Bitcoin brain wallets are useless, like Bitcoiners’ passwords

Hard to guess! Long! Complex! Unique!

Coming up with strong passwords is hard.

That’s certainly the impression you get from things like the annual list of password groaners: “123456,” anyone?

Still hanging on to that No. 1 spot, six years running!

We already know that even rocket scientists can blow it.

But you’d imagine that people tech-literate enough to use Bitcoins might be a bit better at coming up with strong passwords to protect the wallets where Bitcoin addresses and corresponding keys are stored, right?

Not all the time. It turns out that Bitcoiners are also capable of creating easily guessed groaners.

Think Arnold Schwarzenegger, or dudewheresmycar.

But according to new research, the so-called “brain wallets” that some Bitcoiners are using to store their Bitcoin valuables are dangerous, because even passphrases you’d probably think were secure enough can be cracked with a brute-force attack.

Researchers at the International Association for Cryptologic Research (IACR), University College London’s Nicolas Courtois and Guangyan Song, and White Ops’ Ryan Castellucci, took a look at the secp256k1 elliptic curve used by at least hundreds of thousands of users in Bitcoin and other cryptocurrencies, publishing their results in this paper (PDF).

But first, you might wonder: what’s elliptic curve cryptography (ECC)?

As Nick Sullivan – who worked on cryptography at Apple for a number of years – explained in an article he wrote for Ars Technica, fittingly titled A (relatively easy to understand) primer on elliptic curve cryptography, ECC is a set of algorithms for encrypting and decrypting data and exchanging cryptographic keys.

The TL;DR version from Sullivan:

ECC is the next generation of public key cryptography, and based on currently understood mathematics, it provides a significantly more secure foundation than first-generation public key cryptography systems like RSA. If you’re worried about ensuring the highest level of security while maintaining performance, ECC makes sense to adopt.

There’s been much discussion about the security of various ECCs, including secp256k1.

In 2013, rumor had it that the National Security Agency (NSA) had worked with the National Institute of Standards and Technology to create a backdoor in the Dual Elliptic Curve Deterministic Random Bit Generator (Dual_EC_DRBG), a pseudorandom number generator designated as a standard for encryption.

At any rate, the researchers’ conclusion, as they put forth in a recent paper (PDF): security wise, things are pretty dismal.

They present what they say is the first detailed benchmarks on secp256k1 elliptic curve implementations used in Bitcoin brain wallets.

First, the researchers came up with a way to examine passwords in brain wallets 2.5 times faster than the state of the art implementation presented at DEFCON 23 last August.

(As Cryptocompare defines it, a brain wallet is a standard wallet – basically the Bitcoin equivalent of a bank account – that generates its address by hashing a passphrase to create a private key and therefore a public key and resultant address.)

In order to compare their results with the DEFCON 23 attack, the group benchmarked their implementation and the DEFCON released software on Amazon server.

The team used an Amazon EC2 m4.4xlarge instance.

Based on Amazon’s current price for that service, the team managed to implement the brain wallet attack at the piddly cost of 17.9 billion passwords checked per USD $1.

It cost them less than $60 – $55.86, to be precise – to check a trillion possible passwords, and the attack yielded 18,000 passwords.

They cracked what they said were “some quite difficult ones”.

And then too, there were the not exactly what you’d call difficult ones.

They provided this list of passwords and pass phrases, some of which are drop-dead easy for a dictionary-based attack to crack, but at least one of which is tougher (though obviously still crackable):

  1. say hello to my little friend
  2. to be or not to be
  3. Walk Into This Room
  4. party like it’s 1999
  5. yohohoandabottleofrum
  6. dudewheresmycar
  7. dajiahao
  8. hankou
  9. {1summer2leo3phoebe
  10. 0racle9i
  11. andreas antonopoulos
  12. Arnold Schwarzenegger
  13. blablablablablablabla
  14. for the longest time
  15. captain spaulding

Their conclusion: a brute force attack with $55 worth of Amazon crunching could buy an attacker a whole lot of Bitcoin passwords stored in brain wallets:

Our research demonstrates again that brain wallets are not secure and no one should use them.

Image of easy password courtesy of