A white-hat hacker has released a new tool designed to illustrate the ease with which illicit actors can steal bitcoins from brainwallets, a type of bitcoin wallet iteration where passwords are not stored digitally – but in the memory of the user.
Originally conceived as a way to keep sensitive wallet data offline and make bitcoin addresses easier to remember, the brainwallet was partly undone due to how it interacts with the bitcoin blockchain. A brainwallet uses a single, long password or phrase, converts it to a private key, a public key and finally an address. Using an offline attack, it’s possible to rapidly guess potential passwords to see if they’re correct.
New research by Ryan Castellucci, a security researcher at digital fraud firm White Ops, indicates there is as major flaw in this method. He highlights that the final bitcoin address is recorded in the blockchain as a password hash. When used for website authentication, password hashes help determine whether the word or phrase supplied is correct, meaning this data can be used as a reference to bad actors looking for the password.
Released on 7th August at DEF CON 23,