Bitcoin Forum
Author Topic: Brain wallet, step-by-step guide (FIXED!)[Mod note: DO NOT USE BRAINWALLETS]  (Read 7076 times)
piotr_n
Legendary
*
Offline Offline

Activity: 2053
Merit: 1354


aka tonikt


View Profile WWW
December 27, 2016, 12:34:49 PM
Last edit: December 27, 2016, 01:16:21 PM by piotr_n
 #61

What we maybe should also mention here are a kind of wallets that actually require a file, but the key to their existence is only in your brain.

A bit like a system with a book I mentioned before, but slightly different...

Think of a photo of your wife. A jpeg file would be good, as it has nice "entropy".
Now, think of two numbers - e.g. her birthday and age... or whatever big enough.
Then cut (from the file) the number of bytes expressed by the second number, from the file's offset expressed by the first number.
All you need for that is "dd" command. You can concat two or three such fragments, to increase security... Maybe even append some simple string (e.g. your last name) at the end of the extracted data...
Then get a 256-bit hash of it - that would be your master private key.


A photo of your wife you can have stored anywhere, even in the cloud - nobody is going to find it suspicious. Perhaps they will even let you have it in a prison. Smiley
But the key to the wallet is only in your brain.
Now, if nobody knows that the wife's picture is actually the wallet, there is no way to crack it.

This is just one of unlimited methods for making a secure brain wallet.
Just use your brain and imagination and you can create a very secure brain wallet, that no person on earth can crack, find or seize - while you always have it with you.
This is a security and convenience that no random generator based wallet will ever give you.

Check out gocoin - my original project of full bitcoin node & cold wallet written in Go.
PGP fingerprint: AB9E A551 E262 A87A 13BB  9059 1BE7 B545 CDF3 FD0E
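A worked version of the photo-fragment scheme described in the post above, added here as an example; it is not code from piotr_n or from gocoin. A constructed byte string stands in for the JPEG, the (offset, length) pairs are passed in as the two remembered numbers, and the SHA-256 of the joined fragments plus an optional salt becomes the master key, as the post describes. It also computes how much guessing work remains for someone who already holds the file, which is the situation the method relies on never arising. The names extract_fragment, derive_master_key and residual_secret_bits, and the surname used as salt, are my own.

```python
import hashlib
import math

# Constructed stand-in for the JPEG: 4 KiB of deterministic bytes. In the
# scheme above this would be the photo read from disk.
SAMPLE_FILE = bytes((i * 131 + 7) % 256 for i in range(4096))


def extract_fragment(data: bytes, offset: int, length: int) -> bytes:
    """Same cut as `dd if=photo.jpg bs=1 skip=<offset> count=<length>`."""
    if offset < 0 or length <= 0 or offset + length > len(data):
        raise ValueError("fragment lies outside the file")
    return data[offset:offset + length]


def derive_master_key(data: bytes, fragments, salt: bytes = b"") -> bytes:
    """Concatenate the chosen fragments, append the optional salt, hash once.

    `fragments` is a list of (offset, length) pairs, the numbers the post says
    you keep only in your head. The 32-byte SHA-256 digest is the master key.
    """
    material = b"".join(extract_fragment(data, off, ln) for off, ln in fragments)
    return hashlib.sha256(material + salt).digest()


def residual_secret_bits(file_size: int, max_length: int, n_fragments: int) -> float:
    """Upper bound, in bits, on what an attacker who already holds the file
    still has to guess: each (offset, length) pair has at most
    file_size * max_length values. Once the file is known, this plus any salt
    is the whole secret; the photo's own 'entropy' no longer counts."""
    return n_fragments * math.log2(file_size * max_length)


if __name__ == "__main__":
    # Constructed inputs: two fragments and a made-up surname as salt.
    key = derive_master_key(SAMPLE_FILE, [(1983, 37), (2711, 52)], salt=b"Kowalski")
    print(key.hex())
    print(residual_secret_bits(len(SAMPLE_FILE), 256, 2), "bits left to guess if the file is known")
```

The last function is the check a practitioner would run before trusting the scheme: with a 4 KiB file and fragment lengths up to 256, one fragment is worth at most 20 bits to someone who has the file, so the protection rests on the file never being identified as the wallet, exactly the assumption the post makes.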
piotr_n
Legendary
*
Offline Offline

Activity: 2053
Merit: 1354


aka tonikt


View Profile WWW
December 27, 2016, 01:37:13 PM
Last edit: December 27, 2016, 01:58:58 PM by piotr_n
 #62

But I still think that the brain wallets in the traditional sense of the word should be secure enough, if their owner only puts enough effort into their complexity and uniqueness.

Like the example I mentioned in the other thread: Make a poem and remember it.
Not a short poem, but it also doesn't need to be a very long one - a haiku might be long enough, although two haiku (one after another) would be much better.

Despite what some people might be claiming, there is no way to paint a second Mona Lisa just by coincidence.
Almost every human being (there might be some brain damaged ones) is able to create original artistic constructs inside his brain.
And the one thing computers can't do is artistic - the only way to crack an original poem is through brute forcing.
So, to make it even harder for dictionary-based, lexical-whatever-sf-enforced brute forcing, do not use the words as they are.
Modify the words inside your poem, using a system that only you know.
For example:
 - Use only the first and the last letter of each word
 - Skip words of certain lengths
 - Repeat some words or some characters
 - Use customised separation characters between the words (e.g. - | & * @)
 - Swap the letters (all or only two of them) inside each word
 - Add the salt (e.g. your name, phone number, your email's password) at the end, the beginning or (best) somewhere in the middle.
 - etc. etc. etc. - use your imagination - it's limitless!  

Also: the last thing you should do is following the exact system I just described. Smiley
It was good, before I posted it, though.
Anyway, I hope you catch my point.


Mind that you can also combine one or more of the methods/techniques/systems, if you are still unsure about the security of a single one.
So for instance: the book, combined with the wife's photo, combined with the poem - even god himself armed with an MRI connected to your head won't crack that, if you don't screw it up.

Check out gocoin - my original project of full bitcoin node & cold wallet written in Go.
PGP fingerprint: AB9E A551 E262 A87A 13BB  9059 1BE7 B545 CDF3 FD0E
piotr_n
Legendary
*
Offline Offline

Activity: 2053
Merit: 1354


aka tonikt


View Profile WWW
December 27, 2016, 09:52:54 PM
Last edit: December 27, 2016, 10:45:22 PM by piotr_n
 #63

Excuse me posting the third time in a row, but I was rushing out in the morning and didn't have much time to write down all my thoughts.

Quote
Brainwallets were literally invented by someone who was out to rip people off; no joke!
Well, if it's not a joke, then let me explain how you are wrong.

Nobody invented brain wallets!

Perhaps there was a person who named it like that (nice naming, BTW), but he did not invent it!

Brain wallets are natural, just like using the fingers for picking your nose is natural.
You don't invent it - it's just there, ready to be used.

I use brain wallet not because someone showed it to me.
I use it because one day I found it to be a perfect method for creating a seed for a master private key of a bitcoin wallet.
And it didn't take a process - it was just a thought; a natural thought, like thinking of having a swim in a hot weather.

So please stop spreading such disinformation, because not only that it isn't helpful to anyone, but it's also not good for you.
Unless your goal is not to be perceived as a bitcoin scientist/technician, but rather as a bitcoin apostle/preacher.


EDIT:
In the other part of your argument, you mentioned that "rainbow tables" can be used to crack the brain wallets..
I mean, come on, man - are you kidding me?
There is no fucking way you don't know that rainbow tables are completely useless for cracking 256-bit hashes..
Why would you even bring such a term into the discussion?
What is a purpose of that if not trying to convince clueless people that your thesis is right, without providing any actual arguments?

EDIT2:
I have been fascinated with passwords-cracking ever since I was 20.
They almost kicked me out of the university, because of that.
But it wasn't my fault - I was just a kid harmlessly experimenting with stuff.
Back then, in the 90s, cracking unix account passwords was as easy as looking for the match inside the /etc/passwd file.
John the Ripper - is the software I will always remember. It's old school, but still great software.
I know very well how much progress has been made in the field over the past 20 years.
And today I choose brain wallet.  It's not preaching - it's experience.

I am not telling anyone what he should or should not do - I'm just telling him what I know.
Well, maybe I'm also preaching a bit: Believe in your brain and its limitless imagination - it's far more sophisticated than any PRNG invented by man. Smiley

EDIT3:
When I read about all these "research" papers and browse through slideshows from some DEFCON meetings - for me it's just some kids looking for attention, playing with 30-year-old technology, which they don't really understand. Had they understood it, they would have had much bigger respect for the very complex problem of cracking passwords. But all I see is an infant boasting and patronising with statements that have absolutely no technical backup.
You kids... Smiley

Check out gocoin - my original project of full bitcoin node & cold wallet written in Go.
PGP fingerprint: AB9E A551 E262 A87A 13BB  9059 1BE7 B545 CDF3 FD0E
Danydee
Legendary
*
Offline Offline

Activity: 2590
Merit: 1249


#SWGT CERTIK Audited


View Profile WWW
January 02, 2017, 06:32:41 PM
 #64

I believe that your birth date, your name or your phone number are the first things that a hacker would try to use before trying to crack/brute anything, so I don't really see how this could be more secure than anything else; using a random password, on the other hand, or something that makes no sense to you may be very hard to remember over the years and you could end up losing your coins.
Yes, hackers use and have already used dictionary attacks in the past, so I think that it isn't necessary to use the same tool; you can simply use a transaction hash, btc address, private key, a key issued on creating a brain wallet or even combine many of them to access your "Wallet".

piotr_n
Legendary
*
Offline Offline

Activity: 2053
Merit: 1354


aka tonikt


View Profile WWW
January 02, 2017, 09:03:17 PM
Last edit: January 02, 2017, 09:36:31 PM by piotr_n
 #65

For me cracking brain wallets is not quite about dictionary attack.

Obviously if anyone is using a single word from a dictionary as the seed for his brain wallet then he is an idiot. Idiots get hit by buses every day - we can't save them.
But... any modern wallet can bring its actual seed to a sequence of 12 or 24 words - and that's from a 'dictionary' of 2048 words.
Because that's what 256 bits of data come down to.
Plus Bitcoin addresses have only 160 bit security - so, it's even fewer words.

So what if I am to choose my seed to be a sentence made of 12 or 24 words? From an undefined dictionary...
Should it not be at least as secure as the other 12/24 words method???

And they say: NO - because we have 'researched' it and our 'studies' have proven [again!] that if you choose 12/24 words from the unlimited dictionary, then we can guess what these words were! Roll Eyes
There is absolutely no published science to back this up.
It's fucking bollocks - show how you do it, or you are a fraud! And I haven't seen a single paper, let alone a software, on how anyone would be choosing the words to mimic my thinking.
What I've seen so far was only a primitive software that either uses brute forcing on characters or requires the list of the passwords to be provided to it - that's it. That's all their 'research'.

Where is a research showing that a software can choose/guess/predict a set of words in a way to 'guess' what a human being was thinking?
There isn't any.
Because it's nowhere even close as simple as they suggest. People publishing these papers are too stupid to even understand the problem - they have absolutely zero chance to start approaching it from the right angle.


Check out gocoin - my original project of full bitcoin node & cold wallet written in Go.
PGP fingerprint: AB9E A551 E262 A87A 13BB  9059 1BE7 B545 CDF3 FD0E
ArcCsch (OP)
Full Member
***
Offline Offline

Activity: 224
Merit: 117


▲ Portable backup power source for mining.


View Profile
January 03, 2017, 07:45:57 AM
 #66

Quote
Obviously if anyone is using a single word from a dictionary as the seed for his brain wallet then he is an idiot. Idiots get hit by buses every day - we can't save them.
I agree, there are far too many pseudo-intellectuals using bitcoin simply because it's cool and the new "in thing" and losing coins to change addresses, weak brain wallets, web wallet hacks, and assorted scams.
Quote
And they say: NO - because we have 'researched' it and our 'studies' have proven [again!] that if you choose 12/24 words from the unlimited dictionary, then we can guess what these words were! Roll Eyes
There is absolutely no published science to back this up.
It's fucking bollocks - show how you do it, or you are a fraud! And I haven't seen a single paper, let alone a software, on how anyone would be choosing the words to mimic my thinking.
What I've seen so far was only a primitive software that either uses brute forcing on characters or requires the list of the passwords to be provided to it - that's it. That's all their 'research'.

Where is a research showing that a software can choose/guess/predict a set of words in a way to 'guess' what a human being was thinking?
There isn't any.
Because it's nowhere even close as simple as they suggest. People publishing these papers are too stupid to even understand the problem - they have absolutely zero chance to start approaching it from the right angle.
12/24 words are secure if chosen in a reasonably random fashion.
The lyrics of a song, a quote, or, for that matter, any sentence that makes sense, are very insecure.
Unfortunately, many people choose things like "how much wood could a woodchuck chuck if a woodchuck could chuck wood" and get hacked.

Brain wallets do have their advantages; it is by far the most effective way to hide bitcoin from oppressive authorities, especially if they have no proof of its existence.

If you don't have sole and complete control over the private keys, you don't have any bitcoin!  Signature campaigns are OK, zero tolerance for spam!
1JGYXhfhPrkiHcpYkiuCoKpdycPhGCuswa
piotr_n
Legendary
*
Offline Offline

Activity: 2053
Merit: 1354


aka tonikt


View Profile WWW
January 03, 2017, 10:22:49 AM
Last edit: January 03, 2017, 10:35:27 AM by piotr_n
 #67

Quote
The lyrics of a song, a quote, or, for that matter, any sentence that makes sense, are very insecure.

Yes - that is what one should assume when making a password that will protect his life's savings.
That's what I assume...

But I'm still dying to see any research that would approach the problem of cracking brain wallet passwords that are "sentences that make sense".
Let me give you a few examples:

Code:
I met a girl, her name was Marlena Witchenberg, I asked her out and she said NO.

Code:
When I was a kid my dad used to take me out for fishing - to a place called Bloodrocks

Code:
One day I will be a milioner, because the only one bitcoin I own will be worth more than 1 million :)

These are all sentences - grammatically correct and quite easy to remember if they have sentimental value for you.
But according to my knowledge and understanding, as of today, they are (were, before I posted them) impossible to crack.
There is loads of research to be done, before anyone can even start cracking these kinds of wallets.
Obviously it cannot be done by a man thinking of sentences and typing them in - he would die behind the keyboard with zero hits.
But there is no software that can brute-force "sentences that make sense", preferably only those that have a sentimental value to a targeted person.
Even if there is some software like that, it is not very fast, because creating all kind of "sentences that make sense" is a very complex problem to solve by a machine.
For a machine, it might actually be easier to reverse the EC multiplication function.

Check out gocoin - my original project of full bitcoin node & cold wallet written in Go.
PGP fingerprint: AB9E A551 E262 A87A 13BB  9059 1BE7 B545 CDF3 FD0E
Evil-Knievel
Legendary
*
Offline Offline

Activity: 1260
Merit: 1168



View Profile
January 03, 2017, 12:13:25 PM
 #68

Why does the title say "Mod note: Do not use brain wallets"?
I explicitly want to use brain wallets, and as a free human being it is my right to do so! It's my individual decision! When reading the title I feel somewhat "patronized": "the community" openly displays that it thinks I (and other users) are too dumb to make their own decision. Not nice  Roll Eyes

EDIT: I *AM* a good source of entropy!
piotr_n
Legendary
*
Offline Offline

Activity: 2053
Merit: 1354


aka tonikt


View Profile WWW
January 03, 2017, 12:24:33 PM
Last edit: January 03, 2017, 12:36:00 PM by piotr_n
 #69

Quote
Why does the title say "Mod note: Do not use brain wallets"?
Because the mod is a type of person that prefers to run a forum for kids who he can impress and patronise all the time.
Rather than a forum for adults who can challenge his thinking, so he could sometimes learn something more here.

Check out gocoin - my original project of full bitcoin node & cold wallet written in Go.
PGP fingerprint: AB9E A551 E262 A87A 13BB  9059 1BE7 B545 CDF3 FD0E
gmaxwell
Moderator
Legendary
*
expert
Offline Offline

Activity: 4172
Merit: 8419



View Profile WWW
January 03, 2017, 06:55:38 PM
 #70

I think it's amusing that the two people in this thread loudly trumpeting brainwallets are someone who says they have a fetish for cracking passwords and someone who has posted extensively about wallet cracking and tried to sell scam wallet cracking tools.

This fits right in with the fact that person who popularized the idea and created brainwallet.org was cracking these kinds of keys and complaining about how few he was finding online before creating the site.

Food for thought.
BillyBobZorton
Legendary
*
Offline Offline

Activity: 1204
Merit: 1028


View Profile
January 03, 2017, 07:01:30 PM
 #71

Quote
I think it's amusing that the two people in this thread loudly trumpeting brainwallets are someone who says they have a fetish for cracking passwords and someone who has posted extensively about wallet cracking and tried to sell scam wallet cracking tools.

This fits right in with the fact that person who popularized the idea and created brainwallet.org was cracking these kinds of keys and complaining about how few he was finding online before creating the site.

Food for thought.


I have learned recently that brainwallets are not a good idea, mostly because I lurk the bitcoin reddit and I think I saw you posting about it.

Now my fear/question is: are Electrum seeds also compromised? In theory isn't it the same as brainwallets? It creates a seed and this seed contains everything. I think the new HD wallet in bitcoin core is not like that (you can't "spawn" everything with a single seed) but with electrum it seems the same idea to me as brainwallets and now I'm worried... (I'm not a coder or anything so I don't understand the details, it just seems the same to me in practice)
piotr_n
Legendary
*
Offline Offline

Activity: 2053
Merit: 1354


aka tonikt


View Profile WWW
January 03, 2017, 07:06:44 PM
 #72

Quote
I think it's amusing that the two people in this thread loudly trumpeting brainwallets are someone who says they have a fetish for cracking passwords and someone who has posted extensively about wallet cracking and tried to sell scam wallet cracking tools.

This fits right in with the fact that person who popularized the idea and created brainwallet.org was cracking these kinds of keys and complaining about how few he was finding online before creating the site.

Food for thought.

Give me a break Smiley

By this logic nobody should trust your expertise on cryptography because you know too much about the topic and your advice might be luring unconscious people into using solutions that you claim are secured, but personally know how to break.

How are you going to answer that?

If you want to have an adult debate with me, question the technical aspects of what I'm saying, instead of trying to undermine my motives. It's just pathetic, man. How old are you?

Check out gocoin - my original project of full bitcoin node & cold wallet written in Go.
PGP fingerprint: AB9E A551 E262 A87A 13BB  9059 1BE7 B545 CDF3 FD0E
gmaxwell
Moderator
Legendary
*
expert
Offline Offline

Activity: 4172
Merit: 8419



View Profile WWW
January 03, 2017, 07:24:22 PM
 #73

Quote
I have learned recently that brainwallets are not a good idea, mostly because I lurk the bitcoin reddit and I think I saw you posting about it.

Now my fear/question is: are Electrum seeds also compromised? In theory isn't it the same as brainwallets? It creates a seed and this seed contains everything. I think the new HD wallet in bitcoin core is not like that (you can't "spawn" everything with a single seed) but with electrum it seems the same idea to me as brainwallets and now I'm worried... (I'm not a coder or anything so I don't understand the details, it just seems the same to me in practice)

The two main problems with brainwallets are that (1) humans created the randomness and humans are surprisingly bad at that (and, worse, can't tell how bad they are) and (2) they depend on human memory to perfectly remember a long highly random string.  Human memory is not very good at this either.

Electrum seeds, used correctly, don't have either of these problems.
gmaxwell
Moderator
Legendary
*
expert
Offline Offline

Activity: 4172
Merit: 8419



View Profile WWW
January 03, 2017, 07:27:01 PM
 #74

Quote
question the technical aspects of what I'm saying, instead of trying to undermine my motives. It's just pathetic, man. How old are you?

Quote
Because the mod is a type of person that prefers to run a forum for kids who he can impress and patronise all the time.

...

Quote
By this logic nobody should trust your expertise on cryptography because you know too much about the topic and your advice might be luring unconscious people into using solutions that you claim are secured, but personally know how to break.

How are you going to answer that?

Ask me again if you ever see me advocating solutions which have resulted in lots of funds loss in practice... or selling wallet cracking tools.
piotr_n
Legendary
*
Offline Offline

Activity: 2053
Merit: 1354


aka tonikt


View Profile WWW
January 03, 2017, 08:14:13 PM
 #75

Quote
question the technical aspects of what I'm saying, instead of trying to undermine my motives. It's just pathetic, man. How old are you?

Because the mod is a type of person that prefers to run a forum for kids who he can impress and patronise all the time.

...

By this logic nobody should trust your expertise on cryptography because you know too much about the topic and your advice might be luring unconscious people into using solutions that you claim are secured, but personally know how to break.

How are you going to answer that?

Ask me again if you ever see me advocating solutions which have resulted in lots of funds loss in practice... or selling wallet cracking tools.

Are you not advocating Bitcoin?

Check out gocoin - my original project of full bitcoin node & cold wallet written in Go.
PGP fingerprint: AB9E A551 E262 A87A 13BB  9059 1BE7 B545 CDF3 FD0E
Evil-Knievel
Legendary
*
Offline Offline

Activity: 1260
Merit: 1168



View Profile
January 04, 2017, 12:28:02 AM
 #76

I don't wanna tilt with windmills, and I am fine with the brainwallets-are-bad-mantra; it might be true for the average (but not general) case.

Still, just for the fun of it, I am willing to take a challenge with any of the low-entropy-is-bad guys here  Grin
Suggestion: I will put 5 BTC into an address which is secured by an entropy of 32 bits only. The entropy will even come from my brain. If anyone is able to crack my brainwallet within one week, feel free to take the money. If not, you consent to double my stake. I am even willing to tell you how my brainwallet will be constructed beforehand.  Grin

... remember, it's not about the entropy, it's about the time that is required to scan through the search space defined by the specific amount of entropy.
piotr_n
Legendary
*
Offline Offline

Activity: 2053
Merit: 1354


aka tonikt


View Profile WWW
January 04, 2017, 10:28:16 AM
Last edit: January 04, 2017, 10:39:41 AM by piotr_n
 #77

Quote
Suggestion: I will put 5 BTC into an address which is secured by an entropy of 32 bits only.
what do you mean?
you will post the public address and 224 bits of its private key - and we only have to guess the remaining 32 bits?
sign me in! Smiley

to go through all the 4294967296 combinations within a week (604800 seconds), one would only have to check 7101 keys per second.
that's totally doable - you will lose your money, man.
however, that will have nothing to do with cracking brain wallets - it's just pure brute forcing of random values.

Check out gocoin - my original project of full bitcoin node & cold wallet written in Go.
PGP fingerprint: AB9E A551 E262 A87A 13BB  9059 1BE7 B545 CDF3 FD0E
piotr_n
Legendary
*
Offline Offline

Activity: 2053
Merit: 1354


aka tonikt


View Profile WWW
January 04, 2017, 11:19:03 AM
Last edit: January 04, 2017, 01:03:42 PM by piotr_n
 #78

I'm going to go back to publishing my thoughts on best practices in brain wallets security.

Despite attacks on my credibility and honesty (which I'm going to ignore, as they are not worth my time), I'm standing behind all my previous statements on how to choose a secure brain wallet seed.
I think all the solutions I described in this topic are secure enough.
But it doesn't mean we cannot make them even more secure, using other kind of tricks.

Think of your life's savings - millions of dollars worth of bitcoins, which you want to protect only by passwords memorised in your brain.

This method is what I would call insurance fund security countermeasure.
You can take e.g. 2% of your life savings and put it on the insurance fund.
Worst case scenario: if your brain wallet gets cracked one day, it will cost you 1% of your savings, assuming you quickly act upon it.


Here is the method:

Note: a brain wallet can lead to practically unlimited number of addresses, but to simplify my guide I will assume that one brain wallet = one address.

So:

1. Make two or more brain wallets and deposit the insurance fund in their P2KH addresses (spreading the entire fund across them - evenly or however you like).

2. Make a multisig address 2-of-2 (or N-of-N if you made more brain wallets in point one) and deposit the rest of your savings there.

3. Do not spend from your multisig address, as it would disclose (to a potential attacker) that there is a much bigger stake to take than just the insurance.

Now, for the insurance to work, you will have to monitor the balance on your insurance addresses - use whatever method you want; manual or automatic.

If any of your passwords gets cracked, its insurance address will get emptied.
Important note here: the insurance address must carry enough coins to tempt the attacker.

Anyway, when an insurance address gets emptied - this tells you to move the funds from your multisig savings address to a new one.
Also, you can draw conclusions that the password you used for that address was too weak - and learn from it...

Check out gocoin - my original project of full bitcoin node & cold wallet written in Go.
PGP fingerprint: AB9E A551 E262 A87A 13BB  9059 1BE7 B545 CDF3 FD0E
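The monitoring half of the insurance scheme above, written out as an added example; it is not code from piotr_n or from gocoin. It takes two balance snapshots (address to satoshis, the kind of data any block explorer or your own node gives you), reports every insurance address whose balance has gone down, and turns that into the "move the multisig savings now" decision the post describes. The WalletLayout type, the function names and the address labels are my own, and the labels are placeholders rather than real addresses.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class WalletLayout:
    insurance_addresses: tuple  # one single-sig address per brain-wallet password
    savings_multisig: str       # the N-of-N address holding the rest, never spent from


def check_insurance(layout: WalletLayout, previous: dict, current: dict) -> list:
    """Compare two balance snapshots (address -> satoshis).

    Returns (address, before, after) for every insurance address whose balance
    went down. The post's signal is 'emptied'; any outflow you did not make is
    treated the same way, since a sweep may leave dust behind.
    """
    drained = []
    for addr in layout.insurance_addresses:
        before = previous.get(addr, 0)
        after = current.get(addr, 0)
        if after < before:
            drained.append((addr, before, after))
    return drained


def decide_action(layout: WalletLayout, previous: dict, current: dict):
    """'rotate' means: move the multisig savings to fresh keys now and treat the
    drained address's password as burned. Otherwise 'ok'."""
    drained = check_insurance(layout, previous, current)
    return ("rotate", drained) if drained else ("ok", [])


def insurance_fraction(layout: WalletLayout, balances: dict) -> float:
    """Share of all funds sitting on the insurance addresses; the post suggests
    about 2%, enough to be worth an attacker's sweep."""
    insured = sum(balances.get(a, 0) for a in layout.insurance_addresses)
    total = insured + balances.get(layout.savings_multisig, 0)
    return insured / total if total else 0.0


if __name__ == "__main__":
    # Constructed layout and snapshots; the address strings are labels, not real addresses.
    layout = WalletLayout(("ins-addr-A", "ins-addr-B"), "savings-2of2")
    yesterday = {"ins-addr-A": 100_000_000, "ins-addr-B": 100_000_000, "savings-2of2": 9_800_000_000}
    today = dict(yesterday, **{"ins-addr-B": 0})
    print(insurance_fraction(layout, yesterday))   # 0.02
    print(decide_action(layout, yesterday, today))  # ('rotate', [('ins-addr-B', 100000000, 0)])
```

Run it on a schedule against fresh snapshots; the one thing the code cannot tell you is which of the two brain-wallet passwords was the weak one, only that the address it protects has moved, which is the learning signal the post asks for.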
Evil-Knievel
Legendary
*
Offline Offline

Activity: 1260
Merit: 1168



View Profile
January 04, 2017, 12:06:08 PM
Last edit: January 04, 2017, 12:17:00 PM by Evil-Knievel
 #79

Quote
Suggestion: I will put 5 BTC into an address which is secured by an entropy of 32 bits only.
what do you mean?
you will post the public address and 224 bits of its private key - and we only have to guess the remaining 32 bits?
sign me in! Smiley

to go through all the 4294967296 combinations within a week (604800 seconds), one would only have to check 7101 keys per second.
that's totally doable - you will lose your money, man.
however, that will have nothing to do with cracking brain wallets - it's just pure brute forcing of random values.

I did not say, that 32 bits will be missing!  Wink  I said that my private key will have 32 bits of entropy.

I thought maybe something along these lines:

Let x be a 32bit integer (the only source of entropy). Then the private key k is
k = pbkdf2(scrypt(key=sha3("bull testicles" + sha3(x), salt=sha3(sha3(x)), N=2^(sha3(x)%1000000000000), r=8, p=1, dkLen=32), salt=sha3(sha3(x)), c=2^(sha3(x)%1000000000000), dkLen=32, prf=HMAC_SHA256)


I am quite sure that this very simple brainwallet cannot be cracked within one week, even for low entropies. Of course, for 32bit of entropy, I wouldn't keep the wallet live for more than a few months / maybe years. But for any four word english phrase that my mind comes up with, I would say it's pretty secure.

Disclaimer: if in doubt assume my approach is unsafe as hell and will lead to a total loss of your funds!
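The arithmetic behind the last two exchanges, added here as an example and not code from either poster: piotr_n's 7101 keys per second for 2^32 candidates in 604800 seconds, and Evil-Knievel's point that what matters is the time needed to walk the search space, not the entropy alone. The block computes the required guess rate, the time to exhaust a given entropy at a given cost per guess, and how many extra "bits-equivalent" an expensive derivation buys. derive_key_fast (one SHA-256) and derive_key_slow (scrypt with parameters I chose so it runs quickly) stand in for the two ends of that spectrum; they are my own choices, not the scrypt/pbkdf2 formula in the post above.

```python
import hashlib
import math

SECONDS_PER_WEEK = 7 * 24 * 3600  # 604800, the deadline used in the challenge above


def required_rate(entropy_bits: int, deadline_seconds: float) -> float:
    """Guesses per second needed to try all 2**entropy_bits within the deadline."""
    return (2 ** entropy_bits) / deadline_seconds


def time_to_exhaust(entropy_bits: int, seconds_per_guess: float) -> float:
    """Seconds to try every candidate when one guess costs seconds_per_guess."""
    return (2 ** entropy_bits) * seconds_per_guess


def effective_bits(entropy_bits: int, work_factor: float) -> float:
    """A derivation that costs work_factor times a single SHA-256 raises the
    attacker's bill as if the secret had log2(work_factor) more bits. It adds
    no entropy: a 32-bit secret stays 32 bits, the search just gets slower."""
    return entropy_bits + math.log2(work_factor)


def derive_key_fast(secret: bytes) -> bytes:
    """One SHA-256: the 'calculates in an instant' end of the spectrum."""
    return hashlib.sha256(secret).digest()


def derive_key_slow(secret: bytes, salt: bytes, log2_n: int = 14) -> bytes:
    """Memory-hard derivation with scrypt. Parameters are mine (N=2**14, r=8,
    p=1, about 16 MiB), chosen so the example runs in well under a second."""
    n = 1 << log2_n
    return hashlib.scrypt(secret, salt=salt, n=n, r=8, p=1,
                          maxmem=64 * 1024 * 1024, dklen=32)


if __name__ == "__main__":
    print(int(required_rate(32, SECONDS_PER_WEEK)), "guesses/s for 32 bits in a week")
    print(time_to_exhaust(32, 0.05) / SECONDS_PER_WEEK, "weeks if one guess costs 50 ms")
    print(effective_bits(32, 2 ** 20), "bits-equivalent with a 2**20 work factor")
    # Constructed secret and salt, only to show the slow derivation runs.
    print(derive_key_slow(b"four word english phrase", b"constructed-salt").hex())
```

The useful reading of the numbers: a slow derivation multiplies the attacker's cost by a constant, so it buys time proportional to that constant, while every bit of real entropy doubles the cost. A work factor of 2^20 turns 32 bits into the cost of 52, which is still far from the 128 bits or more a randomly generated seed gives for free, which is why the slow function is a supplement to a strong secret, not a substitute for one.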
piotr_n
Legendary
*
Offline Offline

Activity: 2053
Merit: 1354


aka tonikt


View Profile WWW
January 04, 2017, 03:46:38 PM
 #80

Quote
I thought maybe something along these lines:

Let x be a 32bit integer (the only source of entropy). Then the private key k is
k = pbkdf2(scrypt(key=sha3("bull testicles" + sha3(x), salt=sha3(sha3(x)), N=2^(sha3(x)%1000000000000), r=8, p=1, dkLen=32), salt=sha3(sha3(x)), c=2^(sha3(x)%1000000000000), dkLen=32, prf=HMAC_SHA256)


I am quite sure that this very simple brainwallet cannot be cracked within one week, even for low entropies. Of course, for 32bit of entropy, I wouldn't keep the wallet live for more than a few months / maybe years. But for any four word english phrase that my mind comes up with, I would say it's pretty secure.

Disclaimer: if in doubt assume my approach is unsafe as hell and will lead to a total loss of your funds!

Yes, it's actually another thing worth mentioning.

Despite what some people claim (or may think), not everybody uses brainwallet.org (which BTW doesn't work), or bitcoinpaperwallet.com, or brainwallet.io or BIP38 or any other "standard" generously acknowledged by the ever patronising us bitcoin celebrities.

You just gave an example of quite a complex hashing mechanism - it takes quite a lot of time to just calculate one hash.
Myself, I use much simpler hashing - it calculates in an instant, but I'm still comfortable with it, as I focus on making strong passwords.

And it is not only about how you generate the first address, but also others originating from the same seed.

My point is: whoever is going to crack brain wallets cannot really do it all at once, as the function that turns the password into the 256 bit private key can be literally anything. He needs to address each one separately - first having to learn what it actually is.

Suit yourself with the method of the guy who "invented Brainwallets", using the breakthrough science-fiction sentence cracking solution that you have allegedly researched [again!], but don't want to disclose...
But still, if you want to crack my password, you will have to launch a slightly different software.

Check out gocoin - my original project of full bitcoin node & cold wallet written in Go.
PGP fingerprint: AB9E A551 E262 A87A 13BB  9059 1BE7 B545 CDF3 FD0E