Wed Nov 25, 2015 11:32 pm

However, this doesn't sound quite right to me. Although there are more than one million words in the English language, and the Oxford dictionary has 600,000 words, let's be generous and say you use an easy-to-find list of only 300,000 words. If you had a computer guessing 4-word combinations at 150,000 guesses/second, it would take 1.7 billion years to guess every possible combination. Even a botnet of one million machines would take 1700 years. We can even upgrade your botnet to 1.5 million guesses per second and assume the majority of hits will be found within the first half of your guesses, and it will still take 85 years. That's pretty different from checking "every bitcoin address that has ever received funds in a single day."

(Note - the article you reference is based on my research.)

The English word list sizes you mention are unrealistic - the figures cited were assuming a 2,048 entry wordlist. The diceware list, which is the largest one I'm aware of being promoted as a wordlist for random passphrases, is only 7,776 words, and calling many of them "words" is a stretch. Most of the other common tools use a wordlist of 2,048 or 1,626 words. A typical adult native English speaker's vocabulary is somewhere in the vicinity of 20,000 words.

As an example of why using an entire dictionary is a problem, here are four random words from the system dictionary on my Linux box (containing 234,937 words) produced with

shuf /usr/share/dict/words | head -n 4

chromatophilic tetradactyly autoskeleton aluminothermics

I think I'd have a hard time remembering those.

If you are using random words, it's fairly easy to calculate the security - you compute "work" as log2(list size) * nWords + hardening then compare against your desired security margin (96 bits is probably fine for at least a decade). With diceware and brainwallet.io or warpwallet (both use scrypt(2, 8, 1)), each word is a little shy of 13 bits, and scrypt is providing at least 20 bits of hardening, so 6 random diceware words should get you past the 96 bit security level. If you're really paranoid use 8 random diceware words for a ~123 bit security level.

Using a hardened KDF with your email as a salt shaves off a random word or two from what you need for good security, and requires anyone trying to steal your money to target you directly (unless you have a *trivially* weak password) at almost no cost.

Several performance improvements have been made to Brainflayer since DEFCON, and I was recently able to scan for ~743 billion passwords at a cost of $52 using EC2 spot instances.
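Added example, not part of the original post: a short Python calculator for the work formula given above (log2(list size) * nWords + hardening), applied to the word list sizes the post mentions. The function names are hypothetical, and pricing an exhaustive search by scaling the quoted $52 per ~743 billion guesses linearly is an assumption made here for illustration.

```python
import math

# Figures quoted in the post. Scaling them linearly to other keyspace sizes,
# and treating them as a per-guess price, is an assumption of this example.
QUOTED_GUESSES = 743e9
QUOTED_COST_USD = 52.0


def work_bits(list_size, n_words, hardening_bits=0.0):
    """work = log2(list size) * nWords + hardening, as stated in the post."""
    return math.log2(list_size) * n_words + hardening_bits


def words_needed(list_size, target_bits=96.0, hardening_bits=0.0):
    """Smallest count of uniformly random words whose work reaches target_bits."""
    n = 0
    while work_bits(list_size, n, hardening_bits) < target_bits:
        n += 1
    return n


def exhaust_cost_usd(bits):
    """Rough cost to try all 2**bits candidates at the quoted price per guess."""
    return (2.0 ** bits) * QUOTED_COST_USD / QUOTED_GUESSES


def report(list_sizes=(1626, 2048, 7776), target_bits=96.0, hardening_bits=20.0):
    """One row per word list: bits per word and words needed with/without a KDF."""
    rows = []
    for size in list_sizes:
        rows.append({
            "list_size": size,
            "bits_per_word": round(math.log2(size), 2),
            "words_plain": words_needed(size, target_bits),
            "words_hardened": words_needed(size, target_bits, hardening_bits),
        })
    return rows


if __name__ == "__main__":
    for row in report():
        print(row)
    # Four words from a 2,048 entry list with no hardening: 44 bits of work.
    weak = work_bits(2048, 4)
    print(f"4 x 2048-list words: {weak:.0f} bits, ~${exhaust_cost_usd(weak):,.0f} to exhaust")
    strong = work_bits(7776, 6, hardening_bits=20)
    print(f"6 diceware words + 20 bits hardening: {strong:.1f} bits")
```

The formula only holds when every word is drawn uniformly at random from the list; words a person picks themselves carry far less than log2(list size) bits each.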