Bitcoin Forum

I have been experimenting in alot of different ways to store my bitcoins.

I have found a good way, but just for kicks I wanted to see how fast easy brainwallets would be taken

It took about 10 seconds from time of broadcast for the bitcoins to be transferred

Crazy

People have scripts set up to claim bitcoins sent using common public keys I think. That's how so many people had money stolen due to the android random number problem.

that is crazy

Wow, didn't realise people camped out waiting for this.

so could there be a possible collision?  ???

you really need a very strong password something like "1bH7Dt62Hu82" should be good enough no?

surely Electrum is working.  it seems 12 random words is enough to securely create a master key.

Actually, I like that password. If nobody is using it, can I have it?

I'm no expert but that seems woefully short.

1000+ years to guess at 20,000,000 guesses per second

Wow. Guess I will use a long phrase with my brainwallets if i ever make one.

16GsPwhmfrTLEqp9kVbtMXEuHztCsbYL19

Sure, there it is!

Also, KeePass has a nice plugin called "readable passphrase generator" that spits out things like

"that repentant bragger wondered the stunted one sorely will dignify amidst the cloaked tackle"

and

"Capetown announced her 241 softest emissions stackly might unhinge via the cruel intruder"

Now I don't know how much entropy those have, since they follow speakable format, but it's not nothing, and I think you can actually set it to just randomly spit out words from its dictionary in random non-phrase format.

https://readablepassphrase.codeplex.com/

12 words is a very long and good password in my opinion.

Here are three examples of deep brain wallets:

Passphrase	Bitcoin address	Total volume	Comment
bitcoin is awesome	14NWDXkQwcGN1Pd9fboL8npVynD5SfyJAE (http://blockchain.info/address/14NWDXkQwcGN1Pd9fboL8npVynD5SfyJAE)	501 BTC	500 BTC snatched within 36 seconds back in 2012
You don't win friends with salad!	15gCfQVJ68vyUVdb6e3VDU4iTkTC3HtLQ2 (http://blockchain.info/address/15gCfQVJ68vyUVdb6e3VDU4iTkTC3HtLQ2)	157.5 BTC	3 BTC temporary lost, "How could this have happened...?" thread on Reddit (http://www.reddit.com/r/Bitcoin/comments/1j9p2d/blockchaininfo_unauthorized_transactionhow_could/) - with happy end
8964009	12vGMScGWHVDKRBPTJn8i7E9GxYXq8zaz3 (http://blockchain.info/address/12vGMScGWHVDKRBPTJn8i7E9GxYXq8zaz3)	6.5 BTC	6.5 BTC drained in 2 seconds one month ago

Conclusion: Don't use brain wallets if you don't know about how to choose really secure passwords.

In practice, 7 words *randomly* (no cherrypicking) chosen from a 7,000 word dictionary is all you need to keep *everyone* (including government and russian hackers) away from your brainwallet. Anything longer is absolute overkill - despite anything you may hear on these forums. Many people are misinformed when it comes to choosing a proper passphrase. All you will get with longer passphrases, in practice, is a higher risk of forgetting them.

It takes literally billions (not just millions) of dollars to have a reasonable chance of cracking such a passphrase.

Please research and understand passphrase entropy if you don't agree with the above statements.

Also give the NoBrainr script a try for a bare-bones way of generating such passphrases securely.

What electrum does is not "12 random words" in the way that you'd produce them.  It generates a cryptographically strong 128 bit random number, and using that number selects a unique string from the set of all possible 12 word sequences (using a particular dictionary), there is a 1:1 mapping so each value is equally possible an the value has 128 bits of entropy.  It then applies a moderately computationally expensive transformation to convert that 128 bit value into the 256 bit bitcoin keys, so even an attacker who knows part of your electrum seed must do a lot of computation to check it.

If you try to pick 12 "random" words on your own you will fail. Humans are terrible at randomness.

Even most people who think they know how to choose good passwords are incorrect. The common password advice people receive is applicable to security for centralized systems like login passwords, but not Bitcoin key security, as they have entirely different threat models. (e.g. Bitcoin key security for a brain wallet is inherently unsalted: you have to worry about attackers all over the world, over all time, potentially using high speed hardware crackers, and precomputing rainbow tables).

Yea, I'm a bit surprised people use brain wallets in such ways.

If the private key is simply the digest of the brain wallet pass phrase, then it's susceptible to rainbow tables. Maybe if you used the number of rounds of sha256 as a sort of salt, but even then I'm not too keen on the idea. You'd have to remember quite a big number to make it reasonably harder on the attacker, which sort of defeats the purpose.

Here are 12 "words" that I can remember that aren't in any dictionary

thingy
depribe
weenus
integrous
prollums
pompatous
dickfor
tigger
"xxxxxxxx" (my last name, shared by fewer than 100 people worldwide - okay, that's probably on some list)
sadistics
skullfuck
dickstain

Most people could come up with their own list - probably less twisted, immature, and pathological - but still their own list.

I could arrange my 12 "words" in several ways to make several passphrases, and I would bet all my BTC (I don't have any) on any of them.

One address is "unlocked" by ~2^96 private keys

~2^256 possible private keys
~2^160 possible addresses
Hence ~2^96 private keys per address

So if  would use a sentence like:
This passphrase is the most amazing of all times
that would be a safe "password" am I right?
Now that I said the password go get my money! I'm kidding, I never used that sentence for a brainwallet so I guess there are no bitcoins in it.

The problem is that it might be guessed in 2 seconds , in 10 minutes or in 989 years.

It's "1000+years" to try them all.
Usual misconception about password security.

Your password is just a needle in a haystack,which the cracker attempts to find.If your add more characters the bigger the stack is , but it doesn't mean that you're 100% safer.

To make it clear:
It will take god knows how many billions years to get all the private keys right?
Well , a few thousands private keys will be generated in one hour , if you're one of the owners... it's just luck :)

"It will take 1000 years"
Maybe there are 10.000 hackers so .1 year?
Maybe each have 10 computers so .01 year?
Maybe every 12 words found in any sequence on any publicly available web page get stuffed into a rainbow table...

Have fun securing your brain wallet.

Want a good brain wallet?

-Pick your favourite book
-use the first 3 digits of your birthday to pick a page number ( or 2 digits if you read books with pictures, or graphic novels)
- use all the words down the left hand side.

But what if you get in a car accident 2 years and 2 months from now, and you're taking painkillers, and you leave the book in the car, and you use a false birthday at the hospital to get insurance, and you can no longer tell your left from your right, what then?

What organization will help you?

Maybe any software that supports brain wallets should do a security check.

1. Generate brain wallet
2. Send a tiny amount of bitcoins to that address
3. If the bitcoins haven't been stolen in some period of time (1 hour? 12 hours?) then consider the wallet secure and you can transfer larger amounts to it

Plot twist, some bots have a minimum wait time or transaction size before stealing the funds.

This is silliness. If you are looking to pick X random words, take a book--for example, a dictionary--open it to any page and point your finger at any spot. Rinse repeat. Not everything has to be protected by a layer of high-tech gidgetry. Plus the process is simple and adds a physical connection where one might be apt to take it more seriously rather than some randomly generated gibberish on the screen. It also means it will be more memorable.


Well if they didn't before, they do now. :P

You're specially unlikely to open it on page 1. The book's binding will make it more probable to open it on specific pages. All that reduces entropy.

Yes, I could have made the corollary referencing this nonsense, but alas.

Or.. you know, don't use brain wallets. Create one locally and encrypt it with true crypt.

i'v learned a lot ! Thanks for sharing this info  ;D

This ^^^

So is it safe for me to create a wallet using the bitaddress.org brain wallet creator provided I use enough random numbers and letters?

I don't intend to remember the passphrase and I will not make a record of it.  I am only interested in the public address and corresponding private key using this method of generation.

I intend to boot a brand new laptop using Ubuntu from a new storage card/pen drive and then accessing the bitaddress'org zip files from a second storage card.

The laptop will never connect to the internet or bluetooth and the pen drive/storage cards will never connect to the internet after first loading them with the operating system and zip files.

Thanks.  I will start to look into Armory.  I understand a new version is due very soon and what your saying sounds similar to a discussion on Letstalkbitcoin! I heard recently.

My current plan is to create ten wallets and duplicate each three times using metal stamps onto brass strips.  Each strip of brass will hold a public address on one side and a private key on the other and will be cut into three pieces.

I will spread the pieces of brass across three locations to ensure that a visit to any two of the three locations will allow for retrieval of all ten wallets.

It was my intention to never use this new laptop again and possibly even destroy it and the pen drives/ storage cards after I have generated all the wallets I need.  Overkill?

The wallets are for long term storage and I was going to 'watch' them using a phone app.

 

A number of people mentioned recursive hashing.  I was wondering about that.  Is there really any point to it?  Sure, it adds entropy, but why not just add the entropy to the key directly?  Instead of hashing the key ten thousand times, why not why not add an extra random word or two?  In both cases, the attacker will have to do tons of extra hashing, but in the latter case you won't.

Yeah, but what's the point?  I get it that the idea is to increase the amount of information an attacker will have to guess in order to compromise the key, but adding more words to the key has the same effect, doesn't it?

It reminds me of that correct horse battery staple (http://xkcd.com/936/) thing.  Adding a complicated hashing algorithm will make it more difficult for you to access your coins when you want to, and it won't necessarily be more secure than simply adding more to your key would be.

Indeed. There's a nice thread about this exact topic on the Agilebits forum. I'll see if I can find the link again.  
As long as you have enough entropy in your passphrase (in a provable way), you will be just fine. Speaking about this, you may want to check out NoBrainr, which is our simple command-line tool based on this principle.

It generates bruteforce-resistant addresses perfect for cold storage and brainwallets, using an easy-to-remember xkcd/diceware-style passphrase. Example:


This has 90.47 bits of entropy, which is more than strong enough to protect against passphrase bruteforcing, if you do the math. It may look like a bold statement to the untrained eye, but I, for one, feel be perfectly safe and happy to store up to 5000 BTC with such a passphrase.

That password just sucks (http://arstechnica.com/security/2013/10/how-the-bible-and-youtube-are-fueling-the-next-frontier-of-password-cracking/).

I'm not a fan of brainwallets for myself (I have a lousy memory and also I could die at any moment )
I ended up using bitaddress random generation, BIT38 and print.
But returning to brainwallets:  What about using 12 words from dictionary and one word that makes sense for you (like DeathAndTaxesRules ) but is not any dictionary

What about adding a non-dictionary word like your your screen name in some forum, your email address, nospaced phrases like "tooyoungtodie", you can even remember them more easily than "thyme" and "relish"

You can make a brain wallet + a paper wallet. I have...

For me it is a danger to lose the coins more likely than to get stolen. So i made a brain wallet with a password. I think that this password can be hacked is 0.1% of my problems. To lose it maybe 0.9%, but 99%, that I made a mistake with the generation.
- Maybe my connection was still on?
- Or it is still somewhere on my HDD?
- Or it was saved by a malware and when I connect again it will send the private key to the hacker?

What is your guess: I moved a few bitcoins to an address one week ago and the private key is just in my brain, paper wallet + truecrypt container (on usb stick I never use). How likely some malware get the private key?
My password? 30 characters, serveral words, names, seperated by an ~, and the words are written backwards or one character wrong. For example not "australia" but "ausdralia"

Don't panic. If you use correctly brainwallets are the most secure.
But they are not newbie proof.

Are you sure? (http://aws.amazon.com/datasets/41740) The link has essentially the entire text of the Internet. While de-duplication would be tricky for common phrases (including misspellings), it should be trivial to pull all unique "words".

Are you saying none of the 100 people using your last name have a web-page on the Internet?

The hardest part would be trying all 12 word permutations. 4 word permutations should be doable.


I would say paper wallets are most secure. Remember: you are not only trying to guard against theft, but also data-loss. Memory is notoriously unreliable. If you are hit by a vehicle, even if you survive, you may forget your passphrase.

With paper, you can store the passphrase is more than one physical location. You can use Multi-party signatures to require data from m of n locations (Pay to Script hash (BIP16) ,+ Multi-signature transactions (BIP11))

My offline wallet will survive a city-destroying event. Can't make the same claim about any "brain wallet" in my head.

Quick question.

In making my 'paper' (brass) wallets,  I'm going to use bitaddress_org html file and it so happens that it's the 'brain wallet' creating function that I need to use to be able to enter a passphrase.

So let's imagine I roll a dice 50 times and toss a coin 50 times and I enter those results with some added text of my own as a passphrase.

This is the passphrase that you would remember if it was indeed a brain wallet you were creating.

Clearly I would be unable to actually remember the newly created passphrase.

This is because I am only interested in the public address and corresponding private key which come from the above process.

So my question is simple.  

Is it okay for me to disregard the passphrase and never make a record of it as I'll already have everything I'll ever need for my cold storage brass wallets?

That should be fine, but why bother with a passphrase at all?  Why not just let bitaddress randomly generate your addressed using their "single wallet" or "bulk wallet" option?

Because of this:
http://www.bbc.co.uk/news/technology-24048343 (http://www.bbc.co.uk/news/technology-24048343)
https://www.schneier.com/blog/archives/2013/09/surreptitiously.html (https://www.schneier.com/blog/archives/2013/09/surreptitiously.html)
But if you use random number generator with mouse input or keyboard input for entropy collection then it is OK.
If the entropy is collected only from the own hardware then it is not safe because it is predictable. A deterministic wallet or a random wallet with human input is not predictable.

My blockchain password goes in the format of "chippy2370spence2721" .

I assume this would be a crap brainwallet password and quickly cracked and my BTC stolen?

M

Looking at the extraordinary hoops folks are jumping through in order to secure their bitcoin, is a decent measure of how very far we have to go yet to get to mainstream adoption.
These are early days.
Like hearing grandpa talking about starting their cars with a crank.

Thanks for the reply.

It's just as protection in case there are security flaws with that method. 

Why don't you just put in 1000 random characters with the keyboard on bitaddress? The private key is just a SHA-256 key of that string. And the public address will get created out of this private key. So you get the maximum entropy... But in this way you don't have a backdoor to access your coins in your head.

can I use http://passwordsgenerator.net/ to generate a 50 char password such as


and use the phonetic output



as seed for a resonably secure wallet?

I am using cold storage the same way you were talking about. Only difference was I was livebooting from Ubuntu and then opening bitaddress in html file offline to generate a key pair using brainwallet (as stated, don't trust RNG).
But seeing you won't use the computer afterwards it should be perfectly fine - just don't go online on it again.


I'm not so sure about how you would go and import one of these on an offline client like the armory/official client, however I would just sweet it on a Blockchain.info account with Google 2-FA and then transfer the funds to whatever destination.

I have been wanting to participate in this discussion, and am now happily past the newbie speedbump.  :)

I like the concept of deterministic wallets, and am thinking of an approach that lets me create deterministic and encrypted paper wallets.

It starts with a brainwallet created at bitaddress.org with a 230+ bit entropy passphrase.  I then encrypt the private key at bit2factor.org which implements BIP38 to create an encrypted private key.  For this encryption, I use a different 230+ bit entropy passhprase.  I then use the encrypted private keys as the successive brainwallet passphrases to create more encrypted private keys in a deterministic manner.

I have read this full post and others like it, and am aware of the need for high entropy passphrases.  I can use even higher entropy passphrases than what I am thinking of, and I can reliably re-create the passphrases when I need to.  But I am interested in knowing how much entropy bitcoin passphrases can handle.

My questions are:
1) what is the limit for the number of characters a passphrase can have to create a private key at bitaddress.org?
2) what is the limit for the number of characters a passphrase can have to encrypt a private key at bit2factor.org for the BIP38 implementation?

Thanks.

It is safer to properly generate the entropy and store the result on paper.

Due to to nature of cryptographic hash functions, there is no limit to the length of the pass-phrase. It can be the King James Bible (which is well known enough, it may very well be guessed by dedicated pass-phrase crackers).

My rule of thumb: if it has ever been published, it is not a good pass-phrase.

It will suffice to use a good password. Supercomputers can't beat good passwords. Just don't use anything that could be beaten with wordlists etc., do not use lyrics from your favourite song and so on. The problem is the same as choosing a good password. It's totally doable if you use some sense. Put something personal in it, something that is not found in a word list. That way if the attacker wants to really crack it he would have to focus on cracking just your password.

If we look at passwords like "correct horse battery staple"
The words
correct - 1822nd most common (Wolfram Alpha)
horse - 1315th most common (Wolfram Alpha)
battery - 3222nd most common (http://www.wordfrequency.info/free.asp?s=y)
staple - ???, but not in the top 5000

So, one would most probably need a word list of at least 2000 words to be able to have all those words. This means 16000000000000 different combinations of four words. Assume an attacker could hash passwords at 10 TH/s. She would need 1.6 seconds to surely find the key. So not safe for the future attacker. Add a fifth word, it will take an hour now. Add punctuation, substitute a letter for a number, do a strange error in spelling... something you can remember. The key will become impossible to guess. Remember something personal. Also in practice the word list would have to include way more than 2000 words.
Anyway, think this for yourself, but it's not difficult to come up with a safe passphrase that you can also surely remember. I have a mixed Finnish/English passphrase I know I really can't forget but it's also quite impossible for anyone to come up with.
Just remember something random or personal as well, there are around 7 billion people on this planet and  if you think no one else likes that obscure quote or poem you're using, you might as well be wrong.

There are safer ways to hold into btc's ,it's clear that some people generated thousands if not millions of wallets and are using bots with bruteforce to break any weak passwords. To have a somehow moderate wallet you might need to enter a semi-impossible to imagine word with letters/number/signs etc... making it hard for you to remember. Paper wallets might be more useful.

How about a coinbase wallet?   Is it secure?

Its as secure as the owner is. But remember, if you don't control the keys, you don't control the bitcoin.

Blockchain.info is a much better wallet because you get to keep control of your keys

And your blockchain.info wallet is as secure as the password you set it up with?

Sorry for the noob q's

So if my coinbase has an easy pw, when I do a transaction someone may use the public key to track me and try to crack my pw? 

Is that the way it works?

New to this but want to be secure.

Perhaps not using words would be prudent as lists exist which have fancy titles like DICTIONARY etc :)

Skynet's new 12nm ASIC chip is able to learn at a geometric rate and can crack passwords at 500T/flop/s whilemining / coordinating missile strikes under WIN7/Ubuntu. Also it is self-conscious.

Fancy computers can quite easily hack passwords so beware!

No.  They know your e-mail address and they guess your password and transfer the coins.  That's why you should set up the Authy authentication so they can't do that.

Also, you should only keep spending money in there, not $10,000.