Bitcoin Forum
Topic: Passphrase utility (Read 2614 times)
theymos (OP)
Administrator
Legendary
*
Offline Offline

Activity: 5194
Merit: 12976


View Profile
March 03, 2013, 05:42:27 AM
 #1

I've written a little Python utility for securely creating keys (private keys, encryption keys, deterministic wallet seeds, etc.) from passphrases. It asks you for some impossible-to-forget info about yourself for use as seed to prevent hash precomputation attacks, and it hashes your passphrase over one million times to make brute-force attacks very slow.

I created this because several tools seem to be handling passphrases wrongly. brainwallet.org just does one unsalted sha256 hash of passphrases, which is terribly insecure. Electrum wants you to memorize 12 words, which is unnecessarily long. With this tool, a totally random and unique 6-word or 11-character passphrase should be secure.

I tried to make it so non-ASCII characters are hashed the same across all platforms, but I'm not sure whether I got it right. I'd be careful about using non-ASCII characters.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
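As an added example, not theymos's code and not the utility at github.com/theymos/passphrase: a passphrase-to-key derivation of the kind the post describes, stretching the passphrase with one million PBKDF2-HMAC-SHA256 iterations and salting it with answers about the user. The field names, the NFKC and case-fold canonicalisation, and the length-prefixed salt encoding are this example's own choices (assumptions, not the utility's format). The point it shows is the non-ASCII problem the post mentions: composed and decomposed forms of the same character only hash identically if every input is normalised before it reaches the hash.

```python
import hashlib
import unicodedata

# Group order of secp256k1: a usable Bitcoin private key is an integer in [1, N-1].
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFBAAEDCE6AF48A03BBFD25E8CD0364141

# Personal-info questions used as salt (hypothetical field names chosen for this example).
SALT_FIELDS = ("first_name", "last_name", "birth_date", "birth_city")


def canonical(text: str, fold_case: bool) -> bytes:
    """Turn user input into a platform-independent byte string.

    NFKC composes 'e' + U+0301 (combining acute) into U+00E9, so the same
    visible string hashes identically whether the terminal delivered it
    composed or decomposed. Surrounding whitespace is dropped. Case is folded
    only for salt answers; a passphrase keeps its case because that is entropy.
    """
    text = unicodedata.normalize("NFKC", text).strip()
    if fold_case:
        text = text.casefold()
    return text.encode("utf-8")


def build_salt(answers: dict) -> bytes:
    """Encode the answers unambiguously: field name, NUL, 2-byte length, value.

    Length prefixes stop ("ab", "c") and ("a", "bc") from producing the same salt.
    """
    missing = [f for f in SALT_FIELDS if not answers.get(f, "").strip()]
    if missing:
        raise ValueError(f"missing salt answers: {missing}")
    parts = []
    for field in SALT_FIELDS:
        value = canonical(answers[field], fold_case=True)
        parts.append(field.encode("ascii") + b"\x00" + len(value).to_bytes(2, "big") + value)
    return b"".join(parts)


def is_valid_private_key(key: bytes) -> bool:
    """True if the 32 bytes are a non-zero scalar below the secp256k1 group order."""
    return len(key) == 32 and 1 <= int.from_bytes(key, "big") < SECP256K1_N


def derive_key(passphrase: str, answers: dict, iterations: int = 1_000_000) -> bytes:
    """Stretch the passphrase with PBKDF2-HMAC-SHA256 over the personal-info salt.

    One million iterations makes every guess cost the attacker a million
    HMAC-SHA256 evaluations as well; the parameter exists so tests can run fast.
    """
    if iterations < 1:
        raise ValueError("iterations must be positive")
    key = hashlib.pbkdf2_hmac(
        "sha256", canonical(passphrase, fold_case=False), build_salt(answers), iterations, dklen=32
    )
    # Out-of-range output has probability around 2**-128, but the check is free.
    if not is_valid_private_key(key):
        raise ValueError("derived value is not a valid secp256k1 scalar; choose another passphrase")
    return key


if __name__ == "__main__":
    # Constructed sample input, not real personal data.
    sample = {"first_name": "Ann", "last_name": "Example",
              "birth_date": "1980-02-29", "birth_city": "Springfield"}
    print(derive_key("correct horse battery staple", sample).hex())
```

The salt answers are whitespace- and case-insensitive so that a later typing habit cannot lock the user out of their own coins; the passphrase itself is only Unicode-normalised. Whatever canonicalisation a real tool picks, it must be fixed and documented, because any later change silently derives a different key.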
btcusr
Sr. Member
****
Offline Offline

Activity: 405
Merit: 255


@_vjy


View Profile
March 03, 2013, 01:56:08 PM
 #2

good one. :)

I had a similar idea of a passphrase utility which would generate a passphrase from constant webpage content, like this. I am just using a Wikipedia article at a point in time (date / version), but it can be anything, even an image / photo from National Geographic, Picasa, or Google Drive, or a YouTube video, etc.

Stephen Gornick
Legendary
*
Offline Offline

Activity: 2506
Merit: 1010


View Profile
March 04, 2013, 02:49:58 AM
 #3

I've written a little Python utility

Y U NO use GitHub (or gitorius or whatever ...)?



misterbigg
Legendary
*
Offline Offline

Activity: 1064
Merit: 1001



View Profile
March 04, 2013, 03:13:51 AM
 #4

This would be great if it was in javascript...how am I supposed to run Python? I don't have that installed on my Windows 7 machine.
nimda
Hero Member
*****
Offline Offline

Activity: 784
Merit: 1000


0xFB0D8D1534241423


View Profile
March 04, 2013, 03:36:11 AM
 #5

Why not use python 3?
theymos (OP)
Administrator
Legendary
*
Offline Offline

Activity: 5194
Merit: 12976


View Profile
March 04, 2013, 04:23:09 AM
 #6

I don't have that installed on my Windows 7 machine.

Then install it...

Why not use python 3?

I was originally writing this as a patch to Electrum, but it seemed like it'd take too much time to integrate so I decided to make a standalone utility. This is also why I wrote it in Python at all (which I'm not a big fan of).

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
theymos (OP)
Administrator
Legendary
*
Offline Offline

Activity: 5194
Merit: 12976


View Profile
March 04, 2013, 04:38:16 AM
 #7

Y U NO use GitHub (or gitorius or whatever ...)?

https://github.com/theymos/passphrase

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
ThomasV
Legendary
*
Offline Offline

Activity: 1896
Merit: 1353



View Profile WWW
March 19, 2013, 09:12:15 AM
 #8

I was originally writing this as an patch to Electrum, but it seemed like it'd take too much time to integrate so I decided to make a standalone utility. This is also why I wrote it in Python at all (which I'm not a big fan of).

please read my answer here: https://bitcointalk.org/index.php?topic=153990.msg1641145#msg1641145
I do not know how much entropy you get from those 6 words, but that really is the only question you should ask yourself.

Electrum: the convenience of a web wallet, without the risks
Technologov
Full Member
***
Offline Offline

Activity: 203
Merit: 100


View Profile
July 14, 2014, 03:32:35 PM
 #9

1. Where can I get your utility?
2. Which license is it ? (needs to be open-source, preferably BSD-style, so it can be integrated into Android and FreeBSD later on)
TimS
Sr. Member
****
Offline Offline

Activity: 250
Merit: 253


View Profile WWW
July 14, 2014, 03:53:17 PM
 #10

1. Where can I get your utility?
2. Which license is it ? (needs to be open-source, preferably BSD-style, so it can be integrated into Android and FreeBSD later on)
1. Two posts above yours is: https://github.com/theymos/passphrase
2. The source at the above link says "Public domain"

I would highly recommend that nobody use this to create a wallet. This is highly insecure. Practically anyone who knows you could get in based on what they already know, or with a tiny amount of work (e.g. researching you on Facebook). People who don't know you would first need to identify you, and then get in with a tiny amount of work. And "but the attackers wouldn't know I'm using that algorithm!" is not a good assumption or argument. "A cryptosystem should be secure even if everything about the system, except the key, is public knowledge." (Kerckhoffs's principle)
Someone could also brute-force randomly-generated names/birth dates/cities.
DeathAndTaxes
Donator
Legendary
*
Offline Offline

Activity: 1218
Merit: 1079


Gerald Davis


View Profile
July 14, 2014, 04:22:54 PM
 #11

Agreed with Tim.  Please let this post die.  It is a horribly insecure method.

Let's assume that it can only be brute forced (in reality many of your friends could steal your coins on the first attempt).  If we consider all possible birthdates in the last century that is 16 bits of entropy.  However we can shave 2 bits off by looking at only likely birthdates (say between the ages of 16 and 66).  The US census provides name lists which cover 90% of the population and that consists of only ~887K last names and ~3K first names.  In the US there are only 30,000 recognized cities, towns, and unincorporated areas.  Put all together you could cover ~90% of all possible permutations of US Bitcoiners with 9.7 * 10^16 attempts.  This might sound like a lot until you consider that the Bitcoin network to date has made 1.2*10^24 hashing attempts (12,433,044x as much).
theymos (OP)
Administrator
Legendary
*
Offline Offline

Activity: 5194
Merit: 12976


View Profile
July 14, 2014, 04:29:26 PM
 #12

You seem to think that this generates keys based only on personal info, but that's just the salt used to prevent pre-computation attacks. You also need a strong passphrase.

I wouldn't use this code for large sums of money because it doesn't have much review, but I think that the basic principle is very solid if the user can make a decent passphrase (which is maybe not a good assumption in general).

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
DeathAndTaxes
Donator
Legendary
*
Offline Offline

Activity: 1218
Merit: 1079


Gerald Davis


View Profile
July 14, 2014, 04:33:53 PM
Last edit: July 14, 2014, 04:49:28 PM by DeathAndTaxes
 #13

56 bits is pretty weak for a salt and, worse, they would be heavily biased.  Due to non-random distribution an attacker could choose to start from the most probable values and expand the precomputation tables as time permits.  Taking a ballpark guess, the majority (51%) of Americans would have less than 20 bits of salt.  Granted, if your name is Olef-Olef-Olefz WashingFrankenburg and you were born in Greater Bumfuck, Uganda in 1999 you probably are safe.  On the other hand, if you are John Smith born in 1980 in New York, well, you just have a false sense of security.  I would advocate against using this type of system, but if you absolutely felt the need to use such a system it should involve more questions, ones with a flatter distribution and that are less likely to be known through casual contact:
What is the name of the street where you first lived (enter just the base word excluding any prefixes or suffixes "Main" vs "E Main St")?

What is your mother's maiden name?
What is your grandmother's middle name?
On what date did your grandparent who died the youngest die?
etc

Quote
if the user can make a decent passphrase (which is maybe not a good assumption in general)
I agree this is better than just a single hash brain wallet, but the implicit zero-factor nature of brain wallets means that better is probably still going to result in lost funds.  The difficulty is that humans are both BAD at entropy and BAD at recognizing low entropy values.  Most users simply fail at picking a strong password.  However in most applications there is a second factor.  To steal a desktop wallet requires the passphrase (probably weak) AND the actual file.  To break into a website (which hopefully disables logins after failed attempts) requires the weak passphrase AND the hashed password table.  Brain wallets don't have that luxury.
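As an added example, not from any post in this thread, the effect of biased answer distributions on salt strength (the "56 bits ... heavily biased" point in #13 and the guess-count arithmetic in #11) can be quantified. The block below compares the nominal table size with the Shannon entropy and the min-entropy of each answer, combines independent answers into a joint distribution, and counts how many salt values an attacker who precomputes most-probable-first needs in order to cover a given fraction of users. The distributions are small constructed toy tables, not census data; real name and city tables are larger and more skewed, which only strengthens the point.

```python
import math
from itertools import product

# Constructed toy answer distributions (probability of each answer across the
# user population). Not census data; chosen so the arithmetic comes out exact.
FIRST_NAME = {"john": 0.5, "mary": 0.25, "olef": 0.125, "zuri": 0.125}
BIRTH_YEAR = {"1980": 0.25, "1985": 0.25, "1990": 0.25, "1995": 0.25}  # flat: 2 bits


def nominal_bits(dist):
    """log2 of the table size: what 'N possible values' naively suggests."""
    return math.log2(len(dist))


def shannon_bits(dist):
    """Average bits per answer, weighted by how often each answer occurs."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)


def min_entropy_bits(dist):
    """Bits of the single most likely answer. The attacker's first guess
    succeeds with probability 2**-min_entropy, so this is the number that
    bounds how well the salt resists a most-probable-first table."""
    return -math.log2(max(dist.values()))


def joint(*dists):
    """Product distribution of independent answers; Shannon and min-entropy
    both add across independent fields, table sizes multiply."""
    result = {}
    for combo in product(*(d.items() for d in dists)):
        key = tuple(k for k, _ in combo)
        result[key] = math.prod(p for _, p in combo)
    return result


def guesses_to_cover(dist, fraction):
    """Number of salt values, tried most-probable-first, an attacker must
    precompute before `fraction` of the population is covered."""
    if not 0 < fraction <= 1:
        raise ValueError("fraction must be in (0, 1]")
    covered = 0.0
    for n, p in enumerate(sorted(dist.values(), reverse=True), start=1):
        covered += p
        if covered >= fraction:
            return n
    return len(dist)


def effective_bits_for_fraction(dist, fraction):
    """Work (in bits) to reach `fraction` coverage; compare with nominal_bits."""
    return math.log2(guesses_to_cover(dist, fraction))


if __name__ == "__main__":
    salt = joint(FIRST_NAME, BIRTH_YEAR)
    print(f"nominal  {nominal_bits(salt):.2f} bits ({len(salt)} combinations)")
    print(f"shannon  {shannon_bits(salt):.2f} bits")
    print(f"min-ent  {min_entropy_bits(salt):.2f} bits")
    for frac in (0.25, 0.51, 0.9):
        print(f"{frac:.0%} of users covered after {guesses_to_cover(salt, frac)} salts "
              f"({effective_bits_for_fraction(salt, frac):.2f} bits)")
```

With these toy tables the two-field salt has 16 possible values (4 nominal bits) but only 3 bits of min-entropy, and five precomputed salts already cover more than half the population. Extending the same calculation to the name, birthdate and city counts quoted in #11, with realistic frequency tables, is what produces the "majority under 20 bits" kind of estimate in #13: it is the skew, not the table size, that sets the attacker's cost.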
intron
Sr. Member
****
Offline Offline

Activity: 427
Merit: 251


- electronics design|embedded software|verilog -


View Profile
July 15, 2014, 06:04:08 PM
 #14


Thanks, very useful.