Time to bust a myth. Paper wallets are less secure than normal encrypted wallets

[afriezalie]

In my opinion, both of them are same. If we use encrypted wallet such as electrum, our wallet could be hacked by someone or we lose our recovery ID  when we re-install our operating system. If we use paper walllet, maybe it's safer than encrypted wallet, but when we generate paper wallet, malware could read our private key. So there's no perfect place to store our BTC. That's my opinion.

[1715479612]

1715479612

[1715479612]

1715479612

[1715479612]

1715479612

[1715479612]

1715479612

[Klestin]

Serious comment: brainwallet for long term storag, Trezor for mid term, and Mycelium app for pocket change.
Comments?

Brainwallet is fine if done correctly.  Sadly, virtually all brainwallets are not done correctly.  The crib notes version for correctly generating a brainwallet:

- Pick 12+ random (really, actually, truly) random words from a large list. Diceware will work fine. (Google it if unfamiliar)
- Commit the words to memory, and periodically test yourself
- Generate your wallet/key from an offline copy of a page, that you either trust or have personally verified the code. Or use Electrum, if you trust it and have ensured it is untampered with.

Trezor and Mycelium I use myself.

[Quickseller]

Serious comment: brainwallet for long term storag, Trezor for mid term, and Mycelium app for pocket change.
Comments?

Brainwallet is fine if done correctly.  Sadly, virtually all brainwallets are not done correctly.  The crib notes version for correctly generating a brainwallet:

- Pick 12+ random (really, actually, truly) random words from a large list. Diceware will work fine. (Google it if unfamiliar)
- Commit the words to memory, and periodically test yourself
- Generate your wallet/key from an offline copy of a page, that you either trust or have personally verified the code. Or use Electrum, if you trust it and have ensured it is untampered with.

Trezor and Mycelium I use myself.

If the words are random, then it will be much more difficult to memorize, and the chances will be greater that you will lose access to your funds.

IMO a safer bet would be to do the following:
#create a brain wallet with a relatively easy to remember phrase
#sign a message with a second, but different easy to remember phrase
#the resulting signature will be your passphrase

For example:
#I create a brain wallet with the phrase "quickseller is cool" (without quotes)
#The corresponding address is using brainwallet.github.io (uncompressed) is 13qAJGPqcyK2Dd69b19n4S9Bvfwxn7SS5Q
#The private key to 13qAJGPqcyK2Dd69b19n4S9Bvfwxn7SS5Q is 5KcNGK5y76KHYMNLnzX8exekj5Y3ygDMNUhudeoc3Eurk9hWkEN
#If I sign the message "today is friday" (without quotes) with the above private key (multibit) then I would receive the following signature: G7PbabLubAJeeEUf0UGvEvD4YeTRw/M3ft/k4daoiocef4fqHY7QX7wJjvSss9TX0E3wMuFA+4zt2/44PkYimYM=
#I would then use G7PbabLubAJeeEUf0UGvEvD4YeTRw/M3ft/k4daoiocef4fqHY7QX7wJjvSss9TX0E3wMuFA+4zt2/44PkYimYM=
 as my passphrase for my brain wallet which would result in the address 1A9Xp5DgASmApmnRpgzriW663oJdv2Uxic

The above steps would make it much more difficult for a brainwallet farmer to try to crack my brainwallet because of the exponentially greater number of potential passphrases if you use two sentences found in literature or are otherwise easily crackable.

If you were to assume there are 1,000,000 words in the english dictionary, and you were to use a 'random' three words as your 'first' passphrase' and a 'random' three words as the message that you sign with the above resulting key then:

There are 1,000,000³, or ~1 * 10¹⁸ possibilities as to what your first (signing) address will be. If you can calculate a trillion 'three word' passphrase combinations per second then it would take you 1,000,000 seconds or ~99 weeks to find all of the possible 'three word' passphrase combinations - they have probably already been found a long time ago.

If you were to take a random of the above addresses and sign a random three word message with the resulting private key then there would be a total of 1 * 10³⁶ possible signing address - resulting signature combinations. If you can calculate a trillion of these combinations per second then it would take you 1 * 10²⁴ seconds to calculate all of these combinations, this works out to be roughly 1.335 * 10¹⁹ years to calculate all of the possible combinations.

The current Bitcoin network hash rate is something less then 400,000 trillion hashes per second, so if the entire current network were to be repurposed to calculate all of the possible above combinations (assuming ASICs could be repurposed to do this) then it would take roughly 3.3375 * 10¹² years to calculate all of the possible combinations. This is roughly 3.3 trillion years.

It should be noted that a three word combination would be very easy to remember, and it would not be difficult to increase either, or both of the lengths, and if this were to happen then the number of possible private key combinations would be exponentially larger.

It should also be noted that I am not going to personally endorse this strategy of creating a brain wallet, and as a result I am not going to take responsibility if anyone were to have their funds stolen as a result of employing this kind of strategy.

if someone can find any non-trival errors in my math then please feel free to point them out

[Klestin]

If the words are random, then it will be much more difficult to memorize, and the chances will be greater that you will lose access to your funds.

[snip]

The above steps would make it much more difficult for a brainwallet farmer to try to crack my brainwallet because of the exponentially greater number of potential passphrases if you use two sentences found in literature or are otherwise easily crackable.

It should also be noted that I am not going to personally endorse this strategy of creating a brain wallet, and as a result I am not going to take responsibility if anyone were to have their funds stolen as a result of employing this kind of strategy.

if someone can find any non-trival errors in my math then please feel free to point them out

As to math problems, I'll only point out that there are nowhere near 1 million english words - there are less than 200k words in total.  If these are words are to be memorized, they must be known to the user.  A more practical number to use here is 10,000.  This alone changes your math to a final result of 3.3 years instead of 3.3 trillion years.  If the words are not random, then of course this goes way way down.

This may not be good enough and may result in the loss of your funds.  Don't do this.  If you are unwilling to memorize (and keep memorized) those 12+ RANDOM words, then don't use a brainwallet.  Nobody said you have to memorize them into one long list - feel free to make them into four three-word phrases.  The KEY is that they have to be ACTUALLY RANDOM.  No phrases, no book quotes, no birthdays, etc.  Random words, chosen by dice roll or other non-computer-generated method.

You can also use a hybrid approach.  Memorize some of the words, and keep the rest written down somewhere safe.  Just nowhere digital.

[Borisz]

As to math problems, I'll only point out that there are nowhere near 1 million english words - there are less than 200k words in total.

Quick search has shown this:
"The number of words in the English language is: 1,025,109.8.   This is the estimate by the Global Language Monitor on January 1, 2014." source
So the 1 million words is OK, however it is more realistic that an average person uses only a fraction of this, as you said as well. Above-average people may use something like 25'000 so that is the order you should be looking at, maybe even less, yes. These are the words you would normally think of. Unless, of course, you flip open some scientific magazines.

Let's jump to maths.

if someone can find any non-trival errors in my math then please feel free to point them out

There are 1,000,0003, or ~1 * 1018 possibilities as to what your first (signing) address will be. If you can calculate a trillion 'three word' passphrase combinations per second then it would take you 1,000,000 seconds or ~99 weeks to find all of the possible 'three word' passphrase combinations - they have probably already been found a long time ago.

(1*10^18)/(1*10^12)=1000'000 which gives your 1 million seconds to break the first passphrase
1000'000/(60seconds*60minutes*24hours)=11.57 days instead of 99weeks

Assuming from the above an above-average person's dictionary, say 25'000 words, with the same numbers the first passphrase can be broken under 0.3 seconds.
The same 25'000 words, cracking with bitcoin network analogy would come down to under 20 years. Still probably pointless, but way less than the 3.3 trillion years. (which has probably the same flaw in calculating the time and it would be actually something like 0.08 trillion years, 7.93E10)

Check again the way you converted hashing time to actual time it takes and it will be OK. Significant error, however for the practical use it doesn't matter. If it takes 20,3 billion or 3 trillion years, who really cares? People will be happier stealing accounts with no encryption or the passphrase "puppy".


On a final note, I don't think you can make 10E12 guesses (trillion) per second, yet alone refurbish the Bitcoin network  . You can use this method if you want, but don't come up with words on your own like "it is Friday". Open a science book or something similar and roll some dice. However, at this point I would ask why would I do this? I personally find this method way too complex to be of practical use to me. I can write down my password somewhere and hide it on a piece of paper in a book's cover, glued to the back of some furniture etc etc.

[Fabrizio89]

That's the big problem with btc, too much thinking about how to secure your coins for the layman

[spazzdla]

That's the big problem with btc, too much thinking about how to secure your coins for the layman

This is a problem, if not the problem.  Things like trezor are trying.

[Klestin]

Quick search has shown this:
"The number of words in the English language is: 1,025,109.8.   This is the estimate by the Global Language Monitor on January 1, 2014." source

I based my number on this:
The Second Edition of the 20-volume Oxford English Dictionary contains full entries for 171,476 words in current use

So, I guess we should add "in current use" to the < 200k estimate.  Also, I can only guess that GLM's number includes every variant of every word (tense, subject, plurality, etc).  I expect it would be unwise to include all such variants for lists of words that must be precisely memorized.

In either event, I think we agree that the 1M or 200k discrepancy is largely irrelevant.  For brainwallets, there are two constraints on word selection: 1) They must be memorizable. 2) They must be randomly selectable.

Diceware uses five rolls of a six-sided die to do word selection.  This gives 7,776 possible "words", some of which aren't words, aren't well-known, and won't be easily memorized.  There are other lists out there, but they suffer the same constraints.  10,000 is a generous estimate of word pool size for this purpose.

Memorizing 12+ words, selected at random via dice roll, is a mathematically provable method to generate a sufficiently safe brainwallet.  Additional steps, shortcuts, obfuscations, etc are not necessary at best, and crippling to security at worst.

[vlom]

thank you very much.
i would like to add:
do not forget to backup HD/SSD with your wallet.
and don't forget to backup you backup.
and don't store all the backups at the same place.
and encrypt your backups.

and do not use a passphrase twice.

[BitcoinNewsMagazine]

I created the CIYAM Safe (https://susestudio.com/a/kp8B3G/ciyam-safe) for the purpose of making safe offline "cold storage".

To be really secure I would advise buying an *old computer" that predates any of the NSA attacks upon hard-drive firmware, etc. (yes it is a pity that they have made all modern hardware now suspect).

Like it or not we are in the middle of a "war' against privacy (which the major governments of this world hope we will lose).

How is CIYAM Safe more secure than Trezor? Thanks.

[bob123]

Conclusion.. Dont download every shit on every page and use a hardware wallet.

[helloeverybody]

That's some good information.  I will still stick to my paper wallets though.  I'm actually guilty of using a live machine to print them off.

[teukon]

In either event, I think we agree that the 1M or 200k discrepancy is largely irrelevant.  For brainwallets, there are two constraints on word selection: 1) They must be memorizable. 2) They must be randomly selectable.

Adding to point (2).  To achieve maximum entropy, it is essential that no word is more or less likely to be selected than any other and each select event is independent from any other.  Some people erroneously attempt to think up their own words or select them from random pages of some book.

Diceware uses five rolls of a six-sided die to do word selection.  This gives 7,776 possible "words", some of which aren't words, aren't well-known, and won't be easily memorized.  There are other lists out there, but they suffer the same constraints.  10,000 is a generous estimate of word pool size for this purpose.

Agreed.  I made my own version of the Diceware list years ago to counter this problem.  10 000 words is indeed generous.  Even as a native English speaker I wouldn't care to push much beyond 1000 words.

These days I use the English 2048-word list supplied with BIP0039:

Code:

abandon ability able about above ... zero zone zoo

Memorizing 12+ words, selected at random via dice roll, is a mathematically provable method to generate a sufficiently safe brainwallet.  Additional steps, shortcuts, obfuscations, etc are not necessary at best, and crippling to security at worst.

Certainly, shortcuts can cost entropy and while method obscurity may increase security, it will typically do so in a non-quantifiable way.  Relying on one's intuition regarding the difficulty of divining an obscure method is to abandon a foundational premise of information theory.

However, I'd like to highlight key-stretching as a fair source of additional security for a true brainwallet.  In essence, one simply forgets the last few words of their passphrase and brute-forces them whenever access is required.

I'd also like to expand on "sufficiently safe" here.

Selecting 12 words randomly and uniformly from a pool of 10 000 words gives 12 * log₂(10000) = 159.45 bits of entropy (2.d.p).  Roughly speaking, there are as many equally plausible 12-word passphrases as there are Bitcoin addresses.  Assuming the entropy of the passphrase is not reduced as it is converted into a private key, such a private key will be no less effective in securing a Bitcoin output than a standard random key.

Selecting 12 words from a pool of just 2048 yields

12 * log₂(2048) = 12 * 11 = 132

bits of entropy.  This is less secure than a standard address but is arguably "sufficiently safe" today.  Electrum¹ seeds have 128 bits by default.  Casascius coins used special 128-bit compact private keys.

Even 9 words from 2048 gives 99 bits of entropy.  We're well past the point of general cryptographic recommendation here but as far as a convenience/security tradeoff is concerned, I believe there are cases where 9 words would be a reasonable choice.  Extending your earlier point of reference:  As of block #387287, approximately 2^83.71 hashes have been calculated by miners in Bitcoin's lifetime, and such a hash is computationally cheaper than converting a private key to an address.

[1] Most new Electrum seeds are 13 words from the pool of 2048 words I linked to above.  One might expect such a seed to have 13 * 11 = 143 bits of entropy but some of the data is dedicated to a checksum/version-number and the final word is underutilised (usually begins 'ab' or 'ac').