Bitcoin Forum
September 20, 2017, 05:59:03 AM *
News: Latest stable version of Bitcoin Core: 0.15.0.1  [Torrent]. (New!)
 
   Home   Help Search Donate Login Register  
Pages: [1] 2 3 4 »  All
  Print  
Author Topic: New blog post: Hiding Bitcoins in Your Brain  (Read 6857 times)
mpfrank
Sr. Member
****
Offline Offline

Activity: 247


Cosmic Cubist


View Profile
January 27, 2013, 11:36:02 PM
 #1

I'm writing this new blog post as an introduction to Bitcoin for new users.  I may add more to it later, but it's at a good stopping point for now.


The emphasis here is on Brain Wallets, because I consider this concept to be a very useful one for enabling users to recover their accounts.  Even if the main browser-based or standalone client that you use develops a problem, and even if you lose your wallet backups, paper wallets, private keys, etc., as long as you keep your coins in a brain wallet, then you can just enter your brain-wallet passphrase into a different site or client, and still access your coins.

I wouldn't want my grandmother, for example, to use Bitcoin, if I didn't know that I could always help her to retrieve her main stash as long as she still remembered (or had written down) her brain-wallet passphrase.  Smiley

Comments are welcome.
Regards, -Mike Frank

If all the sovereign non-cryptocurrencies will eventually collapse from hyperinflation, you can't afford *not* to invest in Bitcoin...  See my blog at http://minetopics.blogspot.com/ .

Donations accepted at:  17twYNyqTiCTM2gJmumkytvhZh4sCVSKNH
1505887143
Hero Member
*
Offline Offline

Posts: 1505887143

View Profile Personal Message (Offline)

Ignore
1505887143
Reply with quote  #2

1505887143
Report to moderator
1505887143
Hero Member
*
Offline Offline

Posts: 1505887143

View Profile Personal Message (Offline)

Ignore
1505887143
Reply with quote  #2

1505887143
Report to moderator
1505887143
Hero Member
*
Offline Offline

Posts: 1505887143

View Profile Personal Message (Offline)

Ignore
1505887143
Reply with quote  #2

1505887143
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1505887143
Hero Member
*
Offline Offline

Posts: 1505887143

View Profile Personal Message (Offline)

Ignore
1505887143
Reply with quote  #2

1505887143
Report to moderator
1505887143
Hero Member
*
Offline Offline

Posts: 1505887143

View Profile Personal Message (Offline)

Ignore
1505887143
Reply with quote  #2

1505887143
Report to moderator
1505887143
Hero Member
*
Offline Offline

Posts: 1505887143

View Profile Personal Message (Offline)

Ignore
1505887143
Reply with quote  #2

1505887143
Report to moderator
Gavin Andresen
Legendary
*
Offline Offline

Activity: 1652


Chief Scientist


View Profile WWW
January 27, 2013, 11:49:08 PM
 #2

Humans are pretty bad at being original. REALLY bad at being random. And we are terrible at comprehending huge numbers.

So if you ask the average person to create a secure passphrase, they're very likely to create something that a "determined attacker" with a lot of computing power can crack.

I think if people start to use quotes from obscure literary works as their brain wallets, then they're going to lose their bitcoins sooner or later. Attackers can try MILLIONS of passphrases per minute, to crack EVERY SINGLE brainwallet that has ever been created.

So: if you absolutely, positively won't be dissuaded from using a brainwallet, here is my advice on how you might be able to come up with a secure passphrase:

Think of two passphrases that you think you can remember. And think of a government-issued number that you can easily lookup or remember (like your driving license or social security number).

Create a brainwallet passphrase that is:

the first passphrase,the government id number,the second passphrase

Then create a 'sentinel' brainwallet that is just the first passphrase, and send a small number of bitcoins to it. When those bitcoins get spent (or more bitcoins are sent to it by somebody else), you know that the first passphrase you chose isn't good enough any more.  Choose a more complicated passphrase and create a new 'sentinel' and real brainwallet, and move your old brainwallet there.


How often do you get the chance to work on a potentially world-changing project?
mpfrank
Sr. Member
****
Offline Offline

Activity: 247


Cosmic Cubist


View Profile
January 27, 2013, 11:53:13 PM
 #3

...
Think of two passphrases that you think you can remember. And think of a government-issued number that you can easily lookup or remember (like your driving license or social security number).

Create a brainwallet passphrase that is:

the first passphrase,the government id number,the second passphrase

Then create a 'sentinel' brainwallet that is just the first passphrase, and send a small number of bitcoins to it. When those bitcoins get spent (or more bitcoins are sent to it by somebody else), you know that the first passphrase you chose isn't good enough any more.  Choose a more complicated passphrase and create a new 'sentinel' and real brainwallet, and move your old brainwallet there.


Good idea, thanks!

P.S. Casascius suggested to me that we might also consider moving to a slower key-generation algorithm, using scrypt for example, to make brute-force attacks on brainwallets more expensive.

If all the sovereign non-cryptocurrencies will eventually collapse from hyperinflation, you can't afford *not* to invest in Bitcoin...  See my blog at http://minetopics.blogspot.com/ .

Donations accepted at:  17twYNyqTiCTM2gJmumkytvhZh4sCVSKNH
justusranvier
Legendary
*
Offline Offline

Activity: 1400



View Profile WWW
January 27, 2013, 11:58:25 PM
 #4

So if you ask the average person to create a secure passphrase, they're very likely to create something that a "determined attacker" with a lot of computing power can crack.
Miners who find themselves in possession of obsolete gear (GPUs after ASICs hit the market) could very well become those determined attackers.
UncleBobs
Member
**
Offline Offline

Activity: 103


It From Bit


View Profile WWW
January 28, 2013, 12:13:09 AM
 #5

Nice cube, Mike!  Brainwallets and the Electrum light client are why am getting involved with BTC again after a losing a hard drive over a year ago right after I got started.  Luckily there was only faucet scale BTC in my wallet. 

There is no way I would consider holding significant funds in BTC without a brainwallet.  I don't even trust bits of paper in banks. 

I enjoyed your article, and I agree this is the best angle to promote BTC.

Disobey the Thought Police.  Resist Totalitarian Humanism.
http://attackthesystem.com/?s=totalitarian+humanism
mpfrank
Sr. Member
****
Offline Offline

Activity: 247


Cosmic Cubist


View Profile
January 28, 2013, 12:18:01 AM
 #6

Nice cube, Mike!  Brainwallets and the Electrum light client are why am getting involved with BTC again after a losing a hard drive over a year ago right after I got started.  Luckily there was only faucet scale BTC in my wallet. 

There is no way I would consider holding significant funds in BTC without a brainwallet.  I don't even trust bits of paper in banks. 

I enjoyed your article, and I agree this is the best angle to promote BTC.

Thanks!  I need to add more material about Electrum.  I only just learned about it myself today!

If all the sovereign non-cryptocurrencies will eventually collapse from hyperinflation, you can't afford *not* to invest in Bitcoin...  See my blog at http://minetopics.blogspot.com/ .

Donations accepted at:  17twYNyqTiCTM2gJmumkytvhZh4sCVSKNH
oOoOo
Full Member
***
Offline Offline

Activity: 238


View Profile
January 28, 2013, 12:26:32 AM
 #7

5MyBitcoinPrivKey1234567890 = sha256("salt" + sha256("MySuperSecretPassPhrase"))

^There.

"salt" can be an everchanging number, so you can constantly move on to new brainwallets, without forgetting, or losing access to the old ones.
.
UncleBobs
Member
**
Offline Offline

Activity: 103


It From Bit


View Profile WWW
January 28, 2013, 12:28:06 AM
 #8

As far as randomness of passphrase, Electrum generates a pretty random phrase.  I don't see that those should be very crackable, and I don't beleve in the idea of including personal information in my passwords either, despite Gavin's recommendation.

Disobey the Thought Police.  Resist Totalitarian Humanism.
http://attackthesystem.com/?s=totalitarian+humanism
The Fool
Jr. Member
*
Offline Offline

Activity: 56


View Profile
January 28, 2013, 12:34:10 AM
 #9

As far as randomness of passphrase, Electrum generates a pretty random phrase.  I don't see that those should be very crackable, and I don't beleve in the idea of including personal information in my passwords either, despite Gavin's recommendation.
The personal information bit makes it easy for a employer, government or bank to crack your password. I don't know how that's entropic at all in a objective sense.

In fact, the suggestion of associating your personal information with your bitcoins puts a very bad taste in my mouth. Why would you suggest this, Gavin?
justusranvier
Legendary
*
Offline Offline

Activity: 1400



View Profile WWW
January 28, 2013, 12:34:47 AM
 #10

To make a truly secure brainwallet passphrase take the output of
Code:
dd bs=32 count=1 if=/dev/random | hexdump -e '"%x"'
and convert it to PGP words
coretechs
Donator
Sr. Member
*
Offline Offline

Activity: 362



View Profile
January 28, 2013, 12:41:14 AM
 #11

Don't use anything that can be found in a book.  "Really obscure" doesn't mean anything in the context of a brute force attack.


http://bitcoindoc.com - The Rise and Rise of Bitcoin | http://nxtportal.org - Nxt blockchain explorer
twolifeinexile
Full Member
***
Offline Offline

Activity: 154



View Profile
January 28, 2013, 12:47:40 AM
 #12

Don't use anything that can be found in a book.  "Really obscure" doesn't mean anything in the context of a brute force attack.



But that also means brain could not handle it well
mpfrank
Sr. Member
****
Offline Offline

Activity: 247


Cosmic Cubist


View Profile
January 28, 2013, 12:55:24 AM
 #13

Don't use anything that can be found in a book.  "Really obscure" doesn't mean anything in the context of a brute force attack.

Hm, perhaps it might be OK to use a sentence from a very old/rare book that hasn't been scanned into Google Books yet?   Smiley  Although I guess it could always still get scanned in the future...

If all the sovereign non-cryptocurrencies will eventually collapse from hyperinflation, you can't afford *not* to invest in Bitcoin...  See my blog at http://minetopics.blogspot.com/ .

Donations accepted at:  17twYNyqTiCTM2gJmumkytvhZh4sCVSKNH
casascius
Mike Caldwell
VIP
Legendary
*
Offline Offline

Activity: 1358


The Casascius 1oz 10BTC Silver Round (w/ Gold B)


View Profile WWW
January 28, 2013, 12:56:28 AM
 #14

This is the essence of what I intend to propose as a standard brainwallet replacement for sha256:

First, I propose scrypt as the key derivation algorithm.

Second, I propose the following standardized method for creating salt: a user should enter their own birthdate and their postal code that was current at the time their brainwallet was created.  The postal code should be stripped only to alphanumeric characters (no spaces or dashes).  These should be provided as salt to the scrypt algorithm in the form YYYY-MM-DD-x where x is the stripped postal code.  The purpose of these is that it's unlikely the user will forget these (even if they move) while still providing satisfactory entropy to substantially prevent parallel cracking of the entire brainwallet universe.  If all brainwallet generators and decrypters follow the same method for generating salt, users won't be burdened with having to remember how they created their salt, nor how they formatted their information.

Third, I propose the scrypt parameters 16384,8,8 as a starting point.  I propose that brainwallet creators offer a checkable option called "additional security" that will result in using sensible power-of-two multiples of these parameters instead (which multiples to use are the implementer's choice, but should be appropriate for the current state-of-the-art in potential cracking threats).  For example, 32768,8,8, 32768,16,8 are logical next steps when more difficulty is needed.

Brainwallet decrypters should consider the possibility that a user may have enabled "additional security".  After trying the default parameters, a decrypter should be prepared to bruteforce 8 to 16 of the most likely possible alternates, looking for something that results in a private key with funds.  This should happen if and when a user fails to decrypt a brainwallet having funds, or indicates that they have enabled "additional security".  The user does not have to remember specifically whether or not they enabled it - the worst case for a user is that they don't remember, and are forced to wait a while for the brute forcing process to either find their correct private key, which will succeed regardless of whether they enabled it, or fail, if they have entered the wrong passphrase.

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper or hardware wallets instead.
mpfrank
Sr. Member
****
Offline Offline

Activity: 247


Cosmic Cubist


View Profile
January 28, 2013, 12:58:40 AM
 #15

To make a truly secure brainwallet passphrase take the output of
Code:
dd bs=32 count=1 if=/dev/random | hexdump -e '"%x"'
and convert it to PGP words

That might be OK except that your average grandma isn't Linux literate.  Smiley

If all the sovereign non-cryptocurrencies will eventually collapse from hyperinflation, you can't afford *not* to invest in Bitcoin...  See my blog at http://minetopics.blogspot.com/ .

Donations accepted at:  17twYNyqTiCTM2gJmumkytvhZh4sCVSKNH
justusranvier
Legendary
*
Offline Offline

Activity: 1400



View Profile WWW
January 28, 2013, 01:06:19 AM
 #16

That might be OK except that your average grandma isn't Linux literate.  Smiley
That's the problem with brainwallets. Anything less than 256 bits of entropy will probably be brute forced at some point.
mpfrank
Sr. Member
****
Offline Offline

Activity: 247


Cosmic Cubist


View Profile
January 28, 2013, 01:32:05 AM
 #17

That might be OK except that your average grandma isn't Linux literate.  Smiley
That's the problem with brainwallets. Anything less than 256 bits of entropy will probably be brute forced at some point.

What about Casascius' new suggestion?  With a salt and a computationally-intensive keygen function, doesn't the situation improve considerably?

If all the sovereign non-cryptocurrencies will eventually collapse from hyperinflation, you can't afford *not* to invest in Bitcoin...  See my blog at http://minetopics.blogspot.com/ .

Donations accepted at:  17twYNyqTiCTM2gJmumkytvhZh4sCVSKNH
justusranvier
Legendary
*
Offline Offline

Activity: 1400



View Profile WWW
January 28, 2013, 01:35:06 AM
 #18

What about Casascius' new suggestion?  With a salt and a computationally-intensive keygen function, doesn't the situation improve considerably?
It's an improvement but Moore's law is ruthless, especially considering the economic incentives to recover those keys and how bitcoin mining causes people to accumulate massive amounts of computing power.

Imagine how many keys an FPGA rig made obsolete by ASICs could test.
mpfrank
Sr. Member
****
Offline Offline

Activity: 247


Cosmic Cubist


View Profile
January 28, 2013, 01:50:21 AM
 #19

What about Casascius' new suggestion?  With a salt and a computationally-intensive keygen function, doesn't the situation improve considerably?
It's an improvement but Moore's law is ruthless, especially considering the economic incentives to recover those keys and how bitcoin mining causes people to accumulate massive amounts of computing power.

Imagine how many keys an FPGA rig made obsolete by ASICs could test.

Yeah but scrypt isn't a very good fit for an FPGA since it is memory-intensive...

If all the sovereign non-cryptocurrencies will eventually collapse from hyperinflation, you can't afford *not* to invest in Bitcoin...  See my blog at http://minetopics.blogspot.com/ .

Donations accepted at:  17twYNyqTiCTM2gJmumkytvhZh4sCVSKNH
Gavin Andresen
Legendary
*
Offline Offline

Activity: 1652


Chief Scientist


View Profile WWW
January 28, 2013, 02:02:33 AM
 #20

Quote
In fact, the suggestion of associating your personal information with your bitcoins puts a very bad taste in my mouth. Why would you suggest this, Gavin?
Because it is critical that YOUR passphrase be different from EVERYBODY ELSE'S passphrase.

Adding your email address or driver's license number or some other certainly-unique-for-you information makes that work.

That shifts the problem from "attacker is trying to guess EVERYBODY's passphrase" to "attacker happens to know that you have a bunch of BTC in a brainwallet and is trying to attack YOUR brainwallet, specifically."

Quote
It's an improvement but Moore's law is ruthless, especially considering the economic incentives to recover those keys and how bitcoin mining causes people to accumulate massive amounts of computing power.

Nicely said.

Again: we are really bad at thinking up good, unique passphrases. We share so much experience and culture that whatever you think of, somebody else will probably think of, too.  Or some attacker will think of something similar enough to crack your passphrase.

And we are really bad at imaging what it means that an attacker might try a few hundred BILLION passphrases to try to crack everybody's brainwallet.

How often do you get the chance to work on a potentially world-changing project?
Pages: [1] 2 3 4 »  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!