keybase / warpwallet

A brain wallet generator that uses scrypt.
BSD 3-Clause "New" or "Revised" License

Warpwallet unsafe compared to memorizing 12 word mnemonic #28

Open ekrizdis opened 7 years ago

ekrizdis commented 7 years ago

I very much like warpwallet, but I don't believe that it is safe.

Now that many software and hardware wallets use 12 word mnemonics, I believe the best option for a brain wallet is to simply memorize a 12 word mnemonic. A good method for doing this is as follows:

  1. Generate a random 12 word mnemonic
  2. Break it into four 3-word pieces (or three 4-word pieces)
  3. Come up with a story or word picture for each piece
    • For example, if the first three words are "actual raccoon balcony", you might imagine someone standing on a balcony made of raccoons looking very pleased
    • If the pieces aren't memorable, go back to step one and re-roll the mnemonic
  4. Write down the mnemonic on a piece of paper
  5. Every day for the next 7 days, try to remember the mnemonic and then confirm that you remembered it correctly by looking at the paper
  6. Destroy the paper

I think that this is about as easy as memorizing a warpwallet password, and much more secure.

I think that warpwallet should be deprecated in favor of this approach.

maxtaco commented 7 years ago

That is, like, your opinion, man.

On Sun, Jul 16, 2017 at 3:36 PM ekrizdis notifications@github.com wrote:


ekrizdis commented 7 years ago

Indeed it is! But I think there is a reasonable rationale for it:

A. A warpwallet uses some unknown user-supplied amount of entropy, plus key-stretching. Memorizing a 12 word mnemonic is safer, since it uses a full 128 bits of entropy.

B. A 12 word mnemonic can be used as the seed of an HD wallet, whereas a warp wallet generates a single private key, public key, and address. An HD wallet has privacy advantages. Also, a warp-wallet user will likely be tempted to reuse their wallet, which means exposing the public key.

C. A warpwallet user will need to enter their password on a computer and then import their private key into a software wallet. If their computer is compromised, all their funds can be stolen. A 12 word mnemonic can be used to initialize a hardware wallet directly.

I think that A is pretty persuasive, since humans are very very bad at supplying entropy. Key stretching helps but doesn't make up for it.

B means that if you reuse your warpwallet you'll be at risk if quantum computers become a thing, since your public key will have been revealed.

C is, I think, the most important argument. A warpwallet user will have to enter their password on a computer to generate the wallet, enter the password on a computer every time they want to use their wallet, as well as import their private key into a software wallet. If they memorize a 12 word mnemonic they can avoid it ever being on any device other than a hardware wallet. I think this is a huge security advantage, since a potentially compromised PC never holds a private key.

Sorry for not laying out my rationale in the initial issue.

dabura667 commented 7 years ago

That is, like, your opinion, man.

The way he phrased it... yes.

Let's make it a little more scientific.

  1. Let's say it makes trying a password 4294967296 times longer on any type of hardware (which it doesn't, but I'm overestimating the power of warp wallet just for argument's sake).
  2. That means the equivalent of 32 bits of entropy is being added to any password chosen. HUZZAH!
  3. Subtract that from 128 bits and you get 96 bits.
  4. Users need to make a password that is at least 96 bits strong to be equivalent to a normal 12 word BIP39 phrase.
  5. Let's say they use 0-9a-zA-Z!"#$%&'()-=^~|[{]}:;+`\/><,.?_ which is 92 characters for their password.
  6. They would need at least 15 characters from that 92 character set. Super hard to remember. Super hard to write down and re-read later.
  7. Let's say they use random words (perfectly random) from a dictionary with 171476 words (number of actively used words in the Oxford English dictionary)
  8. They would need 6 words. A little better for remembering. But still not best. Some word combinations might be misleading when writing down or committing to memory.

Therefore, we can state unequivocally that users of Warp wallet are sacrificing large amounts of security for a tiny bit of convenience.

But they are free to place their bitcoins in relative danger if they so choose.

The "bounty" put up is peanuts to anyone with the machinery to actually crack warp wallets seriously, and the people who put that bounty up know it.

Tell me one person who stores billions of dollars worth of bitcoin on a warp wallet, and I can guarantee you it will be cracked within a few years.

Meanwhile, the heat death of the universe will come by before someone can brute force my BIP39 phrase.

ekrizdis commented 7 years ago

Dabura's analysis is correct, but I think that the opsec aspect of being able to generate a mnemonic on a hardware wallet which never touches anything but a hardware wallet is equally important.

malgorithms commented 7 years ago

Some counterpoints:

Valid points about recovery, later...although with my Trezor (which I like a lot) I've found that if I want to prevent the computer from stealing the key during a recovery I need a 24 word key so the computer can't learn the key (24! possibilities) on import. I assume some hardware wallets allow direct word entry to keep it at 12?

dabura667 commented 7 years ago

Trezor feeds you dummy words if you have a 12 word phrase. So recovering a 12 word wallet requires typing 24 words. :-)

dabura667 commented 7 years ago

Also, I'd like to add that my stance personally is that memorizing your private key, regardless of the method, is dangerous. The odds of a memory loss event where you forget even the most permanent memories you hold are so non-zero it's not even joke-worthy.

And if you're going to write it down anyways, 12 words is easier to write down than most "secure" brainwallets.

I agree that email salting is better, but not really when the fact that a user's balance leaked online means they probably aren't too private with their email addresses either. And even if they had many email addresses, there's another thing they have to remember and could easily forget.

I agree that warp wallets are relatively better than single SHA256 wallets. But I just wanted to point out that "ooooh it took an extra 10 seconds on my browser, if you multiply that by the entropy of my password...... that's..... a lot!" may SEEM correct, as intuition would say that "100,000 times longer is a looot longer!" But when you think about it, 100,000 is only 16 bits. So by multiplying the work by 100,000 you only increase the effective entropy-like quality by 16 bits. And those 16 bits are dependent on the algorithm not being broken to be made faster.

maxtaco commented 7 years ago

@dabura667 I think you missed a point about the bounty. It was a small bounty and a small password. It's nice to know that a 48 bit password costs more than 10 BTC to crack over 2 years. To beat the challenge, on average, you'd have to compute 2,231,378 guesses a second for 2 years. Apparently it wasn't worth anyone's while. You'd probably need to invest over $500 million in hardware and get free power to beat the challenge, by my back-of-the-envelope calculations (recall, this is a memory hard operation, meaning you need a lot of RAM to get your guesses per second up). Wouldn't it make more sense to mine instead? If you think there's a good GPU solution for scrypt with N=2^17, that would be an interesting result, but it doesn't currently exist. If you don't believe in the crypto (salsa20 in this case), you should probably not be investing in any cryptocurrencies.

Anyways, if 48 bits of entropy in a warpwallet can protect 10BTC (we've put our money where our mouth is here and so far are correct), then 56 bits of entropy should be able to protect 1280BTC (for 2 years). 56 bits of entropy seems way easier to remember than 128 bits, so the risk of accidental loss is much lower (as @malgorithms indicates).

maxtaco commented 7 years ago

In other words, it all comes down to how much BTC you're protecting, over what period of time. You have to assume your attacker is rational and won't bother wasting resources if she/he can't recoup costs.

malgorithms commented 7 years ago

Trezor feeds you dummy words if you have a 12 word phrase. So recovering a 12 word wallet requires typing 24 words. :-)

Love it!

homakov commented 7 years ago

As someone who spent many hours on social media explaining why a strong derivation scheme is a game changer for private keys - eg https://github.com/sakurity/securelogin/issues/34 - I want to cheer your persistence and clear arguments. WarpWallet FTW!

May I add some suggestions for next version?

Drop "optional" part of email entirely - w/o email it's way easier to brute, everyone has an email, email is not leaked to 3rd party, etc - only positive stuff. It must be always required to prevent broad-sweeping searches you mentioned.

Also drop the confirmation checkbox. No idea how it is helpful. I'm not blind, I can see the email I just typed :)

Otherwise, keep it up and please promote the Warpwallet approach more - what we have right now for address generation is unusable bullshit. (Just laundered my paper wallet, thank god I made a pic of it previously.)

DJviolin commented 6 years ago

@ekrizdis Maybe I'm not understanding correctly what you want, but basically you want mnemonic passphrase without the email salt? That's great, what if someone chooses this sentence for the mnemonic seed?

Is this the real life
Is this just fantasy
Caught in a landslide
No escape from reality

By its length, this should be even more secure than a 12 word mnemonic seed, but in reality this is probably hacked in the first few minutes; it doesn't matter if you wrote it down on a piece of paper right after generation.

Of course, not everyone will choose the first sentence from this Queen song; maybe the smartest choose the second verse. Or even better, take this away from the users and only allow mnemonic words from a pre-selected list. I will tell you what the problem with that is: how long do you think it will take a hacker to figure out this word list with the help of a web scraper? In a fair amount of time they will have a very definitive list of words from songs, authors and websites that the wallet generator is using.

My bet is on using a seed with a passphrase.

What you're asking for is actually lowered security. And yep, just because every stupid mobile wallet is doing it doesn't mean it's good practice, nor secure.

ekrizdis commented 6 years ago

@DJviolin please re-read my original comment, particularly how the mnemonic is generated.

James-E-A commented 6 years ago

I'm not sure if I'm missing OP's point,

but who's to prevent you from just entering 12 words, lowercase, space-delimited, as the main passphrase, and then your email as the salt?

I mean, just because it supports password-like levels of special characters doesn't mean you can't just correct horse battery staple, right?

homakov commented 6 years ago

@JamesTheAwesomeDude you're not missing author's point, author is just being wrong :)

James-E-A commented 6 years ago

This is a very interesting thread, however, and I would be interested to see someone who knows what they're talking about put to bed @ekrizdis and @dabura667's concerns solidly.

I think that @maxtaco's figures

Anyways, if 48 bits of entropy in a warpwallet can protect 10BTC (we've put our money where our mouth is here and so far are correct), then 56 bits of entropy should be able to protect 1280BTC (for 2 years).

sound pretty solid to me, but I really hope to hear back from OP on whether or not this addresses his original point.

Besides, re:privacy if you really wanted to be paranoid with the salt and pump up the entropy for cheap, you could use warpwallet@secretsubdomain.domainyouactuallyown (use IDN subdomain for extra security +lolz)

I feel like the guy who made this tool could probably mathematically completely dismiss these concerns, to the satisfaction of universal consensus, in 2 seconds if he cared to, which is why it does disconcert me a bit that it seems... at least a bit unresolved as yet.

dabura667 commented 6 years ago

if 48 bits of entropy in a warpwallet can protect 10BTC

  1. A large portion of people with enough computing power to blaze through it are mostly benevolent actors, such as Google etc.
  2. If there was a known warpwallet with 1280 BTC on it at current prices, it would probably be brought down by the user's poor opsec. Maybe their reddit account or something else gets compromised and they get a keylogger, turns out they reused their favorite password salted with their main email address... hacked.
  3. Ok, so now assume the warpwallet user used a unique password with a fake and complex email address...... so now they have to write it down? Commit it to memory? Why is this better than BIP39 again? If they're going to write it down anyways they could just write down a 128 bit entropy passphrase to begin with and the SHA256 brainwallets would be sufficient. <<<<<< the whole point of this thread.

So while it is great that warpwallet is better than single SHA256, it is unarguably worse than a simple 12 word BIP39 phrase in almost every way. The only way it is better than BIP39 is that barely anyone uses warpwallet, which makes it "secure" for the same reason "linux doesn't get viruses"... well, it's not that it's more secure in and of itself, but that fewer people use it and the people that do use it are more likely to be security conscious to begin with, so no one bothers to try and make sweeping attacks against it.

As long as warpwallet remains an obscure tool for security focused individuals, and they don't go around telling everyone they have money in a warpwallet AND don't use "password" etc for a password... they should be fine.

However, to say that the design of the system itself is "more secure" than BIP39 is not justified.

Also, TIL keybase made warpwallet, so I almost kinda want to give them a pass on this imo. Keybase rocks...

homakov commented 6 years ago

It might be 10 times less secure than a generated seed in terms of entropy, but being 1000 times more usable it wins anyway. Security without usability is a dead end - google for lost mnemonic seeds and backup files. That can happen to passwords but much more rarely.

Mnemonic phrases will NEVER be adopted by the general public. Even I hate dealing with them. The Warpwallet approach is extremely clear and equals the internet banking email+pw all of us have already used before.

dabura667 commented 6 years ago

That can happen to passwords but much more rarely.

Let me pull up the "forgot password" password reset counts for the bitcoin exchange I work for.

30% of users (out of over 30,000 total) have done it at least once.

One user has done it 24 times over the span of 6 months... lol

Also, I just ran a quick query on 2FA resets (we require them to re-upload a selfie with the same ID they have on file with a hand written message saying "reset 2FA") and it looks as though 5% of users have done this once (we don't track counts though). BTW, 25% of our users have active 2FA currently... so that means 20% of the users that have 2FA enabled have reset it at least once.

...

The usability argument is fine. If you think xyz is more usable for you, that is subjective, as everyone has an idea of what "usability" is for themselves. And I'm sure you are right that if we took an average of all people from all walks of life, surely remembering "daughtersname+birthday" and their email address is much more familiar to people... but to say that "everyone is more likely to lose a phrase than their own password..." well, I know that a shit ton of people lose their password on our site... so unless people who lose their phrase are all just keeping super quiet about it, I highly doubt 30% of all bitcoin wallet users are losing phrases...

I don't have any data though...

Mnemonic phrases will NEVER be adopted by general public.

Just as password managing software will never be adopted by the general public. That doesn't mean you shouldn't use it. :-P

To each his own though.

The entropy argument is just scientific fact so you can't really argue with it though. 90% of users will use a password that is less than 10 bits of entropy (name+birthday or something like that)... probably less for warpwallet, as I said earlier, since the only people using it are tech savvy individuals who think iterative hashing is the bee's knees.

I just hope no one is recommending warpwallet to newbies who would use a password like "password" or their birthday or something like that.

dabura667 commented 6 years ago

I should find a client side javascript library that measures password strength and record our users' pw strength ratings... would be interesting to follow...

homakov commented 6 years ago

30% of users (out of over 30,000 total) have done it at least once.

A password you cannot forget is a prerequisite to a mnemonic and backup file as well. So if you forget a pw in any scheme there's no recovery. In brainwallets however there's no burden of a mnemonic or file to worry about, just a pw.

dabura667 commented 6 years ago

prerequisite to a mnemonic

Nope, just write down the mnemonic and keep it in a safe. Spend from it using a Trezor/Ledger.

No need to remember anything... if you forget your HW PIN you still have your safe.

People know how to keep wads of cash and gold etc. safe by throwing it in a safe. Same applies for mnemonics.

Backup files are a pain... which is one of the reasons why BIP39 was made, SatoshiLabs didn't want users to have to manage files and USB memory sticks to backup their Trezor... just write it down (everyone knows how to write...... well, not everyone) and throw it in a safe.

homakov commented 6 years ago

No need to remember anything... if you forget your HW PIN you still have your safe.

https://www.wired.com/story/i-forgot-my-pin-an-epic-tale-of-losing-dollar30000-in-bitcoin/

I wouldn't recommend an experience like this to anyone. And it will happen again and again. Cash != $30k seed. Maids know of cash, they don't know about papers with words. I myself had a maid in our hotel throw away a seed to like 100k of btc. Thank god I made a photo.

So, NO, screw paper backups.

James-E-A commented 6 years ago

@dabura667

You keep mentioning repeatedly how "12 words is stronger than a password"

but what prevents you from using a password which contains or even comprises 12 words?

There's literally nothing prohibiting the user from using an all-lowercase, pure-alphanumeric, space-delimited-word-sequence password. (And then you can add further punctuation or capitalization or whatever to "season" it and seriously amplify the strength, if you really want! Which is not even an option with BIP39.)

And then when you add in the salt (and believe me, I have used a similar salt to the one I have described, which is both unforgettable AND unguessable), how many even just regular english words in the password does it take to meet/exceed BIP39's levels of security?

James-E-A commented 6 years ago

@homakov

So if you forget a pw in any scheme there's no recovery. In brainwallets however there's no burden of a mnemonic or file to worry about, just a pw.

I agree with what you're saying generally, I think I'm on your "side" in this discussion... but this seems a bit irrelevant, no? Since the guy you're arguing against IS advocating the BIP39 brainwallet, and I don't see anywhere that you've put forward evidence for the argument it seems (correct me if I'm wrong) that you're making, that a password is somehow less of a "burden" to remember than a mnemonic.

That is, how is it

So, NO, screw paper backups

when a "proper" password will necessitate a "fallback" paper backup just as much—if not more than!—a mnemonic, since passwords' difficulty to remember correlates strongly and ~exponentially with strength? (Unless you disagree with this correlation?)

dabura667 commented 6 years ago

but what prevents you from using a password which contains or even comprises 12 words?

The whole point of my argument is "if you give users the option to use "password" as a password, someone will use it."

While you could make the argument that warpwallet is the "strongest wallet in the world because it allows you to enter a 4687 character long (how many characters can fit in the input box???lol) password with all possible unicode characters which is more entropy than exists in the universe so my bitcoins are safe"... after a certain point, the extra entropy is useless.

That point is 128 bits. As Koblitz curves have symmetric security equal to n/2 of the bitlength of the keysize (256).

BIP39 12 word phrases have 128 bits of entropy exactly.

What does "reindeerlover38!" password have as entropy? Not that much.

How much time does warpwallet bide? Who knows, but judging from my time, I'd say one key generation in warpwallet takes about 10000 times more time than a single SHA256. 10000 is about 13.3 bits. So if "password" has 0 bits of entropy, then using "password" with warp wallet is about the same as brute forcing a 13 bit password. If "reindeerlover38!" has 30 bits of entropy, then 43.3 bits of brute forcing are required.

To be equivalent to a simple 12 word BIP39 phrase, the user must think of a 115 bit entropy password (but actually a little more, since BIP39 has light hash iteration within itself).

If you personally are satisfied with 78 bits as long as it requires someone to target you specifically (because it is salted) then that is fine for you, go bonkers with whatever method you want.

However, I stick to the idea that this tool should not be recommended to my grandma. She will use "password" or something weak like that as the password and lose money.
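As an added worked example (my own code, not the warpwallet project's and not posted by any commenter), this carries through the arithmetic the thread keeps returning to: dabura667's eight-step estimate earlier (a 2^32 slowdown is worth 32 bits, so 96 bits remain to be found in 92 symbols or in a 171476-word dictionary), maxtaco's bounty figure (48 bits, 2 years, about 2.2 million guesses per second), and the 10000x / 13.3-bit estimate in this comment. The 2048-word size of the BIP39 list is a known fact not stated in the thread; every other number comes from the comments.

```python
import math

SECONDS_PER_YEAR = 365 * 24 * 3600


def stretch_bits(work_factor: float) -> float:
    """Bits of equivalent entropy that key stretching buys.

    A derivation that is `work_factor` times slower than a single hash
    multiplies the attacker's cost by `work_factor`, i.e. it adds
    log2(work_factor) bits: 2**32 slower -> +32 bits, 10000x -> +13.3 bits.
    """
    return math.log2(work_factor)


def effective_bits(password_bits: float, work_factor: float) -> float:
    """Brute-force cost in bits: password entropy plus the stretching bonus."""
    return password_bits + stretch_bits(work_factor)


def min_symbols(target_bits: float, alphabet_size: int) -> int:
    """Fewest uniformly random symbols drawn from an alphabet of
    `alphabet_size` whose entropy reaches `target_bits`
    (each symbol is worth log2(alphabet_size) bits)."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def guess_rate_to_crack(bits: float, seconds: float, fraction: float = 0.5) -> float:
    """Guesses per second needed to search `fraction` of a 2**bits space
    within `seconds`; fraction=0.5 is the average case behind the bounty figure."""
    return (2.0 ** bits) * fraction / seconds


def years_to_crack(bits: float, guesses_per_second: float, fraction: float = 0.5) -> float:
    """Inverse view: how many years a given guess rate needs for the same search."""
    return (2.0 ** bits) * fraction / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Steps 1-4 of the earlier estimate: a 2**32 slowdown is worth 32 bits,
    # so the password itself must carry 128 - 32 = 96 bits to match BIP39.
    target = 128 - stretch_bits(2 ** 32)
    print(f"password bits needed under a 2**32 stretch: {target:.0f}")
    # Steps 5-8: a 92-symbol character set vs. a 171476-word dictionary.
    print("symbols from the 92-char set:", min_symbols(target, 92))
    print("words from a 171476-word dictionary:", min_symbols(target, 171476))
    # Comparison point (known fact, not from the thread): BIP39 draws from
    # 2048 words, 11 bits each, so 12 words cover 128 bits.
    print("BIP39 words for 128 bits:", min_symbols(128, 2048))
    # The 10 BTC bounty: 48-bit password, 2-year window, average case.
    rate = guess_rate_to_crack(48, 2 * SECONDS_PER_YEAR)
    print(f"guesses/s to beat the 48-bit bounty in 2 years: {rate:,.0f}")
    # This comment's estimate: ~10000x slower than SHA256 plus a 30-bit password.
    print(f"30-bit password with a 10000x stretch: {effective_bits(30, 10000):.1f} bits")
```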

James-E-A commented 6 years ago

So..basically just the lack of a mandatory minimum of security? That it allows the user to pick a bad password?

homakov commented 6 years ago

Another way to look at it: security never works without usability. So you pick something usable and known first (username + pw), then you spice up the security (scrypt N=18, p=20 - works for 1 minute). Not the other way around, where you pick a purely random string of bytes and ask the user to write it down. How on Earth did anyone think it was a good idea to ask normal people to write down words on a paper? No bank ever asked them to do that. So they are frustrated and of course papers are eventually lost.

With warpwallet + 10x stronger derivation even top 1m passwords are out of reach of hackers, just too expensive to brute. Look at their challenge.