Is it safe to share my wallet hash?

14 replies 252 views
blockz283Senior Member
Posts: 5 · Reputation: 1446
#1Apr 3, 2023, 02:40 PM
Is there a security concern with sharing just the "hash" from my old wallet with a password recovery service? I'm talking about the hash that comes from using bitcoin2john.py ($bitcoin$<hash>) or ethereum2john.py ($ethereum$s*<hash>) scripts from JtR. My password isn't an issue since it's unique, hasn't been used anywhere else, and won't be in the future.
6 Reply Quote Share
Posts: 244 · Reputation: 60
#2Apr 3, 2023, 07:41 PM
As long as you always use secure software and do not share the wallet.dat. An attacker successfully cracks the hash, they obtain the password. With this password, they can access the wallet ONLY if they have the wallet file.
0 Reply Quote Share
blockz283Senior Member
Posts: 5 · Reputation: 1446
#3Apr 4, 2023, 09:37 PM
This also applies to the UTC-Keystore Ethereum wallet, right?
6 Reply Quote Share
Posts: 244 · Reputation: 60
#4Apr 5, 2023, 01:38 AM
Yes, in both cases, without the wallet.dat and Keystore file, they can’t do anything by obtaining your password cracking the hash.
1 Reply Quote Share
Posts: 105 · Reputation: 20
#5Apr 7, 2023, 12:13 AM
I don't think sharing the hash only is a risk to the wallet. Because hash is a one-way thing, hashing is a procedure in which a hash is made from the public key because the public key is very long and it takes a lot of storage, not good as size matters, so hashing converts the public key into a hash by hashing. What is the difference between public key and public key hash. This thread will be of great help to you because I also came to know what's the importance of hash and public key and private key and what's the difference between them. I am sure if you will read some replies, you will know if it's okay to share the hash or not. I think it's not wise to share the hash to a service you don't trust or don't have good feedback on. I mean, the tool you are using, John the Ripper (jtr) I don't know much about it but the hash is here in the discussion and can be used by the jtr to crack the password.
0 Reply Quote Share
blockz283Senior Member
Posts: 5 · Reputation: 1446
#6Apr 7, 2023, 09:35 AM
This is not exactly a hash in the usual sense. These scripts extract some data from the wallet that is needed to check the correct password.
1 Reply Quote Share
Posts: 105 · Reputation: 20
#7Apr 7, 2023, 02:40 PM
Hmm so I checked how jtr works and it works when you give it the type of encryption to decrypt when it won't automatically pick one like there are many. So far, I think it's not bad to use it because the software is a trusted one but lacks in performance when compared with hashcat but to be specific, I think the hash data it will extract will be used to apply brute force attacks or any other attack to predict the password, and you aren't giving it, it will automatically extract it. So in order to open the wallet, you need a password and in order to get the password, you have to provide access to the jtr so it can get the hash, but you doubt if it will give you the password, and you are risking giving it a hash. I think jtr won't do anything bad to you. Until then, let's hear what other members have to say about it.
4 Reply Quote Share
blockz283Senior Member
Posts: 5 · Reputation: 1446
#8Apr 7, 2023, 10:35 PM
The scripts are used separately from jtr, they have open source code (python). The question was whether it was possible to transfer the received "hash" to someone else in order to find the password and not be left without funds.
4 Reply Quote Share
Posts: 166 · Reputation: 27
#9Apr 9, 2023, 07:00 AM
The "hash" is the encrypted encryption key, not actually a hash. This key is used only to encrypt the private keys stored in the wallet.dat file. It is not used for private key derivation and there is no relationship between that key and your private keys. If the service can brute force the password, they will only know the password and having possession of that encryption key. However, unless they have the wallet.dat file itself, there is no risk to funds.
1 Reply Quote Share
Posts: 244 · Reputation: 60
#10Apr 9, 2023, 11:58 AM
so, bruteforce same hash using hashcat
3 Reply Quote Share
Posts: 105 · Reputation: 20
#11Apr 10, 2023, 12:39 PM
Hmm, I can't actually answer it because in the first place you are sharing a hash with someone so they could unlock or crack the password for you, and on the other side you are asking if they can crack the password and I, not be left without funds. I mean, if they could crack your password for the wallet by using Hash, that's awesome at one point, but I can't really tell if they will scam you or not. The main question here is should you trust them or not, even if it turns out to be a success or failure. I think you should avoid sharing hash with anyone else, even if it is a one-way function and no one can really reverse the hash back into the key due to the complexity and many other factors but I'm not a hacker or cracker so I can't really say for sure that they won't open your wallet with Hash because there are ways to crack the wallet and by using Hash it's possible IMO.
4 Reply Quote Share
blockz283Senior Member
Posts: 5 · Reputation: 1446
#12Apr 10, 2023, 02:19 PM
Just check out the answer above from the Moderator (and not only him): This is also true for Ethereum UTC-Keystore. I just needed confirmation from a competent persons that this does not pose a security risk. So, without the full wallet file, it is impossible to obtain the private key and steal funds. From the hash obtained from these scripts, you can only check the correctness of the password for this wallet, and that's all.
4 Reply Quote Share
titanx539Member
Posts: 804 · Reputation: 117
#13Apr 10, 2023, 07:08 PM
It's okay to share the "hash" as long as he keep the wallet.dat safe offline where it can't be accessed by anyone. Here's how it works: Your wallet's secrets (e.g.: private keys) are encrypted with a "master key" (mkey) which is generated randomly.That mkey is encrypted with the hash of your wallet's password, then the encrypted mkey is stored in the wallet.dat file together with the information to correctly derive the hash of your possible passwords.Scripts like "bitcoin2john.py" can extract that encrypted mkey and those other info (salt, number of iterations for the password hash) from the wallet.dat file.With those info alone, that encrypted mkey can be decrypted if they can bruteforce the correct password. Then it's as the reply above you said: since it's only the mkey that a 'recovery service' can decrypt from the wallet dump, there's no way that they can use it to decrypt the wallet's secrets without having access to the actual wallet.dat file where the secrets it encrypted are saved.
3 Reply Quote Share
Posts: 105 · Reputation: 20
#14Apr 11, 2023, 01:21 AM
💔💔 ah competent word was a little harsh why I am feeling it haha. Just kidding bro I know my answers were not upto the standards of what you were seeking because I was being careful with my words I don't want to say something that I don't understand better but I knew there are people here like the ones you mentioned personally to me haha they are competent and you must follow them. I also learned the same thing that without the dat file, you would face no harm, so chill and share the hash.
5 Reply Quote Share
mr_cipherNewbie
Posts: 113 · Reputation: 20
#15Apr 11, 2023, 06:08 AM
Yes. There’s always a risk involved even if it’s just the hash that you will be sharing and this password has not been used nor will be used again somewhere else. You need to consider the reputation and reliability of this service. Even if you’ve only used this password once, the service can still use your password to be able to gain access to other data of yours. It is wise though to not use the same passwords to ensure that even if one wallet or account is compromised, not all of your data will be in danger.
5 Reply Quote Share
?Reply
Sign in to reply to this topic

Related topics