The Canary - Burst Early Warning System

  • admin


    The auto-generated random passphrase of 12 Words out of a 1626 Words dictionary is considered by many as not safe enough. Let's see if these doubts are appropriate or not.
    It is a false conclusion to use a songtext or "own random words" instead - as your own passphrase may not be as random as you think. Using hundreds or thousands of characters to feel safe is not very handy, too.

    That's why I set up this little game and early warning system. Each Account has funds in it and uses an auto generated passphrase by the Burst Wallet with 12 and less words. All words in the used dictionary are openly available:

    1 Word BURST-GMVF-Z5L4-LGWZ-8BW6W (entropy of 10.66 bits) time till cracked: 6 seconds,
    2 Words BURST-ADFP-EN99-24FD-44QA7 (entropy of 21.334 bits) time till cracked: 53 seconds, record: 4 sec by blago
    3 Words BURST-UP6D-R28A-67XL-DYBJL (entropy of 32 bits) time till cracked: 27 days by haitch
    4 Words BURST-24M6-5CWP-CPPZ-D9PVS (entropy of 42.67 bits)
    5 Words BURST-RT5Y-YLDA-AZ5R-6T6MN (entropy of 53.34 bits)
    6 Words BURST-AYQF-7YUJ-A88H-D32VQ (entropy of 64 bits)
    7 Words BURST-ND84-WUE8-L9EZ-C27NB (entropy of 74.67 bits)
    8 Words BURST-K8GV-VEAA-LRLS-F5C58 (entropy of 85.33 bits)
    9 Words BURST-YRZY-WDWF-XQ35-AURDX (entropy of 96 bits)
    10 Words BURST-RGGF-SJ88-272C-G3RXG (entropy of 106.67 bits)
    11 Words BURST-P7SA-89F9-62F4-53MEG (entropy of 117.34 bits)
    12 Words BURST-6L9L-LULB-XVAZ-463RB (entropy of 128 bits)

    Each of these Accounts hold 1000 Burst at the moment. I have not saved nor shared any of the passphrases.
    Maybe someone likes the idea and can make a webpage out of it with current balances and so on.

    Also the same warning system can be made with different type of passphrases.

    TL;DR: It's about to brute force the auto-generated passphrase with the known dictionary.

  • I'm a bit clumsy and I do not get it right.
    Where to hit? Because you can not create an account with a word, or what you have to do is repeat the same word as necessary, or what you have to do is create a password and put it here?

  • @daWallet I didn't understand 😕

  • admin

    I try to rephrase it:

    It's about to brute force the passphrase. The first account uses only one word from the standard Burst Wallet dictionary.

  • admin

    The first Account got emptied by the Burst4All Pool Bonus Account. 😃

  • @daWallet well if it was only one word you can try one by one. That's an easy one, when you have two you now have to start making the combinations and so on. Brute force might be used and successful if there are few words to discover 🙂

  • @daWallet how are we supposed to brute force 12 thats like over a 31726512 combinations

  • admin

    @HiDevin From memory, there are 1,204 words in the dictionary, so the possible combinations (r!)/(n! * (n - r)!) where r= 1,204 and n =12 is: 183,357,161,96,648,799,306,792,081,830 combinations. Good luck brute forcing that any would be hacker..... Add in a single letter change or symbol/number transposition and you just made it exponentially harder.

  • admin

    @haitch 1626 words. That's the point of the exercise: To show that 12 words is secure (or not) by an example.

    The second account with a 2 words passphrase got emptied.

  • well, alpha testing my stalking system.

  • @haitch I really don't get your math man...

    I think to calculate the possibilities is just:
    where D is the number of words in the dictionary and W is the number of words to use in the pass...
    So for 12 words with 1204 words in the dictionary should be something like 9'279'356'137'345'777'447'161'964'892'117'800'000 possible combinations or am i wrong? xP

    @dawallet i create a imcros and javascript bot just now to do this tries and it is running for the 3 words pass... Although by my math so i can reach the last try i will take 34.08 years... LOL

    I know that imacros is not the best way to do this but it literally took me 10 minutes to do!

    EDIT: actually i redid the math and it will take me 408.96 years to reach the last try this way hahahaha Imacros is not for this for sure hahahaha

  • If order in combinations doesn't matter - need use (r!)/(n! * (n - r)!).
    But in BURST passwords order of words matter, so D^W

  • admin

    @Blago Yeah, I was thinking of the formula for combinations, not permutations. For permutations it (n!)/(n - r)! , which presumes the same word is not used more than once, if words can be repeated then n ^ r.

  • admin

    @haitch Two word account cracked - took approx 29 minutes. 1,395,756 passphrases tested - approx 800 per second

    3 word running - worst case about 62 days. Four word worst case is 276 years. For each additional word, multiply the previous result by 1626. So a five word result is worst case 448,000 years. For 12 words I come up with 13,537,856,339,904,134,474,012,675,034 years. Replace one character in the phrase with a number or symbol - you just made it virtually impossible - the 12 word passphrase from a known dictionary is basically brute force proof.

  • @haitch yep me personaly with the new wallet i auto generated a pass phrase and then added some numbers , symbols , caps in various places so its not using 100% whats in the known word data base.

  • @Gibsalot i also use words in other languages, and portuguese skank, i think it's pretty impossible someone to hack my passphrases xD

  • @gpedro my old pass phrase should be not hackable it was song lyric based three 12 word lyrics from 3 dif songs strung together with various add ins like sertain numbers and caps for a total of 179 digits that i could physicly remember and input from memory within 1 or 2 trys lol .. but i did a complet comp clean and wallet swap after i found a phishing virus on my comp and had no idea what i could of found.. can not remember the new pass phrase as its to far removed from being personal to be rememberd for longer than 10 sec

  • @Gibsalot then be careful to not lose your backups hahhaa

  • admin

    @haitch over 62.5M combinations tried and still looking for the three word phrase.

  • @haitch what are you using to make the atempts >?