In my first post, I wrote about what Bitcoin is, how it’s transacted, and a bit about its history. When I’m talking to family or friends, it’s around this point that people start mentioning that they read an article where someone had their Bitcoin stolen or “hacked.” What does that mean? Is Bitcoin secure? Can your money simply be stolen? We’ll dive into what makes your Bitcoin wallet secure here in Part 1 of this 2 part series.
We know that Bitcoin is held in digital wallets which are defined by an address and a password (also called a public key and a private key). Anyone can send money to a wallet simply by knowing its public key. But to send money from a wallet, you need to have its private key. A unique characteristic of the public / private key pair is that the public key actually comes from the private key. Meaning that if you have the private key, you always have the public key, but not the other way around.
A private key looks like this:
5KJCVZHsV61NJz4XWk7suEbEe3J2PdxurRVr8sRh22sHSW1g6tP
We take that private key and run some calculations on it to convert its associated public key which looks like this:
1EqLuuECRh7Jm2NbmTynnFsYH8WmSyGqFp
Those calculations use something called hashing and it has 3 important properties:
- That private key is the only private key that will generate that public key.
- A single private key will always spit out that same public key. There’s no randomness.
- The hashing process cannot be reversed.
The most important piece of those properties is number 3 and what it really means is: If someone has your public key (which they’d use to send you Bitcoin), they have no way to get your private key (unless you give it to them).
Now you might be wondering… Why can’t you just reverse the calculation? Just run the algorithm in rewind. I’ll admit I thought the same thing too.
I’ll give you an example. Imagine that our hashing algorithm does the following:
- Start with a private key that looks like this: XY where X and Y are numbers between 0-9. An example would be 37 (X = 3 and Y = 7).
- Your hashing algorithm is simply X + Y so you perform it. 3 + 7 = 10
- Our public key is 10.
Now I give you the public key: 10. You can send me money to that address and I ask you, can you guess my private key? You know the algorithm, it’s X + Y = 10. Well you don’t know if it’s 1 + 9, 2 + 8, 3 + 7, 4 + 6, 5 + 5, 6 + 4, 7 + 3, 8 + 2, or 9 + 1… So you try them all and on your 3rd guess you’re right! You found my private key.
Now imagine that X and Y are numbers between 0 and 100,000,000,000,000. You can’t make all those guesses! And because of that, we’ve made it near impossible for you to find my password without guessing every combination.
Now Bitcoin doesn’t use just addition for its hashing algorithm. It uses something called SHA-256 which is what banks use to secure your passwords. In fact, there are
115,792,089,237,316,195,423,570,985,008,687,907,853,269,984,665,640,564,039,457,584,007,913,129,639,936
different possibilities for SHA-256. If a supercomputer tried every combination as fast as it could to find the private key, it would take billions of billions of years to find just one successfully.
And it is for that reason that it’s nearly impossible for someone to steal your Bitcoin… At least by “hacking” your wallet.
So how come there are so many articles about Bitcoin being stolen and hackers getting into people’s accounts? Well that’s simple… People make bad choices and store their Bitcoin private keys in places like their email and on their phones. Hackers guess their e-mail password or figure out a way to reset their password and then boom… Bitcoin private keys. It’s not rocket science.
There are many nefarious ways that someone can steal private keys… Social engineering, getting access to passwords of your email or phone, or even stealing a piece of paper where you wrote them down… But importantly: No one, in the more than decade that Bitcoin has been running, has stolen Bitcoin by cracking the software that makes Bitcoin possible.
Check back in for Part 2 where I discuss how Bitcoin ensures that the coins transacted are ensured to be correctly accounted for and people can’t cheat the system.