The Canary - Burst Early Warning System

  • admin

    @socalguy for a four word phrase yep, but anything longer ,,,,,,, blue balls.

  • @daWallet I created a new account with a rather long passphrase (>2800 characters including spaces). And I noticed that the encryption tool of the client doesn't handle it properly, so that when it gets loaded it changes the original passphrase. Is there a limit of characters that can be handled?

  • @vExact I have no idea, but it may be this: seedLimit: 512. Can someone confirm it?

  • I am sure that any standard Wallet phrase is secure. I think the "problem" is just a psychological one that people see that it is constructed from a known dictionary of words with spaces between, and because of that you can do what is being done here to crack it.

    I suspect that if the Passphrase generator inserted just a single random set of characters of a random length at a random place into the phrase it would then be much stronger both in reality and in people's minds?

    I wonder how long it would take to crack a two "word" Passphrase if the words were random characters and of a random length between 8 and 16 characters?

    @haitch what did you do with the Burst in the Wallets?


  • admin

    @RichBC Nothing, the wallets had already been emptied by the Burst4All mining account

  • @vExact

    1. JS no limit for the string length (as long as it fits into memory)
    2. How browsers handle request-string: Chrome 40 (Desktop), Chrome 40 (Android 5.1), Firefox 36, Opera 27, and IE9+ can deal with a property name of up to 2^27 characters
    3. JavaScriptSerializer.MaxJsonLength Property.
      The maximum length of JSON strings. The default is 2097152 characters, which is equivalent to 4 MB of Unicode string data.

  • @Blago that's cool. But for some reason it does not work for me. I don't know if it has to do with the length of the string (from what you say it doesn't seem to) or with the use of special characters :/

  • @vExact special characters must be converted to string like %10%11%12
    also "space" = %20


    in order to make this challenge more accessible, i wrote some javascript that can be run in browser (without network or local wallet) to generate passwords (with correct word count) and compare the public key for the above accounts.

    random passwords generated with code modified (for word count only) from wallet, public keys generated using javascript crypto libraries available on CDNs (same hash and key pair specs but not exact same libraries as the wallet). i have only brute forced the single word account but tested other public keys versus wallet.

    again no network calls or submissions only browser memory and local processor.

    code tested on chromium Version 56.0.2924.87 (64-bit)

  • @damncourier :) ~2 days (176/sec if window active and 75 if not)


  • @Blago glad to know it works for you and someone else is running it.

    thanks for the speed report.
    have you tried unchecking "show phrase" to avoid the overhead changing the text box value so often? it is less entertaining to watch but speeds things up a bit for me, which brings the rate on my (10 year old) laptop to a blazing 67/sec.

  • @damncourier testing it out, i get 174 sec .. but it seems to only use 1 CPU thread as i currently have 4 windows open with one working on each of the 3 , 4 , 5 , 6 word phrases and each is running at 174 sec no speed change with more or less

  • @Gibsalot yeah no attempt at multi-threading or asynchronous calls for key testing, was trying something simple to run in background that won't eat the machine. clever to use 4 windows though.

    interesting that 175/sec seems the max. beyond the show phrase, the delay can be set to 0, the extra millisecond doesn't help my rate though.

  • ok, i'd make some software and test it:
    bruteforce 1 of 12 words - 9 seconds
    2 of 12 words - 4 hrs 27 mins
    3 of 12 words ~ 301 days
    4 of 12 words .....1341 years

    max speed ~180 iterations/sec

    accountID calculated by soft from passphrase

    Edit: For more security, I suggest changing the words in the wallet's word list in every new release.
    Please, change the word "gay" )))
    @luxe @haitch @dawallet

    hmm... i saw this part of passphrase "lonely funny women ready bleed ......."

  • admin

    Blago humor. XD
    Gay also means весёлый or дово́льный and comes right after "football" in the word list.

  • @Blago How can something like burst client even be bruteforced because when you enter a password and it doesn't recognize it to an account, it makes a new account?

  • @mathew but that new account is only activated with an outgoing transaction... Also it's not needed to enter in an account to bruteforce, it can just use the API, which i am pretty sure is what all these bruteforce systems are doing... ;D

  • admin

    @haitch 827,704,384 3 words passphrases tested and still churning away .....

  • admin

    @haitch wow... I haven't seen this coming: the 3 words passphrase not being cracked in almost a month.

    Seems like this little canary bird will be around for a long, looong time. The bounties getting more attractive as time passes.
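
The figures quoted in this thread can be checked with a short keyspace calculation. This is an added example, not code from any poster or from the wallet; it assumes a 1626-entry word list (an assumption that reproduces the 9-second single-word figure at 180 guesses/sec) and, for the "two random words of 8 to 16 characters" question, a 62-symbol alphabet of ASCII letters and digits.

```javascript
// Added example. Assumptions (not stated in the thread): the wallet word list
// has 1626 entries; "random characters" means the 62 ASCII letters and digits.
const WORDLIST_SIZE = 1626n;

// Candidates an exhaustive search must cover when `unknown` list words are unknown.
function wordKeyspace(unknown, listSize = WORDLIST_SIZE) {
  return listSize ** BigInt(unknown);
}

// Candidates for `parts` random strings, each minLen..maxLen symbols long.
function randomStringKeyspace(parts, alphabet, minLen, maxLen) {
  let perPart = 0n;
  for (let len = minLen; len <= maxLen; len++) {
    perPart += BigInt(alphabet) ** BigInt(len);
  }
  return perPart ** BigInt(parts);
}

// Size of the search space in bits (log2 of the candidate count).
function keyspaceBits(keyspace) {
  return Math.log2(Number(keyspace));
}

// Worst-case seconds to try every candidate at `rate` guesses per second.
function secondsToExhaust(keyspace, rate) {
  return Number(keyspace) / rate;
}

// Percentage of the keyspace covered after `tested` guesses, two decimals.
function percentCovered(tested, keyspace) {
  return Number((BigInt(tested) * 10000n) / keyspace) / 100;
}

const YEAR = 365.25 * 24 * 3600;
for (const n of [1, 2, 3, 4, 12]) {
  const ks = wordKeyspace(n);
  console.log(`${n} word(s): ${keyspaceBits(ks).toFixed(1)} bits, ` +
    `${(secondsToExhaust(ks, 180) / YEAR).toExponential(2)} years at 180/sec`);
}
const twoRandom = randomStringKeyspace(2, 62, 8, 16);
console.log(`two random 8-16 char strings: ${keyspaceBits(twoRandom).toFixed(1)} bits`);
// 827,704,384 is the three-word test count reported in the thread.
console.log(`3-word search covered: ${percentCovered(827704384, wordKeyspace(3))}%`);
```

Under these assumptions a full 12-word phrase is about 128 bits, so the short canary phrases fall because of their length, not because the word list is public.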
