> If you literally just use 4 or 5 dictionary words, someone is going to crack it fast. Bad people can write a program to try a kabillion combinations of words and it will run fast.
Wrong. Wrong wrong wrong. If you randomly choose a sequence of 4 or 5 dictionary words you'll have a strong password. This is simple math. The author then tries to support his point with this gem:
> One of the wallets, with the password “lorem ipsum dolor sit amet” was cracked in 7 hours,
Well, "lorem ipsum dolor sit amet" isn't 5 randomly chosen dictionary words. It's an extremely common 5 word sequence and has nothing like the entropy of a random word sequence.
The most important thing about pass phrases is that you have to choose the words randomly. You can't go pulling phrases from movie lines, and you can't even come up with them yourself. You need an unbiased process like a computer or a dice roll to generate it for you.
More subtly, you shouldn't be picky about the phrase. If you keep generating new pass phrases until you find one that's memorable, you are drastically reducing the entropy of your phrase. It is plausible that an attacker could build a model that limits their search to memorable phrases, and then you'd be in bad shape.
And this last point is where pass phrases need work. What we need is a system for randomly generating passwords that guarantees some level of memorability without sacrificing entropy. Fitting them to roughly sentence formats is one possibility (e.g. adj noun verb noun), so that we can visualize something happening. But it's not an easy problem.
That "mad-libs" method does reduce entropy quite a bit. I don't know if it reduces it enough to make the password crackable, but the search space is much smaller than just 5 random words.
Edit: Another technique that I find useful is to place the four words into a more memorable sentence. For example, if I pull "frequently scared earth understanding" from passphra.se, I might have trouble remembering that raw sequence of words. But if I put it into a sentence like "I am frequently scared, but the Earth is understanding.", then I have a much more evocative sentence that I'm likely to remember. I usually will just use that whole sentence, punctuation and all, because hey, extra entropy. Dropbox's zxcvbn tool[1] estimates that pass phrase at nearly 128 bits of entropy.
Use something like diceware. Ideally, use a 7 word phrase with a good password safe.
The article doesn't use any numbers, and so the author doesn't have a feel for just how strong a passphrase is compared to a password.
Also, the author seems to be missing the point of the xkcd comic. You can create a strong password. $xK!r88w82;)|@N?c463)fpD2SAtRNQq But very few people do this. Because of poor password policies people have a password. PASSWORD. They then modify that to conform to the policy. Must include numbers? PASSWORD89. Must include specials? !PASSWORD89
These are trivially easy to find. Firstly because the limited amount of modification available means other people would have tried it first, and those words will now be in dictionaries. Secondly, crackers can auto-substitute characters in wordlists.
xkcd uses math and I don't see much wrong with it either. You're using hand waving and anecdotes. You can't just say "it will run fast." Unless computers get infinitely fast, there will always be intractable problems.
And you realize that "lorem ipsum dolor sit amet" is an extremely common phrase, right? It has no relation to the entropy in 4 random dictionary words. The thing about cracking a password is you don't have to know the exact format if what you're grasping at is a bunch of low hanging fruit.
The other thing is that the article completely ignores the possibility of generating a new private key in the normal way and memorizing that. It's only the same number of digits as seven phone numbers which while certainly difficult is well within the range of any moderately determined human of normal intelligence. I suspect that most people have 7 phone numbers memorised as it is.
If you're truly paranoid about security, doing that gives you just as much security as anyone else using bitcoin.
1 in 2^44, in fact. Unlikely enough that if you tried once per millisecond, you'd expect it to happen only once in 550 years.
If instead you use only a 16 character password with no dictionary words (i.e. completely random or sufficiently randomized memorable words) you have 3.4 * 10^38 possibilities.
3.4 * 10^38 > 4.3 * 10^36 > 2.8 * 10^33
I think everybody should use what works for them, and pass phrases are easy to remember but they have the exact same trade off that using pure dictionary words does at shorter lengths; it's easier to crack.
> If instead you use only 16 character password with no dictionary words (i.e. completely random) you have 3.4 * 10^38 possibilities.
You're confusing characters and bytes. If you limit yourself to what can be typed on a typical keyboard, you're looking at a set of 95 characters, not 256. That gives you 4.4E31 possibilities (or ~105 bits of entropy). If you limit yourself to what most password fields will accept, it's more like a set of 75 characters (optimistically), giving you 1E30 possibilities (~100 bits).
Secondly, I'm not sure the comparison is fair in terms of memorability. 7 words will fit easily in my working memory. 16 characters will not. If I have an exceptional working memory, I might be able to fit 10 characters in it, and suddenly we're down to 63 bits of entropy, compared to 77 bits for a 7 word pass phrase, even if we limit ourselves to a 2000 word dictionary. And committing those 7 words to long term memory is still going to be way easier than committing the random 9 character string.
Incidentally, 77 bits is very close to the 80 bits that NIST recommends for the strongest passwords. 63 is quite a long way off.
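To put numbers on the estimates argued over in this thread (2^44 for four words from a 2048-word list, 95^16 and 75^16 for typed character passwords, 77 bits for 7 words from a 2000-word list, the "mad-libs" template, and the entropy cost of re-rolling until a phrase feels memorable), here is an added Python example that is mine, not any commenter's code. The 16-word list and the 1/16 "memorable" fraction are constructed placeholders; a real diceware list has 7776 words.

```python
import math
import secrets


def entropy_bits(choices_per_symbol: int, symbols: int) -> float:
    """Entropy of a uniformly random string: `symbols` independent draws
    from `choices_per_symbol` options. 95**16 (every printable ASCII
    key) is ~4.4e31 combinations, i.e. ~105 bits, not 256**16."""
    return symbols * math.log2(choices_per_symbol)


def template_entropy_bits(list_sizes) -> float:
    """Entropy of a 'mad-libs' phrase (e.g. adj noun verb noun): one
    uniform pick from each slot's own list, so the bits add per slot."""
    return sum(math.log2(n) for n in list_sizes)


def filtered_entropy_bits(bits: float, accepted_fraction: float) -> float:
    """Entropy left if the user keeps regenerating until the phrase lands
    in a 'memorable' subset an attacker can also model. Keeping 1 in 16
    candidates hands the attacker 4 bits (log2(1/16) = -4)."""
    return bits + math.log2(accepted_fraction)


def expected_crack_years(bits: float, guesses_per_second: float) -> float:
    """Years to exhaust all 2**bits candidates at the given guess rate
    (an attacker who wins only on the last guess, as in the 2^44 example)."""
    seconds = 2.0 ** bits / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


# Constructed stand-in for a diceware list (16 words = 4 bits per word).
WORDLIST = [
    "frequently", "scared", "earth", "understanding",
    "copper", "lantern", "orbit", "velvet",
    "glacier", "pudding", "sparrow", "tunnel",
    "marble", "whistle", "cactus", "harbor",
]


def generate_passphrase(wordlist, n_words: int) -> str:
    """Pick words with the OS CSPRNG (`secrets`), never by hand, and do not
    re-roll for a 'nicer' phrase: every rejection shrinks the search space."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))
```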
Whether you realise it or not, what you want from a private key is lots of entropy.
A simple pass phrase is easily cracked, a complicated one is hard to remember (and it needs to be remembered exactly).
There may potentially be a small amount of middle ground here, particularly if your memory is very good, but what happens if you get dementia as you get older?
If you must use a pass phrase, use it to encrypt a truly random private key; this way only the private key is exposed to the blockchain. An attacker would need the encrypted copy of your private key to brute force it, so don't keep this online unless you need to send bitcoins.
Remembering 10 random words in order isn't that much easier than 10 random alphanumeric chars and symbols. The words might have some mnemonic value, but the point is, if you need entropy, don't mess about, use a real private key.
Read this post https://gist.github.com/gavinandresen/3840286
Bitcoin the currency is a different beast. Well, if you have to rope the value of money to something, computational power is not the worst thing possible in an increasingly digital world.
Why do you want to rope the value of money to something other than trust? I know this is low tech and very old, but a trust based system can work even for the digital economy. Of course, to work properly a trust based system needs some conditions which are not met today: transparency and dissuasive sanctions if someone cheats.
I think we need to upgrade our financial system but we need more transparency not more opacity.
And you aren't attacking a single address at a time. You're attacking them all in parallel. Even if the expected time to crack one password is very long, the expected time to crack some password can be much, much smaller.
The phrases generated by passphra.se have 44 bits of entropy. That means your rainbow table has to be on the order of hundreds of petabytes. I have doubts that the attack you're proposing could be implemented in practice. If it were a problem, you could just tack on a few more words and take the table into the yottabyte range.
They're making something up, and humans are extremely bad at generating high entropy that way.
No one does that any more. The amount of computing power in the blockchain is impressive. FPGAs didn't last too long; people are using ASICs now.
It's a shame if all those farms of GPUs are wasted. I guess I should have looked on ebay for people selling them off cheap. Or maybe they're just being used for protein folding now.
It's interesting that tying mining to value has driven people to create home clusters and now people have developed ASICs. It'd be cool if those could have some other use in future.