Two security papers have recently been released, showcasing the overall insecurity of bitcoin brain wallets. Speed Optimizations in Bitcoin Key Recovery Attacks and The Bitcoin Brain Drain: A Short Paper on the Use and Abuse of Bitcoin Brain Wallets. Both list Ryan Castellucci as an author, among other researchers. Castellucci recently made headlines by revealing how insecure brain wallets are during a presentation at DefCon earlier this year.
Brain Wallets were once seen as the ideal solution to bitcoin’s address problem. The 256-bit numbers that serve as Bitcoin users’ password and secret identifier called a private key, have one major problem: they aren’t easily memorized. Brain Wallets take a more easily remembered password, usually created by the user, and utilize the SHA256 algorithm to turn it into a valid Bitcoin private key. Users can then use that password to regenerate their key at anytime.
In August, Castellucci proved that brain wallets are less secure than previously thought. Obviously, easy to remember passwords like “password” are quickly cracked but according to researchers even “quite difficult” passwords were cracked using their methods. One major issue with brain wallets is that they are not cryptographically salted which would add some randomness and therefore difficulty to them.
Nevertheless, the researchers have determined, after examining 300 billion candidate passwords, that 884 brain wallets were used at some point and that nearly all of them were drained, most likely not by their legitimate owner.
The method Castellucci developed is significantly faster than the method he presented at DefCon in August. While that method was capable of checking over 520 million passwords while spending only $1 on Amazon’s Cloud Computing Services (EC2) the new method can check a mind boggling 17.9 billion passwords per dollar spent on EC2 and a trillion passwords can be checked spending under $56. Using this method, Castellucci and his team were able to recover around 18,000 passwords.
Some of the passwords were obviously insecure, like “party like its 1999” and “andreas antonopoulos” others, like “{1summer2leo3phoebe” would supposedly take “9 quadrillion years” to crack from a desktop PC, according to howsecureismypassword.net, but that proved not to be the case using Castellucci’s method and common words lists.
The researchers estimate that there about a dozen serious brain wallet hackers in cyberspace. The hackers apparently compete to see who can drain wallets the fastest, which means they often haven’t been laundering their ill-gotten gains, preferring instead to let their wallets stand as a testament to their skills. The researchers determined that most brain wallets are drained within 24 hours, with many of them being drained minutes after their creation.
In the early days of the internet, before web browsers and domain name registries, users often kept a book of IP addresses that would connect them to their favorite databases. Many hoped that brain wallets would be Bitcoin’s version of that, something that simplified the experience and made memorizing or storing long strings of numbers something of the past.
It seems that Bitcoin will have to wait a bit longer before getting its killer feature that makes it usable by the general population. In the meantime, we strongly advise that users halt using brain wallets and if you have a brain wallet with any significant amount of bitcoin in it, we suggest you quickly move it.
We will have more when information becomes available. The latest paper will be presented later this month at the Financial Cryptography and Data Security 2016 conference.
[Shout out to fastcompany and Arstechnica]