14 DAY TRIAL // An experiment on generating brainwallets, presented at the DefCamp security conference in Bucharest over the weekend, iterated once more a warning issued multiple times by security experts about the insecurity of the system.
Yet, despite the alerts, people continue to rely on it without adding extra-security to their bitcoin wallets, such as providing a long enough unique phrase that cannot be replicated with ease.
Large password dictionary has been used
During his research, Alexandru Andrei, security engineer at Safetech Innovations, managed to generate brainwallets holding a total of 126 bitcoins. At today’s exchange rate, this would have translated into $48,000 / €38,600; however, at the time of the experiment, the bitcoin stash was worth about $81,000 / €65,100.
The Brainwallet system works by taking the passphrase and creating a hash from it, which is then converted into a private key and then into the bitcoin address; the hashes are not salted, which means that the same private key and wallet is generated when entering the same passphrase.
Relying on a short, common string of characters increases the possibility of someone using the same phrase to generate a wallet. In this case, multiple individuals would have access to the same bitcoin address.
This is exactly what the security expert did. Relying on a collection of 26GB of passwords that have been leaked online, he generated bitcoin addresses and then checked which were active in the bitcoin blockchain.
The process took about three months to complete and he relied on public APIs to retrieve the information and validate it.
More than half of the passwords led to a brainwallet
Andrei found that 60% of the leaked passwords corresponded to brainwallets generated by someone else. Out of these, 20% were active bitcoin wallets meaning that they stored a certain amount of digital currency. Obviously, the digital currency was left untouched.
This method is not new, but it is surprising that it still works, after security experts drew attention to the issue.
Creating a wallet this way would be feasible in case access to a previously created one is lost, which is based on the private key. However, the phrase should in no way be used as a password for other services. Most importantly, it should be long enough and customized (drop a few intentional typos) in order to make sure that it cannot be replicated by a third party.
The recommendation from Alexandru Andrei is to avoid this system and use encryption to protect the wallet, as well as enable two-factor authentication (2FA) for secure access.
