Brainwallets: A cautionary tale

Thursday 27 February 2014

Last week I wrote about the rock-solid security of the bitcoin protocol, and how the issue of transaction malleability we’ve heard so much about does not pose an existential (or even a serious) threat to bitcoin. Most exchanges got on top of the problem within just a few days – if they needed to fix anything at all. The problems over at Mt Gox may have been compounded by a hack that exploited this loophole in their implementation of the wallet software, but by all accounts they certainly don’t begin and end there. Whatever’s going on with the world’s first and once largest bitcoin exchange, transaction malleability is the least of their worries right now.

There are, however, more serious threats to bitcoin’s security – and they all come down to human error and human malice. In this article I want to take a look at ‘brain wallets’, and why the immense convenience they offer is very often a major security flaw.

There is already plenty of bitcoin malware circulating the internet – applications that steal from your wallet, exploiting not the bitcoin protocol itself but the interface between you and the wallet software. A chain is only as strong as its weakest link, and if your wallet is vulnerable thanks to poor security practices, this represents a far easier way to steal your coins than trying to guess your private key. As I wrote last week, this is a 256-bit number, which is essentially unguessable – not just for any computer made with existing technology, but within the laws of physics as we currently understand them.

To avoid malware and online wallet hacks, it’s advised that you keep large quantities of coins offline. Essentially, this means generating a private key on a computer that is not connected to the internet, and sending bitcoins to its associated address. Cold storage is a great idea, and gives bitcoin holders the peace of mind that their coins won’t be stolen by hackers. But writing these numbers down poses its own security threat, since anyone who finds them could steal your bitcoins. Some people prefer not to create physical cold wallets, instead memorising their private keys. The problem is that random 256-bit numbers, or 32-byte character strings, aren’t at all easy to remember. And that brings me on to brainwallets, one of the best and worst ideas in the bitcoin ecosystem.

Brainwallets attempt to answer the problem that private keys are hard to memorise. The human mind does not like randomness. So brainwallets generate a private key from a word or phrase. Done well, they are almost as secure as a randomly-generated private key.

Done badly, using a brainwallet is a little bit like leaving the keys to Fort Knox hidden under a rock by the back door.

What brainwallets allow you to do is

  • ‘Secure’ your bitcoins with a memorable passphrase
  • Trade the unbreakable 256-bit security of the bitcoin protocol for the strength of a lucky guess.

Guess the passphrase
Every year, tech magazines publish lists of the most popular passwords. Some of them are staggeringly unimaginative: 123456, password1, iloveyou, and so on. Thousands of people secure their email and other applications with passwords that can be (and routinely are) easily guessed. The same, unfortunately, is true of brainwallets.

In the course of researching this article, I generated a number of private keys from a series of phrases I thought someone, somewhere might have used. Within a few minutes, I had a list of private keys that corresponded to addresses that had, indeed, once held bitcoins. No longer though – and therein lies a cautionary tale. Once you realise why they are empty, you’ll see there’s no reason I shouldn’t pass on some of the list I came up with, which included gems such as:

  • bitcoin
  • password
  • password1
  • 1234

Why are these addresses empty? I hope because the owners have moved the funds somewhere more secure. But the reality is that it’s more likely there are bots carrying out sophisticated dictionary attacks on them. As soon as these addresses receive funds, they are swept into other accounts. If you want to test the theory, try transferring a small amount of bitcoins into one of them and see how long it stays there. These addresses are empty because hackers are sweeping them of bitcoins – and the balances of other addresses associated with millions of other words and phrases – every day.
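To make the trade described in the two bullet points above concrete, and to show why the sweeping bots described in this section have such an easy job, here is an added Python example; it is not code from this article or from any brainwallet generator. It assumes the classic brainwallet derivation, private key = SHA-256(passphrase), which the article does not state for the tool it used, and its list of common phrases is constructed (the article’s four examples plus a few well-known bad passwords). The audit function shows that the derived key is always 256 bits long, but that what an attacker actually has to search is the passphrase space, which for a phrase on a public list is tiny; for comparison it also reports what searching a truly random 256-bit key would cost at the same guess rate.

```python
import hashlib
import math
import secrets

# Constructed "common passphrases" list. The first four are the article's own
# examples; the rest are typical entries from published worst-password lists.
# A real pre-use check would consult a large breached-password corpus.
COMMON_PHRASES = [
    "bitcoin", "password", "password1", "1234",
    "123456", "iloveyou", "letmein", "satoshi",
]


def brainwallet_private_key(passphrase: str) -> str:
    """Classic brainwallet derivation: private key = SHA-256(passphrase).

    Assumption for this example: the article does not name its generator.
    There is no salt and no work factor, so every attacker computes exactly
    the same hash, and the same phrase always yields the same key.
    """
    return hashlib.sha256(passphrase.encode("utf-8")).hexdigest()


def random_private_key() -> str:
    """What a normal wallet does instead: 256 bits straight from the OS CSPRNG."""
    return secrets.token_bytes(32).hex()


def is_known_weak(passphrase: str) -> bool:
    """True if the passphrase is on the weak list (case- and whitespace-insensitive)."""
    normalised = passphrase.strip().lower()
    return normalised in {p.lower() for p in COMMON_PHRASES}


def seconds_to_exhaust(entropy_bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every one of 2**entropy_bits candidates."""
    return 2.0 ** entropy_bits / guesses_per_second


def audit_passphrase(passphrase: str, guesses_per_second: float = 1e9) -> dict:
    """Report where a brainwallet's real security lies.

    The key is always 64 hex characters (256 bits), but the attacker only has
    to search the passphrase space. For a listed phrase that space is the
    list itself. For an unlisted phrase we deliberately report the effective
    entropy as unknown: absence from one list proves nothing.
    """
    on_list = is_known_weak(passphrase)
    effective_bits = math.log2(len(COMMON_PHRASES)) if on_list else None
    return {
        "private_key": brainwallet_private_key(passphrase),
        "known_weak": on_list,
        "effective_bits": effective_bits,
        "seconds_to_exhaust": (
            seconds_to_exhaust(effective_bits, guesses_per_second) if on_list else None
        ),
        "seconds_for_random_256bit_key": seconds_to_exhaust(256, guesses_per_second),
    }


if __name__ == "__main__":
    # "bitcoin" is one of the article's examples; the second phrase is constructed.
    for phrase in ("bitcoin", "my dog ate the blue umbrella in 1997"):
        print(phrase, "->", audit_passphrase(phrase))
    print("random key:", random_private_key())
```

Run it and the contrast is the whole point of this section: the listed phrase is exhausted in nanoseconds at a billion guesses per second, while the random key at the same rate reports a number of seconds with more than sixty digits. Note that the audit refuses to put a number on an unlisted phrase rather than pretending to measure its strength; the Afrikaans poem quoted further down was not on anyone’s published list either.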

What makes a good brainwallet?
Back in 2012 Gavin Andresen wrote a blog post entitled ‘DO NOT USE A BRAINWALLET! YOU ARE LIKELY TO LOSE YOUR COINS!’ You can guess the gist of it, but it’s well worth a read because it shows just how bad we are at understanding the kinds of numbers involved and the speed at which a fast computer running a well-written algorithm can guess them.

The more complicated a brainwallet password, the harder it is for even a malicious script running a complex dictionary attack to find. However, it’s also harder to remember, and memorability is the whole point of a brainwallet. Gavin Andresen writes:

‘So: is it impossible for people to create a secure brainwallet? Passwords/passphrases don’t work – because we share so much (popular culture, language, education), even when told “think of something nobody else will think of” we’re likely to think of something similar to what lots of other people pick.
Here’s a proposal for a brainwallet scheme that I think might be secure:
Create a secure brainwallet by combining:

  • Your Full Legal Name

So my secure brainwallet might be: “Gavin Anthony AndresenI have eleven hovercraft full of eels!Okey dokey: patches welcome.”’
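What Gavin’s recipe buys you, expressed as code: the full legal name works as a per-user salt, so a single precomputed dictionary no longer unlocks every wallet that shares a passphrase, and a deliberately slow key-derivation function makes each guess expensive. This is an added Python example, not Gavin’s code or the article’s; the choice of PBKDF2-HMAC-SHA256, the iteration count and the name normalisation are this example’s assumptions and are not part of Gavin’s proposal.

```python
import hashlib
import time

# Work factor for PBKDF2-HMAC-SHA256. This number is an assumption of the
# example, not something the article or Gavin's post specifies. Whatever it
# is, an attacker pays it on every single guess.
ITERATIONS = 100_000


def derive_key_plain(passphrase: str) -> str:
    """Unsalted, unstretched: one SHA-256 per guess, identical for every user."""
    return hashlib.sha256(passphrase.encode("utf-8")).hexdigest()


def normalise_name(name: str) -> bytes:
    """Collapse case and whitespace so 'Gavin  Andresen' and 'gavin andresen' agree.

    A salt that is remembered rather than stored must be reproducible exactly,
    or a stray capital letter locks the owner out of their own coins.
    """
    return " ".join(name.split()).lower().encode("utf-8")


def derive_key_salted_stretched(name: str, passphrase: str,
                                iterations: int = ITERATIONS) -> str:
    """Name (Gavin's first ingredient) as per-user salt, PBKDF2 as work factor.

    Same passphrase with a different name gives a different key, so a
    dictionary computed against one person is useless against another.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", passphrase.encode("utf-8"), normalise_name(name),
        iterations, dklen=32,
    ).hex()


def measure_cost_ratio(name: str, passphrase: str,
                       iterations: int = ITERATIONS, plain_samples: int = 2000) -> float:
    """Roughly how many plain-SHA-256 guesses fit in the time of one stretched guess."""
    t0 = time.perf_counter()
    for _ in range(plain_samples):
        derive_key_plain(passphrase)
    plain_each = max((time.perf_counter() - t0) / plain_samples, 1e-9)
    t1 = time.perf_counter()
    derive_key_salted_stretched(name, passphrase, iterations)
    stretched = time.perf_counter() - t1
    return stretched / plain_each


if __name__ == "__main__":
    # Names and passphrase taken from this article; the wallets are illustrative.
    for who in ("Gavin Anthony Andresen", "Brandon Hurst"):
        print(who, "->", derive_key_salted_stretched(who, "password"))
    print("plain guesses per stretched guess: %.0f"
          % measure_cost_ratio("Gavin Anthony Andresen", "password"))
```

The salt does nothing for someone whose passphrase is a top-ten password and whose name is public: the attacker simply targets them by name. It does stop the indiscriminate sweeping described earlier, where one dictionary run hits every wallet at once, and the work factor turns a billion guesses a second into a few thousand. Neither substitutes for a passphrase with real entropy.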

How secure is secure?
Gavin’s example isn’t particularly easy to remember. What’s the minimum level of complexity required to keep your coins safe? I don’t know, but this thread from Reddit suggests you need to be far more careful than you might think:

‘Just lost 4 BTC out of a hacked brain wallet. The pass phrase was a line from an obscure poem in Afrikaans. Somebody out there has a really comprehensive dictionary attack program running.’

Bitcoin itself is secure. Too often the way we use it is not.


By Brandon Hurst