Post
Topic
Board Service Discussion
Re: If you used Brainwallet.org - MUST READ! - Security Breach!
by scintill on 07/07/2013, 03:34:18 UTC
I think we shouldn't make such assertions without any evidence.
If someone calculated a rainbow table (and I'm almost sure more people have done so), then it has nothing to do with the site owner.

He's just saying SHA256 brain private keys are a bad idea, and sites like Brainwallet.org should be taken down so that it is not easy for misinformed people to create weak private keys.  How hard we should try to protect people from themselves, I guess that's a philosophical/ideological debate that is OT.

As for the evidence of a rainbow table, how about this:

I did a small investigation some time ago to see how widespread the problem was, and these were the results:

 - Sent 0.001 BTC to an address generated with a password you will find in any top 10 common password list. Taken immediately.
 - Sent 0.001 BTC to an address generated with a six digit password. Taken immediately.
 - Sent 0.001 BTC to an address generated with the same six digit password as above, but with Point Conversion set to "Compressed". Untouched.
 - Sent 0.001 BTC to an address generated with an upper/lower/digit six character randomly generated password, normal Point Conversion. Untouched.

Someone is definitely out there grabbing things from weak-passworded wallets, but even a six-character random password thwarts them.

The only thing slightly surprising to me is that mechs's password "stfu!" has punctuation, but I just checked and that verbatim string is in the Rockyou password dump, and anyway it's not much more creative than just "stfu" alone.

Yes, I think that you should (please) change the title to "If you use any brain wallet - MUST READ! - Security Risk!"  as this issue of losing your BTC when using a common/simple pass phrase applies to any brain wallet, not just those from brainwallet.org.

Agreed.  More accurate, less alarming, more applicable.
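
An added example, not part of the original post: a pre-use passphrase check for a SHA256 brain wallet, showing that the private key is an unsalted single hash of the passphrase and how small the guessing space is for the password classes the thread discusses. The `COMMON` set is a constructed stand-in for a leaked-password list, and the 80-bit threshold and the function names are assumptions of this sketch.

```python
import hashlib
import math
import string

# Constructed stand-in for a leaked-password list (assumption, not real data).
COMMON = {"password", "123456", "qwerty", "stfu", "stfu!"}

CLASSES = [string.digits, string.ascii_lowercase,
           string.ascii_uppercase, string.punctuation + " "]

def brain_private_key(passphrase: str) -> str:
    """SHA256 brain wallet key: one unsalted hash, so equal passphrases
    always give equal keys and guesses can be precomputed once for everyone."""
    return hashlib.sha256(passphrase.encode("utf-8")).hexdigest()

def keyspace_bits(passphrase: str) -> float:
    """Upper bound on guessing work in bits. It holds only if every character
    was picked at random; human-chosen phrases are weaker than this."""
    alphabet = sum(len(cls) for cls in CLASSES
                   if any(c in cls for c in passphrase))
    if any(not any(c in cls for cls in CLASSES) for c in passphrase):
        alphabet += 128  # assumed bucket for characters outside the classes
    return len(passphrase) * math.log2(alphabet) if passphrase else 0.0

def audit(passphrase: str, min_bits: float = 80.0):
    """Return (verdict, bits). min_bits is this sketch's assumed threshold."""
    bits = keyspace_bits(passphrase)
    if passphrase in COMMON:
        return ("reject-listed", bits)
    if bits < min_bits:
        return ("reject-small-keyspace", bits)
    return ("ok", bits)

if __name__ == "__main__":
    # Constructed sample passphrases, one per class discussed in the thread.
    for p in ["stfu!", "481516", "aB3xQ9", "tR7#mq2Lx9!vBz4K"]:
        verdict, bits = audit(p)
        print(f"{p!r:22} {verdict:22} <= {bits:5.1f} bits")
```
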