BADecker (OP)
Legendary
Offline
Activity: 3976
Merit: 1382
|
|
January 27, 2014, 04:49:52 PM |
|
The basics about how to generate a strong password/passphrase using a random character generator.
You start with a program that can generate random characters. The scripting for a simple html page that uses javascript to generate a list of 10,000 random characters is listed below.
You generate a list of at least 10,000 random characters. Inside this list of random characters, you select a group of consecutive characters as your password. Here is a potential password taken from a real randomly generated character list:
ySpx2DtPFqAUY5Bxkn7VNdESw5Q4skZPZ9UlGjgJ19CQpfIerebOKxCMe3H4pF
The password can be any length. Usually, the longer the password, the better safety you have.
Now, how do you remember the password? You do it by making a password key. A simple password key for the above password might be "ySpx262". The first 5 characters of this password key are the first 5 characters of the password. The "62" at the end of the key indicates that there are 62 characters in the password. There are many other ways for making password keys. Use your imagination.
You have saved the list of 10,000 random characters in a text file. You have made many copies of this file, and even printed out paper copies. You are making sure that you always have backups of your password available.
To get your password from the list using your password key, you search the computer or paper file for the first 5 characters of your key: "ySpx2". Then you simply count out a total of 62 characters to find your password. Copy and paste the password (or type it if it is on a paper list), and you have it.
The odds are great that nobody will be able to guess your password out of the 10,000 characters, if they happen to find your random character file. And it is even more difficult because they don't know how many characters long it might be. Yet, you can always find your password easily from the simple key... a key that you can easily memorize, or one that you can hide on a slip of paper behind the closet door, etc. Even if someone found the key, they wouldn't know how or where to use it - what its purpose was.
There are simpler ways to make the random character than the generator script below, using arrays, for example. This script may not work with some older browsers because javascript has evolved over the years.
-------------------- THE HTML CODE
<html>
<head>
<script type="text/javascript">
// Holds the generated list of characters.
var characters = '';

// Button handler: clear the text box, then generate a fresh list.
function calc3() {
  characters = "";
  document.validate.activegenerate.value = characters;
  calc1();
}

// Append random characters until there are 10,000 of them.
// newchar is drawn from 1..70; the values 63..70 match no branch below,
// so the loop draws again without counting that attempt.
// Note: Math.random() is not a cryptographically secure generator.
function calc1() {
  var i = 0;
  var newchar = 0;
  while (i < 10000) {
    newchar = Math.floor((Math.random() * 70) + 1);
    // Lowercase letters: 1..26
    if (newchar == 1) { characters += "a"; i++; }
    if (newchar == 2) { characters += "b"; i++; }
    if (newchar == 3) { characters += "c"; i++; }
    if (newchar == 4) { characters += "d"; i++; }
    if (newchar == 5) { characters += "e"; i++; }
    if (newchar == 6) { characters += "f"; i++; }
    if (newchar == 7) { characters += "g"; i++; }
    if (newchar == 8) { characters += "h"; i++; }
    if (newchar == 9) { characters += "i"; i++; }
    if (newchar == 10) { characters += "j"; i++; }
    if (newchar == 11) { characters += "k"; i++; }
    if (newchar == 12) { characters += "l"; i++; }
    if (newchar == 13) { characters += "m"; i++; }
    if (newchar == 14) { characters += "n"; i++; }
    if (newchar == 15) { characters += "o"; i++; }
    if (newchar == 16) { characters += "p"; i++; }
    if (newchar == 17) { characters += "q"; i++; }
    if (newchar == 18) { characters += "r"; i++; }
    if (newchar == 19) { characters += "s"; i++; }
    if (newchar == 20) { characters += "t"; i++; }
    if (newchar == 21) { characters += "u"; i++; }
    if (newchar == 22) { characters += "v"; i++; }
    if (newchar == 23) { characters += "w"; i++; }
    if (newchar == 24) { characters += "x"; i++; }
    if (newchar == 25) { characters += "y"; i++; }
    if (newchar == 26) { characters += "z"; i++; }
    // Uppercase letters: 27..52
    if (newchar == 27) { characters += "A"; i++; }
    if (newchar == 28) { characters += "B"; i++; }
    if (newchar == 29) { characters += "C"; i++; }
    if (newchar == 30) { characters += "D"; i++; }
    if (newchar == 31) { characters += "E"; i++; }
    if (newchar == 32) { characters += "F"; i++; }
    if (newchar == 33) { characters += "G"; i++; }
    if (newchar == 34) { characters += "H"; i++; }
    if (newchar == 35) { characters += "I"; i++; }
    if (newchar == 36) { characters += "J"; i++; }
    if (newchar == 37) { characters += "K"; i++; }
    if (newchar == 38) { characters += "L"; i++; }
    if (newchar == 39) { characters += "M"; i++; }
    if (newchar == 40) { characters += "N"; i++; }
    if (newchar == 41) { characters += "O"; i++; }
    if (newchar == 42) { characters += "P"; i++; }
    if (newchar == 43) { characters += "Q"; i++; }
    if (newchar == 44) { characters += "R"; i++; }
    if (newchar == 45) { characters += "S"; i++; }
    if (newchar == 46) { characters += "T"; i++; }
    if (newchar == 47) { characters += "U"; i++; }
    if (newchar == 48) { characters += "V"; i++; }
    if (newchar == 49) { characters += "W"; i++; }
    if (newchar == 50) { characters += "X"; i++; }
    if (newchar == 51) { characters += "Y"; i++; }
    if (newchar == 52) { characters += "Z"; i++; }
    // Digits: 53..62
    if (newchar == 53) { characters += "0"; i++; }
    if (newchar == 54) { characters += "1"; i++; }
    if (newchar == 55) { characters += "2"; i++; }
    if (newchar == 56) { characters += "3"; i++; }
    if (newchar == 57) { characters += "4"; i++; }
    if (newchar == 58) { characters += "5"; i++; }
    if (newchar == 59) { characters += "6"; i++; }
    if (newchar == 60) { characters += "7"; i++; }
    if (newchar == 61) { characters += "8"; i++; }
    if (newchar == 62) { characters += "9"; i++; }
  }
  document.validate.activegenerate.value = characters;
}
</script>
</head>
<body>
<table ALIGN=CENTER BORDER CELLSPACING=0 CELLPADDING=10 WIDTH="80%">
<tr> <td>
<form name="validate">
<input onClick="return calc3()" type="button" name="" value="Click to create the character content in the box.">
<center><textarea name="activegenerate" id="activegenerate" cols=80 rows=15 wrap="hard"></textarea></center>
</form>
</td> </tr>
</table>
</body>
</html>
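An added example, not part of the original post: the same 62-symbol list drawn from the platform's cryptographic random source instead of Math.random(), using rejection sampling so every symbol is equally likely, plus a frequency count that shows whether any symbol is missing from the output. The names `randomCharacters` and `symbolCounts` are hypothetical; the code assumes Node or a current browser.

```javascript
// Added example (not the original poster's script).
// Web Crypto is a global in current browsers and Node; older Node exposes it
// as require('node:crypto').webcrypto.
const rng = globalThis.crypto ?? require('node:crypto').webcrypto;

const ALPHABET =
  'abcdefghijklmnopqrstuvwxyz' +
  'ABCDEFGHIJKLMNOPQRSTUVWXYZ' +
  '0123456789';

// Return `count` characters chosen uniformly from `alphabet`.
function randomCharacters(count, alphabet = ALPHABET) {
  // Bytes run 0..255. Keep only bytes below the largest multiple of the
  // alphabet size (248 for 62 symbols); folding the rest in with % would
  // make the first few symbols slightly more likely (modulo bias).
  const limit = 256 - (256 % alphabet.length);
  const buf = new Uint8Array(1024);
  const out = [];
  while (out.length < count) {
    rng.getRandomValues(buf);
    for (const b of buf) {
      if (b < limit && out.length < count) out.push(alphabet[b % alphabet.length]);
    }
  }
  return out.join('');
}

// Count how often each symbol occurs. A symbol absent from 10,000 characters
// points to a mistake in the symbol table, not to bad luck.
function symbolCounts(text) {
  const counts = new Map();
  for (const ch of text) counts.set(ch, (counts.get(ch) ?? 0) + 1);
  return counts;
}

const list = randomCharacters(10000);
const counts = symbolCounts(list);
const missing = [...ALPHABET].filter((ch) => !counts.has(ch));
console.log(list.slice(0, 62));
console.log('distinct symbols:', counts.size, 'missing:', missing.join('') || 'none');
```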
|
|
|
|
xDan
|
|
January 27, 2014, 05:21:53 PM |
|
but you probably shouldn't use that for a brainwallet or a private key.
|
HODLing for the longest time. Skippin fast right around the moon. On a rocketship straight to mars. Up, up and away with my beautiful, my beautiful Bitcoin~
|
|
|
jongameson
Member
Offline
Activity: 84
Merit: 10
|
|
January 27, 2014, 06:17:36 PM |
|
Encrypt something everybody knows like, take pi-billion.txt (pi to a billion places) then do a sha256sum on it. Bingo, there's your brainwallet key!!
|
|
|
|
hilariousandco
Global Moderator
Legendary
Offline
Activity: 3990
Merit: 2717
|
|
January 27, 2014, 06:22:32 PM |
|
The length/strength of your password won't mean shit if you've got a keylogger.
|
|
|
|
Bostonbitcoin
Member
Offline
Activity: 70
Merit: 10
|
|
January 27, 2014, 06:27:56 PM |
|
The length/strength of your password won't mean shit if you've got a keylogger.
That's excellent, I've had 1000 coins on Mt Gox for a while with password 12345 which someone told me was bad, I've now changed the password to ySpx262. I understand perfectly, thank you. Seriously, good post, thanks
|
|
|
|
BADecker (OP)
Legendary
Offline
Activity: 3976
Merit: 1382
|
|
January 27, 2014, 06:28:29 PM |
|
The length/strength of your password won't mean shit if you've got a keylogger.
Thank Goodness that you can do all your Bitcoining offline. If you don't have enough sense to protect your computer from hacking... well, it's your own fault.
|
|
|
|
BADecker (OP)
Legendary
Offline
Activity: 3976
Merit: 1382
|
|
January 27, 2014, 06:29:59 PM |
|
The length/strength of your password won't mean shit if you've got a keylogger.
That's excellent, I've had 1000 coins on Mt Gox for a while with password 12345 which someone told me was bad, I've now changed the password to ySpx262. I understand perfectly, thank you. Seriously, good post, thanks
Ha, ha, ha, chuckle, chuckle, snicker, snicker!
|
|
|
|
Phrenico
Member
Offline
Activity: 75
Merit: 10
|
|
January 27, 2014, 06:44:42 PM |
|
The odds are great that nobody will be able to guess your password out of the 10,000 characters, if they happen to find your random character file. And it is even more difficult because they don't know how many characters long it might be.
However, if they do find the file, it will take about 10,000^2 attempts to brute force the password. That's less than 27 bits of entropy. I would print out the text for added security.
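The arithmetic behind this estimate, as an added example that is not part of the original thread: it implements the key lookup described in the first post and counts how many candidate passwords someone holding the file would have to try. The file is constructed for the demonstration (deterministic filler around the sample password quoted in the first post); `buildSampleFile`, `parseKey`, `lookup` and `substringCandidates` are hypothetical names.

```javascript
// Added example (not from the thread). Sample password quoted in the first post.
const PASSWORD = 'ySpx2DtPFqAUY5Bxkn7VNdESw5Q4skZPZ9UlGjgJ19CQpfIerebOKxCMe3H4pF';

// Constructed 10,000-character stand-in for the saved file. The filler is
// deterministic and leaves out 'y', so the key prefix occurs exactly once.
// This is sample data only, not a way to make a real list.
function buildSampleFile(total = 10000, offset = 4321) {
  const filler = 'abcdefghijklmnopqrstuvwxzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
  let state = 12345, out = '';
  while (out.length < total - PASSWORD.length) {
    state = (state * 48271) % 2147483647;
    out += filler[state % filler.length];
  }
  return out.slice(0, offset) + PASSWORD + out.slice(offset);
}

// "ySpx262": the first 5 characters are the search prefix, the rest is the length.
function parseKey(key) {
  return { prefix: key.slice(0, 5), length: Number(key.slice(5)) };
}

// The retrieval step: find the prefix, then count out `length` characters.
function lookup(file, key) {
  const { prefix, length } = parseKey(key);
  const hits = [];
  for (let at = file.indexOf(prefix); at !== -1; at = file.indexOf(prefix, at + 1)) {
    hits.push(file.slice(at, at + length));
  }
  return hits;
}

// Every (start, length) pair in an n-character file is one candidate password.
function substringCandidates(n) {
  return (n * (n + 1)) / 2;
}

const file = buildSampleFile();
console.log('found with key:', lookup(file, 'ySpx262')[0] === PASSWORD);
console.log('file found, key unknown:', Math.log2(substringCandidates(file.length)).toFixed(1), 'bits');
console.log('upper bound 10,000^2:', Math.log2(10000 ** 2).toFixed(1), 'bits');
console.log('file not found:', (PASSWORD.length * Math.log2(62)).toFixed(1), 'bits');
```

The exact count of (start, length) pairs is about half of 10,000^2, so both figures stay under 27 bits, while the same 62 characters are worth far more when the file itself is not available to the guesser.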
|
|
|
|
BADecker (OP)
Legendary
Offline
Activity: 3976
Merit: 1382
|
|
January 27, 2014, 06:52:43 PM |
|
The odds are great that nobody will be able to guess your password out of the 10,000 characters, if they happen to find your random character file. And it is even more difficult because they don't know how many characters long it might be.
However, if they do find the file, it will take about 10,000^2 attempts to brute force the password. That's less than 27 bits of entropy. I would print out the text for added security.
I really wanted to use Auntie's middle name...
|
|
|
|
porcupine87
|
|
March 13, 2014, 01:31:16 AM |
|
encrypt something everybody knows like, take pi-billion.txt (pi to a billion places) then do a sha256sum on it bingo, there's your brainwallet key!!
Interesting idea. Just remember a number like 20031980 (which seems to be your birthday) and take the first 20031980 numbers to make a sha256. But if the attacker knows your strategy, you are fucked.
|
"Morality, it could be argued, represents the way that people would like the world to work - whereas economics represents how it actually does work." Freakonomics
|
|
|
cbeast
Donator
Legendary
Offline
Activity: 1736
Merit: 1014
Let's talk governance, lipstick, and pigs.
|
|
March 13, 2014, 02:11:03 PM |
|
Everyone talks about dictionary attacks, so fool them with a thesaurus.
|
Any significantly advanced cryptocurrency is indistinguishable from Ponzi Tulips.
|
|
|
bitcoiner49er
|
|
March 13, 2014, 02:31:25 PM |
|
During a recent password audit, it was found that a blonde was using the following password: "Mickey Minnie Pluto Huey Louie Dewey Donald Goofy Sacramento" When asked why she had such a long password, she said she was told that it had to be at least 8 characters long and include at least one capital.
|
Homo doctus is se semper divitias habet
|
|
|
jbrnt
|
|
March 13, 2014, 03:15:31 PM |
|
During a recent password audit, it was found that a blonde was using the following password: "Mickey Minnie Pluto Huey Louie Dewey Donald Goofy Sacramento" When asked why she had such a long password, she said she was told that it had to be at least 8 characters long and include at least one capital.
I like this one, put a smile on my face
|
|
|
|
|