Bitcoin Forum
Author Topic: A Proposal for Brainwallets (v2)  (Read 3219 times)
spin (Sr. Member)
July 01, 2014, 03:00:26 PM  #21

Someone has taken them
19aREH3jaDba1xt14zhaUvzyAhzphdAwJN

http://1209k.com/brainv2/

Lol, that was silly.

jonald_fyookball (Legendary)
July 01, 2014, 04:45:20 PM (last edit: July 01, 2014, 05:15:30 PM by jonald_fyookball)  #22

I agree it would be unethical to promote this method and I do not doubt many have screwed themselves. So if anyone is reading this, I am merely discussing the possibilities, not endorsing human-chosen randomness.

At the same time, it kind of seems like an insult to human creativity to suggest we can't come up with unique phrases.

Something like "budwhacker beaver and Tim jones had a conversation with captain despond about the lollipop mugshankery and the BOX of why everythinggg vinyl 4017"

It can even rhyme if you want it to:

"frick-frack newfangled clamshack tishnyiak the fishman cried
my poor lady in red died bee-cause bell made me yell for
my poor grandma maybelle SLIDER mc-chachagagaya ooo 355"

While you can't measure it, it seems hard to believe that either of those phrases has less than 128 bits of entropy, especially the latter because of its length.

Triffin (Sr. Member)
July 02, 2014, 12:05:44 AM (last edit: July 02, 2014, 12:30:33 AM by Triffin)  #23

Go easy on me because I haven't understood 95% of this thread.

But I do know that if Bitcoin and its offspring are ever going to go mainstream for the average Joe non-technical user (me), the wallet security issue has to be resolved one way or another without requiring the owner to engage in numerous incomprehensible steps to guarantee 'security'..

I do know that a functional wallet must

1) Not reside on the owner's local computer (hard drive crashes/keyloggers/viruses)
2) Be a 'hot' wallet for easy 'coin' transactions, both 'send' and 'receive'
3) Be suitable for 'cold' storage
4) Feature one-'click' download and self-install
5) Be capable of handling multiple 'coins'

You folks are the experts and understand the ways various security features can be defeated..
But.. the whole process needs to be orders of magnitude 'dumbed' down for mass utility..
It's got to have the perceived utility and security? of the typical online brokerage account..

In my limited (less than 2 years) exposure to cryptocurrency, the NXT wallet is the closest to what I think is needed, and I'm sure that it has several security issue flaws (though I have no idea what they may be) that would make it a less than 'perfect' solution..

Thanks for listening..

Triff..

jonald_fyookball (Legendary)
July 02, 2014, 12:38:59 AM  #24

Brain wallets are a somewhat advanced topic, but there are many user-friendly wallets. See Electrum.

bluemeanie1 (Sr. Member)
July 02, 2014, 12:45:55 AM  #25

Key stretching does nothing to improve entropy, which is the real problem with so-called brainwallets.
It is simply impossible to have a human-chosen passphrase as a secure key, no matter how you do it.
A high-entropy passphrase will almost certainly be very difficult to memorise for a human.

While that is true, attackers do not have unlimited resources and there are some situations where people really like brain wallets.  I wouldn't say it is appropriate for many use cases, but I'd say it is for some.

You're absolutely correct.

Beefing up the hash function will make it considerably more difficult to enumerate passphrases and crack the brain wallet. It is possible to make a mnemonic passphrase that is nearly impossible to crack in this scenario - just don't use simple and plain NL text.

E.g., it's best to think up some method to include numbers in the passphrase, so take some memorable English text

"The common curse of mankind, - folly and ignorance", and find some way to include numbers that is easy to remember

"1The 2common 3curse 4of 5mankind, - 6folly 7and 8ignorance" and maybe an additional way to include special characters

"1The% 2common% 3curse% 4of% 5mankind%, - 6folly% 7and% 8ignorance%"

and you have a brainwallet with fairly good security.

-bm

gmaxwell (Moderator, Legendary)
July 02, 2014, 12:49:45 AM  #26

and you have a brainwallet with fairly good security.
There are attackers that are already precisely searching patterns like this.  Every sentence in every book in your local library (much less just the memorable ones) is only about 32 bits of entropy. Scheme selection is 8 bits. The prefix template of decimal digits (assuming uniform probability, which you probably won't get with a human selecting them) is at most 26 more bits.  This is not an impressively secure scheme, though you've just convinced yourself that it is.

This is why you should not be using anything like this, the human capacity for self deception is too great.
bluemeanie1 (Sr. Member)
July 02, 2014, 12:55:08 AM  #27

and you have a brainwallet with fairly good security.
There are attackers that are already precisely searching patterns like this.  Every sentence in every book in your local library (much less just the memorable ones) is only about 32 bits of entropy. Scheme selection is 8 bits. The prefix template of decimal digits (assuming uniform probability, which you probably won't get with a human selecting them) is at most 26 more bits.  This is not an impressively secure scheme, though you've just convinced yourself that it is.

This is why you should not be using anything like this, the human capacity for self deception is too great.

You're right, it's not a good idea to use plain text from literature (my original base text is Shakespeare). Someone had their brainwallet cracked who used 'one small step for man one great leap for mankind'. So yes, you should use something that is personally memorable but not universally identifiable. The technique I suggested, though, makes it virtually impossible to crack with any known NL processing technique, and fairly easy to remember.

Plain text Shakespeare is absolutely not a good idea.

-bm


gmaxwell (Moderator, Legendary)
July 02, 2014, 12:59:26 AM  #28

The technique I suggested
Is _already_ modeled by existing cracking software: They already try thousands of schemes like adding characters before and after the words in input phrases.

You are taking a bet that the cracker's parametrization of likely modifications won't include yours, but the community of attackers spends in total more than your _lifetime_ in time thinking about this problem every couple of years, and they have access to stolen password databases to test their theory against the behavior of a great many people. You might get lucky and choose a scheme they don't think of or that they consider too unlikely to search, or you might not, but as a user you are likely to do the likely thing, and not likely to know better.
bluemeanie1 (Sr. Member)
July 02, 2014, 01:00:59 AM  #29

Which cracking software are you referring to?

gmaxwell (Moderator, Legendary)
July 02, 2014, 01:13:43 AM  #30

which cracking software are you referring to?
E.g. JTR rules mode is a publicly available example... though there are more powerful tools which are non-public.

An example of JTR rules on the single input phrase "hello world", with the minimal default rules; there are thousands of extra rules that can be enabled, but even the default set produces a great many examples.

6hello World6
Olleh world0
World0 HELLO
Helling 8world
olleh worlD
helling dlroW
5hello dlroW
world. Olleh
HelloHello worlded
Hello0 world
5world 3hello
Dlrow Hello0
hello worlds
world7 Hello5
Hello3 World9
3hello 3world
hellohello World6
hello6 world5
Hello1 World4
Olleh world6
hello? world.
3hello world3
olleH Worlds
Hello3 7world
Hello9 world
5hello 8world
9hello world.
3hello World3
hellos dlroW
Hello9 world9
WorldWorld Hello8
olleH 3world
olleh world?
Hello5 world6
Olleh 8world
Helloed 6world
1hello World8
helloolleh world1
Hello7 worlD
Olleh World.
Hello6 1world
Hello4 World0
hellohello 1world
Hello5 wrld


Turning on some more rules:


Hello66666 Yworld
Hello07 world1111
HELLO9 world58
HelloR world1914
Hellov world15
dr.hello Qieks
Hello10 world1997
hello45 Wor1d
fqjju world1965
4hellos world1938
hellol world42
hello2012 world40
Hello222222 World14
Hello85 WORLD1
hellof World51
Hll WORLD7
Hello04 World66
Hello999999 2world
<hello> Worldy
Hello44444 world1923
Hello78 'world'
HelloC r[y'g
hello2009 World\
hello71 ld
%hello% Wor1d
Hello55 worlding
hello} World97
bluemeanie1 (Sr. Member)
July 02, 2014, 01:27:11 AM  #31


Certainly interesting, but even in my example you are very far combinatorially from what you might call *easily computable*. Remember, first they have to guess the basic passphrase, then run through each and every numbering schema, and even manage to arrive at the % special character usage. So let's say there are a few billion base passphrases that the cracker wants to cover, let's say a million numbering schemas, another million special character schemas, and let's say a thousand capitalization schemas.

That would be:

BILLION X MILLION X MILLION X THOUSAND = very large number of private keys to compute

Back to OP, so if you increase the computation required for each one of these possibilities (as you suggest), you are miles away from crackability. You might be able to enhance the security a bit by using a non-standard hashing algo (back to the commodification problem). You could even have a custom definable hashing exponent; this would make the keys even more difficult to enumerate, i.e. you pick how many times the brain wallet system hashes your basic passphrase.

It is true that a fully randomized private key is the best security by far.  If you have a large Bitcoin balance a brain wallet is simply not recommended.

-bm

bluemeanie1 (Sr. Member)
July 02, 2014, 01:33:12 AM  #32

BTW Greg, if you're into JTR I'd be interested to know how quickly it would arrive at my example.

Let's say for demonstration purposes that we already know it's Shakespeare. Even that alone would be a massive computation.

-bm

jonald_fyookball (Legendary)
July 02, 2014, 02:00:33 AM  #33

It is true that a fully randomized private key is the best security by far.  If you have a large Bitcoin balance a brain wallet is simply not recommended.

-bm


Let's choose our words carefully and differentiate between brain wallets and human chosen passphrases.
For example, Electrum can be used as a brain wallet but you cannot choose an arbitrary seed.

To me, the main problem with brain wallets is the $5 wrench, which is why I advocate stealth quick-transfer mechanisms to other wallets.


bluemeanie1 (Sr. Member)
July 02, 2014, 03:02:44 PM  #34

I gave this some thought last night-

(somewhat reiterating on what I already stated)

A very secure Brain Wallet would employ both a passphrase and a numerical exponent. The user would need to remember both the phrase and the exponent. This way they can choose the level of security. If the exponent is a variable, then the number of keys required to compute would be enormous (not to mention the number of keys the hacker would need to track). This would offer fairly good security for a mnemonic security token.

You could easily modify the Java code supplied above to perform this.



-bm

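Worked example, added here and not code from the thread or from any brainwallet project: it puts gmaxwell's entropy accounting in #26, bluemeanie1's BILLION x MILLION x MILLION x THOUSAND count in #31, and the user-chosen exponent proposal in #34 into one cost model. The attacker throughput is a constructed assumption, and PBKDF2-HMAC-SHA256 stands in for whatever stretching function the proposal would use.

```python
import hashlib
import math

# Constructed example: entropy-and-cost model for a composed brainwallet
# passphrase. Independently chosen parts contribute log2(choices) bits each.

def scheme_entropy_bits(choices_per_component):
    """Bits of entropy for a passphrase assembled from independent components,
    each drawn uniformly from n possibilities: the sum of log2(n)."""
    return sum(math.log2(n) for n in choices_per_component)

def expected_attack_seconds(bits, stretch_iterations, hashes_per_second):
    """Average brute-force time: half the keyspace on average, each guess
    costing stretch_iterations hash evaluations (the thread's 'exponent')."""
    return 2 ** (bits - 1) * stretch_iterations / hashes_per_second

def stretched_key(passphrase, iterations, salt=b"example-salt"):
    """Hypothetical stretched brainwallet key: PBKDF2-HMAC-SHA256 with a
    user-chosen iteration count standing in for the proposal's exponent."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, iterations)

def exponent_bonus_bits(plausible_exponent_values):
    """A remembered exponent only adds log2(plausible values) bits of secrecy;
    its main effect is multiplying the attacker's per-guess cost."""
    return math.log2(plausible_exponent_values)

# gmaxwell's accounting for the "1The% 2common% ..." scheme:
# ~2^32 library sentences, 2^8 schemes, at most 2^26 digit-prefix templates.
GMAXWELL_BITS = scheme_entropy_bits([2 ** 32, 2 ** 8, 2 ** 26])  # 66.0

# bluemeanie1's counts: a billion base phrases x a million numbering schemas
# x a million special-character schemas x a thousand capitalization schemas.
BLUEMEANIE_BITS = scheme_entropy_bits([10 ** 9, 10 ** 6, 10 ** 6, 10 ** 3])  # ~79.7

if __name__ == "__main__":
    rate = 1e9  # assumed attacker throughput in hashes per second (constructed)
    for label, bits in (("gmaxwell", GMAXWELL_BITS), ("bluemeanie1", BLUEMEANIE_BITS)):
        plain = expected_attack_seconds(bits, 1, rate)
        stretched = expected_attack_seconds(bits, 2 ** 16, rate)
        print(f"{label}: {bits:.1f} bits, {plain:.3g} s unstretched, "
              f"{stretched:.3g} s with 2^16 iterations")
    print("exponent drawn from 1..1000 adds", round(exponent_bonus_bits(1000), 1), "bits")
    print(stretched_key("1The% 2common% 3curse%", 2 ** 16).hex()[:16], "...")
```

The two accountings differ by about 14 bits, which is the whole disagreement in the thread; stretching multiplies the attacker's cost by the iteration count but never adds bits to the passphrase itself.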