Bitcoin Forum

Bitcoin => Development & Technical Discussion => Topic started by: casascius on April 30, 2011, 08:58:11 PM



Title: Suggestion: A simple way to protect new users from losing their wallet.dat's
Post by: casascius on April 30, 2011, 08:58:11 PM
Here is a very simple suggestion I thought of, that would make it virtually impossible for someone to lose their wallet, in a way even Grandma could understand.  By lose, I mean lose access.  But it could also be extended to be an effective wallet encryption method.

Upon first run for a NEW bitcoin user, the client would simply ask for a passphrase, or generate one at random that met the security requirements, and offer to send it to the user's printer so they could stash it in their safe.  Example:

BITCOIN WALLET EMERGENCY BACKUP SHEET

In case your computer crashes, you can recover all your Bitcoins by entering the following passphrase when installing Bitcoin on a new computer:

"Eleven of Clarkson's singles became Top 20 hits on the Billboard Hot 100."

KEEP THIS SHEET IN A SAFE PLACE.  Anyone with this passphrase can take all your coins - including ones you receive in the future - without needing any access to your computer.  This passphrase cannot be changed.  This backup sheet only protects you against losing unspent Bitcoins if your computer crashes, and offers no protection if your coins are spent by you or anyone else.

The SHA256 of the passphrase would be used as a PRNG seed to generate the user's first 1000 or 2000 or more invisible addresses (the same way 100 addresses are pre-generated for future use), and then would be completely discarded.  The logic is very simple and straightforward, runs once at wallet creation and would require no modification to the way bitcoind works internally.

This would also be a safe way to do wallet encryption.  Part of the fear of encrypting a wallet is, what if the encryption code is buggy or something and irreversibly trashes the private keys in the process.  If you know the entire wallet can be re-generated from scratch with nothing more than the passphrase on paper, it would be safe to provide an option that disposes of the private keys completely, the passphrase on paper being the only way to recover them.  The Bitcoin client could be used in receive-only mode (e.g. to verify incoming payments and keep track of total balance of BTC wallet-wide, or to remain able to spend a subset of the wallet whose keys have not been discarded).

With this methodology, the only real drawback is that one cannot change their passphrase without basically sending all their coins to a different wallet.  The simplicity though, both for developers implementing and users understanding it, may make it still worth it.


Title: Re: Suggestion: A simple way to protect new users from losing their wallet.dat's
Post by: SmokeTooMuch on April 30, 2011, 09:09:58 PM
Sounds good, but:
The SHA256 of the passphrase would be used as a PRNG seed to generate the user's first 1000 or 2000 or more invisible addresses (the same way 100 addresses are pre-generated for future use), and then would be completely discarded.
Wouldn't that mean that if two people are using the same password they will generate the same addresses?
(I'm not very educated when it comes to the Bitcoin internals.)


Title: Re: Suggestion: A simple way to protect new users from losing their wallet.dat's
Post by: casascius on April 30, 2011, 09:13:33 PM
Wouldn't that mean that if two people are using the same password they will generate the same addresses?


Yes exactly, they would generate identical wallets and the client would behave the same way as if you copied one wallet to two computers now.  They could spend/steal each other's coins.

At the rate passwords can be brute forced, any password that wasn't super strong and long would be quickly hacked.  

Because a hacker could theoretically start brute forcing your passphrase just by knowing any ONE of your bitcoin addresses, it would be an absolute requirement to use a strong passphrase that's astronomically unlikely to be guessed by anyone else.  Even a sentence off a random page off Wikipedia (what I chose) would be a dictionary vulnerability.  The phrase would have to be so long and contain so much entropy to be safe, that printing it directly to paper (rather than relying on the user to write it down) would pretty much be mandatory to be of any benefit.


Title: Re: Suggestion: A simple way to protect new users from losing their wallet.dat's
Post by: riX on April 30, 2011, 09:17:27 PM
Great idea, but as SmokeTooMuch noted, identical passphrases would generate the same keys, although this could be easily solved by appending some random string to the passphrase.

I've actually printed the private key for my savings address.


Built in import/export of private keys is one of the features I miss the most right now.
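The derivation the opening post describes (SHA256 of the passphrase as the seed, keys regenerated from it on demand), together with the collision SmokeTooMuch asked about and the "append a random string" fix riX suggests, as an added example that is not code from the thread or from the Bitcoin client. It assumes key i = HMAC-SHA256(seed, i), a small pure-Python secp256k1 implementation (not constant-time, illustration only), and a SHA256 fingerprint in place of a real base58 address; the salt bytes in the demo are constructed.

```python
import hashlib
import hmac

# secp256k1 domain parameters (the curve Bitcoin uses).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _point_add(p1, p2):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def _scalar_mult(k, point):
    """Double-and-add scalar multiplication (not constant-time; illustration only)."""
    result = None
    while k:
        if k & 1:
            result = _point_add(result, point)
        point = _point_add(point, point)
        k >>= 1
    return result


def on_curve(point):
    x, y = point
    return (y * y - x * x * x - 7) % P == 0


def wallet_seed(passphrase, salt=b""):
    """SHA256 of the passphrase, as in the opening post.  A non-empty salt
    (riX's 'append a random string') breaks the one-passphrase-one-wallet mapping,
    at the cost that the salt must be backed up alongside the passphrase."""
    return hashlib.sha256(salt + passphrase.encode("utf-8")).digest()


def derive_keys(passphrase, count, salt=b""):
    """Return `count` (private scalar, compressed public key) pairs.
    Key i is HMAC-SHA256(seed, i) (assumed scheme); the seed is never stored,
    it is re-derived from the passphrase whenever the wallet is rebuilt."""
    seed = wallet_seed(passphrase, salt)
    keys = []
    index = 0
    while len(keys) < count:
        digest = hmac.new(seed, index.to_bytes(4, "big"), hashlib.sha256).digest()
        index += 1
        d = int.from_bytes(digest, "big")
        if not 1 <= d < N:  # astronomically rare; skip scalars outside the group order
            continue
        x, y = _scalar_mult(d, G)
        pub = bytes([2 + (y & 1)]) + x.to_bytes(32, "big")  # compressed SEC encoding
        keys.append((d, pub))
    return keys


def key_fingerprint(pub):
    """Stand-in for an address.  A real address is base58check(version ||
    RIPEMD160(SHA256(pubkey))); RIPEMD160 is not always available in hashlib,
    so this example stops at the SHA256 and truncates it for display."""
    return hashlib.sha256(pub).hexdigest()[:16]


if __name__ == "__main__":
    phrase = "Eleven of Clarkson's singles became Top 20 hits on the Billboard Hot 100."
    first = derive_keys(phrase, 3)
    again = derive_keys(phrase, 3)  # the "new computer" case: same passphrase, same keys
    print("regenerated identically:", first == again)
    for _, pub in first:
        print("fingerprint", key_fingerprint(pub))
    # Two users typing the same phrase get the same keys; a per-wallet random
    # salt (constructed value here) gives them disjoint wallets.
    salted = derive_keys(phrase, 3, salt=b"\x8f\x11\x2a\x03constructed-salt")
    print("salted wallet differs:", salted != first)
```

The collision is a direct consequence of the design: the passphrase is the only input, so every wallet is a pure function of it. Salting makes two identical passphrases yield different wallets but turns the backup sheet into passphrase plus salt, which is the trade-off the thread is circling.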


Title: Re: Suggestion: A simple way to protect new users from losing their wallet.dat's
Post by: SmokeTooMuch on April 30, 2011, 11:00:08 PM
I guess printing all private keys on paper and finding a way to scan them to build a new wallet, or to import these keys into an existing wallet, would be more secure.


Title: Re: Suggestion: A simple way to protect new users from losing their wallet.dat's
Post by: casascius on April 30, 2011, 11:15:02 PM
I guess printing all private keys on paper and finding a way to scan them to build a new wallet, or to import these keys into an existing wallet, would be more secure.

Perhaps someone could implement that as an external utility.

I wish Wallet.dat were something more cross-platform and easier to work with, such as XML.  A Wallet-to-XML and XML-to-Wallet utility would be mighty useful in and of itself.


Title: Re: Suggestion: A simple way to protect new users from losing their wallet.dat's
Post by: TiagoTiago on May 01, 2011, 09:51:29 AM
Would QR codes of the PrivKeys be too big to be practical?


Title: Re: Suggestion: A simple way to protect new users from losing their wallet.dat's
Post by: TiagoTiago on May 01, 2011, 09:53:08 AM
How many bits would you need to have a secure password for regenerating the first few thousands addresses? Would that fit in a QR code?


Title: Re: Suggestion: A simple way to protect new users from losing their wallet.dat's
Post by: anisoptera on May 01, 2011, 09:17:22 PM
Wouldn't that mean that if two people are using the same password they will generate the same addresses?


Yes exactly, they would generate identical wallets and the client would behave the same way as if you copied one wallet to two computers now.  They could spend/steal each other's coins.

At the rate passwords can be brute forced, any password that wasn't super strong and long would be quickly hacked.  

Because a hacker could theoretically start brute forcing your passphrase just by knowing any ONE of your bitcoin addresses, it would be an absolute requirement to use a strong passphrase that's astronomically unlikely to be guessed by anyone else.  Even a sentence off a random page off Wikipedia (what I chose) would be a dictionary vulnerability.  The phrase would have to be so long and contain so much entropy to be safe, that printing it directly to paper (rather than relying on the user to write it down) would pretty much be mandatory to be of any benefit.

What if it automatically did this? What if it literally went to Wikipedia, or made a Google search and went to a random page, picked a sentence off of that page, and presented it to the user as their passphrase?

They'd need to be able to reject a given phrase and get a new one an arbitrary number of times, and there'd have to be a manual override as well, but if we could automatically present the user with a reasonable passphrase it would go a long way. Then we can disallow anything with less than X bits of entropy (and apply this requirement also to our auto-generated passphrases)


Title: Re: Suggestion: A simple way to protect new users from losing their wallet.dat's
Post by: casascius on May 01, 2011, 10:24:42 PM
What if it automatically did this? What if it literally went to Wikipedia, or made a Google search and went to a random page, picked a sentence off of that page, and presented it to the user as their passphrase?

They'd need to be able to reject a given phrase and get a new one an arbitrary number of times, and there'd have to be a manual override as well, but if we could automatically present the user with a reasonable passphrase it would go a long way. Then we can disallow anything with less than X bits of entropy (and apply this requirement also to our auto-generated passphrases)

I think the idea was fine for my example, but not for real world usage.  In the real world, the passphrase would have to be nonsensical, maybe ten to fifteen randomly chosen words from the dictionary, if not sequences of gibberish letters.

If it was known that all wallets were based upon a sentence from Wikipedia, as ridiculous as it sounds, someone could (and would) write a program that generates a wallet from every sentence in Wikipedia and then look for the resulting addresses in the block chain.

The idea of using a QR code is viable, in that it indeed holds enough bits for this purpose.  I am not sure how one would scan the QR code and get the resulting passphrase into the Bitcoin client and how that would be any easier than typing the passphrase when needed, but I suppose a recovery page that included the same thing both in plain text and QR couldn't do any harm (other than, at worst, to make this feature idea more complicated and less likely to get a developer to bite on).


Title: Re: Suggestion: A simple way to protect new users from losing their wallet.dat's
Post by: TiagoTiago on May 02, 2011, 01:38:50 AM
Either read it with a mobile, or scan the printed page and run the image through a reader program; the Bitcoin client itself could do that to make sure the scanned image doesn't even get saved as a file on the computer.


Title: Re: Suggestion: A simple way to protect new users from losing their wallet.dat's
Post by: anisoptera on May 02, 2011, 07:24:21 PM
If it was known that all wallets were based upon a sentence from Wikipedia, as ridiculous as it sounds, someone could (and would) write a program that generates a wallet from every sentence in Wikipedia and then look for the resulting addresses in the block chain.

This seems infeasible. Wikipedia is edited all the time. Articles are deleted, changed. You would have to hash every single sequence of words ever posted to Wikipedia; maybe we randomly drop a word.

I was not suggesting that it be the sole source, as well; could also do a google search and pick a sentence off that page. Or pick two sentences on Wikipedia. Or train a Markov chain generator and use that. Having a sentence that at least makes some grammatical sense to the user makes it easier for them to remember. A sequence of 10 random words will not be remembered, but something that the user can at least read will help.

In any case the implementation details are unimportant, but we need to provide the user a sensible default.


Title: Re: Suggestion: A simple way to protect new users from losing their wallet.dat's
Post by: casascius on May 02, 2011, 08:37:26 PM
This seems infeasible. Wikipedia is edited all the time. Articles are deleted, changed. You would have to hash every single sequence of words ever posted to Wikipedia; maybe we randomly drop a word.

...

In any case the implementation details are unimportant, but we need to provide the user a sensible default.

Wikipedia allows its entire database, including edit history, to be downloaded as compressed tarballs available to the public.  Hashing every single sequence of words ever posted to Wikipedia isn't that outrageous when you consider the number of words will be what, billions? trillions? and yet network wide, we are already computing into the trillions of hashes every second just for mining.  Dropping a word out of every sentence would maybe increase the difficulty by a factor of ten, but far away from an ideal bit count of entropy.  It would take it from maybe 48-bit security to 51-bit security.  If stealing the entire Bitcoin network's Bitcoins would be the reward for pulling off such a thing, it will surely get done.

To me, a sensible default would be to allow the user to pick their own passphrase, and then provide built-in controls to detect poor ones.


Title: Re: Suggestion: A simple way to protect new users from losing their wallet.dat's
Post by: LZ on May 03, 2011, 11:20:05 AM
Yes exactly, they would generate identical wallets and the client would behave the same way as if you copied one wallet to two computers now.  They could spend/steal each other's coins.
It seems that you do not understand how Bitcoin works. The wallet encryption may be useful in 0.4 but no more. :-\

Your idea is possible as a third-party service. But I really do not want something like that in the standard Bitcoin.


Title: Re: Suggestion: A simple way to protect new users from losing their wallet.dat's
Post by: Matt Corallo on May 03, 2011, 04:55:48 PM
Yes exactly, they would generate identical wallets and the client would behave the same way as if you copied one wallet to two computers now.  They could spend/steal each other's coins.
It seems that you do not understand how Bitcoin works. The wallet encryption may be useful in 0.4 but no more. :-\

Your idea is possible as a third-party service. But I really do not want something like that in the standard Bitcoin.
Under the OP's suggestion, what casascius said is completely true.  Maybe I'm misunderstanding what you mean, but as long as the passphrase/pass sentence is secure, wallet encryption is still useful/required, as generation of addresses will be unpredictable.

As long as we don't let users generate their own passphrases (users are terrible at them), it is perfectly secure (assuming we generate passphrases/words well).


Title: Re: Suggestion: A simple way to protect new users from losing their wallet.dat's
Post by: ffe on May 03, 2011, 05:30:00 PM
How about using the seeding method PGP used. Have the user bang on the keyboard randomly while giving him feedback on the entropy until both he and the program are satisfied. If he likes the idea of regenerating his wallet, he can print out the random sequence. If not, he can just bypass that step and the client is just the regular client with a very strong seed.

In all the years PGP has been used I don't think there was ever a danger that two PGP clients ended up with the same seed. I think the same would be true of the wallet in bitcoin.



Title: Re: Suggestion: A simple way to protect new users from losing their wallet.dat's
Post by: Matt Corallo on May 03, 2011, 06:17:12 PM
How about using the seeding method PGP used. Have the user bang on the keyboard randomly while giving him feedback on the entropy until both he and the program are satisfied. If he likes the idea of regenerating his wallet, he can print out the random sequence. If not, he can just bypass that step and the client is just the regular client with a very strong seed.

In all the years PGP has been used I don't think there was ever a danger that two PGP clients ended up with the same seed. I think the same would be true of the wallet in bitcoin.
Yep, some variation on random input with a minimum length is what would be needed.  Whether it's then printed as text or pass sentences (or random words) doesn't really matter as long as it's random and of a good enough length.
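A client-side passphrase gate of the kind casascius asks for ("built-in controls to detect poor ones") on the generating side that Matt Corallo describes ("random input with a minimum length"), as an added example that is not code from the thread or from the Bitcoin client. It assumes a 32-word wordlist and a short corpus of published sentences, both constructed for the example (a real deployment would use a list like Diceware's 7776 words and a far larger corpus), and an assumed policy minimum of 80 bits.

```python
import math
import re
import secrets
import string

# Constructed 32-word list: exactly 5 bits per uniformly chosen word.
# A real list such as Diceware's 7776 words gives ~12.9 bits per word.
WORDLIST = [
    "anchor", "basket", "candle", "desert", "ember", "falcon", "garden", "harbor",
    "island", "jacket", "kettle", "lantern", "meadow", "needle", "orchid", "pepper",
    "quartz", "ribbon", "saddle", "timber", "umbrella", "velvet", "walnut", "xenon",
    "yonder", "zephyr", "copper", "marble", "pillow", "rocket", "summit", "tunnel",
]
WORDSET = set(WORDLIST)
MIN_BITS = 80  # assumed policy threshold for this example


def normalize(text):
    """Lowercase, strip punctuation, collapse whitespace: two sentences that differ
    only in punctuation or case are the same dictionary entry."""
    text = text.lower().translate(str.maketrans("", "", string.punctuation))
    return re.sub(r"\s+", " ", text).strip()


# Constructed stand-in for "every sentence in Wikipedia": published text is a
# dictionary, so any sentence in it is rejected regardless of its length.
KNOWN_PHRASES = {
    normalize(s) for s in [
        "Eleven of Clarkson's singles became Top 20 hits on the Billboard Hot 100.",
        "The quick brown fox jumps over the lazy dog.",
    ]
}


def generate_passphrase(words):
    """Draw words uniformly with the OS CSPRNG; entropy is exactly
    words * log2(len(WORDLIST)) bits, which the checker can compute, not guess."""
    return " ".join(secrets.choice(WORDLIST) for _ in range(words))


def estimate_bits(passphrase):
    """Entropy estimate.  Exact for wordlist phrases; for free-form input only an
    upper bound from character classes (it cannot see that text is natural language,
    which is why the corpus check above exists)."""
    tokens = passphrase.split()
    if tokens and all(t.lower() in WORDSET for t in tokens):
        return len(tokens) * math.log2(len(WORDLIST))
    alphabet = 0
    if any(c.islower() for c in passphrase):
        alphabet += 26
    if any(c.isupper() for c in passphrase):
        alphabet += 26
    if any(c.isdigit() for c in passphrase):
        alphabet += 10
    if any(not c.isalnum() for c in passphrase):
        alphabet += 33  # 32 ASCII punctuation characters plus space
    return len(passphrase) * math.log2(alphabet) if alphabet else 0.0


def check_passphrase(passphrase, min_bits=MIN_BITS):
    """Return (accepted, reason, estimated_bits)."""
    if normalize(passphrase) in KNOWN_PHRASES:
        return False, "published sentence (dictionary attack)", 0.0
    bits = estimate_bits(passphrase)
    if bits < min_bits:
        return False, "below %d bits" % min_bits, bits
    return True, "ok", bits


if __name__ == "__main__":
    for candidate in [
        "password",
        "Eleven of Clarkson's singles became Top 20 hits on the Billboard Hot 100.",
        generate_passphrase(16),
    ]:
        ok, why, bits = check_passphrase(candidate)
        print("%-8s %6.1f bits  %s  [%s]" % ("ACCEPT" if ok else "REJECT", bits, why, candidate))
```

The two-part check reflects the thread's two failure modes: short or low-variety input fails the bit count, while a long but published sentence fails the corpus lookup even though a character-class estimate would have scored it generously. The generator is the safe default; the checker exists for the manual override.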


Title: Re: Suggestion: A simple way to protect new users from losing their wallet.dat's
Post by: casascius on May 03, 2011, 09:38:43 PM
Yes exactly, they would generate identical wallets and the client would behave the same way as if you copied one wallet to two computers now.  They could spend/steal each other's coins.
It seems that you do not understand how Bitcoin works. The wallet encryption may be useful in 0.4 but no more. :-\

Your idea is possible as a third-party service. But I really do not want something like that in the standard Bitcoin.

With all due respect, I don't think you understand the original suggestion clearly, because even though I do believe I understand how Bitcoin works, the suggestion would still hold water even if I didn't, because of the following known principles:

  • Bitcoin addresses in wallets are generated in a deterministic process based on random numbers
  • Pseudo random number generation by definition is repeatable with the same algorithm and seed
  • Therefore, generating two wallets using identical pseudo-random numbers as input, because they were generated by the same algorithm and seed, will result in a wallet with the same keys.

Where is it that you suppose I have gone wrong?

The idea, stated in another way, is to generate addresses in a predictable fashion, but only predictable to someone with the appropriate passphrase (whose hash yields the seed that will be used in the PRNG).

BTW, the "bang on the keyboard" idea is solid and sound in my opinion... assuming of course this refers to generating a truly random passphrase.


Title: Re: Suggestion: A simple way to protect new users from losing their wallet.dat's
Post by: sebastian on May 03, 2011, 10:52:17 PM
I think this would be a good idea. Not only for backup, but allow the user to "create" a password (enter a password), and that password is used to create ONE bitcoin address.

The good thing about this is situations where there's no local storage, for example live-CD systems and such. It would be very good to be able to embed a bitcoin client in such a system, and the user just enters their password and everything is generated and fetched based on the password.


Title: Re: Suggestion: A simple way to protect new users from losing their wallet.dat's
Post by: casascius on May 03, 2011, 11:26:04 PM
...and that password is used to create ONE bitcoin address.


Why only one?


Title: Re: Suggestion: A simple way to protect new users from losing their wallet.dat's
Post by: Matt Corallo on May 04, 2011, 05:14:12 PM
Why only one?
Might be useful for people who don't want their entire wallet to be re-creatable given the password but might want to backup a single address.  Though at that point, printing out the private key would probably just be more secure.


Title: Re: Suggestion: A simple way to protect new users from losing their wallet.dat's
Post by: ffe on May 04, 2011, 06:11:34 PM
Is there any way in the current client to enter a key-pair not generated in that client?


Title: Re: Suggestion: A simple way to protect new users from losing their wallet.dat's
Post by: Matt Corallo on May 04, 2011, 06:19:17 PM
Is there any way in the current client to enter a key-pair not generated in that client?
Not currently but there are patches to allow importing keys from other wallets and it isn't theoretically too hard.


Title: Re: Suggestion: A simple way to protect new users from losing their wallet.dat's
Post by: ffe on May 04, 2011, 06:38:41 PM
Well then, if the import-keys function is added, I suggest adding the ability to create a new key-pair seeded by a password entered then and there.

This way you could create one of those keys, park a bit of coin in it and have it available at any time in the future at any client simply by entering the same password.

Not only useful for you, but a neat way to transfer coin using a human memorable password. You and your buddy are having dinner and you need to transfer 10 BTC to him. Your client on your phone creates a temporary key solely for this transfer, based on a simple password you both agree on, and loads it with 10 BTC. He enters the same password on his phone client and moves the coin to one of his permanent keys. The temporary password is not needed any more and can be dropped by both parties.

Of course if a password generated key-pair is used to store coin long term, make the password a strong one and print it out!


Title: Re: Suggestion: A simple way to protect new users from losing their wallet.dat's
Post by: Garrett Burgwardt on May 04, 2011, 08:20:16 PM
Well then, if the import-keys function is added, I suggest adding the ability to create a new key-pair seeded by a password entered then and there.

This way you could create one of those keys, park a bit of coin in it and have it available at any time in the future at any client simply by entering the same password.

Not only useful for you, but a neat way to transfer coin using a human memorable password. You and your buddy are having dinner and you need to transfer 10 BTC to him. Your client on your phone creates a temporary key solely for this transfer, based on a simple password you both agree on, and loads it with 10 BTC. He enters the same password on his phone client and moves the coin to one of his permanent keys. The temporary password is not needed any more and can be dropped by both parties.

Of course if a password generated key-pair is used to store coin long term, make the password a strong one and print it out!

Bad idea. What happens when two people use the same password?


Title: Re: Suggestion: A simple way to protect new users from losing their wallet.dat's
Post by: ffe on May 04, 2011, 08:40:12 PM
Well then, if the import-keys function is added, I suggest adding the ability to create a new key-pair seeded by a password entered then and there.

This way you could create one of those keys, park a bit of coin in it and have it available at any time in the future at any client simply by entering the same password.

Not only useful for you, but a neat way to transfer coin using a human memorable password. You and your buddy are having dinner and you need to transfer 10 BTC to him. Your client on your phone creates a temporary key solely for this transfer, based on a simple password you both agree on, and loads it with 10 BTC. He enters the same password on his phone client and moves the coin to one of his permanent keys. The temporary password is not needed any more and can be dropped by both parties.

Of course if a password generated key-pair is used to store coin long term, make the password a strong one and print it out!

Bad idea. What happens when two people use the same password?

Nothing worse than if you save your wallet on a public forum, as far as I can tell. If you're stupid, you lose your coin.  No one is storing any coin long term in these keys and if someone is stupid enough to use "password" as the password he should expect a collision sometimes.

If we want to protect stupid users I suppose the client could perform basic checks like password quality indicators and checking that the new key-pair has never been seen before in the block chain. My experience is it's a losing game trying to protect stupid people from themselves.


Title: Re: Suggestion: A simple way to protect new users from losing their wallet.dat's
Post by: Garrett Burgwardt on May 04, 2011, 09:07:01 PM
People will always want to use simple phrases or words. Collisions will abound, and it will only serve to cause trouble. Leave it out I say.


Title: Re: Suggestion: A simple way to protect new users from losing their wallet.dat's
Post by: casascius on May 05, 2011, 03:37:12 AM
People will always want to use simple phrases or words. Collisions will abound, and it will only serve to cause trouble. Leave it out I say.

For single uses, I would suggest it's already feasible to do this, just use a throwaway MyBitcoin account, and using passwords to generate single addresses is outside the scope of the original suggestion.  Using MyBitcoin, the security needs of passing a password as a proxy for a single transfer could be met with a weaker password since using an online service takes away the opportunity to brute force billions and trillions of possibilities per second.