Bitcoin Forum
Author Topic: New blog post: Hiding Bitcoins in Your Brain  (Read 7201 times)
mpfrank (OP)
January 27, 2013, 11:36:02 PM
 #1

I'm writing this new blog post as an introduction to Bitcoin for new users.  I may add more to it later, but it's at a good stopping point for now.


The emphasis here is on Brain Wallets, because I consider this concept to be a very useful one for enabling users to recover their accounts.  Even if the main browser-based or standalone client that you use develops a problem, and even if you lose your wallet backups, paper wallets, private keys, etc., as long as you keep your coins in a brain wallet, then you can just enter your brain-wallet passphrase into a different site or client, and still access your coins.

I wouldn't want my grandmother, for example, to use Bitcoin, if I didn't know that I could always help her to retrieve her main stash as long as she still remembered (or had written down) her brain-wallet passphrase.  :)

Comments are welcome.
Regards, -Mike Frank

If all the sovereign non-cryptocurrencies will eventually collapse from hyperinflation, you can't afford *not* to invest in Bitcoin...  See my blog at http://minetopics.blogspot.com/ .

Donations accepted at:  17twYNyqTiCTM2gJmumkytvhZh4sCVSKNH
Gavin Andresen (Chief Scientist)
January 27, 2013, 11:49:08 PM
 #2

Humans are pretty bad at being original. REALLY bad at being random. And we are terrible at comprehending huge numbers.

So if you ask the average person to create a secure passphrase, they're very likely to create something that a "determined attacker" with a lot of computing power can crack.

I think if people start to use quotes from obscure literary works as their brain wallets, then they're going to lose their bitcoins sooner or later. Attackers can try MILLIONS of passphrases per minute, to crack EVERY SINGLE brainwallet that has ever been created.

So: if you absolutely, positively won't be dissuaded from using a brainwallet, here is my advice on how you might be able to come up with a secure passphrase:

Think of two passphrases that you think you can remember. And think of a government-issued number that you can easily lookup or remember (like your driving license or social security number).

Create a brainwallet passphrase that is:

the first passphrase,the government id number,the second passphrase

Then create a 'sentinel' brainwallet that is just the first passphrase, and send a small number of bitcoins to it. When those bitcoins get spent (or more bitcoins are sent to it by somebody else), you know that the first passphrase you chose isn't good enough any more.  Choose a more complicated passphrase and create a new 'sentinel' and real brainwallet, and move your old brainwallet there.


How often do you get the chance to work on a potentially world-changing project?
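The scheme Gavin describes above, written out as an added example that is not code from the thread, from any poster, or from any wallet project. A classic brainwallet of the time derived the private key as SHA-256(passphrase), so the wordlist attack he warns about and the sentinel/real split he proposes both fit in a few lines. Two assumptions: the candidate phrase list is constructed for the demonstration, and because RIPEMD-160 is not available in every Python build, the attacker's check compares derived private keys instead of addresses (the address is a fixed function of the key, so the outcome is identical). WIF encoding is the standard Base58Check of 0x80 followed by the key.

```python
import hashlib

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def base58check(payload: bytes) -> str:
    """Base58Check: payload followed by the first 4 bytes of SHA-256(SHA-256(payload))."""
    data = payload + sha256(sha256(payload))[:4]
    n = int.from_bytes(data, "big")
    digits = ""
    while n:
        n, rem = divmod(n, 58)
        digits = B58_ALPHABET[rem] + digits
    # each leading zero byte is encoded as a leading '1'
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + digits


def brainwallet_key(passphrase: str) -> bytes:
    """Classic brainwallet: the raw 32-byte private key is just SHA-256 of the passphrase."""
    return sha256(passphrase.encode("utf-8"))


def to_wif(privkey: bytes) -> str:
    """Wallet Import Format for an uncompressed key: Base58Check(0x80 || key)."""
    return base58check(b"\x80" + privkey)


def compose_passphrase(first: str, gov_id: str, second: str) -> str:
    """Gavin's layout: first passphrase, government ID number, second passphrase, comma separated."""
    return f"{first},{gov_id},{second}"


def sentinel_and_real(first: str, gov_id: str, second: str) -> tuple:
    """Return (sentinel WIF, real WIF). The sentinel wallet uses the first passphrase alone,
    so if it is ever emptied you know that passphrase has entered somebody's wordlist."""
    sentinel = to_wif(brainwallet_key(first))
    real = to_wif(brainwallet_key(compose_passphrase(first, gov_id, second)))
    return sentinel, real


# Constructed stand-in for an attacker's wordlist: lines an attacker would try early.
CANDIDATE_PHRASES = [
    "password",
    "correct horse battery staple",
    "to be or not to be that is the question",
    "it was the best of times it was the worst of times",
    "call me ishmael",
    "the quick brown fox jumps over the lazy dog",
]


def crack(target_key: bytes, candidates) -> "str | None":
    """Derive a key from every candidate phrase; return the phrase that reproduces target_key."""
    for phrase in candidates:
        if brainwallet_key(phrase) == target_key:
            return phrase
    return None


if __name__ == "__main__":
    first, gov_id, second = "call me ishmael", "D1234567", "white whale"  # constructed inputs
    sentinel, real = sentinel_and_real(first, gov_id, second)
    print("sentinel WIF:", sentinel)
    print("real WIF:    ", real)
    # the sentinel falls to the wordlist; the composed passphrase does not
    print("sentinel cracked as:", crack(brainwallet_key(first), CANDIDATE_PHRASES))
    real_key = brainwallet_key(compose_passphrase(first, gov_id, second))
    print("real cracked as:    ", crack(real_key, CANDIDATE_PHRASES))
```

The attacker's loop is the whole threat model: one SHA-256 per candidate, checked against every brainwallet address ever funded at once, which is why a quote from any book is already in the candidate set and why the sentinel gives early warning before the real wallet is at risk.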
mpfrank (OP)
January 27, 2013, 11:53:13 PM
 #3

Quote from: Gavin Andresen
...
Think of two passphrases that you think you can remember. And think of a government-issued number that you can easily lookup or remember (like your driving license or social security number).

Create a brainwallet passphrase that is:

the first passphrase,the government id number,the second passphrase

Then create a 'sentinel' brainwallet that is just the first passphrase, and send a small number of bitcoins to it. When those bitcoins get spent (or more bitcoins are sent to it by somebody else), you know that the first passphrase you chose isn't good enough any more.  Choose a more complicated passphrase and create a new 'sentinel' and real brainwallet, and move your old brainwallet there.


Good idea, thanks!

P.S. Casascius suggested to me that we might also consider moving to a slower key-generation algorithm, using scrypt for example, to make brute-force attacks on brainwallets more expensive.

justusranvier
January 27, 2013, 11:58:25 PM
 #4

Quote from: Gavin Andresen
So if you ask the average person to create a secure passphrase, they're very likely to create something that a "determined attacker" with a lot of computing power can crack.
Miners who find themselves in possession of obsolete gear (GPUs after ASICs hit the market) could very well become those determined attackers.
UncleBobs
January 28, 2013, 12:13:09 AM
 #5

Nice cube, Mike!  Brainwallets and the Electrum light client are why I am getting involved with BTC again after losing a hard drive over a year ago right after I got started.  Luckily there was only faucet-scale BTC in my wallet.

There is no way I would consider holding significant funds in BTC without a brainwallet.  I don't even trust bits of paper in banks. 

I enjoyed your article, and I agree this is the best angle to promote BTC.

Disobey the Thought Police.  Resist Totalitarian Humanism.
http://attackthesystem.com/?s=totalitarian+humanism
mpfrank (OP)
January 28, 2013, 12:18:01 AM
 #6

Quote from: UncleBobs
Nice cube, Mike!  Brainwallets and the Electrum light client are why I am getting involved with BTC again after losing a hard drive over a year ago right after I got started.  Luckily there was only faucet-scale BTC in my wallet.

There is no way I would consider holding significant funds in BTC without a brainwallet.  I don't even trust bits of paper in banks. 

I enjoyed your article, and I agree this is the best angle to promote BTC.

Thanks!  I need to add more material about Electrum.  I only just learned about it myself today!

oOoOo
January 28, 2013, 12:26:32 AM
 #7

5MyBitcoinPrivKey1234567890 = sha256("salt" + sha256("MySuperSecretPassPhrase"))

^There.

"salt" can be an ever-changing number, so you can constantly move on to new brainwallets, without forgetting, or losing access to, the old ones.
UncleBobs
January 28, 2013, 12:28:06 AM
 #8

As far as randomness of passphrase, Electrum generates a pretty random phrase.  I don't see that those should be very crackable, and I don't believe in the idea of including personal information in my passwords either, despite Gavin's recommendation.

The Fool
January 28, 2013, 12:34:10 AM
 #9

Quote from: UncleBobs
As far as randomness of passphrase, Electrum generates a pretty random phrase.  I don't see that those should be very crackable, and I don't believe in the idea of including personal information in my passwords either, despite Gavin's recommendation.

The personal information bit makes it easy for an employer, government or bank to crack your password. I don't know how that's entropic at all in an objective sense.

In fact, the suggestion of associating your personal information with your bitcoins puts a very bad taste in my mouth. Why would you suggest this, Gavin?
justusranvier
January 28, 2013, 12:34:47 AM
 #10

To make a truly secure brainwallet passphrase take the output of
Code:
dd bs=32 count=1 if=/dev/random 2>/dev/null | hexdump -e '32/1 "%02x" "\n"'
and convert it to PGP words
coretechs
January 28, 2013, 12:41:14 AM
 #11

Don't use anything that can be found in a book.  "Really obscure" doesn't mean anything in the context of a brute force attack.


https://bitcoindoc.com - The Rise and Rise of Bitcoin | https://blocktap.io - Lightning powered crypto query engine
twolifeinexile
January 28, 2013, 12:47:40 AM
 #12

Quote from: coretechs
Don't use anything that can be found in a book.  "Really obscure" doesn't mean anything in the context of a brute force attack.

But that also means the brain could not handle it well.
mpfrank (OP)
January 28, 2013, 12:55:24 AM
 #13

Quote from: coretechs
Don't use anything that can be found in a book.  "Really obscure" doesn't mean anything in the context of a brute force attack.

Hm, perhaps it might be OK to use a sentence from a very old/rare book that hasn't been scanned into Google Books yet?   :)  Although I guess it could always still get scanned in the future...

casascius (Mike Caldwell)
January 28, 2013, 12:56:28 AM
 #14

This is the essence of what I intend to propose as a standard brainwallet replacement for sha256:

First, I propose scrypt as the key derivation algorithm.

Second, I propose the following standardized method for creating salt: a user should enter their own birthdate and their postal code that was current at the time their brainwallet was created.  The postal code should be stripped only to alphanumeric characters (no spaces or dashes).  These should be provided as salt to the scrypt algorithm in the form YYYY-MM-DD-x where x is the stripped postal code.  The purpose of these is that it's unlikely the user will forget these (even if they move) while still providing satisfactory entropy to substantially prevent parallel cracking of the entire brainwallet universe.  If all brainwallet generators and decrypters follow the same method for generating salt, users won't be burdened with having to remember how they created their salt, nor how they formatted their information.

Third, I propose the scrypt parameters 16384,8,8 as a starting point.  I propose that brainwallet creators offer a checkable option called "additional security" that will result in using sensible power-of-two multiples of these parameters instead (which multiples to use are the implementer's choice, but should be appropriate for the current state-of-the-art in potential cracking threats).  For example, 32768,8,8, 32768,16,8 are logical next steps when more difficulty is needed.

Brainwallet decrypters should consider the possibility that a user may have enabled "additional security".  After trying the default parameters, a decrypter should be prepared to bruteforce 8 to 16 of the most likely possible alternates, looking for something that results in a private key with funds.  This should happen if and when a user fails to decrypt a brainwallet having funds, or indicates that they have enabled "additional security".  The user does not have to remember specifically whether or not they enabled it - the worst case for a user is that they don't remember, and are forced to wait a while for the brute forcing process to either find their correct private key, which will succeed regardless of whether they enabled it, or fail, if they have entered the wrong passphrase.

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper or hardware wallets instead.
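Casascius's three proposals above, as an added example that is not code from the thread, from Casascius, or from any brainwallet generator: the standardized YYYY-MM-DD-x salt, scrypt at the (16384, 8, 8) starting point, and a decrypter that walks power-of-two multiples of those parameters when the default does not produce a funded key. It uses Python's hashlib.scrypt. The exact ordering of the ladder, the has_funds callback (standing in for a block-chain balance lookup), and the sample birthdate and postal code are my assumptions, not part of the proposal.

```python
import hashlib
import re

# Starting (N, r, p) from the proposal; "additional security" uses power-of-two multiples.
DEFAULT_PARAMS = (16384, 8, 8)


def make_salt(birthdate: str, postal_code: str) -> bytes:
    """Standardized salt 'YYYY-MM-DD-x', where x is the postal code stripped to alphanumerics."""
    if not re.fullmatch(r"\d{4}-\d{2}-\d{2}", birthdate):
        raise ValueError("birthdate must be written as YYYY-MM-DD")
    stripped = re.sub(r"[^0-9A-Za-z]", "", postal_code)
    if not stripped:
        raise ValueError("postal code contains no alphanumeric characters")
    return f"{birthdate}-{stripped}".encode("ascii")


def derive_key(passphrase: str, birthdate: str, postal_code: str, params=DEFAULT_PARAMS) -> bytes:
    """scrypt(passphrase, standardized salt) -> 32-byte private key candidate."""
    n, r, p = params
    # scrypt needs roughly 128*r*(N+p) bytes; hashlib caps memory, so size the cap to the parameters
    maxmem = 128 * r * (n + p + 2) + (1 << 20)
    return hashlib.scrypt(passphrase.encode("utf-8"), salt=make_salt(birthdate, postal_code),
                          n=n, r=r, p=p, maxmem=maxmem, dklen=32)


def param_ladder(base=DEFAULT_PARAMS, steps: int = 8) -> list:
    """Default parameters first, then the power-of-two multiples a decrypter should try:
    for each doubling of N, once with the base r and once with r doubled
    (e.g. 32768,8,8 then 32768,16,8). steps=8 yields the 16 alternates the post allows for.
    This ordering is an assumption; the post leaves the choice to the implementer."""
    n, r, p = base
    ladder = [base]
    for i in range(1, steps + 1):
        ladder.append((n << i, r, p))
        ladder.append((n << i, r << 1, p))
    return ladder


def recover(passphrase: str, birthdate: str, postal_code: str, has_funds, ladder=None):
    """Decrypter: try each parameter set in order until the derived key has funds.
    has_funds(key) stands in for looking the key's address up on the block chain.
    Returns (key, params), or (None, None) if the passphrase is wrong for every set."""
    if ladder is None:
        ladder = param_ladder()
    for params in ladder:
        key = derive_key(passphrase, birthdate, postal_code, params)
        if has_funds(key):
            return key, params
    return None, None


if __name__ == "__main__":
    # constructed user data; in the proposal the user types these in, they are not secrets
    birthdate, postal = "1980-02-29", "W1A 1AA"
    # wallet created with "additional security" enabled: one step above the default
    funded_key = derive_key("my passphrase", birthdate, postal, (32768, 8, 8))
    funded = {funded_key}
    key, params = recover("my passphrase", birthdate, postal, funded.__contains__, param_ladder(steps=1))
    print("recovered with params", params, "->", key.hex())
```

The salt does not add secrecy (an attacker targeting you can look up your birthdate and postal code); its job is to stop one pass over a wordlist from testing every brainwallet at once, which is the attack Gavin describes. The ladder is what makes "additional security" recoverable without the user remembering whether they enabled it: a wrong passphrase simply costs the full walk before failing.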
mpfrank (OP)
January 28, 2013, 12:58:40 AM
 #15

Quote from: justusranvier
To make a truly secure brainwallet passphrase take the output of
Code:
dd bs=32 count=1 if=/dev/random 2>/dev/null | hexdump -e '32/1 "%02x" "\n"'
and convert it to PGP words

That might be OK except that your average grandma isn't Linux literate.  :)

justusranvier
January 28, 2013, 01:06:19 AM
 #16

Quote from: mpfrank
That might be OK except that your average grandma isn't Linux literate.  :)
That's the problem with brainwallets. Anything less than 256 bits of entropy will probably be brute forced at some point.
mpfrank (OP)
January 28, 2013, 01:32:05 AM
 #17

Quote from: justusranvier
That might be OK except that your average grandma isn't Linux literate.  :)
That's the problem with brainwallets. Anything less than 256 bits of entropy will probably be brute forced at some point.

What about Casascius' new suggestion?  With a salt and a computationally-intensive keygen function, doesn't the situation improve considerably?

justusranvier
January 28, 2013, 01:35:06 AM
 #18

Quote from: mpfrank
What about Casascius' new suggestion?  With a salt and a computationally-intensive keygen function, doesn't the situation improve considerably?
It's an improvement but Moore's law is ruthless, especially considering the economic incentives to recover those keys and how bitcoin mining causes people to accumulate massive amounts of computing power.

Imagine how many keys an FPGA rig made obsolete by ASICs could test.
mpfrank (OP)
January 28, 2013, 01:50:21 AM
 #19

Quote from: justusranvier
What about Casascius' new suggestion?  With a salt and a computationally-intensive keygen function, doesn't the situation improve considerably?
It's an improvement but Moore's law is ruthless, especially considering the economic incentives to recover those keys and how bitcoin mining causes people to accumulate massive amounts of computing power.

Imagine how many keys an FPGA rig made obsolete by ASICs could test.

Yeah but scrypt isn't a very good fit for an FPGA since it is memory-intensive...

Gavin Andresen (Chief Scientist)
January 28, 2013, 02:02:33 AM
 #20

Quote from: The Fool
In fact, the suggestion of associating your personal information with your bitcoins puts a very bad taste in my mouth. Why would you suggest this, Gavin?
Because it is critical that YOUR passphrase be different from EVERYBODY ELSE'S passphrase.

Adding your email address or driver's license number or some other certainly-unique-for-you information makes that work.

That shifts the problem from "attacker is trying to guess EVERYBODY's passphrase" to "attacker happens to know that you have a bunch of BTC in a brainwallet and is trying to attack YOUR brainwallet, specifically."

Quote from: justusranvier
It's an improvement but Moore's law is ruthless, especially considering the economic incentives to recover those keys and how bitcoin mining causes people to accumulate massive amounts of computing power.

Nicely said.

Again: we are really bad at thinking up good, unique passphrases. We share so much experience and culture that whatever you think of, somebody else will probably think of, too.  Or some attacker will think of something similar enough to crack your passphrase.

And we are really bad at imagining what it means that an attacker might try a few hundred BILLION passphrases to try to crack everybody's brainwallet.
