I'm Ryan Castellucci and I am here today to talk about cracking brain wallets. A quick disclaimer, just because somebody's passphrase is terrible does not give you the right to steal their money. Please don't do it. Don't blame the victim. Don't be a jerk. Pretending people don't choose shitty passphrases doesn't help. So brain wallets are not a good idea. If you want to use something that works kind of like a brain wallet but is actually secure, there's this thing called WarpWallet. It's a lot better and if you use it with eight Diceware words, everything will be great. So don't use brain wallets. If you are using one, please move your money out of it. Somebody lost $14,000 worth of Bitcoin just last week from one. Really quick overview about what a cryptocurrency is. Electronic money using cryptography to secure it. We don't need a bank or government to run one of these. Transfers work very similarly to checks. You sign the money over to somebody else, except instead of ink on paper, it's cryptographic signatures on a blockchain. A big problem with this for a long time was how to keep people from spending the same money twice. Bitcoin solves this with a public transaction log. Transfers are identified by accounts. So it's pseudonymous. Bitcoin, Litecoin, Dogecoin, Defcon, we have Defcoin. And control of the private key is control of the money. A brain wallet is a little thing built on top of this. You need a private key but you can't memorize a private key really. It's a long string of hex. So you can turn a pass phrase into a private key with a hash. And then knowledge of the pass phrase becomes control of the money. Why do people like this? Well, the first thing they think is plausible deniability. If there's no record on my computer or anything of me making this thing, then if somebody asks me about it, I can just say, no, it doesn't exist and they can't prove me wrong. Not actually quite true.
If blockchain is pseudonymous, you can track the transactions. It's just tricky. The other thing that people say is, oh, well, fifth amendment protection against government seizure. Well, sure, but you don't need a brain wallet to do that. An encrypted wallet gives you the same protection and is far more manageable. And then there's the old meat is a better random number generator than silicon because you can't back door meat. But you don't need to back door meat because it just comes up with shitty passwords and pass phrases. So this doesn't really work very well. So remember that cryptocurrency transactions are public. People are working on adding privacy to that, but it's not really there yet. Brain wallet addresses show up in the transactions. And the same address. So if you look at all of the addresses, you can just check them to see if there's a matching brain wallet. So a weak pass phrase can be guessed. And that $14,000 was sent to the pass phrase of, yeah, an empty string. There's a certain brain wallet tool site where that's the default pass phrase. And somebody just used it. So here's how a brain wallet tool works. You start with a pass phrase. I'm sure you've all heard of correct horse battery staple. First thing we do is run it through SHA-256. The address is treated as a 256-bit integer. And that's your private key. The next thing we do is compute the public key. So an interesting thing is that there are actually, well, one, this step is the most CPU intensive step of the whole process. And two, there's actually two different ways you can represent a public key. Compressed and uncompressed. For a long time uncompressed was the default. Most brain wallets still default to this. There's also the compressed format, which is basically a truncated version where you spend a little bit more CPU time to restore the part that's left out. And you can usually pick which one you want to use. So then we have a public key. We put this through SHA-256 as well. 
But that's still kind of long. So we also put it through RIPEMD-160, which is another somewhat obscure hash algorithm. Most transactions use this as the on-network and on-disk format. And, well, 160 bits in hex is kind of unwieldy for a person. And if you made any typos, the money would be gone forever. So there's Base58Check. The first character identifies which cryptocurrency it goes to. The rest of it is base 58 encoding with a checksum. So if you typo it, it probably will catch your typo. So brain wallets make the blockchain into a public hash database. So what do we ask when a password hash database is made public? Well, the first thing is, are the passwords, in fact, hashed? Well, yes, they are. Are they salted? No. Is the hash slow to crack? Well, kind of not slow enough, it turns out. Cracking yields money. This is a fantastic motivation for password crackers, it turns out. So back in 2013, I came across this blog post talking about brain wallets. Somebody made a bunch of them as tests to see how long it would take people to crack them. I thought this was interesting. And, you know, I had a half hour each way commute on a train. So I wrote a cracker over the course of the week, using C and OpenSSL. So it would take in a long list of hash160s from a file and then on standard in I could pass it passwords and passphrases. No real reason to build in my own password or passphrase generation because there's lots of other tools that will do that, and it writes results out to standard out. So I have a Core i7 that's about four or five years old at this point and it was able to do about 10,000 guesses per second. And like a lot of people here, I find it somewhat interesting to go through password leaks and crack the hashes. So I had a bunch of word lists sitting around so I just had to feed it some of them. I was not prepared for the results.
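The four-step pipeline just described, as an added example written for this transcript (it is not brainflayer's or any brain wallet site's code). It uses the same "correct horse battery staple" passphrase; the curve constants are the published secp256k1 parameters, and the elliptic-curve arithmetic is a plain double-and-add, correct but far too slow for anything but a demonstration.

```python
"""Brain-wallet address derivation as described in the talk:
passphrase -> SHA-256 -> private key -> secp256k1 public key
-> SHA-256 -> RIPEMD-160 (hash160) -> Base58Check address.
Added example for this transcript; not brainflayer's code."""
import hashlib

# secp256k1 domain parameters (public constants from the curve standard)
P  = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N  = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
GX = 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798
GY = 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8


def _point_add(p1, q):
    """Affine addition on y^2 = x^3 + 7 over GF(P); None is the point at infinity."""
    if p1 is None:
        return q
    if q is None:
        return p1
    x1, y1 = p1
    x2, y2 = q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                      # p1 == -q
    if p1 == q:
        lam = (3 * x1 * x1) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def scalar_mult(k, point=(GX, GY)):
    """Double-and-add; this is the CPU-heavy step the talk singles out."""
    result = None
    while k:
        if k & 1:
            result = _point_add(result, point)
        point = _point_add(point, point)
        k >>= 1
    return result


def passphrase_to_privkey(passphrase: str) -> int:
    """Step 1: the private key is just SHA-256 of the passphrase, read as a 256-bit integer."""
    return int.from_bytes(hashlib.sha256(passphrase.encode()).digest(), "big")


def pubkey_bytes(privkey: int, compressed: bool = False) -> bytes:
    """Step 2: serialize priv*G. Uncompressed = 04||x||y (the old default);
    compressed = 02/03||x, and the receiver recomputes y from the curve equation."""
    x, y = scalar_mult(privkey)
    if compressed:
        return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")
    return b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")


def hash160(data: bytes) -> bytes:
    """Step 3: SHA-256 then RIPEMD-160 (needs an OpenSSL build that provides ripemd160)."""
    return hashlib.new("ripemd160", hashlib.sha256(data).digest()).digest()


_B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def base58check(version: int, payload: bytes) -> str:
    """Step 4: version || payload || first 4 bytes of double-SHA-256, written in base 58."""
    raw = bytes([version]) + payload
    raw += hashlib.sha256(hashlib.sha256(raw).digest()).digest()[:4]
    num = int.from_bytes(raw, "big")
    out = ""
    while num:
        num, rem = divmod(num, 58)
        out = _B58[rem] + out
    # every leading zero byte becomes a leading '1' (0x00 is Bitcoin's version byte)
    leading = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * leading + out


def brainwallet_address(passphrase: str, compressed: bool = False, version: int = 0x00) -> str:
    """Whole pipeline; version 0x00 is Bitcoin mainnet, altcoins differ only in this byte."""
    priv = passphrase_to_privkey(passphrase)
    return base58check(version, hash160(pubkey_bytes(priv, compressed)))


if __name__ == "__main__":
    for phrase in ["correct horse battery staple", ""]:
        print(repr(phrase), brainwallet_address(phrase), brainwallet_address(phrase, True))
```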
So I got this going and went to a picnic and then I got home and I saw "how much wood could a woodchuck chuck if a woodchuck could chuck wood." This is pretty funny. And then I ran the balance check script. It turns out that woodchucks can chuck about 250 bitcoins worth of wood. At the time this was $20,000. So being a good guy is hard. Running a dictionary attack is easy but the hard part is, well, being good. And I put myself in a wonderful little moral dilemma here because if I did absolutely nothing, you know, I'm not that smart. Somebody else will probably figure out how to do the same thing I just did and crack it and they might not be as nice as me. So I had to come up with something to do and in my flabbergasted state the only thing I could think of to do was call my friend Dan Kaminsky, an admitted white hat. So about an hour, hour and a half later I'm at Dan Kaminsky's place. All I have is Mr. Woodchuck's Bitcoin address and no direct way to contact him. So what do I do? Well, we talked a while and we came up with this idea of sending Chuck a few cents and then taking it back. For extra fun there's a tool called vanitygen. If you're not familiar with it, what it does is it generates a shit ton of private keys until you get one that starts with a prefix you choose. But it has to be pretty short otherwise it just takes forever. So, crude way to send a message. Cool. So my wife was there for moral support and she's listening to this and she pipes up with "yoink." If you're not familiar with that, it was perfect. So we send some money to Chuck, take the money back. At this point I should clarify, a Bitcoin address does not hold a balance. It holds a collection of previous transaction outputs. And so there's a separate 250 Bitcoin transaction output that belongs to Chuck and a .00031337 Bitcoin output that I just put there.
Hopefully Chuck will notice that this yoink address is actually able to take money back from him after sending it and freak out about that and move his Bitcoins. This was the plan anyway. So I send the money to Chuck and I try to take it back because it's kind of my money anyway and I'm not a thief. But the Bitcoin software had other plans, so I get the money back to the yoink address and the rest of it, the rest of Chuck's 250 Bitcoins, goes to some other address I don't recognize. You can imagine my reaction here. So Dan left for a while and told me to sort it out. So once I calm down a little bit, I remember how Bitcoin actually works. I made a little mistake. I thought it would just use the exactly right amount transaction output, which seems kind of reasonable. But it turns out that it will choose outputs automatically based on the product of size and age. Well, 250 Bitcoins that was put there several weeks ago is a lot higher priority than a few pennies that I just put there. So I got that. I got my fraction of a penny of Bitcoin sent back to the yoink address and my change went to some other address that the Bitcoin wallet generated for me. So I figured it out and I put the money back. I only borrowed Chuck's money for a few minutes. It was fine. So I do this for a few days and he doesn't seem to notice; the Bitcoin is all still there. So, you know, pseudonymous cryptocurrency, totally hard to trace, right? Well, I'm going to do it anyway. So I followed the Bitcoins and pretty quickly I find out that he was a miner from a Bitcoin mining pool called DeepBit, which it just so happened I happened to use in 2011 back when GPU mining was still a reasonable thing to do. So I got in touch with the guy who ran DeepBit and spent about an hour on IRC convincing him that I was both crazy. I'm sorry. Not crazy. And a good guy. He was actually really good.
He was like, well, no, I'm not going to give you this guy's email address but I'll pass along your contact information for you. I can't complain about that. So he does this and then the next morning I checked my email and I have this thing asking me who the hell I am and what the hell is wrong with his Bitcoins. The problem is I knew that the person I had gotten in touch with was the person who funded the brain wallet, which is not necessarily the rightful owner of the brain wallet. I figured the best way to sort this out was talk to the guy on the phone. So I did. He was really nice. I asked him if he knew what a brain wallet was and he said he did and I asked him if he had a bunch of money in a brain wallet and he said he did. And I explained that I knew what his pass phrase was and that I'm a nice guy but there are not nice people who are also smart. And I could hear his jaw hit the floor over the phone. So he was very, as I said, he was very nice. I didn't tell him that I borrowed his Bitcoins without asking. I figured it was better that way. So he didn't call the cops. In fact, he sent me two Bitcoins for my trouble which I actually gave to a friend as a wedding gift because I didn't want to make money off of the whole thing. And he moved his Bitcoin and he's fine. Nothing bad happened to him which is great. And he wasn't an idiot. I talked to him and he realized that choosing a standard password would not protect his Bitcoins. But how many people actually have a good intuition of what a password, a pass phrase cracker can actually do? Show of hands here. How many of you have used an obscure quote or song lyrics or something like that as the encryption key for a GPG wallet or disk encryption? Anyone? I don't believe you. Well, lots of people do. I've done it, certainly. And there's a post on Reddit about a year, year and a half ago.
Somebody had put a couple Bitcoins in a brain wallet and his pass phrase was a line from an obscure poem in Afrikaans. And it got stolen. So anyway, Chuck's okay. And the next thing for me to do is see if I can actually make my brain wallet cracker fast in order to just point out that, hey, this is a serious problem and if you use these things, you're going to get robbed. So, brainflayer. There's a new elliptic curve library that came out for Bitcoin called libsecp256k1, which is named after the curve Bitcoin uses. It's way faster. I got 130,000 pass phrases a second out of my machine. And I benchmarked this in EC2. 560 million pass phrases checked per dollar of spot instance time on c3.large instances. You can pretty easily call Amazon up and get your instance limit bumped. Mine is currently a couple thousand. With 1,000 instances and $175 you can check a trillion pass phrases in nine hours with this thing. But so remember this? XKCD. Yeah. So XKCD is not always right. Brainflayer can cover that search space with 1,000 instances in less than a week for about $2,800. And bad guys don't use EC2. Well, maybe, but there will be someone else's EC2 instances. So they don't have to pay for it. And they also have botnets. And these days a small botnet would be 100,000 nodes. If we want to get a nice lower bound we can assume that these nodes are 10% as fast as those EC2 instances, which aren't fast. And with that you can try 2 to the 48 pass phrases per day, which is about 275 trillion. That's a lot of pass phrases. If this still isn't fast enough for you there's still plenty of room for optimization and fancy math to make it go faster. And this can definitely be GPU accelerated. It can definitely be FPGA accelerated. It can even be ASIC accelerated. But I don't expect that to happen. Mining ASICs mine bitcoins. They can't do anything else. They can't even hash arbitrary data. They only hash blocks.
And if you want to get ASICs made for something you're going to be dropping a few million dollars to get a fab run done. I just don't see that happening. How brainflayer works. So the first thing you need to do is get a copy of the blockchain. The Bitcoin blockchain is currently about 40 gigs. Takes a few hours to download usually. Then you need to extract all the unique addresses from it. Then we got to preprocess those because checking them one by one would be slow as hell. Then we have our candidate passphrase generation. We feed those in and calculate the corresponding addresses. And we check them for matching addresses in the blockchain. If there's a match, win. Bitcoin currently has had about 80 million addresses used ever. I use a technique called a bloom filter to check all of them effectively simultaneously. Bloom filter is like maybe second or third year computer science stuff. If you don't know what it is go look it up on Wikipedia. I will give you a really brief explanation. But the important thing is that it either tells you no match or there's probably a match. So that means it has false positives, but you can clean those up later. The likelihood of a false positive depends on the parameters of the bloom filter and how many items have been inserted. With brainflayer's bloom filter parameters you get about one false positive in every 380 million passphrases with 100 million addresses inserted. But why 100 million addresses and not 80 million? Well, you can just crack multiple blockchains at once. It's just going to make your false positives a little bit higher. All of the altcoins use basically the same format. So load as many of them as you want in there. So you can check Bitcoin brain wallets, Dogecoin, Litecoin, whatever, all at the same time. And it doesn't slow you down. So brainflayer uses a 512 megabyte bloom filter. This is 2 to the 32 bits.
Nice round number. And each hash160 is mapped to 20 different bits in the bit mask. When we insert a hash160 we set the corresponding bits. To check whether or not the hash160 is present, we look through those bits one by one until we find one that is not set. If we find one that's not set we stop looking and say no match. If we get through to the end and they're all there we can say probable match. Normally with a bloom filter you would take your input and run it through a bunch of different hashes to generate the bits. You don't have to use a cryptographic hash for this. It just has to have a uniform distribution. Usually something like xxHash is used. But, well, it's called a hash160. It's already hashed. So we cheat. Just bit slice the thing. Cut it up into a bunch of chunks. Combine them in a few different ways. This turns out to work really well and it takes a few CPU cycles per hash160. Super fast. Candidate passphrase generation is a little tricky. Word lists for password cracking are really easy to find. Passphrase lists less so, so I did some scraping. Song lyrics, Wikipedia, Project Gutenberg, forums like Bitcointalk, Reddit, the cypherpunks mailing list, whatever. And then you've got all this raw data so you've got to clean it up. Every source is going to require different cleanup so I'm not going to go into how to do that, but use your favorite scripting language. It's not hard. Once you've got a clean list of phrases you can run rules against them. So you could try it with normal capitalization, all caps, all lower case, initial caps, with or without punctuation, with or without spaces. Some results. So the QTC one, I'm pretty sure somebody found and they just burned the coins. It got sent to an invalid address and so those coins are gone forever. It was about two bitcoins. I think that's a Texas Social Security number and "the persistence of memory" is the name of that melty clock painting by Dalí.
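The bloom filter just described, as an added example for this transcript (my own simplified version, not brainflayer's code): because a hash160 is already uniformly distributed, the 20 bit positions are taken by slicing it into 32-bit words and combining them instead of running extra hash functions. The sample hash160s are constructed stand-ins, not real addresses, and the demo filter is 2^24 bits rather than brainflayer's 2^32; the second function checks the talk's "one false positive in 380 million" figure from the standard bloom-filter estimate.

```python
"""Bloom-filter membership test for hash160 values, in the style the talk describes.
Added example for this transcript; the combining scheme below is my own choice."""
import hashlib
import math


class Hash160Bloom:
    K = 20                                   # bits set per hash160, as in the talk

    def __init__(self, log2_bits: int = 24):
        # brainflayer uses 2^32 bits (512 MB); 2^24 bits (2 MB) is enough for a demo
        self.mask = (1 << log2_bits) - 1
        self.bits = bytearray(1 << (log2_bits - 3))

    @staticmethod
    def _rotl(v: int, r: int) -> int:
        return ((v << r) | (v >> (32 - r))) & 0xFFFFFFFF

    def _positions(self, h160: bytes):
        """Derive K bit indices from the five 32-bit words of the hash160 (no extra hashing)."""
        assert len(h160) == 20, "hash160 must be exactly 20 bytes"
        w = [int.from_bytes(h160[i:i + 4], "little") for i in range(0, 20, 4)]
        for i in range(5):                   # 4 combinations x 5 words = K positions
            yield w[i] & self.mask
            yield (w[i] ^ self._rotl(w[(i + 1) % 5], 7)) & self.mask
            yield (w[i] + self._rotl(w[(i + 2) % 5], 13)) & self.mask
            yield (w[i] ^ self._rotl(w[(i + 3) % 5], 19)) & self.mask

    def add(self, h160: bytes) -> None:
        """Insert: set every bit the hash160 maps to."""
        for pos in self._positions(h160):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def probably_contains(self, h160: bytes) -> bool:
        """'No' is definitive; 'yes' must still be confirmed against the real address set."""
        for pos in self._positions(h160):
            if not self.bits[pos >> 3] & (1 << (pos & 7)):
                return False             # first unset bit ends the check early
        return True


def expected_false_positive_rate(m_bits: int, k: int, n_items: int) -> float:
    """Standard bloom-filter estimate (1 - e^(-kn/m))^k."""
    return (1 - math.exp(-k * n_items / m_bits)) ** k


def demo():
    # constructed stand-ins for blockchain hash160s (not real addresses)
    known = [hashlib.sha256(b"demo address %d" % i).digest()[:20] for i in range(1000)]
    bloom = Hash160Bloom()
    for h in known:
        bloom.add(h)
    hits = sum(bloom.probably_contains(h) for h in known)
    miss = bloom.probably_contains(hashlib.sha256(b"not in the set").digest()[:20])
    return hits, miss


if __name__ == "__main__":
    hits, miss = demo()
    print(f"{hits}/1000 inserted hash160s matched; unknown hash160 matched: {miss}")
    rate = expected_false_positive_rate(1 << 32, 20, 100_000_000)
    print(f"2^32 bits, k=20, 100M addresses: one false positive per {1 / rate:,.0f} candidates")
```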
That actually had bitcoin in it when I found it but I couldn't figure out how to contact the guy. He used bitcoin gambling sites but those don't make you register so I had no way to get in touch with him. I don't know if he cleaned it out himself or he got robbed, unfortunately. Even more, these ones were all very tiny amounts. So yeah, there were a lot of Ayn Rand quotes. A lot of them looked like they were just put there for people to find. They had like a tiny fraction of a penny in bitcoin in them, but good times. So I went through all of the ones that I was able to crack, added up to 733 bitcoins. I mean this is starting in 2011 and going through to, I think I scraped the blockchain last sometime in June. I didn't necessarily find any of these while they had a balance, but a lot of them did have money in them at one point and it's very, very hard to tell which ones were stolen from and which ones the owner just moved the money out of, and to be clear I did not take any of it with the exception of borrowing a little bit of Chuck's bitcoin for a few minutes on accident. So don't be Chuck. Any password or passphrase that you can come up with on your own can be found by a sufficiently clever guessing algorithm, and if somebody else came up with it it's going to end up in a word list or phrase list at some point. And there's just better ways to do this. There's a lightweight bitcoin wallet called Electrum. It does a nice little thing. It will randomly generate a master key and export this for you as 12 words. So you just remember those 12 words and you can restore your wallet, and it doesn't give you just one address. It gives you as many as you want. It's pretty convenient. And then, as I mentioned earlier, WarpWallet, which does support a salt; they recommend you use your email address. You could also use your full name or ID number or whatever, and it uses scrypt for hardening.
So I haven't actually benchmarked it but I would be impressed if you could make a hundred guesses a second against it. And then there's my personal favorite, encrypted paper wallets, which is where you print out an encrypted version of your private key. The encryption is hardened with scrypt so even if you find one of these things you still have to crack it, and if you know somebody found it and you have another one somewhere else, for example you keep one in a bank vault and one under your bed, you can get the other copy and move the funds before they crack it. I'm a big fan of this one. So a lot of people have spent a lot of time trying to figure out how to determine how strong a password or passphrase is. Really easy when it's computer generated randomness. If you're willing to assume the random number generator is good all you have to do is count the bits. Each bit doubles the strength; each 10 bits increases it by about a thousandfold. When a person chooses it, it's more complicated. Randomness and unpredictableness end up being more or less the same thing, and it's predictable. And I know you've all used plenty of sites that will give you a password strength meter and you've probably noticed that password strength meters don't agree with each other. The best one I've seen was made by a team at Dropbox. It's called zxcvbn. If you are confused by that name look at the bottom of the QWERTY keyboard. And it works pretty well but it does have its limitations and failure cases, most of which are caused by the inherently limited dictionary size that such a tool can have. I ran a few things through it. "Kwyjibo" rated as 42.2 bits of entropy, but that's a word that Bart Simpson played in Scrabble in an episode of The Simpsons so that's definitely in someone's word list. And then "1, 2, 3, 4, 5, 6, 7", which is the kind of combination an idiot would use on his brain wallet, rated as 92.9 bits of entropy, which would take centuries to crack.
So clearly these estimates are not credible. Microsoft did a study where they determined that the average user's password was about 40 bits in strength. What. You can make things a little better with key stretching, which is a must have in any modern encryption or password hashing application. The idea is you just make the hash take a lot of CPU time. If it's taking 100 milliseconds for the legitimate user's password to be checked it's not a big deal, but you're going to make a cracker really sad if they have to spend 100 milliseconds each time. Even if they super optimize it they're checking dozens or hundreds of passwords a second. It sucks for them. And brainflayer does 130,000 a second on one computer, and stretching could make that be one per second easily. Common algorithms: scrypt, bcrypt, sha512crypt (which is not the same as SHA-512), PBKDF2, similar sorts of stuff. There's a password hashing competition which was just recently completed. They announced their winner as Argon2. I really need to go read up about that. It sounds really interesting. You end up being able to increase strength in a lot of cases by about a million fold using key stretching and it's not that expensive of a trade-off. But you can do more. There's extreme key stretching. I came up with this and I've seen other people talk about it as well so it's not that clever of an idea. What you want to do is have a short value, say five digits, six digits, something like that, that is written down or stored on a disk. This is a shortcut. It's run through its own key derivation function. And if you have the shortcut and the pass phrase, it takes, you know, 100 milliseconds to a second to recompute the key or verify it. If you're missing the shortcut, you have to brute force it. The legitimate user having the pass phrase or password can recover their shortcut in a few hours to a day or so. But then the attacker has to spend that long on every pass phrase or password they check.
And who's got time for that? Pretty easy to generate a secure password or pass phrase. You generate it randomly. Diceware is great. And you might not be able to, if you have a bunch of these, you're not going to be able to remember them all, but hey, password managers can do that. But you need a master password for your password manager and you need to back up the password manager and then the backups can be cracked and it's just kind of turtles all the way down. You still have to memorize at least one strong pass phrase or password. I'm going to go over a little bit about what I've seen actual brain wallet thieves actually doing in the wild. There seems to be about half a dozen of them active currently. They're pretty sophisticated. I've seen them do crazy things like looking for brain wallets as part of multi-sig addresses. If you don't know what that means, don't worry about it. And they compete with each other. So they have to be fast. And they're not going to be fast enough manually, so they've got bots. Cracking with brainflayer or something like it isn't real time; it would be too slow. Rainbow tables are a lot faster than actually fully cracking, but they're also kind of slow. So lookup tables are really the only option. And some of these guys seem to have some pretty big lookup tables. If I were going to build one of these things, I haven't, but if I were, I'd go with a disk backed key value store using whatever NoSQL database is popular that day. Use a truncated hash 256 as the key, the pass phrase or private key as the value, whichever one's shorter. Then you just have to monitor the transactions. You can't just monitor the blockchain, you actually have to actively monitor the network, because by the time it's in a block somebody else who's monitoring transactions would have already gotten it. So you have to talk to the network and then when you see a private key or an address that you have a private key for, you just sweep it off to your own address.
And you do this faster than the other guys that are also doing this. So a $120 four terabyte hard drive should be big enough for about 64 billion passwords and pass phrases. In the wild, I am pretty sure I can confidently say that somebody's got one with at least 100 billion entries because they're able to instantly crack any random five character password I put out, including numbers, letters, special characters, symbols, instantly. And anything on common word lists also was stolen instantly, song lyrics, mini song lyrics, that sort of thing, it vanishes instantly. Six random characters I've tried a few of and the ones that I've made have not been stolen yet. So this is clearly a little bit too big, but brainflayer could go through that search space on EC2 for $1,300. If you actually want to memorize something secure, crypto mnemonics are the way to go. Diceware has been around forever; the idea is you take a big list of words, you roll some casino dice to pick words from that list and your pass phrase is made up of those words. Electrum, as I mentioned earlier, also exists. There's also pronounceable password generators. I don't think they work that well, but some people like them. Then there's structured generators. This is trying to not only come up with words, but to put those words together in meaningful combinations. You could do adjective, noun, verb tuples. You can use a Markov chain to generate things that look sort of like sentences. That sort of thing. It seems easy, it seems like it's going to be easy to remember. There's a lot of research going on on this though, and I expect this to improve in the wild soon. So your meat is predictable. Don't use it to generate passwords or pass phrases. Don't be robbed. So I figured I would make this fun for everyone. So Defcoin exists. It's a cryptocurrency for Defcon. There's the Coindroids contest. They use it.
And the Crack Me If You Can folks were kind enough to make me a bunch of passwords and pass phrases to use as brain wallets. So brainflayer will be online shortly. And I'm going to, over the next hour or so, make a bunch of Defcoin brain wallets. So if you want some Defcoin you can download brainflayer and hopefully be faster than everybody else here. And I will announce this on Twitter when it's actually done. Which should be within an hour or two. Any questions? You got it? Are we doing a line or am I just shouting at people? Yep. In fact somebody there, he asked, it seems the big problem here is that brain wallets just use SHA-256. He's exactly right. A popular site for making these things is brainwallet.org and they're on GitHub and somebody actually submitted a patch to upgrade it to a hardened hash. And the guy rejected the patch with some explanation of, oh well, elliptic curve public key derivation is slow so this is unnecessary. This guy has been accused of cracking brain wallets himself. And yeah, his site will default to empty string as a passphrase and there's no complexity requirements enforced. So okay, who's next? You. He asked if inserting spaces in a password or passphrase would strengthen it sufficiently. No, adding spaces does not significantly increase the strength of a password. Length really doesn't matter. It's complexity that matters. I think you were first. He asked if deterministic wallets could have the same problem. Bitcoin has hierarchical deterministic wallets. If you seeded them with a passphrase you chose yourself then yes, it would have the same problem, depending upon whether or not any hardening or salting was used. But Electrum is the most popular tool that does this and it will choose a passphrase for you so you don't have that problem. Does adding spaces or capitalization to a password actually weaken it under any circumstances?
Oh, like if someone hears you type it. If someone is hearing you type passwords and is using this against you, you have other problems. But I mean the weakest version of any passphrase is going to be one that appears verbatim somewhere. So if you stripped all the spaces it would be very, very, very slightly stronger, but if you're relying on this to save you you're going to be disappointed. Anyone else? There was that one in Afrikaans. I found some in Chinese and Russian. You know, you said any multilingual, like two languages in them. I didn't find one but I don't think that the lists I was using had anything like that in them. So there might be, I just didn't find them. I can't hear you. I had a couple of slides with examples on there. There was definitely "Use the Force, Luke" in there. Anybody else? Oh yeah, I'm sorry, I did skip over that. He's asking how I figured out what people are actually doing. The answer is I made bait wallets. So you know, I made this mental model of how I would steal brain wallets if I were going to do it and I realized, well, they're going to have bots, and so if I send a small amount of bitcoin to a weak brain wallet any bots capable of stealing it will steal it. So I was able to kind of use their theft bots as an oracle against their lookup tables. And then by doing some blockchain forensics I was able to get some rough idea of how many of them there are. Anyone else? Way in the back? Are you saying it's too big, too small, or too big by a factor of ten? He's saying that my math was wrong. One second. My assumption is that storing a single passphrase takes about a hundred bytes. Right, if you know what the dictionaries are you still have to store the dictionaries somewhere. So your dictionary is taking space either way. So you can't optimize it that much. I'm sorry, I'm having a little bit of trouble hearing you.
Right, but the lookup table has the dictionary words or private keys themselves. Find me later and we can talk about this.