Bitcoin is renowned for its security, with a vast array of possible private keys making it virtually impossible to brute force hack a Bitcoin address when properly set up and utilized. Nonetheless, humans are prone to errors, and these mistakes can lead to compromised private keys and Bitcoin theft. This article serves as a guide on what not to do when producing and using private keys and may inspire those looking for exploitable weaknesses in human handling of private keys.
A good private key must be perfectly random. As we are yet to invent a device capable of producing true randomness, we rely on pseudorandom functions for creating private keys. Bitcoin wallet software uses pseudorandomness for new keys, which has been effective as there are no known instances of keypair generation collisions in Bitcoin's history. This suggests that the risk of accidentally generating a keypair that controls another person's coins is virtually nonexistent.
For creating cryptographically secure private keys, a simple line of code in Bash can be used after installing OpenSSL if necessary:
perlopenssl rand -hex 32
This command generates a 64-character hexadecimal string, like:
7ed821b0cfa039a69d8403f8b93d5ca008e8c11f6bf9ee3e422854165519f56a
This string can be used as a secure private key, equivalent to these two private keys:
5Jn9eY6hNux6Dct7w67b1587bNyxa8iBmouEDiPjurpf3uwXjvT L1UHAgG9DiiA2hNdbja55KCQ6k2QHF2nYn1XM7hNQJuLwcKFBcDM
Which control these four public addresses:
14z8XV5zRs1iHR4ScppvkjPaz34CLZcTRN 1DLdKSMvgh6C7QEvy8zYXSPp9DhYQGQrU4 35LbfTGPfUAqjsAAr6vsRa8ou5766xhzZH bc1qsatm4dxhxe8a756xznh6c2p52cctxzqgwkx7lc
These keys are secure unless the private keys are disclosed, as in this example.
Here are three ways Bitcoin has been hacked:
Google and the Cloud: Up until around 2014, unencrypted Bitcoin Core wallet files with unspent Bitcoins could be found using Google searches like “site:dropbox.com wallet.dat”. This was primarily due to users storing their wallet files in public Dropbox folders, which were indexed by Google. Saving wallet files unencrypted in publicly accessible online folders is highly insecure.
Bitcoin ATMs and Social Media: Bitcoin ATMs print receipts with private keys in the form of QR codes. There have been instances where individuals have shared photos of these receipts on social media, exposing their private keys to theft.
Brainwallets: Until 2015, a service called brainwallet.org allowed users to create Bitcoin keypairs based on SHA256 hashes of simple passwords or phrases. This method is insecure as humans are not good at creating random, memorable passwords. Despite the shutdown of brainwallet.org, similar services exist, and they are just as vulnerable.
In conclusion, the best practice is to let computers handle the generation of private keys using secure methods, avoiding the pitfalls of human error and the temptation to use insecure methods like brain wallets.
https://rya.nc/
https://www.youtube.com/watch?v=f2s3_UG9IPU&source_ve_path=MjM4NTE&feature=emb_title
No comments:
Post a Comment