retep -
If that works for you, more power to you. I won't deny that it is possible to commit a large amount of information to memory in a fairly short time. I just don't trust myself enough to rely on that to hold a secret without a backup. If you get confused over one character, your coins may be lost forever. The mental anguish that would put someone through just isn't worth it to me.
Then put a copy in your safe deposit box. Heck, encrypt it with the key of someone you trust. It's a perfectly legit solution.
The point is, all these crazy salting schemes people are coming up with probably aren't going to work, and on top of that, what if you forget the scheme? Why not just do things right and practice in the first place?
What makes your method "right"?
I never said it wasn't a legit solution, it's just not for me.
As I said before, the plan is to write down the "scheme" in multiple places, and consult the record when necessary.
Ah, yeah, I'll admit once you're writing down the scheme in multiple places it's not so bad. Although you have to think who the attacker is: an adversary scanning the whole block chain with a key brute-forcing script to try to break *everyone's* key? Or is this an adversary targeting you? Do they have a court order to seize your funds and already have access to the multiple places where your scheme is written?
Let's suppose your adversary is purely targeting every key: why not just generate a random key and write it down? Or generate a long random salt, and append to that a password you can remember?
If your adversary is targeting you specifically, once they get access to your scheme they can start targeting that using what they know about you. For instance the "where did I get bitten by a snake" question can be narrowed down pretty quickly, and then brute forced. Similarly for movie quotes and the like. What's worse is they may be targeting multiple people at once using similar schemes, which means the brute force effort can be amortized over every person to some extent.
Unfortunately I suspect the most fruitful approach is password strengthening functions. For an offline key, waiting a few minutes for the function to crunch is acceptable and really will make the adversary's job difficult. Also, while sipa, for example, has argued for functions that use a variable number of iterations depending on the key content, I'd argue that it is quite ok for the iterations to be fixed or semi-fixed. Ultimately a brute force attempt with key strengthening consists of three stages: combinatorially generate a password, strengthen, check. Even if the number of iterations is different for each individual key, if the scheme to pick that number is known, the final brute force difficulty is still just the average number of iterations required for all possible keys.
I think a better scheme is as follows:
    strengthened_password = password
    exponent = 1
    while strengthened_password is not in blockchain:
        strengthen strengthened_password with (2^exponent - 2^(exponent-1)) iterations
        exponent += 1
The security level of the brain wallet is now a function of the exponent picked on creation, yet the user doesn't need to remember that exponent as the system will automatically, and without wasting work, try all the possible ones in turn. The user interface will need some work, but essentially we can pick a reasonable upper bound exponent and have the software try up to that exponent first, and prompt the user if the key still isn't found, while allowing compatibility with later versions of the software that will up the exponent as computers increase in power.
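The doubling search described in the post above, as an added worked example (not code from the thread or from any wallet software). It assumes a stand-in strengthening function (iterated SHA-256, chosen so the example runs offline; a real wallet would use a memory-hard KDF), a constructed password, and a constructed set of "addresses seen in the block chain". Creation picks an exponent and does 2^exponent - 1 rounds in total; recovery does not know the exponent, but because round e adds exactly 2^(e-1) iterations on top of the previous state, the search reaches every candidate exponent in turn without repeating any work.

```python
import hashlib

# Constructed sample password; any bytes will do.
PASSWORD = b"correct horse battery staple"


def strengthen(state: bytes, iterations: int) -> bytes:
    """Iterated SHA-256 as a stand-in strengthening function (assumption).

    Each round feeds the previous digest back in, so
    strengthen(strengthen(x, a), b) == strengthen(x, a + b).
    That chaining property is what lets the search below resume
    from the previous exponent instead of starting over.
    """
    for _ in range(iterations):
        state = hashlib.sha256(state).digest()
    return state


def address_of(key: bytes) -> str:
    """Fingerprint of a strengthened key, standing in for a Bitcoin address."""
    return hashlib.sha256(b"addr:" + key).hexdigest()[:16]


def make_wallet(password: bytes, exponent: int) -> str:
    """Creation side: run rounds 1..exponent and return the address to fund.

    Round e performs 2^e - 2^(e-1) = 2^(e-1) iterations, so after
    round `exponent` the cumulative work is 2^exponent - 1 iterations.
    """
    state = password
    for e in range(1, exponent + 1):
        state = strengthen(state, 2 ** (e - 1))
    return address_of(state)


def recover(password: bytes, known_addresses: set, max_exponent: int):
    """Recovery side: the exponent is unknown, so try them in order.

    Returns (exponent_found, total_iterations_spent), or None if no
    exponent up to max_exponent yields a known address (wrong password,
    or the wallet was created with a larger exponent than we tried).
    """
    state = password
    total = 0
    for e in range(1, max_exponent + 1):
        state = strengthen(state, 2 ** (e - 1))  # only the new rounds
        total += 2 ** (e - 1)
        if address_of(state) in known_addresses:
            return e, total
    return None


if __name__ == "__main__":
    # Constructed block chain: one funded address plus two unrelated ones.
    chain = {make_wallet(PASSWORD, 12), "0" * 16, "f" * 16}
    print(recover(PASSWORD, chain, max_exponent=20))  # (12, 4095)
    print(recover(b"wrong password", chain, max_exponent=20))  # None
```

Because the per-exponent cost doubles, the cumulative cost of a failed search up to exponent n is 2^n - 1, under twice the cost of the final round alone, which is why a bounded "try up to this exponent, then ask the user" interface stays cheap relative to the strengthening itself.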