The concept of storing Bitcoins in a wallet generated by a passphrase is referred to as a brainwallet. This post will explore the insecurities of brainwallets and why you shouldn’t be using them.

There are many ways to generate a brainwallet. For example, brainwallet.org provides a simple client-side JavaScript application to do this. The passphrase used to generate the wallet is essentially just a password, and it provides the only means of protection from theft. If someone guesses this password, they have full access to the wallet and the funds.

The Idea

Out of pure curiosity, I wanted to see how many insecure brainwallets could be found with just a simple dictionary. I would create a script that would loop through a dictionary file; each word would be converted into a public Bitcoin address and the resulting address would be searched for in all historical transactions.

Code and Setup

I was able to borrow the Bitcoin address generation code in order to convert a dictionary word into a public Bitcoin address.

Next up was finding a way to query for a public address in all historical Bitcoin transactions. My first option was blockexplorer.com. This website stores every Bitcoin transaction in a database and provides an API to query information. The biggest problem with using this site was that my brute-force experiment would generate a lot of traffic to the site. I then stumbled upon Abe, which is essentially a clone of blockexplorer.com that I could run locally. After getting it up and running, it took over a week to insert all transactions into the database from the blockchain.

I pointed my script at an English dictionary file and let it run.

Results

Here are the brainwallets I found with this particular dictionary. Note that none of these wallets actually had any funds at the time of running the script, but at one point in the past these wallets were in use.

| Word | Received Bitcoins | Public Address |
|---|---|---|
| a | 0.01 | 1HUBHMij46Hae75JPdWjeZ5Q7KaL7EFRSD |
| cat | 0.15 | 162TRPRZvdgLVNksMoMyGJsYBfYtB4Q8tM |
| chicken | 0.001 | 15Z16yvxv3oH6FBd83qkgo8AmzYcaSy2vX |
| destruction | 0.09 | 11p4664ndnKmiPBL6naW9nF9z91skDdkf |
| dog | 0.01 | 19MxhZPumMt9ntfszzCTPmWNQeh6j6QqP2 |
| hangzhou | 0.2 | 1EaUxkWMQ1kGPh3gWLev3Uzb2MUEmP59ws |
| love | 0.012 | 1Mm6ouhpHqbtahCRNYfTo7Art1fbmk7PcR |
| password | 0.06108 | 16ga2uqnF1NqpAuQeeg7sTCAdtDUwDyJav |
| poop | 0.001 | 1LVL6qEhMQTbNtSBDfBkmzo5ZS1PwaKZWs |
| root | 0.001 | 148qEts4TkouGRwvUMRFM8dB9MjxM6iCuN |
| sausage | 0.01 | 1TnnhMEgic5g4ttrCQyDopwqTs4hheuNZ |
| supper | 0.002 | 16rAKW1gUqtQL8PaaYM2Drkitm686kgdEC |
| swordfish | 0.00144271 | 1PG9p4dG3vhZ8gx19aVdu5ZfECw9Q7N3B6 |
| test | 0.0511876 | 1HKqKTMpBTZZ8H5zcqYEWYBaaWELrDEXeE |
| very | 0.0075 | 16NpdGeEeEebivqHGSXeDCjozr9yKHeZPD |
| wang | 0.0001 | 1AjzxqeicCxMYDSAW5xqk1is3KX8eipD82 |
| you | 0.01 | 1NGj2UvhbC79ZXFBPBaXSmf7vwRy7cXK5R |
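
Every passphrase in the table above is a single dictionary word. The following is an added example (not code from the linked project) that estimates how much guessing work a word-based passphrase withstands and how many randomly chosen words would be needed to reach 128 bits. The wordlist, the guess rate, the 128-bit target and all function names are assumptions made for illustration.

```python
import math

# Constructed sample list (includes some words from the results table);
# a real audit would load a full dictionary file.
SAMPLE_WORDLIST = ["a", "cat", "chicken", "dog", "love", "password", "root",
                   "test", "you", "correct", "horse", "battery", "staple"]

TARGET_BITS = 128  # assumption: strength expected of a randomly generated key


def guess_space_bits(passphrase, wordlist):
    """Bits of work needed to enumerate every phrase made of this many
    wordlist words. Returns None when the phrase is empty or contains a
    word outside the list, since this list then gives no bound."""
    # Lower-casing is a conservative choice: case variants are cheap to try.
    words = passphrase.lower().split()
    known = set(wordlist)
    if not words or any(w not in known for w in words):
        return None
    return len(words) * math.log2(len(known))


def audit(passphrase, wordlist, rate=1e6):
    """Classify a passphrase. `rate` is an assumed guesses-per-second figure."""
    bits = guess_space_bits(passphrase, wordlist)
    if bits is None:
        # Not covered by this list; that alone does not make it strong.
        return {"verdict": "not-in-wordlist", "bits": None, "seconds": None}
    verdict = "weak" if bits < TARGET_BITS else "ok"
    return {"verdict": verdict, "bits": round(bits, 1),
            "seconds": 2 ** bits / rate}


def words_needed(wordlist_size, target_bits=TARGET_BITS):
    """Number of uniformly random words required to reach target_bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))


if __name__ == "__main__":
    for phrase in ["password", "correct horse battery staple", "xk7 fq2"]:
        print(repr(phrase), audit(phrase, SAMPLE_WORDLIST))
    # 7776 is the size of a typical dice-generated wordlist.
    print("random words needed from a 7776-word list:", words_needed(7776))
```

The estimate only holds when the words are chosen at random; a phrase a person thinks up (a quote, a lyric, a name) is far more guessable than its word count suggests.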

Conclusion

Don’t use brainwallets!

The project source can be found at https://github.com/dan-v/bruteforce-bitcoin-brainwallet.