It will cost attackers only $1 to check 17.9 billion possible Bitcoin passwords, $55.86 to check 1 trillion

Feb 10, 2016 12:40 GMT

Three researchers have published a paper that details a new method of cracking Bitcoin "brain wallet passwords," which is 2.5 times speedier than previous techniques and incredibly cheap to perform.

Bitcoin is a cryptocurrency that, despite using advanced cryptography functions to secure and protect transactions, at its core is quite easy to grasp, and most users can start using it right away.

Bitcoin accounts, called wallets, are distinguished from one another using an "address" that plays the role of a username. A Bitcoin address is a string ID of between 26 and 35 alphanumeric characters.

People who set up a Bitcoin account are also supplied with a private key so they can access their wallet and later authorize transactions.

If the user loses this private key, they lose their only method of accessing a wallet. In most cases, users are supplied with an automatically generated private key when they register an account, which they can change later on.

The Brain Wallet technique

One of the most common practices for setting up a Bitcoin wallet is the "Brain Wallet" technique. Users can visit special sites or use special applications, sometimes embedded within Bitcoin wallet services, to enter a regular text-based passphrase.

This passphrase is then converted using the SHA-256 hash algorithm into a 256-bit number that becomes the Bitcoin wallet's private key.

In case the user loses their private key, they can always reproduce it by converting their passphrase into a 256-bit number via the SHA-256 algorithm.

Passwords chosen via the Brain Wallet technique can be cracked

Unfortunately, this is not a safe method to create Bitcoin private keys, which White Ops security researcher Ryan Castellucci proved last summer at the DEFCON 23 security conference in Las Vegas, USA.

Expanding on his work, two researchers from University College London have targeted the secp256k1 elliptic curve algorithm used in Bitcoin's internal make-up.

The two devised a method that's 2.5 times faster at cracking Bitcoin private keys created through the Brain Wallet method.

The researchers used their technique against real-life Bitcoin wallets and managed to crack 18,000 passwords. Some of the passwords included silly passphrases like:

► say hello to my little friend
► to be or not to be
► party like it's 1999
► yohohoandabottleofrum
► dudewheresmycar
► andreas antonopoulos
► Arnold Schwarzenegger
► blablablablablablabla
► for the longest time
► captain spaulding

The researchers also revealed that, by using a run-of-the-mill Amazon EC2 account, an attacker would be able to check over 500,000 Bitcoin passwords per second.

For each US dollar spent on renting the EC2 server, an attacker would be able to check 17.9 billion password strings. To check a trillion passwords, it would cost the attacker only $55.86 (€49.63).
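The passphrase-to-key conversion described under "The Brain Wallet technique" and the per-dollar figure above can be combined into a quick risk estimate. The sketch below is an added example, not code from the paper or its authors; the function names and the passphrase schemes are assumptions made for illustration, and only the 17.9 billion guesses per dollar rate comes from the article.

```python
import hashlib
import math

# Order of the secp256k1 group: a valid private key k satisfies 1 <= k < N.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
# Rate quoted in the article: passwords checked per US dollar of EC2 time.
GUESSES_PER_DOLLAR = 17.9e9


def brainwallet_private_key(passphrase: str) -> int:
    """One unsalted SHA-256 pass: the same passphrase always gives the same key."""
    key = int.from_bytes(hashlib.sha256(passphrase.encode("utf-8")).digest(), "big")
    if not 1 <= key < SECP256K1_N:
        raise ValueError("digest falls outside the valid secp256k1 key range")
    return key


def entropy_bits(choices_per_symbol: int, symbols: int) -> float:
    """Upper bound: assumes every symbol is an independent, uniform pick."""
    return symbols * math.log2(choices_per_symbol)


def cost_usd(guesses: float) -> float:
    """Dollar cost of checking `guesses` candidates at the article's rate."""
    return guesses / GUESSES_PER_DOLLAR


def expected_search_cost_usd(bits: float) -> float:
    """On average half of the candidate space is checked before a hit."""
    return cost_usd(2.0 ** bits / 2)


if __name__ == "__main__":
    # Constructed passphrase schemes, not data from the paper. Human-chosen
    # phrases (quotes, lyrics, names) sit far below these uniform-pick bounds.
    schemes = {
        "8 lowercase letters": entropy_bits(26, 8),
        "4 words from a 7,776-word list": entropy_bits(7776, 4),
        "12 words from a 2,048-word list": entropy_bits(2048, 12),
        "random 256-bit key": 256.0,
    }
    for name, bits in schemes.items():
        print(f"{name:32s} {bits:6.1f} bits  ~${expected_search_cost_usd(bits):.3g}")
    print(f"1 trillion guesses: ${cost_usd(1e12):.2f}")
```

Because the derivation has no salt and no key stretching, the strength of the wallet is exactly the strength of the passphrase, which is why the estimate depends only on how many candidates have to be checked.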

The conclusion of this research is that users should stay away from using common passphrases to generate Bitcoin private keys. Despite the complex cryptography utilities used to build Bitcoin, the service's security can still be sabotaged by the poor practices users employ when choosing passwords for online accounts.

You can read more about this method in the "Speed Optimizations in Bitcoin Key Recovery Attacks" research paper, published on the International Association for Cryptologic Research website.