Brainwallet Passphrase limits?

[npudar]

I really wanted to correspond in another really good thread on brainwallets, but alas, I'm a noob.

So, here are my questions:

1) In generating a brainwallet on bitaddress.org, what is the limit for the number of characters in the passphrase?

2) On the site bit2factor.org, in creating an encrypted private key, what is the limit for the number of characters in the passphrase?

Thanks.

[serves-two]

Don't.  Bad for privacy, usually done wrong and hacked, even if done right people often forget or lose the password...

If you still must create a brainwallet, for the love of $deity_or_lack_thereof please make sure you generate the passphrase genuinely randomly - e.g. an Electrum-esque 12 Diceware words chosen with real dice, written down multiple somewheres (perhaps split up) - and use some kind of KDF that requires a substantial amount of time to slow down brute-forcers anyway. 

But, please, just don't even do it in the first place.

[npudar]

Don't.  Bad for privacy, usually done wrong and hacked, even if done right people often forget or lose the password...

If you still must create a brainwallet, for the love of $deity_or_lack_thereof please make sure you generate the passphrase genuinely randomly - e.g. an Electrum-esque 12 Diceware words chosen with real dice, written down multiple somewheres (perhaps split up) - and use some kind of KDF that requires a substantial amount of time to slow down brute-forcers anyway. 

But, please, just don't even do it in the first place.

I appreciate the good advise.  I still want to know what the limits are to the number of characters in a brainwallet passphrase, as well as the limits for the private key encryption passphrase in BIP38.

The passphrase I am thinking of has 230 bits of entropy, and I can recreate it reliably.  I was thinking of using that same brainwallet passphrase for both creating the private key as well as for encrypting it.  But I've been thinking of using a different (equally high entropy) passphrase for the second step of the process.

So back to my original questions, soes anyone know what the limits are to the size of the passphrases?

[coinjipsey]

Yea I would definitely forget. Put a copy of your wallet.dat file on a few usbs, cds, maybe print one out. Store them in separate locations. Maybe give a copy to someone you trust (ALOT), incase anything ever happened to you. Oh yea and encrypt the wallet.dat file too.

[DannyHamilton]

I'm not sure what the limits are for the text box at the brainwallet.org website, but for the concept of a brainwallet there is no limit.

With the brainwallet concept, you start with a passphrase and then you create a 256 bit digest of the passphrase.  The most common method is to use SHA256.  SHA256 can create a 256 bit digest of any arbitrarily large data set.

[bloss]

I'm not sure what the limits are for the text box at the brainwallet.org website, but for the concept of a brainwallet there is no limit.

With the brainwallet concept, you start with a passphrase and then you create a 256 bit digest of the passphrase.  The most common method is to use SHA256.  SHA256 can create a 256 bit digest of any arbitrarily large data set.

I'm not a programmer to understand the open source code... But do all brainwallet sites use the same algorithm to convert the passphrase to a private key and address? In other words, does a particular passphrase always generate the same private key on all sites?

[J35st3r]

I'm not a programmer to understand the open source code... But do all brainwallet sites use the same algorithm to convert the passphrase to a private key and address? In other words, does a particular passphrase always generate the same private key on all sites?

I think the answer to that has to be no. One convention is to use SHA256 (both bitaddress.org and brainwallet.org use this) but there is nothing stopping another site from using some other algorithm (for instance SHA256d, or including some salt).

As mentioned above, you're far better off using a deterministic wallet like electrum and saving the 12-word passphrase. Write it down (for your own sake, or for your beneficiaries in case the worst should happen, lost/forgotten passwords are far more risk than stolen ones) and keep it in a safe place or better, several.

And a general comment. Brainwallets are NOT safe for newbies to use, have a read of this thread https://bitcointalk.org/index.php?topic=251037.0

[no name]

I have one brainwallet question for crypt/math gurus, please. 

I found that 2^256 private keys, they only map to 2^160 unique wallet addresses. Could SHA-256(whatever) map whole set of possible private keys or only its subset? And what is dimension of that subset?

I'm googled few days but without success.

thanks in advance!

[DannyHamilton]

I have one brainwallet question for crypt/math gurus, please. 

I found that 2^256 private keys, they only map to 2^160 unique wallet addresses. Could SHA-256(whatever) map whole set of possible private keys or only its subset? And what is dimension of that subset?

I'm googled few days but without success.

thanks in advance!

I don't know if anyone has determined yet if the result set of SHA-256 actually includes every number from 0 to 2²⁵⁶.  I suppose it may be possible that there are some private keys that SHA-256 will never create no matter what input is used.

Furthermore, since addresses are the result of finding an ECDSA public key from the private key, then calculating RIPEMD-160(SHA-256(public key)), and it's possible that any of those three functions (ECDSA, RIPEMD, SHA) may have result sets that do not include every number in their respective ranges, it is quite possible that the complete result set of addresses that can be generated from using SHA-256 to create a private key is less than 2¹⁶⁰ possibilities.

[no name]

I don't know if anyone has determined yet if the result set of SHA-256 actually includes every number from 0 to 2²⁵⁶.  I suppose it may be possible that there are some private keys that SHA-256 will never create no matter what input is used.

Furthermore, since addresses are the result of finding an ECDSA public key from the private key, then calculating RIPEMD-160(SHA-256(public key)), and it's possible that any of those three functions (ECDSA, RIPEMD, SHA) may have result sets that do not include every number in their respective ranges, it is quite possible that the complete result set of addresses that can be generated from using SHA-256 to create a private key is less than 2¹⁶⁰ possibilities.

Thank you very much for your answer DannyHamilton, VERY helpful.
I appreciate that.

[NxtChoice]

The length should has no restriction, but you'd better input more than 20 characters.