# Bitcoiners are just like everybody else: They use rubbish passwords

Don't pretend you can invent a strong enough, memorable password to protect your Bitcoins: crypto-boffins can crack the so-called "brain wallet." In research published at the International Association for Cryptologic Research (IACR), University College London's Nicolas Courtois and Guangyan Song and White Ops' Ryan Castellucci …

1. #### So - what constitutes a suitably strong password

If they can run 10e9 password checks for \$60 - what sort of complexity is 'suitable'? For normal use. I'm not talking about withstanding a year of continuous attack on something that isn't rate limited or anything of that nature but let's assume a non-2FA web site (i.e. not your bank).

Yeah - I know that's a 'how long is this piece of string' question - but I really have no idea what sort of size/complexity we're dealing with nowadays.

Now if you'll excuse me there's some youngsters I have to chase off my lawn.

1. #### Re: "how long is this piece of string"

Hey ! That's a great idea for a password ! At least as good as horse battery staple.

2. #### Re: So - what constitutes a suitably strong password

Not all that long. 9 random characters is probably fine.

If you've got \$60 worth of bitcoins then using a random 9 digit number (which obviously has 10e9 possibilities) as your password would make it not currently worthwhile cracking your password. Guard against a 10x increase in performance / reduction in cost by using a 10 digit number. Alternatively, use a random password of upper case, lower case and numbers (62 possible chars). That would only need to be 1/log(62) times as long which means 5.58 random characters will do it.

6 gives 56 x 10e9 possibilities.

9 gives 13,537,086 x 10e9 so should give plenty of room for the possibility that you're storing more than \$60 worth and increases in processing power for the near future (unless quantum computing hits the big time soon in which case this is all moot).

Final option, use the xkcd method. Pick 4 random words, even if you only pick from the 1000 most common that's 1000^4 = 10e12 possibilities

1. #### Re: So - what constitutes a suitably strong password

I'd just like to point out that although it occurred to me as well, that kind of worth-the-effort analysis isn't really accurate, because they're not trying to get your password, they're trying to get everybody's. So although they may have to spend more than \$60 to get \$60 worth of bitcoins from your account, they also get money from a bunch of other accounts.

again!

that is all.

1. #### Re: "...I'll be back"

Using "Arnold Schwarzenegger" as a password? Surely that should be Arnold Schwarzenegger1.

1. #### Re: "...I'll be back"

I'd never be able to remember how to spell his surname so it's not "all-too-obvious" to me.

1. #### Re: "...I'll be hacked"

I usually have 6 letters (from any untraceable text document), 2 numbers, and no Bitcoins. How secure is the virtual money that I haven't got?

3. #### Hmmmm

So "youshallnotpass" is right out then?

1. #### Re: Hmmmm

It's valid.

Counting to 5 after pulling the pin on the Holy Hand Grenade of Antioch, however, is right out.

2. #### Re: Hmmmm

"Mellon" is good, only your friends will try that.

1. #### Re: Hmmmm

""Mellon" is good, only your friends will try that."

Bit trusting isn't it? Someone speaks 'friend' in a foreign language and enters, you having let them in? Home invasions happen that way. Big, shadowy, flaming, ancient demonic home invasions...

1. #### Re: Hmmmm

If it's also the door guard's day off, sure.

Then again, maybe it also voice prints selected senior British actors.

Ian McKellen

Peter Cushing (always possible, e.g. he played Doctor Who in movies, but also a Star Wars baddie)

Christopher Lee: obviously not. He's a vampire.

4. #### Correct....

Obligatory xkcd :

https://xkcd.com/936/

5. #### Research funding woes

should be over.

Assuming each account will have at least 1 bitcoin, and they would not object to making a contribution because they have a direct and immediate interest in the research, this would mean that £4.5M is available for research, which is much more generous than any other research grant. This would also have the advantage of not having to face a review committee.

BTW - @AC xkcd gets it so wrong, as this piece of work some admirably demonstrates. The other thing that Randall gets wrong is that restricting pass phrases to dictionary words reduces the size of the rainbow tables significantly, which makes the cracking so much faster.

AC because dangerous people who have lost bitcoins might want to ask questions in so many uncomfortable ways.

1. #### Re: Research funding woes

"BTW - @AC xkcd gets it so wrong, as this piece of work some admirably demonstrates."

If you're referring to the "Correct Horse Battery Staple" I don't think so; the dictionary attack relies on the pass phrase being a relatively common expression or a name of someone or something so, unless you actually used "correcthorsebatterystaple", your combination of four unrelated words is still relatively secure (based on number of possible words to the power four) as this is a large number even if you restrict it to fairly common English words:

http://www.oxforddictionaries.com/us/words/how-many-words-are-there-in-the-english-language

6. #### And...

...we're back to searching a RNG that really is random and not just "random".

7. ddfe8e879cb6f63c5f4907fc1a4f279c

1. Uppercase? Where are the uppercase?

8. #### "[..] demonstrates again that brain wallets are not secure and no one should use them."

The very first phrase in the Bitcoin wiki on this subject is: "A brainwallet refers to the concept of storing Bitcoins in one's own mind by memorization of a passphrase. As long as the passphrase is not recorded anywhere, the Bitcoins can be thought of as existing nowhere except in the mind of the holder. If a brainwallet is forgotten or the person dies or is permanently incapacitated, the Bitcoins are lost forever."

My first reaction to that was Holy Cow, how much more useless can you get?

If someone steals my Visa, I can have it blocked. If I lose my account password, I can go to the bank, prove I'm myself and get another one. If I lose my Internet access, I can go to the bank. With real money, there is always a fallback option.

This ? A knock on the head and your "money" is gone forever.

And you can't even light a cigar with it. Pff.

1. #### Re: "[..] demonstrates again that brain wallets are not secure and no one should use them."

That's the whole point of crypto currencies though; trust no-one (except yourself and the maths (and the group of large miners who de facto set the rules)).

For there to be a fall back option, you need to trust someone to be the central bank and have access to everyone's money. At that point you may as well use a real bank and a real currency.

So either you do make a backup and store it in a separate "Availability Zone" (your mum's house) or you accept that mindwallets are like cash, let go of a bank note on a windy day and it's gone, no fallback.

9. #### I simply

Copy and paste el reg articles and remember which article it was.

Thanks to the huge number of typos it's impossible to crack such a password with a dictionary attack.

10. #### Once again - generate the password FROM the passphrase!

Let's use the phrase "THese ARen't THe DRoids YOu're LOoking FOr".

Take the first two letters from each word. Capitalize the first one (it's a sentence) and add punctuation. This gives you:

Tharthdryolofo! - a 15-character near-random password that's EASY to use.

You don't have to REMEMBER it, you say the phrase as you go and simply type the relevant letters.

I teach my users this trick and it's working a charm. The least technical of them can remember a sentence. This is the best real-world compromise I've found.

12. #### "Not secure and no one should use them"

That strikes me as an awful strong claim. It may well be that many people use them insecurely, or even that using them securely is impractical. But it certainly isn't impossible.

I've probably mentioned before that I'm a fan of Diceware for strong passphrases. You have a list of 7776 words and pick one by rolling 5 normal dice. It's completely random, and also nicely easy to quantify exactly how many possibilities there are. Each word is worth a little under 13 bits of "random". So to get 256 bits (the length of the private key), you'd need 20 words. Obviously memorizing 20 random words is not an easy task, but it's doable.

Or another option, English text is said to contain 1 to 1.2 bits of information per letter. So if you can memorize a 256-letter non-random (but unpublished) paragraph that should do the job as well.

And either of those methods is probably more secure than necessary. A bitcoin address is only 160 bits, significantly shorter than the 256-bit private key, so I would guess that's a reasonable length to shoot for and still get very good security.
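The Diceware arithmetic from the comment above, as an added example that is not part of the thread: five dice rolls are mapped to one of 7776 list entries and the word count is derived from a target bit strength, with the thread's other two schemes (9 characters from 62, 4 words from 1000) measured the same way. The word list is a constructed stand-in and the function names are illustrative; a real Diceware list would be loaded in its place.

```python
import math
import secrets

DICE, SIDES = 5, 6
LIST_SIZE = SIDES ** DICE               # 7776 entries, one per 5-dice outcome
BITS_PER_WORD = math.log2(LIST_SIZE)    # just under 13 bits per word

# Constructed placeholder list; substitute a published Diceware list here.
WORDS = [f"word{i:04d}" for i in range(LIST_SIZE)]

def roll_key():
    """Five unbiased die rolls drawn from the OS CSPRNG, e.g. '43521'."""
    return "".join(str(secrets.randbelow(SIDES) + 1) for _ in range(DICE))

def key_to_index(key):
    """Map a dice key '11111'..'66666' to a list index 0..7775 (base 6)."""
    if len(key) != DICE or any(c not in "123456" for c in key):
        raise ValueError(f"not a {DICE}-dice roll: {key!r}")
    index = 0
    for c in key:
        index = index * SIDES + (int(c) - 1)
    return index

def words_needed(target_bits):
    """Smallest word count whose keyspace reaches target_bits."""
    return math.ceil(target_bits / BITS_PER_WORD)

def passphrase(wordlist, target_bits):
    """Draw enough uniformly random words to reach target_bits."""
    if len(wordlist) != LIST_SIZE or len(set(wordlist)) != LIST_SIZE:
        # Duplicates or a short list would silently lower the entropy.
        raise ValueError("wordlist must hold 7776 distinct words")
    count = words_needed(target_bits)
    return " ".join(wordlist[key_to_index(roll_key())] for _ in range(count))

def scheme_bits(choices, picks):
    """Bits of a secret built from `picks` independent uniform choices."""
    return picks * math.log2(choices)

if __name__ == "__main__":
    for bits in (160, 256):
        print(f"{bits}-bit target: {words_needed(bits)} Diceware words")
    print(f"9 chars from 62:   {scheme_bits(62, 9):.1f} bits")
    print(f"4 words from 1000: {scheme_bits(1000, 4):.1f} bits")
    print(passphrase(WORDS, 160))
```

These figures only hold when every word or character is chosen uniformly at random, which is what the dice (or `secrets`) provide and a human picking "random" words does not.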

13. #### Long pass phrase

I find that adding a couple of long memorable numbers (6 to 10+ digits) to a 'sentence long' passphrase can really help defeat this type of attack.
