Two new research papers confirm what bitcoin developers have feared: brain wallets leave users' money vulnerable to theft.
Ryan Castellucci, working with other researchers, published findings in two papers—"Speed Optimizations in Bitcoin Key Recovery Attacks" and "The Bitcoin Brain Drain"—after his August presentation at DefCon exposed the weakness in a common security technique. Brain wallets promised to solve a fundamental problem with bitcoin security: the 256-bit private keys that authenticate transactions are impossible for humans to remember. Developers proposed an elegant solution. Users would create a memorable password. Software would run that password through the SHA256 algorithm to generate a valid private key. The password itself became the backup—lose your computer, and you could still recover your funds by regenerating the key from memory.
The problem came down to salt. Brain wallets apply no cryptographic salt to passwords before hashing them, which means attackers encounter no added randomness to slow them down. Castellucci's team examined 300 billion candidate passwords and found 884 brain wallets that had been used. Thieves drained nearly all of them. The original owners never authorized those transactions.
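To make the salt point concrete, here is an added example (not code from the papers or from any wallet software) contrasting the classic unsalted brain-wallet derivation with a salted, stretched derivation; the PBKDF2 parameters and the `alice`/`bob` sample passphrases are constructed for illustration, and the secp256k1 group order is the standard constant.

```python
import hashlib

# Order of the secp256k1 group; a private key must be an integer in [1, N-1].
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def brainwallet_key(passphrase: str) -> bytes:
    """Classic brain-wallet derivation: the raw SHA256 of the passphrase is the key.

    No salt and no stretching: the same passphrase always yields the same key, so a
    single hash of a candidate passphrase can be compared against every wallet at once.
    """
    return hashlib.sha256(passphrase.encode("utf-8")).digest()


def salted_stretched_key(passphrase: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Illustrative hardened alternative (not a standard bitcoin wallet format):
    a per-user salt plus PBKDF2 stretching. A guess has to be recomputed for every
    salt, and each recomputation costs `iterations` HMAC-SHA256 calls, not one hash.
    """
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, iterations, dklen=32)


def is_valid_secp256k1_scalar(key: bytes) -> bool:
    """A 32-byte digest is usable as a private key only if it lies in [1, N-1]."""
    k = int.from_bytes(key, "big")
    return 1 <= k < SECP256K1_N


def hash_operations_per_guess(num_wallets: int, iterations: int, salted: bool) -> int:
    """Hash operations needed to test ONE candidate passphrase against num_wallets wallets."""
    return num_wallets * iterations if salted else 1


if __name__ == "__main__":
    # Constructed scenario: two users independently pick the same weak passphrase.
    shared = "password"
    unsalted = {u: brainwallet_key(shared) for u in ("alice", "bob")}
    salted = {u: salted_stretched_key(shared, u.encode() + b"-salt") for u in ("alice", "bob")}
    print("unsalted keys identical:", unsalted["alice"] == unsalted["bob"])   # True
    print("salted keys identical:  ", salted["alice"] == salted["bob"])       # False
    print("ops per guess, unsalted:", hash_operations_per_guess(884, 200_000, salted=False))
    print("ops per guess, salted:  ", hash_operations_per_guess(884, 200_000, salted=True))
```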
His August method checked 520 million passwords for one dollar of computing time on Amazon's EC2 service. Castellucci's new technique outpaces that approach by orders of magnitude. He can now check 17.9 billion passwords for a dollar, or a trillion passwords for under $56. He and his team recovered around 18,000 passwords using this method.
Some passwords were trivial: "password", "party like its 1999", "andreas antonopoulos". Others seemed to resist conventional attack. The password "{1summer2leo3phoebe" would need 9 quadrillion years for a hacker to crack using a standard desktop computer, according to password strength calculators. Castellucci's method cracked it in minutes, paired with lists of common words and phrases.
Attackers drain brain wallets within hours of creation, most within a day and some within minutes. Castellucci estimates that about a dozen people operate as professional brain wallet hunters, competing to drain newly-created wallets before anyone else. These attackers don't bother laundering the stolen coins—they keep them on public addresses as proof of their hacking abilities.
The brain wallet concept wasn't new to bitcoin. In the early days of the internet, before the web existed, people maintained printed directories of IP addresses they wanted to reach. Bitcoin developers hoped brain wallets would be the equivalent: the feature that would make the network as simple as memorizing a password. That dream is dead. Castellucci will present the papers later this month at the Financial Cryptography and Data Security 2016 conference. Bitcoin users who have coins in brain wallets should move them elsewhere now. These papers prove the vulnerability. The risk is real.