (or a MITM on the site) when they get robbed.
I'm less inclined to assume malice, and more inclined to assume that he's clueless— both of the insecurity of these schemes, the acceptability of blaming the victims when users inevitably choose poor keys, and how scammy his own actions look. But thats just my own impression.
When you choose to use something like that you should start with the assumption that the creator is malicious and ask yourself why its safe to use anyways. For the Bitcoin reference software you can point to the large amount of open public review, processes which prove the binaries agree with the source, etc. For brainwallet.org? Not much.
So if ever you find the prospect that the creator of something might be a bit black-hat and this concerns you thats potentially a red-flag."
Probably more concerning, the first "random" key the website displays is "correct horse battery staple", which people get their funds stolen from almost constantly.
http://blockr.io/address/info/1JwSSubhmg6iPtRjtyqhUYYH7bZg3L...