Bitcoin Forum
November 15, 2024, 03:57:34 PM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: « 1 2 [3] 4 »  All
  Print  
Author Topic: New blog post: Hiding Bitcoins in Your Brain  (Read 7280 times)
UncleBobs
Member
**
Offline Offline

Activity: 103
Merit: 10


It From Bit


View Profile WWW
January 28, 2013, 06:24:54 PM
 #41

I found a good technical article here:

https://tech.dropbox.com/2012/04/zxcvbn-realistic-password-strength-estimation/


and two more strength tests:

https://dl.dropbox.com/u/209/zxcvbn/test/index.html

http://howsecureismypassword.net/

Disobey the Thought Police.  Resist Totalitarian Humanism.
http://attackthesystem.com/?s=totalitarian+humanism
Timo Y
Legendary
*
Offline Offline

Activity: 938
Merit: 1001


bitcoin - the aerogel of money


View Profile
January 28, 2013, 09:30:08 PM
 #42

Humans are really bad at remembering phrases and numbers. 

Even a seemingly easy to remember phrase like "category platypus ennui toast" will not last more than 3-6 months in most peoples' long term memory, unless they rehearse it regularly.  Most regular bitcoin users are too busy/lazy to keep rehearsing their passphrases.  Also, rehearsal can accumulate errors over the years and overwrite the original memory, so to be safe you would have to write down the passphrase to remind yourself once in a while, which defeats the whole point of a brain wallet.

Humans are good at remembering images, however.

Instead of memorizing phrases, I would recommend employing your visual memory, for example like this: Go for a jog/walk/bike ride along a particular route once a week, for a period of 6 months. Then use the GPS coordinates of certain key points along the route as your passphrase. Even if you forget the coordinates, you are unlikely to forget the locations, and you can always look them up on a map.

Implicit memory is even more reliable than visual memory.

Though time consuming, this is probably the most secure way to set up a brain wallet:

http://www.extremetech.com/extreme/133067-unbreakable-crypto-store-a-30-character-password-in-your-brains-subconscious-memory




GPG ID: FA868D77   bitcoin-otc:forever-d
casascius
Mike Caldwell
VIP
Legendary
*
Offline Offline

Activity: 1386
Merit: 1140


The Casascius 1oz 10BTC Silver Round (w/ Gold B)


View Profile WWW
January 28, 2013, 10:17:54 PM
 #43

One time when I needed a temporary bitcoin receiving address in a pinch, but before paper wallets were easy to print and carry, I just thought of a silly song I had made up in elementary school which contained some non-words, and took a line from it.  Since I had remembered it that long despite having no use for it, there was no concern of forgetting it, and since it contained nonsense, there was no chance of anyone guessing it.

I would venture to guess that anything that can be reliably recalled from childhood should be suitable candidate material.  The work of embedding it into your brain has already been done.

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper or hardware wallets instead.
oOoOo
Full Member
***
Offline Offline

Activity: 238
Merit: 100


View Profile
January 28, 2013, 11:57:10 PM
 #44


Here's a crazy idea.


Neat idea! Did you come up with this on your own?

I see one possible weakness however:
What if someone manages to record the exact times "Joespass" decides to log in?
Perhaps there is a way to make this even more secure..?
mpfrank (OP)
Sr. Member
****
Offline Offline

Activity: 247
Merit: 250


Cosmic Cubist


View Profile
January 29, 2013, 12:27:07 AM
Last edit: January 29, 2013, 03:39:54 AM by mpfrank
 #45

@UncleBobs
a) You can test your passphrase' entropy there:
http://blog.shay.co/password-entropy/

Remember this is only approximation, and not
 exact measurement of entropy.

--------------------
+1 to the both posts of CIYAM Open.
Brainwallet is only good for several years,
and after that it must be replaced with more
 appropriate new software( and coins must be
 transferred to new addresses).

Well, entropy of a string is not really even an objectively definable quantity.  For example, if you type "3.141592653589793238462643"
into that calculator, it thinks it has 139.6 bits of entropy, but to remember it, I only have to remember "pi to 24 decimal places" and then compute it (or look it up) when I need it.

Another example is a page from an old book, which looks like it has a lot of entropy, until you know the book and page number and have access to a library.

In general, even a very long and apparently random string could have been computed by a very short algorithm (e.g., compute pi to 24 places; or, go to library, get that book, turn to page 37) and therefore could be feasible to guess (e.g. by trying all algorithms with minimum description length below a certain size).

This leads to a "pseudo-objective" measure of string entropy called Kolmogorov complexity, http://en.wikipedia.org/wiki/Kolmogorov_complexity, but it is intractable to compute in general.

The only way to be sure that a given passphrase has high Kolmogorov complexity would be to actually try cracking it by searching all algorithms below a certain length.  To be comprehensive, the algorithm should also have read access to all the world's published information.  (To prevent passphrases like, "Page 37 of such-and-such book available on Google.")

I'd say that memorizing randomly-generated stories, or using detailed, already-existing memories that you already know, or some of the other ideas suggested is the way to go, to be confident in ultra-high passphrase security...

Of course, people on this thread would also be well advised to remember this other xkcd comic...  Smiley

http://xkcd.com/538/

If all the sovereign non-cryptocurrencies will eventually collapse from hyperinflation, you can't afford *not* to invest in Bitcoin...  See my blog at http://minetopics.blogspot.com/ .

Donations accepted at:  17twYNyqTiCTM2gJmumkytvhZh4sCVSKNH
mpfrank (OP)
Sr. Member
****
Offline Offline

Activity: 247
Merit: 250


Cosmic Cubist


View Profile
January 29, 2013, 12:50:57 AM
 #46

I agree with the use of scrypt (which I use in my offline key generation) and many of the other good suggestions.

Creating a secure "brainwallet" is actually very difficult (as Gavin has pointed out).

The "memory key" idea I have created (http://ciyam.org/memory_key.html) is another way to help - but of course if you want to create something "impossible" to brute force you need to be "creative" and you need to "work at it" (it can take quite a while to come up with something good enough).

I am willing to "test" publicly what *I* can come up with but of course I don't think that the same approach would necessarily work for others.

The problem of creating "secure" passwords has become "the problem" of our time as the "brute force power' has become so strong that a "new approach" is very much needed (if we are ever going to be able to get the "mums and dads" little own "grandmas and grandpas" using it successfully).


Is there something like CIYAM with a larger set of locations?

If all the sovereign non-cryptocurrencies will eventually collapse from hyperinflation, you can't afford *not* to invest in Bitcoin...  See my blog at http://minetopics.blogspot.com/ .

Donations accepted at:  17twYNyqTiCTM2gJmumkytvhZh4sCVSKNH
CIYAM
Legendary
*
Offline Offline

Activity: 1890
Merit: 1086


Ian Knowles - CIYAM Lead Developer


View Profile WWW
January 29, 2013, 02:21:31 AM
 #47

Is there something like CIYAM with a larger set of locations?

It's can be very easily edited/extended (just do a view source and you'll see it's quite readable) - also if anyone has enough interest to dedicate some time working on extending this then I will be happy to put up a task for it on CIYAM Open and allocate at least a bitcoin or two towards the effort.

With CIYAM anyone can create 100% generated C++ web applications in literally minutes.

GPG Public Key | 1ciyam3htJit1feGa26p2wQ4aw6KFTejU
mpfrank (OP)
Sr. Member
****
Offline Offline

Activity: 247
Merit: 250


Cosmic Cubist


View Profile
January 29, 2013, 02:57:57 AM
 #48

So, I'm currently trying Diceware (http://world.std.com/~reinhold/diceware.html) (advantage - the original random data never even touches a potentially-compromised computer) with the English word list (http://world.std.com/~reinhold/diceware.wordlist.asc).  It takes about 100 rolls of a 6-sided die (grouped 5 at a time to produce 20 diceware words) to get 256 bits of entropy.  Then I take the resulting 20-word list, break it into 4 chunks of 5 words each (about 64 bits of entropy each), and embed the 5 words in each chunk into a memorable sentence or pair of sentences.  I think I could remember these four chunks, with practice.  Would I still remember them in 20 years?  Doubtful, although I might try using a free spaced-repetition tool like Menemosyne (http://mnemosyne-proj.org/download-mnemosyne.php) to do it.

Example die rolls and the corresponding words:

Chunk #1:
----------
1.  46623 = pz
2.  16546 = chump
3.  23146 = dint
4.  25324 = feed
5.  51335 = rangy

Chunk #2:
----------
6.  14212 = bigot
7.  31325 = glory
8.  25661 = flour
9.  51153 = quinn
10. 14225 = bind

Chunk #3:
----------
11. 43133 = mugho
12. 21541 = crane
13. 45145 = parse
14. 42656 = movie
15. 21146 = louse

Chunk #4:
----------
16. 36634 = loeb
17. 14314 = bland
18. 31623 = grim
19. 33214 = holdup
20. 24566 = et

Full passphrase:  "pz chump dint feed rangy bigot glory flour quinn bind mugho crane parse movie louse loeb bland grim holdup et" - Suitable to feed into SHA-256 or scrypt.

Mnemonics for the four chunks:

1. PZ Myers made me feel like a chump, by dint of making me feed on the rangy grounds of his estate.
2. Call me a bigot, but I find no glory in grinding flour.  Harley Quinn had me in a bind.
3. I hoisted a mugho pine shrub up with my crane.  If only I could parse the meaning of that movie about a louse.
4. Even the Loeb classical library seemed bland to me these days.  But the grim logic of a holdup, et cetera, wouldn't let me go.

So, if you can remember these four passages, and which words in them are the important ones, then you can memorize a passphrase with 256 bits of entropy.  Smiley

If all the sovereign non-cryptocurrencies will eventually collapse from hyperinflation, you can't afford *not* to invest in Bitcoin...  See my blog at http://minetopics.blogspot.com/ .

Donations accepted at:  17twYNyqTiCTM2gJmumkytvhZh4sCVSKNH
constitution
Newbie
*
Offline Offline

Activity: 28
Merit: 0



View Profile
January 29, 2013, 06:12:49 AM
 #49

Blockchain and electrum work quite well enough for me!
sangaman
Sr. Member
****
Offline Offline

Activity: 342
Merit: 250



View Profile WWW
January 29, 2013, 03:00:14 PM
 #50

I have a brainwallet with a passphrase of two sentences that I'm almost certainly never going to forget. It has unconventional punctuation, made up words, and it doesn't appear anywhere either online or in print. Is it safe to assume that this will be safe for a long, long time?
CIYAM
Legendary
*
Offline Offline

Activity: 1890
Merit: 1086


Ian Knowles - CIYAM Lead Developer


View Profile WWW
January 29, 2013, 03:06:00 PM
 #51

I think that if you are smart then a brainwallet is really not too hard to do. The problem that we are really trying to deal with here (as far as I can tell) is to help those that are "not so smart" (and therefore are unable to create a secure brainwallet).

So I would think that your brainwallet is safe (as I do mine and I welcome the challenge of anyone that wants to try and crack mine - there is a *lot* of BTC there to steal if you can).

Smiley

With CIYAM anyone can create 100% generated C++ web applications in literally minutes.

GPG Public Key | 1ciyam3htJit1feGa26p2wQ4aw6KFTejU
Gavin Andresen
Legendary
*
Offline Offline

Activity: 1652
Merit: 2301


Chief Scientist


View Profile WWW
January 29, 2013, 04:45:33 PM
 #52

I have a brainwallet with a passphrase of two sentences that I'm almost certainly never going to forget. It has unconventional punctuation, made up words, and it doesn't appear anywhere either online or in print. Is it safe to assume that this will be safe for a long, long time?

I don't think anybody knows. But you can find out:

Send a token amount of bitcoin to two more brainwallets, made from each of the sentences.

When somebody else either spends those bitcoins or sends more bitcoins to them, you know that your main brainwallet isn't safe any more.  (are the services that will send you an email when there is activity on a bitcoin address still around?)

How often do you get the chance to work on a potentially world-changing project?
mpfrank (OP)
Sr. Member
****
Offline Offline

Activity: 247
Merit: 250


Cosmic Cubist


View Profile
January 30, 2013, 02:09:11 PM
 #53

I have a brainwallet with a passphrase of two sentences that I'm almost certainly never going to forget. It has unconventional punctuation, made up words, and it doesn't appear anywhere either online or in print. Is it safe to assume that this will be safe for a long, long time?

I don't think anybody knows. But you can find out:

Send a token amount of bitcoin to two more brainwallets, made from each of the sentences.

When somebody else either spends those bitcoins or sends more bitcoins to them, you know that your main brainwallet isn't safe any more.  (are the services that will send you an email when there is activity on a bitcoin address still around?)


So, there is a flaw with that strategy, Gavin:  A shrewd attacker who is systematically scouring passphrase space for coin balances might intentionally pass up most of the smaller, more easily-found jackpots so as not to alert the community that he has this search capability; he may be waiting to pounce until he finds a single, sufficiently-large stash.  Kind of like how the British code-breakers in WW2 intentionally did not act to prevent many U-boat attacks because they didn't want to tip off Germany that Britain had broken the Enigma code.  A classic application of information theory to warfare...

Furthermore, if your short "test" passphrase is a substring of your real passphrase, then by using it as a probe, you've now actually made it easier for attackers to figure out your longer, real passphrase...  Since once they find the shorter passphrase with coins in it, now to find the long one, they only have to search the subspace of longer strings that includes the shorter one as a substring.  

And including ID information (as you suggested earlier) could be counterproductive if the attacker has the capability to trace the transaction graph back to Mt. Gox (say) and compel them to release the customer's dox...  Then they can easily include the ID info when searching for the longer string, AND further they will have evidence that the big stash still belongs to you when they do find it.  

If all the sovereign non-cryptocurrencies will eventually collapse from hyperinflation, you can't afford *not* to invest in Bitcoin...  See my blog at http://minetopics.blogspot.com/ .

Donations accepted at:  17twYNyqTiCTM2gJmumkytvhZh4sCVSKNH
Gavin Andresen
Legendary
*
Offline Offline

Activity: 1652
Merit: 2301


Chief Scientist


View Profile WWW
January 30, 2013, 02:29:15 PM
 #54

Okey dokey, first I think nobody should use an easy-to-memorize brainwallet for anything more than experimenting. I predict we'll start seeing very unhappy brainwallet users reporting huge losses sooner or later.

Second: the 'sentinel wallet' idea is all about incentives.

You need to put enough BTC in the sentinel wallet so it is economically rational for an attacker to "take the money and run" rather than spend time and money trying to crack a bigger brainwallet that might not even exist.

Again, I don't think you should use a brainwallet, so I'm not motivated to do the math to figure out how many BTC you should put into the sentinel wallet so a ration attacker will just take it, but that is the way you should think about it.

How often do you get the chance to work on a potentially world-changing project?
mpfrank (OP)
Sr. Member
****
Offline Offline

Activity: 247
Merit: 250


Cosmic Cubist


View Profile
January 30, 2013, 03:12:39 PM
 #55

Okey dokey, first I think nobody should use an easy-to-memorize brainwallet for anything more than experimenting. I predict we'll start seeing very unhappy brainwallet users reporting huge losses sooner or later.

Second: the 'sentinel wallet' idea is all about incentives.

You need to put enough BTC in the sentinel wallet so it is economically rational for an attacker to "take the money and run" rather than spend time and money trying to crack a bigger brainwallet that might not even exist.

Again, I don't think you should use a brainwallet, so I'm not motivated to do the math to figure out how many BTC you should put into the sentinel wallet so a ration attacker will just take it, but that is the way you should think about it.

Sure, but I'm just saying that, if you do use sentinel wallets, their passphrases should most certainly NOT be a substring of any longer passphrases for your other brainwallets; that is just asking for trouble.  They could be shorter passphrases designed in a similar way, however, to still give you some idea about the security (or lack thereof) of your other brainwallets.

If all the sovereign non-cryptocurrencies will eventually collapse from hyperinflation, you can't afford *not* to invest in Bitcoin...  See my blog at http://minetopics.blogspot.com/ .

Donations accepted at:  17twYNyqTiCTM2gJmumkytvhZh4sCVSKNH
casascius
Mike Caldwell
VIP
Legendary
*
Offline Offline

Activity: 1386
Merit: 1140


The Casascius 1oz 10BTC Silver Round (w/ Gold B)


View Profile WWW
January 30, 2013, 03:34:53 PM
Last edit: January 31, 2013, 12:22:00 AM by casascius
 #56

Here is another idea: split your funds across 10 or 20 brainwallets whose passphrases don't easily lead to one another.

Admittedly though, this is far easier said than done.

I have long thought that being able to have 10 or 20 distinct brainwallets would be a killer application for Bitcoin.  The catch is that each of those brainwallets must not be clues as to how to hack the other ones, otherwise someone will do it.

The prototypical application for such a thing would be an activist in prison, or someone stuck in another country and robbed of everything but their underwear.  The prisoner would want the ability to have a brainwallet so that he could reliably secure legal counsel and pay bills, but without being stuck with the choice of giving access to nothing or everything.  He could use brainwallet #1 for his retainer (if in prison) and release the remaining ones to pay bills as they came due.  The robbery victim could call somebody back home and ask for fiat via Western Union (assuming no way to sell BTC locally), without the risk that the person could rip them off for more than 10% of their brain money (and have it 1/10 the temptation at the same time).

Of course, the problem is that it's bad enough just learning a single passphrase with sufficient entropy, let alone a dozen.  For someone really interested in it, they'd probably have to learn some sort of algorithm that they could sort out in their head or with nothing more than a pencil and paper, so they could derive their own private keys by hand.  (In this case, it's safe to assume they've got relatively unlimited time on their hands)

For example if one memorized the SHA256 algorithm and could compute a SHA256 hash on paper with unlimited time, he could remember "n bottles of beer on the wall in my grandmother's basement at 20205 poppy lane in Witchita" where n was a number he could increment.  He could hand-hash in his prison cell without divulging his passphrase (assuming he had a way to not get his notes confiscated).

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper or hardware wallets instead.
cbeast
Donator
Legendary
*
Offline Offline

Activity: 1736
Merit: 1014

Let's talk governance, lipstick, and pigs.


View Profile
January 30, 2013, 03:56:37 PM
 #57

How secure is this type of brainwallet?
1. Memorize a short phrase like a song lyric or quotation.
2. Make an algorithm that converts the letters to numbers.
3. Use those numbers to find words in a book making sure of the exact edition.
4. Use those words as the actual brainwallet passphrase.

Any significantly advanced cryptocurrency is indistinguishable from Ponzi Tulips.
mpfrank (OP)
Sr. Member
****
Offline Offline

Activity: 247
Merit: 250


Cosmic Cubist


View Profile
January 30, 2013, 04:44:08 PM
 #58

How secure is this type of brainwallet?
1. Memorize a short phrase like a song lyric or quotation.
2. Make an algorithm that converts the letters to numbers.
3. Use those numbers to find words in a book making sure of the exact edition.
4. Use those words as the actual brainwallet passphrase.

As long as the code used is obscure, it might be OK, but the need to have access to the book makes it unsuitable for some scenarios (e.g. you're on the run and have to quickly access your stash, you don't have the book w. you, and there's no time to visit the library).

If all the sovereign non-cryptocurrencies will eventually collapse from hyperinflation, you can't afford *not* to invest in Bitcoin...  See my blog at http://minetopics.blogspot.com/ .

Donations accepted at:  17twYNyqTiCTM2gJmumkytvhZh4sCVSKNH
UncleBobs
Member
**
Offline Offline

Activity: 103
Merit: 10


It From Bit


View Profile WWW
January 30, 2013, 04:50:41 PM
 #59


Though time consuming, this is probably the most secure way to set up a brain wallet:

http://www.extremetech.com/extreme/133067-unbreakable-crypto-store-a-30-character-password-in-your-brains-subconscious-memory

There was a discussion of this on HN a few months ago:
https://news.ycombinator.com/item?id=4266115

Disobey the Thought Police.  Resist Totalitarian Humanism.
http://attackthesystem.com/?s=totalitarian+humanism
mpfrank (OP)
Sr. Member
****
Offline Offline

Activity: 247
Merit: 250


Cosmic Cubist


View Profile
January 31, 2013, 12:00:08 AM
 #60


Well, in addition to all the critiques on that thread, it seems rather cumbersome and unwieldy.  And I think it's unlikely to be widely adopted.  Also, I would be nervous that maybe my subconscious wouldn't meet expectations when I need it to the most.

If all the sovereign non-cryptocurrencies will eventually collapse from hyperinflation, you can't afford *not* to invest in Bitcoin...  See my blog at http://minetopics.blogspot.com/ .

Donations accepted at:  17twYNyqTiCTM2gJmumkytvhZh4sCVSKNH
Pages: « 1 2 [3] 4 »  All
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!