How few characters in a brain wallet before it gets really difficult to crack

[mughat]

If you have a formula or a table that would be great.

Would 16 random chars be ok? How long would that take to brute force...



Thanks.

[ffe]

maybe 100 characters that are easy to remember like your email address plus 16 to 20 truly random alphanumeric characters.

The email address makes it specific to you so a general sweep of the block chain by a password cracker doesn't pick you up. The 16 to 20 truly random part gives you over 100 bits of entropy. Not ironclad but good.

You know you will forget the password unless you store it in a safe place. Why not just export a secret key generated by a good computer algorithm to paper?

[mughat]

maybe 100 characters that are easy to remember like your email address plus 16 to 20 truly random alphanumeric characters.

The email address makes it specific to you so a general sweep of the block chain by a password cracker doesn't pick you up. The 16 to 20 truly random part gives you over 100 bits of entropy. Not ironclad but good.

You know you will forget the password unless you store it in a safe place. Why not just export a secret key generated by a good computer algorithm to paper?

I am making metal "brain" wallets. In copper and brass. 2 copies. one for backup. Fire proof
Stamping the chars in the metal takes time so I want to keep it to a minimum.

[DannyHamilton]

maybe 100 characters that are easy to remember like your email address plus 16 to 20 truly random alphanumeric characters.

The email address makes it specific to you so a general sweep of the block chain by a password cracker doesn't pick you up. The 16 to 20 truly random part gives you over 100 bits of entropy. Not ironclad but good.

You know you will forget the password unless you store it in a safe place. Why not just export a secret key generated by a good computer algorithm to paper?

I am making metal "brain" wallets. In copper and brass. 2 copies. one for backup. Fire proof
Stamping the chars in the metal takes time so I want to keep it to a minimum.

Use a random selection of upper case, lower case, numbers, punctuation and other symbols.  This will significantly decrease the odds of a rainbow table having your chosen string.

I think that gives you about 94 unique characters to select from.  The number of possible combinations can then be computed as 94^x where x is the number of characters in your passphrase.

You'll have to make your own predictions about how fast brute forcing is likely to get in the future, but 350 billion attempts per second for the present is a good number to start with.

If you want to make sure that an attacker has less than a 1% chance of stumbling on your passphrase within 10 years, figure about 1.1x10²⁰ attempts in that time frame, so you'll want at least 1.1x10²² combinations.

94¹² = 4.76x10²³

If I haven't messed up my math anywhere (and that is definitely a possibility), it looks like you'll want at least 12 characters.  Scale that up however you'd like to account for future increases in cracking speeds and reduction in chance of collision.

[pc]

For making physical bitcoin tokens, you may want to use the same "minikey" format used by Casascius for his physical coins. See Mini private key format on the wiki. It's probably the closest thing there is to a standard.

[xDan]

Presumably 12 random words would also work? (i.e. like an Electrum wallet seed). It might be easier to remember.

Is that a sound approach?

[Rygon]

This seems appropriate for this conversation:

https://xkcd.com/936/

Oh, and assuming roughly 50,000 common words, 12 of them should be sufficient even against a dictionary attack.

[Prattler]

For making physical bitcoin tokens, you may want to use the same "minikey" format used by Casascius for his physical coins. See Mini private key format on the wiki. It's probably the closest thing there is to a standard.

This! Don't use a password

[ivanol]

How difficult is really difficult? It depends on how much in the way of computer resources someone is willing to expend on the attack, which depends on how much money you have stored in your brain wallet.

You need to test how many passphrases your computer can create brain wallets from per second. If your computer is old then multiply this up to a decent high end computer available now. How long will it take them to crack your password? (there are 3 x 10^7 seconds in a year).

Now work out the number of possible passphrases according to the scheme you are using. If you go with printable ascii characters then there are 95^x =~ 10 ^ (x * 2) possiblities, where x is the length of your password. If with a randomly chosen word from the most common 10000 words in english then 10 ^ (x * 4) possiblities where x is the number of words. eg.
   
    8 characters =~  4 words = 10 ^ 16 possibilities
    12 characters =~  6 words = 10 ^ 24 possibilities

I've just generated a sample 10 ^ 24 possiblity password for each of these so you can decide which type is easier to remember.
     Lj0Z4c|==i5CJ<pT
     heroin swallowed goddamn hustle serge imitating

If you assume the crackers top end hardware will depreciate to near nothing over 5 years, it is only worth them trying to crack your password if:
     value_of_bitcoins_in_brain_wallets >  cost_of_hardware * password_possibilities / (passphrases_per_second * 5 * 3 * 10^7)

Note that if many brain wallets use the same generation code then a hacker can test all of them at the same time, so the important value is that stored in brain wallets using the same generation code as you, not that stored in your wallet.

The best defence is probably to make brain wallets slow to generate.  If the cracker can crack brain wallets at 350billion per second then you need a long passphrase. If the first step of the brain wallet is to sha hash the passphrase 80 billion times, it might take you 80000 seconds to create your brain wallet (just under a day) on your 1MH/s CPU, but even a cracker with a 80GH/s ASIC is only going to be able to try crack passphrases at one per second. A 3 word (or 6 random character) passphrase now takes them 100000 years to crack...

Ivanol

[DannyHamilton]

Wow, seems today is the day that people respond to threads without paying attention to what the OP is looking for:

- snip -
Stamping the chars in the metal takes time so I want to keep it to a minimum.

None of these suggestions seem like a good idea for keeping the number of characters to a minimum:

Presumably 12 random words would also work?
- snip -

This seems appropriate for this conversation:

https://xkcd.com/936/

Oh, and assuming roughly 50,000 common words, 12 of them should be sufficient even against a dictionary attack.

- snip -
The best defence is probably to make brain wallets slow to generate.  If the cracker can crack brain wallets at 350billion per second then you need a long passphrase. If the first step of the brain wallet is to sha hash the passphrase 80 billion times
- snip -

And he should stamp the entire algorithm into the metal so he doesn't forget it?

For making physical bitcoin tokens, you may want to use the same "minikey" format used by Casascius for his physical coins. See Mini private key format on the wiki. It's probably the closest thing there is to a standard.

This! Don't use a password

The Mini private key is a password, isn't it?  I thought that the private key was simply a SHA-256 hash of the mini key (just like the private key of a brainwallet is just the SHA-256 hash of a password).  Note, that means that the Minikey is just a 29 character password.  As a checksum, a mini key with a ? added to the end will always create a hash that that has a first byte of 0x00. Since the minikey only uses 58 characters the gives you about 5.4X10⁴⁸ possible combinations.  This would be equivalent to a 25 character password using all 94 characters.  You'll have to decide for yourself it the benefits of a mini-key are worth the additional characters.

- snip -
Note that if many brain wallets use the same generation code then a hacker can test all of them at the same time, so the important value is that stored in brain wallets using the same generation code as you, not that stored in your wallet.
- snip -

I'm not sure what you are trying to say there.  Perhaps I'm just not paying close enough attention.  When you say "generation code" do you mean password?  Or do you mean algorithm for converting a password into an address?

[ivanol]

Wow, seems today is the day that people respond to threads without paying attention to what the OP is looking for:
- snip -

- snip -
The best defence is probably to make brain wallets slow to generate.  If the cracker can crack brain wallets at 350billion per second then you need a long passphrase. If the first step of the brain wallet is to sha hash the passphrase 80 billion times
- snip -

And he should stamp the entire algorithm into the metal so he doesn't forget it?

OK, maybe not the best suggestion for the original poster, but it did answer the question in his first post - the number of characters required to make a brain wallet difficult to crack directly relates to the speed of the brain wallet algorithm. If there is only one existing brain wallet algorithm available online then that's not that helpful for him I agree. If there is more than one, then choose the slowest.

- snip -
Note that if many brain wallets use the same generation code then a hacker can test all of them at the same time, so the important value is that stored in brain wallets using the same generation code as you, not that stored in your wallet.
- snip -

I'm not sure what you are trying to say there.  Perhaps I'm just not paying close enough attention.  When you say "generation code" do you mean password?  Or do you mean algorithm for converting a password into an address?

I meant the algorithm for converting a password into an address. The expensive bit of any brainwallet is going to be generating the keys from the wallet. If everyone using a brainwallet uses the same algorithm then a cracker who brute-forces possible passwords can check the generated public keys for each trial password against all existing public keys with significant funds in them very cheaply (eg. using a bloom filter). If the trial password matches anyone's brain wallet then he has a hit.

[DannyHamilton]

- snip -
I meant the algorithm for converting a password into an address. The expensive bit of any brainwallet is going to be generating the keys from the wallet. If everyone using a brainwallet uses the same algorithm then a cracker who brute-forces possible passwords can check the generated public keys for each trial password against all existing public keys with significant funds in them very cheaply (eg. using a bloom filter). If the trial password matches anyone's brain wallet then he has a hit.

Yeah, I agree on that one.  At the moment I'm pretty sure that most (all?) brainwallets are simply a single (or perhaps double) SHA-256 hash of the passphrase.