How to create a secure brainwallet

[davebb]

I wrote up some notes and put together a bash script for the purpose of creating a secure brainwallet - beyond the sha256(passphrase) model.  There's lots of concern that sha256(passphrase) generates very weak keys.  This approach should solve that problem.

You can find the notes at http://cycadgarden.com/BrainWallet/

This new approach uses a salt (common across all passphrases/private keys for a single user)  and keystretching to create private keys that are much more resistant to attack.  A downside to this new approach is that you have to keep an encrypted copy of the salt for use in re-generating the brainwallet keys.

The resulting keys are also unique to each user (two users with the same passphrase will generate different private keys) due to the salt.

There aren't really any new ideas in this - I've just collected them for use in generating brain wallets.  Hope you find them helpful.

Dave

[FLHippy]

I'm interested to know if anyone can break into your wallet. You've provided a handy password and everything. Please keep us updated.

[rate5]

Awesome tutorial on how to create a secure wallet with a salt file and password.  The only problem is that this is not a true brain wallet as it requires the user to keep the salt file.  

The idea behind a brain wallet is that your computer can be destroyed, all your backups can be destroyed, everything you own can be destroyed and as long as you can remember your brain wallet password you can access your wallet.  This method requires that you to keep a salt file, if the salt file is lost so is your wallet.  

It's still a nice hybrid method for those who want to keep a backup of their salt file.

[Finch_Coins]

I am relatively new to this is the risk really that high when just using a Bitcoin wallet with a 16 digit encryption? Kinda scary

[davebb]

I'm interested to know if anyone can break into your wallet. You've provided a handy password and everything. Please keep us updated.

So am I    I'll keep you updated.

The only problem is that this is not a true brain wallet as it requires the user to keep the salt file. 

True enough - but for a strong private key, the entropy has to be somewhere.  Either in the passphrase, or the salt, or some combination of the two.  Most people haven't been interested in using a strong passphrase.  This seems like a workable compromise for most - but obviously not all.

is the risk really that high when just using a Bitcoin wallet with a 16 digit encryption?

Like most things in life, it depends.  If you use a truly-random hex string of 16 digits (128 bits), the keyspace is about 10^38 keys big.  That would take an attacker some time to crack.  However, if you limit yourself to words, or other common sequences, then you greatly reduce the entropy possible with a 16 digit key.  Then the odds shift greatly in favor of the attacker.

What my brain wallet approach does is let you keep a good amount of entropy in the key (256 bits if you use a truly-random 64 byte salt), but have more manageable passphrases - of the sort that most people are capable of remembering.

But the fact remains, you do have to keep track of the salt in one way or another.

Dave

[Kazimir]

A downside to this new approach is that you have to keep an encrypted copy of the salt for use in re-generating the brainwallet keys.

This kinda makes it not a real brain wallet anymore.

I think essentially the problem boils down to creating truly unique, strong passwords. "Bob is a great guy" is a very bad example, because this is by no means a strong password.

A better example would be:

Code:

Kazimir^1982^Scruffy^51^Mantenna^Raspberry

where Kazimir is my name, 1982 is my birth year, Scruffy is my dog's name (or my guinnea pig's), Blue is my favorite color, 51 is my lucky number, Mantenna was my favorite He-Man action figure, and Raspberry is my favorite fruit. All separated by a ^ because I think it's a funny character.

No dictionary attack in the world (not even a personalized / targeted one) is gonna crack this And a single SHA256 hash step without additional salt or trickery, surely has enough entropy to make a safe brain wallet.

And rather than this example I would prefer uncommon, irregular words or names or numbers or phrases that have a special meaning to you. Easy for you to remember, impossible for others to guess or brute force. Be creative: the teacher from high school you hated most (and don't capitalize his name). Your favorite movie. Your first boy/girlfriend's name, perhaps spelled backwards. Your social security number. The first model game console or home computer you ever had (e.g. Commodore 64). That strange word your little brother used to yell. Your favorite pizza. You get the idea.

Don't combine too many terms though, otherwise you'll have a hard time putting everything back in place. Use some kinda scheme or logic that makes sense to YOU. Some 5 random terms or so should be fine.

[Sethenes]

I really love the idea of a brain wallet.  So, if your computer is destroyed, the only evidence the bitcoins belong to the address you had in your wallet is through the blockchain?  So, you don't really need a physical location for your bitcoins? 

[paraipan]

I really love the idea of a brain wallet.  So, if your computer is destroyed, the only evidence the bitcoins belong to the address you had in your wallet is through the blockchain?  So, you don't really need a physical location for your bitcoins? 

Eureka 

+1 what Kazimir said, prob the best brain wallet in the world

[Kazimir]

I really love the idea of a brain wallet.  So, if your computer is destroyed, the only evidence the bitcoins belong to the address you had in your wallet is through the blockchain?

That's not the point of a brain wallet.

So, you don't really need a physical location for your bitcoins?

Exactly. It's meant as a way to 'store' a wallet without depending on any physical storage or online wallet service.

There is no evidence in the blockchain about who owns what addresses. The only thing you can detect is if two addresses appear on the input side of a transaction together, which is an indication they belonged to the same wallet (and thus to the same person). Although you still wouldn't have any clue who that person is.

If you want to avoid evidence that a certain address or wallet belongs to you, just store it on an encrypted drive or file container (e.g. TrueCrypt). Which is a good thing to do anyway, also because of theft (if someone steals your laptop and the wallet is encrypted, they can't do anything with it).

[davebb]

Kazimir^1982^Scruffy^51^Mantenna^Raspberry

You are using an alphabet that includes cap and small letters, numbers, and ascii symbols.  The passphrase is also reasonably long.  These are good things.

I don't think your name and birthdate add anything to the entropy of a passphrase - those are the first things an attacker is going to try.  Since Scruffy, Mantenna, and Raspberry are words, the entropy is probably half of what it would be if these were random strings.  Similarly with the favorite number.  The symbol is re-used, so count that as half as well.  Thus, this passphrase has an entropy of approximately 28*3.5 = 88 bits (printable ascii symbols always have a leading 0, so only contribute 7 bits).

The private key corresponding to this passphrase has about 1/3 the entropy it could have with a purely random 256 bit private key.

Crackable now?  Probably not.
Crackable in a few years?  Probably.

The brain wallet method I've proposed lets you get much closer to that magic 256 bits of entropy in your private keys, with relatively simple passphrases. 

But the fact remains, you do have to keep track of the salt in one way or another.

Dave

[ErebusBat]

This thinking, while appears accurate on the surface is not.

While it is true that an attacker could / might try names and whatnot they can not half crack the pass phrase.

Unless an attacker know exactly your pattern, to the length then the security is still solid.

That gives Kazimir's passhrase search space of ~~ 1200 × the number of atoms in the visible universe (~~ 10^80).

Which is a little more than88 bits.