Bitcoin Forum

To my understanding, using hashed string as a brain wallet carries with it the following risks:

1. The passphrase might be forgotten.
2. The passphrase might be randomly brute-forced by an attacker performing something like a dictionary attack on hashed strings.
--2.5  There could be an unintentional collision with someone who happens to use the same passphrase.
3. The passphrase might be stolen/phished/whatever.
4.  Some combination of 3 and 2.  Part of the passphrase is stolen, and the rest is discovered through brute force.

(1) is a big concern for me.  I intend to keep some savings in bitcoin for a long time, and it's very likely that I will forget the key if it is too difficult to remember.

My idea is to make a list of personal questions, and have the answers be my passphrase.  I understand that because of (2) doing so is magnitudes less secure than using a randomly generated passphrase, but using a random phrase would make (1) likely.  I wanted to have the key based on facts that will remain relatively significant to me throughout my life.

The list will be semi-secret.  I'm not going to show it in public, but I won't worry about keeping copies in several different places, online and offline.

My thinking is that in order to access my BTC, the attacker would either have to know me very well or invest considerable resources researching me.  With a sufficiently long list, (2) is less likely, albeit still a possibility.  I was thinking at least fifteen questions.

There's a small risk that the attacker will indeed know me well.  I need to think of some questions that I'll always remember the answer to, but have never told anyone else and never will.  This is easier said than done.

To minimize the risk of someone finding the list and brute forcing the answers they don't know, I'll need to think of multiple questions with a large number of possible answers.  Any suggestions?  I've also included some "trick" questions, where the nature of the answer is unexpected.

Comments?  Anyone with a better understanding of cryptography able to give me some idea of how many questions with how many possible answers would be needed to make this impractical to brute force?

I'm eventually planning a website with many many brain wallet tools. You have a good idea. I have many ideas also. One of the things I'm working on is accessing your brain in different states of consciousness to defeat chemical and physical coercion.

I would advise that at the very least some of your "answers" (assuming each one is a part of the pass phrase) should include numerical characters and also other characters (such as - $ @ &).

The following might give you some ideas:

Q. Birth date of someone important:
A. 1779-03-14

Q. Price paid for your first bitcoin:
A. $5.55

Q. An obvious equation:
A. 1+1=10

Q. Gave you a nudge:
A. ;)

Q. Long live:
A. Rock&Roll

Q. Full Metal Jacket:
A. *****

Pass phrase: 1779-03-14$5.551+1=10;)Rock&Roll*****

cbeast - Could you expand on that?  I'm not sure I understand.  Does it involve hypnosis or dream hacking?  :P

CIYAM Pty. Ltd. - Yeah, that's a good idea.  I had the same thought.

You could use the GPS coordinates of somewhere memorable (eg where you had your first kiss)

You will almost certainly forget the coordinates but can look them up, or actually go there again with a GPS sensor. You would need to remember the level of accuracy and map coordinate system for it to be repeatable.

So the question might be:

Where were you bitten by a dog when you were seven ? (lat, long in degrees to 0.01 degrees)

Hm, I don't know that much about GPS, but if you say it stays constant over time I'll take your word for it.

That sounds like a good idea, but you would have to use a very low level of precision to ensure it stays constant.  Otherwise, you risk losing tack of that area through earthquakes, landslides, and redevelopment.  I wouldn't feel comfortable getting much more precise than the city the even took place in.  It would be difficult to figure out exactly what part of the new commercial development used to be the park where you were bitten.

This would be good for a retirement account, since it would be a lot of trouble to dig up this info on a more regular basis.  It would certainly be hard to brute force though.

I believe in almost all places of the world, vulcanos/earthquakes/other tectonic activity, rarely causes changes more than centimers per year.

Also, you don't need perfect accuracy; you can still have the system attempt coordinates in an area wider and wider around the chosen location. Using a coordinate with accuracy 1m, and using areas of 30m in size seems quite reasonable, and requires only trying a 1000 coordinates.

Seems like a nice idea, using this as entropy.

I was mostly joking about earthquakes, but the risk I was talking about is that all familiar landmarks could be changed.  Presumably the location you choose is something, like a house, a school, a park, a wooded grove, or any number of destructible things.  If the area is redeveloped, it might not be easy to find the exact location you're looking for from memory.

I agree it would work if you didn't rely on perfect accuracy though.

Drugging travelers with Devil's Breath or similar substances is becoming a threat and is even possible at home. Banks often have a limit of what you can withdraw, but Bitcoin doesn't. There are behaviors that are only possible in certain mental states. These can be used to protect against drugging. Physical coercion can be defended against through training to reveal decoy, nested, or event locked accounts.

Sounds interesting.  Best of luck to you. :)

Brute force...With or without a rubber hose?

Too good. A+

Seriously though...the more coin you put in your head, the larger the number of people who will have access to it...

I'd have a better chance, given a rubber hose, of getting your pass phrase from you than from your safety deposit box at the bank.

That's a completely different conversation.  Check out this thread here (https://bitcointalk.org/index.php?topic=96609.msg1069241#msg1069241).

I would look at storing the key in motor memory. For example a difficult song to play on guitar/piano/[your skill here]. Choose a task you would be unable to perform while drugged. I'm not sure if the tools needed to accomplish this currently exist. Something like guitar hero is a first step though.

edit: Perhaps a customizable rubic's cube like device.

Hm, I could see adding a skill element to the key being a good idea.  It would be difficult to use music if only because of the precision that would be required, but I can see some possibilities.

Of course, one risk would be that you would be unable to access your funds if your motor skills were impaired through other means such as injury.

These are the kinds of things I am researching. Of course you don't use them for all your wallets. There will be many types that can secure your accounts. The possibilities are endless and customizable for every unique person's talents.

This is the system I use:

1) Generate a password that you can remember individually. Personally I use the program pwgen which produces "pronounceable passwords". I use it in 8-character upper/numerals/symbols mode.

2) Write that password down. Yes this is heresy; you'll securely destroy it later.

3) Memorize that password. This is a lot easier than you think. I find if I spend 5 minutes a day memorizing a password I can recall it easily in a week or so, and have probably memorized it pretty much permanently after a month or two. Remember studying in university? Use those techniques. Flashcards are very effective; an important part of memorization is being forced to recall what you are trying to memorize.

4) Repeat until you have 5 different passwords memorized. During this process it helps to do something like encrypting different files with the sub-passwords, and practice decrypting them to ensure you don't forget the individual parts. This also allows you to avoid having copies of the parts of the password if you're paranoid.

5) Take all five passwords and concatenate them into one big super password: eiS9ui@R + vi4Ug~ee + Aet\ito0 + ohB$oh9w + Roh"k2ie = eiS9ui@Rvi4Ug~eeAet\ito0ohB$oh9wRoh"k2ie

6) Use this password! Eventually you will forget it, although the time it takes to forget it will go down exponentially the longer you use it. For me I make a point of using my passwords every month or so. Even just recalling it mentally is enough.


This final password is now 40 characters long. How secure is it? We want at least 128 bits of entropy to make it infeasible to brute-force the password.

Well to make the password pronounceable pwgen filters out non-pronounceable letter combinations, which roughly speaking means that vowels are separated by constants. For the sake of analysis lets say we have a strict vCvCvCvC format; the actual algorithm allows for more possibilities. So each 8 character password divides into 4 pairs, each with 105 possible combinations. log((105^4)^5)/log(2)=134, IE we have 134 bits of entropy. Good enough!

One upper case character per password adds about 8 more possibilities. The one numeral adds roughly another 8*10 and the one symbol adds 8*32. log((105^4*8*8*10*8*32)^5)/log(2)=221 bits of entropy - almost the gold-standard 256bits level that modern encryption provides.


The key is that you don't try to memorize the whole thing at once. Split the task up into a few subtasks, IE, sub-passwords, and memorize them one after another. People used to have dozens of phone numbers in their head, memorized one at a time.


xkcd's famous password strength comic (http://xkcd.com/936/ (http://xkcd.com/936/)) is good advice too of course, although for a cryptographic password you need more like 12 randomly picked words. My point is that even doing things "the hard way" it's easier to come up with a really, really good password than people realize. You just gotta trust that you really can learn.

People used to commonly memorize entire books, word for word. Actors still memorize hundreds of lines for long plays, all the time. It's not that hard.

Of course, lets be realistic, the average Joe isn't going to do any of the above...

retep -

If that works for you, more power to you.  I won't deny that it is possible to commit a large amount of information to memory in a fairly short time.  I just don't trust myself enough to rely on that to hold a secret without a backup.  If you get confused over one character, your coins may be lost forever.  The mental anguish that would put someone through just isn't worth it to me.

I start with a simple passphrase per xkcd (http://xkcd.com/936/) and then use my own personal recipe salting algorithm. It is something like this:
1. Reverse the passphrase and append it to the end. Then triple it.
2. Capitalize every third letter.
3. Put a space in after every prime position.
4. Put digits in the spaces from my old phone numbers and/or SSN with n=n+2
5. Switch the positions of every 5th and 6th character.

There are an infinite number of salting algorithms you can make up. Mine are at least if not more complex than this one. Then there is the book cipher (http://en.wikipedia.org/wiki/Book_cipher). I prefer the Holy Bible KJV 1611.

Then put a copy in your safe deposit box. Heck, encrypt it with the key of someone you trust. It's a perfectly legit solution.

The point is, all these crazy salting schemes people are coming up probably aren't going to work, and on top of that, what if you forget the scheme? Why not just do things right and practice in the first place?

What makes your method "right"? ???

I never said it wasn't a legit solution, it's just not for me.

As I said before, the plan is to write down the "scheme" in multiple places, and consult the record when necessary.

Ah, yeah, I'll admit once you're writing down the scheme in multiple places it's not so bad. Although you have to think who the attacker is: an adversary scanning the whole block chain with a key brute-forcing script to try to break *everyones* key? Or this this an adversary targetting you? Do they have a court order to seize your funds and already have access to the multiple places where you scheme is written?

Lets suppose your adversary is purely targeting every key: why not just generate a random key and write it down? Or generate a long random salt, and append to that a password you can remember?

If your adversary is targeting you specifically once they get access to your scheme they can start targeting that using what they know about you. For instance the "where did I get bitten by a snake" question can be narrowed down pretty quickly, and then brute forced. Similarly for movie quotes and the like. What's worse is they may be targetting multiple people at once using similar schemes, which means the brute force effort can be amortized over every person to some extent.

Unfortunately I suspect the most fruitful approach is password strengthening functions. For an offline key waiting a few minutes for the function to crunch is acceptable and really will make the adversaries job difficult. Also while sipa, for example, has argued for functions that use a variable number of iterations depending on the key content I'd argue that it is quite ok for the iterations to be fixed or semi-fixed. Ultimately a brute force attempt with key strengthening consists of three stages: combinatorially generate a password, strengthen, check. Even if the iterations is different for each individual key, if the scheme to pick that number is known, the final brute force difficulty is still just the average number of iterations required for all possible keys.

I think a better scheme is as follows:


The security level of the brain wallet is now a function of the exponent picked on creation, yet the user doesn't need to remember that exponent as the system will automatically, and without wasting work, try all the possible ones in turn. The user interface will need some work, but essentially we can pick a reasonable upper bound exponent and have the software try up to that exponent first, and prompt the user if the key still isn't found, while allowing compatibility with later versions of the software that will up the exponent as computers increase in power.

Yeah, I've considered the possibility that someone targeting me could brute force the answers they don't know.  I think that choosing the questions carefully, so that at least some of them have a large number of possible answers will help.

That is a really interesting idea.  It never occurred to me to make some guess-and-check a necessary element of retrieving the coins.  I need to think about the implications of this.

I'm not really sure what benefit a "cheat sheet" offers. I like to think of a brain wallet is something you can use in a prison without internet access or something to cross borders with nothing in hand. It's not that I want something "torture proof" because that's just unrealistic, but having a little extra security never hurt.

I just want to have a backup in case my memory fails without compromising too much security.

As I said, I'm intrigued by the idea of using guess-and-check for additional security like retep touched on.

How about this.  Instead of a huge sprawling list of questions, we limit it to smaller number x.  We then run an algorithm that makes a random combination of y (repetition allowed) keys and a random iteration# within a fixed range and generates the address based on that but doesn't store the combination.  When we want to retrieve the private key, we have to run an algorithm to brute force the correct combination of keys.

Memory failure?  Check.  The keys could be answers to personal questions and the algorithm could be recorded in a semi-secret way.
Random dictionary attack?  Check.  The hash key will be too long.
Finding the list and brute forcing the answers you don't know?  Check.  The existing brute force makes this impractical.

This would be much more secure than my first idea, and much easier to remember too.

The only question would be the optimal values of x, y, and iteration range.  Hmm... (http://www.mathsisfun.com/combinatorics/combinations-permutations-calculator.html)

Using questions to create keys is the method I use in Buried Keys (http://www.buriedkeys.com). So far nobody has answered my questions correctly, heh.