Researchers use $1 AWS servers to crack Bitcoin brain wallet passwords

Bitcoin is a very popular cryptocurrency that is stored in Bitcoin accounts, called wallets. These wallets are distinguished from one another using an “address” that plays the role of a username. Bitcoin addresses are actually a string ID that has between 26 and 35 alpha-numeric characters.

This wallet can be opened by a private key so that can be used to authorize bitcoin transactions. If the user loses this private key, they lose their only method of accessing a wallet. In most cases, users are supplied with an automatically generated private key when they register an account, which they can change later on.

One of the most common practices to choose a Bitcoin wallet is via the “Brain Wallet” technique. Users can visit special sites or use special applications, sometimes embedded within Bitcoin wallet services, to enter a regular text-based passphrase. This passphrase is then converted using the SHA-256 hash algorithm into a 256-bit number that becomes the Bitcoin wallet’s private key. In case the user loses their private key, they can always reproduce it by converting their passphrase into a 256-bit number via the SHA-256 algorithm.

Now, three researchers have found out a rather simple way to crack the Bitcoin brain wallet passwords. The researchers have  published a paper detailing the method, which they claim, is 2.5 times faster than previous techniques and incredibly cheap to perform.

White Ops security researcher Ryan Castellucci had demonstrated last summer at the DEFCON 23 security conference in Las Vegas, USA that it is easy for hackers to hack private bitcoin keys. He was joined by two more researchers from University College London to crack the bitcoin wallet password.

The three researchers used their technique against real-life Bitcoin wallets and managed to crack 18,000 passwords. Some of the passwords included silly passphrases like:

?   say hello to my little friend

?   to be or not to be

?   party like it’s 1999

?   yohohoandabottleofrum

?   dudewheresmycar

?   andreas antonopoulos

?   Arnold Schwarzenegger

?   blablablablablablabla

?   for the longest time

?   captain spaulding

The researcher also revealed that a potential hacker could use the basic Amazon EC2 account to check over 500,000 Bitcoin passwords per second. The researchers said that by renting a $1 EC2 server, an attacker would be able to check 17.9 billion password strings. To check a trillion passwords, it would cost the attacker only $55.86 (€49.63).

The conclusion of this research is that users should stay away from using common passphrases to generate Bitcoin private keys, and despite the complex cryptography utilities used to build Bitcoin, the service’s security can still be sabotaged by the maligned practices users employ when choosing passwords for online accounts.

The researchers have published their Speed Optimizations in Bitcoin Key Recovery Attacks research paper on  International Association for Cryptologic Research website.