Ninjastic
PostEdited versionsQuotes to this post
Post
Topic
Board Bitcoin Technical Support
Re: How to recover your wallet.dat encryption password (Brute force)
by
biggie
on 11/07/2013, 02:03:30 UTC
Quote from: NEICH on June 17, 2013, 08:13:06 PM
Dear Sharky444,

It depends on how you can delimit your calculation...

Two cases:

(A) Let's imagine you know some of the characters you used... Or someone knows you usually use numbers and certain symbols.... a very short list would include 20 characters ...
But let's imagine you are very sure that with only 12 chars it would be enough..... With 12 chars you will reach an amount of 20^12 = 4096*10^12 combinations.
The current brute force has a bitcoin client passphrase limitation: It can only check about 10 phrases per second due to security reasons.
This means that one PC, will take 13.168.724 years.

Now lets imagine you can run up to 6 virtual machines in your PC, in each of them you run the brute force script against the bitcoin a copy of the wallet client.... then the pc will need 1.316.874 years.... Now lets imagine you are really rich or an awesome hacker and you can have 100.000 computers working for the wallet password.....  Then you will spend 13 years for obtaining the password...... In addition, you would need the wallet.dat file.... that in fact is not very easy to be obtained.

Now, go to a more realistic situation:
(B) You have no idea about the used password characters.... you may have upper-cases, lower-cases, numbers, symbols.... You should include a lot of characters for your combinations calculation... Then you may consider 85 characters...  {a...z, A...Z, 0..9, !"·$$%&/()=?¿^<>@#~|[]{}€*¨Ç;:_/*......... etc)

Same calculation will lead to a brute force time of 762.183.626 years
In this case, if you want to get the password in a reasonable time (about 1 month) you would need 762.183.626.000.000 computers.

From my point of view, 12 characters is a long and very safe password... maybe too long for our minds.
I think it is safe enough to use passwords of 10 characters, where you alternate text, upper/lower-cases, numbers, and rare symbols.... Considering that some brute-force dictionaries may not be treating very rare symbols for reducing the combinations number... if you are using rare symbols you will increase a lot your password safety:  "¬ ~| % ` [ ] } etc..."




Thank you for the info !

Only one thing, the limitation of 10 per second is just coded in the client software right ? So a programmer can change that and recompile the client and this allows you to use all you got in computing power.