Understanding passwords for server vs local encryption
Since the dawn of the Internet era, we have grown accustomed to the need for passwords to secure access to critical data such as our e-mail, online banking accounts, and a plethora of social media accounts such as Google+, Facebook, and Twitter. We have understood that our passwords needed some level of complexity and that it would be prudent to avoid simple strings such as our first and last name or “12345”.
Almost all the services that we needed a password for involved logging into a server which would do the authentication. Round-trip access to a server offers a level of security to protect against easily guessed passwords as well as forgotten passwords. All respectable web services will temporarily disallow access to a specific account after repeated attempts with an incorrect password. This makes it incredibly difficult to “brute force” the password by simply making millions of “guesses.” In addition, forgotten passwords can be recovered by simply requesting a new password via e-mail verification. From all this, we have grown accustomed to being digitally “irresponsible” for our data.
The advent of bitcoin has brought the need for locally encrypted content. Unfortunately, passwords used for encrypting local content, such as your bitcoin private key, must have a sufficient level of complexity to provide even modest security. Unlike your online banking password, encryption passwords can be brute forced if someone gains access to your encrypted data. Depending on the encryption algorithm used, brute force attempts can be made as fast as 1000 attempts per second on a standard desktop computer, and much faster on a high-powered workstation. To give an idea of how easy it would be to brute force a password, take the following password as an example: “m5y4kr”
To most of us, this would appear to be a fairly cryptic and difficult-to-guess password. However, if you look closely at the level of complexity, this password has only six characters drawn from lowercase letters and numbers. Each character has at most 36 possible values (26 letters, 10 numbers). With six characters, this type of password has a total of 36⁶ possible combinations, which equals 2,176,782,336. Wow, over 2 billion possibilities. That sounds like a lot, but at 1000 tries per second, it would take only 25 days to crack this password on a desktop computer. Now, the hacker would first have to gain access to your computer and download the data, but in this day and age of theft, viruses, and other malware, this is an unfortunate possibility.
Some encryption software, such as the bitcoin wallet Armory, implements a technique called key stretching, which hashes your password into a much longer and more complex string before using it as an encryption key. With complex hashing algorithms that can take over 1 second to execute, password brute forcing can be made significantly more difficult. Unfortunately, most encryption software, including bitcoin wallets, does not clearly advertise the type of encryption used or whether any key stretching algorithm is implemented.
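The arithmetic above and the effect of key stretching can be checked with a short script. This is an added example, not code from the original post or from any wallet: it uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in key-stretching function, and the function names and the 66-symbol alphabet are assumptions made for illustration.

```python
import hashlib
import os
import time

def keyspace(alphabet_size, length):
    """Number of candidate passwords of exactly `length` characters."""
    return alphabet_size ** length

def days_to_exhaust(alphabet_size, length, guesses_per_second):
    """Worst-case days to try every candidate at a fixed guess rate."""
    return keyspace(alphabet_size, length) / guesses_per_second / 86400

def stretch(password, salt, iterations):
    """Key stretching: derive a 32-byte key with PBKDF2-HMAC-SHA256.
    PBKDF2 is a stand-in chosen for this example, not any wallet's KDF."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)

def calibrate(target_seconds, probe=20_000):
    """Estimate the iteration count that makes one derivation cost
    about `target_seconds` on this machine (never below `probe`)."""
    start = time.perf_counter()
    stretch("probe", b"\x00" * 16, probe)
    elapsed = time.perf_counter() - start
    return max(probe, int(probe * target_seconds / elapsed))

if __name__ == "__main__":
    # Policies from the text; the 66-symbol alphabet assumes only the four
    # special characters %&@# are added to letters and digits.
    policies = [("6 chars, a-z0-9", 36, 6), ("10 chars, a-zA-Z0-9%&@#", 66, 10)]
    # Guess rates: the article's 1000/s, and 1/s for a ~1 second stretch.
    for label, size, length in policies:
        for rate in (1000, 1):
            days = days_to_exhaust(size, length, rate)
            print(f"{label:26} {rate:>5}/s  {days:,.0f} days ({days / 365:,.1f} years)")

    iterations = calibrate(1.0)
    salt = os.urandom(16)  # random per-file salt, stored beside the ciphertext
    start = time.perf_counter()
    key = stretch("m5y4kr", salt, iterations)
    print(f"{iterations:,} iterations -> {time.perf_counter() - start:.2f} s per guess, key {key.hex()[:16]}...")
```

Stretching multiplies the cost of every guess by the same factor, so it slows an attacker down but does not turn a six-character password into a strong one.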
Always play it safe when using encryption passwords for locally encrypted data. A generally safe rule is to use passwords of at least 10 characters with upper and lowercase letters, numbers, and some special characters such as %&@#. And once you’ve created this heinously complicated password… DO NOT FORGET IT. In the world of locally encrypted data, there is no password recovery service. There is no one you can e-mail for support. There is no “I forgot my password” link. If you forget your password, you lose access to your data. In the case of bitcoin, you lose your money ☹.
As most people do not realize which types of applications employ locally encrypted data, I thought I would include a list of commonly used applications below:
Bitcoin wallets (Bitcoin-QT, Armory, Mycelium, Electrum, Blockchain.info)
Password saving software (Lastpass, Onepass, Roboform)
Any hard drive encryption software
Hopefully this level of understanding helps prevent some future bitcoin thefts that could have been easily prevented.