Bitcoin Forum
81  Bitcoin / Bitcoin Discussion / Re: "Why I'm releasing a brainwallet cracker at DEFCON 23" on: August 31, 2015, 02:57:41 PM
That is interesting. But I don't understand yet why there is such a big difference in safety for having that passkey as a password for the wallet.dat or having it as the seed for a private key. Where does the difference come from? I mean bruteforcing should work at the same speed for both isn't it? Or are there iterations of the pass for the wallet.dat so that the time to bruteforce gets extended?

There are two functional differences:

1) For wallet.dat encryption, they need your wallet file, and can't attack your account without it.
2) Even if they have the wallet file, they have to expend their effort attacking your file.  In stark contrast, attacks against brainwallets attack ALL brainwallets simultaneously.  

There's also 3:

3) The wallet encryption uses a slow hash that takes a significant fraction to compute, whereas brainwallets can be attacked pretty much as fast as you can compute the public keys.
82  Bitcoin / Project Development / Re: brainwallet.io on: August 31, 2015, 07:19:40 AM
Heroin, eh?  That's pretty extreme.  I'd say it's more like riding a motorcycle.  Most people take caution and pay attention to their surroundings.  But there's always those idiots who speed through traffic without wearing a helmet.

I don't think most people - even people who think they're experts - really appreciate how good password cracking has gotten. I really didn't fully grasp what constitutes a good passphrase until I started attacking them. There is also a ton of bad advice in this space all over the internet, so we have lots of people who think they know what a good password/passphrase is, but don't really. I'm an expert and I don't even trust myself to come up with passwords or passphrases any more. I use a password manager to randomly generate individual passwords, and diceware passphrases - generated with casino dice - for full disk encryption, master passwords, gpg, etc. Real entropy is way better than imaginary entropy. It just takes a little effort to memorize.

As to motorcycles - I have several friends who have gotten pretty badly hurt. One lost part of his small intestine, another had his hip destroyed and the last ended up with brain damage and was in intensive care for weeks, then in recovery for a few more months. This is all despite good motorcycle armor (a helmet is nowhere near sufficient protection). Being in the wrong place at the wrong time can still destroy you.

Anyway, the reason for the heroin analogy (which seems to have come across as a little more extreme than I had intended) is because the advice on heroin should always be "Don't do it.". Needle exchanges exist because some people will do it anyway, and there is value in making it somewhat safer.

I'm glad brainwallet.org is dead. Tools like WarpWallet and brainwallet.io are a lot better. Using them with randomly generated passphrases is safe against all plausible attacks, so long as they are sufficiently long. Some organically chosen passphrases may be safe against most attacks, but it is far more difficult to predict the effectiveness of attacks against those, so it's best to assume they are dangerously weak.
83  Bitcoin / Project Development / Re: [LIST] Compilation of Brainwallets, Paperwallets & Multisig Addresses Generators on: August 31, 2015, 05:22:52 AM
Any further suggestions?

Prominently mention that it's a really bad idea for people to come up with passphrases themselves and link to diceware. At least eight words.
84  Bitcoin / Project Development / Re: brainwallet.io on: August 31, 2015, 04:44:16 AM
It could be even more interesting to have an always updated website with the stats about the current costs of some/many configurations, so the user can choose which one he prefers.

The user should still not be coming up with a password or passphrase themselves. If they use an actually random passphrase they can ensure it has enough actual entropy to not be cracked.

Tools like brainwallet.io and warpwallet are like giving clean needles to heroin addicts. Harm reduction. Heroin (brainwallet-like tools with user-generated passwords/passphrases) is bad, but we can at least make it slightly less bad...
85  Bitcoin / Project Development / Re: brainwallet.io on: August 31, 2015, 03:59:51 AM
For those of you complaining to people linking to my slides/blog posts about brainwallets - I'm currently testing support for brainwallet.io in brainflayer. My limited benchmarking gives an estimate of about 75k passphrases guessed per dollar on Amazon EC2 spot instances.
It would be interesting to change these settings to see which are enough to get near 1 passphrase per 1 dollar (or even lower)
N=2^18, r=8, p=1, dkLen=32

The issue is that a legitimate user has to spend the same amount of work as the cracker per passphrase, so there is a practical limit on how much work the KDF can do. With scrypt specifically, scrypt(N=2^18, r=8, p=1) uses 256MiB of memory - scrypt(N=2^20, r=8, p=1) would be 1GiB. If you wanted scrypt to take longer than that, I'd probably suggest something like PBKDF2(iter=64, prf=scrypt(N=2^20, r=8, p=1)) which would take several minutes to run and is probably close to the upper bound of what anyone is willing to put up with.

You could also force some extra randomness into this by generating say, four hex digits as part of the salt and telling the user to write it down. Lose the digits and you have to brute force them - time consuming but possible. The cracker, though, doesn't have them and has to try them all in addition to whatever other salt there is... 
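A passphrase-sizing sketch for the figures discussed in this thread, added here as an example and not part of any post: it turns the quoted benchmark rates (560 million guesses per dollar for brainwallet.org, 75k per dollar for brainwallet.io with a single salt) into the number of diceware words needed, with and without four extra random hex digits in the salt. The 10^12 dollar budget, the single-target model and all function names are assumptions.

```python
import math

DICEWARE_BITS_PER_WORD = math.log2(7776)  # a diceware list has 6**5 words

# Benchmark figures quoted on this page, in passphrases guessed per US dollar.
RATE_CLASSIC = 560_000_000  # brainwallet.org, SHA256(passphrase)
RATE_SCRYPT = 75_000        # brainwallet.io, for one known salt


def expected_cost_usd(entropy_bits, guesses_per_dollar, extra_hex_digits=0):
    """Expected spend to find one uniformly random secret (half the space).

    Each secret random hex digit mixed into the salt adds 4 bits the
    attacker must also search.
    """
    bits = entropy_bits + 4 * extra_hex_digits
    return 2 ** (bits - 1) / guesses_per_dollar


def min_diceware_words(budget_usd, guesses_per_dollar, extra_hex_digits=0):
    """Fewest diceware words whose expected cracking cost reaches budget_usd."""
    words = 1
    while expected_cost_usd(words * DICEWARE_BITS_PER_WORD,
                            guesses_per_dollar, extra_hex_digits) < budget_usd:
        words += 1
    return words


def report(budget_usd=1e12):
    """(scheme, extra hex digits, words needed) for an assumed attacker budget."""
    rows = []
    for name, rate in (("classic", RATE_CLASSIC), ("scrypt", RATE_SCRYPT)):
        for hex_digits in (0, 4):
            rows.append((name, hex_digits,
                         min_diceware_words(budget_usd, rate, hex_digits)))
    return rows


if __name__ == "__main__":
    for scheme, hex_digits, words in report():
        print(f"{scheme:8s} +{hex_digits} hex digits: {words} diceware words")
```

The model only holds for randomly generated passphrases; a human-chosen phrase has no entropy figure that can be plugged in.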
86  Bitcoin / Bitcoin Discussion / Re: "Why I'm releasing a brainwallet cracker at DEFCON 23" on: August 31, 2015, 01:09:51 AM
i don't mean to be harsh but honestly if the passphrase of the brain wallet was "how much wood..." the owner deserves to lose 250BTC and more.
the first thing that the brainwallet itself in the password field suggests is not to use popular phrases.
https://www.google.com/search?q=how+much+wood+could+a+woodchuck+chuck+if+a+woodchuck+could+chuck+wood

there is even a film with the same name for gods sake!
https://en.wikipedia.org/wiki/How_Much_Wood_Would_a_Woodchuck_Chuck_(film)

At the time that wallet was made, brainwallet.org had "correct horse battery staple" as the placeholder text. Nothing on the site said not to use phrases like that.
87  Bitcoin / Project Development / Re: [LIST] Compilation of Brainwallets, Paperwallets & Multisig Addresses Generators on: August 30, 2015, 05:44:17 PM
Regarding KDFs, I would score them on a logarithmic scale based on spot instance cracking cost, and severely penalize anything that doesn't include a salt. I would be very surprised if someone made ASICs to try to crack Bitcoin keys generated via brainwallet or otherwise due to very large (well over a million dollars) one time costs. GPUs are likely, FPGAs may be difficult due to memory requirements.

Helpfulness of KDFs is also a little unusual because the public key computations themselves take a bit of work. For example, PBKDF2 with 64 rounds would only double the cracking cost vs a classic brainwallet.
88  Bitcoin / Project Development / Re: brainwallet.io on: August 30, 2015, 05:40:53 PM
For those of you complaining to people linking to my slides/blog posts about brainwallets - I'm currently testing support for brainwallet.io in brainflayer. My limited benchmarking gives an estimate of about 75k passphrases guessed per dollar on Amazon EC2 spot instances.

Wow that's better than I thought it would be. Thanks for taking the time to do that. For comparison I'm curious to know the benchmark results for brainwallet.org. Could you provide that as well?  

Never mind, I saw in your presentation that the answer is 560 million passphrases per $1.

I would rephrase your benchmark statistic for brainwallet.io to say "75k passphrase-salt combinations per $1". You would spend a lot more than $1 trying to crack one passphrase because you would have to go through every possible salt.

"Better" as in you expected it to be more or less expensive? Cracking benchmarks are typically understood to imply the numbers are for a single salt, if salts are used.
89  Bitcoin / Project Development / Re: brainwallet.io on: August 30, 2015, 04:00:05 PM
For those of you complaining to people linking to my slides/blog posts about brainwallets - I'm currently testing support for brainwallet.io in brainflayer. My limited benchmarking gives an estimate of about 75k 750k passphrases guessed per dollar on Amazon EC2 spot instances.

Edit: I am bad at math.
90  Bitcoin / Project Development / Re: [LIST] Compilation of Brainwallets, Paperwallets & Multisig Addresses Generators on: August 29, 2015, 09:48:31 PM
I also think that rating based on the number of KDFs combined does not make sense. You need to take the work factors into account.
91  Bitcoin / Project Development / Re: [LIST] Compilation of Brainwallets, Paperwallets & Multisig Addresses Generators on: August 29, 2015, 09:12:19 PM
coinb.in is using the dangerously weak "classic" brainwallet algorithm. It also includes third party javascript which can do whatever it wants. Why is it rated so highly on security?
92  Bitcoin / Project Development / Re: brainwallet.io on: August 29, 2015, 08:48:46 PM
Why are you using uncompressed keys?

For compatibility.  

With what? It seems like pretty much all tools have been supporting compressed keys for quite some time.
93  Bitcoin / Project Development / Re: brainwallet.io on: August 28, 2015, 09:29:20 PM
The documentation on the website as to what algorithm brainwallet.io uses is inaccurate.

It says:

Quote
key = scrypt(passphrase, salt, N=2^18, r=8, p=1, dkLen=32)
keypair = generate_bitcoin_keypair(sha256(key))

It's actually:

Quote
key = hex(scrypt(passphrase, salt, N=2^18, r=8, p=1, dkLen=32))
keypair = generate_bitcoin_keypair(sha256(key))

Why are you using uncompressed keys?
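The two derivations contrasted in the post above, written out as an added example (not code from the post or from brainwallet.io) to show that the hex-encoding step changes the resulting private key, so a tool built from the documented formula would not reproduce the same wallet. Lowercase hex, UTF-8 encoding of passphrase and salt, and all function names are assumptions; the output is the 32-byte value the post passes to `generate_bitcoin_keypair`, and no key pair is computed here.

```python
import hashlib


def scrypt_mem_bytes(n: int, r: int) -> int:
    """Size of scrypt's main working array V: 128 * N * r bytes."""
    return 128 * n * r


def _scrypt(passphrase: str, salt: str, n: int) -> bytes:
    r, p = 8, 1
    # OpenSSL refuses to run unless maxmem covers V plus its block buffers.
    maxmem = 128 * r * (n + p + 2) + 1024
    return hashlib.scrypt(passphrase.encode("utf-8"),
                          salt=salt.encode("utf-8"),
                          n=n, r=r, p=p, maxmem=maxmem, dklen=32)


def privkey_as_documented(passphrase: str, salt: str, n: int = 2**18) -> bytes:
    """sha256 over the 32 raw scrypt output bytes (the website's description)."""
    return hashlib.sha256(_scrypt(passphrase, salt, n)).digest()


def privkey_with_hex_step(passphrase: str, salt: str, n: int = 2**18) -> bytes:
    """sha256 over the 64-character hex string of the scrypt output."""
    key_hex = _scrypt(passphrase, salt, n).hex()  # lowercase hex: an assumption
    return hashlib.sha256(key_hex.encode("ascii")).digest()


if __name__ == "__main__":
    # Constructed inputs; N is reduced to 2**14 so the demo finishes quickly.
    pw, salt = "constructed example passphrase", "constructed-salt"
    a = privkey_as_documented(pw, salt, n=2**14)
    b = privkey_with_hex_step(pw, salt, n=2**14)
    print("raw variant:", a.hex())
    print("hex variant:", b.hex())
    print("same key?   ", a == b)
    print("V at N=2**18:", scrypt_mem_bytes(2**18, 8) // 2**20, "MiB")
```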
94  Bitcoin / Project Development / Re: brainwallet.io on: August 28, 2015, 09:07:40 PM
If you're going to print it, just use BIP38 paper wallets. If you're worried about it getting lost, make multiple copies.
95  Economy / Service Discussion / Re: BrainWallet Defcon Attack Discussion, Advice, Q&A, Brainflayer Info, etc. on: August 28, 2015, 08:31:56 PM
ryanc, I would like to see more documentation about brainflayer as there is almost none.

The initial release of brainflayer deliberately has very limited documentation to keep unskilled people from using it. I will be releasing an enhanced version (with better documentation) soon, now that it's made some news and convinced some people to stop using brainwallets.

In regards a commentary you made in your presentation on how to advert people that they have a weak address. You said that it could be thought sending a small amount to a vanity address but you could send it to a burn address like '1DontUseThisWeakBrainWa11etAf1F98T'. Here you have a python scrypt for generating them, also check the bitcoin address validation wiki entry.

This would pollute the UTXO set, and I don't think it's really any better than using multiple vanity addresses in the same transaction. I was going for subtle at the time.
96  Economy / Service Discussion / Re: BrainWallet Defcon Attack Discussion, Advice, Q&A, Brainflayer Info, etc. on: August 10, 2015, 10:40:09 PM
If you memorize Electrum seed, it will be a brainwallet.

There's a couple of things people use the term "brainwallet" to mean.

1. The weak cryptocurrency private key generation scheme of SHA256(passphrase)

2. Brainwallet.org, a site implementing the SHA256(passphrase) algorithm as well as some miscellaneous tools

3. Any scheme turning a user chosen passphrase into a cryptocurrency private key

4. Any scheme where a user memorizes a generated passphrase representing a cryptocurrency private key

Brainflayer specifically targets number one in that list.

97  Economy / Service Discussion / Re: BrainWallet Defcon Attack Discussion, Advice, Q&A, Brainflayer Info, etc. on: August 10, 2015, 02:08:03 PM
So who is that whitehat who has 800BTC.

btcspry said that based on a misunderstanding of some sort. What I said was that I ran a "peak balance analysis" on all the brainwallets I cracked, and the total was about 733 BTC. This does not reflect the balances they had when I found them - it's the most they ever held. I do not know how much of this was moved out by the legitimate owners and how much was stolen.
98  Economy / Service Discussion / Re: BrainWallet Defcon Attack Discussion, Advice, Q&A, Brainflayer Info, etc. on: August 10, 2015, 12:36:00 AM
I want to be absolutely clear - other than by accident (and those coins were returned within minutes) - I have not taken anyone's bitcoins. I will be following up with a blog post sharing more details of my research soon.

You could try asking btcrobinhood on reddit - they have a bot that sweeps brainwallets. I believe that their policy is to return 100% if you are able to demonstrate ownership sufficiently.

I would consider helping to recover forgotten brainwallet passphrases (using a tailored search), but I don't have a policy on this at the moment.
99  Alternate cryptocurrencies / Altcoin Discussion / Re: Namecoin - Determine Block Height from Block Hash on: May 28, 2014, 03:04:03 AM
I've written a patch that adds this and a few other properties to Namecoin's getblock RPC call.

https://github.com/namecoin/namecoin/issues/87
https://gist.github.com/ryancdotorg/5e610e9ee546beed367d
100  Bitcoin / Bitcoin Discussion / Re: Create vanity bitcoin addresses four times as fast on: November 13, 2013, 12:24:49 AM
Is there source for your version of oclvanitygen so I can build/use it on Linux?

Would be happy to help debug if there's any problems.