Cracking Cryptocurrency Brainwallets

Presented at DEF CON 23 (2015), Aug. 7, 2015, 2 p.m. (60 minutes)

Imagine a bank that, by design, made everyone's password hashes and balances public. No two-factor authentication, no backsies on transfers. Welcome to "brainwallets", a way for truly paranoid cryptocurrency users to wager their fortunes on their ability to choose a good password or passphrase. Over the last decade, we've seen the same story play out dozens of times - a website is broken into, the user database is posted online, and most of the password hashes are cracked. Computers are now able make millions, billions or even trillions of guesses per second. Every eight character password you can type on a standard keyboard and every combination of five common english words could be tried in less than a day by today's botnets. Can people come up with passphrases able to stand up to that when money is on the line? Let's find out. For this talk, I will be releasing my high speed brainwallet cracker, "Brainflayer". I'll cover a history of brainwallets, safer passphrase-based wallet generation, passphrase security, in-the-wild cracking activity, and how I accidently stole 250 Bitcoins (and tracked down the owner to give them back).


Presenters:

  • Ryan Castellucci - Security Researcher, White Ops
    Ryan Castellucci has been interested in cryptography since childhood when his parents gave him a copy of "Codes, Ciphers and Secret Writing". He soon learned to program and wrote a tool to crack simple substitution ciphers. More recently, he co-spoke with Dan Kaminsky at DEF CON 22 and was a finalist in the 2014 Underhanded Crypto Contest. For his day job at White Ops, he finds new and exciting ways to tease out the subtle differences between bots and human-controlled web browsers. Twitter: @ryancdotorg Web: https://rya.nc

Links:

Similar Presentations: