Bitcoin wallet password Cracker
Executive summary: brain wallets are generally safe, because even with idiotic passwords and a bunch of hints it took days to crack them.
A wish: if you have written a fast program for cracking brainwallets (C/C++, CUDA etc.), I'd be glad if you shared it.
I deposited one bitcoin to each of the addresses on 2013-02-20 at about 14:00 UTC. My original idea was just to put the bitcoins in, tell nobody and take the coins out (if they were left) after one month and then write a blog post about it. As you can see from the list, the lorem ipsum one was robbed 7 hours after the deposit.
I thought the addresses would be hacked very fast, but I was wrong. I had to give a number of hints on the way:
- there are no spaces, just words after words
- English and Finnish are not mixed
- the phrases only have 3-4 words
- the words are very common
After publishing these hints, it still took over 48 hours to crack them. The reasons, in my opinion, are:
- There was no ready fast program for cracking brainwallet passwords. People were running slow Python scripts. With a well-written program in C/C++ and using a GPU, the cracking would take only hours or less.
- And: because the prizes were small, no superguru programmer/hacker wasted his/her time to write and run this kind of program.
Some interesting observations:
- People reported that they had accidentally found some other wallets with small amounts of bitcoins (claims only, no proof, but I can believe it).
- With a quick-and-dirty Python script you can test 1500 passphrases per second per core. That means that cracking a four-word passphrase drawn from a 10000-word vocabulary on a 10-core CPU will take ((10000^4)/1500/10)/(60*60*24*365)=21140 years. If you use C/C++, speed-optimize your code, use a GPU and get a 100000-times speedup [1], it's two months. Now, if you either:
  - add a fifth word
  - use punctuation characters between words and maybe add one or two capital letters
  - mix two languages
  - preferably do all of the above

  you have a virtually bulletproof passphrase.
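The arithmetic above, generalized into a small estimator so the effect of each hardening step can be compared (an added example, not code from the original post). The separator count of 10, the "each word's initial may be capitalized" rule and the "each word may come from either language" rule are assumptions chosen for illustration; the rates are the post's own figures.

```python
"""Exhaustive-search time for word-based passphrases (added example)."""
from dataclasses import dataclass

SECONDS_PER_YEAR = 60 * 60 * 24 * 365
SCRIPT_RATE = 1500 * 10            # post's figure: 1500 guesses/s per core, 10 cores
GPU_RATE = SCRIPT_RATE * 100_000   # post's assumed 100000x speedup


@dataclass(frozen=True)
class Scheme:
    words: int = 4               # words per passphrase
    vocabulary: int = 10_000     # candidate words per language
    languages: int = 1           # assumption: each word may come from any language
    separators: int = 1          # choices per gap between words (1 = none)
    capitalizable: bool = False  # assumption: each word's initial may be upper-case

    def keyspace(self) -> int:
        """Number of distinct passphrases the scheme can produce."""
        space = (self.vocabulary * self.languages) ** self.words
        space *= self.separators ** (self.words - 1)
        if self.capitalizable:
            space *= 2 ** self.words
        return space


def years_to_exhaust(scheme: Scheme, guesses_per_second: int) -> float:
    """Years to try every candidate; the average hit comes at half of this."""
    return scheme.keyspace() / guesses_per_second / SECONDS_PER_YEAR


def report() -> dict:
    """Map scheme name -> (years at script speed, years at GPU speed)."""
    schemes = {
        "four words (baseline)": Scheme(),
        "fifth word": Scheme(words=5),
        "punctuation between words": Scheme(separators=10),
        "two languages mixed": Scheme(languages=2),
        "all of the above + capitals": Scheme(
            words=5, languages=2, separators=10, capitalizable=True),
    }
    return {name: (years_to_exhaust(s, SCRIPT_RATE), years_to_exhaust(s, GPU_RATE))
            for name, s in schemes.items()}


if __name__ == "__main__":
    for name, (slow, fast) in report().items():
        print(f"{name:<30} script: {slow:>10.3g} y   GPU: {fast:>10.3g} y")
```

These figures are upper bounds that hold only when every word is picked uniformly at random; a phrase a person chooses, or one taken from existing text, occupies a far smaller search space than the formula suggests.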