Hard to guess! Long! Complex! Unique!
Coming up with strong passwords is hard.
That’s certainly the impression you get from things like the annual list of password groaners: “123456,” anyone?
Still hanging on to that No. 1 spot, six years running!
We already know that even rocket scientists can blow it.
But you’d imagine that people tech-literate enough to use Bitcoins might be a bit better at coming up with strong passwords to protect the wallets where Bitcoin addresses and corresponding keys are stored, right?
Not all the time. It turns out that Bitcoiners are also capable of creating easily guessed groaners.
Think Arnold Schwarzenegger, or dudewheresmycar.
But according to new research, the so-called “brain wallets” that some Bitcoiners are using to store their Bitcoin valuables are dangerous, because even passphrases you’d probably think were secure enough can be cracked with a brute-force attack.
Researchers at the International Association for Cryptologic Research (IACR), University College London’s Nicolas Courtois and Guangyan Song, and White Ops’ Ryan Castellucci, took a look at the secp256k1 elliptic curve used by at least hundreds of thousands of users in Bitcoin and other cryptocurrencies, publishing their results in this paper (PDF).
But first, you might wonder: what’s elliptic curve cryptography (ECC)?
As Nick Sullivan – who worked on cryptography at Apple for a number of years – explained in an article he wrote for Ars Technica, fittingly titled A (relatively easy to understand) primer on elliptic curve cryptography, ECC is a set of algorithms for encrypting and decrypting data and exchanging cryptographic keys.
The TL;DR version from Sullivan:
ECC is the next generation of public key cryptography, and based on currently understood mathematics, it provides a significantly more secure foundation than first-generation public key cryptography systems like RSA. If you’re worried about ensuring the highest level of security while maintaining performance, ECC makes sense to adopt.
There’s been much discussion about the security of various ECCs, including secp256k1.
In 2013, rumor had it that the National Security Agency (NSA) had worked with the National Institute of Standards and Technology to create a backdoor in the Dual Elliptic Curve Deterministic Random Bit Generator (Dual_EC_DRBG), a pseudorandom number generator designated as a standard for encryption.
At any rate, the researchers’ conclusion, as they put forth in a recent paper (PDF): security-wise, things are pretty dismal.
They present what they say are the first detailed benchmarks on secp256k1 elliptic curve implementations used in Bitcoin brain wallets.
First, the researchers came up with a way to examine passwords in brain wallets 2.5 times faster than the state-of-the-art implementation presented at DEFCON 23 last August.
(As Cryptocompare defines it, a brain wallet is a standard wallet – basically the Bitcoin equivalent of a bank account – that generates its address by hashing a passphrase to create a private key and therefore a public key and resultant address.)
In order to compare their results with the DEFCON 23 attack, the group benchmarked their implementation and the software released at DEFCON on an Amazon server.
The team used an Amazon EC2 m4.4xlarge instance.
Based on Amazon’s current price for that service, the team managed to implement the brain wallet attack at the piddly cost of USD $1 per 17.9 billion passwords checked.
It cost them less than $60 – $55.86, to be precise – to check a trillion possible passwords, and the attack yielded 18,000 passwords.
They cracked what they said were “some quite difficult ones”.
And then too, there were the not exactly what you’d call difficult ones.
They provided this list of passwords and pass phrases, some of which are drop-dead easy for a dictionary-based attack to crack, but at least one of which is tougher (though obviously still crackable):
- say hello to my little friend
- to be or not to be
- Walk Into This Room
- party like it’s 1999
- yohohoandabottleofrum
- dudewheresmycar
- dajiahao
- hankou
- {1summer2leo3phoebe
- 0racle9i
- andreas antonopoulos
- Arnold Schwarzenegger
- blablablablablablabla
- for the longest time
- captain spaulding
Their conclusion: a brute force attack with $55 worth of Amazon crunching could buy an attacker a whole lot of Bitcoin passwords stored in brain wallets:
Our research demonstrates again that brain wallets are not secure and no one should use them.
Jonas
Dear Lisa.
Thank you for your article, but I have absolutely no clue about what this has to do especially with brain wallets….!?
You just stated that nearly every chosen password can be cracked (probably anyone if enough money and time is there), but what has this to do especially with brain wallets? It's like saying “your Facebook password isn't safe” or “your online banking password isn't safe”! It's not that kind of “neutral” journalism every journalist is supposed to do, at least in my point of view…
Kind regards
Jonas
Paul Ducklin
The difference is that you can’t have 18 trillion guesses at your Facebook password, because you can’t do an offline attack. What the researchers are claiming is that the brain wallet crypto might not be strong enough in the face of an offline attack…
Anonymous
Why is it you STRESS it is Bitcoin repeatedly when you clearly stated the problem lies with ALL CURRENCY WALLETS, not just Bitcoin? People like you thrive on creating controversy wherever you can, and it is ridiculous to try to cause issue for a certain group, when all crypto has the same goal. Stop promoting your personal beliefs and report fairly like you are supposed to do when you have the ear of the community. Put the facts out and let them decide, not based on your obvious contention for Bitcoin. I hold many coins, so I am not devoted to only Bitcoin, but it gets incredibly tiring to hear all negativity associated with crypto to be put solely on the back of Bitcoin due to sub-par reporting by people such as yourself.
Paul Ducklin
The reason that we used the words “Bitcoin brain wallets” in the headline is that the article is about the cryptographic protection that is used by Bitcoin brain wallets. I think that’s fair enough, don’t you?
Anonymous
Even your headline is full of bias
Anonymous
Just because some people hash weak passwords and use it as privkey does not make brainwallets useless as the misleading title says. And that hashing has nothing to do with secp256k1 elliptic curve that is used to sign the transactions. Anyway, proper brainwallets are defined in BIP32 and are still solid and sound.