Brain Wallet for BIP39

[timz]

I strongly do not recommend use brain wallet for most users!

All modern hardware and software cryptowallets are using BIP39 backup mnemonic phrases. But what if you can’t store this key in a safe place? What if you are living in the country where authorities may confiscate all your papers? For example on December 15,  2017 agents from the Ukrainian Security Service (SSU) confiscated approximately 305 ETH from Anatoly Kaplan, CEO of the Russian bitcoin news resource ForkLog. What if you are a refugee and could be subject to illegal rummage?

Sometime the best storage for your keys is your brain. But it is very difficult to remember 12 or 24 random words. That is why I developed Brain-to-BIP converter.

https://brain2bip.com/

Using this tool you may always restore access to your cryptocurrency with any BIP39 hardware or software wallets like Ledger, Trezor, Blockchain.info, Breadwallet, Multibit, Bitcoin Core, Jaxx, etc. Moreover the external entropy from your secret phrase is increasing security of your wallet.

Just enter your long strong secret phrase and “restore” wallet using generated BIP39 mnemonic.
Don't use short passphrases as well as popular sayings, parts of songs, poems or mantras! Use only strong passphrases you can't forget.

Enjoy and be safe.
Thank you.

[1715143049]

1715143049

[1715143049]

1715143049

[1715143049]

1715143049

[1715143049]

1715143049

[cr1776]

I didn’t try this, but it is always advisable to download something like this and use it in offline mode, perhaps with tails or the like.

Not to mention this merely adds an extra encoding layer to a brain wallet without adding much value.

[Taras]

What is so different between using a brainwallet and using a brainwallet that turns into a mnemonic phrase first? With either this website or that brainwallet generator from years ago, I can type "password" and get a functional* wallet. *Except someone is going to siphon the money out immediately. If that's the case, then your software just caused someone to lose money.

BIP39 was designed to be a bunch of random words. You've turned it back into something people can make themselves - passwords - and people are incredibly bad at making passwords. The longer you keep this application in public, the more likely it is someone will lose money because of it. This is a brainwallet, and we decided a long time ago that brainwallets were a dangerous idea and they lead to many people losing their life savings. Someone will misuse your tool eventually and lose their money. This site does not force someone to come up with a good password. BIP39 (when generated properly) does.

If BIP39 is too conspicuous looking, you can take steps to make it harder to recognize, like by using a different wordlist, or my using symbols instead of words, or by writing it somewhere (such as inbetween the pages of an outdated textbook) that it is not likely to be found.

Your website made sure that I know "password" is a weak password. Someone out there will not heed that warning for their terrible password! Please do not allow this site to even display a wallet until the password is conceivably secure.

[NITCoinOfficial]

Interesting website. The weakest security link is always that of human nature. People will use low entropy and get their funds stolen, then complain.
If you are planning to use this tool, please make sure to include uppercase, lowercase letters and symbols in unexpected places. Something like
"The First pr3$id3nt Of The U.nited S.tates is Washington." 

[Spendulus]

I strongly do not recommend use brain wallet for most users!

All modern hardware and software cryptowallets are using BIP39 backup mnemonic phrases. But what if you can’t store this key in a safe place? What if you are living in the country where authorities may confiscate all your papers? For example on December 15,  2017 agents from the Ukrainian Security Service (SSU) confiscated approximately 305 ETH from Anatoly Kaplan, CEO of the Russian bitcoin news resource ForkLog. What if you are a refugee and could be subject to illegal rummage?

Sometime the best storage for your keys is your brain. But it is very difficult to remember 12 or 24 random words. That is why I developed Brain-to-BIP converter.

https://brain2bip.com/

Using this tool you may always restore access to your cryptocurrency with any BIP39 hardware or software wallets like Ledger, Trezor, Blockchain.info, Breadwallet, Multibit, Bitcoin Core, Jaxx, etc. Moreover the external entropy from your secret phrase is increasing security of your wallet.

Just enter your long strong secret phrase and “restore” wallet using generated BIP39 mnemonic.
Don't use short passphrases as well as popular sayings, parts of songs, poems or mantras! Use only strong passphrases you can't forget.

Enjoy and be safe.
Thank you.

I suggest reading the entire history of the Bitcoin Improvement Protocol 39, where many issues were discussed. Issues including those you mention IIRC.

Thanks for doing this properly and making your source code available via GitHub.

However, the code's presentation as a web site might well induce some newbies to improperly use the web site to make their keys.

We know the problems that could cause.

[miky55]

I strongly do not recommend use brain wallet for most users!

All modern hardware and software cryptowallets are using BIP39 backup mnemonic phrases. But what if you can’t store this key in a safe place? What if you are living in the country where authorities may confiscate all your papers? For example on December 15,  2017 agents from the Ukrainian Security Service (SSU) confiscated approximately 305 ETH from Anatoly Kaplan, CEO of the Russian bitcoin news resource ForkLog. What if you are a refugee and could be subject to illegal rummage?

Sometime the best storage for your keys is your brain. But it is very difficult to remember 12 or 24 random words. That is why I developed Brain-to-BIP converter.

https://brain2bip.com/

Using this tool you may always restore access to your cryptocurrency with any BIP39 hardware or software wallets like Ledger, Trezor, Blockchain.info, Breadwallet, Multibit, Bitcoin Core, Jaxx, etc. Moreover the external entropy from your secret phrase is increasing security of your wallet.

Just enter your long strong secret phrase and “restore” wallet using generated BIP39 mnemonic.
Don't use short passphrases as well as popular sayings, parts of songs, poems or mantras! Use only strong passphrases you can't forget.

Enjoy and be safe.
Thank you.

Hi!

I think about such a brainwallet since many time now. Thank you for making it available and opensource.

I know brainwallets have very bas reputation and that human brain entropy is known to be very bad.
But I am still convince that for people like me it could be much better than keeping my mnemonic in some paper. wrtiting the mnemonic on paper is imo a really security issue, it can be lost, destructed or even stolen, but I can generate a strong passphrase between 40 or 60 chars, that will mix my child memories and other thing that could be very very personal and that I could not forget for years...

I also like to travel(even if not the best period now ) and whish to be able to get access to my crypto without carring anything on me.

So why using a brain to bip(mnemonic) and not only a standart brainwallet? it is obvious for me  I want to be able to use it one day with hardware or software bip complient wallet.

I am glad you did it, but I want to do my own for some reasons. Fisrt I need only to generate the mnemonic because I can use the bip39 for generate the seeds and if I use it on hardware or software wallet it will do it for me. And the sourcecode could be very short and understable.
Second reason if I use your tool and one day your website and git repo will be unavilable my passphrase will be useless... And if I put it on usb stick, this is also something I need to carry and could possibly be lost, destroyed...

Thats why I have some questions, what algorithm did u use to generate the mnemonic from the passphrase?

What I thaught is to do like this:

first word = sha256*10(passphrase) mod 2048
second world = sha256*10(first word) mod 2048
....
last word = hash(mnemonic)

*10 or maybe more if we want to make it harder to bruteforce...

Thank you for reading, will enjoy any feedback about this!

[o_e_l_e_o]

what algorithm did u use to generate the mnemonic from the passphrase?

On the site it explains your passphrase is hashed using SHA256, and the output is used as the entropy needed to create a BIP39 seed phrase.

Interestingly, if you look at the source code, since it is mostly lifted directly from https://iancoleman.io/bip39/, it copied across the feature to perform a SHA256 hash if you are not using the "raw entropy" option, so in reality, your passphrase is hashed twice.

https://github.com/armorybrainwallet/brain2bip/blob/master/js/index.js#L292
Here is the first section of code where it SHA256 hashes your brain passphrase to generate your entropy

https://github.com/armorybrainwallet/brain2bip/blob/master/js/index.js#L1132
And then the second section of code where it SHA256 hashes your entropy a second time

You can test all this yourself. For example:

Inputting the string "thisisatest" as a Brain Passphrase, generates the following 24 word seed phrase: couch machine virus lion good camp topic maid common plunge history love where online case chest library shuffle obvious post okay force envelope birth

If you perform a SHA256 hash on "thisisatest", you generate the following 256 bit output: a7c96262c21db9a06fd49e307d694fd95f624569f9b35bb3ffacd880440f9787
If you perform a SHA256 hash on the above number, you generate the following: 30f0b3d241164641b944302e74ddb0c23fa535c8c93c8118ee62d4599eb612f0
If you then convert that second number in to binary, you get the following (which I've split in to groupings of 11):

Code:

00110000111 10000101100 11110100100 10000010001
01100100011 00100000110 11100101000 10000110000
00101110011 10100110111 01101100001 10000100011
11111010010 10011010111 00100011001 00100111100
10000001000 11000111011 10011000101 10101000101
10011001111 01011011000 01001011110 000

You can then take each grouping of 11, convert it back in to decimal, and map it the relevant BIP39 word. 00110000111 in decimal is 391, which maps to "couch" at position 392 on the BIP39 word list (remembering to add one since your converted numbers will start at 0, whereas the word list starts at 1). 10000101100 in decimal is 1068, which maps to "machine" at position 1069. And so on.

[miky55]

You can then take each grouping of 11, convert it back in to decimal, and map it the relevant BIP39 word. 00110000111 in decimal is 391, which maps to "couch" at position 392 on the BIP39 word list (remembering to add one since your converted numbers will start at 0, whereas the word list starts at 1). 10000101100 in decimal is 1068, which maps to "machine" at position 1069. And so on.

Thank you this was very helpful, I added an iteration field which will loop sha256 before generating the mnemonic to discourage bruteforce attack, in my browser  1000000 will take approx 20 seconds to compute.

Code:

    	var hash = sjcl.hash.sha256.hash(DOM.longpassphrase.val());
    	var hex = sjcl.codec.hex.fromBits(hash);
        for (var i = 0; i < DOM.iterations.val() - 1; i++) {
            var hash = sjcl.hash.sha256.hash(hex);
            var hex = sjcl.codec.hex.fromBits(hash);
        }
    	DOM.entropy.val(hex);
    	setMnemonicFromEntropy();

[pooya87]

I added an iteration field which will loop sha256 before generating the mnemonic to discourage bruteforce attack, in my browser  1000000 will take approx 20 seconds to compute.

that does nothing not to mention that your code has a bottleneck otherwise 1 million SHA256 of a small input (passphrase) would only take half a second to complete. even if it were 20 second it still doesn't increase the security at all because the idea of using a brainwallet is flawed on its own whether it is creating a key or a mnemonic.

[miky55]

I added an iteration field which will loop sha256 before generating the mnemonic to discourage bruteforce attack, in my browser  1000000 will take approx 20 seconds to compute.

that does nothing not to mention that your code has a bottleneck otherwise 1 million SHA256 of a small input (passphrase) would only take half a second to complete. even if it were 20 second it still doesn't increase the security at all because the idea of using a brainwallet is flawed on its own whether it is creating a key or a mnemonic.

Like I said, I todly understand that human brain is very weak at making entropy compaired to the randomness of computer.

But there are imo some issues of keeping the keys or random generated mnemonics, it can be stolen, loose or destroyed. How many people did already experienced that? (I did)

We know that it is pretty much impossible to find collision in SHA256, so if I use it with my passphrase there is no other way for attacker to guess it, am I wrong?

Lets assume that I use a passphrase from my memories like "At christmas 2002 my oncle Joe came drunk for the dinner. My first girlfriend did not like french fries" and use 1000000 iterations what are the chance somebody will bruteforce it ever seriously?

I can understand that in this case 1 or 1M iterations will not really mater.

Lets now assume somebody will use with something weaker like "I like pasta with chocolate" and use iteration of 5555 wont it be fair enough that no bruteforce atack will ever solve it? I think that in this case the iteration.

In conclusion, from my experience I know I have much more chance to loose a peace of paper where I wrote the mnemonic than forgetting a long personal passphrase.

How do you guys are carring your keys or mnemonics? how can you be so confident you won't loose the access to it one day?

[HCP]

We know that it is pretty much impossible to find collision in SHA256, so if I use it with my passphrase there is no other way for attacker to guess it, am I wrong?

Yes, you are wrong, as I think you're misunderstanding what a "collision" actually is...

A collision is not someone being able to guess whatever it was you have hashed... a collision is two different values that will generate the same hash result. ie. SHA256(X) == SHA256(Y) would be a collision.


Regardless of whether or not you use SHA256, the strength of your brainwallet lies purely in how long and complicated the passphrase actually is... and generally speaking, it is simply not going to be as random and have as much entropy as a properly (randomly) generated seed/private key.

Given some of the stories that have been floating around (ie: https://www.reddit.com/r/Bitcoin/comments/1ptuf3/brain_wallet_disaster/ and https://www.reddit.com/r/Bitcoin/comments/1zti1p/17956_hacked_brainwallet_passwords/) There have been (and there probably currently are) a lot of people running all sorts of scripts and bots that generate/monitor various Bitcoin addresses that are generated from brainwallets (essentially SHA256(passphrase)).

Therefore, it is not out of the realms of possibility, that some users have also considered using something similar to generate BIP39 seeds the same way... after all, you thought of it!

"At christmas 2002 my oncle Joe came drunk for the dinner. My first girlfriend did not like french fries"

It is interesting to note that the fact that you are using 'proper' English sentence structure and grammar is already reducing the entropy... as there is a relationship and pattern to the words.

Compared with something like: "extra card place track tower violin slim window soul identify tray galaxy" where they are in no way related to each other and there is no defined structure.

[miky55]

A collision is not someone being able to guess whatever it was you have hashed... a collision is two different values that will generate the same hash result. ie. SHA256(X) == SHA256(Y) would be a collision.

Thank you, but I know what a collision is.

Given some of the stories that have been floating around (ie: https://www.reddit.com/r/Bitcoin/comments/1ptuf3/brain_wallet_disaster/ and https://www.reddit.com/r/Bitcoin/comments/1zti1p/17956_hacked_brainwallet_passwords/) There have been (and there probably currently are) a lot of people running all sorts of scripts and bots that generate/monitor various Bitcoin addresses that are generated from brainwallets (essentially SHA256(passphrase)).

Therefore, it is not out of the realms of possibility, that some users have also considered using something similar to generate BIP39 seeds the same way... after all, you thought of it!

Of course I know those stories but imo the cases are from weak passphrases, or some quote of poems, movies lyrics... And how many other stories of people loosing there keys/mnemonics???

"At christmas 2002 my oncle Joe came drunk for the dinner. My first girlfriend did not like french fries"

It is interesting to note that the fact that you are using 'proper' English sentence structure and grammar is already reducing the entropy... as there is a relationship and pattern to the words.

Compared with something like: "extra card place track tower violin slim window soul identify tray galaxy" where they are in no way related to each other and there is no defined structure.

Of course again, the grammatical structure of a phrase make it easier to guess for a well done bruteforce tool that will mix with a language AI construction. but this is the compromise of total randomness and the probability I will forget it someday... I belive evrybody have some intimate memories which are very personal and he won't forget ever. that's why my example passphrase was a mix of 2 sentences not related at all to each other. I strongly beleive that even it is in correct in english that is not the kind of passphrase that may be hacked one day.

Anyway for my real passphrase I plan to use much more intimate souvenirs and mix my 2 natives languages (how you can guess are not english)

Thanks for your answer!

[o_e_l_e_o]

How do you guys are carring your keys or mnemonics? how can you be so confident you won't loose the access to it one day?

Multiple back ups and redundancy. For my main cold storage, I have my seed phrase backed up on paper in two separate places and my passphrase backed up on paper in two separate places. Add those back ups to the actual wallet itself (which is encrypted and on a permanently offline device), then I would at a minimum need to suffer complete and simultaneous data loss in at least three geographically separate and very safe/secure locations to mean I lose access. This is incredibly more robust than having everything stored in only one place, especially a place so fragile as your brain.

I belive evrybody have some intimate memories which are very personal and he won't forget ever.

You are wrong here. There are hundreds of reasons someone might suffer memory loss, and many of them are completely unpredictable and can happen to anybody at any time with no warning. Everything from head trauma from a simple trip or fall, through to an aneurysm in your brain you didn't know existed rupturing. Even with slow onset memory loss, many people don't realize their memory is fading until they've already forgotten significant amounts of details, by which time it would probably be too late for you to access your coins. 15 million people have a stroke each year. 70 million people suffer a traumatic brain injury each year. 10 million people develop dementia each year. That's an awful lot of people with the potential for memory loss. I don't like those odds.

[miky55]

Multiple back ups and redundancy. For my main cold storage, I have my seed phrase backed up on paper in two separate places and my passphrase backed up on paper in two separate places. Add those back ups to the actual wallet itself (which is encrypted and on a permanently offline device), then I would at a minimum need to suffer complete and simultaneous data loss in at least three geographically separate and very safe/secure locations to mean I lose access. This is incredibly more robust than having everything stored in only one place, especially a place so fragile as your brain.

Yes, this are good ideas indeed, but the problem of to much redundancy is the abilty to be stolen, the places need to be really really safe and commercial safes are way to weaks. You can also have the need to get access to your funds when far from home or other place you store it.

You are wrong here. There are hundreds of reasons someone might suffer memory loss, and many of them are completely unpredictable and can happen to anybody at any time with no warning. Everything from head trauma from a simple trip or fall, through to an aneurysm in your brain you didn't know existed rupturing. Even with slow onset memory loss, many people don't realize their memory is fading until they've already forgotten significant amounts of details, by which time it would probably be too late for you to access your coins. 15 million people have a stroke each year. 70 million people suffer a traumatic brain injury each year. 10 million people develop dementia each year. That's an awful lot of people with the potential for memory loss. I don't like those odds.

You mark here some points the memory can be an issue also, there is no 100 percent magic method to have those seeds safe forever. I may part my funds in brain wallet and another one on paper with some redundancy. Imo a really long passphrase have to be test at least once a week, and of course in secure offline device.

[o_e_l_e_o]

but the problem of to much redundancy is the abilty to be stolen

Hence the beauty of a passphrase. If your seed is stolen, it is useless on its own, and if your passphrase is stolen, it is similarly useless on its own. If you want even more security then you can store your seed encrypted or even split it in to a 2-of-3 or similar secret sharing configuration.

You can also have the need to get access to your funds when far from home or other place you store it.

Then use different wallets. I have a mobile wallet I use which I simply back up with a seed written on paper in one place. It's easy to use and portable, but much higher risk of being stolen than my cold storage. But I only store a small amount of bitcoin on it compared to my main cold storage. In the same way that you have cash in your wallet, a checking account, a savings account, a credit card, you should have different bitcoin wallets for different purposes.

[HCP]

Imo a really long passphrase have to be test at least once a week, and of course in secure offline device.

Not just really long passphrases to be honest... I noted with interest that a Google Authenticator App I have been using (Aegis), will actually prompt you after a certain number of numbers to use your master password rather than the fingerprint to sign in. "It's been a while since you logged in with your password, do you still remember it"... I thought that was a great feature.

But yes, with regards to all this, it really comes down to your own personal level of risk aversion/acceptance. If you're happy with the system you've got, understand any risks involved and take appropriate steps to mitigate those risks, then you should be OK.

It's the folks who don't understand what they're getting into and don't take adequate steps to mitigate the risks that get in trouble.