₿ LIST ₿ Compilation of (open-source) BRAINWALLET projects.

[Financisto]

₿ BRAINWALLETS: awesome tools have been created all those past years by skilled developers and by a community of dedicated volunteers. So I decided to create this list as reference of research and development. i.e. cryptocurrency users and all related community might benefit from that. Be warned: don't risk your funds recklessly using brainwallets (don't risk coins if you don't fully understand what you're doing). This list is for research and development purposes only!

₿ WHAT IT IS: Brainwallet ← click to learn the basics about it.

If you think your project should be listed here, PM me. Requirements for participants:

1st) The project must be (primarily) a Brainwallet for cryptocurrencies or crypto-assets;

2nd) The project must be open-source;

3rd) The project's code must be available at https://github.com

4th) The project must not be just an identical clone version of a previously available original app (it must have - at least - one reasonable innovation or add-on built-in).

All parameters here are subject to change, this is a work in constant progress...

If you've got an idea, share it with us!

This is not meant to be an exhaustive list, just a compilation of similar projects and source of data for the community about development of those mentioned tools.

₿ IMPORTANT STATEMENT: This List is offered without any warranty whatsoever; we do not guarantee the ideal operation or funcionality of no tool nor app mentioned here. No professional code auditing were performed by us. If you lose your coins using one or any of those tools, we are not to be blamed and we're not responsible for it. We'd be very sorry, but we cannot help you about that. Cryptocurrencies are new stuff yet, so many experiments are still in early stages. We also cannot guarantee any member's reliability and that your coins will be 100% safe 100% of the time (even in the future). This is just a simple list for didactic purposes only. Due diligence, research, revision, and auditing is still necessary. Be smart and do your job. Use those tools/apps at your own risk!

Note one: please read and pay attention to the above statement and don't ever post here something like “Someone stole my coins because my password was 'password123456'”

Note two: please support those projects donating some coins.

₿ Projects:

Bitgen: software that generates bitcoin addresses from a given or generated random number. Some features: The output is saved as a ps file that can be converted to pdf; The private key can be generated by the following inputs: Hex number; Dice random numbers (1-6); Brainwallet (uses Argon2d as KDF + custom salt input method supported); Hash input; Computer generated pseudorandom key (/dev/random); Bulk; Mnemonic. It also supports: Bitcoin mini private keys; Invoice generation; Hierarchial pseudorandom generation; Vanity address generation. Support for split wallets using one-time-pads also available. Author: bit22gen. Website: http://bitgen.org/. Forum thread: https://bitcointalk.org/index.php?topic=1107927.0. GitHub Repository: N/A.

brainwallet.io: Deterministic bitcoin address generator. Address generation takes place in your browser, and no information is ever sent to server. Some features: Brain Wallet, word list for pseudorandom passphrase generation, passphrase generation by file hashing, uses scrypt as Key Derivation Function (KDF), custom salt input method supported. Author: Daniel Routman < r o u t m a n @ p r o t o n m a i l . c h > < d a n i e l @ n c r y p t . o r g > aka unchi. Forum thread: https://bitcointalk.org/index.php?topic=1160038.0. GitHub Repository: https://github.com/routman/brainwallet.io

MemWallet: It is a deterministic cryptocurrency address generator, like WarpWallet, but it works for Ethereum, Litecoin, Monero and Bitcoin. You never have to save or store your private key anywhere. MemWallet is a re-implementation of WarpWallet, but it works for other currencies. WarpWallet and MemWallet use the same algorithm, so WarpWallet and MemWallet will generate the same Bitcoin address for a given Passphrase and salt. Author: David Bengoa http://bengoarocandio.com Website: https://dvdbng.github.io/memwallet Forum thread: N/A. GitHub Repository: https://github.com/dvdbng/memwallet

MindWallet: A wallet generator based on memwallet for bitcoin, ethereum, monero and litecoin using argon2 instead of scrypt. MindWallet is a deterministic cryptocurrency address generator heavily based on MemWallet but using argon2 instead scrypt as hashing function, it's like WarpWallet, but it works for Ethereum, Litecoin, Monero and Bitcoin. Some features: implementation of MindWallet in JavaScript and Go. It makes use of Argon2i and PBKDF2 as KDF making it more brute-force attack resistant. Author: Patrick Aljord @patcito < p a t c i t o @ g m a i l . c o m >. Website: https://patcito.github.io/mindwallet. Forum thread: N/A. GitHub Repository: https://github.com/patcito/mindwallet

monero-wallet-generator: Deterministic Monero address generator. Address generation takes place in your browser, and no information is ever sent to server. Some features: Brain Wallet, custom entropy for deterministic wallet, mnemonic seeds available in EN, JP, EO, ES, and JP. Made by moneromooo, based on code from MyMonero. Author: moneromooo. GitHub Repository: https://github.com/moneromooo-monero/monero-wallet-generator

NOWALLET: This project is a secure Bitcoin brainwallet app that will ultimately be meant for desktop and mobile platforms. NOWALLET is written in Python, it uses Electrum servers on the back end, and communicates exclusively over Tor. It uses a variant of the 'WarpWallet' technique for key derivation, rather than the typical, highly insecure method that your average brainwallet uses. Full native and P2SH SegWit address support. You will only need to remember an email address and passphrase combination, rather than an entire 24 word mnemonic seed. Main features: Easy and intuitive Material Design based UI; Full SegWit support out of the box; Smart fee estimation and custom fees; Replace by Fee support, on by default; Live exchange rates and block explorer integration Author: Marc D. Wood @metamarcdw < m a r c d w 8 7 @ g m a i l . c o m >. Website: https://www.nowallet.org. Forum thread: N/A. GitHub Repository: https://github.com/metamarcdw/nowallet

PortalWallet A fork of WarpWallet that adds support to also generate BIP39 Mnemonic sentences and BIP32 extended public/private keys for easy import into any supporting wallet software. Author: Logicwax. Website: N/A. Forum thread: N/A. GitHub Repository: https://github.com/Logicwax/PortalWallet

WarpWallet (GUI): is a deterministic bitcoin address generator that adds two improvements: WarpWallet uses scrypt KDF to make address generation both memory and time-intensive. And you can "salt" your passphrase with your email address. Some features: it makes use of scrypt and PBKDF2 as KDF making it more brute-force attack resistant. Author: Maxwell Krohn < t h e m a x @ g m a i l . c o m > and Chris Coyne < c c o y n e 7 7 @ g m a i l . c o m >. Website: http://keybase.io/warp. Forum thread: N/A. GitHub Repository: https://github.com/keybase/warpwallet

WarpWallet (CLI): a fork from WarpWallet written in Go ready to run on terminal (CLI). Author: moncho Website: N/A. Forum thread: N/A. GitHub Repository: https://github.com/moncho/warpwallet

₿ Related projects:

BIP39 Tool: JavaScript Client-Side implementation of the BIP 39 'Mnemonic code for generating deterministic keys' proposal. This tool can be downloaded and used offline in an air-gapped machine. User may supply his own source of entropy (accepts binary, base 6, 6-sided dice, base 10, hexadecimal, cards) for mnemonic phrase creation. User may also decide to protect his keys with password/passphrase. Mnemonic passphrase available in several languages. Hierarchical Deterministic Wallets generators also implemented for Bitcoin, Bitcoin Cash, Ethereum (and all ERC20 tokens), Litecoin, Dogecoin, Dash, Peercoin, Namecoin and others. Author: mav. Website: https://iancoleman.io/bip39/. Forum thread: N/A. GitHub Repository: https://github.com/iancoleman/bip39.

brainflayer: is a Proof-of-Concept brainwallet cracking tool that uses libsecp256k1 for pubkey generation. It was released as part of a DEFCON 23 talk about cracking brainwallets. Some features: it does ~130k guesses/second (as per 2015). Good tool to test your brainwallet security. Author: Ryan Castellucci aka ryanc. Website: https://rya.nc/defcon-brainwallets.html. (Unofficial) Forum thread: https://bitcointalk.org/index.php?topic=1147035.0. Paper: https://rya.nc/cracking_cryptocurrency_brainwallets.pdf. Video: https://rya.nc/b6. Github Repository: https://github.com/ryancdotorg/brainflayer

PassGuardian: Store and share your secrets (Secret Sharing) safely by splitting them into cryptographically-secure pieces. To reconstruct the original, combine a specific number of these pieces. PassGuardian is built on secrets.js, an open-source implementation of Shamir's secret sharing scheme. Some features: All computations are done in your browser. No secrets or secret shares are ever transmitted back to servers. Once the PassGuardian page is loaded in your browser, it can be run offline. Author: Alexander Stetsyuk < a l e x @ p a s s g u a r d i a n . c o m > aka amper5and. Website: passguardian.com. Forum thread: https://bitcointalk.org/index.php?topic=142875.0. GitHub Repository: https://github.com/amper5and/secrets.js/tree/gh-pages

[1714211235]

1714211235

[Financisto]

₿ WARNING: YOU MUST READ THIS BEFORE MESSING WITH BRAINWALLETS

₿ About passwords: DO NOT use obsolete methods (weak passwords) for wallet protection. Spend some time educating yourself about Password/Passphrase strength, Entropy as a measure of password strength and the importance of randomness when generating passphrases. Due to brute-force attack unstopable and increasing power & Moore's law, simple password protection is getting obsolete. Remember: you're your own bank, apply some pro-security mesures to protect your coins. Info: http://blog.codinghorror.com/passwords-vs-pass-phrases/ & https://www.random.org/

₿ About random passphrases: DO NOT create passphrases thinking that you (a human) can be naturally very random and generate good bits of entropy by your own will. Humans tend to be predictable in their behavior and in their actions (and reactions). Idioms and languages - which words are used most of the time as passphrases - are structured in a logical and sequential way. i.e. no randomness in any way. What I'm trying to explain here is that: "it's really a bad idea for people to come up with passphrases themselves". Suggestion: use Diceware. Use (at least) a group of twelve words.

₿ About brainwallets: DO NOT use brainwallets which run fast hash functions (MD5, SHA family etc.) in order to hash your passphrase and for key pair creation. Avoid them! They are widely recognized as insecure and vulnerable to GPU brute-force attacks! You'd better choose those versions that use more secure methods such as Salt + Key Derivation Function e.g. scrypt, bcrypt, PBKDF2 and Argon2. And if you're a newbie, don't use brainwallets at all! Just remain safe with your paper wallets. Further info: http://blog.codinghorror.com/speed-hashing/ & https://rya.nc/cracking_cryptocurrency_brainwallets.pdf

₿ About change addresses: DO make sure you fully understand how change addresses work when dealing with brainwallets and paper wallets while spending your coins. When used correctly, change addresses help increasing privacy of cryptocurrencies. But also with this capability comes the potential for loss and theft when its use isn't completely understood. "To avoid potentially costly mistakes, familiarize yourself with change addresses and how your wallet software implements them". Beware while importing your single address' private key on different wallet softwares: "wallet developers can implement this feature in a number of ways". "Learn how to prevent and Recover from Change Address Disasters" reading this excellent article: http://bitzuma.com/posts/five-ways-to-lose-money-with-bitcoin-change-addresses

₿ About use of applications: DO NOT generate wallets neither addresses when conected to the Internet. Download the app, review the code, check the file's hashsum in order to verify it's the original file, only work with it in an air-gapped machine (use a Live Operating System) and never touch the net while doing it. Before sending funds to an address, it is recommended that you first check for compatibility of addresses generated by those apps by importing some of their private keys into the official (and most popular unofficial too) client. This can be done most of the time through the debug console using the "importprivkey" command. If you are able to successfully import keys, the tested generator/app is compatible.

₿ About security paranoia: DO NOT consider yourself an InfoSec expert. If you think your coins are safe because you have an "ultimate unbreakable encryption scheme", you'd better think twice: https://xkcd.com/538/ P.s Real life is always tougher than we thought it might be. 

[ryanc]

coinb.in is using the dangerously weak "classic" brainwallet algorithm. It also includes third party javascript which can do whatever it wants. Why is it rated so highly on security?

[ryanc]

I also think that rating based on the number of KDFs combined does not make sense. You need to take the work factors into account.

[Financisto]

coinb.in is using the dangerously weak "classic" brainwallet algorithm. It also includes third party javascript which can do whatever it wants. Why is it rated so highly on security?

I PMed the author of coinb.in some days ago and I'm still waiting for some answers about that project.

I also think that rating based on the number of KDFs combined does not make sense. You need to take the work factors into account.

Yes, in fact I thought it was awkward adding pts by combining KDFs types by the time I first generated the Table's 1st version (I was so asleep at that time lol).

1st idea: For brainwallets I guess I'll add some pts for using different types of KDF according to their resistance to ASIC and GPU attacks. Maybe something like:

PBKDF2 = 20pts

bcrypt = 30pts

scrypt = 50pts

2nd idea: And maybe we could add some additional pts for some additonal KDF algo iteration and/or extra rounds (over those recommended by standards).

P.s. for this one, I'll need some deeper research and estimate what are the standard numbers (of rounds/iterations of scrypt, bcrypt and PBKDF2) used to protect from brute-force attacks today and I'll estimate safer (higher) numbers considering the increase in brute-force attack strenght (GPU + ASIC) in the next (at least) 5 to 10 years. (BTW Do you have any numbers - for scrypt, bcrypt and PBKDF2 - in mind?)

The list is gonna change soon to reflect those changes...

Thanks for your comments, I really appreciate it.

[CryptInvest]

With regard to the generators purses question. Where is the guarantee of key generation, the developer does not receive access to the private key?

[Financisto]

With regard to the generators purses question. Where is the guarantee of key generation, the developer does not receive access to the private key?

In fact there's no guarantee at all. They're all free of warranty as you'll notice at their websites.

As a pratical measure, the guarantee is the open-source code that is accessible to you to review it so that you can be assured that the app runs client-side only and is expected that you will be a smart guy that will run it offline in an air-gapped machine and will come up with VERY GOOD security measurements.

Doing that way (respecting all security procedures), developer won't have access to your (offline) generated private keys.

[ryanc]

Regarding KDFs, I would score them on a logarithmic scale based on spot instance cracking cost, and severely penalize anything that doesn't include a salt. I would be very surprised if someone made ASICs to try to crack Bitcoin keys generated via brainwallet or otherwise due to very large (well over a million dollars) one time costs. GPUs are likely, FPGAs may be difficult due to memory requirements.

Helpfulness of KDFs is also a little unusual because the public key computations themselves take a bit of work. For example, PBKDF2 with 64 rounds would only double the cracking cost vs a classic brainwallet.

[Financisto]

Regarding KDFs, I would score them on a logarithmic scale based on spot instance cracking cost, and severely penalize anything that doesn't include a salt. I would be very surprised if someone made ASICs to try to crack Bitcoin keys generated via brainwallet or otherwise due to very large (well over a million dollars) one time costs. GPUs are likely, FPGAs may be difficult due to memory requirements.

Helpfulness of KDFs is also a little unusual because the public key computations themselves take a bit of work. For example, PBKDF2 with 64 rounds would only double the cracking cost vs a classic brainwallet.

I guess we'll adopt your approach in some way: "score them (KDFs) on a logarithmic scale based on spot instance cracking cost, and severely penalize anything that doesn't include a salt".

I'll just need some time to think about a fair way in order to compare different types of KDFs (scrypt, bcrypt, PBKDF2) and their respective "spot instance cracking cost" or some estimation of those values.

Any further suggestions?

[ryanc]

Any further suggestions?

Prominently mention that it's a really bad idea for people to come up with passphrases themselves and link to diceware. At least eight words.

[OutCast3k]

coinb.in is using the dangerously weak "classic" brainwallet algorithm. It also includes third party javascript which can do whatever it wants. Why is it rated so highly on security?

You realise that bitaddress.org also uses the same brain wallet algorithm as coinb.in, so I'm not sure why its been singled out. That being said, the next version will allow the user to select a bunch of different algorithms.

Also what third party JavaScript? Google analytics? If that actually puts you and others off I'll remove it.

*edit*: removed analytics.

[ryanc]

coinb.in is using the dangerously weak "classic" brainwallet algorithm. It also includes third party javascript which can do whatever it wants. Why is it rated so highly on security?

You realise that bitaddress.org also uses the same brain wallet algorithm as coinb.in, so I'm not sure why its been singled out.

bitaddress.org should also remove the brainwallet option, but it does at least require a minimum of 15 characters and warns about cracking/theft.

That being said, the next version will allow the user to select a bunch of different algorithms.

This is possibly an unpopular opinion, but offering a bunch of security choices that most people don't really understand isn't actually a good thing. What I would suggest is using WarpWallet's scheme with the salt *required* and a strong recommendation that a random passphrase be used (provide a generator). You could also provide a "classic brainwallet" option with a warning that makes it clear that it's very weak and should only be used to sweep old brainwallets.

Also what third party JavaScript? Google analytics? If that actually puts you and others off I'll remove it.

*edit*: removed analytics.

Yes, I was talking about Google Analytics. If I were a bad person and could get one SSL certificate for any site of my choosing, it would be Google Analytics - it's a super high value target because of how widely used it is.

Cloudflare is also a tremendously high value target, but I doubt arguing against it would get very far.

[Financisto]

UPDATE #1 of year 2015.

The ranking calculation has been changed.

Brainwallets that don't support Salt have been penalized.

Brainwallets that support KDF get different points according to the type implemented.

Multigenerators (Brainwallets, paper wallets and multisig: all-in-one) get weighted so we can compare every generator easily and fairly.

Github numbers are now "square rooted".

List updated and scores upgraded as well.

New changes may apply soon...

Keep up the good work all developers and programmers!

[OutCast3k]

I think you miss understood why coinb.in was created, its primary a learning tool, a way to deal with multisig and build and sign raw transactions, because of this I'd be greatful if you can remove it from this list. I don't see any point in being involved in this discussion as coinb.in is being treated as a brain wallet, when its not! its much more than that and your scoring system doesn't take this into account.

For example are signatures of signed transactions RFC 6979 complient? Is TOR supported? Are stealth addresses supported? Is bip32/HD supported? Is op_return working and can that be combined with multisig? are multiple networks accepted? Is the site compatable with other leading sites? Can the site be downloaded and fully run offline, whilst still being able to create and sign transactions. Further more can you even create and sign a transaction with the other sites listed or is it purely for address generation? as i beleive all the sites listed except coinb.in have no way to actually build a transaction and spend the funds. I could go on and on and on.

Thanks and good luck.




*edited to fix typos and add a couple of points.

[ryanc]

For example are signatures of signed transactions RFC 6979 complient? Is TOR supported? Are stealth addresses supported? Is bip32 and HD supported? Is op_return working and can that be combined with multisig? are multiple networks accepted? Is the site compatable with other leading sites? Can the site be downloaded and fully run offline, whilst still being able to create and create and sign transactions. Can you create and sign a transaction with the other sites listed or is it purely for address generation? I could go on and on and on.

These are all excellent points.

[ryanc]

Thanks for putting this together.  It's nice to see brainwallet.io on the list!

I'm surprised to see bitaddress.org ranked so low.  Is theirs not considered true random?

It is random (using SJCL). It's penalized for offering classic brainwallet. I'm not sure how much the scoring methodology makes sense.

[Financisto]

UPDATE #2 of year 2015.

The ranking calculation has been simplified.

Brainwallets are now compared only with Brainwallets and the same goes for Paper wallets.

P.s. Although the main feature will be considered (Paper wallet OR Brainwallet) in order to fill the list, warnings may apply when there are security issues found in multigenerators (Paper wallet + Brainwallet).

Multisignature projects have been removed until I find a good way to compare them.

"Client-side" and "Offline Use" criterions were incorporated to "Security".

Added "Inclusive Web Design" (IWD).

Added "Number of cryptocurrencies supported" (CCY).

Weight (for average purpose) is now 6 for security matters.

List updated and scores upgraded as well.

* Edited:

New "Miscellaneous and related projects" added --> Bitgen; brainflayer; Coinb.in & Multi-signature P2SH

New Paper wallet generators added --> WalletGenerator.net; Liteaddress.org & ethaddress.org

[Financisto]

Thanks for putting this together.  It's nice to see brainwallet.io on the list!

I'm surprised to see bitaddress.org ranked so low.  Is theirs not considered true random?

Those distortions have been corrected by using new calculation method.

i.e. Security features are 3x more important than collaborative development (Git points) AND Security features are 6x more important than everything else...

Maybe I'll raise that Security weight even more (to 8x OR even 10x).

Let's see how everything "behaves".

[bit22gen]

bitgen has been updated with KDF and salt for the brainwallet option:

http://bitcoin-gen.org/

The KDF is "Argon2", which is supposed to be improved compared to scrypt:

https://password-hashing.net/candidates.html

https://www.cryptolux.org/images/0/0d/Argon2.pdf

[Financisto]

Good to hear that!

I guess your brainwallet function is the first to offer Argon2 algo as an encryption option.

Congratulations!

I'm gonna update bitgen's info here as soon as I review and test your new brainwallet option.

Keep up the good work!