August 8, 2013bitcoin cryptocurrency bruteforce security python
The concept of storing Bitcoins in a wallet generated by a passphrase is referred to as a brainwallet. This post will explore the insecurities of brainwallets and why you shouldn’t be using them.
Out of pure curiousity, I wanted to see how many insecure brainwallets could be found with just a simple dictionary. I would create a script that would loop through a dictionary file; each word would be converted into a public Bitcoin address and the resulting address would be searched for in all historical transactions.
Code and Setup
I was able to find an existing python library for the Bitcoin address generation code in order to convert a dictionary word into a public Bitcoin address.
Next up was finding a way to query for a public address in all historical Bitcoin transactions. My first option was blockexplorer.com. This website stores every Bitcoin transaction in a database and provides an API to query information. The biggest problem with using this site was that my bruteforce experiment would generate alot of traffic to the site. I then stumbled upon Abe, which is essentially a clone of blockexplorer.com that I could run locally. After getting it up and running, it took over a week to insert all transactions into the database from the blockchain.
Here are the brainwallets I found with this particular dictionary. Note that none of these wallets actually had any funds at the time of running the script, but at one point in the past these wallets were in use.
|Word||Received Bitcoins||Public Address|
Don’t use brainwallets! If you want to try it yourself, you can check out the project on Github.