Bitcoin Box

A magazine dedicated to all things Bitcoin

The Bitcoin Security Challenge, Part II

author: Vitalik Buterin
published: 2011-06-28 12:49:17 UTC

In many otherwise ironclad security systems, the human element is the weakest link. Even with 4096-bit encryption, the latest hashing algorithms and a 5-kB operating system written by hand for the one specific purpose and inspected by twenty security agencies, the humans holding the keys can be socially engineered, and (and this is especially important due many Bitcoin users' desire to stand up to the power of governments) are always susceptible to the internet-famous five dollar wrench attack. And sometimes a security system does not even need to be bypassed in this way; sometimes the human weakness manifests itself in that no one bothers to set up the security system in the first place. This is true for email accounts, it is true for sensitive corporate data, and it is true for Bitcoin. For example, it has for a long time been suggested for people with a significant amount of BTC to keep a separate savings wallet and a spending wallet, but few people actually do this. Wallet encryption is also suggested; few people also do this. Social engineering attacks targeting Bitcoin are appearing, and it is only a matter of time before one scores a high-profile success.

The main weakness in the Bitcoin ecosystem as a whole is that of weak passwords. There are two issues here; the first is passwords that are short, or passwords that are medium length and do not use special characters. Even worse than that, however, are the passwords that everyone else uses - it seems that 3-10% of accounts can be cracked by checking ten passwords! To explain just how bad this is, an explanation of how passwords are stored in databases is necessary. Websites, except the really insecure ones, do not store passwords, they store hashes of passwords. A hash is a function that can be easily calculated on any string (eg. a password) but which is impossible to do in reverse, ie. find a string that hashes to a specific value, without resorting to the strategy of trying every possible combination. There are two ways to try to crack a password of an account: the normal way - putting text into the "password" box and trying to log in over and over again, which can be limited to something like 10 tries per minute by the website, or one can get a leaked copy of the database and start trying passwords to fit the hashes - the website cannot limit this, since the hashes are not under its control. Leaking is arguably unavoidable for anything larger than one person and will happen eventually to everyone, so security should be designed around the second type of attack. Computers can try hundreds of millions of hashes per second (you can see how quickly your password would fall to a concerted attack with Steve Gibson's tool); indeed, the hardware to do this is easily available thanks to Bitcoin itself, since mining involves brute-forcing the reverse hash problem. Thus, a password which is a word in the English language, one of the most common passwords on this list, or a 6-character alphabetical lowercase-only password can be cracked in one second.

There is an even more serious issue: people have already done reverse hashes of many trillions of the simplest strings, so a cracker can simply use a lookup table to find many passwords from hashes instantly, taking advantage of years of combined effort already done by others. This attack can be secured against through salting: instead of storing and checking against the hash of the password, store and check against the hash of a string made up of the password and something else that is different for each user (a simple example is hashing the username appended to the password, eg. "123456vbuterin"). This way, hashes need to be tried for each user separately, rather than concurrently for hundreds of thousands of users. However, many sites do not do this - MtGox itself didn't until two months ago. Another possibility is to make the salt extremely long - several megabytes long - in order to make a single hash check take a significant fraction of a second, and thus make a billion hash checks take over a year, rather than a second, although storing all the salts and calculating hashes as many legitimate users try to log in can make this difficult, and the marginal value of this is far less than that of the more basic protections.

The second problem is that many people use the same password for different sites. Thus, if one gets a list of username/password combinations for one website, some of them will likely work on other websites as well. This is a problem especially for the Bitcoin ecosystem, since it is a tightly linked community where the same small set of sites are used by everyone. One person did get his MyBitcoin account compromised in this way. Thus, given the present set of password habits, one's password is only as strong as the weakest link protecting it, so a poorly secured website is a liability to the entire system. However, we cannot practically rely on every website to have strong security, and a single coding error can potentially be exploited and cause a leak. Given the current state of security as it is, a 12-character mixed-case alphanumeric password with at least one special character is recommended to outlast reverse hash brute-forcing; every character added to that makes the cracker's job 50-100 times more difficult, and a different password should be used for each site. The problem is, however, that although passwords can be made strong enouch to be uncrackable, few would bother memorizing such passwords. As someone on the Bitcoin French forum laments, "in fact this story makes me doubt the utility of cryptography for the mainstream public. These days a password even with special characters is considered crackable with specialized equipment, all the way up to twelve characters. Twelve characters, that's long ... it's nice to have elliptic curve based keypairs, but it doesn't do much if access to them is memorized by a human being."

I do not share this pessimism, and instead offer the viewpoint that it takes time for any rituals, including security practices, to work their way into the public consciousness. If one were to take a hypothetical group of people who have lived with constant access to the internet since age 1, who can carry out all the necessary security precautions and memorize a completely different 20-character password for each website they have an account on, but have never gone outside, and suddenly give them their own houses and cars, for many years they would likely be too lazy to lock their doors and would leave their car keys in the ignition, because the rituals are not ingrained and they would follow the path of immediate convenience (ie. laziness). However, we, who have spent our entire lives in the physical world, have no problem with physical security, although the rituals of first world residents are likely weaker than those of residents of third world high-crime communities due to the difference in risk. The problem with the internet is that most people have never used a password to guard anything of substantial value. There are e-mail addresses, but in the general public not many people use them as their primary means of communication. Credit card fraud can be carried out through the internet, but customers are protected from this with the possibility of chargebacks. Now, things have changed. The security problem in general is one that encompasses the entire internet and more, but Bitcoin is a crucial new stage in its progression: suddenly, a file can, by itself, be worth 500,000 dollars, and people are not ready for this. First world residents in particular are not ready - the internet is a place with a first world quantity of wealth and a third world quantity of criminals, and first world residents will thus need to develop not only different rituals , but also far stronger rituals, than the ones they are used to.

In the short term, it is therefore necessary to have security systems which translate cyberspace security rituals into physical security rituals, since rituals for protecting physical objects are much more ingrained than those for protecting information. Following this line of thought, security expert Bruce Schneier recommends writing passwords down on a physical piece of paper, which can be protected like a key. There are other options available:

2-step verification with cellphones, like that implemented by Gmail - when one wishes to log in, a one-time code is sent to the person's cellphone which must be entered along with the password. Thus, having physical access to the phone is necessary to log in to the account.
2-step verification with locally stored software - Gmail also allows this option. A one-time code must be generated by a program stored on the person's computer, smartphone or even a specialized USB key, which must be entered along with the password (the YubiKey actually reports itself as a USB keyboard, so it enters the password itself).
The idea of writing down one's passwords has a few extensions. First, one can use a USB key instead of a card, a setting that YubiKey also offers. Second, one can have a password card where the location of the individual passwords on the password card is unknown, effectively making a password with a written down component (the card) and a memorized component (the path one follows on the card to read the password).

However, the necessity of even these rituals is not ingrained, and many people will go with the lazy option of an easily remembered 8-character English word or name as a password, possibly with the number 1 at the end (which, as the leaked password list shows, is really not that useful - if you are going to do this, adding the number 2 at the end instead is at least twice as secure). In the long term, as the internet becomes a more and more central part of people's lives, security rituals will become more and more ingrained. Given the present trend in education against memorization learning, many people (although not everyone) will go the route of password cards rather than memorization, and for highly secure applications a combination of one-time codes and passwords will become necessary as well. As the rituals become ingrained, and "did you remember to lock the door?" becomes "did you remember to set a new password?", information security will become a core part of our lives.

Since, as we have established, in the absence of rituals the default condition is laziness, in the short term secure defaults are necessary to protect Bitcoin in order to make the process of security less arduous (and even, potentially, make the process of insecurity more arduous than the secure default). The process of getting Bitcoin wallets encrypted by default is underway, and in the future we may see the concept of multiple wallets in the client as well, and the client could even help users keep secure backups of all their wallets. Bitcoin developers need to fully realize that they are writing a financial application, and develop extremely strong security in the client to match the importance of what the client is doing. It should not be possible for someone with access to a Bitcoin user's computer for 10 seconds to steal all of that person's money, and the encryption patch will change this by requiring the password for every transaction. I personally recommend that, when the pull request makes it into the client, users make their Bitcoin password at least 15 characters, including special characters, memorized, possibly augmenting that by appending characters written down on a password card, since it is easy to memorize something if one must type it in every time one wishes to make a transaction - if you have a screen lock password on your computer, consider how effortlessly you can type it in without thinking.

Bitcoin is, of course, not only about the client and the network, but also about the ecosystem as a whole. Many online services, like Gmail, have password strength checkers, and minimum password lengths, and Bitcoin services should adopt these as well. Extremely important ones, like MyBitcoin and exchanges, need to adopt 2-step verification, so that security rituals that should have started developping among the public ten years ago can start to develop as quickly as possible. Every website and every wealthy user that gets hacked makes the public doubt Bitcoin more and harms adoption. Everything and everyone that is insecure is a liability to the whole system. If Bitcoin users wish to prove that intrusive government regulation is not necessary to protect us, then we must protect ourselves. We are all in this together.