Wallet security research - Experiment


#1

Hello everybody!
Recently, I have been conducting research on a list of all wallets in the burst community. I have written a program using C# (which I will not be sharing here!), and essentially what it does is run through a large wordlist and attempt to discover as many passphrases as it can.

I WILL NOT BE STEALING BURST USING THIS!!!

This is a public security announcement (see what I did there?).
Within the first 10 seconds of running the program on a fairly large wordlist, I was able to crack 2 keys. Again, I am not stealing any burst with this! I have alerted the people whose keys I have cracked and given them instructions on how to pick a password. If you use the default 12 random word passphrase, you are okay. Those passwords are far too strong to be cracked like this. But if you picked your own passphrase, it will likely be cracked unless you generated it in a very smart manner. Do what you are told to do in the pinned Wallet Safety thread.

If you believe you are using an insecure passphrase, generate a new, 12 word passphrase and move all your burst and assets to that address!!!

Thank you for securing your burst!


#2

wanna test mine?


#3

In theory I already am. I am testing all wallets that have a public key linked to them at the same time.


#4

but but but fine ok


#5

daWallet’s old post:

The auto-generated random passphrase of 12 words out of a 1626-word dictionary is considered by many as not safe enough. Let’s see if these doubts are appropriate or not.
It is a false conclusion to use a song text or “own random words” instead, as your own passphrase may not be as random as you think. Using hundreds or thousands of characters to feel safe is not very handy, either.

That’s why I set up this little game and early warning system. Each account has funds in it and uses a passphrase auto-generated by the Burst Wallet with 12 or fewer words. All words in the used dictionary are openly available: https://github.com/burst-team/burstcoin/blob/master/html/ui/js/crypto/passphrasegenerator.js#L29

1 Word BURST-GMVF-Z5L4-LGWZ-8BW6W (entropy of 10.66 bits) time till cracked: 6 seconds,
2 Words BURST-ADFP-EN99-24FD-44QA7 (entropy of 21.334 bits) time till cracked: 53 seconds, record: 4 sec by blago
3 Words BURST-UP6D-R28A-67XL-DYBJL (entropy of 32 bits) time till cracked: 27 days by haitch
4 Words BURST-24M6-5CWP-CPPZ-D9PVS (entropy of 42.67 bits)
5 Words BURST-RT5Y-YLDA-AZ5R-6T6MN (entropy of 53.34 bits)
6 Words BURST-AYQF-7YUJ-A88H-D32VQ (entropy of 64 bits)
7 Words BURST-ND84-WUE8-L9EZ-C27NB (entropy of 74.67 bits)
8 Words BURST-K8GV-VEAA-LRLS-F5C58 (entropy of 85.33 bits)
9 Words BURST-YRZY-WDWF-XQ35-AURDX (entropy of 96 bits)
10 Words BURST-RGGF-SJ88-272C-G3RXG (entropy of 106.67 bits)
11 Words BURST-P7SA-89F9-62F4-53MEG (entropy of 117.34 bits)
12 Words BURST-6L9L-LULB-XVAZ-463RB (entropy of 128 bits)

Each of these accounts holds 1000 Burst at the moment. I have not saved nor shared any of the passphrases.
Maybe someone likes the idea and can make a webpage out of it with current balances and so on.

Also, the same warning system can be made with different types of passphrases.

It’s about brute-forcing the auto-generated passphrase with the known dictionary.

EDIT: 3 Words BURST-UP6D-R28A-67XL-DYBJL cracked by Blago - 5:40:52 hrs
[06:04:45] Start cracking BURST-UP6D-R28A-67XL-DYBJL
[11:45:53] ignore neither guy
[11:45:53] END