
How safe is the password protecting a Monero wallet?

As the title says, how much brute force is needed to find the password of a Monero wallet? Here's an (older) article that claims that any standard Windows password can be cracked by a cluster of 25 GPUs in just 6 hours: http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/

I was wondering if it would be safe to send myself my Monero wallet to my addresses on public email services such as Gmail or Yahoo Mail, so that I never lose it, even if I lose my laptop and my desktop breaks.

Replies: 8
wekonnoot edited 7 years ago Weight: 0 | Link [ - ]

A password of less than 10 digits could be brute-forced within days with cloud servers. Here is a demo tutorial for password breaking. The average speed is 1000 per second.

smooth edited 8 years ago Weight: -382 | Link [ - ]

The password hashing in Monero uses the same algorithm as mining. So you can estimate the rate that brute forcing is possible from the rate of mining. The entire mining network of Monero could brute force about 10-15 million passwords per second. Assuming strong passwords, that really isn't very many.

That still gives little to no protection against weak or especially very weak passwords however, which might give a brute force attacker a hit after only a few thousand guesses. That's easy to do on a laptop.
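The two estimates above can be compared directly. The following is an added example, not part of any post in this thread: it uses the guess rates quoted here (1000 per second, and 10-15 million per second for the whole mining network) and a simplified model in which the attacker tries a wordlist first and then the full keyspace. The wordlist and all function names are constructed for illustration.

```python
import string

# Guess rates quoted in the thread, in guesses per second.
RATES = {"single cracker": 1_000,
         "mining network (low)": 10_000_000,
         "mining network (high)": 15_000_000}

# Constructed sample of a cracking wordlist, most likely guesses first.
COMMON = ["123456", "password", "qwerty", "monero", "letmein"]

POOLS = [string.ascii_lowercase, string.ascii_uppercase,
         string.digits, string.punctuation]


def alphabet_size(password):
    """Size of the smallest set of standard character pools covering the password."""
    size = sum(len(pool) for pool in POOLS if any(c in pool for c in password))
    return size or 1  # characters outside every pool: avoid a zero keyspace


def guesses_needed(password):
    """Worst-case guesses: wordlist rank if listed, otherwise the full keyspace."""
    if password in COMMON:
        return COMMON.index(password) + 1
    return alphabet_size(password) ** len(password)


def seconds_to_exhaust(password, rate):
    return guesses_needed(password) / rate


def humanize(seconds):
    units = (("years", 31_557_600), ("days", 86_400),
             ("hours", 3_600), ("minutes", 60))
    for unit, span in units:
        if seconds >= span:
            return f"{seconds / span:.3g} {unit}"
    return f"{seconds:.3g} seconds"


def report(password):
    """Worst-case time to find the password at each rate from the thread."""
    return {name: humanize(seconds_to_exhaust(password, rate))
            for name, rate in RATES.items()}


if __name__ == "__main__":
    for pw in ["monero", "481516234", "correct-Horse-42-battery"]:
        print(pw, report(pw))
```

A listed password falls in a handful of guesses at any rate, while the 9-digit one survives for days against a single cracker but only minutes against the network-scale rate.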

papa_lazzarou edited 8 years ago Weight: -401 | Link [ + ]

Keep in mind that that article refers to offline attacks, i.e. when you have a list of hashes and you try combinations to get the same hash. I don't think it could be possible to try that many combinations per second to try to decrypt the keys file, but I could be wrong (and probably am).

If your purpose is to send your encrypted .keys file to an email to work as a cloud storage, you must make sure your password is strong. Then again, you probably would have to write that password down so you might just as well write down the mnemonic seed words and be done with it.

Be careful with those because they are your private key.

sylviaplathlikestobake edited 8 years ago Replies: 2 | Weight: -405 | Link [ + ]

I would use an encrypted email for this or not at all. Also, you probably want to enclose the word seed in a letter or poem, so if the mail is read, it won't be an obvious pass-code.

Reply to: sylviaplathlikestobake
XMRChina posted 8 years ago Weight: -306 | Link [ - ]

I don't think cloud storage is safe at all even if it is encrypted. If the password to decrypt your encrypted email is ever exposed to a keylogger, the encryption no longer protects you. Keep most XMR in cold storage, using the view key to verify balances after incoming transactions if needed.

If you need to make a lot of outgoing transactions, create a 2nd wallet with a smaller balance for that purpose. That way, if your private key is ever exposed to a keylogger, less is at risk.

As others have said, always use extremely strong passwords and brute force attacks to crack them will not be feasible.

Reply to: sylviaplathlikestobake
Chicken76 edited 8 years ago Replies: 2 | Weight: -404 | Link [ + ]

So what you are saying is that the password protecting the wallet is not strong enough to stand up to a serious brute-force attack?

Reply to: Chicken76 sylviaplathlikestobake
chocolatebar edited 8 years ago Weight: -339 | Link [ - ]

It's as strong as you make it. If you use a crappy password you're gonna have a crappy time when someone steals your funds. If you use a good password, you're gonna have a good time because all your moneros are safe and sound.

Reply to: Chicken76 sylviaplathlikestobake
sylviaplathlikestobake edited 8 years ago Weight: -403 | Link [ + ]

I was only replying to the second part of your OP. I'm assuming that you wanted to send your word seed over gmail or yahoo, to which my reply was that you should use encrypted email as gmail and yahoo aren't very secure. The word seeds are very strong, just not if you display them on very insecure networks.