Brainwallet.org safe to use?

[lyth0s]

So i'm considering using a brain wallet and I was wondering if anyone can take a look at brainwallet.org 's source code and tell me if it truly is all client side javascript? I'm curious to know if the site has any way to get/use the private keys I generate there? I know I can also download the source and run it locally (which I have done), but I already used a passphrase I would like to keep on their main website.


Any advice is greatly appreciated!

Under network activity on my web browser all I see is "get" upon page loads (and no activity when i enter a passphrase), which I believe means nothing was sent to their server...not sure though

[Financisto]

Before going any further, I'd suggest that you read the discussion about using it right here: https://bitcointalk.org/index.php?topic=251037.0

For the rest, all I've got to say is: keep doing it all (address creation, transactions, storage, signing etc.) offline.

IMHO, that javascript application was meant for using offline.

EDIT: don't ever trust this implementation because they don't even use KDF.

[lyth0s]

Thank you sir

[Financisto]

Thank you sir

You're welcome.

At last, but not least: everytime you spend funds from an address, do it with all its funds.

e.g. You wanna send 2 BTC from an address funded with 3 BTC.

1) Right way to do it:

yoursendaddress: 3 BTC

BTC sent to:

receiveaddress: 2 BTC + fees

yourchangeaddress: ~ 1 BTC


2) Wrong way to do it:

yoursendaddress1: 3 BTC

BTC sent (only) to:

receiveaddres: 2 BTC

i.e. always consider the change (and fees). Because of bitcoin and its blockchain architecture, all funds from one address has to be spent as follows:

address1 (all funds) -> address2 + fees

OR

address1 (all funds) -> address2 + changeaddress + fees

Hope that explanation helps you avoiding future problems.

[lyth0s]

Would the change not automatically go back to the sending address?

[Financisto]

Can't remember by now.

But as far as I can tell, when you broadcast the transaction (generated with brainwallet app) and do not set an change address, blockchain will reject it.

[TheButterZone]

Can't not remember by now.

But as far as I can tell, when you broadcast the transaction (generated with brainwallet app) and do not set an change address, blockchain will reject it.

It used to automatically make the address you're sending from the change address, but IIRC I got errors from bc.i/pushtx when I last tried to use BW. I just went over to Electrum without looking into it. Maybe that's why.