Bitcoin Forum

Bitcoin => Bitcoin Discussion => Topic started by: mpfrank on January 27, 2013, 11:36:02 PM



Title: New blog post: Hiding Bitcoins in Your Brain
Post by: mpfrank on January 27, 2013, 11:36:02 PM
I'm writing this new blog post as an introduction to Bitcoin for new users.  I may add more to it later, but it's at a good stopping point for now.

http://minetopics.blogspot.com/2013/01/hiding-bitcoins-in-your-brain.html (http://minetopics.blogspot.com/2013/01/hiding-bitcoins-in-your-brain.html)

The emphasis here is on Brain Wallets, because I consider this concept to be a very useful one for enabling users to recover their accounts.  Even if the main browser-based or standalone client that you use develops a problem, and even if you lose your wallet backups, paper wallets, private keys, etc., as long as you keep your coins in a brain wallet, then you can just enter your brain-wallet passphrase into a different site or client, and still access your coins.

I wouldn't want my grandmother, for example, to use Bitcoin, if I didn't know that I could always help her to retrieve her main stash as long as she still remembered (or had written down) her brain-wallet passphrase.  :)

Comments are welcome.
Regards, -Mike Frank


Title: Re: New blog post: Hiding Bitcoins in Your Brain
Post by: Gavin Andresen on January 27, 2013, 11:49:08 PM
Humans are pretty bad at being original. REALLY bad at being random. And we are terrible at comprehending huge numbers.

So if you ask the average person to create a secure passphrase, they're very likely to create something that a "determined attacker" with a lot of computing power can crack.

I think if people start to use quotes from obscure literary works as their brain wallets, then they're going to lose their bitcoins sooner or later. Attackers can try MILLIONS of passphrases per minute, to crack EVERY SINGLE brainwallet that has ever been created.

So: if you absolutely, positively won't be dissuaded from using a brainwallet, here is my advice on how you might be able to come up with a secure passphrase:

Think of two passphrases that you think you can remember. And think of a government-issued number that you can easily lookup or remember (like your driving license or social security number).

Create a brainwallet passphrase that is:

the first passphrase,the government id number,the second passphrase

Then create a 'sentinel' brainwallet that is just the first passphrase, and send a small number of bitcoins to it. When those bitcoins get spent (or more bitcoins are sent to it by somebody else), you know that the first passphrase you chose isn't good enough any more.  Choose a more complicated passphrase and create a new 'sentinel' and real brainwallet, and move your old brainwallet there.
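As an added illustration of the two points in this post (that an unsalted SHA-256 brainwallet lets an attacker test one candidate phrase against every wallet at once, and how the "first passphrase, id number, second passphrase" layout with a separate sentinel wallet behaves under such an attack), here is a small Python script. It is not code from the blog post or from any Bitcoin client; the secp256k1 arithmetic is a plain textbook implementation, the dictionary and the sample passphrase, id number and second phrase are constructed for the demo, and the attacker is modelled as comparing compressed public keys rather than addresses (an address is just a hash of the public key, so this changes nothing about the attack).

```python
import hashlib

# secp256k1, the curve Bitcoin uses (field prime, group order, generator).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p, q):
    """Affine point addition on secp256k1; None stands for the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                      # p == -q
    if p == q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def ec_mul(k, point=G):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, point)
        point = ec_add(point, point)
        k >>= 1
    return acc


def brainwallet_privkey(passphrase: str) -> int:
    """Classic brainwallet derivation: private key = SHA-256(passphrase)."""
    k = int.from_bytes(hashlib.sha256(passphrase.encode("utf-8")).digest(), "big")
    if not 0 < k < N:
        raise ValueError("hash is not a valid secp256k1 scalar")
    return k


def compressed_pubkey(k: int) -> str:
    """33-byte SEC compressed public key as hex. An attacker compares against
    this (or against its address hash); either way the check is a set lookup."""
    x, y = ec_mul(k)
    return ("02" if y % 2 == 0 else "03") + f"{x:064x}"


def gavin_passphrase(first: str, gov_id: str, second: str) -> str:
    """Layout from the post: first passphrase, government id number, second passphrase."""
    return f"{first},{gov_id},{second}"


def crack(target_pubkeys, candidates):
    """Dictionary attack. Because SHA-256(passphrase) carries no per-user salt,
    each candidate is derived once and checked against every target at once."""
    hits = {}
    for phrase in candidates:
        pub = compressed_pubkey(brainwallet_privkey(phrase))
        if pub in target_pubkeys:
            hits[pub] = phrase
    return hits


if __name__ == "__main__":
    # Constructed sample values, not anyone's real passphrase or id number.
    first, gov_id, second = "green eggs and ham", "D1234567", "sam i am"
    sentinel = compressed_pubkey(brainwallet_privkey(first))
    real = compressed_pubkey(brainwallet_privkey(gavin_passphrase(first, gov_id, second)))

    # A toy attacker dictionary of book quotes and common strings.
    dictionary = ["password", "correct horse battery staple",
                  "to be or not to be", "green eggs and ham", "bitcoin"]
    hits = crack({sentinel, real}, dictionary)
    print("sentinel cracked:", sentinel in hits)   # the quote is in the dictionary
    print("real wallet cracked:", real in hits)    # id number and second phrase were not guessed
```

Running it shows the sentinel (first passphrase only) falling to the dictionary while the combined passphrase survives, which is exactly the signal the post describes: coins leaving the sentinel address mean the first passphrase is now in someone's wordlist.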



Title: Re: New blog post: Hiding Bitcoins in Your Brain
Post by: mpfrank on January 27, 2013, 11:53:13 PM
...
Think of two passphrases that you think you can remember. And think of a government-issued number that you can easily lookup or remember (like your driving license or social security number).

Create a brainwallet passphrase that is:

the first passphrase,the government id number,the second passphrase

Then create a 'sentinel' brainwallet that is just the first passphrase, and send a small number of bitcoins to it. When those bitcoins get spent (or more bitcoins are sent to it by somebody else), you know that the first passphrase you chose isn't good enough any more.  Choose a more complicated passphrase and create a new 'sentinel' and real brainwallet, and move your old brainwallet there.


Good idea, thanks!

P.S. Casascius suggested to me that we might also consider moving to a slower key-generation algorithm, using scrypt for example, to make brute-force attacks on brainwallets more expensive.


Title: Re: New blog post: Hiding Bitcoins in Your Brain
Post by: justusranvier on January 27, 2013, 11:58:25 PM
So if you ask the average person to create a secure passphrase, they're very likely to create something that a "determined attacker" with a lot of computing power can crack.
Miners who find themselves in possession of obsolete gear (GPUs after ASICs hit the market) could very well become those determined attackers.


Title: Re: New blog post: Hiding Bitcoins in Your Brain
Post by: UncleBobs on January 28, 2013, 12:13:09 AM
Nice cube, Mike!  Brainwallets and the Electrum light client are why I am getting involved with BTC again after losing a hard drive over a year ago right after I got started.  Luckily there was only faucet-scale BTC in my wallet. 

There is no way I would consider holding significant funds in BTC without a brainwallet.  I don't even trust bits of paper in banks. 

I enjoyed your article, and I agree this is the best angle to promote BTC.


Title: Re: New blog post: Hiding Bitcoins in Your Brain
Post by: mpfrank on January 28, 2013, 12:18:01 AM
Nice cube, Mike!  Brainwallets and the Electrum light client are why I am getting involved with BTC again after losing a hard drive over a year ago right after I got started.  Luckily there was only faucet-scale BTC in my wallet. 

There is no way I would consider holding significant funds in BTC without a brainwallet.  I don't even trust bits of paper in banks. 

I enjoyed your article, and I agree this is the best angle to promote BTC.

Thanks!  I need to add more material about Electrum.  I only just learned about it myself today!


Title: Easy solution:
Post by: oOoOo on January 28, 2013, 12:26:32 AM
5MyBitcoinPrivKey1234567890 = sha256("salt" + sha256("MySuperSecretPassPhrase"))

^There.

"salt" can be an everchanging number, so you can constantly move on to new brainwallets, without forgetting, or losing access to the old ones.


Title: Re: New blog post: Hiding Bitcoins in Your Brain
Post by: UncleBobs on January 28, 2013, 12:28:06 AM
As far as randomness of passphrase, Electrum generates a pretty random phrase.  I don't see that those should be very crackable, and I don't believe in the idea of including personal information in my passwords either, despite Gavin's recommendation.


Title: Re: New blog post: Hiding Bitcoins in Your Brain
Post by: The Fool on January 28, 2013, 12:34:10 AM
As far as randomness of passphrase, Electrum generates a pretty random phrase.  I don't see that those should be very crackable, and I don't believe in the idea of including personal information in my passwords either, despite Gavin's recommendation.
The personal information bit makes it easy for an employer, government or bank to crack your password. I don't know how that's entropic at all in an objective sense.

In fact, the suggestion of associating your personal information with your bitcoins puts a very bad taste in my mouth. Why would you suggest this, Gavin?


Title: Re: New blog post: Hiding Bitcoins in Your Brain
Post by: justusranvier on January 28, 2013, 12:34:47 AM
To make a truly secure brainwallet passphrase take the output of
Code:
dd bs=32 count=1 iflag=fullblock if=/dev/random 2>/dev/null | hexdump -v -e '/1 "%02x"'   # 32 bytes = 256 bits; %02x keeps leading zeros, so the output is always 64 hex digits
and convert it to PGP words (http://en.wikipedia.org/wiki/PGP_Words)


Title: Re: New blog post: Hiding Bitcoins in Your Brain
Post by: coretechs on January 28, 2013, 12:41:14 AM
Don't use anything that can be found in a book.  "Really obscure" doesn't mean anything in the context of a brute force attack.



Title: Re: New blog post: Hiding Bitcoins in Your Brain
Post by: twolifeinexile on January 28, 2013, 12:47:40 AM
Don't use anything that can be found in a book.  "Really obscure" doesn't mean anything in the context of a brute force attack.



But that also means brain could not handle it well


Title: Re: New blog post: Hiding Bitcoins in Your Brain
Post by: mpfrank on January 28, 2013, 12:55:24 AM
Don't use anything that can be found in a book.  "Really obscure" doesn't mean anything in the context of a brute force attack.

Hm, perhaps it might be OK to use a sentence from a very old/rare book that hasn't been scanned into Google Books yet?   :)  Although I guess it could always still get scanned in the future...


Title: Re: New blog post: Hiding Bitcoins in Your Brain
Post by: casascius on January 28, 2013, 12:56:28 AM
This is the essence of what I intend to propose as a standard brainwallet replacement for sha256:

First, I propose scrypt as the key derivation algorithm.

Second, I propose the following standardized method for creating salt: a user should enter their own birthdate and their postal code that was current at the time their brainwallet was created.  The postal code should be stripped only to alphanumeric characters (no spaces or dashes).  These should be provided as salt to the scrypt algorithm in the form YYYY-MM-DD-x where x is the stripped postal code.  The purpose of these is that it's unlikely the user will forget these (even if they move) while still providing satisfactory entropy to substantially prevent parallel cracking of the entire brainwallet universe.  If all brainwallet generators and decrypters follow the same method for generating salt, users won't be burdened with having to remember how they created their salt, nor how they formatted their information.

Third, I propose the scrypt parameters 16384,8,8 as a starting point.  I propose that brainwallet creators offer a checkable option called "additional security" that will result in using sensible power-of-two multiples of these parameters instead (which multiples to use are the implementer's choice, but should be appropriate for the current state-of-the-art in potential cracking threats).  For example, 32768,8,8, 32768,16,8 are logical next steps when more difficulty is needed.

Brainwallet decrypters should consider the possibility that a user may have enabled "additional security".  After trying the default parameters, a decrypter should be prepared to bruteforce 8 to 16 of the most likely possible alternates, looking for something that results in a private key with funds.  This should happen if and when a user fails to decrypt a brainwallet having funds, or indicates that they have enabled "additional security".  The user does not have to remember specifically whether or not they enabled it - the worst case for a user is that they don't remember, and are forced to wait a while for the brute forcing process to either find their correct private key, which will succeed regardless of whether they enabled it, or fail, if they have entered the wrong passphrase.
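The following Python script is an added worked example of the proposal in this post, and of oOoOo's sha256("salt" + sha256(passphrase)) construction earlier in the thread; it is not code from either poster or from any wallet. It builds the YYYY-MM-DD-x salt, derives a candidate private key with scrypt at the proposed 16384,8,8 starting point, and implements the decrypter behaviour of walking an "additional security" ladder until a key with funds is found. The ordering of the ladder, the treatment of letter case in the postal code (kept as typed, since the post does not say), and the `has_funds` callback standing in for a blockchain balance lookup are my assumptions.

```python
import hashlib
import re

# (N, r, p) starting point proposed in the post, and the "additional security"
# ladder a decrypter tries afterwards. Which multiples to use is left to the
# implementer; this ordering (double N, then double r) is an assumption.
DEFAULT_PARAMS = (16384, 8, 8)
ADDITIONAL_SECURITY_LADDER = [(32768, 8, 8), (32768, 16, 8),
                              (65536, 8, 8), (65536, 16, 8)]


def standard_salt(birthdate: str, postal_code: str) -> bytes:
    """Salt in the form YYYY-MM-DD-x, x = postal code stripped to alphanumerics.
    The post does not say whether case is normalised, so it is kept as typed."""
    if not re.fullmatch(r"\d{4}-\d{2}-\d{2}", birthdate):
        raise ValueError("birthdate must be YYYY-MM-DD")
    stripped = re.sub(r"[^0-9A-Za-z]", "", postal_code)
    if not stripped:
        raise ValueError("postal code contains no alphanumeric characters")
    return f"{birthdate}-{stripped}".encode("ascii")


def derive_key(passphrase: str, salt: bytes, params=DEFAULT_PARAMS) -> bytes:
    """32-byte candidate private key = scrypt(passphrase, salt, N, r, p)."""
    n, r, p = params
    # OpenSSL needs about 128*r*(N+2) bytes for the V array plus 128*r*p for B;
    # hashlib's default cap (32 MiB) is too small for the larger rungs.
    maxmem = 128 * r * (n + 2 + p) + (1 << 20)
    return hashlib.scrypt(passphrase.encode("utf-8"), salt=salt,
                          n=n, r=r, p=p, maxmem=maxmem, dklen=32)


def recover(passphrase, salt, has_funds, default=DEFAULT_PARAMS,
            ladder=ADDITIONAL_SECURITY_LADDER):
    """Decrypter behaviour from the post: try the default parameters, then the
    most likely 'additional security' alternates, stopping at a key with funds.
    has_funds(key) stands in for a blockchain balance lookup (assumed)."""
    for params in [default, *ladder]:
        key = derive_key(passphrase, salt, params)
        if has_funds(key):
            return key, params
    return None


def rotating_salt_key(passphrase: str, counter: int) -> bytes:
    """oOoOo's construction: sha256(salt + sha256(passphrase)) with a counter as
    salt, so earlier wallets stay reachable. It is plain SHA-256, so it
    diversifies keys but does not slow a cracker down the way scrypt does."""
    inner = hashlib.sha256(passphrase.encode("utf-8")).digest()
    return hashlib.sha256(str(counter).encode("ascii") + inner).digest()


if __name__ == "__main__":
    # Constructed sample inputs, not real personal data.
    salt = standard_salt("1970-01-01", "SW1A 1AA")
    # Simulate a wallet created with "additional security" enabled.
    funded = {derive_key("my passphrase", salt, (32768, 16, 8))}
    print(recover("my passphrase", salt, funded.__contains__))     # found on the second rung
    print(recover("wrong passphrase", salt, funded.__contains__))  # None after the whole ladder
    print(rotating_salt_key("my passphrase", 1).hex())
```

Each rung costs a full scrypt evaluation, so a wrong passphrase is only reported after the whole ladder has been walked; that is the "wait a while" the post accepts as the worst case.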


Title: Re: New blog post: Hiding Bitcoins in Your Brain
Post by: mpfrank on January 28, 2013, 12:58:40 AM
To make a truly secure brainwallet passphrase take the output of
Code:
dd bs=32 count=1 iflag=fullblock if=/dev/random 2>/dev/null | hexdump -v -e '/1 "%02x"'   # 32 bytes = 256 bits; %02x keeps leading zeros, so the output is always 64 hex digits
and convert it to PGP words (http://en.wikipedia.org/wiki/PGP_Words)

That might be OK except that your average grandma isn't Linux literate.  :)


Title: Re: New blog post: Hiding Bitcoins in Your Brain
Post by: justusranvier on January 28, 2013, 01:06:19 AM
That might be OK except that your average grandma isn't Linux literate.  :)
That's the problem with brainwallets. Anything less than 256 bits of entropy will probably be brute forced at some point.


Title: Re: New blog post: Hiding Bitcoins in Your Brain
Post by: mpfrank on January 28, 2013, 01:32:05 AM
That might be OK except that your average grandma isn't Linux literate.  :)
That's the problem with brainwallets. Anything less than 256 bits of entropy will probably be brute forced at some point.

What about Casascius' new suggestion?  With a salt and a computationally-intensive keygen function, doesn't the situation improve considerably?


Title: Re: New blog post: Hiding Bitcoins in Your Brain
Post by: justusranvier on January 28, 2013, 01:35:06 AM
What about Casascius' new suggestion?  With a salt and a computationally-intensive keygen function, doesn't the situation improve considerably?
It's an improvement but Moore's law is ruthless, especially considering the economic incentives to recover those keys and how bitcoin mining causes people to accumulate massive amounts of computing power.

Imagine how many keys an FPGA rig made obsolete by ASICs could test.


Title: Re: New blog post: Hiding Bitcoins in Your Brain
Post by: mpfrank on January 28, 2013, 01:50:21 AM
What about Casascius' new suggestion?  With a salt and a computationally-intensive keygen function, doesn't the situation improve considerably?
It's an improvement but Moore's law is ruthless, especially considering the economic incentives to recover those keys and how bitcoin mining causes people to accumulate massive amounts of computing power.

Imagine how many keys an FPGA rig made obsolete by ASICs could test.

Yeah but scrypt isn't a very good fit for an FPGA since it is memory-intensive...


Title: Re: New blog post: Hiding Bitcoins in Your Brain
Post by: Gavin Andresen on January 28, 2013, 02:02:33 AM
Quote
In fact, the suggestion of associating your personal information with your bitcoins puts a very bad taste in my mouth. Why would you suggest this, Gavin?
Because it is critical that YOUR passphrase be different from EVERYBODY ELSE'S passphrase.

Adding your email address or driver's license number or some other certainly-unique-for-you information makes that work.

That shifts the problem from "attacker is trying to guess EVERYBODY's passphrase" to "attacker happens to know that you have a bunch of BTC in a brainwallet and is trying to attack YOUR brainwallet, specifically."

Quote
It's an improvement but Moore's law is ruthless, especially considering the economic incentives to recover those keys and how bitcoin mining causes people to accumulate massive amounts of computing power.

Nicely said.

Again: we are really bad at thinking up good, unique passphrases. We share so much experience and culture that whatever you think of, somebody else will probably think of, too.  Or some attacker will think of something similar enough to crack your passphrase.

And we are really bad at imagining what it means that an attacker might try a few hundred BILLION passphrases to try to crack everybody's brainwallet.


Title: Re: New blog post: Hiding Bitcoins in Your Brain
Post by: justusranvier on January 28, 2013, 02:04:15 AM
Yeah but scrypt isn't a very good fit for an FPGA since it is memory-intensive...
That's true today based on current RAM prices. Will that still be true 10 or 20 years from now? What happens if somebody relies on that assumption to store their life savings?

The problem of protecting web site passwords and the problem of protecting financial assets do not share the same threat model.


Title: Re: New blog post: Hiding Bitcoins in Your Brain
Post by: mpfrank on January 28, 2013, 02:23:05 AM
This is the essence of what I intend to propose as a standard brainwallet replacement for sha256:

First, I propose scrypt as the key derivation algorithm.

Second, I propose the following standardized method for creating salt: a user should enter their own birthdate and their postal code that was current at the time their brainwallet was created.  The postal code should be stripped only to alphanumeric characters (no spaces or dashes).  These should be provided as salt to the scrypt algorithm in the form YYYY-MM-DD-x where x is the stripped postal code.  The purpose of these is that it's unlikely the user will forget these (even if they move) while still providing satisfactory entropy to substantially prevent parallel cracking of the entire brainwallet universe.  If all brainwallet generators and decrypters follow the same method for generating salt, users won't be burdened with having to remember how they created their salt, nor how they formatted their information.

Third, I propose the scrypt parameters 16384,8,8 as a starting point.  I propose that brainwallet creators offer a checkable option called "additional security" that will result in using sensible power-of-two multiples of these parameters instead (which multiples to use are the implementer's choice, but should be appropriate for the current state-of-the-art in potential cracking threats).  For example, 32768,8,8, 32768,16,8 are logical next steps when more difficulty is needed.

Brainwallet decrypters should consider the possibility that a user may have enabled "additional security".  After trying the default parameters, a decrypter should be prepared to bruteforce 8 to 16 of the most likely possible alternates, looking for something that results in a private key with funds.  This should happen if and when a user fails to decrypt a brainwallet having funds, or indicates that they have enabled "additional security".  The user does not have to remember specifically whether or not they enabled it - the worst case for a user is that they don't remember, and are forced to wait a while for the brute forcing process to either find their correct private key, which will succeed regardless of whether they enabled it, or fail, if they have entered the wrong passphrase.


Thanks, that sounds like a good improvement.  Upgrading sites and software to support a new key-generation standard will take time...  In the meantime, I've edited my blog post to quote your and Gavin's suggestions regarding added (unique or quasi-unique per-user) salt data.


Title: Re: New blog post: Hiding Bitcoins in Your Brain
Post by: mpfrank on January 28, 2013, 02:53:49 AM
As far as randomness of passphrase, Electrum generates a pretty random phrase.  I don't see that those should be very crackable, and I don't beleve in the idea of including personal information in my passwords either, despite Gavin's recommendation.

Yeah, the Electrum phrases certainly appear to have substantial entropy, but on the other hand, they would also take substantial effort to memorize.  I think this is always going to be somewhat of a fundamental trade-off...  If it's harder to brute-force, it's also going to be harder to get it to reliably stick in your brain...  And if you can't recall it reliably, it kind of ruins the point of having a brain wallet in the first place.  :(

EDIT:  It might be feasible to remember a string of words with a large amount (e.g. 256 bits) of entropy by turning it into a short story.  I wrote a short Facebook note about this:  https://www.facebook.com/notes/michael-frank/memorizing-ultra-secure-passphrases-via-short-stories/10151445953063552


Title: Re: New blog post: Hiding Bitcoins in Your Brain
Post by: Etlase2 on January 28, 2013, 05:27:36 AM
Why the focus on brain wallets? Deterministic wallets, imo, make much more sense. There would have to be a standardized system though, or people would have to remember which one they used to create it. But ask for some personal details to add lots of entropy against any unknown brute-force attacker, then ask for 3-5 names of people significant to your past but extremely difficult to guess or research (first kiss type questions), then ask for a 4-word passphrase from randomly selected words from a dictionary, or perhaps from a generated list, and then make them type it a dozen times. Hash it up and use it as a seed. Should get at least 100 bits against an unknown brute force attacker, and perhaps 80 or 90 against someone who knows you and is trying to get your money. That should be good enough for your average user for at least a decade.


Title: Re: New blog post: Hiding Bitcoins in Your Brain
Post by: herzmeister on January 28, 2013, 08:42:09 AM
a user should enter their own birthdate and their postal code that was current at the time their brainwallet was created.

Isn't birthdate and postal code alone insufficient because they merely add a well-known and limited set of data to potential dictionary attacks, especially if this way of setting up brainwallets is somewhat standardized?


Title: Re: New blog post: Hiding Bitcoins in Your Brain
Post by: Mike Hearn on January 28, 2013, 11:08:31 AM
I don't intend on ever merging "derive key from human selected passphrase" code into bitcoinj, at least, because given the current state of the art I think it will inevitably lead to people losing their money.

But this does not apply to neat ways to memorize real keys. The human mind is capable of amazing feats when fed data in the correct form. If somebody came to me with a PGP words style transformation that

a) Was secure

and

b) Had real usability studies done on it showing long term recall was possible

then I would probably be enthusiastic about that. The musical note game that came up a while back was the kind of research I have in mind.

Until somebody proves it's possible for normal people to memorize 256-bit numbers, our time is better spent on finding ways for people to easily back up their deterministic wallets and feel confident while doing so.


Title: Re: New blog post: Hiding Bitcoins in Your Brain
Post by: justusranvier on January 28, 2013, 01:24:14 PM
Good minimal scrypt parameters (as of today) are: 1048576, 11, 11. This trinity will give you a good safety margin for a couple of years.
This is why password strengthening algorithms are not sufficient for a brain wallet. They are designed to be "good enough" for a few years because they assume you can make the user change his password in the future when it's time to increase the number of rounds.

Brain wallets must potentially remain uncrackable for the rest of the user's life.

There is no substitute for passphrases of sufficient entropy. Telling users, especially unsophisticated users, that their funds are safe with anything less is negligent.

Sufficient entropy might not be 256 bits, maybe 168 would be enough, but whatever that number is there is no safe alternative to using it that's going to hold up over time.


Title: Re: New blog post: Hiding Bitcoins in Your Brain
Post by: cbeast on January 28, 2013, 01:37:50 PM
Good minimal scrypt parameters (as of today) are: 1048576, 11, 11. This trinity will give you a good safety margin for a couple of years.
This is why password strengthening algorithms are not sufficient for a brain wallet. They are designed to be "good enough" for a few years because they assume you can make the user change his password in the future when it's time to increase the number of rounds.

Brain wallets must potentially remain uncrackable for the rest of the user's life.

There is no substitute for passphrases of sufficient entropy. Telling users, especially unsophisticated users, that their funds are safe with anything less is negligent.

Sufficient entropy might not be 256 bits, maybe 168 would be enough, but whatever that number is there is no safe alternative to using it that's going to hold up over time.
Agreed. Unsophisticated users should not use brain wallets at all. I do think that password strengthening algorithms are sufficient if they are used with multiple passes and are sophisticated.


Title: Re: New blog post: Hiding Bitcoins in Your Brain
Post by: casascius on January 28, 2013, 01:47:21 PM
I think onerous scrypt parameters are totally reasonable here.

Who cares if it takes 600+ seconds or more of 100% CPU on a highly tuned scrypt implementation to run?  That should allow for a lifetime of improvement without being too inconvenient.  Opening a brain wallet is akin to smashing a piggy bank.


Title: Re: New blog post: Hiding Bitcoins in Your Brain
Post by: UncleBobs on January 28, 2013, 01:52:15 PM
Good minimal scrypt parameters (as of today) are: 1048576, 11, 11. This trinity will give you a good safety margin for a couple of years.
Sufficient entropy might not be 256 bits, maybe 168 would be enough, but whatever that number is there is no safe alternative to using it that's going to hold up over time.

Can someone please tell me:

a) how to calculate entropy - is there a simple formula for it?

b) what is the entropy of Electrum's 12 random words?  Estimated time to crack?

c) is entropy decreased by personal information such as email or government ID's ?



Title: Re: New blog post: Hiding Bitcoins in Your Brain
Post by: justusranvier on January 28, 2013, 01:58:32 PM
I'd never heard of PGP words until now, and although I like the idea, I don't see that they are more random than the 12 words Electrum spits out.
The words themselves are not random, they are chosen a way to transform a large random number into a form that can be expressed verbally with a minimal chance of ambiguity. That would make them easier to memorize.


Title: Re: New blog post: Hiding Bitcoins in Your Brain
Post by: CIYAM on January 28, 2013, 01:58:51 PM
I agree with the use of scrypt (which I use in my offline key generation) and many of the other good suggestions.

Creating a secure "brainwallet" is actually very difficult (as Gavin has pointed out).

The "memory key" idea I have created (http://ciyam.org/memory_key.html) is another way to help - but of course if you want to create something "impossible" to brute force you need to be "creative" and you need to "work at it" (it can take quite a while to come up with something good enough).

I am willing to "test" publicly what *I* can come up with but of course I don't think that the same approach would necessarily work for others.

The problem of creating "secure" passwords has become "the problem" of our time as the "brute force power" has become so strong that a "new approach" is very much needed (if we are ever going to be able to get the "mums and dads", let alone "grandmas and grandpas", using it successfully).


Title: Re: New blog post: Hiding Bitcoins in Your Brain
Post by: UncleBobs on January 28, 2013, 02:11:56 PM
I'd never heard of PGP words until now, and although I like the idea, I don't see that they are more random than the 12 words Electrum spits out.
The words themselves are not random, they are chosen a way to transform a large random number into a form that can be expressed verbally with a minimal chance of ambiguity. That would make them easier to memorize.

Well, as I understand it, even a number generated by a RNG is not truly random.

Without digging into the Electrum source, does anyone know what process is used to generate its passphrases?

My best reference on difficulty at this point is this cartoon ( ! )

 https://xkcd.com/936/

which claims 4 words would take 550 years at 1000 guesses per second.


Title: Re: New blog post: Hiding Bitcoins in Your Brain
Post by: dancupid on January 28, 2013, 02:15:51 PM
The brain wallet I use was created by printing out a random paper wallet and using the private key from that plus a memorable pass phrase to create a new address/private key.
I then gave copies of this paper wallet to people I trust to keep in a safe place. This paper wallet address contains no bitcoins.

Should someone steal the paper wallet they would be unlikely to be able to reconstruct the brain wallet key (or even know it had anything to do with a brainwallet), and it also allows me to maintain safe semi-backups with people I trust (or even don't trust).

Though not a pure brain wallet as such, I will always know how to reconstruct the private key when necessary.


Title: Re: New blog post: Hiding Bitcoins in Your Brain
Post by: justusranvier on January 28, 2013, 02:16:26 PM
My best reference on difficulty at this point is this cartoon ( ! )

 https://xkcd.com/936/

which claims 4 words would take 550 years at 1000 guesses per second.
If the ratio of ~11 bits per word is correct you'd need 23 words to achieve 256 bits of entropy.

Basically it means we need to stop thinking in terms of passwords, and even passphrases, and instead think about pass-short stories.
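The questions UncleBobs raised a few posts up (how to calculate entropy, what the Electrum 12 words are worth, how to read the xkcd figure) and the 11-bits-per-word arithmetic in this post can be checked with a short calculator. The Python below is an added example, not code from anyone in the thread; it assumes words are drawn uniformly from a list (the only case where the formula is exact), takes 2048 words for the xkcd list and 1626 words for the old Electrum list (an assumption about that list's size), and rounds word counts up, so it reports 24 words rather than 23 for 256 bits. The last function reproduces the kind of per-character estimate a simple password meter makes, to show why such tools report hundreds of bits for a phrase that an attacker guessing whole words would score at about 11 bits per word.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def passphrase_bits(n_words: int, list_size: int) -> float:
    """Entropy of n words chosen uniformly at random from a list of list_size words."""
    return n_words * math.log2(list_size)


def words_needed(target_bits: float, list_size: int) -> int:
    """Smallest word count that reaches target_bits (rounds up)."""
    return math.ceil(target_bits / math.log2(list_size))


def crack_time_years(bits: float, guesses_per_second: float, fraction: float = 1.0) -> float:
    """Years to search a fraction of a keyspace of 2**bits at a given guess rate.
    fraction=1.0 is the worst case (whole keyspace), 0.5 the expected time."""
    return (2 ** bits) * fraction / guesses_per_second / SECONDS_PER_YEAR


def naive_charset_bits(passphrase: str) -> float:
    """Per-character estimate a simple password meter makes: it assumes the
    attacker brute-forces characters from the alphabet the phrase uses, so a
    12-word phrase looks like hundreds of bits even though an attacker who
    guesses whole words faces only about 11 bits per word."""
    alphabet = 0
    if any(c.islower() for c in passphrase):
        alphabet += 26
    if any(c.isupper() for c in passphrase):
        alphabet += 26
    if any(c.isdigit() for c in passphrase):
        alphabet += 10
    if any(not c.isalnum() for c in passphrase):
        alphabet += 33          # printable ASCII symbols including space
    return len(passphrase) * math.log2(alphabet)


if __name__ == "__main__":
    # xkcd 936: four words from a 2048-word list at 1000 guesses per second.
    print("xkcd 4 words:", passphrase_bits(4, 2048), "bits,",
          round(crack_time_years(44, 1000)), "years to exhaust")
    # Same 44 bits against "millions per minute" (1e6/60 per second).
    print("at 1e6/min:", round(crack_time_years(44, 1e6 / 60), 1), "years")
    # Twelve words from a 1626-word list (assumed size of the old Electrum list).
    print("Electrum 12 words:", round(passphrase_bits(12, 1626), 1), "bits")
    print("words for 256 bits from 2048:", words_needed(256, 2048))
    # Constructed phrase, in the style of the 12-word tests posted above.
    phrase = "dumb gattaca simp argonaut"
    print("meter-style estimate:", round(naive_charset_bits(phrase), 1),
          "bits vs word model:", passphrase_bits(4, 2048), "bits")
```

The gap between the last two numbers is the point made later in the thread about entropy estimates being only approximations: a meter that does not know the generator can only guess at the attacker's model, and the honest figure for a randomly generated phrase is the word-count formula, not the character count.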


Title: Re: New blog post: Hiding Bitcoins in Your Brain
Post by: UncleBobs on January 28, 2013, 02:24:42 PM
My best reference on difficulty at this point is this cartoon ( ! )

 https://xkcd.com/936/

which claims 4 words would take 550 years at 1000 guesses per second.
If the ratio of ~11 bits per word is correct you'd need 23 words to achieve 256 bits of entropy.

Basically it means we need to stop thinking in terms of passwords, and even passphrases, and instead think about pass-short stories.

Thanks.  OK, that does cause me some concern. 


Title: Re: New blog post: Hiding Bitcoins in Your Brain
Post by: justusranvier on January 28, 2013, 04:02:35 PM
Here's another method for converting large numbers into memorizable form:

http://en.wikipedia.org/wiki/Mnemonic_major_system (http://en.wikipedia.org/wiki/Mnemonic_major_system)


Title: Re: New blog post: Hiding Bitcoins in Your Brain
Post by: Elwar on January 28, 2013, 04:39:45 PM
I memorize each letter and number and associate it with something I can remember.

taking a few numbers from my private address: 8Sp57A

that subset I remember that when I was 8 years old I broke my arm, the 'S' I think about Superman, the 'p' stands for taking a piss, 57 for 57 Chevy that my dad rebuilt, the A is for Al's restaurant on Happy Days...

just a simple way of remembering it all no problem :P


Title: Re: New blog post: Hiding Bitcoins in Your Brain
Post by: UncleBobs on January 28, 2013, 05:25:41 PM
Thanks for the great links CIYAM and Ukigo  :o

Here are my tests so far:

- 12 words similar to Electrum:

dumb gattaca simp argonaut redact finger elephant duplex orinoco fan depilate roster Entropy: 463.98 bits

- Individual 4 words, like xkcd:

dumb gattaca simp argonaut Entropy: 138.37 bits
redact finger elephant duplex Entropy: 161.77 bits
orinoco fan depilate roster Entropy: 143.69 bits

- CIYAM situation/event password

R00L20A01E06Y01D07R04F11Z18  Entropy: 153.16 bits


Title: Re: New blog post: Hiding Bitcoins in Your Brain
Post by: Rygon on January 28, 2013, 06:01:36 PM
More power to everyone who is willing to have their ability to memorize potentially be a critical point of failure in retrieving their bitcoins. But what happens if you just forget it? I could never seriously recommend to anyone to store their savings in an account for more than a few months with only a memorized password, especially one that needs to be sufficiently long. Bank accounts, retirement accounts, etc, can still be recovered if you forget your password. Bitcoin is extremely secure, but also extremely unforgiving.


Title: Re: New blog post: Hiding Bitcoins in Your Brain
Post by: UncleBobs on January 28, 2013, 06:24:54 PM
I found a good technical article here:

https://tech.dropbox.com/2012/04/zxcvbn-realistic-password-strength-estimation/


and two more strength tests:

https://dl.dropbox.com/u/209/zxcvbn/test/index.html

http://howsecureismypassword.net/


Title: Re: New blog post: Hiding Bitcoins in Your Brain
Post by: Timo Y on January 28, 2013, 09:30:08 PM
Humans are really bad at remembering phrases and numbers. 

Even a seemingly easy to remember phrase like "category platypus ennui toast" will not last more than 3-6 months in most people's long term memory, unless they rehearse it regularly.  Most regular bitcoin users are too busy/lazy to keep rehearsing their passphrases.  Also, rehearsal can accumulate errors over the years and overwrite the original memory, so to be safe you would have to write down the passphrase to remind yourself once in a while, which defeats the whole point of a brain wallet.

Humans are good at remembering images, however.

Instead of memorizing phrases, I would recommend employing your visual memory, for example like this: Go for a jog/walk/bike ride along a particular route once a week, for a period of 6 months. Then use the GPS coordinates of certain key points along the route as your passphrase. Even if you forget the coordinates, you are unlikely to forget the locations, and you can always look them up on a map.

Implicit memory (http://en.wikipedia.org/wiki/Implicit_memory) is even more reliable than visual memory.

Though time consuming, this is probably the most secure way to set up a brain wallet:

http://www.extremetech.com/extreme/133067-unbreakable-crypto-store-a-30-character-password-in-your-brains-subconscious-memory





Title: Re: New blog post: Hiding Bitcoins in Your Brain
Post by: casascius on January 28, 2013, 10:17:54 PM
One time when I needed a temporary bitcoin receiving address in a pinch, but before paper wallets were easy to print and carry, I just thought of a silly song I had made up in elementary school which contained some non-words, and took a line from it.  Since I had remembered it that long despite having no use for it, there was no concern of forgetting it, and since it contained nonsense, there was no chance of anyone guessing it.

I would venture to guess that anything that can be reliably recalled from childhood should be suitable candidate material.  The work of embedding it into your brain has already been done.


Title: Re: New blog post: Hiding Bitcoins in Your Brain
Post by: oOoOo on January 28, 2013, 11:57:10 PM

Here's a crazy idea.


Neat idea! Did you come up with this on your own?

I see one possible weakness however:
What if someone manages to record the exact times "Joespass" decides to log in?
Perhaps there is a way to make this even more secure..?


Title: Re: New blog post: Hiding Bitcoins in Your Brain
Post by: mpfrank on January 29, 2013, 12:27:07 AM
@UncleBobs
a) You can test your passphrase's entropy there:
http://blog.shay.co/password-entropy/

Remember this is only an approximation, and not an exact measurement of entropy.

--------------------
+1 to both posts of CIYAM Open.
Brainwallet is only good for several years, and after that it must be replaced with more appropriate new software (and coins must be transferred to new addresses).

Well, entropy of a string is not really even an objectively definable quantity.  For example, if you type "3.141592653589793238462643"
into that calculator, it thinks it has 139.6 bits of entropy, but to remember it, I only have to remember "pi to 24 decimal places" and then compute it (or look it up) when I need it.

Another example is a page from an old book, which looks like it has a lot of entropy, until you know the book and page number and have access to a library.

In general, even a very long and apparently random string could have been computed by a very short algorithm (e.g., compute pi to 24 places; or, go to library, get that book, turn to page 37) and therefore could be feasible to guess (e.g. by trying all algorithms with minimum description length below a certain size).

This leads to a "pseudo-objective" measure of string entropy called Kolmogorov complexity, http://en.wikipedia.org/wiki/Kolmogorov_complexity (http://en.wikipedia.org/wiki/Kolmogorov_complexity), but it is intractable to compute in general.

The only way to be sure that a given passphrase has high Kolmogorov complexity would be to actually try cracking it by searching all algorithms below a certain length.  To be comprehensive, the algorithm should also have read access to all the world's published information.  (To prevent passphrases like, "Page 37 of such-and-such book available on Google.")

I'd say that memorizing randomly-generated stories, or using detailed, already-existing memories that you already know, or some of the other ideas suggested is the way to go, to be confident in ultra-high passphrase security...

Of course, people on this thread would also be well advised to remember this other xkcd comic...  :)

http://xkcd.com/538/ (http://xkcd.com/538/)


Title: Re: New blog post: Hiding Bitcoins in Your Brain
Post by: mpfrank on January 29, 2013, 12:50:57 AM
I agree with the use of scrypt (which I use in my offline key generation) and many of the other good suggestions.

Creating a secure "brainwallet" is actually very difficult (as Gavin has pointed out).

The "memory key" idea I have created (http://ciyam.org/memory_key.html) is another way to help - but of course if you want to create something "impossible" to brute force you need to be "creative" and you need to "work at it" (it can take quite a while to come up with something good enough).

I am willing to "test" publicly what *I* can come up with but of course I don't think that the same approach would necessarily work for others.

The problem of creating "secure" passwords has become "the problem" of our time as the "brute force power" has become so strong that a "new approach" is very much needed (if we are ever going to be able to get the "mums and dads", let alone "grandmas and grandpas", using it successfully).


Is there something like CIYAM with a larger set of locations?


Title: Re: New blog post: Hiding Bitcoins in Your Brain
Post by: mesquka on January 29, 2013, 02:13:30 AM
How about this: http://www.yubico.com/products/yubikey-hardware/yubikey/


Title: Re: New blog post: Hiding Bitcoins in Your Brain
Post by: CIYAM on January 29, 2013, 02:21:31 AM
Is there something like CIYAM with a larger set of locations?

It can be very easily edited/extended (just do a view source and you'll see it's quite readable) - also if anyone has enough interest to dedicate some time working on extending this then I will be happy to put up a task for it on CIYAM Open and allocate at least a bitcoin or two towards the effort.


Title: Re: New blog post: Hiding Bitcoins in Your Brain
Post by: mpfrank on January 29, 2013, 02:57:57 AM
So, I'm currently trying Diceware (http://world.std.com/~reinhold/diceware.html (http://world.std.com/~reinhold/diceware.html)) (advantage - the original random data never even touches a potentially-compromised computer) with the English word list (http://world.std.com/~reinhold/diceware.wordlist.asc (http://world.std.com/~reinhold/diceware.wordlist.asc)).  It takes about 100 rolls of a 6-sided die (grouped 5 at a time to produce 20 diceware words) to get 256 bits of entropy.  Then I take the resulting 20-word list, break it into 4 chunks of 5 words each (about 64 bits of entropy each), and embed the 5 words in each chunk into a memorable sentence or pair of sentences.  I think I could remember these four chunks, with practice.  Would I still remember them in 20 years?  Doubtful, although I might try using a free spaced-repetition tool like Mnemosyne (http://mnemosyne-proj.org/download-mnemosyne.php (http://mnemosyne-proj.org/download-mnemosyne.php)) to do it.

Example die rolls and the corresponding words:

Chunk #1:
----------
1.  46623 = pz
2.  16546 = chump
3.  23146 = dint
4.  25324 = feed
5.  51335 = rangy

Chunk #2:
----------
6.  14212 = bigot
7.  31325 = glory
8.  25661 = flour
9.  51153 = quinn
10. 14225 = bind

Chunk #3:
----------
11. 43133 = mugho
12. 21541 = crane
13. 45145 = parse
14. 42656 = movie
15. 21146 = louse

Chunk #4:
----------
16. 36634 = loeb
17. 14314 = bland
18. 31623 = grim
19. 33214 = holdup
20. 24566 = et

Full passphrase:  "pz chump dint feed rangy bigot glory flour quinn bind mugho crane parse movie louse loeb bland grim holdup et" - Suitable to feed into SHA-256 or scrypt.

Mnemonics for the four chunks:

1. PZ Myers made me feel like a chump, by dint of making me feed on the rangy grounds of his estate.
2. Call me a bigot, but I find no glory in grinding flour.  Harley Quinn had me in a bind.
3. I hoisted a mugho pine shrub up with my crane.  If only I could parse the meaning of that movie about a louse.
4. Even the Loeb classical library seemed bland to me these days.  But the grim logic of a holdup, et cetera, wouldn't let me go.

So, if you can remember these four passages, and which words in them are the important ones, then you can memorize a passphrase with 256 bits of entropy.  :)
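The Diceware procedure above, as an added example (not code from the post): five-die rolls are turned into word-list indices, the entropy of the 20-word and 5-word lists is computed, and each mnemonic sentence is checked to contain its chunk's words as whole words and in order. The rolls, words and mnemonics are copied from the post; the function names are hypothetical helpers, and the 7776-entry Diceware word list itself is not embedded.

```python
"""Diceware helpers, added example (not the poster's code): five-die rolls to
word-list indices, passphrase entropy, the post's 5-word chunks, and a check
that each mnemonic sentence contains its chunk's words in order.  The rolls,
words and mnemonics are copied from the post; the 7776-entry word list is not
embedded, so roll -> word lookup is left to the reader."""
import math
import re
import secrets

DICEWARE_WORDS = 6 ** 5                    # 7776 entries in the standard list
BITS_PER_WORD = math.log2(DICEWARE_WORDS)  # about 12.9 bits per word


def roll_to_index(roll: str) -> int:
    """'46623' -> 0-based index: the list is sorted by roll, so the index is
    the base-6 value of the digits once faces 1..6 are shifted to 0..5."""
    if len(roll) != 5 or any(c not in "123456" for c in roll):
        raise ValueError(f"not a five-die roll: {roll!r}")
    index = 0
    for c in roll:
        index = index * 6 + (int(c) - 1)
    return index


def random_rolls(n_words: int) -> list[str]:
    """Software stand-in for the physical dice, using the OS CSPRNG."""
    return ["".join(str(secrets.randbelow(6) + 1) for _ in range(5))
            for _ in range(n_words)]


def entropy_bits(n_words: int) -> float:
    """Entropy of n uniformly chosen words: 20 words is about 258.5 bits."""
    return n_words * BITS_PER_WORD


def chunk(words: list[str], size: int = 5) -> list[list[str]]:
    """Split into the post's chunks of five (about 64.6 bits each)."""
    return [words[i:i + size] for i in range(0, len(words), size)]


def mnemonic_covers(words: list[str], sentence: str) -> bool:
    """True if every word occurs as a whole word, in order, in sentence.
    A missing or reordered word means the sentence cannot reproduce the chunk."""
    text, pos = sentence.lower(), 0
    for w in words:
        m = re.search(r"\b" + re.escape(w.lower()) + r"\b", text[pos:])
        if m is None:
            return False
        pos += m.end()
    return True


# Copied from the post: the 20 rolls, their words, and the four mnemonics.
POST_ROLLS = ["46623", "16546", "23146", "25324", "51335",
              "14212", "31325", "25661", "51153", "14225",
              "43133", "21541", "45145", "42656", "21146",
              "36634", "14314", "31623", "33214", "24566"]
POST_WORDS = ("pz chump dint feed rangy bigot glory flour quinn bind "
              "mugho crane parse movie louse loeb bland grim holdup et").split()
POST_MNEMONICS = [
    "PZ Myers made me feel like a chump, by dint of making me feed on the "
    "rangy grounds of his estate.",
    "Call me a bigot, but I find no glory in grinding flour.  Harley Quinn "
    "had me in a bind.",
    "I hoisted a mugho pine shrub up with my crane.  If only I could parse "
    "the meaning of that movie about a louse.",
    "Even the Loeb classical library seemed bland to me these days.  But the "
    "grim logic of a holdup, et cetera, wouldn't let me go.",
]


def check_post_example() -> dict:
    """Validate the post's data: all rolls parse, and every mnemonic covers its chunk."""
    indices = [roll_to_index(r) for r in POST_ROLLS]
    chunks = chunk(POST_WORDS)
    return {"n_rolls": len(indices), "max_index": max(indices),
            "bits": entropy_bits(len(POST_WORDS)),
            "chunks_ok": all(mnemonic_covers(c, s)
                             for c, s in zip(chunks, POST_MNEMONICS))}
```

Running `check_post_example()` confirms that all four mnemonics reproduce their chunks; swapping two words in a sentence makes `mnemonic_covers` return False, which is the failure the check exists to catch before the passphrase is relied on.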


Title: Re: New blog post: Hiding Bitcoins in Your Brain
Post by: constitution on January 29, 2013, 06:12:49 AM
Blockchain and electrum work quite well enough for me!


Title: Re: New blog post: Hiding Bitcoins in Your Brain
Post by: sangaman on January 29, 2013, 03:00:14 PM
I have a brainwallet with a passphrase of two sentences that I'm almost certainly never going to forget. It has unconventional punctuation, made up words, and it doesn't appear anywhere either online or in print. Is it safe to assume that this will be safe for a long, long time?


Title: Re: New blog post: Hiding Bitcoins in Your Brain
Post by: CIYAM on January 29, 2013, 03:06:00 PM
I think that if you are smart then a brainwallet is really not too hard to do. The problem that we are really trying to deal with here (as far as I can tell) is to help those that are "not so smart" (and therefore are unable to create a secure brainwallet).

So I would think that your brainwallet is safe (as I do mine and I welcome the challenge of anyone that wants to try and crack mine - there is a *lot* of BTC there to steal if you can).

:)


Title: Re: New blog post: Hiding Bitcoins in Your Brain
Post by: Gavin Andresen on January 29, 2013, 04:45:33 PM
I have a brainwallet with a passphrase of two sentences that I'm almost certainly never going to forget. It has unconventional punctuation, made up words, and it doesn't appear anywhere either online or in print. Is it safe to assume that this will be safe for a long, long time?

I don't think anybody knows. But you can find out:

Send a token amount of bitcoin to two more brainwallets, made from each of the sentences.

When somebody else either spends those bitcoins or sends more bitcoins to them, you know that your main brainwallet isn't safe any more.  (are the services that will send you an email when there is activity on a bitcoin address still around?)


Title: Re: New blog post: Hiding Bitcoins in Your Brain
Post by: mpfrank on January 30, 2013, 02:09:11 PM
I have a brainwallet with a passphrase of two sentences that I'm almost certainly never going to forget. It has unconventional punctuation, made up words, and it doesn't appear anywhere either online or in print. Is it safe to assume that this will be safe for a long, long time?

I don't think anybody knows. But you can find out:

Send a token amount of bitcoin to two more brainwallets, made from each of the sentences.

When somebody else either spends those bitcoins or sends more bitcoins to them, you know that your main brainwallet isn't safe any more.  (are the services that will send you an email when there is activity on a bitcoin address still around?)


So, there is a flaw with that strategy, Gavin:  A shrewd attacker who is systematically scouring passphrase space for coin balances might intentionally pass up most of the smaller, more easily-found jackpots so as not to alert the community that he has this search capability; he may be waiting to pounce until he finds a single, sufficiently-large stash.  Kind of like how the British code-breakers in WW2 intentionally did not act to prevent many U-boat attacks because they didn't want to tip off Germany that Britain had broken the Enigma code.  A classic application of information theory to warfare...

Furthermore, if your short "test" passphrase is a substring of your real passphrase, then by using it as a probe, you've now actually made it easier for attackers to figure out your longer, real passphrase...  Since once they find the shorter passphrase with coins in it, now to find the long one, they only have to search the subspace of longer strings that includes the shorter one as a substring.  

And including ID information (as you suggested earlier) could be counterproductive if the attacker has the capability to trace the transaction graph back to Mt. Gox (say) and compel them to release the customer's dox...  Then they can easily include the ID info when searching for the longer string, AND further they will have evidence that the big stash still belongs to you when they do find it.  


Title: Re: New blog post: Hiding Bitcoins in Your Brain
Post by: Gavin Andresen on January 30, 2013, 02:29:15 PM
Okey dokey, first I think nobody should use an easy-to-memorize brainwallet for anything more than experimenting. I predict we'll start seeing very unhappy brainwallet users reporting huge losses sooner or later.

Second: the 'sentinel wallet' idea is all about incentives.

You need to put enough BTC in the sentinel wallet so it is economically rational for an attacker to "take the money and run" rather than spend time and money trying to crack a bigger brainwallet that might not even exist.

Again, I don't think you should use a brainwallet, so I'm not motivated to do the math to figure out how many BTC you should put into the sentinel wallet so a rational attacker will just take it, but that is the way you should think about it.


Title: Re: New blog post: Hiding Bitcoins in Your Brain
Post by: mpfrank on January 30, 2013, 03:12:39 PM
Okey dokey, first I think nobody should use an easy-to-memorize brainwallet for anything more than experimenting. I predict we'll start seeing very unhappy brainwallet users reporting huge losses sooner or later.

Second: the 'sentinel wallet' idea is all about incentives.

You need to put enough BTC in the sentinel wallet so it is economically rational for an attacker to "take the money and run" rather than spend time and money trying to crack a bigger brainwallet that might not even exist.

Again, I don't think you should use a brainwallet, so I'm not motivated to do the math to figure out how many BTC you should put into the sentinel wallet so a rational attacker will just take it, but that is the way you should think about it.

Sure, but I'm just saying that, if you do use sentinel wallets, their passphrases should most certainly NOT be a substring of any longer passphrases for your other brainwallets; that is just asking for trouble.  They could be shorter passphrases designed in a similar way, however, to still give you some idea about the security (or lack thereof) of your other brainwallets.


Title: Re: New blog post: Hiding Bitcoins in Your Brain
Post by: casascius on January 30, 2013, 03:34:53 PM
Here is another idea: split your funds across 10 or 20 brainwallets whose passphrases don't easily lead to one another.

Admittedly though, this is far easier said than done.

I have long thought that being able to have 10 or 20 distinct brainwallets would be a killer application for Bitcoin.  The catch is that each of those brainwallets must not be clues as to how to hack the other ones, otherwise someone will do it.

The prototypical application for such a thing would be an activist in prison, or someone stuck in another country and robbed of everything but their underwear.  The prisoner would want the ability to have a brainwallet so that he could reliably secure legal counsel and pay bills, but without being stuck with the choice of giving access to nothing or everything.  He could use brainwallet #1 for his retainer (if in prison) and release the remaining ones to pay bills as they came due.  The robbery victim could call somebody back home and ask for fiat via Western Union (assuming no way to sell BTC locally), without the risk that the person could rip them off for more than 10% of their brain money (and have it 1/10 the temptation at the same time).

Of course, the problem is that it's bad enough just learning a single passphrase with sufficient entropy, let alone a dozen.  For someone really interested in it, they'd probably have to learn some sort of algorithm that they could sort out in their head or with nothing more than a pencil and paper, so they could derive their own private keys by hand.  (In this case, it's safe to assume they've got relatively unlimited time on their hands)

For example if one memorized the SHA256 algorithm and could compute a SHA256 hash on paper with unlimited time, he could remember "n bottles of beer on the wall in my grandmother's basement at 20205 poppy lane in Witchita" where n was a number he could increment.  He could hand-hash in his prison cell without divulging his passphrase (assuming he had a way to not get his notes confiscated).


Title: Re: New blog post: Hiding Bitcoins in Your Brain
Post by: cbeast on January 30, 2013, 03:56:37 PM
How secure is this type of brainwallet?
1. Memorize a short phrase like a song lyric or quotation.
2. Make an algorithm that converts the letters to numbers.
3. Use those numbers to find words in a book making sure of the exact edition.
4. Use those words as the actual brainwallet passphrase.


Title: Re: New blog post: Hiding Bitcoins in Your Brain
Post by: mpfrank on January 30, 2013, 04:44:08 PM
How secure is this type of brainwallet?
1. Memorize a short phrase like a song lyric or quotation.
2. Make an algorithm that converts the letters to numbers.
3. Use those numbers to find words in a book making sure of the exact edition.
4. Use those words as the actual brainwallet passphrase.

As long as the code used is obscure, it might be OK, but the need to have access to the book makes it unsuitable for some scenarios (e.g. you're on the run and have to quickly access your stash, you don't have the book with you, and there's no time to visit the library).


Title: Re: New blog post: Hiding Bitcoins in Your Brain
Post by: UncleBobs on January 30, 2013, 04:50:41 PM

Though time consuming, this is probably the most secure way to set up a brain wallet:

http://www.extremetech.com/extreme/133067-unbreakable-crypto-store-a-30-character-password-in-your-brains-subconscious-memory

There was a discussion of this on HN a few months ago:
https://news.ycombinator.com/item?id=4266115


Title: Re: New blog post: Hiding Bitcoins in Your Brain
Post by: mpfrank on January 31, 2013, 12:00:08 AM

Though time consuming, this is probably the most secure way to set up a brain wallet:

http://www.extremetech.com/extreme/133067-unbreakable-crypto-store-a-30-character-password-in-your-brains-subconscious-memory

There was a discussion of this on HN a few months ago:
https://news.ycombinator.com/item?id=4266115

Well, in addition to all the critiques on that thread, it seems rather cumbersome and unwieldy.  And I think it's unlikely to be widely adopted.  Also, I would be nervous that maybe my subconscious wouldn't meet expectations when I need it to the most.


Title: Re: New blog post: Hiding Bitcoins in Your Brain
Post by: dooglus on January 31, 2013, 12:25:27 AM
To make a truly secure brainwallet passphrase take the output of
Code:
dd bs=32 count=1 if=/dev/random | hexdump -e '"%x"'
and convert it to PGP words (http://en.wikipedia.org/wiki/PGP_Words)

That hexdump format drops leading zeros, so you don't always get the same length output.  Use %08x instead:

Code:
$ for i in . . .; do dd bs=32 count=1 if=/dev/random 2>/dev/null | hexdump -e '"%x"'; echo; done
16a1e01aab6de7fe6e8e5e8f28420f0d8cf1d12256321054f57f6973b6e6b2
23db86401bea1e3ac5c089fa1a5333f2403448314a15e3d724995a328e31bee6
e8dbc73fcab648562843757bf32ce6a5ee685689e40a6818ed65f3c1623a00e
$ for i in . . .; do dd bs=32 count=1 if=/dev/random 2>/dev/null | hexdump -e '"%08x"'; echo; done
3e2b8050eba7507b02f8e92e4d046f2e8b77b37914eb33a190bbaec26e589e0b
140b7e3f8ec3d995b8c84c79a1aad8dae792a7da13bbb457432c1543440237a3
ea6ca2eb010fbd8044ea907398308bb4643f23114f5c935162736623cdec6f94

Also note that /dev/random won't always have 32 bytes of random data available, so you might get a much shorter output.


Title: Re: New blog post: Hiding Bitcoins in Your Brain
Post by: justusranvier on January 31, 2013, 02:53:20 AM
Also note that /dev/random won't always have 32 bytes of random data available, so you might get a much shorter output.
It should block until it has enough data.


Title: Re: New blog post: Hiding Bitcoins in Your Brain
Post by: thezerg on January 31, 2013, 03:57:52 AM
It would be unfortunate to make brainwallets inconvenient to generate because they won't hold coins securely for decades when some people may desperately need them for just a few hours or days during periods of travel or social unrest...



Title: Re: New blog post: Hiding Bitcoins in Your Brain
Post by: ErebusBat on January 31, 2013, 04:21:19 AM
OR.. OR....  use a random wallet and store the private key / recovery code in LastPass or keepass.

I understand the 'attractiveness' of brainwallets is that your computer could go away and you can still get your bitcoins back.

HOWEVER usb drives / paper wallets / safe deposit boxes / mom's houses are very effective and cheap. 

This reminds me of a conversation we had at work.  We currently backup on-site and to our data center, which happens to be about two blocks away from us.  We had the opportunity to add another city to that list.  Whilst discussing it I brought up the good question "if our building is destroyed AND the datacenter is destroyed will we still be in business?"

if you PGP encrypt your wallet and give your mom a copy and put a copy in your safe deposit box and all those are destroyed then most likely your primary concern is going to be running from zombies and not where your magic internet money went.

Just Sayin.


Title: Re:
Post by: ErebusBat on February 02, 2013, 11:24:42 PM
For those of you who have spare unneeded coins ;)
I have a new toy in Google Go:

https://bitbucket.org/mmanchaild/brainqeyz.git

This SAVING brainwallet generator has some quite secure properties.

On an average PC, EVERY brute-force attempt of a passphrase will take ~90 minutes to perform.
It comes with a cost: the application will run about 2..3 hours for one launch.
You will need to launch it at least 2 times (or MORE) for safety reasons.
And then you must compare results. They must be the same.


I am interested in how you calculated that every brute force attempt would take 2.5 hours.


Title: Re: New blog post: Hiding Bitcoins in Your Brain
Post by: casascius on February 03, 2013, 12:17:55 AM
A brainwallet generator that has an option that can be cranked up to 90+ minutes might be useful.  But one that requires people to wait 90 minutes to do their first brainwallet, is one that probably hasn't been properly thought through.

A 90-minute or 900-minute brainwallet has useful properties from the perspective of robbery/duress prevention.  Teaching someone that a brainwallet is something that requires at least 90 minutes to access, on the other hand, is going to sound ridiculous.


Title: Re: New blog post: Hiding Bitcoins in Your Brain
Post by: ErebusBat on February 03, 2013, 02:19:25 PM
I am not sure I see the point in this vs truly random keys?

My thought behind brainwallets were so that they could not be lost or destroyed?  The idea behind just using a simple SHA256 was that it was not complicated or hard, you can even find (non bitcoin) related sites to do it for you.

If you require a special program to generate your address then does that leave the realm of brainwallet and enter the realm of super-duper wallet generator?

Don't get me wrong, I really like the idea, but it would be very hard for me to lose anything digital.  But for your average user I am not so sure?


Title: Re: New blog post: Hiding Bitcoins in Your Brain
Post by: Dabs on March 12, 2013, 06:49:28 AM
How about a SHA256 hash of a picture or video from your own camera? The photo or video is of the sky, or of the ground, or something weird; something no one else is going to take a picture of; in the dark, with highest ISO speed for grainiest photo. Or a bunch of photos. Of course, add salt and iterate a few hundred times.


Title: Re:
Post by: aliaser on April 08, 2013, 01:03:36 AM
For those of you who have spare unneeded coins ;)
I have a new toy in Google Go:

https://bitbucket.org/mmanchaild/brainqeyz.git
404, do you have a working link to the source code?