Ryan Castellucci, a security researcher at digital fraud firm White Ops, has described a loophole through which bitcoin passwords could be traced and used to steal funds. The issue arises with brainwallets, in which the bitcoin password is a long word or phrase that is kept in the user's memory and used to interact with the blockchain.
In particular, the brainwallet password might be traced to the private key, then to the public key, and eventually to the bitcoin wallet address. Castellucci presented his findings at DEF CON 23, the annual global hacker convention.
Traceable Bitcoin Passwords?
Brainwallet bitcoin passwords aim to add a layer of security to digital wallets, but Castellucci says that they could expose a critical flaw. He pointed out that the final bitcoin address is saved in the blockchain as a password hash, which helps in verifying whether the word or phrase is correct when used for website authentication. As a result, it can serve as a reference for criminals trying to guess the bitcoin password. He added that an offline attack can allow criminals to quickly find out which passwords are valid.
To demonstrate, Castellucci unveiled his brainwallet cracker, called Brainflayer, during the convention. This software can guess 130,000 passwords per second, and even more when run on more powerful computers. It is estimated that Brainflayer can guess 500 million passphrases for just a dollar.
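To put the quoted rates in defensive terms, the following added example (not from the article or from Castellucci's tool) estimates how long a passphrase of a given strength survives at 130,000 guesses per second and 500 million guesses per dollar. It assumes the classic brainwallet derivation, private key = SHA-256(passphrase), which the article does not spell out; the PBKDF2 contrast, the function names and the sample phrase are illustrative assumptions.

```python
import hashlib
import math
import secrets

GUESSES_PER_DOLLAR = 500_000_000   # cost figure quoted in the article
GUESSES_PER_SECOND = 130_000       # single-machine rate quoted in the article

def brainwallet_private_key(passphrase: str) -> bytes:
    """Classic scheme (assumed here): private key = SHA-256(passphrase); no salt, one hash."""
    return hashlib.sha256(passphrase.encode("utf-8")).digest()

def salted_stretched_key(passphrase: str, salt: bytes, rounds: int = 200_000) -> bytes:
    """Contrast (illustrative, not a wallet standard): per-user salt plus PBKDF2."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, rounds)

def random_choice_entropy_bits(words: int, wordlist_size: int) -> float:
    """Upper bound: holds only if every word is drawn uniformly at random.
    Phrases a person makes up (quotes, lyrics) carry far less."""
    return words * math.log2(wordlist_size)

def expected_search(entropy_bits: float) -> dict:
    """Average attacker effort: half the space is searched before a hit."""
    guesses = 2 ** entropy_bits / 2
    return {"guesses": guesses,
            "usd": guesses / GUESSES_PER_DOLLAR,
            "days_one_machine": guesses / GUESSES_PER_SECOND / 86_400}

if __name__ == "__main__":
    phrase = "example phrase, constructed for this demo"
    # Same phrase -> same key for every user, so one guess is checked
    # against every funded address at once.
    assert brainwallet_private_key(phrase) == brainwallet_private_key(phrase)
    # With a salt, each guess must be recomputed per target and costs `rounds` hashes.
    s1, s2 = secrets.token_bytes(16), secrets.token_bytes(16)
    assert salted_stretched_key(phrase, s1) != salted_stretched_key(phrase, s2)
    rows = [("4 random words / 2048-word list", random_choice_entropy_bits(4, 2048)),
            ("6 random words / 7776-word list", random_choice_entropy_bits(6, 7776)),
            ("random 256-bit key", 256)]
    for label, bits in rows:
        r = expected_search(bits)
        print(f"{label:34s} {bits:6.1f} bits  ${r['usd']:.3g}  {r['days_one_machine']:.3g} days")
```

The entropy figures are best cases for uniformly random word choice, so a phrase a person composes falls well below the first row.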
Fortunately, Castellucci is an ethical hacker who looks into potential loopholes that might destroy a particular system, allowing industry experts to find a solution before criminals exploit the flaw. However, Castellucci also said that some members of the industry might simply choose to ignore his warnings until a working proof of concept is presented.
“You can scream from the rooftops that something is weak and vulnerable, but many people will just stay in denial without a working proof of concept. I think that the concept of letting humans choose their own passwords and passphrases for high security applications is fundamentally flawed,” he said in an interview with CoinDesk.