Bitcoin Forum
Author Topic: Brain wallet, step-by-step guide (FIXED!)[Mod note: DO NOT USE BRAINWALLETS]  (Read 7076 times)
ArcCsch (OP)
December 18, 2016, 05:59:34 AM
Last edit: January 06, 2017, 12:27:18 AM by ArcCsch
 #1

(1)
Download the generator from https://bitcoinpaperwallet.com/, open it and skip randomness generation:

(2)
Use a strong passphrase, enter it into the "brain-wallet" box, add a backslash, and add a salt (something you can easily remember but is quite unique, to prevent hackers from going after everyone at once, such as your name or phone number). Type the same thing into the BIP38 encryption field:

(3)
Copy the encrypted private key (6PRUVtdGSuoypYyf2hAWukGzZVrtE2b89QrXXyVXuVHRQgWA8oj4N9fumC) to the "brain-wallet" box, turn off BIP38, and create the wallet:

(4)
Use this as your brain wallet; it is more secure than a regular brain wallet because BIP38 key-stretching prevents hackers from searching quickly, and the salting in step 3 prevents hackers from attacking everyone at once.
Note that this is a way to improvise on existing software to create a secure brain wallet; a better solution would be software that automatically uses scrypt stretching for brain wallets, but this is not currently available.
EDIT: Use Warp Wallet.
Also, don't use any suggestion (especially one from a n00b like myself) for large amounts of Bitcoin until it has been adequately peer-reviewed.

If you don't have sole and complete control over the private keys, you don't have any bitcoin!  Signature campaigns are OK, zero tolerance for spam!
1JGYXhfhPrkiHcpYkiuCoKpdycPhGCuswa
OmegaStarScream
Staff
December 18, 2016, 03:03:12 PM
 #2

I believe that your birth date, your name or your phone number are the first things that a hacker would try to use before trying to crack/brute anything, so I don't really see how this could be more secure than anything else. Using a random password, on the other hand, or something that makes no sense to you, may be very hard to remember over the years and you could end up losing your coins.

piotr_n
December 18, 2016, 03:40:07 PM
 #3

All fine, but which part of this guide is actually making it "strong"? Smiley

Perhaps I can link to my other post from this forum:
https://bitcointalk.org/index.php?topic=1690812.msg17129122#msg17129122

Personally I prefer brain wallets, because I'm paranoid about having a physical backup of my keys.
But a strong password is the key to the security here - and there are many attack vectors on passwords.
Plus obviously a way to never forget it, while not having it written anywhere.

Check out gocoin - my original project of full bitcoin node & cold wallet written in Go.
PGP fingerprint: AB9E A551 E262 A87A 13BB  9059 1BE7 B545 CDF3 FD0E
achow101
Moderator
December 18, 2016, 04:44:23 PM
 #4

It is highly NOT RECOMMENDED to use brainwallets. Humans are a horrendously low source of entropy. There are multiple research papers and programs that show that brainwallets are horribly insecure and easily cracked as what you think is a strong password probably is not a strong password.

BIP 38 paper wallets will not be particularly helpful here. It only protects against someone stealing your paper wallet and trying to get the keys. BIP 38 does not protect against someone just guessing the password you used to create your brainwallet.

CIYAM
December 18, 2016, 04:49:12 PM
 #5

It is highly NOT RECOMMENDED to use brainwallets. Humans are a horrendously low source of entropy. There are multiple research papers and programs that show that brainwallets are horribly insecure and easily cracked as what you think is a strong password probably is not a strong password.

And yet if you look here: https://blockchain.info/address/1Au4v6dZacFVsWXeKUMJd99AtyBZeqti2L

1 BTC that has been there since 2012 is still there - I posted about this here: https://bitcointalk.org/index.php?topic=885616.0

It certainly isn't a simple thing to create an effective brainwallet but it also certainly isn't impossible (as I've demonstrated for four years).

With CIYAM anyone can create 100% generated C++ web applications in literally minutes.

GPG Public Key | 1ciyam3htJit1feGa26p2wQ4aw6KFTejU
btchris
December 18, 2016, 05:29:16 PM
 #6

It is highly NOT RECOMMENDED to use brainwallets. Humans are a horrendously low source of entropy. There are multiple research papers and programs that show that brainwallets are horribly insecure and easily cracked as what you think is a strong password probably is not a strong password.

And yet if you look here: https://blockchain.info/address/1Au4v6dZacFVsWXeKUMJd99AtyBZeqti2L

1 BTC that has been there since 2012 is still there - I posted about this here: https://bitcointalk.org/index.php?topic=885616.0

It certainly isn't a simple thing to create an effective brainwallet but it also certainly isn't impossible (as I've demonstrated for four years).

That last sentence is rather important, and usually gets lost in the noise.

It's not a question of whether or not it's theoretically possible to create a safe brain wallet, it's one of whether or not it's a wise idea to promote them.

I've no problem if CIYAM wants to create a brain wallet because he's demonstrated that he generally knows what he's talking about, and is willing to accept the risks.

I've a big problem with OP (or anyone else for that matter) promoting brain wallets in general because of the damage it can cause. This is further compounded by the fact that most people (I'm no exception) tend to overestimate their knowledge of a subject they haven't thoroughly studied ("maybe someone else will choose a bad brain wallet, or forget their brain wallet due to a wetware malfunction, but surely I'm smart enough to avoid these problems").

In short: please don't use brain wallets. Please don't promote them (that includes you, CIYAM).
CIYAM
December 18, 2016, 05:45:58 PM
 #7

In short: please don't use brain wallets. Please don't promote them (that includes you, CIYAM).

I haven't "promoted" the use of brain wallets but have simply stated (and have proven) that they "can be safe" as I think it is not reasonable for people to constantly state that *no brainwallet can be safe* due to being a human being (but I won't deny that perhaps for the vast majority it is probably not going to be safe).

I am considering moving that 1 BTC and then revealing the brainwallet passphrase that was used, as an illustration of how one might go about creating such a thing (but I will not be *recommending* that others do this).

ArcCsch (OP)
December 18, 2016, 05:51:54 PM
 #8

The purpose of this thread is to create a way to make brain wallets more secure using the BIP38 key stretching algorithm. I, however, bungled it, and the instructions are not nearly as secure as they can be. I am surprised that peer review did not adequately explain this vulnerability; I will fix the instructions as soon as possible. They are still more secure than the normal brain wallet.

btchris
December 18, 2016, 06:05:40 PM
 #9

I haven't "promoted" the use of brain wallets but have simply stated (and have proven) that they "can be safe" as I think it is not reasonable for people to constantly state that *no brainwallet can be safe* due to being a human being (but I won't deny that perhaps for the vast majority it is probably not going to be safe).

I am considering moving that 1 BTC and then revealing the brainwallet passphrase that was used, as an illustration of how one might go about creating such a thing (but I will not be *recommending* that others do this).

I appreciate that you don't explicitly promote brain wallets, but you must admit that you did post a response in a thread that was started by OP to promote a "good" way of creating brain wallets (it wasn't) showing that your brain wallet was still safe as pro-brain-wallet evidence. Depending on how some will read that response, it could be misinterpreted as a general promotion of brain wallets (how many people will follow your link and read that entire thread? or even read the context in this thread?).... that was my complaint.
piotr_n
December 18, 2016, 09:53:59 PM
 #10

There are multiple research papers and programs that show that brainwallets are horribly insecure and easily cracked as what you think is a strong password probably is not a strong password.
Please don't use words like "horribly" or "probably" trying to discuss technical issues.

Please refer me to the multiple research papers (and programs) you've mentioned.

I am able to discuss technical aspects (numbers, codes, algorithms) and science behind them.
I am not, however, willing to argue with your emotions or beliefs.

I use brain wallets myself, have been for years.
For me they are more secure, reliable and convenient than wallets which require to be stored and backed up.

achow101
Moderator
December 18, 2016, 10:52:05 PM
 #11

Please don't use words like "horribly" or "probably" trying to discuss technical issues.
Why? I understand not using probably (I thought this was in beginners and help so it was primarily as a warning to noobs) but what is wrong with "horribly insecure"?

Please refer me to the multiple research papers (and programs) you've mentioned.
Cracking programs:

Research:

I am able to discuss technical aspects (numbers, codes, algorithms) and science behind them.
I am not, however, willing to argue with your emotions or beliefs.
This is not just something that I believe or my emotions. Many other people in the Bitcoin technical area have discussed how brainwallets are insecure and not recommended for general use. Off the top of my head, I know that greg and theymos have discussed this before.

I use brain wallets myself, have been for years.
For me they are more secure, reliable and convenient than wallets which require to be stored and backed up.
It is possible to securely use brainwallets, but it should not be something that is recommended to newbies and those who do not understand technical aspects of Bitcoin IMO.

Evil-Knievel
December 18, 2016, 11:03:48 PM
 #12

I have my entire BTC holdings in brain wallets, there is no safer place for them imho.
piotr_n
December 18, 2016, 11:16:42 PM
Last edit: December 18, 2016, 11:49:48 PM by piotr_n
 #13

Please don't use words like "horribly" or "probably" trying to discuss technical issues.
Why? I understand not using probably (I thought this was in beginners and help so it was primarily as a warning to noobs) but what is wrong with "horribly insecure"?
Because how can anyone objectively disagree (or agree) with a complexity of a technical challenge described by such words?

Do you even understand that cracking a brain-wallet's seed password is a serious technical challenge?

Which tool/approach would you have chosen to crack my brain wallet?

Quote
It is possible to securely use brainwallets, but it should not be something that is recommended to newbies and those who do not understand technical aspects of Bitcoin IMO.

Which is exactly why guides like this can be very useful.
Unlike dogmatic statements based on someone's beliefs, basically coming down to: don't use a brain wallet, because you are too stupid to make a proper password.
IMHO, there is nothing more stupid (or arrogant) than assuming that all the other people are stupid, except greg and theymos Smiley

piotr_n
December 18, 2016, 11:29:34 PM
 #14

I actually read it quite often and I always ignore it, but it was always upsetting me.

People saying basically "I know what I am talking about, don't use a brain wallet and if you do don't come to me crying after you lose your bitcoins".

I just wonder whether in such case people can come to you crying when they used a non-brain wallet and then either lost it because they had no backup or because someone stole their (backup) wallet file.
Can they?

Evil-Knievel
December 18, 2016, 11:31:53 PM
 #15

I actually read it quite often and I always ignore it, but it was always upsetting me.

People saying basically "I know what I am talking about, don't use a brain wallet and if you do don't come to me crying after you lose your bitcoins".

I just wonder whether in such case people can come to you crying when they used a non-brain wallet and then either lost it because they had no backup or because someone stole their (backup) wallet file.
Can they?


If you like you can take a look at my brain wallet.
It will even try to sign and verify a message to ensure that the generated key is working fine: https://github.com/OrdinaryDude/brain-wallet
piotr_n
December 18, 2016, 11:33:38 PM
 #16

No thanks, I have my own.

I don't trust other people with their wallet software - no matter if it would be a brain wallet, a core wallet or a hardware wallet. Smiley

Evil-Knievel
December 18, 2016, 11:34:57 PM
 #17

No thanks, I have my own.

I don't trust other people with their wallet software - no matter if it would be a brain wallet, a core wallet or a hardware wallet. Smiley

This is the best attitude Wink! That's why I have created my own as well.
piotr_n
December 19, 2016, 12:10:32 AM
 #18

Cracking programs:

Research:

Sorry mate, but I've gone through these programs and "research" papers and I must say that if they have any value then it's more entertaining than scientific.

Let me just refer to the last one from the list - this is their "conclusion" section:
Quote
As an example application of this research, we have been able to crack thousands of passwords including some quite difficult ones. Our research demonstrates again that brain wallets are not secure and no one should use them.

And this is the list of the "quite difficult ones" that they are so proud of cracking:
Quote
1. say hello to my little friend
2. to be or not to be
3. Walk Into This Room
4. party like it’s 1999
5. yohohoandabottleofrum
6. dudewheresmycar
7. dajiahao
8. hankou
9. {1summer2leo3phoebe
10. 0racle9i
11. andreas antonopoulos
12. Arnold Schwarzenegger
13. blablablablablablabla
14. for the longest time
15. captain spaulding

I mean, seriously? Smiley
What kind of idiot do you think would choose any of the above passwords to protect his life's savings?

philipma1957
December 19, 2016, 05:23:11 AM
 #19

Cracking programs:

Research:

Sorry mate, but I've gone through these programs and "research" papers and I must say that if they have any value then it's more entertaining than scientific.

Let me just refer to the last one from the list - this is their "conclusion" section:
Quote
As an example application of this research, we have been able to crack thousands of passwords including some quite difficult ones. Our research demonstrates again that brain wallets are not secure and no one should use them.

And this is the list of the "quite difficult ones" that they are so proud of cracking:
Quote
1. say hello to my little friend
2. to be or not to be
3. Walk Into This Room
4. party like it’s 1999
5. yohohoandabottleofrum
6. dudewheresmycar
7. dajiahao
8. hankou
9. {1summer2leo3phoebe
10. 0racle9i
11. andreas antonopoulos
12. Arnold Schwarzenegger
13. blablablablablablabla
14. for the longest time
15. captain spaulding

I mean, seriously? Smiley
What kind of idiot do you think would choose any of the above passwords to protect his life's savings?


Those are pretty weak.

achow101
Moderator
December 19, 2016, 05:41:08 AM
 #20

I mean, seriously? Smiley
What kind of idiot do you think would choose any of the above passwords to protect his life's savings?
Clearly multiple people chose those passwords to protect some amount of Bitcoin.

The point is that people think those passwords are strong passwords because online password checkers say that those passwords are strong. If you are recommending people to use brainwallets, they are likely to use those types of passwords thinking that they are strong passwords when in actuality they are not.

piotr_n
December 19, 2016, 09:08:18 AM
Last edit: December 19, 2016, 09:24:23 AM by piotr_n
 #21

I mean, seriously? Smiley
What kind of idiot do you think would choose any of the above passwords to protect his life's savings?
Clearly multiple people chose those passwords to protect some amount of Bitcoin.
Or for a different reason.
E.g. to research brain wallets.

This "research" paper does not say how many bitcoins they have collected as the result of cracking brain wallets.
The logical assumption is: because they haven't collected any significant amount, even though they "have been able to crack thousands of passwords including some quite difficult ones".
Because (most likely) they only cracked the passwords that nobody really cared about in the first place.
Proving only how silly the conclusion from their paper is.


Quote
The point is that people think those passwords are strong passwords because online password checkers say that those passwords are strong. If you are recommending people to use brainwallets, they are likely to use those types of passwords thinking that they are strong passwords when in actuality they are not.
Your claim would be true, if you had found at least one person who thinks that "those passwords are strong".
Otherwise it's just what you believe.

I will tell you what.
If you want to prove your point, all you need to do is take any password from the list (e.g. " say hello to my little friend"), find the address it came down to and see how many coins this address ever carried, for a longer period of time. If it was a significant amount, then you are right and I am wrong.
It's all in the blockchain - be my guest.

Alternatively, you can contact the authors of this paper and just ask them how many bitcoins they found on the addresses they cracked.
Tell them that there is a guy on bitcointalk.org who claims that they are a fraud and you are trying to clear their names... Smiley

CyberKuro
December 19, 2016, 02:19:59 PM
 #22

Please don't use words like "horribly" or "probably" trying to discuss technical issues.
Why? I understand not using probably (I thought this was in beginners and help so it was primarily as a warning to noobs) but what is wrong with "horribly insecure"?
Because how can anyone objectively disagree (or agree) with a complexity of a technical challenge described by such words?

Do you even understand that cracking a brain-wallet's seed password is a serious technical challenge?

Which tool/approach would you have chosen to crack my brain wallet?

Quote
It is possible to securely use brainwallets, but it should not be something that is recommended to newbies and those who do not understand technical aspects of Bitcoin IMO.

Which is exactly why guides like this can be very useful.
Unlike dogmatic statements based on someone's beliefs, basically coming down to: don't use a brain wallet, because you are too stupid to make a proper password.
IMHO, there is nothing more stupid (or arrogant) than assuming that all the other people are stupid, except greg and theymos Smiley

A brainwallet refers to the concept of storing Bitcoins in one's own mind by memorizing a mnemonic recovery seed
I just found out about this kind of wallet, looks interesting. Need to learn about it later.
Yes, it's so hard to crack a brain wallet as the seed is memorized by the owner.
But, you still have to write it down, right? Just in case, because > If a brainwallet is forgotten or the person dies or is permanently incapacitated, the Bitcoins are lost forever.
DannyHamilton
December 19, 2016, 02:44:17 PM
 #23

Generally, my assumption is that when an otherwise intelligent person advocates for brainwallets, it's because they are hoping that foolish people with weak passphrases will store significant sums of bitcoin that they can later steal.

If you want to personally use a brainwallet. Go ahead.  None of us are stopping you. However, if you are going to advocate for them, then foolish people will read what you write and will lose money.

Anecdotal evidence (such as examples of brain wallets that haven't yet been cracked) isn't proof of anything.  The fact that something hasn't been broken yet is not proof that it can't be broken. I'd think that would be obvious.
Evil-Knievel
December 19, 2016, 02:56:34 PM
 #24

I am really surprised by the collective refusal of brain wallets. It all started roughly two years ago when suddenly a secret society of crypto guys started a war on brain wallets ... including popular ones like brainwallet.org that I had used thoroughly back then.
I guess it would be sufficient to just clearly state that the "passphrase" has to be unique and not "guessable" by anyone else, but that would be just too simple, wouldn't it?

I have personally lost BTC that were stored in my mobile wallet (when my mobile was "borrowed" by a worthless asshat in the subway).
I have lost BTC that were stored in a wallet.dat when my SSD suddenly failed.
I have lost BTC that were stored in a wallet.dat when I accidentally typed rm -rf / into the console.
But I am yet to lose any of my BTC that I have stored in a brain wallet.

People have tried to convince me to store it in an online wallet (where the owner may pull off Houdini's magic disappearance act anytime) or on a crappy 100$ SSD (whose failure is a Poisson distribution around its END-OF-LIFETIME point) before, but that's not gonna happen!

Saying "all brainwallets will be emptied" is just as wrong as claiming that "alternative storage methods" are fool-proof.
DannyHamilton
December 19, 2016, 04:30:33 PM
 #25

- snip -
just clearly state that the "passphrase" has to be unique and not "guessable" by anyone else, but that would be just too simple, wouldn't it?

Yes.  That would DEFINITELY be "just too simple".

I have personally lost BTC, that were stored in my mobile wallet (when my mobile was "borrowed" by a worthless asshat in the subway).

You didn't have a backup?

I have lost BTC that were stored in a wallet.dat when my SSD suddenly failed.

You didn't learn your lesson and create a backup?

I have lost BTC that were stored in a wallet.dat when I accidentally typed rm -rf / into the console.

You STILL didn't learn your lesson and store a backup?

How can someone that is incapable of learning to backup valuable data (and careless enough to type "rm -rf /" into the console of the sole computer storing their wallet) think that they would be any good at all at choosing a secure brainwallet?

Oh, wait. I know...
It's the Dunning-Kruger effect isn't it?  Which is just one more reason to discourage brainwallet use.

But I am yet to lose any of my BTC that I have stored in a brain wallet.

"Yet" being the key word in that sentence.  You could have said the exact same thing about your mobile wallet seconds before it was "borrowed".  You could have said the exact same thing about your wallet.dat seconds before the SSD died and seconds before you typed "rm -rf /".

People have tried to convince me to store it in an online wallet (where the owner may pull off Houdini's magic disappearance act anytime)

Not anyone that knows what they're talking about.  Perhaps some newbies or other unknowledgeable individuals.

or on a crappy 100$ SSD (whose failure is a Poisson distribution around its END-OF-LIFETIME point) before, but that's not gonna happen!

You really need to learn the concept of secure backups.

Saying "all brainwallets will be emptied" is just as wrong as claiming that "alternative storage methods" are fool-proof.

I've never said that "all brainwallets will be emptied".  I'm confident though in saying that MOST people that think a brainwallet is a good idea for themselves are making a bad decision.
Evil-Knievel
December 19, 2016, 05:30:57 PM
 #26

Quote
You really need to learn the concept of secure backups.

I highly doubt that there is such a thing as a secure backup.

You back up in the cloud? Big brother and his 3rd party affiliates are watching you!
You back up on an external hard disk? What if your place gets robbed? What if it burns down?
You back up on a "safe" RAID? Have fun if the RAID controller totals itself.
You back up in several redundant places? With every place the potential attack vectors for thieves and/or social engineers increase.
You have a perfect encrypted non-flammable never-failing backup? Big brother can still subpoena you to decrypt your stuff.

Doesn't sound "secure" to me after all.

Regards
Dunning-Kruger
ryanc
December 19, 2016, 05:36:41 PM
 #27

I was asked by someone to comment here, since I wrote brainflayer and have coauthored two papers about brainwallet cracking.

I am really surprised by the collective refusal of brain wallets. It all started roughly two years ago when suddenly a secret society of crypto guys started a war on brain wallets ... including popular ones like brainwallet.org that I have used thoroughly back then.

Haven't I seen you posting https://bitcointalk.org/index.php?topic=421842.0 in the past about cracking bitcoin keys? Hard to tell, since you've tried to purge your old posts, but your motivation here is highly suspect.

What motivation do you think us "crypto guys" have for trying to prevent people from using brainwallets, other than to save people from themselves?

This "research" paper does not say how many bitcoins they have collected as the result of cracking brain wallets.

You didn't read the paper, then. Threads on bitcoin talk where people are bragging about cracking brain wallets are listed. Hundreds of BTC have been taken.

I have personally had correspondence with people who have lost over 100BTC due to forgetting their brainwallet passphrase. I spoke on the phone with someone who lost about 47k ether from a brainwallet.

If someone wants to store bitcoin using a memorized secret, they should use BIP39, optionally combined with BIP32, and use spaced repetition to memorize the seed.

If you absolutely insist on coming up with a passphrase yourself and storing bitcoin with it, go use WarpWallet with your email address, name, or phone number as a salt. It's several orders of magnitude more secure against cracking, and multiple independent implementations of the algorithm exist.
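
The salted, stretched derivation ryanc points to, as an added example (not code from any poster in this thread and not WarpWallet's own code): it puts the classic SHA-256 brainwallet beside a WarpWallet-style scrypt+PBKDF2 derivation, using one of the cracked phrases quoted earlier in the thread and constructed sample salts, and checks that the result is a usable secp256k1 private key. With the real parameters one derivation needs roughly 256 MiB of RAM and a second or two, which is the point: that cost is paid per guess.

```python
"""Plain brainwallet vs. salted, stretched derivation (WarpWallet-style).

Added example, not code from the thread or from the WarpWallet project.
A salt gives every user a different key for the same passphrase, so one
precomputed table of hashed phrases no longer covers everyone, and a
memory-hard KDF makes each guess cost a scrypt run instead of one SHA-256.
"""
import hashlib
import time

# WarpWallet's published parameters (keybase/warpwallet): scrypt N=2^18, r=8,
# p=1 and PBKDF2-HMAC-SHA256 with 2^16 iterations, 32-byte outputs, XORed.
WARP_SCRYPT_N = 2 ** 18
WARP_SCRYPT_R = 8
WARP_PBKDF2_ITERS = 2 ** 16

# Order of the secp256k1 group: a usable private key is an integer in [1, N-1].
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def plain_brainwallet_key(passphrase: str) -> bytes:
    """Classic brainwallet: private key = SHA-256(passphrase).
    No salt and no stretching: one guess costs one hash, and a single table of
    hashed phrases covers every user of the scheme at once."""
    return hashlib.sha256(passphrase.encode("utf-8")).digest()


def warp_style_key(passphrase: str, salt: str, *,
                   scrypt_n: int = WARP_SCRYPT_N,
                   pbkdf2_iters: int = WARP_PBKDF2_ITERS) -> bytes:
    """WarpWallet-style derivation:
        s1  = scrypt(passphrase||0x01, salt||0x01, N, r=8, p=1, 32 bytes)
        s2  = PBKDF2-HMAC-SHA256(passphrase||0x02, salt||0x02, c, 32 bytes)
        key = s1 XOR s2
    scrypt_n / pbkdf2_iters default to the real parameters; they are exposed
    only so the scheme can be exercised cheaply in a test."""
    pw = passphrase.encode("utf-8")
    sl = salt.encode("utf-8")
    # scrypt needs about 128 * N * r bytes of RAM (256 MiB at N=2^18, r=8);
    # hashlib's default cap is 32 MiB, so raise the limit to fit.
    s1 = hashlib.scrypt(pw + b"\x01", salt=sl + b"\x01",
                        n=scrypt_n, r=WARP_SCRYPT_R, p=1,
                        maxmem=256 * scrypt_n * WARP_SCRYPT_R, dklen=32)
    s2 = hashlib.pbkdf2_hmac("sha256", pw + b"\x02", sl + b"\x02",
                             pbkdf2_iters, dklen=32)
    return bytes(a ^ b for a, b in zip(s1, s2))


def is_valid_private_key(key: bytes) -> bool:
    """A 32-byte string is only a valid secp256k1 private key if it lies in
    [1, N-1]; a wallet must check this before deriving an address."""
    k = int.from_bytes(key, "big")
    return 0 < k < SECP256K1_N


def time_one_guess(fn, *args) -> float:
    """Wall-clock seconds for one derivation: the per-guess cost an attacker
    pays, which is exactly what key stretching is meant to raise."""
    t0 = time.perf_counter()
    fn(*args)
    return time.perf_counter() - t0


if __name__ == "__main__":
    # "to be or not to be" is one of the cracked phrases listed in the thread.
    phrase = "to be or not to be"
    plain = plain_brainwallet_key(phrase)
    print("plain SHA-256 key :", plain.hex())
    print("valid scalar      :", is_valid_private_key(plain))
    print("cost of one guess : %.6f s" % time_one_guess(plain_brainwallet_key, phrase))

    # Two constructed sample salts, same passphrase: two unrelated keys.
    for salt in ("alice@example.com", "bob@example.com"):
        key = warp_style_key(phrase, salt)
        print("salt %-18s -> %s" % (salt, key.hex()))
    print("cost of one guess : %.3f s" % time_one_guess(warp_style_key, phrase, "alice@example.com"))
```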

piotr_n
December 19, 2016, 07:43:06 PM
Last edit: December 19, 2016, 08:15:24 PM by piotr_n
 #28

your motivation here is highly suspect.

[...]

What motivation do you think us "crypto guys" have for trying to prevent people from using brainwallets, other than to save people from themselves?

Your motivation is pretty obvious and I think I already said that.
You are trying to say that the "people" are too stupid to make a password that you "crypto guys" cannot crack.
And what other reason for that if not to indulge one's poor ego?
Well, you are wrong. And we are here to help them by proving that you are wrong - that is our motivation.
Maybe not because we care about them, but because we love proving arrogant people wrong. Smiley

Crack my password, mr crypto guy, if you are as smart as you are pretending to be.
It holds thousands of bitcoins - that should be enough of the motivation.

Check out gocoin - my original project of full bitcoin node & cold wallet written in Go.
PGP fingerprint: AB9E A551 E262 A87A 13BB  9059 1BE7 B545 CDF3 FD0E
piotr_n
December 19, 2016, 07:59:52 PM
 #29

Also, if you would not mind sharing, what does it actually take to become a "crypto guy"?

I am not asking because I want to become one.
I am asking because I do not want to be associated with a "crypto science" like yours.
I prefer a "crypto practice" - so whatever else you do not do, will likely also work for me Smiley

DannyHamilton
December 19, 2016, 08:15:12 PM
 #30

Also, if you would not mind sharing what does it actually take to become a "crypto guy"?

Ask Evil-Knievel.  It was his term.  That's why ryanc put it in quotes when he used it:

- snip -
roughly two years ago when suddenly a secret society of crypto guys started a war on brain wallets
- snip -

DannyHamilton
December 19, 2016, 08:20:50 PM
 #31

You are trying to say that the "people" are too stupid to make a password that you "crypto guys"  cannot crack.

The problem with brainwallets isn't just the possibility that "crypto guys" might crack them.  It's also that they generally have insufficient entropy and are therefore significantly more risky.

That might mean being cracked by a hacker, or "crypto guy", but it also might just mean that another of the billions of humans on the planet could end up making the same choices as you.  

And what other reason for that if not to indulge one's poor ego?

Perhaps to help protect others from experiencing preventable losses?

Maybe not because we care about them,

Clearly.

Crack my password, mr crypto guy, if you are as smart as you are pretending to be.
It holds thousands of bitcoins - that should be enough of the motivation.

"Cracking your password" doesn't require intelligence.  It just requires that someone somewhere has the same misconceptions as you.
piotr_n
December 19, 2016, 08:22:34 PM
Last edit: December 19, 2016, 10:25:56 PM by piotr_n
 #32

Ask Evil-Knievel.  It was his term.  That's why ryanc put it in quotes when he used it:
Whatever - it's just silly joking.

But you are wrong, @Danny, because the backup is a very weak and very fragile point of a wallet's security.
That's mostly why I choose a brain wallet.
Another is convenience - why would I have to carry a file with me if all I need is my brain?

And no, I do not have my passwords written anywhere.
However I do have some hints written down.
But they are designed in a way that only I can understand their meaning.
Actually, only I can understand that these are the hints.

Start using your brains - that's all I have to say.
Don't buy into the bullshit that your brain is not smart enough to make a password that other people's brains can't hack.

piotr_n
December 19, 2016, 11:54:53 PM
Last edit: December 20, 2016, 12:25:46 AM by piotr_n
 #33

I just want to add that I think that this is a very interesting topic and I wish we could just discuss it in a cold professional manner, putting emotions and dick measuring aside.

I wish we were able to discuss the complexity of cracking brain wallets and the important aspects around their security.

So why don't I start?

I think it would be fair to assume that the throttle is set by the EC function that multiplies a number representing a potential private key by the G point of the curve.
To simplify, let's put the times of any hashings aside - let's say they are zero.

In the library I currently use, my i7 Intel CPU needs about 120 nanoseconds to perform such an operation.
But it is obviously not the most optimal implementation - so let's assume that the optimal implementation is more than one million times faster than it: it can calculate 1 million public keys within 100 nanoseconds, which comes to 10000000000000 (1e13) operations per second.

Now, let's take a simple password - only lower-case characters: 'a' to 'z'.

For an 8-character-long password, at this speed of brute forcing, it would take 26^8/1e13 = 0.02 second (in the worst case) to find the password.
Meaning: you do not want to use an 8-character-long password - 8-character-long brain wallets are shit!
But it does not yet mean that all the brain wallets are not secure...

Because, what would the time be for a 16-character-long password?
Well, the number is 26^16/1e13/3600/365 = 3318 years.

How about a 32-character password?
According to my calculator, 26^32/1e13/3600/365 equals 144727736474009759620915358 [years] - I'm sure we don't have that much time.

This is a 32-character-long password, with only lower-case letters ('a' to 'z')!

And here we come to the point.
Some people out there are saying that they can program software to predict what my brain had been thinking while generating the 32-character-long password.
They are going to use dictionaries and all kinds of techniques to only check the sequences that my brain would think of, skipping those that it would not...
And this software will be so efficient that it will simplify the problem by about 144727736474009759620915358 times, so they can find my password within a year.
Right!
I am really dying to learn about these breakthrough techniques and their ingenious algos.
Because what I have seen so far is only making me say: spare your efforts, little boys, before you shit yourself trying. Smiley
And forgive me for concluding with this humorous metaphor.

Now, please prove me wrong.

philipma1957
December 20, 2016, 12:35:33 AM
 #34

I mean, seriously? Smiley
What kind of idiot do you think would choose any of the above passwords to protect his life's savings?
Clearly multiple people chose those passwords to protect some amount of Bitcoin.

The point is that people think those passwords are strong passwords because online password checkers say that those passwords are strong. If you are recommending that people use brainwallets, they are likely to use those types of passwords thinking that they are strong passwords when in actuality they are not.

A six digit random number picker
A six letter word
A six digit random number picker
A six letter word

Is fairly strong.

Then put a copy of it in a safe deposit box

Then do it again with 24 different letters and numbers.

Combine the two giving you a 48 place password

Put the second set of 24 in a second safe deposit box.

I would like to see a program crack that.

ryanc
December 20, 2016, 02:13:58 AM
 #35

Now, please prove me wrong.

You're using math that assumes people generate their passphrases or passwords randomly. It is possible for people to do this. A small number of them do. The problem is that, as every database leak that's included hashed passwords has shown, the vast majority of people choose weak passwords. This is a problem, since brainwallets automatically leak what amounts to a hash immediately on use.

So yes, I believe that most people are not capable of choosing a password or passphrase that is sufficiently strong to use as a brainwallet, and there is a mountain of evidence to support me. This is not a matter of ego. I would not feel comfortable in my ability to come up with a password or passphrase that could not be cracked without a secure random number generator. Is it really so hard to believe that I, and others like me, genuinely want to help prevent people from losing money?

I am not saying "it's impossible to create a brainwallet that won't be cracked". My argument is that so many people are not able to evaluate whether their passwords or passphrases are strong enough that assisting them in creating a brainwallet is an act of gross negligence.
ArcCsch (OP)
December 20, 2016, 03:32:39 AM
 #36

Strong passphrases are very important, and many people choose weak ones, a famous example is the following:
how much wood could a woodchuck chuck if a woodchuck could chuck wood
Which results in:
1GjjGLYR7UhtM1n6z7QDpQskBicgmsHW9k
Someone put 250 BTC on that address, which was hacked by a white hat hacker, who tried to warn the owner (and did not simply take the coins; yes, people like this exist) by adding more and taking it back, but the owner did not notice, so the hacker traced the owner to a mining pool, found the owner's phone number, and called to explain... This lengthy story was presented at a DEFCON conference.

I think brain wallets should be strengthened by salting and by using key-stretching, as in BIP38; this would make hacking all but the weakest passphrases totally impractical.
With this post, I request that software developers include a new brain wallet generator, with separate boxes for passphrase and salt, and with some heavy key-stretching to slow down those hackers.
Something like this:
key=GenerateKey[scrypt[Hash[passphrase]||Hash[salt]]]

If you don't have sole and complete control over the private keys, you don't have any bitcoin!  Signature campaigns are OK, zero tolorance for spam!
1JGYXhfhPrkiHcpYkiuCoKpdycPhGCuswa
ryanc
December 20, 2016, 04:00:56 AM
 #37

1GjjGLYR7UhtM1n6z7QDpQskBicgmsHW9k
Someone put 250 BTC on that address, which was hacked by a white hat hacker, who tried to warn the owner (and did not simply take the coins; yes, people like this exist) by adding more and taking it back, but the owner did not notice, so the hacker traced the owner to a mining pool, found the owner's phone number, and called to explain... This lengthy story was presented at a DEFCON conference.

That was me.

Quote from: ArcCsch
I think brain wallets should be strengthened by salting and by using key-stretching, as in BIP38; this would make hacking all but the weakest passphrases totally impractical.
With this post, I request that software developers include a new brain wallet generator, with separate boxes for passphrase and salt, and with some heavy key-stretching to slow down those hackers.
Something like this:
key=GenerateKey[scrypt[Hash[passphrase]||Hash[salt]]]

WarpWallet does something like that. Using it with a salt and six diceware words (use actual dice!) should be sufficient unless you're Satoshi. I still strongly recommend against coming up with your own password or passphrase, and BIP39 + BIP32 is better for a number of other reasons.
ArcCsch (OP)
December 20, 2016, 04:36:27 AM
 #38

WarpWallet does something like that. Using it with a salt and six diceware words (use actual dice!) should be sufficient unless you're Satoshi. I still strongly recommend against coming up with your own password or passphrase, and BIP39 + BIP32 is better for a number of other reasons.
I checked Warp Wallet, and it appears that people still use passphrases like "a", " ", "correct horse battery staple" and "bitcoin".
You can't fix stupid, not even with key-stretching.

ryanc
December 20, 2016, 05:35:13 AM
 #39

You can't fix stupid, not even with key-stretching.

True, but you can mitigate it, at least to some extent. I probably should try getting WarpWallet to accept my patches again.
piotr_n
December 20, 2016, 10:29:09 AM
Last edit: December 20, 2016, 12:14:30 PM by piotr_n
 #40

Now, please prove me wrong.

You're using math that assumes people generate their passphrases or passwords randomly. It is possible for people to do this. A small number of them do. The problem is that, as every database leak that's included hashed passwords has shown, the vast majority of people choose weak passwords. This is a problem, since brainwallets automatically leak what amounts to a hash immediately on use.

So yes, I believe that most people are not capable of choosing a password or passphrase that is sufficiently strong to use as a brainwallet, and there is a mountain of evidence to support me. This is not a matter of ego. I would not feel comfortable in my ability to come up with a password or passphrase that could not be cracked without a secure random number generator. Is it really so hard to believe that I, and others like me, genuinely want to help prevent people from losing money?

I am not saying "it's impossible to create a brainwallet that won't be cracked". My argument is that so many people are not able to evaluate whether their passwords or passphrases are strong enough that assisting them in creating a brainwallet is an act of gross negligence.

Of course I am using math - what else am I supposed to be using?
Math is the only objective language to describe the complexity of the problem. Or a lack of it, if you prefer...

Without the math we are only debating our beliefs.
What you are saying is that you believe people are not smart enough to think of a strong password.
However, you seem to believe that the same people are smart enough to secure their file system from hackers, plus to secure all the possible storage places (for the backup) from access by unwanted parties. Not to mention physical access to the actual storage.

Well this is where we disagree.

I believe it is much easier to come up with a password that no other person on earth can crack/think of than to find a file storage that no other person can access.

And is it really so hard to believe that I, and others like me, genuinely want to help prevent people from losing money?

And again: I wish we could discuss technical matters and numbers here (exactly the math), instead of playing politics on which demagogy is going to get a bigger applause.

So, coming back to "how much wood could a woodchuck chuck if a woodchuck could chuck wood" - obviously it is a very bad password.
It is not better than my 8-random-characters example.
Anything that can be searched in Google is a very bad password.
Even Tolkien's entire trilogy would be a bad idea to use as a brain wallet... unless you pick a set of words from the trilogy by a system that only you know and remember - such could be a very strong password.
Now, if you don't know the system by which I chose the words from a book, how can you possibly write software to crack it, even had you known the book?

Anyway, do you have any other "strong" passwords that you or anyone else has cracked?
Because so far I have not seen an example of a cracked password that I'd consider strong.

IMO, there is absolutely no backup to conclude that [any] "research demonstrates [again] that brain wallets are not secure and no one should use them".
This is a bunch of bollocks, and people claiming such nonsense, calling it research, are embarrassing themselves.

DannyHamilton
December 20, 2016, 05:33:10 PM
Last edit: December 27, 2016, 11:26:10 AM by gmaxwell
 #41

I wish we could discuss technical matters and numbers here (exactly the math), instead of playing politics on which demagogy is going to get a bigger applause.

That would be a lot easier if you'd take the time to actually read what was posted and not run off on a rant from taking a few words out of context.

For example:

You're using math that assumes people generate their passphrases or passwords randomly. It is possible for people to do this. A small number of them do. The problem is that, as every database leak that's included hashed passwords has shown, the vast majority of people choose weak passwords. This is a problem, since brainwallets automatically leak what amounts to a hash immediately on use.
Of course I am using math - what else am I supposed to be using?
Math is the only objective language to describe the complexity of the problem. Or a lack of it, if you prefer...

Without the math we are only debating our beliefs.

Seriously?  That's what you took from what ryanc wrote?  That he was complaining that you were using math?

Come on.  You're the one that keeps saying that you want to discuss technical details here.  Then pay attention to the details.

So yes, I believe that most people are not capable of choosing a password or passphrase that is sufficiently strong to use as a brainwallet, and there is a mountain of evidence to support me. This is not a matter of ego. I would not feel comfortable in my ability to come up with a password or passphrase that could not be cracked without a secure random number generator.
What you are saying is that you believe people are not smart enough to think of a strong password.

That's not what he's saying at all.

What he's saying is that really smart people understand the importance of entropy and the lack of entropy in their own minds.  Therefore, they tend to acknowledge that they are not capable of thinking of a strong password.  Those that are most likely to believe that their password is strong enough are the ones that are most likely to be wrong about that belief.  Not everyone.  Just most.  Perhaps you actually have come up with enough entropy in your brainwallet, but that doesn't mean you should encourage the average person to try.

And is it really so hard to believe that I, and others like me, genuinely want to help prevent people from losing money?

No.  I believe that you are trying to help.  I just believe that your advice is flawed, and that in your attempt to help, you are making things worse for the average person.


Even Tolkien's entire trilogy would be a bad idea to use as a brain wallet... unless you pick a set of words from the trilogy by a system that only you know and remember - such could be a very strong password.

Well, if that "system" was to use a good source of entropy to, at least a dozen times, choose a RANDOM page, and then a RANDOM word on that page, then perhaps.  Although some words occur FAR more frequently than others, so even that is a risky proposition.  If your "system" is to make a conscious choice about which pages and words to choose, then it sounds like a bad idea to me.
 
Now, if you don't know the system by which I chose the words from a book, how can you possibly write software to crack it, even had you known the book?

It's not that I can crack your specific wallet.  It's that if enough people do it, I can crack the AVERAGE user's wallet.  There will be outliers (perhaps including yourself), but on AVERAGE there will be a tendency to choose certain pages and certain words. It will be a bell shaped distribution, and the hacker will get the 80% of users that are closest to the mean.
piotr_n
December 20, 2016, 07:24:48 PM
Last edit: December 20, 2016, 07:36:52 PM by piotr_n
 #42

Quote
What he's saying is that really smart people understand the importance of entropy and the lack of entropy in their own minds.  Therefore, they tend to acknowledge that they are not capable of thinking of a strong password.  Those that are most likely to believe that their password is strong enough are the ones that are most likely to be wrong about that belief.  Not everyone.  Just most.  Perhaps you actually have come up with enough entropy in your brainwallet, but that doesn't mean you should encourage the average person to try.

Stop talking this nonsense about entropy.
What's this obsession you guys have with the entropy of brain wallets?
Entropy has nothing to do with it - the security of brain wallets is solely about complexity of breaking the password.

How much entropy does the EC multiply function give you?
Fucking zero!
Each time it calculates exactly the same public key, for the same private key.
And yet, all the bitcoin security is based on this zero-entropy calculation.
Why?
Because reversing this function is too complex for anyone to calculate the private key, from the public key.
Just like cracking a good brain wallet is too complex.

DannyHamilton
December 20, 2016, 07:51:08 PM
 #43

Stop talking this nonsense about entropy.
What's this obsession you guys have with the entropy of brain wallets?

You are the one that said that you wanted to talk about the technical details.  Now you want to skip the details and go with your opinion instead?

Entropy has nothing to do with it - the security of brain wallets is solely about complexity of breaking the password.

Nope.  It also is about the likelihood that someone else will choose something similar by coincidence.

How much entropy does the EC multiply function give you?
Fucking zero!
Each time it calculates exactly the same public key, for the same private key.
And yet, all the bitcoin security is based on this zero-entropy calculation.

Nope.  The security of bitcoin is based entirely on the entropy of the private key.  If you choose a truly random number between 1 and 115792089237316195423570985008687907852837564279074904382605163141518161494336 then the likelihood that someone else will choose (or find) the exact same number is close enough to impossible that it can be considered secure.

If you use a system with too little entropy, then the likelihood that someone else chooses (or finds) that exact same number increases.  There is a threshold where the likelihood becomes so great that it can no longer be considered secure.

Why?
Because reversing this function is too complex for anyone to calculate the private key, from the public key.
Just like cracking a good brain wallet is too complex.

This discussion has nothing to do with "reversing the function" or "calculating the private key from the public key".
piotr_n
December 20, 2016, 08:26:38 PM
 #44

It also is about the likelihood that someone else will choose something similar by coincidence.

Now you've made me intrigued: how is it possible that nobody has painted a second Mona Lisa, just by coincidence? Smiley

Quote
The security of bitcoin is based entirely on the entropy of the private key.  

What???
Man, you don't know what you are talking about.

If you don't understand that the security of ECDSA is all about complexity of reversing the EC multiply function, then we have nothing to discuss any further.

You're wasting my time and the time of people reading this topic.

DannyHamilton
December 20, 2016, 08:29:56 PM
 #45

Now you've made me intrigued: how is it possible that nobody has painted a second Mona Lisa, just by coincidence? Smiley

https://en.wikipedia.org/wiki/Mona_Lisa_replicas_and_reinterpretations  Smiley

If you don't understand that the security of ECDSA is all about complexity of reversing the EC multiply function, then we have nothing to discuss any further.

Finally, we can agree on something.

Certainly Bitcoin would be broken if it was possible to quickly calculate a private key from a given ECDSA public key.  However, without sufficient entropy in the selection of the private key, the security is lost before you ever even know the public key.

You're wasting my time and the time of people reading this topic.

One of us is.
piotr_n
December 20, 2016, 08:42:31 PM
 #46

Now you've made me intrigued: how is it possible that nobody has painted a second Mona Lisa, just by coincidence? Smiley

https://en.wikipedia.org/wiki/Mona_Lisa_replicas_and_reinterpretations  Smiley

If you don't understand that the security of ECDSA is all about complexity of reversing the EC multiply function, then we have nothing to discuss any further.

Finally, we can agree on something.

Certainly Bitcoin would be broken if it was possible to quickly calculate a private key from a given ECDSA public key.  However, without sufficient entropy in the selection of the private key, the security is lost before you ever even know the public key.

You're wasting my time and the time of people reading this topic.

One of us is.

You're embarrassing yourself.

ArcCsch (OP)
December 21, 2016, 07:48:47 AM
 #47

There are two different types of attacks on a cryptographic system; analytical attacks, and brute force.
Entropy protects against brute force, but not against analytical attacks.
A strong system is needed to guard against analytical attacks.

Entropy is necessary for security, but not sufficient.

piotr_n
December 21, 2016, 10:16:38 AM
 #48

Mind that entropy is just an abstract concept that basically quantifies the amount of chaos within a certain set of data.

Trust me: there is no chaos inside the data provided by the random number generators that you guys use and praise to be so much more secure than my brain.
Software-based (pseudo) random number generators follow an algorithm that is just a mathematical function which turns input data into pseudo-random numbers.
The input data for this function are things like: the current time, the content of your system's memory, the keys you're pressing on your keyboard, or your mouse cursor movements - that's it.

There are some implementations of hardware-based random number generators, which are supposed to provide real random numbers, but they are so shady that smart people would rather stick to the software solutions - pseudo-random number generators.
And why?
Because at least with the software PRNG they can audit the code and quantify the complexity of recovering the seed by an attacker.
Which is exactly where the security of the brain wallet is - in the complexity of recovering the seed by an attacker.

http://arstechnica.com/security/2013/12/we-cannot-trust-intel-and-vias-chip-based-crypto-freebsd-developers-say/

piotr_n
December 21, 2016, 10:33:00 AM
 #49

Every now and then we hear about people's coins getting lost because their wallet was using a fucked-up random number generator.

Fucking Google distributed a "secure" random number source to millions of Android devices, and it was only discovered through lost bitcoins that it was being initialised with a 31-bit seed.
They claimed that it was a bug, but who the hell knows - it might just as well have been a mistake by design.

How many more fuck-ups have to come out in PRNG implementations before you guys start considering the thesis that your brain combined with a simple sha256 hash might actually be a far better source of (pseudo) entropy than all of these corporate solutions that nobody is able to fully audit?

ArcCsch (OP)
December 26, 2016, 04:11:40 AM
 #50

Also, it makes little sense to talk about the entropy of a specific string, entropy is defined only for distributions.
If you pick a random list of ten words from a list of 6^5 words, the entropy is log2[6^50], which is 129.248125036 bits; if an attacker tries to brute force this, it would take, on average, more than 2^128 tries.
The specific passphrase "correct horse battery staple" for example, does not have a well defined entropy:
If each word is chosen at random from a large list, this particular sequence is very unlikely to be chosen, and the distribution would have high entropy; choosing a well-known password from a high-entropy distribution is very bad luck, and is about as likely as a brute-force attacker who starts at a random point and searches from there happening to crack your key in a very short time.
The more likely scenario is that it was copied from xkcd; this is a stupid thing to do because the distribution "first thing to come to mind when a passphrase is needed" has a very low entropy for most people, and yet, unfortunately, is how most people choose passwords.

TransaDox
December 26, 2016, 10:46:41 AM
 #51

Security is a trade-off between complexity and convenience. Binary arguments about security mean that your data might never get stolen but no-one uses the software - just ask PGP.

My opinion is that brain wallets aren't the most secure, but they are secure enough for many non-technical users. If it is a commercial service that is being offered, then there are other measures to mitigate the risk of loss, like insurance: an admission that it can occur, allowing compensation according to risk probability.
gmaxwell
Moderator
December 27, 2016, 11:25:23 AM
Merited by fillippone (2)
 #52

Brainwallets were literally invented by someone who was out to rip people off; no joke!

piotr_n: Errors like you talk about are what happen sometimes when technical experts given all the time in the world work on secure entropy.  What do you think will happen when you ask less technical end users to take care of it for themselves?

Predictable failure, that is what results. And, of course, if your crypto code is broken-- your security is toast anyways: your signatures will give away your key.

People _massively_ overestimate their ability to choose unguessable strings. They come up with absurd munging schemes that are easily predicted and exploited by attackers.  The result is that brainwallets cause funds loss _constantly_.

Why is it when it turns out that some website was using an unsalted hashing scheme to store their users' password hashes in a private database people pull out the torches about how incompetent the web developer is-- but when people construct brainwallet software which stores the user's hashed password in a PUBLIC database-- unsalted-- where every found password results in an irreversible theft of Bitcoin, some people fall over themselves to recommend it?

... because that is exactly what a brainwallet is doing:  A public key is a hash of the private key (with special homomorphic properties that makes it useful for signatures). When you use a brainwallet you are computing an unsalted password hash and sticking it in a public database along with the amount you can steal by cracking it.  Because they are unsalted, an attacker can target N users with ~O(1) effort just like any other unsalted password hash.
piotr_n
December 27, 2016, 11:40:47 AM
Last edit: December 27, 2016, 11:54:31 AM by piotr_n
 #53

piotr_n: Errors like you talk about are what happen sometimes when technical experts given all the time in the world work on secure entropy.  What do you think will happen when you ask less technical end users to take care of it for themselves?
By this logic: what do you think will happen if you ask an average John to secure his backup of the wallet file?

Is this a forum for Development & Technical Discussion - or not?
If it is, then why are you bringing politics into it?

If people _massively_ overestimate their ability to choose unguessable strings then shouldn't we be discussing and advertising methods of choosing unguessable strings?
Instead of not-discussing brain wallets at all, because you believe that people are too stupid to choose a password that cannot be "easily predicted and exploited by attackers".


I believe that a brain wallet is the most secure wallet for me - and I am putting my money behind it, because I use such wallets myself.
I am willing to share my knowledge of choosing complex enough passwords with anyone who wants to learn about the topic.
But I am not interested in arguing with your "research demonstrates again that brain wallets are not secure and no one should use them" propaganda, because I have no time for such bullshit.

Check out gocoin - my original project of full bitcoin node & cold wallet written in Go.
PGP fingerprint: AB9E A551 E262 A87A 13BB  9059 1BE7 B545 CDF3 FD0E
gmaxwell
December 27, 2016, 11:59:10 AM
 #54

The advice would be to have a computer generate it randomly.  (The next best advice is to choose it with dice, but it takes so many rolls to even get 128 bits that I have found that users don't actually comply with the procedure; a treatment that the patient will not follow is not a good treatment, no matter how perfect it is if used flawlessly.) Studying the result in practice isn't politics, it's science.  Developers are not magically anointed with an ability to not make these errors; they appear to be even more vulnerable: too quick to enamor themselves with fancy schemes but just as unable to really comprehend billions of attempts per second as any other human. It isn't a question of being stupid; I do not think I can securely use a brainwallet and I do not think I am stupid.
piotr_n
December 27, 2016, 12:01:50 PM
 #55

Also, nobody is talking about the advantages of (strong) brain wallets that actually make them more secure than PRNG-based wallets.

Besides the two I mentioned already:
- They don't rely on anyone's (publicly known) implementation of the "entropy"
- They don't require backups

There is more:
- They cannot be seized
- They don't need to be carried
- Their existence can be denied / can't be proven
- Even if someone can prove that a brain wallet had existed at some point in time, he's still unable to prove that you have not forgotten the password

These are mostly about legal security, but isn't Bitcoin's success itself exactly about it?
You see, in my opinion, the biggest enemy of the brain wallets should be the government.

gmaxwell
December 27, 2016, 12:09:10 PM
 #56

Also, nobody is talking about the advantages of (strong) brain wallets that actually make them more secure than PRNG-based wallets.

Besides the two I mentioned already:
- They don't rely on anyone's (publicly known) implementation of the "entropy"
Unless you never intend to sign a message they do... and they also depend on a human's easily predictable production of "entropy".

There are hundreds of millions of dollars worth of Bitcoin secured by the CSPRNG setup in Bitcoin Core. It is peer reviewed by quite a few subject matter experts. That is a pretty strong bit of auditing there, ... can you say the same for your scheme?

Quote
- They don't require backups
Human memory is very fallible.  We often just don't remember what we don't remember so we don't often realize how bad it is.   A fever, blow to the head, or other illness can easily kill single memories even of things you used frequently-- a brain wallet is the hardest kind to remember: to be secure it must be unusually random, and you should not be using it frequently (if you use it frequently, you will end up leaking it somehow) and being almost right is not good enough!

Backups are also easy if you don't need to redo them. They are practically free:  A small USB stick costs a few dollars, paper costs cents. You can make many backups and secure them with a weak password that your family also knows and really can never be forgotten-- but attackers with a FPGA farm in china cannot crack your password protected backed up wallet!

Quote
There is more:
- They cannot be seized
Equally true of a password protected backup wallet.  And both can be seized after finding evidence of you using them in the blockchain or on your computer and then liberally applying a hammer to your non-dominant hand.

Quote
- They don't need to be carried
Yes, this is perhaps the one advantage-- if you are a refugee who can literally carry _nothing_ without severe risk of losing it. But even there you would be much better off with a few backups of that key securely hidden back at home in case you do forget it and do someday find yourself in a place where you can pick it up.

Quote
- Their existence can be denied
- Even if someone can prove that a brain wallet had existed at some point in time, he's still unable to prove that you have not forgotten the password
Both equally true for an encrypted non-brainwallet.

Quote
You see, in my opinion, the biggest enemy of the brain wallets should be the government.
Brainwallets are irrelevant to the government-- they don't add any protection from a government except in the refugee case, but they are the friend of the coin thieves -- no surprise considering they were invented by one.

You seem to have ignored my point that a brainwallet is equivalent to storing an unsalted password hash in a public database. Do you consider that incompetent security?
piotr_n
Legendary
*
Offline Offline

Activity: 2053
Merit: 1354


aka tonikt


View Profile WWW
December 27, 2016, 12:13:50 PM
 #57

- They cannot be seized
Equally true of a password protected backup wallet.  And both can be seized after finding evidence of you using them in the blockchain or on your computer and then liberally applying a hammer to your non-dominant hand.

Sorry, I didn't mean that they cannot be seized by any type of government.
Mine isn't running a torture camp in Guantanamo - applying a hammer to my head would be illegal where I live.
Plus then I'd most definitely forget it.

gmaxwell
December 27, 2016, 12:18:04 PM
 #58

Sorry, I didn't mean that they cannot be seized by any type of government.
Mine isn't running a torture camp in Guantanamo - applying a hammer to my head would be illegal where I live.
Plus then I'd most definitely forget it.
Hand, not head, for that reason!  (Also, hitting people in the head tends to make them unconscious and then they can't answer. Hitting them in the hand is very painful but leaves them able to talk.)

Especially if you're not worried about torture-- use encryption! It also resists seizure in just the same way-- but: it works like a salted password hash stored privately. O(N*M) work to try N passwords for M people, and to even start you must steal a copy of the private data, which you have hopefully not posted in a public database.  If you want to generate it securely and _also_ attempt to memorize it, sure, knock yourself out; an extra backup doesn't hurt.
piotr_n
December 27, 2016, 12:21:25 PM
 #59

You seem to have ignored my point that a brainwallet is equivalent to storing an unsalted password hash in a public database. Do you consider that incompetent security?

Of course, a randomly generated and then password-encrypted wallet is by definition more secure than a brain wallet made from the same password.

But then you come back to the problem of choosing the secure password, don't you?
Which brings you back to the point that you need to learn about choosing secure passwords.
And after you learn to choose passwords that are secure enough, you might just as well use a brain-only solution.

gmaxwell
December 27, 2016, 12:27:06 PM
 #60

But then you come back to the problem of choosing the secure password, don't you?
Which brings you back to the point that you need to learn about choosing secure passwords.
Ah ha, but no-- the requirements for the password security are much lower.

With a brainwallet, the moment you use it everyone in the world can begin cracking it-- in parallel with all other keys they are cracking at no extra cost.  They can also apply precomputed rainbow tables to try many of the passwords they tested in the past against it-- at low cost. They also can see the bounty attached to it.

If a wallet is encrypted it has a salt and (hopefully) an expensive KDF. The attacker cannot attack multiple files in parallel. If the whole wallet is encrypted, they don't know what their payoff will be and most importantly they can't even begin cracking until they get the file.  The security becomes multi-factor: You must have the file and the passphrase.  Theft of the file may also be noticed, giving you time to react.

So if your passphrase is a little weaker than you intended it to be-- there is likely no great harm.
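The cost argument from gmaxwell's posts #52 and #60 (an unsalted hash in a public database versus a salted, slow KDF over a file the attacker must first obtain), as an added Python example that is not part of the thread. The users, passphrases and guess list are constructed, and the wallet wrapping is a toy construction rather than any real wallet format.

```python
import hashlib
import os
import secrets

# Constructed toy data: three users and their passphrases (not real keys).
USERS = {
    "alice": "toy passphrase alpha",
    "bob": "toy passphrase bravo",
    "carol": "toy passphrase charlie",
}
# Constructed guess list; only bob's passphrase appears in it.
GUESSES = ["password", "correct horse battery staple",
           "toy passphrase bravo", "letmein", "hunter2"]

KDF_ITERATIONS = 10_000  # deliberately low so the demo runs in well under a second


def brainwallet_pubkey(passphrase: str) -> bytes:
    """Classic brainwallet: key = SHA-256(passphrase), unsalted.
    The address derived from the key is published on-chain, so this stands in
    for the 'unsalted password hash in a public database' of the post."""
    return hashlib.sha256(passphrase.encode()).digest()


def encrypted_wallet(passphrase: str) -> dict:
    """Random key wrapped under a per-wallet salt and a slow KDF.
    Toy wrapping: XOR with the KDF output; a real wallet uses authenticated
    encryption. The 'check' lets the holder verify a candidate passphrase."""
    key = secrets.token_bytes(32)
    salt = os.urandom(16)
    kek = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, KDF_ITERATIONS)
    wrapped = bytes(a ^ b for a, b in zip(key, kek))
    check = hashlib.sha256(key).digest()[:4]
    return {"salt": salt, "wrapped": wrapped, "check": check}


def cost_unsalted_public(pubkeys: set, guesses: list) -> tuple:
    """Work to test a guess list against every brainwallet at once: one hash
    per guess, looked up in the set of all public keys. Returns (hash_ops, hits)."""
    ops = hits = 0
    for g in guesses:
        ops += 1
        if brainwallet_pubkey(g) in pubkeys:
            hits += 1
    return ops, hits


def cost_salted_private(wallets: dict, guesses: list) -> tuple:
    """Work to test the same guesses against salted, encrypted wallets the
    attacker has already obtained: one KDF call per (wallet, guess) pair.
    Returns (kdf_ops, hits)."""
    ops = hits = 0
    for w in wallets.values():
        for g in guesses:
            ops += 1
            kek = hashlib.pbkdf2_hmac("sha256", g.encode(), w["salt"], KDF_ITERATIONS)
            key = bytes(a ^ b for a, b in zip(w["wrapped"], kek))
            if hashlib.sha256(key).digest()[:4] == w["check"]:
                hits += 1
    return ops, hits


def compare(users: dict = USERS, guesses: list = GUESSES) -> dict:
    """Run both cost models on the same users and guesses; return the counts."""
    pubkeys = {brainwallet_pubkey(p) for p in users.values()}
    wallets = {u: encrypted_wallet(p) for u, p in users.items()}
    u_ops, u_hits = cost_unsalted_public(pubkeys, guesses)
    s_ops, s_hits = cost_salted_private(wallets, guesses)
    return {"unsalted_ops": u_ops, "unsalted_hits": u_hits,
            "salted_ops": s_ops, "salted_hits": s_hits}


if __name__ == "__main__":
    r = compare()
    print(f"public, unsalted : {r['unsalted_ops']} cheap hashes cover "
          f"{len(USERS)} users, {r['unsalted_hits']} hit")
    print(f"private, salted  : {r['salted_ops']} KDF calls of {KDF_ITERATIONS} "
          f"iterations each, {r['salted_hits']} hit")
```

With N users and M guesses the first loop costs M hashes and the second costs N*M slow KDF calls, and the second cannot even start until the wallet files have been stolen.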


piotr_n
December 27, 2016, 12:34:49 PM
Last edit: December 27, 2016, 01:16:21 PM by piotr_n
 #61

What we maybe should also mention here is a kind of wallet that actually requires a file, but the key to its existence is only in your brain.

A bit like a system with a book I mentioned before, but slightly different...

Think of a photo of your wife. A jpeg file would be good, as it has nice "entropy".
Now, think of two numbers - e.g. her birthday and age... or whatever big enough.
Then cut (from the file) the number of bytes expressed by the second number, from the file's offset expressed by the first number.
All you need for that is "dd" command. You can concat two or three such fragments, to increase security... Maybe even append some simple string (e.g. your last name) at the end of the extracted data...
Then get a 256-bit hash of it - that would be your master private key.


A photo of your wife you can have stored anywhere, even in the cloud - nobody is going to find it suspicious. Perhaps they will even let you have it in a prison.
But the key to the wallet is only in your brain.
Now, if nobody knows that the wife's picture is actually the wallet, there is no way to crack it.

This is just one of unlimited methods for making a secure brain wallet.
Just use your brain and imagination and you can create a very secure brain wallet, that no person on earth can crack, find or seize - while you always have it with you.
This is a security and convenience that no random generator based wallet will ever give you.

piotr_n
December 27, 2016, 01:37:13 PM
Last edit: December 27, 2016, 01:58:58 PM by piotr_n
 #62

But I still think that the brain wallets in the traditional sense of the word should be secure enough, if their owner only puts enough effort into their complexity and uniqueness.

Like the example I mentioned in the other thread: Make a poem and remember it.
Not a short poem, but it also doesn't need to be a very long one - a haiku might be long enough, although two haiku (one after another) would be much better.

Despite what some people might be claiming, there is no way to paint a second Mona Lisa just by coincidence.
Almost every human being (there might be some brain damaged ones) is able to create original artistic constructs inside his brain.
And the one thing computers can't do is artistic - the only way to crack an original poem is through brute forcing.
So, to make it even harder for dictionary-based, lexical-whatever-sf-enforced brute forcing, do not use the words as they are.
Modify the words inside your poem, using a system that only you know.
For example:
 - Use only the first and the last letter of each word
 - Skip words of certain lengths
 - Repeat some words or some characters
 - Use customised separation characters between the words (e.g. - | & * @)
 - Swap the letters (all or only two of them) inside each word
 - Add the salt (e.g. your name, phone number, your email's password) at the end, the beginning or (best) somewhere in the middle.
 - etc. etc. etc. - use your imagination - it's limitless!

Also: the last thing you should do is following the exact system I just described.
It was good, before I posted it, though.
Anyway, I hope you catch my point.


Mind that you can also combine one or more of the methods/techniques/systems, if you are still unsure about the security of a single one.
So for instance: the book, combined with the wife's photo, combined with the poem - even god himself armed with an MRI connected to your head won't crack that, if you don't screw it up.

piotr_n
December 27, 2016, 09:52:54 PM
Last edit: December 27, 2016, 10:45:22 PM by piotr_n
 #63

Excuse me posting the third time in a row, but I was rushing out in the morning and didn't have much time to write down all my thoughts.

Quote
Brainwallets were literally invented by someone who was out to rip people off; no joke!
Well, if it's not a joke, then let me explain how you are wrong.

Nobody invented brain wallets!

Perhaps there was a person who named it like that (nice naming, BTW), but he did not invent it!

Brain wallets are natural, just like using the fingers for picking your nose is natural.
You don't invent it - it's just there, ready to be used.

I use brain wallet not because someone showed it to me.
I use it because one day I found it to be a perfect method for creating a seed for a master private key of a bitcoin wallet.
And it didn't take a process - it was just a thought; a natural thought, like thinking of having a swim in a hot weather.

So please stop spreading such disinformation, because not only is it not helpful to anyone, but it's also not good for you.
Unless your goal is not to be perceived as a bitcoin scientist/technician, but rather as a bitcoin apostle/preacher.


EDIT:
In the other part of your argument, you mentioned that "rainbow tables" can be used to crack the brain wallets...
I mean, come on, man - are you kidding me?
There is no fucking way you don't know that rainbow tables are completely useless for cracking 256-bit hashes...
Why would you even bring such a term into the discussion?
What is a purpose of that if not trying to convince clueless people that your thesis is right, without providing any actual arguments?

EDIT2:
I have been fascinated with passwords-cracking ever since I was 20.
They almost kicked me out of the university, because of that.
But it wasn't my fault - I was just a kid harmlessly experimenting with stuff.
Back then, in the 90s, cracking unix account passwords was as easy as looking for the match inside the /etc/passwd file.
John the Ripper - is the software I will always remember. It's old school, but still great software.
I know very well how much progress has been made in the field for the past 20 years.
And today I choose brain wallet.  It's not preaching - it's experience.

I am not telling anyone what he should or should not do - I'm just telling him what I know.
Well, maybe I'm also preaching a bit: Believe in your brain and its limitless imagination - it's far more sophisticated than any PRNG invented by man.

EDIT3:
When I read about all these "research" papers and browse through slideshows from some DEFCON meetings - for me it's just some kids looking for attention, playing with 30-year-old technology, which they don't really understand. Had they understood it, they would have had much bigger respect for the very complex problem of cracking passwords. But all I see is an infant boasting and patronising with statements that have absolutely no technical backup.
You kids...

Danydee
January 02, 2017, 06:32:41 PM
 #64

I believe that your birth date, your name or your phone number are the first things that a hacker would try to use before trying to crack/brute anything, so I don't really see how this could be more secure than anything else. Using a random password, on the other hand, or something that makes no sense to you, may be very hard to remember over the years and you could end up losing your coins.
Yes, hackers use and have already used dictionary attacks in the past, so I think that it isn't necessary to use the same tool; you can simply use a transaction hash, BTC address, private key, a key issued on creating a brain wallet, or even a combination of many to access your "Wallet".

piotr_n
January 02, 2017, 09:03:17 PM
Last edit: January 02, 2017, 09:36:31 PM by piotr_n
 #65

For me cracking brain wallets is not quite about dictionary attack.

Obviously if anyone is using a single word from a dictionary as the seed for his brain wallet then he is an idiot. Idiots get hit by buses every day - we can't save them.
But... any modern wallet can bring its actual seed to a sequence of 12 or 24 words - and that's from a 'dictionary' of 2048 words.
Because that's what 256 bits of data come down to.
Plus Bitcoin addresses have only 160-bit security - so, it's even fewer words.

So what if I am to choose my seed to be a sentence made of 12 or 24 words? From an undefined dictionary...
Should it not be at least as much secure as the other 12/24 words method???

And they say: NO - because we have 'researched' it and our 'studies' have proven [again!] that if you choose 12/24 words from the unlimited dictionary, then we can guess what these words were!
There is absolutely no published science to back this up.
It's fucking bollocks - show how you do it, or you are a fraud! And I haven't seen a single paper, let alone a piece of software, on how anyone would be choosing the words to mimic my thinking.
What I've seen so far was only primitive software that either uses brute forcing on characters or requires the list of the passwords to be provided to it - that's it. That's all their 'research'.

Where is the research showing that software can choose/guess/predict a set of words in a way to 'guess' what a human being was thinking?
There isn't any.
Because it's nowhere even close as simple as they suggest. People publishing these papers are too stupid to even understand the problem - they have absolutely zero chance to start approaching it from the right angle.


ArcCsch (OP)
January 03, 2017, 07:45:57 AM
 #66

Obviously if anyone is using a single word from a dictionary as the seed for his brain wallet then he is an idiot. Idiots get hit by buses every day - we can't save them.
I agree, there are far too many pseudo-intellectuals using bitcoin simply because it's cool and the new "in thing" and losing coins to change addresses, weak brain wallets, web wallet hacks, and assorted scams.
And they say: NO - because we have 'researched' it and our 'studies' have proven [again!] that if you choose 12/24 words from the unlimited dictionary, then we can guess what these words were!
There is absolutely no published science to back this up.
It's fucking bollocks - show how you do it, or you are a fraud! And I haven't seen a single paper, let alone a piece of software, on how anyone would be choosing the words to mimic my thinking.
What I've seen so far was only primitive software that either uses brute forcing on characters or requires the list of the passwords to be provided to it - that's it. That's all their 'research'.

Where is the research showing that software can choose/guess/predict a set of words in a way to 'guess' what a human being was thinking?
There isn't any.
Because it's nowhere even close as simple as they suggest. People publishing these papers are too stupid to even understand the problem - they have absolutely zero chance to start approaching it from the right angle.
12/24 words are secure if chosen in a reasonably random fashion.
The lyrics of a song, a quote, or, for that matter, any sentence that makes sense, are very insecure.
Unfortunately, many people choose things like "how much wood could a woodchuck chuck if a woodchuck could chuck wood" and get hacked.

Brain wallets do have their advantages; it is by far the most effective way to hide bitcoin from oppressive authorities, especially if they have no proof of its existence.

piotr_n
January 03, 2017, 10:22:49 AM
Last edit: January 03, 2017, 10:35:27 AM by piotr_n
 #67

The lyrics of a song, a quote, or, for that matter, any sentence that makes sense, are very insecure.

Yes - that is what one should assume when making a password that will protect his life's savings.
That's what I assume...

But I'm still dying to see any research that would approach the problem of cracking brain wallet passwords that are "sentences that make sense".
Let me give you a few examples:

Code:
I met a girl, her name was Marlena Witchenberg, I asked her out and she said NO.

Code:
When I was a kid my dad used to take me out for fishing - to a place called Bloodrocks

Code:
One day I will be a milioner, because the only one bitcoin I own will be worth more than 1 million :)

These are all sentences - grammatically correct and quite easy to remember if they have sentimental value for you.
But according to my knowledge and understanding, as of today, they are (were, before I posted them) impossible to crack.
There is loads of research to be done, before anyone can even start cracking these kind of wallets.
Obviously it cannot be done by a man thinking of sentences and typing them in - he would die behind the keyboard with zero hits.
But there is no software that can brute-force "sentences that make sense", preferably only those that have a sentimental value to a targeted person.
Even if there is some software like that, it is not very fast, because creating all kinds of "sentences that make sense" is a very complex problem to solve by a machine.
For a machine, it might actually be easier to reverse the EC multiplication function.

Evil-Knievel
January 03, 2017, 12:13:25 PM
 #68

Why does the title say "Mod note: Do not use brain wallets"?
I explicitly want to use brain wallets, and as a free human being it is my right to do so! It's my individual decision! When reading the title I feel somewhat "patronized": "the community" openly displays that it thinks I (and other users) are too dumb to make our own decisions. Not nice.

EDIT: I *AM* a good source of entropy!
piotr_n
January 03, 2017, 12:24:33 PM
Last edit: January 03, 2017, 12:36:00 PM by piotr_n
 #69

Why does the title say "Mod note: Do not use brain wallets"?
Because the mod is a type of person that prefers to run a forum for kids who he can impress and patronise all the time.
Rather than a forum for adults who can challenge his thinking, so he could sometimes learn something more here.

gmaxwell
January 03, 2017, 06:55:38 PM
 #70

I think it's amusing that the two people in this thread loudly trumpeting brainwallets are someone who says they have a fetish for cracking passwords and someone who has posted extensively about wallet cracking and tried to sell scam wallet cracking tools.

This fits right in with the fact that the person who popularized the idea and created brainwallet.org was cracking these kinds of keys and complaining about how few he was finding online before creating the site.

Food for thought.
BillyBobZorton
January 03, 2017, 07:01:30 PM
 #71

I think it's amusing that the two people in this thread loudly trumpeting brainwallets are someone who says they have a fetish for cracking passwords and someone who has posted extensively about wallet cracking and tried to sell scam wallet cracking tools.

This fits right in with the fact that the person who popularized the idea and created brainwallet.org was cracking these kinds of keys and complaining about how few he was finding online before creating the site.

Food for thought.


I have learned recently that brainwallets are not a good idea, mostly because I lurk the bitcoin reddit and I think I saw you posting about it.

Now my fear/question is: are Electrum seeds also compromised? In theory isn't it the same as brainwallets? It creates a seed and this seed contains everything. I think the new HD wallet in Bitcoin Core is not like that (you can't "spawn" everything with a single seed) but with Electrum it seems the same idea to me as brainwallets and now I'm worried... (I'm not a coder or anything so I don't understand the details, it just seems the same to me in practice)
piotr_n
January 03, 2017, 07:06:44 PM
 #72

I think it's amusing that the two people in this thread loudly trumpeting brainwallets are someone who says they have a fetish for cracking passwords and someone who has posted extensively about wallet cracking and tried to sell scam wallet cracking tools.

This fits right in with the fact that the person who popularized the idea and created brainwallet.org was cracking these kinds of keys and complaining about how few he was finding online before creating the site.

Food for thought.

Give me a break.

By this logic nobody should trust your expertise on cryptography, because you know too much about the topic and your advice might be luring unconscious people into using solutions that you claim are secure, but personally know how to break.

How are you going to answer that?

If you want to have an adult debate with me,  question the technical aspects of what I'm saying, instead of trying to undermine my motives.  It's just pathetic, man. How old are you?

gmaxwell
January 03, 2017, 07:24:22 PM
 #73

I have learned recently that brainwallets are not a good idea, mostly because I lurk the bitcoin reddit and I think I saw you posting about it.

Now my fear/question is: are Electrum seeds also compromised? In theory isn't it the same as brainwallets? It creates a seed and this seed contains everything. I think the new HD wallet in bitcoin core is not like that (you can't "spawn" everything with a single seed) but with electrum it seems the same idea to me than brainwallets and now im worried... (im not a coder or anything so I dont understand the details, it just seems the same to me in practice)

The two main problems with brainwallets are that (1) humans created the randomness, and humans are surprisingly bad at that (and, worse, can't tell how bad they are), and (2) they depend on human memory to perfectly remember a long, highly random string.  Human memory is not very good at this either.

Electrum seeds, used correctly, don't have either of these problems.
gmaxwell
January 03, 2017, 07:27:01 PM
 #74

question the technical aspects of what I'm saying, instead of trying to undermine my motives.  It's just pathetic, man. How old are you?

Because the mod is a type of person that prefers to run a forum for kids who he can impress and patronise all the time.

...

By this logic nobody should trust your expertise on cryptography because you know too much about the topic and your advice might be luring unconscious people into using solutions that you claim are secured, but personally know how to break.

How are you going to answer that?

Ask me again if you ever see me advocating solutions which have resulted in lots of funds loss in practice... or selling wallet cracking tools.
piotr_n
January 03, 2017, 08:14:13 PM
 #75

question the technical aspects of what I'm saying, instead of trying to undermine my motives. It's just pathetic, man. How old are you?

Because the mod is a type of person that prefers to run a forum for kids who he can impress and patronise all the time.

...

By this logic nobody should trust your expertise on cryptography because you know too much about the topic and your advice might be luring unconscious people into using solutions that you claim are secured, but personally know how to break.

How are you going to answer that?

Ask me again if you ever see me advocating solutions which have resulted in lots of funds loss in practice... or selling wallet cracking tools.

Are you not advocating Bitcoin?

Evil-Knievel
January 04, 2017, 12:28:02 AM
 #76

I don't wanna tilt at windmills, and I am fine with the brainwallets-are-bad-mantra; it might be true for the average (but not general) case.

Still, just for the fun of it, I am willing to take a challenge with any of the low-entropy-is-bad guys here Grin
Suggestion: I will put 5 BTC into an address which is secured by an entropy of 32 bits only. The entropy will even come from my brain. If anyone is able to crack my brainwallet within one week, feel free to take the money. If not, you consent to double my stake. I am even willing to tell you how my brainwallet will be constructed beforehand. Grin

... remember, it's not about the entropy, it's about the time that is required to scan through the search space defined by the specific amount of entropy.
piotr_n
January 04, 2017, 10:28:16 AM
Last edit: January 04, 2017, 10:39:41 AM by piotr_n
 #77

Suggestion: I will put 5 BTC into an address which is secured by an entropy of 32 bits only.
what do you mean?
you will post the public address and 224 bits of its private key - and we only have to guess the remaining 32 bits?
sign me in! Smiley

to go through all the 4294967296 combinations within a week (604800 seconds), one would only have to check 7101 keys per second.
that's totally doable - you will lose your money, man.
however, that will have nothing to do with cracking brain wallets - it's just pure brute forcing of random values.

piotr_n
January 04, 2017, 11:19:03 AM
Last edit: January 04, 2017, 01:03:42 PM by piotr_n
 #78

I'm going to go back to publishing my thoughts on best practices in brain wallets security.

Despite attacks on my credibility and honesty (which I'm going to ignore, as they are not worth my time), I'm standing behind all my previous statements on how to choose a secure brain wallet seed.
I think all the solutions I described in this topic are secure enough.
But it doesn't mean we cannot make them even more secure, using other kind of tricks.

Think of your life's savings - millions of dollars worth of bitcoins, which you want to protect only by passwords memorised in your brain.

This method is what I would call insurance fund security countermeasure.
You can take e.g. 2% of your life savings and put it on the insurance fund.
Worst case scenario: if your brain wallet gets cracked one day, it will cost you 1% of your savings, assuming you quickly act upon it.


Here is the method:

Note: a brain wallet can lead to practically unlimited number of addresses, but to simplify my guide I will assume that one brain wallet = one address.

So:

1. Make two or more brain wallets and deposit the insurance fund in their P2KH addresses (spreading the entire fund across them - evenly or however you like).

2. Make a multisig address 2-of-2 (or N-of-N if you made more brain wallets in point one) and deposit the rest of your savings there.

3. Do not spend from your multisig address, as it would disclose (to a potential attacker) that there is a much bigger stake to take than just the insurance.

Now, for the insurance to work, you will have to monitor the balance on your insurance addresses - use whatever method you want; manual or automatic.

If any of your passwords gets cracked, its insurance address will get emptied.
Important note here: the insurance address must carry enough coins, to tempt the attacker.

Anyway, when an insurance address gets emptied - this tells you to move the funds from your multisig savings address to a new one.
Also, you can draw conclusions that the password you used for that address was too weak - and learn from it...

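The bookkeeping and detection side of the insurance-fund layout above, written out in Python as an added example (it is not piotr_n's code): the insurance share is split evenly across N canary addresses, each canary is checked against an assumed minimum bait amount, and a drop in any canary balance between two snapshots is the signal to move the N-of-N multisig savings. Address labels, amounts and the bait threshold are constructed.

```python
from dataclasses import dataclass

SATS_PER_BTC = 100_000_000
# Assumed threshold: a canary holding less than this is unlikely to tempt an attacker.
MIN_BAIT_SATS = 5_000_000  # 0.05 BTC


@dataclass
class DrainAlert:
    address: str
    before_sats: int
    after_sats: int


def split_insurance(total_sats, insurance_percent, canaries):
    """Allocate insurance_percent of the savings evenly across the canary addresses.
    Returns (per-canary allocation, remainder that goes to the N-of-N multisig)."""
    if not 0 < insurance_percent < 100 or not canaries:
        raise ValueError("need a percentage in (0, 100) and at least one canary")
    insurance = total_sats * insurance_percent // 100
    per_canary = insurance // len(canaries)
    return {a: per_canary for a in canaries}, total_sats - per_canary * len(canaries)


def weak_bait(balances, minimum=MIN_BAIT_SATS):
    """Canaries whose balance is below the bait threshold give no useful warning."""
    return sorted(a for a, sats in balances.items() if sats < minimum)


def detect_drains(previous, current):
    """Compare two balance snapshots; any canary whose balance fell is reported.
    Because the multisig is N-of-N over the same passphrases, a single cracked
    passphrase is already reason enough to move the savings."""
    return [DrainAlert(a, before, current.get(a, 0))
            for a, before in previous.items() if current.get(a, 0) < before]


def savings_must_move(previous, current):
    """True when at least one canary was (partially or fully) emptied."""
    return bool(detect_drains(previous, current))


# Constructed snapshots (labels only, not real Bitcoin addresses).
SNAPSHOT_T0 = {"canary-A": 6_000_000, "canary-B": 6_000_000}
SNAPSHOT_T1 = {"canary-A": 6_000_000, "canary-B": 0}
```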
Evil-Knievel
January 04, 2017, 12:06:08 PM
Last edit: January 04, 2017, 12:17:00 PM by Evil-Knievel
 #79

Suggestion: I will put 5 BTC into an address which is secured by an entropy of 32 bits only.
what do you mean?
you will post the public address and 224 bits of its private key - and we only have to guess the remaining 32 bits?
sign me in! Smiley

to go through all the 4294967296 combinations within a week (604800 seconds), one would only have to check 7101 keys per second.
that's totally doable - you will lose your money, man.
however, that will have nothing to do with cracking brain wallets - it's just pure brute forcing of random values.

I did not say that 32 bits will be missing! Wink I said that my private key will have 32 bits of entropy.

I thought maybe something along these lines:

Let x be a 32-bit integer (the only source of entropy). Then the private key k is
k = pbkdf2(scrypt(key=sha3("bull testicles" + sha3(x)), salt=sha3(sha3(x)), N=2^(sha3(x)%1000000000000), r=8, p=1, dkLen=32), salt=sha3(sha3(x)), c=2^(sha3(x)%1000000000000), dkLen=32, prf=HMAC_SHA256)


I am quite sure that this very simple brainwallet cannot be cracked within one week, even for low entropies. Of course, for 32-bit of entropy, I wouldn't keep the wallet live for more than a few months / maybe years. But for any four word English phrase that my mind comes up with, I would say it's pretty secure.

Disclaimer: if in doubt assume my approach is unsafe as hell and will lead to a total loss of your funds!
piotr_n
January 04, 2017, 03:46:38 PM
 #80

I thought maybe something along these lines:

Let x be a 32-bit integer (the only source of entropy). Then the private key k is
k = pbkdf2(scrypt(key=sha3("bull testicles" + sha3(x)), salt=sha3(sha3(x)), N=2^(sha3(x)%1000000000000), r=8, p=1, dkLen=32), salt=sha3(sha3(x)), c=2^(sha3(x)%1000000000000), dkLen=32, prf=HMAC_SHA256)


I am quite sure that this very simple brainwallet cannot be cracked within one week, even for low entropies. Of course, for 32-bit of entropy, I wouldn't keep the wallet live for more than a few months / maybe years. But for any four word English phrase that my mind comes up with, I would say it's pretty secure.

Disclaimer: if in doubt assume my approach is unsafe as hell and will lead to a total loss of your funds!

Yes, it's actually another thing worth mentioning.

Despite what some people claim (or may think) not everybody uses brainwallet.org (which BTW doesn't work), or bitcoinpaperwallet.com, or brainwallet.io or BIP38 or any other "standard" generously acknowledged by the ever patronising us bitcoin celebrities.

You just gave an example for quite a complex hashing mechanism - it takes quite a lot of time to just calc one hash.
Myself, I use much more simple hashing - calculates in an instant, but I'm still comfortable with it, as I focus on making strong passwords.

And it is not only about how you generate the first address, but also others originating from the same seed.

My point is: whoever is going to crack brain wallets cannot really do all-at-once as the function that turns the password into the 256 bit private key can be literally anything. He needs to address each one separately - first having to learn what it actually is.

Suit yourself with the method of the guy who "invented Brainwallets", using the breakthrough science-fiction sentence cracking solution that you have allegedly researched [again!], but don't want to disclose...
But still, if you want to crack my password, you will have to launch a slightly different software.

BillyBobZorton
January 04, 2017, 06:54:42 PM
 #81

I have learned recently that brainwallets are not a good idea, mostly because I lurk the bitcoin reddit and I think I saw you posting about it.

Now my fear/question is: are Electrum seeds also compromised? In theory isn't it the same as brainwallets? It creates a seed and this seed contains everything. I think the new HD wallet in bitcoin core is not like that (you can't "spawn" everything with a single seed) but with electrum it seems the same idea to me as brainwallets and now I'm worried... (I'm not a coder or anything so I don't understand the details, it just seems the same to me in practice)

The two main problems with brainwallets are that (1) humans created the randomness and humans are surprisingly bad at that (and, worse, can't tell how bad they are) and (2) they depend on human memory to perfectly remember a long highly random string. Human memory is not very good at this either.

Electrum seeds, used correctly, don't have either of these problems.


The electrum seeds claim to be as safe as keeping your bitcoins in your bitcoin core wallet.dat...

Quote
What is the Seed?

The seed is a random phrase that is used to generate your private keys.

Example:

constant forest adore false green weave stop guy fur freeze giggle clock

Your wallet can be entirely recovered from its seed. For this, select the “restore wallet” option in the startup.
How secure is the seed?

The seed created by Electrum has 128 bits of entropy. This means that it provides the same level of security as a Bitcoin private key (of length 256 bits). Indeed, an elliptic curve key of length n provides n/2 bits of security.


Is this really the case? And how do you "correctly use" Electrum seeds? Because you made an "if used correctly" remark.

I think the fact that you can memorize the Electrum seed is cool, and if it's as safe as the way Bitcoin Core stores the keys, then why not also give us a way to generate our wallet.dat from a human-readable seed like Electrum's if it's as safe? Now that Bitcoin Core supports HD wallet wouldn't this be possible? Maybe I'm mixing things up though, just using common sense, I'm too dumb for the math/coding.
gmaxwell
January 04, 2017, 11:23:33 PM
 #82

Is this really the case? and how do you "correctly use" Electrum seeds? because you made a "if used correctly" remark.
Coming up with the string on your own rather than having the software do it or storing it only in your memory.
ArcCsch (OP)
January 06, 2017, 12:13:36 AM
 #83

There are security guarantees if you generate passphrases correctly.
If you generate a passphrase uniformly and at random from a set of size S, you can be sure (well... not really sure, there is always a chance an attacker will randomly guess your passphrase, but this is unavoidable) that against an attacker performing N computations, the probability of getting hacked is not more than P=N/S.
If you use words from a book, or a sentence that makes sense, or anything you come up with without a high quality source of randomness (dice, for example), you have no such security guarantee, and it is impossible to estimate the chances of getting hacked.
If you use Diceware with Warp Wallet, you will be safe as long as you don't forget the passphrase.

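The bound ArcCsch states (P = N/S for a passphrase drawn uniformly from a set of size S), piotr_n's 32-bits-in-a-week arithmetic, and Evil-Knievel's point that key stretching changes the time to scan a search space, worked through in Python as an added example that is not code from any of the posters. The Diceware list size of 7776 is the standard one; the attacker hash rate and the stretching cost factor used in the checks are constructed assumptions.

```python
import math

DICEWARE_WORDS = 7776        # 6**5 entries in the standard Diceware list
WEEK_SECONDS = 7 * 24 * 3600  # 604800, the window used in the challenge above


def passphrase_entropy_bits(word_count, list_size=DICEWARE_WORDS):
    """Entropy log2(S) of a passphrase chosen uniformly at random, S = list_size**word_count.
    The P = N/S bound below only holds for uniform choice (dice), not for a sentence
    you made up yourself, whose effective S is unknown."""
    return word_count * math.log2(list_size)


def compromise_probability(entropy_bits, guesses):
    """Upper bound P = N/S on the chance that N guesses hit a uniformly chosen secret."""
    return min(1.0, guesses / 2 ** entropy_bits)


def rate_to_exhaust(entropy_bits, window_seconds=WEEK_SECONDS):
    """Guesses per second needed to try every candidate within the window."""
    return 2 ** entropy_bits / window_seconds


def effective_guess_rate(raw_hashes_per_second, stretch_factor):
    """Key stretching (scrypt/PBKDF2 work per candidate) divides the attacker's raw
    hash rate by the cost of one derivation relative to a single hash."""
    return raw_hashes_per_second / stretch_factor


def risk_in_window(entropy_bits, raw_hashes_per_second, stretch_factor,
                   window_seconds=WEEK_SECONDS):
    """P = N/S for an attacker running flat out for window_seconds."""
    guesses = effective_guess_rate(raw_hashes_per_second, stretch_factor) * window_seconds
    return compromise_probability(entropy_bits, guesses)
```

With the assumed 1e9 raw hashes per second, a four-word Diceware passphrase (about 51.7 bits) has roughly a 1 in 6 chance of falling in a week without stretching, and well under 1 in a million with a constructed stretching factor of 2**20 per guess.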
Abdussamad
January 07, 2017, 11:43:42 PM
 #84

Is this really the case? and how do you "correctly use" Electrum seeds? because you made a "if used correctly" remark.
Coming up with the string on your own rather than having the software do it or storing it only in your memory.

I think you mean using the software generated one and not coming up with a string on your own. Just saying that your answer is not clear and might confuse newbies.

Besides, since electrum v2.x you* can't make your own seed coz it has to have a checksum in it. You have to rely on the software.



* i mean lay people.