Brain wallet, step-by-step guide (FIXED!)[Mod note: DO NOT USE BRAINWALLETS]

[piotr_n]

I mean, seriously?
What kind of idiot do you think would chose any of the above passwords to protect his life's savings?

Clearly multiple people chose those passwords to protect some amount of Bitcoin.

Or for a different reason.
E. g. to research brain wallets.

This "research" paper does not say how many bitcoins they have collected as the result of cracking brain wallets.
The logical assumption is: because they haven't collected any significant amount, even though they "have been able to crack thousands of passwords including some quite difficult ones".
Because (most likely) they only cracked the passwords that nobody really cared about in the first place.
Proving only how silly the conclusion from their paper is.

The point is that people think those passwords are strong passwords because online password checkers say that those passwords are strong. If you are recommending people to use brainwallets, they are likely to use those types of passwords thinking that they are strong passwords when in actuality they are not.

Your claim would be true, if you had found at least one person who thinks that "those passwords are strong".
Otherwise it's just what you believe.

I will tell you what.
If you want to prove your point, all you need to do is take any password from the list (e.g. " say hello to my little friend"), find the address it came down to and see how many coins this address ever carried, for a longer period of time. If it was a significant amount, then you are right and I am wrong.
It's all in the blockchain - be my guest.

Alternatively, you can contact the authors of this paper and just ask them how many bitcoins they found on the addresses they cracked.
Tell them that there is a guy on bitcointalk.org who claims that they are a fraud and you are trying to clear their names...

[1715308047]

1715308047

[CyberKuro]

Please don't use words like "horribly" or "probably" trying to discuss technical issues.

Why? I understand not using probably (I thought this was in beginners and help so it was primarily as a warning to noobs) but what is wrong with "horribly insecure"?

Because how can anyone objectively disagree (or agree) with a complexity of a technical challenge described by such words?

Do you even understand that cracking a brain-wallet's seed password is a serious technical challenge?

Which tool/approach would you have chosen to crack my brain wallet?

It is possible to securely use brainwallets, but it should not be something that is recommended to newbies and those who do not understand technical aspects of Bitcoin IMO.

Which is exactly why guides like this can be very useful.
Unlike dogmatic statements based on someone's beliefs, basically coming down to: don't use a brain wallet, because you are too stupid to make a proper password.
IMHO, there is nothing more stupid (or arrogant) than assuming that all the other people are stupid, except greg and theymos

A brainwallet refers to the concept of storing Bitcoins in one's own mind by memorizing a mnemonic recovery seed
I just find out of this kind of wallet, looks interesting. Need to learn about it later.
Yes, it's so hard to cracking brain wallet as the seed is memorized by the owner.
But, you still have to write it down, right? Just in case, because > If a brainwallet is forgotten or the person dies or is permanently incapacitated, the Bitcoins are lost forever.

[DannyHamilton]

Generally, my assumption is that when an otherwise intelligent person advocates for brainwallets, it's because they are hoping that foolish people with weak passphrases will store significant sums of bitcoin that they can later steal.

If you want to personally use a brainwallet. Go ahead.  None of us are stopping you. However, if you are going to advocate for them, then foolish people will read what you write and will lose money.

Anecdotal evidence (such as examples of brain wallets that haven't yet been cracked) aren't proof of anything.  The fact that something hasn't been broken yet is not proof that it can't be broken. I'd think that would be obvious.

[Evil-Knievel]

I am really surprised by the collective refusal of brain wallets. It all started roughly two years ago when suddenly a secret society of crypto guys started a war on brain wallets ... including popular ones like brainwallet.org that I have used thoroughly back then.
I guess it would be sufficient to just clearly state that the "passphrase" has to be unique and not "guessable" by anyone else, but that would be just to simple, wouldn't it?

I have personally lost BTC, that were stored in my mobile wallet (when my mobile was "borrowed" by a worthless asshat in the subway).
I have lost BTC that were stored in a wallet.dat when my SSD suddenly failed.
I have lost BTC that were stored in a wallet.dat when I accidently typed rm -rf / into the console.
But I am yet to lose any of my BTC that I have stored in a brain wallet.

People have tried to convince me to store it in an online wallet (where the owner may pull of Houdini's magic disappearence act anytime) or on a crappy 100$ SSD (which failure is a poisson distribution around it's END-OF-LIFETIME point) before, but that's not gonna happen!

Saying "all brainwallets will be emptied" is just as wrong as claiming that "alternative storage methods" are fool-proof.

[DannyHamilton]

- snip -
just clearly state that the "passphrase" has to be unique and not "guessable" by anyone else, but that would be just to simple, wouldn't it?

Yes.  That would DEFINITELY be "just to simple".

I have personally lost BTC, that were stored in my mobile wallet (when my mobile was "borrowed" by a worthless asshat in the subway).

You didn't have a backup?

I have lost BTC that were stored in a wallet.dat when my SSD suddenly failed.

You didn't learn your lesson and create a backup?

I have lost BTC that were stored in a wallet.dat when I accidently typed rm -rf / into the console.

You STILL didn't learn your lessong and store a backup?

How can someone that is incapable of learning to backup valuable data (and careless enough to type "rm -rf /" into the console of the sole computer storing their wallet) think that they would be any good at all at choosing a secure brainwallet?

Oh, wait. I know...
It's the Dunning-Kruger effect isn't it?  Which is just one more reason to discourage brainwallet use.

But I am yet to lose any of my BTC that I have stored in a brain wallet.

"Yet" being the key word in that sentence.  You could have said the exact same thing about your mobile wallet seconds before it was "borrowed".  You could have said the exact same thing about your wallet.dat seconds before the SSD died and seconds before you typed "rm -rf /".

People have tried to convince me to store it in an online wallet (where the owner may pull of Houdini's magic disappearence act anytime)

Not anyone that knows what they're talking about.  Perhaps some newbies or other unknowledgeable individuals.

or on a crappy 100$ SSD (which failure is a poisson distribution around it's END-OF-LIFETIME point) before, but that's not gonna happen!

You really need to learn the concept of secure backups.

Saying "all brainwallets will be emptied" is just as wrong as claiming that "alternative storage methods" are fool-proof.

I've never said that "all brainwallets will be emptied".  I'm confident though in saying that MOST people that think a brainwallet is a good idea for themselves are making a bad decision.

[Evil-Knievel]

You really need to learn the concept of secure backups.

I highly doubt that there is such thing as a secure backup.

You back up in the cloud? Big brother and his 3rd party affiliates are watching you!
You back up on an external hard disk? What if your place get's robbed? What if it burns down?
You back up on a "safe" RAID? Have fun if the RAID controller totals itself.
You back up in several redundant places? WIth every place the potential attack vectors for thiefs and/or social engineers increase.
You have a perfect encrypted non-flammable never-failing backup? Big brother can still subpoena you to decrypt your stuff.

Doesn't sound "secure" to me after all.

Regards
Dunning-Kruger

[ryanc]

I was asked by someone to comment here, since I wrote brainflayer and have coauthored two papers about brainwallet cracking.

I am really surprised by the collective refusal of brain wallets. It all started roughly two years ago when suddenly a secret society of crypto guys started a war on brain wallets ... including popular ones like brainwallet.org that I have used thoroughly back then.

Haven't I seen you posting https://bitcointalk.org/index.php?topic=421842.0 in the past about cracking bitcoin keys? Hard to tell, since you've tried to purge your old posts, but your motivation here is highly suspect.

What motivation do you think us "crypto guys" have for trying to prevent people from using brainwallets, other than to save people from themselves?

This "research" paper does not say how many bitcoins they have collected as the result of cracking brain wallets.

You didn't read the paper, then. Threads on bitcoin talk where people are bragging about cracking brain wallets are listed. Hundreds of BTC have been taken.

I have personally had correspondence with people who have lost over 100BTC due to forgetting their brainwallet passphrase. I spoke on the phone with someone who lost about 47k ether from a brainwallet.

If someone wants to store bitcoin using a memorized secret, they should use BIP39, optionally combined with BIP32, and use spaced repetition to memorize the seed.

If you absolutely insist on coming up with a passphrase yourself and storing bitcoin with it, go use WarpWallet with your email address, name, or phone number as a salt. It's several orders of magnitude more secure against cracking, and multiple independent implementations of the algorithm exist.

[piotr_n]

your motivation here is highly suspect.

[...]

What motivation do you think us "crypto guys" have for trying to prevent people from using brainwallets, other than to save people from themselves?

Your motivation is pretty obvious and I think I already said that.
You are trying to say that the "people" are too stupid to make a password that you "crypto guys"  cannot crack.
And what other reason for that if not to indulge one's poor ego?
Well, you are wrong. And we are here to help them proving that you are wrong - that is our motivation.
Maybe not because we care about them, but because wy love proving arrogant people to be wrong.

Crack my password, mr crypto guy, if you are as smart as you are pretending to be.
It holds thousands of bitcoins - that should be enough of the motivation.

[piotr_n]

Also, if you would not mind sharing what does it actually take to become a "crypto guy"?

I am not asking because I want to become one.
I am asking because I do not want to be associated with a "crypto science" like yours..
I prefer a "crypto practice" - so whatever else you do not do, will likely also work for me

[DannyHamilton]

Also, if you would not mind sharing what does it actually take to become a "crypto guy"?

Ask Evil-Knievel.  It was his term.  That's why ryanc put it in quotes when he used it:

- snip -
roughly two years ago when suddenly a secret society of crypto guys started a war on brain wallets
- snip -

[DannyHamilton]

You are trying to say that the "people" are too stupid to make a password that you "crypto guys"  cannot crack.

The problem with brainwallets isn't just the possibility that "crypto guys" might crack them.  It's also that they generally have insufficient entropy and are therefore significantly more risky.

That might mean being cracked by a hacker, or "crypto guy", but it also might just mean that another of the billions of humans on the planet could end up making the same choices as you.  

And what other reason for that if not to indulge one's poor ego?

Perhaps to help protect others from experiencing preventable losses?

Maybe not because we care about them,

Clearly.

Crack my password, mr crypto guy, if you are as smart as you are pretending to be.
It holds thousands of bitcoins - that should be enough of the motivation.

"Cracking your password" doesn't require intelligence.  It just requires that someone somewhere has the same misconceptions as you.

[piotr_n]

Ask Evil-Knievel.  It was his term.  That's why ryanc put it in quotes when he used it:

Whatever - it's just silly joking.

But you are wrong @Danny, because backup is a very weak and very fragile point of a wallet's security.
That's mostly why I choose a brain wallet.
Another is convenience - why would I have to carry a file with me if all I need is my brain.

And no, I do not have my passwords written anywhere.
However I do have some hints written down.
But they are designed in a way that only I can understand their meaning.
Actually, only I can understand that these are the hints.

Start using your brains - that's all I have to say.
Don't buy into the bullshit that your brain is not smart enough to make a password that other people's brains can't hack.

[piotr_n]

I just want to add that I think that this is a very interesting topic and I wish we could just discuss it in a cold professional manner, putting emotions and dick measuring aside.

I wish we were able to discuss the complexity of cracking brain wallets and the important aspects around their security.

So why won't I start.

I think it would be fair to assume that the throttle is set by the EC function that multiplies a number repesenting a potential private key by the G point of the curve.
To simplify, let's put the times of any hashings aside - let's say they are zero.

In the library I currently use, my i7 Intel CPU, needs about 120 nanoseconds to perform such an operation.
But it is obviously not the most optimal implementation - so let's assume that the optimal implementation is more than one million times faster than it: it can calculate 1 million public keys within 100 nanoseconds, which comes to 10000000000000 (1e13) operations per second.

Now, let's take a simple password - only low case characters: 'a' to 'z'

For 8 characters long password, at this speed of brute forcing, it would take 26^8/1e13 = 0.02 second (in the worst case) to find the password.
Meaning: you do not want to use 8 characters long password - 8 characters long brain wallets are shit!
But it does not yet mean that all the brain wallets are not secure...

Because, what would the time be for 16 characters long password?
Well, the number is 26^16/1e13/3600/365 = 3318 years.

How about 32 characters password?
According to my calculator, 26^32/1e13/3600/365 equals 144727736474009759620915358 [years] - I'm sure we don't have that much time.

This is 32 characters long password, with only lower case letters ('a' to 'z')!

And here we come to the point.
Some people out there are saying that they can program a software to predict what my brain had been thinking while generating the 32 characters long password.
They are going to use dictionaries and all kind of technics to only check the sequences that my brain would think of, skipping those that it would not...
And this software will be so efficient that it will simplify the problem by about 144727736474009759620915358 times, so they can find my password within a year.
Right!
I am really dying to learn about these breakthrough technics and their ingenious algos.
Because what I have seen so far is only making me to say: spare your efforts little boys, before you shit yourself trying.
And forgive me concluding with this humorous metaphor.

Now, please prove me wrong.

[philipma1957]

I mean, seriously?
What kind of idiot do you think would chose any of the above passwords to protect his life's savings?

Clearly multiple people chose those passwords to protect some amount of Bitcoin.

The point is that people think those passwords are strong passwords because online password checkers say that those passwords are strong. If you are recommending people to use brainwallets, they are likely to use those types of passwords thinking that they are strong passwords when in actuality they are not.

A six digit random number picker
A six letter word
A six digit random number picker
A six letter word

Is fairly strong.

Then put a copy of it in a safe deposit box

Then do it again with 24 different letters and numbers.

Combine the two giving you a 48 place password

Put the second set of 24 in a second safe deposit box.

I would like to see a program crack that.

[ryanc]

Now, please prove me wrong.

You're using math that assumes people generate their passphrases or passwords randomly. It is possible for people to do this. A small number of them do. The problem is that, as every database leak that's included hashed passwords has shown, the vast majority of people choose weak passwords. This is a problem, since brainwallets automatically leak what amounts to a hash immediately on use.

So yes, I believe that most people are not capable of choosing a password or passphrase that is sufficiently strong to use as a brainwallet, and there is a mountain of evidence to support me. This is not a matter of ego. I would not feel comfortable in my ability to come up with a password or passphrase that could not be cracked without a secure random number generator. Is it really so hard to believe that I, and others like me, genuinely want to help prevent people from losing money?

I am not saying "it's impossible to create a brainwallet that won't be cracked". My argument is that so many people are not able to evaluate whether their passwords or passphrases are strong enough that assisting them in creating a brainwallet is an act of gross negligence.

[ArcCsch]

Strong passphrases are very important, and many people choose weak ones, a famous example is the following:
how much wood could a woodchuck chuck if a woodchuck could chuck wood
Which results in:
1GjjGLYR7UhtM1n6z7QDpQskBicgmsHW9k
Someone put 250BTC on that address, that was hacked by a white hat hacker, who tried to warn the owner (and did not simply take the coins, yes, people like this exist) by adding more and taking it back, but the owner did not notice, so the hacker traced the owner to a mining pool, and found the owner's phone number, and called to explain...this lengthy story was presented during a DEFCON conference.

I think brain wallets should be strengthened by salting, and by using key-stretching, as in BIP38, this would make hacking all but the weakest passphrases totally impractical.
With this post, I request from software developers to include a new brain wallet generator, with separate boxes for passphrase and salt, and with some heavy key-stretching to slow down those hackers.
Something like this:
key=GenerateKey[scrypt[Hash[passphrase]||Hash[salt]]]

[ryanc]

1GjjGLYR7UhtM1n6z7QDpQskBicgmsHW9k
Someone put 250BTC on that address, that was hacked by a white hat hacker, who tried to warn the owner (and did not simply take the coins, yes, people like this exist) by adding more and taking it back, but the owner did not notice, so the hacker traced the owner to a mining pool, and found the owner's phone number, and called to explain...this lengthy story was presented during a DEFCON conference.

That was me.

I think brain wallets should be strengthened by salting, and by using key-stretching, as in BIP38, this would make hacking all but the weakest passphrases totally impractical.
With this post, I request from software developers to include a new brain wallet generator, with separate boxes for passphrase and salt, and with some heavy key-stretching to slow down those hackers.
Something like this:
key=GenerateKey[scrypt[Hash[passphrase]||Hash[salt]]]

WarpWallet does something like that. Using it with a salt and six diceware words (use actual dice!) should be sufficient unless you're Satoshi. I still strongly recommend against coming up with your own password or passphrase, and BIP39 + BIP32 is better for a number of other reasons.

[ArcCsch]

WarpWallet does something like that. Using it with a salt and six diceware words (use actual dice!) should be sufficient unless you're Satoshi. I still strongly recommend against coming up with your own password or passphrase, and BIP39 + BIP32 is better for a number of other reasons.

I checked Warp Wallet, and it appears that people still use passphrases like "a", " ", "correct horse battery staple" and "bitcoin".
You can't fix stupid, not even with key-stretching.

[ryanc]

You can't fix stupid, not even with key-stretching.

True, but you can mitigate it, at least to some extent. I probably should try getting WarpWallet to accept my patches again.

[piotr_n]

Now, please prove me wrong.

You're using math that assumes people generate their passphrases or passwords randomly. It is possible for people to do this. A small number of them do. The problem is that, as every database leak that's included hashed passwords has shown, the vast majority of people choose weak passwords. This is a problem, since brainwallets automatically leak what amounts to a hash immediately on use.

So yes, I believe that most people are not capable of choosing a password or passphrase that is sufficiently strong to use as a brainwallet, and there is a mountain of evidence to support me. This is not a matter of ego. I would not feel comfortable in my ability to come up with a password or passphrase that could not be cracked without a secure random number generator. Is it really so hard to believe that I, and others like me, genuinely want to help prevent people from losing money?

I am not saying "it's impossible to create a brainwallet that won't be cracked". My argument is that so many people are not able to evaluate whether their passwords or passphrases are strong enough that assisting them in creating a brainwallet is an act of gross negligence.

Of couse I am using math - what else am I supposed to be using?
Math is the only objective language to describe the complexity of the problem. Or a lack of it, if you prefer...

Without the math we are only debating our belives.
What you are saying it that you belive people are not smart enough to think of a strong password.
However, you seem to belive that the same people are smart enough to secure their file system from the hackers, plus to secure all the possible storage places (for the backup) from accessing by unwanted parties. Not to mention a physical access to the actual storage.

Well this is where we disagree.

I believe it is much easier to come out with the password that no other person on earth can crack/think-of, then to find a file storage that no other person can access.

And is it really so hard to believe that I, and others like me, genuinely want to help prevent people from losing money?

And again: I wish we could discuss technical and numbers here (exactly the math), instead of playing politics on which demagogy is going to get a bigger applause.

So, coming back to "how much wood could a woodchuck chuck if a woodchuck could chuck wood" - obviously it is a very bad password.
It is not better than my 8-random-characters example.
Anything that can be searched in Google is a very bad password.
Even the entire Tolkien's trilogy would be a bad idea to use as a brain wallet... unless you pick a set of words from the trilogy, by the system that only you know and remember - such could be a very strong password.
Now, if you don't know the system by which I chose the words from a book, how can you possibly write a software to crack it, even had you known the book?

Anyway, do you have any other "strong" passwords that you or anyone else have cracked?
Because so far I have not seen an example of a cracked password that I'd consider strong.

IMO, there is absolutely no backup to conclude that [any] "research demonstrates [again] that brain wallets are not secure and no one should use them".
This is a bunch of bollocks and people claiming such nonsens, calling it a research, are embarrassing themselves.