Bitcoin Forum
Topic: Paper/Brain Wallet Suggestion (please share your thoughts)
zaubertrank (OP)
September 29, 2013, 12:09:32 PM
 #1

The usual method for BTC-cold-storage is well known (Generate key-pairs with the bitaddress-page on an offline computer and so on. Details here for example...)

Problem: Paper Wallets have to be printed out. And to be secure you should store them at different places. And there goes the security... Maybe someone manages to take a photo of the address-pairs and you're f***ed.
Brain Wallets can fix this, but you have to choose very long passphrases. And if you are not recalling your passphrase from time to time, you will forget it (Don't overestimate your powers...).

Solution: So I'd like to suggest a method that fixes both of the aforementioned problems:

Pick sentences from your favourite children's book or from your favourite poems, let's say:

Quoth the raven, “Nevermore.”
Bob the builder: Can we fix it? Yes we can
... and so forth.

The above (incomplete) method yields the passphrase

ravennevermorebuilderfixwe

You now can write on a piece of paper as your memorizing-aid:
Quoth the -, “-.”
Bob the -: Can we - it? Yes - can

To apply this method correctly, you obviously shouldn't choose phrases like those above as they are too easy. Anyone knows them. But when I flip the pages of my favourite children's books (or poems, or things my mom said to me that stuck or....) I always stumble upon everyday-sentences, that have no importance to anyone but me: For me they were (for whatever reason) highly memorable. You can write down the sentences, by replacing the relevant passphrase-words with a dash. Ideally not even your close family members are capable of filling these dashes with the right words. So you can write down these clozes, which is for you like a perfect reminder, but useless for anyone else.

Advantages: You can produce very lengthy passphrases you do not need to memorize, as you can write them down without giving too many hints to others (ideally)

Disadvantages: Close to random choice of words, but not perfectly random.

Question: How many words do you think you have to collect with this method to meet standard-brain-wallet-security?


marcovaldo
September 29, 2013, 02:17:24 PM
 #2

Yes, but I think that it is overdone.
Paper wallet, with safe storage is enough for me.

Abdussamad
September 30, 2013, 06:16:12 PM
 #3

@OP: You and this guy need to get together and plan world domination:

https://bitcointalk.org/index.php?topic=300102.0
MPOE-PR
October 01, 2013, 12:25:05 AM
 #4

Taking it a step up:

Quote
On the other hand and not unrelatedly, the passphrase has to be strong. A brain wallet based on remembering the secret code “strawberries” isn’t a very good brain wallet, even if you don’t forget it. The reason is that a number of people also won’t be forgetting strawberries, and it’s certainly possible that some other guy one day just decides to use that passphrase for his brain wallet, triggering de facto marriage and pooling of assets between you two. And you don’t even know the guy!

Tinkering with these problems a novel idea suddenly occurred to me. You could write a bit of software that takes a picture, picks four random numbers and spits out a key. That’s your key.

Full article.

zaubertrank (OP)
October 01, 2013, 05:46:58 AM
 #5

Sorry, but I think the point Abdussamad (and to a lesser extent MPOE-PR) is trying to make is, that "security by obscurity" is a bad idea. While this is true, I don't think that the suggested method is such a "security by obscurity"-idea.
You can put the whole process described above on a piece of paper together with your cloze-text.

It has about the same drawbacks as a brainwallet though: If you get a stroke or if you die - the BTCs are gone.

Thanks for taking your time on commenting!


davidgdg
October 01, 2013, 06:30:37 PM
 #6

I don't understand what the debate is here.

Is it this?

1. The supposed problem with brain wallet passcodes is that the ones that are easy to remember are insecure and the secure ones are hard to remember

2. The supposed problem with writing down the passcode is that then it is insecure.

3.  So supposedly what is required is some method of only having to remember some  simple piece of information that then enables the owner to retrieve the passcode without having to write it down anywhere.

If 1. and 2 really are a problem, then the solution is surely to use something which is un-guessable and un-brute-force-crackable to generate the private key. That is surely easy?  e.g. a jpg (then all you have to remember is "the photo of me with the clown hat" - though then you have to do your own hashing) or some unique sequence of text (e.g. "the first paragraph of the letter granny sent me on my 16th birthday"). Obviously don't lose the clown pic file or the letter from granny.  

But I think 1. and 2. are both dubious.

Re. 1. , if there are 10,000 English words, then choosing seven of them at random gives 1 * 10^28 combinations which should be enough for a few years yet even with terahash ASICs.

Re. 2. a passcode is less obviously a private key than is a private key. So writing it down is less insecure than printing out and storing your private key (which is generally regarded as a very secure way to store BTC)

So IMHO the solutions are neat but they answer a problem that isn't really a problem.

Edit: changed 10^20 to 10^28
zaubertrank (OP)
October 01, 2013, 08:11:35 PM
 #7

Thank you for commenting, davidgdg

Reading your answer I think I have to explain in more detail the "use case"/ the scenario I have in mind for this method.

Let's say, it is intended to be a foolproof method for bitcoin cold-storage: I bought a bunch of bitcoins in the last months. It might be the case, that I lose interest in following bitcoin-news the next years (checking exchange-rates, legal status, security measures, new applications... whatever). So if in 5 years I discover that bitcoin is a huge thing then and my bitcoins are worth a fortune, I want to be able to redeem them. So, yes, the two problems you mentioned are exactly the problem, but your requirement is not exactly the one I have in mind:

Quote from davidgdg:
3. So supposedly what is required is some method of only having to remember some simple piece of information that then enables the owner to retrieve the passcode without having to write it down anywhere.

I want to have a method where I do not have to remember any information at all (well, at least, not any new information. I only use information I already know since my childhood). Using this information I do not have to remember, that the privateKey/passphrase is hidden in clown.jpg (which additionally might get lost in a HD-Crash) or in granny's birthday letter (which might get lost also). I can write the whole process on a piece of paper that I can put in my "finance"-folder on the shelf. And I can even give a copy of that paper to a good friend. Restoring the passphrase from the cloze text is easy for me but impossible for anyone else.

Quote from davidgdg:
Re. 1. , if there are 10,000 English words, then choosing seven of them at random gives 1 * 10^28 combinations which should be enough for a few years yet even with terahash ASICs.
Re. 2. a passcode is less obviously a private key than is a private key. So writing it down is less insecure than printing out and storing your private key (which is generally regarded as a very secure way to store BTC)
So IMHO the solutions are neat but they answer a problem that isn't really a problem.

Both answers you give here do require either remembering at least some new information (you have to be able to recall it in 5 years) or you have to make sure that nobody else gets to see your paper-wallet.


Abdussamad
October 02, 2013, 01:18:40 AM
 #8

Two things:

a) Human beings are not good at picking random phrases so don't create your own brain wallet passphrase.

b) Don't reinvent the wheel - use electrum

Electrum generates a random seed that is basically 12 words. You can memorize those or write them down. They are all you need to restore your wallet with multiple addresses. Electrum also supports watch only wallets and offline wallets. So if you want to create a brain wallet use electrum. It is all you'll ever need.
mechs
October 02, 2013, 01:27:12 AM
 #9

My suggestion, choose a difficult to remember phrase with many misspellings, etc.  Repeat it to yourself daily.

As a second level of security, write this passphrase down and then split it with Shamir's sharing secret into 5 pieces with a quorum of 3.  Hide them in different places.  If you ever forget your phrase, you only need to retrieve 3 of them to recreate your passphrase and use that to regenerate your private key.

zaubertrank (OP)
October 02, 2013, 08:10:48 AM
 #10

Quote from Abdussamad:
a) Human beings are not good at picking random phrases so don't create your own brain wallet passphrase.

This is a valid point. While I do know, that human beings are bad at creating randomness, we tolerate this weakness for practical purposes: Or don't you have passwords you chose by yourself? But the longer your self-chosen password / passphrase gets, the more it compensates the weaknesses of its non-randomness. That's why I came up with the last question in my OP: "How many words do you think you have to collect with this method to meet standard-brain-wallet-security?"

Quote from Abdussamad:
b) Don't reinvent the wheel - use electrum
Electrum generates a random seed that is basically 12 words. You can memorize those or write them down. They are all you need to restore your wallet with multiple addresses. Electrum also supports watch only wallets and offline wallets. So if you want to create a brain wallet use electrum. It is all you'll ever need.

I will have a closer look at alternative clients and they will have a place in my bitcoin-environment. But software-solutions don't qualify for my "total-foolproofness"-standards.

Quote from mechs:
As a second level of security, write this passphrase down and then split it with Shamir's sharing secret into 5 pieces with a quorum of 3.  Hide them in different places.  If you ever forget your phrase, you only need to retrieve 3 of them to recreate your passphrase and use that to regenerate your private key.

Cool! I never heard of that! This is definitely a good idea if you want to give your bitcoin-credentials to friends.
Five Points
November 04, 2013, 09:20:33 PM
 #11

What if you invented your own language, and used that for the passphrase?

What really bugs me with a brainwallet is if you ever send bitcoins out of there, you wasted your entire time memorizing it.

I would like to remember the phrase for life, and not worry about having to remember another friggin' brainwallet passphrase.

Another thing that should be discussed is how can we mitigate the risks of a brainwallet without compromising the reason why we chose to use a brainwallet?


Such as if you get injured or die, no one will ever know. So, does that mean you have to have copies laying around for your family? Doesn't that kind of defeat the original purpose of the brainwallet?