Mental Bitcoin Wallet: I have real bitcoins stored in my head.

[netrin]

...or the last letter of every line. Assume every page of this book is a potential key and you don't write anything down at all. History is littered with similarly cracked methods. No matter your method, if you can't trust your friends, family or self, your bitcoins will die with you.

[1713286529]

1713286529

[1713286529]

1713286529

[1713286529]

1713286529

[1713286529]

1713286529

[jtimon]

...or the last letter of every line. Assume every page of this book is a potential key and you don't write anything down at all. History is littered with similarly cracked methods. No matter your method, if you can't trust your friends, family or self, your bitcoins will die with you.

Yes, but if your family doesn't know what your printed QR-code in your drawer is, your bitcoins are also going to disappear if you die.

[netrin]

Yes, but if your family doesn't know what your printed QR-code in your drawer is, your bitcoins are also going to disappear if you die.

Exactly. I think a memorized 'travel wallet' is perfectly fine. But one really needs to print a deterministic 'savings wallet' and including it in the will (or a ceramic piggie bank).

[Boussac]

Yes, but if your family doesn't know what your printed QR-code in your drawer is, your bitcoins are also going to disappear if you die.

I kind of like the idea that the bitcoins disappear with their owner: it's like a donation to the bitcoin community since the value of the remaining bitcoins is increased in proportion of the lost coins.
That's the beauty of a limited money supply combined with infinite divisibility.

[JoelKatz]

83 posts and only one post about how using this method can lose all your bitcoins because the change gets sent to a different address that gets stored in the wallet.dat that is generated when using the paper/wetware-stored key in the client. 

Or is that just FUD, 'cause it seems an important detail and shouldn't be glossed over.  How about a disclaimer at the top of the thread like: Warning using this technique improperly, even once, could result in a loss of all your bitcoins

Am I totally off base here?  It seems rather scary to attempt this technique with any large amount of btc.

The technique is only appropriate for holding coins to be transferred whole. Once the coins are claimed, they are no longer stored in a "mental wallet", period.

[netrin]

The technique is only appropriate for holding coins to be transferred whole. Once the coins are claimed, they are no longer stored in a "mental wallet", period.

That is true for the current implementation of the C++ client, which, considering it's still beta is not a trivial point. Alternate change output is an unintuitive hack which fails to create anonymity but successfully creates confusion and lost coins.

EDIT: Demonstrating the point are 3 of 4 posters on this page with a presumably static bitcoin address in their signature.

[FreeMoney]

EDIT: Demonstrating the point are 3 of 4 posters on this page with a presumably static bitcoin address in their signature.

Are you saying that sending change to a fresh address is useless because some people will publicly announce their address and reuse it?

[JoelKatz]

EDIT: Demonstrating the point are 3 of 4 posters on this page with a presumably static bitcoin address in their signature.

Are you saying that sending change to a fresh address is useless because some people will publicly announce their address and reuse it?

I think his point is that people will continue to use the same receiving address even after they've transferred some coins from it, leaving some coins at their known account and some at various accounts unknown to them. This makes it very hard for human beings to know what they need to protect in order to be assured of not losing their coins.

[netrin]

I think his point is that people will continue to use the same receiving address even after they've transferred some coins from it (Clearly), leaving some coins at their known account and some at various accounts unknown to them (Ideally, not by default). This makes it very hard for human beings to know what they need to protect in order to be assured of not losing their coins (Bingo).

I think he applauds the mental bitcoin idea. He's only bitching that the 'might lose coins after spending' problem is a problem with the client, not with mental bitcoin wallets. Rather than warn people about the numerous ways they might lose coins after sending, the client might instead return change to the sending address by default, just as anyone would intuitively expect.

EDIT: Demonstrating the point are 3 of 4 (4 of 5) posters on this page with a presumably static bitcoin address in their signature.

Are you saying that sending change to a fresh address is useless because some people will publicly announce their address and reuse it (and it does not provide the originally intended anonymity anyway)?

In order for mental bitcoin wallets to be well supported, standard clients will need to (a) return change to the same address or (b) deterministic wallets where the 'key' is really a seed or (c) some other brilliant yet unknown to me feature or (d) continually explain the 100 key pool problem to users after they've lost their fortune polish bitomat style.

[jtimon]

Yes, but if your family doesn't know what your printed QR-code in your drawer is, your bitcoins are also going to disappear if you die.

Exactly. I think a memorized 'travel wallet' is perfectly fine. But one really needs to print a deterministic 'savings wallet' and including it in the will (or a ceramic piggie bank).

You're right.
For the piggie bank you can leave precise instructions so family can redeem the bitcoins.

[luv2drnkbr]

casascius, is there any way you could compile a Windows binary for your bitcoin address utility.  :-D  I am not a techie, and although I MIGHT be able to figure out how to compile it myself, there's a good chance I'd fuck it up.  Similarly, I have to wait until bitcoin v0.4 comes out before I can take advantage of the import/export private keys patch (assuming it's included in that build).  But when the official client does have the capability to import new keys, having your program so that I could create addresses out of my own password would be very very handy!  I'm just not enough of a computer guy to do it myself--even though I see that the ability is out there...

[casascius]

Sure.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

btcaddress.zip SHA256 hash: 6475b20ab235ea685b73ef117283aaf0c8d9f021dd0a3434dfc6e7ab7f0da3d5

http://www.casascius.com/btcaddress.zip
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iQEcBAEBAgAGBQJObU1dAAoJEFou6PHxF1ojUqIIAInIKSS8aitXDHANGtBfeQbi
SUejbeqsiVtLZsPzSeC4jdWCYfOSXfAMbo0Lg3IXMgHLZjlJCTSK7tRElMwBYAwm
zscUPpJnA7mv9fziAZjAzcluJ+WMuHiINvZeiTWEFVhZdSXnWdm1T1kLO7gJdjww
4wVD+fiZJkTqi6Asgs0nreDDNTv051e+U9gnEkBfB+k8kJedFiUGsmiFQZGyPTVd
lnRMursoWX9wHnZ6C/7xsJKf/nW6++9Y8YIVHdjiMvC6UE/Ai7Pi6vh2BQNSEatk
iazs6w7htVcUlo0OMX1AxTN1R4JDNHak6F/ueEOgOZEeyaMDjoECj7tlPFM532A=
=xzg7
-----END PGP SIGNATURE-----

[luv2drnkbr]

Sure.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

btcaddress.zip SHA256 hash: 6475b20ab235ea685b73ef117283aaf0c8d9f021dd0a3434dfc6e7ab7f0da3d5

http://www.casascius.com/btcaddress.zip
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iQEcBAEBAgAGBQJObU1dAAoJEFou6PHxF1ojUqIIAInIKSS8aitXDHANGtBfeQbi
SUejbeqsiVtLZsPzSeC4jdWCYfOSXfAMbo0Lg3IXMgHLZjlJCTSK7tRElMwBYAwm
zscUPpJnA7mv9fziAZjAzcluJ+WMuHiINvZeiTWEFVhZdSXnWdm1T1kLO7gJdjww
4wVD+fiZJkTqi6Asgs0nreDDNTv051e+U9gnEkBfB+k8kJedFiUGsmiFQZGyPTVd
lnRMursoWX9wHnZ6C/7xsJKf/nW6++9Y8YIVHdjiMvC6UE/Ai7Pi6vh2BQNSEatk
iazs6w7htVcUlo0OMX1AxTN1R4JDNHak6F/ueEOgOZEeyaMDjoECj7tlPFM532A=
=xzg7
-----END PGP SIGNATURE-----

Words cannot describe how grateful I am, so here's a picture accurately representing it.

[PrintCoins]

Assuming a dumb user who uses a simple password (this is always a starting condition for designing any system) this means that when they pick their bad password, they will eventually lose all their money to someone who just brute forces it.

I could see just using a large random alphanumeric string for the seed for the wallet, so in essence a user could just copy their entire wallet by just copying that string.

You could have a client that when it starts up it generates the string, or asks if you already have one. At that point, bang, you have any number of addresses at your disposal. If you want to backup, all you need is the seed string for the client. If you want to move (or keep in sync) with another client, you just copy the string into it. A client could handle multiple wallets, each with their own string. Your wife and you (or a group of people in an organization) could share a joint wallet that both have the same string, but you would each also have your individual wallets.

Your wallet becomes a minuscule line of text. The only thing that might add some weight is if you use an address book.

[phillipsjk]

Assuming a dumb user who uses a simple password (this is always a starting condition for designing any system) this means that when they pick their bad password, they will eventually lose all their money to someone who just brute forces it.

This is a valid concern, even for the example passphrases given.

If the passphrase has ever been published on the Internet, it may cost a suprisingly small amount to determine if any substrings on the the Internet (of limited complexity) correspond to a public address in the block-chain when hashed. If you use a dictionary word, you have no chance: it does not take any special hardware to check.

You only need 3 things:

• The ability to buy CPU time.
  
• The ability to break the problem into small parts.
  
• Access to a copy of the Internet. (The block chain is easy to get a copy of.)
  

Now the SHA-2 function is likely expenive enough, as is the address conversion, that simple queries will likely cost more than $100. However, I would be surprised it the cost rose more than an order of magnitude larger (Read: $10,000 budget, not including coding time).

[PrintCoins]

Assuming a dumb user who uses a simple password (this is always a starting condition for designing any system) this means that when they pick their bad password, they will eventually lose all their money to someone who just brute forces it.

This is a valid concern, even for the example passphrases given.

If the passphrase has ever been published on the Internet, it may cost a suprisingly small amount to determine if any substrings on the the Internet (of limited complexity) correspond to a public address in the block-chain when hashed. If you use a dictionary word, you have no chance: it does not take any special hardware to check.

You only need 3 things:

• The ability to buy CPU time.
  
• The ability to break the problem into small parts.
  
• Access to a copy of the Internet. (The block chain is easy to get a copy of.)
  

Now the SHA-2 function is likely expenive enough, as is the address conversion, that simple queries will likely cost more than $100. However, I would be surprised it the cost rose more than an order of magnitude larger (Read: $10,000 budget, not including coding time).

That is why the passcode itself shouldn't be something the user created, and is some very long string. Though this isn't a mental bitcoin wallet, it makes for a very easy to copy, sync, backup, and even printout and archive wallet.

Just for fun I may eventually take a common top 1000 passwords list create addresses based up them, and see if they ever pop up as being funded.

[bitjet]

If the blockchain gets any bigger you might get a nose bleed!

[cbeast]

If the blockchain gets any bigger you might get a nose bleed!

Then your head explodes.