Bitcoin Brain Wallet Version 2
What people currently refer to as a "brainwallet" is simply a passphrase run through a single SHA-256; the result is used directly as the private key for a bitcoin address. The problem is that an attacker can download the blockchain and then run very fast attacks, hashing any text they can find to see if it hashes to a key that controls an address holding some bitcoins. When they find one, they drain that address.
They can do this very fast, since a single SHA is quite cheap. This leads to sadness. The answer is key stretching. The short version is that a deliberately slow function sits between the passphrase and the key, so that testing each candidate costs real time: for instance, feed the output of one SHA back in as the input of the next, a million times in a row.
That means it is a million times more expensive for an attacker to test each possible password. Then you make it even better by adding in a salt, something unique to the user. This makes the attacker do much more work, because nothing can be precomputed once and reused: each different salt gives a different input to the million SHA operations, so the work has to be redone for every user.
Key stretching is usually discussed in terms of a user entering a password to gain access to something. In that situation the user is only willing to wait a short time, maybe a few seconds at most. For bitcoin users protecting their wealth, this isn't necessarily a concern. If an address is used as long-term offline storage, a few minutes might be a tolerable delay.
That means we can get a little silly. Why stop at a million hashes when we could do far more and make each attack really expensive? Also, people have computers with multiple cores.
Why not use them all? The key derivation functions usually used are serial in nature: you take the output from one operation and use it as the input of the next. But there is no reason we can't construct a tree of them and use all our cores. The key is broken up into segments, one to be worked on by each thread. The thread work can be parallelized, or even distributed to multiple computers if you are so inclined.
Our objective here is to cost an attacker as much CPU time as possible while keeping the user's wall time 'reasonable'.
Let's say our attacker has some number of cores at his disposal. If each password try takes a fixed amount of CPU time, it doesn't matter to him whether the derivation is parallel or single-threaded. If it is parallel, he runs it across his cores. If it is single-threaded, he runs it on one core and tries other passwords on the remaining cores. In either case, his limiting factor is how many cores he has. However, for our user, who has just one password to run and multiple cores, parallelism reduces his wall time (how long he is looking at his watch waiting for this thing to finish) without making it any easier on the attacker.
So parallelism is a clear win for us in terms of costs. I've picked numbers that make use of at most a fixed number of cores and take about one minute on a fairly modern setup.
I've specifically made the numbers not easily tunable, because if you use different numbers, that is one extra thing you need to remember to recover your key.
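As an added example (this is not fireduck's code, and the post does not give its real constants or exact layout), the following Python sketches the tree-shaped construction described above: the cheap v1 scheme for comparison, then a salted derivation that runs a fixed number of independent scrypt chains in parallel and folds them into one 32-byte key. The function names, the chain and round counts, and the scrypt parameters are assumptions sized so the example finishes in seconds; a real deployment would use far larger, equally fixed numbers.

```python
import hashlib
import hmac
import time
from concurrent.futures import ThreadPoolExecutor

# Fixed parameters. As the post argues, these are part of the recipe: change any
# of them and the same passphrase + salt yields a different key. The values are
# assumptions chosen so the example finishes in a few seconds.
CHAINS = 4          # parallel stretching chains (one per core)
CHAIN_ROUNDS = 4    # serial scrypt calls inside each chain
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # per-call scrypt cost, 16 MiB
KEY_LEN = 32        # a secp256k1 private key is 32 bytes


def brainwallet_v1(passphrase: str) -> bytes:
    """The scheme the post criticises: one cheap SHA-256, no salt, no stretching.
    An attacker tests millions of candidates per second against this."""
    return hashlib.sha256(passphrase.encode()).digest()


def _slow_hash(data: bytes, salt: bytes) -> bytes:
    """One expensive, memory-hard step (scrypt, as the post suggests)."""
    if hasattr(hashlib, "scrypt"):
        return hashlib.scrypt(data, salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                              p=SCRYPT_P, dklen=KEY_LEN)
    # Fallback for Python builds without OpenSSL scrypt: keeps the example
    # runnable, but PBKDF2 is not memory-hard, so FPGAs/GPUs attack it cheaply.
    return hashlib.pbkdf2_hmac("sha256", data, salt, 20_000, KEY_LEN)


def _chain(passphrase: bytes, salt: bytes, index: int) -> bytes:
    """One serial chain of the tree: every call consumes the previous output,
    so the rounds inside a chain cannot be parallelised by us or the attacker."""
    # Give each chain its own starting point so the chains are distinct work.
    value = hmac.new(salt, passphrase + index.to_bytes(4, "big"),
                     hashlib.sha256).digest()
    for round_no in range(CHAIN_ROUNDS):
        value = _slow_hash(value, salt + bytes([index, round_no]))
    return value


def derive_key(passphrase: str, salt: str, workers: int = CHAINS) -> bytes:
    """Return 32 bytes of private-key material for passphrase + salt.

    `workers` only decides how many chains run at once; the output and the
    total CPU work are identical for workers=1 and workers=CHAINS. That is the
    post's point: parallelism cuts the user's wall time, not the attacker's
    cost. hashlib's scrypt and pbkdf2 release the GIL, so threads use real cores.
    """
    p, s = passphrase.encode(), salt.encode()
    with ThreadPoolExecutor(max_workers=workers) as pool:
        segments = list(pool.map(lambda i: _chain(p, s, i), range(CHAINS)))
    # Fold the chain outputs into one value, then one last serial step so the
    # final key depends on every chain.
    folded = hashlib.sha256(b"".join(segments)).digest()
    return _slow_hash(folded, s)


def timings(passphrase: str, salt: str) -> dict:
    """Wall-clock and process CPU seconds for a serial and a parallel run."""
    out = {}
    for label, workers in (("serial", 1), ("parallel", CHAINS)):
        wall0, cpu0 = time.perf_counter(), time.process_time()
        derive_key(passphrase, salt, workers=workers)
        out[label] = (time.perf_counter() - wall0, time.process_time() - cpu0)
    return out


if __name__ == "__main__":
    # Constructed sample input; "fireduck" stands in for the post's real salt.
    print("v1 key:", brainwallet_v1("correct horse").hex())
    print("v2 key:", derive_key("correct horse", "fireduck").hex())
    for label, (wall, cpu) in timings("correct horse", "fireduck").items():
        print(f"{label:8s} wall {wall:6.2f}s  cpu {cpu:6.2f}s")
```

Running the script prints roughly the same CPU seconds for the serial and parallel runs but a shorter wall time for the parallel one, which is the cost asymmetry the post relies on. Note that the fold step is not what makes the scheme strong: every chain already depends on the passphrase, so an attacker must recompute all of them for each candidate regardless.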
So the modern 12-core machine I'm using to test can do all of this in about 60 seconds. Let's say this is equivalent to an Amazon EC2 c3 instance. Let's also assume that someone can build their own computers or rent them elsewhere, but the price will be about the same.
So my challenge key below has 2. So it could cost an attacker on average 2. I expect someone will do it anyway, but probably more for fun than profit. Two words is just too weak. Maybe they can get that down by 10x using FPGAs big enough to run memory-intensive scrypt. This still means that even with a weak password of only two words, most likely no one will ever bother to find it. Of course computers get faster and the price of Bitcoin changes, so build in some buffer.
My recommendation would be to use something like Correct Horse Battery Staple, with 4 or 5 words.
When used as an Electrum seed: I have stored 0. The salt is 'fireduck gmail'. The password is two words from the Electrum word list, in lower case, with a single space between them, just like in the test vector. Whoever finds the password first is free to take the bitcoin. My guess is that no one ever will without using many more CPU years than it is worth. It is only 2. Here is the address:

This sounds suspiciously like ... You had me at 'bitcoin'.
How do I use this thing already?