Fighting brainwallets... with brainwallets!

[flatfly]

I keep seeing brainwallets getting hacked every other week. I would like to start the following little campaign to discourage the use of weak passphrases in brainwallets:

If you currently own a brainwallet that matches the below criteria, you can qualify for a nice 0.1 BTC bounty (exact amount to be confirmed) simply by transferring your funds to a strong/randomly generated brainwallet (or any other robust form of storage), and then disclosing the old (weaker) passphrase in this thread.

- passphrase length 20 characters or less.
- consisting mostly (at least 75%) of English words. 
- only 25+ BTC brainwallets will be considered.

Example: "bitcoin is awesome"   
 
Also, the funds must have stayed in the weaker brainwallet for at least 10 days to qualify.

People willing to contribute to the bounty can do so by donating to:
 1337sfeChyyzZLzdHLewXzcaAaJSNTM893

I am planning to run this campaign for the long run.

Note: Since this is quite a new idea, I reserve the right to change some of the rules during the first few weeks.

So let's give this a try!

[davout]

So you want to make some money off of that big rainbow table you just generated ? :-)

[takagari]

Great idea,

Kinda drives me nuts seeing this over and over, because some encypt's 20 grand of usd with the pass word (Myname1985) lol

[flatfly]

So you want to make some money off of that big rainbow table you just generated ? :-)

This would be the slowest way to build a rainbow table ever!

[davout]

I just had a superficial look at your passphrase utility, it sounds pretty neat!

My passphrase was generated with diceware + raspberrypi + bitcoin-ruby + copying everything with pen and paper.

I think it's really nice to make this level of security accessible to noobs too

[flatfly]

I just had a superficial look at your passphrase utility, it sounds pretty neat!

My passphrase was generated with diceware + raspberrypi + bitcoin-ruby + copying everything with pen and paper.

I think it's really nice to make this level of security accessible to noobs too

Thanks for checking it out! IMO, raising awareness of the risks associated with brainwallets is really important.

[12648430]

20 random characters typable on a regular keyboard have a little over 126 bits of entropy (electrum seeds have 128), so if you're going to do this you'll need to be strict about non-randomness of qualifying passwords.

[davout]

20 random characters typable on a regular keyboard have a little over 126 bits of entropy (electrum seeds have 128), so if you're going to do this you'll need to be strict about non-randomness of qualifying passwords.

Passwords suck, passphrases rock, they have a much better rememberability/entropy ratio.
With a 10 words passphrase you get approximately the same entropy as your 20 characters passwords and it's much easier for a human brain to remember, we're simply wired that way.
Like you said the quality of the generation process is of utmost importance.

[malevolent]

I can see this being very easily gamed, someone can generate a secure albeit not-truly-random passphrase (without using a computer or dice, per your rules); how will you determine whether or not someone wasn't actually using a computer or dice? It is very easy to generate a passphrase that will "look" random but that won't actually be random according to your definition of randomness. You should ask people to submit a lot more data to be sufficiently sure, e.g. at least several hundred passphrases (most people being poor sources of randomness, patterns would emerge).

[flatfly]

I can see this being very easily gamed, someone can generate a secure albeit not-truly-random passphrase (without using a computer or dice, per your rules); how will you determine whether or not someone wasn't actually using a computer or dice? It is very easy to generate a passphrase that will "look" random but that won't actually be random according to your definition of randomness. You should ask people to submit a lot more data to be sufficiently sure, e.g. at least several hundred passphrases (most people being poor sources of randomness, patterns would emerge).

Thanks for your remarks. I was thinking of making the criteria a little bit stricter and better defined, while keeping this as simple as possible.

I will update the first post with some additional constraints.