Bitcoin Forum
Author Topic: Can I generate a brain wallet offline?  (Read 728 times)
cryptonia (OP)
June 22, 2019, 11:42:14 PM
 #1

Is there a service that will let me do this?
TryNinja
June 23, 2019, 01:56:28 AM
 #2

Yes... You can do that with Bitaddress (check the 'Brain wallet' tab). Download its source code and run offline.

But note that this generally isn't the best idea. See this.

keychainX
June 23, 2019, 01:10:17 PM
 #3

Is there a service that will let me do this?


https://brainwalletx.github.io/

go offline before you try it.

/KX

DaCryptoRaccoon
June 23, 2019, 05:20:12 PM
 #4

If you have the ability to run Python you can create your brain wallet with this.

https://github.com/arzzen/python-simple-brainwallet

Download, remove the network connection, create wallets, store them securely. Double-check them, then destroy the HD or clear it with DBAN.

o_e_l_e_o
June 23, 2019, 07:13:47 PM
 #5

-snip-
3. The human brain is an exceptionally delicate organ, and anything from a simple blow to the head to a bad case of the flu can cause problems with memory and recall, and if you can't remember your password then all your coins are lost forever (unless your password is brute forceable, in which case your coins will sooner or later be stolen). There's a reason that you are supposed to write down your 12/24 word mnemonic phrase and not solely rely on committing it to memory.
crofrihosl
September 15, 2019, 11:40:08 PM
 #6

-snip-
3. The human brain is an exceptionally delicate organ, and anything from a simple blow to the head to a bad case of the flu can cause problems with memory and recall, and if you can't remember your password then all your coins are lost forever (unless your password is brute forceable, in which case your coins will sooner or later be stolen). There's a reason that you are supposed to write down your 12/24 word mnemonic phrase and not solely rely on committing it to memory.

Are the mnemonic phrases safe?
Will it upgrade to 48/96 words in 2020?
pooya87
September 16, 2019, 03:14:55 AM
 #7

-snip-
3. The human brain is an exceptionally delicate organ, and anything from a simple blow to the head to a bad case of the flu can cause problems with memory and recall, and if you can't remember your password then all your coins are lost forever (unless your password is brute forceable, in which case your coins will sooner or later be stolen). There's a reason that you are supposed to write down your 12/24 word mnemonic phrase and not solely rely on committing it to memory.

Are the mnemonic phrases safe?
Will it upgrade to 48/96 words in 2020?

Yes, they are very safe. The smallest word count (12) comes from 128 bits of entropy, which is strong. There is no need to change this entropy strength any time soon, especially not in one year. Probably in another 50 years or more, depending on whether things are going to change in the efficiency of computing the underlying algorithms.

o_e_l_e_o
September 16, 2019, 07:48:40 AM
Merited by Welsh (4), joniboini (2), bones261 (2), vapourminer (1), ABCbits (1)
 #8

As pooya87 says, the smallest amount of entropy with a seed phrase is 128 bits, if you use a 12 word phrase. 24 word phrases give you 256 bits of entropy, which is exponentially more difficult to brute force. The reason for these numbers is that each word from the list of 2048 words corresponds to an 11 bit number. 12*11 = 132 bits, but the last 4 bits are a checksum, giving 128 bits of entropy. For 24 word phrases, 24*11 = 264, but the last 8 bits are a checksum, giving 256 bits of entropy.

Taking the smaller of these two numbers, 128 bits, gives you this many possibilities for a seed:

2^128 = 340,282,366,920,938,463,463,374,607,431,768,211,456 = 3.4*10^38

Now, think of it this way. Let's say everybody on Earth (all 7 billion people) have 1 million computers each. Each computer can check 1 million possible seed numbers per second, with no duplications in the entire world. Let's say we let all these computers check 1 million seeds per second for 1 million years. This gives the following calculation:

7 billion * 1 million * 1 million * 1 million * 365 * 24 * 60 * 60 = 2.2*10^35

So in our hypothetical experiment, even after 7000 trillion computers running for a million years, we would still only have checked somewhere in the region of 0.06% of all possible 12 word seeds.

If you are using a 24 word seed, the numbers become hilariously stupid. Something along the lines of 0.*insert 39 zeros here*2%

Only significant breakthroughs in the power of computing would necessitate a move away from this, but such breakthroughs would also affect all other services which depend on encryption, such as all online shopping and banking.
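
The bit layout and the brute-force estimate from the post above, as an added example that is not part of the original thread. It goes slightly beyond the post by also accepting the 15, 18 and 21 word lengths; the function names are this example's own, and it works with word indices because the 2048-word list is not embedded.

```python
"""Added example: how 128 or 256 bits of entropy become 12 or 24 eleven-bit
word indices, and the brute-force arithmetic from the post above.
Indices are positions in the 2048-word list; the list itself is not embedded."""
import hashlib
import secrets
from fractions import Fraction

SECONDS_PER_YEAR = 365 * 24 * 60 * 60


def word_indices(entropy):
    """Append the checksum bits to the entropy and cut the result into 11-bit indices."""
    ent_bits = len(entropy) * 8
    if ent_bits not in (128, 160, 192, 224, 256):
        raise ValueError("entropy must be 128 to 256 bits in 32-bit steps")
    cs_bits = ent_bits // 32                      # 4 bits for 12 words, 8 for 24
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    combined = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    count = (ent_bits + cs_bits) // 11            # 132 / 11 = 12, 264 / 11 = 24
    return [(combined >> (11 * (count - 1 - i))) & 0x7FF for i in range(count)]


def checksum_ok(indices):
    """Recompute the checksum from the entropy part; a mistyped word usually fails here."""
    if len(indices) not in (12, 15, 18, 21, 24):
        return False
    if any(not 0 <= i < 2048 for i in indices):
        return False
    total_bits = len(indices) * 11
    cs_bits = total_bits // 33
    combined = 0
    for index in indices:
        combined = (combined << 11) | index
    entropy = (combined >> cs_bits).to_bytes((total_bits - cs_bits) // 8, "big")
    return word_indices(entropy) == list(indices)


def fraction_searched(ent_bits, machines, seeds_per_second, years):
    """Share of the seed space covered by an exhaustive search with no duplicates."""
    tried = machines * seeds_per_second * years * SECONDS_PER_YEAR
    return Fraction(tried, 2 ** ent_bits)


if __name__ == "__main__":
    seed_entropy = secrets.token_bytes(16)        # fresh 128-bit entropy, constructed here
    indices = word_indices(seed_entropy)
    print(len(indices), "indices:", indices, "valid:", checksum_ok(indices))
    # The thought experiment from the post: 7 billion people, 1 million machines each,
    # 1 million seeds per second per machine, for 1 million years.
    machines = 7 * 10**9 * 10**6
    for bits in (128, 256):
        share = fraction_searched(bits, machines, 10**6, 10**6)
        print(f"{bits}-bit seed: {float(share) * 100:.3g}% of the space searched")
```
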
crofrihosl
September 16, 2019, 01:12:49 PM
 #9

I get it = don't waste your time

I think you're the right guy to fulfill my curiosity

for bitcoin addresses that start with 1D
Code:
1DbvVigRB6M5Nw5Ak6hGKDnzDPeCWbudqo

What are the chances of getting this address if you keep generating only addresses starting with 1D, and how many years would you need?
mocacinno
September 16, 2019, 01:25:53 PM
Merited by Welsh (4), ABCbits (3), joniboini (2), bones261 (2), o_e_l_e_o (1)
 #10

--snip--
What are the chances of getting this address if you keep generating only addresses starting with 1D, and how many years would you need?


You can't "just" generate private keys that result in an address that starts with "1D".

The private key is used to generate the public key. The public key is hashed to generate the address.
Both steps are one-directional, they cannot be reversed. You can't say: my address has to start with "1D", so i'll reverse the hash function to find all possible public keys, nor can you start with a public key and calculate the private key...

The only thing you can do is scan the complete private key space, calculate the public keys belonging to the private keys, then hash the public keys and filter out addresses starting with "1D"... This would take even more time than scanning the complete private key keyspace, calculating the public keys, hashing the public key and NOT filtering out addresses starting with "1D". Do realise that scanning the complete keyspace is ludicrous, even if you pool all computers in existence together, the earth will have ceased to exist before you can scan a significant part of the keyspace.

o_e_l_e_o
September 16, 2019, 02:21:38 PM
Merited by ABCbits (2), joniboini (2), bones261 (2), vapourminer (1)
 #11

What are the chances of getting this address if you keep generating only addresses starting with 1D, and how many years would you need?
As mocacinno says, what you are suggesting is impossible.

Think of this analogy. You have a mixed up pack of cards face down, and someone says "Pick the Queen of Hearts without turning over any other card". What you are saying is the same as saying "What if I only choose from the subset of Hearts". It is impossible for you to know which cards are the Hearts without also turning them (and many incorrect cards) over first. There is no way to "only" turn over the Hearts. All you can do is turn over random cards and hope for the best. In the same way, there is no way to "only" generate addresses starting with "1D". All you can do is generate random addresses, and see if they fit your criteria. For that reason, there is no way to narrow down your search to the address you listed. The only way to guarantee you generate that specific address is to generate every private key, which as we said, is completely impossible.

Now, if you wanted to generate ANY address which began with "1D" (and you didn't care what the other 32 characters were), then you could brute force that quite easily. There exist a number of programs (such as VanitySearch) which you can input the first few characters to an address, and they will brute force private keys until they find a match. Brute forcing 1, 2 or 3 characters is pretty trivial, but it gets exponentially more difficult with each additional character. By the time you are up to 7 or 8 characters you are looking at weeks or months depending on your hardware, and beyond that you are looking at years or decades.
crofrihosl
September 16, 2019, 02:32:12 PM
 #12

--snip--
What are the chances of getting this address if you keep generating only addresses starting with 1D, and how many years would you need?


You can't "just" generate private keys that result in an address that starts with "1D".

The private key is used to generate the public key. The public key is hashed to generate the address.
Both steps are one-directional, they cannot be reversed. You can't say: my address has to start with "1D", so i'll reverse the hash function to find all possible public keys, nor can you start with a public key and calculate the private key...

The only thing you can do is scan the complete private key space, calculate the public keys belonging to the private keys, then hash the public keys and filter out addresses starting with "1D"... This would take even more time than scanning the complete private key keyspace, calculating the public keys, hashing the public key and NOT filtering out addresses starting with "1D". Do realise that scanning the complete keyspace is ludicrous, even if you pool all computers in existence together, the earth will have ceased to exist before you can scan a significant part of the keyspace.
I have enough time with the md5 encryption, I know what you want me to understand: one way cannot be reversed.
Also I think I understand how vanity addresses work.
I thought filtering and focusing on a specific address will reduce my time and my chances will increase.

- My big problem: I can't check every address that I generate for balance or tx (0 experience with api).

- One of the methods I tried:
from a random hex64 number, extract both compressed and uncompressed private keys and finally the public address (this part very low); ran it for a day, got bored and went back to vanity addresses.


crofrihosl
September 16, 2019, 02:39:42 PM
 #13

By the time you are up to 7 or 8 characters you are looking at weeks or months depending on your hardware, and beyond that you are looking at years or decades.
By the time with vanitysearch 8 char you can find 1 match every 2 days.
vanitygen for the same result took about 13 to 14 days.

Your time will decrease depending on your cpu/ram/ssd, etc.
o_e_l_e_o
September 16, 2019, 02:45:52 PM
 #14

I thought filtering and focusing on a specific address will reduce my time and my chances will increase.
The rate limiting step is generating the addresses in the first place. For each address, you have to first generate a private key, then perform elliptical curve multiplication to get the public key, then hash that to get an address. Once you have the address, you've already done the hard part, and it is trivial then to reject addresses which don't begin with "1D".

-my big problem i can't check every address that i generate for balance or tx (0 experience with api)
I don't understand what you are trying to achieve here? Why are you generating so many addresses and looking for a balance? Are you trying to brute force access to someone else's coins? Not only is that pretty immoral, we will reach the heat death of the universe before you come close to a collision.

By the time with vanitysearch 8 char you can find 1 match every 2 days.
Depends on the characters you choose, and whether or not you choose case sensitive or insensitive. Some strings will be much easier to find than others.
crofrihosl
September 16, 2019, 02:56:00 PM
 #15

Are you trying to brute force access to someone else's coins?.
no, if i want to do that isn't easy just targeting dummy people with low diff passphrase, easy guessing password and other things...
 
Thanks for sharing your opinions.
Welsh
September 16, 2019, 03:38:19 PM
 #16

no, if i want to do that isn't easy just targeting dummy people with low diff passphrase, easy guessing password and other things...
 
Thanks for sharing your opinions.
Only if you've got physical access to their wallet file or if they're using an online wallet, which, if the latter is the case, you would likely be getting the account locked from trying to bruteforce it. I'll admit, it seems oddly specific to generate a vanity address, and check for a balance at the same time. What would be the reason for this?
bob123
September 18, 2019, 08:39:02 AM
 #17

Since i didn't see the IMO best solution to generate a brain wallet offline yet in this thread:

1. Take your 'password' and hash it using sha256. This is your private key now.
2. Convert this private key into the WIF (Wallet import format) following all steps from https://en.bitcoin.it/wiki/Wallet_import_format
3. Generate the public key and address out of this private key.


All can be done completely offline and you don't need to download a 3rd party website. Neither do you have to trust any javascript library etc.

But, please note. Brainwallets are insecure. Always. You will never be able to create a passphrase which is even close to being as random as one created by a computer.
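
The three steps from the post above carried out offline with only the Python standard library, as an added example that is not part of the original post or of any tool named in this thread. Function names and the sample passphrase are this example's own; note that the passphrase is the only input, with no salt or key stretching, so the same passphrase always yields the same key and address.

```python
"""Added example: SHA-256(passphrase) -> private key -> WIF -> public key -> address.
Function names are this example's own; the passphrase is a constructed sample."""
import hashlib

# secp256k1 curve parameters (y^2 = x^3 + 7 over the prime field P)
P = 2**256 - 2**32 - 977
N = int("FFFFFFFF" * 3 + "FFFFFFFE" + "BAAEDCE6AF48A03BBFD25E8CD0364141", 16)
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def point_add(a, b):
    """Add two curve points; None stands for the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        slope = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        slope = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (slope * slope - x1 - x2) % P
    return x3, (slope * (x1 - x3) - y1) % P


def scalar_mult(k, point=G):
    """Double-and-add multiplication. Not constant time; fine for an offline demo."""
    result = None
    while k:
        if k & 1:
            result = point_add(result, point)
        point = point_add(point, point)
        k >>= 1
    return result


def base58check(payload):
    """Base58 with a 4-byte double-SHA-256 checksum appended."""
    data = payload + hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    number, text = int.from_bytes(data, "big"), ""
    while number:
        number, rem = divmod(number, 58)
        text = B58[rem] + text
    return "1" * (len(data) - len(data.lstrip(b"\x00"))) + text


def private_key_from_passphrase(passphrase):
    """Step 1: the SHA-256 digest of the passphrase is the private key."""
    key = hashlib.sha256(passphrase.encode("utf-8")).digest()
    if not 0 < int.from_bytes(key, "big") < N:
        raise ValueError("digest is outside the valid secp256k1 key range")
    return key


def to_wif(key, compressed=False):
    """Step 2: version byte 0x80, the key, optional 0x01 flag, then Base58Check."""
    return base58check(b"\x80" + key + (b"\x01" if compressed else b""))


def public_key(key, compressed=False):
    """Step 3a: multiply the generator point by the private key."""
    x, y = scalar_mult(int.from_bytes(key, "big"))
    if compressed:
        return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")
    return b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")


def address(pubkey):
    """Step 3b: RIPEMD-160(SHA-256(pubkey)) with version byte 0x00, Base58Check.
    RIPEMD-160 comes from OpenSSL and is missing from some Python builds."""
    h160 = hashlib.new("ripemd160", hashlib.sha256(pubkey).digest()).digest()
    return base58check(b"\x00" + h160)


if __name__ == "__main__":
    key = private_key_from_passphrase("constructed sample passphrase, do not fund")
    pub = public_key(key)
    print("private key:", key.hex())
    print("WIF        :", to_wif(key))
    print("public key :", pub.hex())
    try:
        print("address    :", address(pub))
    except ValueError:
        print("address    : this Python build has no RIPEMD-160")
```
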

koch44
September 18, 2019, 09:21:15 AM
 #18

I get it = don't waste your time

I think you're the right guy to fulfill my curiosity

for bitcoin addresses that start with 1D
Code:
1DbvVigRB6M5Nw5Ak6hGKDnzDPeCWbudqo

What are the chances of getting this address if you keep generating only addresses starting with 1D, and how many years would you need?


Theoretically it will never happen. You can try a tool called vanitygen and use the prefix 1D or whatever you want, it will take quite some time.

BTC Python developer of various tools. Contact me for programming help (python/cuda)
mocacinno
September 18, 2019, 09:44:00 AM
Merited by bones261 (2), bob123 (2), ABCbits (1)
 #19

Theoretically it will never happen. You can try a tool called vanitygen and use the prefix 1D or whatever you want, it will take quite some time.
"Quite some time" is an understatement.

There's a lack of benchmark results for oclvanitygen (the optimized, GPU version of vanitygen)... But one of the results i found was this one: https://www.reddit.com/r/Bitcoin/comments/1sntt7/48_hours_of_gpu_vanitygen_and_4_trillion/

This user claims to have generated 4 000 000 000 000 addresses in 24 hours using "a" GPU. That's about 23.148.148 keys per second. That's feasible, given that i've found "other" vanitygen (not oclvanitygen) benchmarks in the 5 Mk/s range, so throwing a gpu in the mix could result in a 23 Mk/s result.

Let's, for the sake of argument, say that this user's setup was using an old GPU and inefficient coding, and a top-shelf GPU with decent address mining software could churn out a tenfold (230.000.000 keys per second).
Let's say you have a theoretical farm of 100 of these GPU's, churning out 23.000.000.000 keys per second...

They'll need to test 2^256 keys... This means your farm will need 2^256 / 23.000.000.000 seconds to scan the complete keyspace.

If you execute this calculation and convert the results from seconds to years, you'll end up with a total scantime of 159641002742643597687626818499610000000000000000000000000000 years to scan the complete keyspace.
If you want to scan 0.01% of the total keyspace (thus have 0.01% chance of finding the exact private key whose public key hash was funded), you'll need 15964100274264359768762681849961000000000000000000000000 years...
For people that are not used to read such large numbers, i've looked up the proper naming convention... This allows me to say:

If you have 100 high-performing, latest gen GPU's and good drivers and software, you'll need to run your farm for 16 Septen-decillion years in order to have a 0.01% (that's percent, that's 0.01 chance in 100) to find a private key that belongs to one specific address.

bartekjagoda
September 19, 2019, 04:03:50 PM
 #20

Theoretically it will never happen. You can try a tool called vanitygen and use the prefix 1D or whatever you want, it will take quite some time.
"Quite some time" is an understatement.

There's a lack of benchmark results for oclvanitygen (the optimized, GPU version of vanitygen)... But one of the results i found was this one: https://www.reddit.com/r/Bitcoin/comments/1sntt7/48_hours_of_gpu_vanitygen_and_4_trillion/

This user claims to have generated 4 000 000 000 000 addresses in 24 hours using "a" GPU. That's about 23.148.148 keys per second. That's feasible, given that i've found "other" vanitygen (not oclvanitygen) benchmarks in the 5 Mk/s range, so throwing a gpu in the mix could result in a 23 Mk/s result.

Let's, for the sake of argument, say that this user's setup was using an old GPU and inefficient coding, and a top-shelf GPU with decent address mining software could churn out a tenfold (230.000.000 keys per second).
Let's say you have a theoretical farm of 100 of these GPU's, churning out 23.000.000.000 keys per second...

They'll need to test 2^256 keys... This means your farm will need 2^256 / 23.000.000.000 seconds to scan the complete keyspace.


It's quite strange to have a talk about something you have no idea about. Vanitygen goes up to 250 million keys per second with an old gpu card, so I don't understand why you spend such a long post explaining something that is not accurate and misleading, then get kudos from "friends" who cheer your errors.

 I love Bitcoin
bob123
September 19, 2019, 05:28:23 PM
 #21

It's quite strange to have a talk about something you have no idea about. Vanitygen goes up to 250 million keys per second with an old gpu card, so I don't understand why you spend such a long post explaining something that is not accurate and misleading, then get kudos from "friends" who cheer your errors.

Just read his post again.

Look at the numbers. Do you really think it makes a difference whether it is 5M or 250M keys per second ? That's a factor of 50. That's nothing.
Whether it is 15964100274264359768762681849961000000000000000000000000 years to have 0.01% of the space scanned or 3192820100000000000000000000000000000000000000000000000000000 years doesn't make any difference at all.

It wouldn't even matter if you'd have 5.000.000M keys per second.

mocacinno
September 19, 2019, 05:45:03 PM
Last edit: September 19, 2019, 06:54:29 PM by mocacinno
 #22

It's quite strange to have a talk about something you have no idea about. Vanitygen goes up to 250 million keys per second with an old gpu card, so I don't understand why you spend such a long post explaining something that is not accurate and misleading, then get kudos from "friends" who cheer your errors.


If you would have taken the time to read the complete post, it would have had to be obvious for you the only inaccurate part is the fact that I have found no good oclvanitygen gpu benchmarks, so I had to work with data from a Reddit post... I clearly indicated this, it was rather hard to miss IMHO.

In my post, I already used 230.000.000 keys per second in my calculation.. now you say 250.000.000... don't get worked up about the difference, it's bad for your heart health...

Even if a new gpu would generate a tenfold of this, it wouldn't matter: the conclusion of my initial post stays exactly the same.. 16 Septen-decillion years or 1.6 Septen-decillion years for a 0.01 percent chance,  the sun will probably die in 7 billion years, so neither of us will be around in 1,6 septen-decillion years anyways... Why would you say my post is misleading? Would you say you'll be able to bruteforce a private key within a single lifetime? My address is in my profile, if you pm me my full private key (preferably pgp encrypted with my keybase public key), I'll immediately apologize to you and the full community, and let you pick my personal text for a full year (as long as the text is not illegal or gets me banned)

I wonder if you are trying to draw attention to your(?) business in your signature by acting rather condescending and focussing on the wrong things ?

Saint-loup
September 24, 2019, 04:05:40 PM
Last edit: September 24, 2019, 04:50:35 PM by Saint-loup
 #23

But note that this generally isn't the best idea. See this.

While it's possible, it's strongly encouraged not to use brain wallet because it could be brute forced easily because :
1. Most users uses short passphrase
2. Human brain is far less than you think, your passphrase could be guessed if the attacker know a lot about you (hobby, password template, birth date, etc.)

Check Collection of 18.509 found and used Brainwallets to see how many brainwallet has been guessed
I don't understand those arguments, a brain wallet is still the simplest way to make a transaction by phone or in the street. You just need to say the "passphrase" to the other guy and the transaction is done. So it's still a useful "technology" IMO.


Since i didn't see the IMO best solution to generate a brain wallet offline yet in this thread:

1. Take your 'password' and hash it using sha256. This is your private key now.
2. Convert this private key into the WIF (Wallet import format) following all steps from https://en.bitcoin.it/wiki/Wallet_import_format
3. Generate the public key and address out of this private key.
Which tool do you use to get the ECDSA public key if you don't want to import your DIY private key in a software wallet please?
Thank you

bob123
September 24, 2019, 05:52:42 PM
 #24

I don't understand those arguments, a brain wallet is still the simplest way to make a transaction by phone or in the street. You just need to say the "passphrase" to the other guy and the transaction is done. So it's still a useful "technology" IMO.

The transaction is not done until there has been a transaction recorded on the blockchain.

As ETFbitcoin has pointed out, this only works if both parties trust each other.
And if you trust each other, you can also promise to pay later when at home.

For real transaction on-the-go, you'd simply use a mobile wallet.



Which tool do you use to get the ECDSA public key if you don't want to import your DIY private key in a software wallet please?

Commandline tool: openssl.

Saint-loup
September 24, 2019, 06:21:12 PM
 #25

Your example only works if both party trust each other. What stops the "sender" give wrong passphrase or attempt to double-spend it with very high fees.
Of course, you can't consider to be paid until you've swept the wallet. So if you don't trust the guy, you just need to sweep the wallet while he's still with you.  


I don't understand those arguments, a brain wallet is still the simplest way to make a transaction by phone or in the street. You just need to say the "passphrase" to the other guy and the transaction is done. So it's still a useful "technology" IMO.

The transaction is not done until there has been a transaction recorded on the blockchain.

As ETFbitcoin has pointed out, this only works if both parties trust each other.
And if you trust each other, you can also promise to pay later when at home.

For real transaction on-the-go, you'd simply use a mobile wallet.
If the guy tells you the passphrase by phone or in the street you can sweep the wallet "on-the-go" too.


Quote
Which tool do you use to get the ECDSA public key if you don't want to import your DIY private key in a software wallet please?

Commandline tool: openssl.
Thank you.

o_e_l_e_o
September 24, 2019, 06:59:47 PM
 #26

Of course, you can't consider to be paid until you've swept the wallet. So if you don't trust the guy, you just need to sweep the wallet while he's still with you.
I spend bitcoin out and about in person at least once a week. My purchases vary from anything from a couple of bucks up to a hundred bucks. Let's say I have memorized a passphrase to a wallet holding 0.01 BTC, and I need to pay 0.002 BTC. What then? I give him the passphrase, he sweeps it, then sends me some back? I give him the passphrase, and he promises to only take the amount needed? Either way, you are now introducing an element of trust which is unnecessary. The only way around this using brain wallets would be for me to create, fund, and memorize multiple passphrases to multiple wallets, each holding a different denomination of bitcoin, so I can always pay close to the amount needed.

I really don't see any benefit to using this over a mobile wallet, considering I carry my mobile with me 24/7.
bob123
September 24, 2019, 07:07:39 PM
 #27

If the guy tells you the passphrase by phone or in the street you can sweep the wallet "on-the-go" too.

In this case.. why not simply use a mobile wallet to transact immediately ?
Or hand over a printed private key, which would also require trust.

Both ways would be better than using a brainwallet and handing over a passphrase.
Brainwallets are generally a bad idea.

crofrihosl
September 24, 2019, 07:43:15 PM
 #28

If the guy tells you the passphrase by phone or in the street you can sweep the wallet "on-the-go" too.
People who think like this are usually the same ones who pick the friendly family dog's name as "passphrase".
Don't walk your dog, or anyone in the street can sweep your wallet if he calls the dog.

Saint-loup
September 24, 2019, 08:00:09 PM
 #29

If the guy tells you the passphrase by phone or in the street you can sweep the wallet "on-the-go" too.

In this case.. why not simply use a mobile wallet to transact immediately ?
If you've lost your smartphone or if you're abroad and you can't connect to the local 3G/4G network?
Moreover in third world countries not everyone owns a smartphone, and in many places of the world there is no 3G/4G network available. These people shouldn't be able to use bitcoin?

Quote
Or hand over a printed private key, which would also require trust.
Yes it's another solution, but the first guy needs a printer, to travel with the private key on him, and the other guy needs a cam if it's a QR code.



Of course, you can't consider to be paid until you've swept the wallet. So if you don't trust the guy, you just need to sweep the wallet while he's still with you.
I spend bitcoin out and about in person at least once a week. My purchases vary from anything from a couple of bucks up to a hundred bucks. Lets say I have memorized a passphrase to wallet holding 0.01 BTC, and I need to pay 0.002 BTC. What then? I give him the passphrase, he sweeps it, then sends me some back? I give him the passphrase, and he promises to only take the amount needed? Either way, you are now introducing an element of trust which is unnecessary. The only way around this using brain wallets would be for me to create, fund, and memorize multiple passphrases to multiple wallets, each holding a different denomination of bitcoin, so I can always pay close to the amount needed.

I really don't see any benefit to using this over a mobile wallet, considering I carry my mobile with me 24/7.
Yes it's true, it's the same problem for Opendime and Tangem.
But "standard" transactions aren't always perfect  too. If the fees of the guy are too low, you can't wait 1 hour with him to get a mined transaction... so you must trust a 0 conf transaction and he can cancel it once he is away(double spent utxo with higher fees)

bob123
Legendary
Activity: 1624
Merit: 2481
September 24, 2019, 08:06:02 PM
 #30

> If the guy tells you the passphrase by phone or in the street you can sweep the wallet "on-the-go" too.
>
> In this case.. why not simply use a mobile wallet to transact immediately ?
>
> If you've lost your smartphone or if you're abroad and you can't connect to the local 3G/4G network?
> Moreover in third world countries not everyone owns a smartphone, and in many places of the world there is no 3G/4G network available. These people shouldn't be able to use bitcoin?

Quote
> Or hand over a printed private key, which would also require trust.
>
> Yes it's another solution, but the first guy needs a printer, to travel with the private key on him, and the other guy needs a cam if it is a QR code.

If no printer is available, write it down.
Private keys - when generated properly - are far more secure than a brainwallet. The entropy of a human brain is horrible.

Both parties at least need any digital device. Whether a PC or mobile doesn't matter.
Without any of this, using BTC is not possible. As simple as that.


And if both parties have a computer, but no mobile.. then my earlier made suggestion still stands.
The promise of "i will pay you later".

Both require trust. But the one is secure (no low-entropy private key).

HCP
Legendary
Activity: 2086
Merit: 4316
<insert witty quote here>
September 28, 2019, 04:48:15 AM
 #31

> Private keys - when generated properly - are far more secure than a brainwallet. The entropy of a human brain is horrible.

I concur. I can't really think of any situation where a brainwallet would be preferable to a properly (randomly) generated wallet/private key...

It seems that because brainwallets aren't in common use, we don't see all the "my brainwallet got 'hacked'!!?!" stories/posts that popped up in the "Good ol'day"™ when they were still popular and the less than moral types were busy running various "dictionary" attacks using all sorts of datasets (poems, lyrics, basic words, dates, names etc)... As such, history threatens to repeat as newcomers don't seem to realise the dangers of using them.

o_e_l_e_o
In memoriam
Legendary
Activity: 2268
Merit: 18512
September 28, 2019, 09:18:34 AM
 #32

> Moreover in third world countries not everyone owns a smartphone, and in many places of the world there is no 3G/4G network available. These people shouldn't be able to use bitcoin?

How are they going to use bitcoin with access to the internet?

> But "standard" transactions aren't always perfect too. If the fees of the guy are too low, you can't wait 1 hour with him to get a mined transaction... so you must trust a 0 conf transaction and he can cancel it once he is away (double spent utxo with higher fees)

So either don't hand over the goods until you have a few confirmations, or do CPFP on the transaction to get it to confirm faster.

> As such, history threatens to repeat as newcomers don't seem to realise the dangers of using them.

Whenever I see someone considering using a brain wallet, I usually direct them to the following places:

Collection of 18.509 found and used Brainwallets
https://eli5.eu/brainwallet/

Ask them to have a quick read of that thread and click on some of the transactions linked, or pick a few random addresses from the second site and again look at the transactions, paying particular attention to the times of the deposit and withdrawal transactions, and see that the withdrawal (stealing) transaction is generated and broadcast usually within a second of their deposit transaction.
Saint-loup
Legendary
Activity: 2604
Merit: 2357
September 28, 2019, 10:58:30 AM
 #33

> It seems that because brainwallets aren't in common use, we don't see all the "my brainwallet got 'hacked'!!?!" stories/posts that popped up in the "Good ol'day"™ when they were still popular and the less than moral types were busy running various "dictionary" attacks using all sorts of datasets (poems, lyrics, basic words, dates, names etc)... As such, history threatens to repeat as newcomers don't seem to realise the dangers of using them.

You can use salts to avoid that.
Moreover brainwallets are not designed for big transactions, neither to hold funds during several weeks as anyone understands, it's just some kind of vehicle.

> I concur. I can't really think of any situation where a brainwallet would be preferable to a properly (randomly) generated wallet/private key...

Why bip39 mnemonic codes have been created? It's because hex and base58 strings are not convenient for humans. You can't deny that. You can't surely remember a new btc address, you can't easily spell it by phone, when you write it down you can make mistakes since it's 0 error-tolerant, etc.

Quote
> Motivation
> A mnemonic code or sentence is superior for human interaction compared to the handling of raw binary or hexadecimal representations of a wallet seed. The sentence could be written on paper or spoken over the telephone.
>
> This guide is meant to be a way to transport computer-generated randomness with a human readable transcription.
https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki

> Moreover in third world countries not everyone owns a smartphone, and in many places of the world there is no 3G/4G network available. These people shouldn't be able to use bitcoin?
>
> How are they going to use bitcoin with access to the internet?

Except maybe on some small islands, I think nowadays you can find "wired" internet in every country.
In worst case, you can use the blockstream satellites to get the blockchain and send signed raw transactions to people having internet in order to broadcast them.

> As such, history threatens to repeat as newcomers don't seem to realise the dangers of using them.
>
> Whenever I see someone considering using a brain wallet, I usually direct them to the following places:
>
> Collection of 18.509 found and used Brainwallets
> https://eli5.eu/brainwallet/
>
> Ask them to have a quick read of that thread and click on some of the transactions linked, or pick a few random addresses from the second site and again look at the transactions, paying particular attention to the times of the deposit and withdrawal transactions, and see that the withdrawal (stealing) transaction is generated and broadcast usually within a second of their deposit transaction.

So you are implying some people are monitoring billions of billions of addresses?
As I said above you can use a salt to avoid that.

o_e_l_e_o
In memoriam
Legendary
Activity: 2268
Merit: 18512
September 28, 2019, 11:37:57 AM
 #34

> Why bip39 mnemonic codes have been created?

A mnemonic phrase has been specifically designed to have a massive amount of entropy. Although it could be memorized (although not having a physical back up is a very bad idea), it is not the same as a brain wallet by any means.

> In worst case, you can use the blockstream satellites to get the blockchain and send signed raw transactions to people having internet in order to broadcast them.

If they have a device capable of broadcasting to blockstream satellites, then they definitely have a device capable of running an Electrum wallet (for example). Provided it is already synced, a wallet does not require an internet connection to sign a transaction.

> So you are implying some people are monitoring billions of billions of addresses?

Not billions, but hundreds of thousands, yes. You can see the proof on the second link in my previous post. All of those addresses have been cleared out within seconds of being used.

> As I said above you can use a salt to avoid that.

Well, then we are back to square one. Humans are bad at generating entropy. In the same way that people generally use easily guessed passwords, people will generally use easily guessed salts, such as their date of birth or phone number.
Saint-loup
Legendary
Activity: 2604
Merit: 2357
September 28, 2019, 12:32:22 PM
 #35

> Why bip39 mnemonic codes have been created?
>
> A mnemonic phrase has been specifically designed to have a massive amount of entropy. Although it could be memorized (although not having a physical back up is a very bad idea), it is not the same as a brain wallet by any means.

If Bip39 evokes brain wallets there is a reason, it's because at the end, it answers the same issue : humans are not computers, they don't communicate in bits or hexadecimal strings, they use words.

Quote
> In worst case, you can use the blockstream satellites to get the blockchain and send signed raw transactions to people having internet in order to broadcast them.
>
> If they have a device capable of broadcasting to blockstream satellites, then they definitely have a device capable of running an Electrum wallet (for example). Provided it is already synced, a wallet does not require an internet connection to sign a transaction.

No in fact, it's not a bidirectional service, it's only a downlink communication, you can only download the blockchain but it's free.
So you have to send your transactions in another way to broadcast them.

Quote
> So you are implying some people are monitoring billions of billions of addresses?
>
> Not billions, but hundreds of thousands, yes. You can see the proof on the second link in my previous post. All of those addresses have been cleared out within seconds of being used.

Yes I saw your link, the last address is "only" the number 18 982, the Oxford English dictionary contains 200,000 words, so the number of the most common single words in English is certainly above that.

o_e_l_e_o
In memoriam
Legendary
Activity: 2268
Merit: 18512
September 28, 2019, 08:57:24 PM
 #36

> If Bip39 evokes brain wallets there is a reason, it's because at the end, it answers the same issue : humans are not computers, they don't communicate in bits or hexadecimal strings, they use words.

True, but this says nothing about the security (or lack thereof) of using a brain wallet.

> Yes I saw your link, the last address is "only" the number 18 982, the Oxford English dictionary contains 200,000 words, so the number of the most common single words in English is certainly above that.

Sure, but not every possible word in the English language has been utilized as a brain wallet. I would bet a good amount of bitcoin that all the corresponding wallets are being actively monitored by various bots, though. Even more complex strings, such as a phrase or a word and numbers are being cleared out within a second or two of being used.

The 19 thousand refers to the number of brainwallets which have actually been used (and immediately emptied), not the number of brainwallets being actively monitored.
Saint-loup
Legendary
Activity: 2604
Merit: 2357
September 29, 2019, 08:08:56 PM
 #37

> If Bip39 evokes brain wallets there is a reason, it's because at the end, it answers the same issue : humans are not computers, they don't communicate in bits or hexadecimal strings, they use words.
>
> True, but this says nothing about the security (or lack thereof) of using a brain wallet.
>
> Yes I saw your link, the last address is "only" the number 18 982, the Oxford English dictionary contains 200,000 words, so the number of the most common single words in English is certainly above that.
>
> Sure, but not every possible word in the English language has been utilized as a brain wallet. I would bet a good amount of bitcoin that all the corresponding wallets are being actively monitored by various bots, though. Even more complex strings, such as a phrase or a word and numbers are being cleared out within a second or two of being used.
>
> The 19 thousand refers to the number of brainwallets which have actually been used (and immediately emptied), not the number of brainwallets being actively monitored.

As you can see in this famous XKCD comic, 44 bits of entropy, that is to say 4 words of the 2000 most common words in English (like for bip39 seeds), represents 550 years of computing at 1000 results/s so I doubt some hackers have already tried to compute and check all those addresses, and I'm not even talking about the ability of monitoring all of them...
65 000 words of the English dictionary it's almost 16 bits of entropy for each word of the passphrase + a salt of 3 characters it's 19 more bits...

I like this conclusion in this article from the protonmail blog "“Security at the expense of usability comes at the expense of security.” In other words, if your “secure system” isn’t easy to use, people won’t use it, negating the security benefit."
https://protonmail.com/blog/protonmail-com-blog-password-vs-passphrase/


o_e_l_e_o
In memoriam
Legendary
Activity: 2268
Merit: 18512
September 29, 2019, 08:38:33 PM
 #38

> As you can see in this famous XKCD comic, 44 bits of entropy, that is to say 4 words of the 2000 most common words in English (like for bip39 seeds), represents 550 years of computing at 1000 results/s so I doubt some hackers have already tried to compute and check all those addresses, and I'm not even talking about the ability of monitoring all of them...

That's a different scenario, though. That's someone trying to brute force access to an account login, not generate private keys. With the right hardware, programs such as Vanity Search can generate in excess of a billion keys per second (See here for benchmarks: https://bitcointalk.org/index.php?topic=5112311.msg50823897#msg50823897). 44 bits of entropy can now be broken in around 4 hours. Bear in mind this only has to be done once, and the attacker can simply then generate a look-up table of public addresses. As soon as one of those public addresses is used, he already knows the private key and can automatically generate a transaction to steal the funds. In fact, that's exactly what one of them was doing years ago: https://news.ycombinator.com/item?id=7368283

And this is only considering a single attacker. We know there are many of these attackers out there. If you read through the other thread I linked to before, in some of the cases of a brain wallet being used, there were 4 or 5 different transactions generated within a second all trying to steal the funds to different addresses.
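
The arithmetic behind the two figures in the last posts (550 years at 1000 results/s versus roughly 4 hours at a billion keys per second), as an added example that is not part of the original thread. The four-word count for the 65,000-word case and the 95-character salt alphabet are assumptions, and every figure holds only when words and salt are drawn uniformly at random.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(wordlist_size, words, salt_alphabet=1, salt_len=0):
    """Entropy in bits, valid only if every word and salt character is
    drawn uniformly at random (a phrase a person makes up is weaker)."""
    return words * math.log2(wordlist_size) + salt_len * math.log2(salt_alphabet)


def seconds_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try every candidate; the average is half of it."""
    return 2.0 ** bits / guesses_per_second


def min_words(wordlist_size, guesses_per_second, years):
    """Fewest uniformly random words whose keyspace outlasts `years` of
    guessing at `guesses_per_second`."""
    needed_bits = math.log2(guesses_per_second * years * SECONDS_PER_YEAR)
    return math.ceil(needed_bits / math.log2(wordlist_size))


def humanize(seconds):
    """Render a duration in the largest unit that fits, to 3 significant digits."""
    for unit, size in (("years", SECONDS_PER_YEAR), ("days", 86400), ("hours", 3600)):
        if seconds >= size:
            return f"{seconds / size:.3g} {unit}"
    return f"{seconds:.3g} seconds"


def report():
    """One row per scheme: (name, bits, {rate label: time to exhaust})."""
    # Rates quoted in the thread: 1000 results/s and a billion keys per second.
    rates = {"1e3/s": 1e3, "1e9/s": 1e9}
    schemes = {
        "4 words from 2048": entropy_bits(2048, 4),
        # Assumptions: 4 words, and a salt over the 95 printable ASCII characters.
        "4 words from 65000 + 3-char salt": entropy_bits(65000, 4, 95, 3),
        "128-bit random key": 128.0,
    }
    rows = []
    for name, bits in schemes.items():
        times = {label: humanize(seconds_to_exhaust(bits, rate))
                 for label, rate in rates.items()}
        rows.append((name, round(bits, 1), times))
    return rows


if __name__ == "__main__":
    for name, bits, times in report():
        cells = "  ".join(f"{label}: {value}" for label, value in times.items())
        print(f"{name:34} {bits:6.1f} bits  {cells}")
    print("words needed from a 2048-word list for 100 years at 1e9/s:",
          min_words(2048, 1e9, 100))
```

The same 44 bits give both numbers quoted in the thread; only the guess rate differs, and the exhaustive pass is a one-time cost.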