Brain wallet, step-by-step guide (FIXED!)[Mod note: DO NOT USE BRAINWALLETS]

[DannyHamilton]

I wish we could discuss technical and numbers here (exactly the math), instead of playing politics on which demagogy is going to get a bigger applause.

That would be a lot easier if you'd take the time to actually read what was posted and not run off on a rant from taking a few words out of context.

For example:

You're using math that assumes people generate their passphrases or passwords randomly. It is possible for people to do this. A small number of them do. The problem is that, as every database leak that's included hashed passwords has shown, the vast majority of people choose weak passwords. This is a problem, since brainwallets automatically leak what amounts to a hash immediately on use.

Of couse I am using math - what else am I supposed to be using?
Math is the only objective language to describe the complexity of the problem. Or a lack of it, if you prefer...

Without the math we are only debating our belives.

Seriously?  That's what you took from what ryanc wrote?  That he was complaining that you were using math?

Come on.  You're the one that keeps saying that you want to discuss technical details here.  Then pay attention to the details.

So yes, I believe that most people are not capable of choosing a password or passphrase that is sufficiently strong to use as a brainwallet, and there is a mountain of evidence to support me. This is not a matter of ego. I would not feel comfortable in my ability to come up with a password or passphrase that could not be cracked without a secure random number generator.

What you are saying it that you belive people are not smart enough to think of a strong password.

That's not what he's saying at all.

What he's saying is that really smart people understand the importance of entropy and the lack of entropy in their own minds.  Therefore, they tend to acknowledge that they are not capable of thinking of a strong password.  Those that are most likely to believe that their password is strong enough are the ones that are most likely to be wrong about that belief.  Not everyone.  Just most.  Perhaps you actually have come up with enough entropy in your brainwallet, but that doesn't mean you should encourage the average person to try.

And is it really so hard to believe that I, and others like me, genuinely want to help prevent people from losing money?

No.  I believe that you are trying to help.  I just believe that your advice is flawed, and that in your attempt to help, you are making things worse for the average person.

Even the entire Tolkien's trilogy would be a bad idea to use as a brain wallet... unless you pick a set of words from the trilogy, by the system that only you know and remember - such could be a very strong password.

Well, if that "system" was to use a good source of entropy to, at least a dozen times, choose a RANDOM page, and then a RANDOM word on that page, then perhaps.  Although some words occur FAR more frequently than others, so even that is a risky proposition.  If your "system" is to make a conscious choice about which pages and words to choose, then it sounds like a bad idea to me.
 

Now, if you don't know the system by which I chose the words from a book, how can you possibly write a software to crack it, even had you known the book?

It's not that I can crack your specific wallet.  It's that if enough people do it, I can crack the AVERAGE user's wallet.  There will be outliers (perhaps including yourself), but on AVERAGE there will be a tendency to choose certain pages and certain words. It will be a bell shaped distribution, and the hacker will get the 80% of users that are closest to the mean.

[1715201619]

1715201619

[piotr_n]

What he's saying is that really smart people understand the importance of entropy and the lack of entropy in their own minds.  Therefore, they tend to acknowledge that they are not capable of thinking of a strong password.  Those that are most likely to believe that their password is strong enough are the ones that are most likely to be wrong about that belief.  Not everyone.  Just most.  Perhaps you actually have come up with enough entropy in your brainwallet, but that doesn't mean you should encourage the average person to try.

Stop talking this nonsense about entropy.
What's this obsession of you guys, with the entropy of brain wallets?
Entropy has nothing to do with it - the security of brain wallets is solely about complexity of breaking the password.

How much entropy the EC multiply function gives you?
Fucking zero!
Each time it calculates exactly the same public key, for the same private key.
And yet, all the bitcoin security is based on this zero-entropy calculation.
Why?
Because reversing this function is too complex for anyone to calculate the private key, from the public key.
Just like cracking a good brain wallet is too complex.

[DannyHamilton]

Stop talking this nonsense about entropy.
What's this obsession of you guys, with the entropy of brain wallets?

You are the one that said that you wanted to talk about the technical details.  Now you want to skip the details and go with your opinion instead?

Entropy has nothing to do with it - the security of brain wallets is solely about complexity of breaking the password.

Nope.  It also is about the likelihood that someone else will choose something similar by coincidence.

How much entropy the EC multiply function gives you?
Fucking zero!
Each time it calculates exactly the same public key, for the same private key.
And yet, all the bitcoin security is based on this zero-entropy calculation.

Nope.  The security of bitcoin is based entirely on the entropy of the private key.  If you choose a truly random number between 1 and 115792089237316195423570985008687907852837564279074904382605163141518161494336 then the likelihood that someone else will choose (or find) the exact same number is close enough to impossible that it can be considered secure.

If you use a system with too little entropy, then the likelihood that someone else chooses (or finds) that exact same number increases.  There is a threshold where the likelihood becomes so great that it can no longer be considered secure.

Why?
Because reversing this function is too complex for anyone to calculate the private key, from the public key.
Just like cracking a good brain wallet is too complex.

This discussion has nothing to do with "reversing the function" or "calculating the private key from the public key".

[piotr_n]

It also is about the likelihood that someone else will choose something similar by coincidence.

Now you've made me intrigued, how is it possible that nobody have painted a second Mona Lisa, just by coincidence

The security of bitcoin is based entirely on the entropy of the private key.  

What???
Man, you don't know what you are talking about.

If you don't understand that the security of ECDSA is all about complexity of reversing the EC multiply function, then we have nothing to discuss any further.

You're wasting my time and the time of people reading this topic.

[DannyHamilton]

Now you've made me intrigued, how is it possible that nobody have painted a second Mona Lisa, just by coincidence

https://en.wikipedia.org/wiki/Mona_Lisa_replicas_and_reinterpretations  

If you don't understand that the security of ECDSA is all about complexity of reversing the EC multiply function, then we have nothing to discuss any further.

Finally, we can agree on something.

Certainly Bitcoin would be broken if it was possible to quickly calculate a private key from a given ECDSA public key.  However, without sufficient entropy in the selection of the private key, the security is lost before you ever even know the public key.

You're wasting my time and the time of people reading this topic.

One of us is.

[piotr_n]

Now you've made me intrigued, how is it possible that nobody have painted a second Mona Lisa, just by coincidence

https://en.wikipedia.org/wiki/Mona_Lisa_replicas_and_reinterpretations  

If you don't understand that the security of ECDSA is all about complexity of reversing the EC multiply function, then we have nothing to discuss any further.

Finally, we can agree on something.

Certainly Bitcoin would be broken if it was possible to quickly calculate a private key from a given ECDSA public key.  However, without sufficient entropy in the selection of the private key, the security is lost before you ever even know the public key.

You're wasting my time and the time of people reading this topic.

One of us is.

You're embarrassing yourself.

[ArcCsch]

There are two different types of attacks on a cryptographic system; analytical attacks, and brute force.
Entropy protects against brute force, but not against analytical attacks.
A strong system is needed to guard against analytical attacks.

Entropy is necessary for security, but not sufficient.

[piotr_n]

Mind that entropy is just an abstract concept that basically quantifies the amount of chaos within a certain set of data.

Trust me: there is no chaos inside the data provided by the random number generators that you guys use and praise to be so much more secure than my brain.
Software based (pseudo) random number generators follow an algorithm, that is just a mathematical function which turns input data into the pseudo-random numbers.
The input data for this function are things like: current time, content of your system's memory, the keys you're pressing on your keyboard, or your mouse cursor movements - that's it.

There are some implementations of a hardware-based random number generators, which are supposed to provide a real random numbers, but they are so shady that smart people will rather stick to the software solutions - pseudo random number generators.
And why?
Because at least with the software PRNG they can audit the code and quantify the complexity of recovering the seed by an attacker.
Which is exactly where the security of the brain wallet is - in the complexity of recovering the seed by an attacker.

http://arstechnica.com/security/2013/12/we-cannot-trust-intel-and-vias-chip-based-crypto-freebsd-developers-say/

[piotr_n]

Every now and then we hear about people coins getting lost, because their wallet was using a fucked up random number generator.

Fucking Google distributed a "secure" random number source to millions of android devices and it was only discovered by lost bitcoins that it was being initiated with 31 bit seed.
They claimed that it was a bug, but who the hell knows - might had just as well been a mistake by design.

How many more fuck ups have to come out in PRNG implementations, before you guys start considering a thesis that your brain combined with a simple sha256 hash might be actually far better source of (pseudo) entropy than all of these corporate solutions that nobody is able to fully audit?

[ArcCsch]

Also, it makes little sense to talk about the entropy of a specific string, entropy is defined only for distributions.
If, you pick a random list of ten words from a list of 6^5 words, the entropy is log2[6^50], which is 129.248125036 bits, if an attacker tries to brute force this, it would take, on average, more than 2^128 tries.
The specific passphrase "correct horse battery staple" for example, does not have a well defined entropy:
If each word is chosen at random from a large list, this particular sequence is very unlikely to be chosen, and the distribution would have high entropy, choosing a well known password from a high entropy distribution is very bad luck, and is about as likely as a brute force attacker who starts at a random point and searches from there happening to crack your key in a very short time.
The more likely scenario is that it was copied from xkcd, this is a stupid thing to do because the distribution "first thing to come to mind when a passphrase is needed", has a very low entropy for most people, and yet, unfortunately, is how most people choose passwords.

[TransaDox]

Security is a trade-off between complexity and convenience. Binary arguments about security mean that your data might never get stolen but no-one uses the software - just ask PGP.

My opinion is that brain wallets aren't the most secure but they are secure enough for many non technical users. If it is a commercial service that is being offered then there are other measures to mitigate the risk of loss like insurance-an admission that it can occur and allow compensation according to risk probability.

[gmaxwell]

Brainwallets were literally invented by someone who was out to rip people off; no joke!

piotr_n: Errors like you talk about are what happen sometimes when technical experts given all the time in the world work on secure entropy.  What do you think will happen when you ask less technical end users to take care of it for themselves?

Predictable failure, that is what results. And, of course, if your crypto code is broken-- your security is toast anyways: your signatures will give away your key.

People _massively_ overestimate their ability to choose unguessable strings. They come up with absurd munging schemes that are easily predicted and exploited by attackers.  The result is that brainwallets cause funds loss _constantly_.

Why is it when it turns out that some website was using an unsalted hashing scheme to store their users password hashes in a private database people pull out the torches about how incompetent the web developer is-- but when people construct brainwallet software which stores the users hashed password in a PUBLIC database-- unsalted-- where every found password results in an irreversable theft of Bitcoin, some people fall over themselves to recommend it?

... because that is exactly what a brainwallet is doing:  A public key is a hash of the private key (with special homomorphic properties that makes it useful for signatures). When you use a brainwallet you are computing an unsalted password hash and sticking it in a public database along with the amount you can steal by cracking it.  Because they are unsalted, an attacker can target N users with ~O(1) effort just like any other unsalted password hash.

[piotr_n]

piotr_n: Errors like you talk about are what happen sometimes when technical experts given all the time in the world work on secure entropy.  What do you think will happen when you ask less technical end users to take care of it for themselves?

By this logic: what do you think will happen if you ask an average John to secure his backup of the wallet file?

Is this a forum for Development & Technical Discussion - or not?
If it is, then why are you bringing politics into it?

If people _massively_ overestimate their ability to choose unguessable strings then shouldn't we be discussing and advertising methods of choosing unguessable strings?
Instead of not-discussing brain wallets at all, because you believe that people are too stupid to choose a password that cannot be "easily predicted and exploited by attackers".


I believe that a brain wallet is the most secure wallet for me - and I am putting my money behind it, because I use such wallets myself.
I am willing to share my knowledge of choosing a complex enough passwords with anyone who wants to learn about the topic.
But I am not interested to argue with your "research demonstrates again that brain wallets are not secure and no one should use them" propaganda, because I have no time for such bullshit.

[gmaxwell]

The advice would be to have a computer generate it randomly.  (the next best advice is to choose it with dice but it takes so many rolls to even get 128 bits, that I have found that users don't actually comply with the procedure; a treatment that the patient will not follow is not a good treatment, no matter how perfect it is if used flawlessly). Studying the result in practice isn't politics, it's science.  Developers are not magically anointed with an ability to not make these errors, they appear to be even more vulnerable: to quick to enamor themselves with fancy schemes but just as unable to really comprehend billions of attempts per second as any other human. It isn't a question of being stupid, I do not think I can securely use a brainwallet and I do not think I am stupid.

[piotr_n]

Also nobody is talking about the advantages of (strong) brain wallets, that are actually making them more secure than PRNG based wallets.

Besides of the two I mentioned already:
- They don't rely on anyone's (publicly known) implementation of the "entropy"
- They don't require backups

There is more:
- They cannot be seized
- They don't need to be carried
- Their existence can be denied / can't be proven
- Even if someone can prove that a brain wallet had existed at some point in time, he's still unable to prove that you have not forgotten the password

These are mostly about legal security, but isn't Bitcoin's success itself exactly about it?
You see, in my opinion, the biggest enemy of the brain wallets should be the government.

[gmaxwell]

Also nobody is talking about the advantages of (strong) brain wallets, that are actually making them more secure than PRNG based wallets.

Besides of the two I mentioned already:
- They don't rely on anyone's (publicly known) implementation of the "entropy"

Unless you never intend to sign a message they do... and they also depend on a human's easily predictable production of "entropy".

There are hundreds of millions of dollars worth of Bitcoin secured by the CSPRNG setup in Bitcoin Core. It is peer reviewed by quite a few subject matter experts. That is a pretty strong bit of auditing there, ... can you say the same for your scheme?

- They don't require backups

Human memory is very fallible.  We often just don't remember what we don't remember so we don't often realize how bad it is.   A fever, blow to the head, or other illness can easily kill single memories even of things you used frequently-- a brain wallet is the hardest kind to remember: to be secure it must be unusually random, and you should not be using it frequently (if you use it frequently, you will end up leaking it somehow) and being almost right is not good enough!

Backups are also easy if you don't need to redo them. They are practically free:  A small USB stick costs a few dollars, paper costs cents. You can make many backups and secure them with a weak password that your family also knows and really can never be forgotten-- but attackers with a FPGA farm in china cannot crack your password protected backed up wallet!

There is more:
- They cannot be seized

Equally true of a pasword protected backup wallet.  And both can be seized after finding evidence of you using them in the blockchain or on your computer and then liberally applying a hammer to your non-dominant hand.

- They don't need to be carried

Yes, this is perhaps the one advantage-- if you are a refugee who can literally carry _nothing_ without severe risk of losing it. But even there you would be much better off with a few backups of that key securely hidden back at home in case you do forget it and do someday find yourself in a place where you can pick it up.

- Their existence can be denied
- Even if someone can prove that a brain wallet had existed at some point in time, he's still unable to prove that you have not forgotten the password

Both equally true for an encrypted non-brainwallet.

You see, in my opinion, the biggest enemy of the brain wallets should be the government.

Brainwallets are irrelevant to the government-- they don't add any protection from the a government except in the refugee case, but they are the friend of the coin thieves -- no surprise considering they were invented by one.

You seem to have ignored my point that a brainwallet is equivalent to storing an unsalted password hash in a public database. Do you consider that incompetent security?

[piotr_n]

- They cannot be seized

Equally true of a pasword protected backup wallet.  And both can be seized after finding evidence of you using them in the blockchain or on your computer and then liberally applying a hammer to your non-dominant hand.

Sorry, I didn't mean that they cannot be seized by any type of government.
Mine isn't running a torture camp in Guantanamo - applying a hammer to my head would be illegal where I live.
Plus then I'd most definitely forget it

[gmaxwell]

Sorry, I didn't mean that they cannot be seized by any type of government.
Mine isn't running a torture camp in Guantanamo - applying a hammer to my head would be illegal where I live.
Plus then I'd most definitely forget it

Hand, not head, for that reason!   (also, hitting people in the head tends to make them unconscious and then they can't answer. Hitting them in the hand is very painful but leaves them able to talk.)

Especially if you're not worried about torture-- use encryption! it also resists seizure in just the same way-- but: it works like a salted password hash stored privately. O(N*M) work to try N passwords for M people, and to even start you must steal a copy of the private data which you have hopefully not posted in a public database.  If you want to generate it securely and _also_ attempt to memorize it, sure knock yourself out, an extra backup doesn't hurt.

[piotr_n]

You seem to have ignored my point that a brainwallet is equivalent to storing an unsalted password hash in a public database. Do you consider that incompetent security?

Of course, a randomly generated and then password-encrypted wallet is by definition more secure than a brain wallet made by the same password.

But then you come back to the problem of choosing the secure password, don't you?
Which brings you back to the point that you need to learn about choosing secure passwords.
And after you learn to choose passwords that are secure enough, you might just as well use brain-only solution.

[gmaxwell]

But then you come back to the problem of choosing the secure password, don't you?
Which brings you back to the point that you need to learn about choosing secure passwords.

Ah ha, but no-- the requirements for the password security are much lower.

With a brainwallet, the moment you use it everyone in the world can begin cracking it-- in parallel with all other keys they are cracking at no extra cost.  They can also apply precomputed rainbow tables to try may of the passwords they tested in the past against it-- at low cost. They also can see the bounty attached to it.

If a wallet is encrypted it has a salt and (hopefully) an expensive KDF. The attacker cannot attack multiple files in parallel. If the whole wallet is encrypted, they don't know what their payoff will be and most importantly they can't even begin cracking until they get the file.  The security becomes multi-factor: You must have the file and the passphrase.  Theft of the file may also be noticed, giving you time to react.

So if your passphrase is a little weaker than you intended it to be-- there is likely no great harm.