Can I generate a brain wallet offline?

[bob123]

Its quite strange to have a talk about something you have no idea about. Vanitygen goes up to 250 million keys per second with an old gpu card, so I dont understand why you spend such a long post explaining something that is not accurate and misleading, then get cudos from "friends" who cheer your errors.

Just read his post again.

Look at the numbers. Do you really think it makes a difference whether it is 5M or 250M keys per second ? That's a factor of 50. That's nothing.
Whether it is 15964100274264359768762681849961000000000000000000000000 years to have 0.01% of the space scanned or 3192820100000000000000000000000000000000000000000000000000000 years doesn't make any difference at all.

It wouldn't even matter if you'd have 5.000.000M keys per second.

[mocacinno]

Its quite strange to have a talk about something you have no idea about. Vanitygen goes up to 250 million keys per second with an old gpu card, so I dont understand why you spend such a long post explaining something that is not accurate and misleading, then get cudos from "friends" who cheer your errors.

If you would have taken the time to read the complete post, it would have had to be obvious for you the only inaccurate part is the fact that I have found no good oclvanitygen gpu benchmarks, so I had to work with data from a Reddit post... I clearly indicated this, it was rather hard to mis IMHO.

In my post, I already used 230.000.000 keys per second in my calculation.. now you say 250.000.000... don't get worked up about the difference, it's bad for your heart health...

Even if a new gpu would generate a tenfold of this, it wouldn't matter: the conclusion of my initial post stays exactly the same.. 16 Septen-decillion years or 1.6 Septen-decillion years for a 0.01 percent chance,  the sun will probably die in 7 billion years, so neither of us will be around in 1,6 septen-decillion years anyways... Why would you say my post is misleading? Would you say you'll be able to bruteforce a private key within a single lifetime? My address is in my profile, if you pm me my full private key (preferably pgp encrypted with my keybase public key), I'll immediately apologize to you and the full community, and let you pick my personal text for a full year (as long as the text is not illegal or gets me banned)

I wonder if you are trying to draw attention to your(?) business in your signature by acting rather condescending and focussing on the wrong things ?

[Saint-loup]

But note that this generally isn't the best idea. See this.

While it's possible, it's strongly encouraged not to use brain wallet because it could be brute forced easily because :
1. Most users uses short passphrase
2. Human brain is far less than you think, your passphrase could be guessed if the attacker know a lot about you (hobby, password template, birth date, etc.)

Check Collection of 18.509 found and used Brainwallets to see how many brainwallet has been guessed

I don't understand those arguments, a brain wallet is still the simplest way to make a transaction by phone or in the street. You just need to say the "passphrase" to the other guy and the transaction is done. So it's still a useful "technology" IMO.

Since i didn't see the IMO best solution to generate a brain wallet offline yet in this thread:

1. Take your 'password' and hash it using sha256. This is your private key now.
2. Convert this private key into the WIF (Wallet import format) following all steps from https://en.bitcoin.it/wiki/Wallet_import_format
3. Generate the public key and address out of this private key.

Which tool do you use to get the ECDSA public key if you don't want to import your DIY private key in a software wallet please?
Thank you

[bob123]

I don't understand those arguments, a brain wallet is still the simplest way to make a transaction by phone or in the street. You just need to say the "passphrase" to the other guy and the transaction is done. So it's still a useful "technology" IMO.

The transaction is not done until there has been a transaction recorded on the blockchain.

As ETFbitcoin has pointed out, this only works if both parties trust each other.
And if you trust each other, you can also promise to pay later when at home.

For real transaction on-the-go, you'd simply use a mobile wallet.

Which tool do you use to get the ECDSA public key if you don't want to import your DIY private key in a software wallet please?

Commandline tool: openssl.

[Saint-loup]

Your example only works if both party trust each other. What stops the "sender" give wrong passphrase or attempt to double-spend it with very high fees.

Of course, you can't consider to be paid until you've swept the wallet. So if you don't trust the guy, you just need to sweep the wallet while he's still with you.  

I don't understand those arguments, a brain wallet is still the simplest way to make a transaction by phone or in the street. You just need to say the "passphrase" to the other guy and the transaction is done. So it's still a useful "technology" IMO.

The transaction is not done until there has been a transaction recorded on the blockchain.

As ETFbitcoin has pointed out, this only works if both parties trust each other.
And if you trust each other, you can also promise to pay later when at home.

For real transaction on-the-go, you'd simply use a mobile wallet.

If the guy tell you the passphrase by phone or in the street you can sweep the wallet "on-the-go" too.

Which tool do you use to get the ECDSA public key if you don't want to import your DIY private key in a software wallet please?

Commandline tool: openssl.

Thank you.

[o_e_l_e_o]

Of course, you can't consider to be paid until you've swept the wallet. So if you don't trust the guy, you just need to sweep the wallet while he's still with you.

I spend bitcoin out and about in person at least once a week. My purchases vary from anything from a couple of bucks up to a hundred bucks. Lets say I have memorized a passphrase to wallet holding 0.01 BTC, and I need to pay 0.002 BTC. What then? I give him the passphrase, he sweeps it, then sends me some back? I give him the passphrase, and he promises to only take the amount needed? Either way, you are now introducing an element of trust which is unnecessary. The only way around this using brain wallets would be for me to create, fund, and memorize multiple passphrases to multiple wallets, each holding a different denomination of bitcoin, so I can always pay close to the amount needed.

I really don't see any benefit to using this over a mobile wallet, considering I carry my mobile with me 24/7.

[bob123]

If the guy tell you the passphrase by phone or in the street you can sweep the wallet "on-the-go" too.

In this case.. why not simply use a mobile wallet to transact immediately ?
Or hand over a printed private key, which would also require trust.

Both ways would be better than using a brainwallet and handing over a passphrase.
Brainwallets are generally a bad idea.

[crofrihosl]

If the guy tell you the passphrase by phone or in the street you can sweep the wallet "on-the-go" too.

people who think like this usually are same who pick the friendly family dog name as "passphrase "
don't walk your dog, or anyone in the street can sweep your wallet if he call the dog 

[Saint-loup]

If the guy tell you the passphrase by phone or in the street you can sweep the wallet "on-the-go" too.

In this case.. why not simply use a mobile wallet to transact immediately ?

If you've lost your smartphone or if you're abroad and you can't connect to the local 3G/4G network?
Moreover in third world countries not everyone owns a smartphone, and in many places of the world there is no 3G/4G network available. These people shouldn't be able to use bitcoin?

Or hand over a printed private key, which would also require trust.

Yes it's another solution, but the first guy need a printer, to travel with the private key on him, and the other guy need a cam if it's a Qr code.

Of course, you can't consider to be paid until you've swept the wallet. So if you don't trust the guy, you just need to sweep the wallet while he's still with you.

I spend bitcoin out and about in person at least once a week. My purchases vary from anything from a couple of bucks up to a hundred bucks. Lets say I have memorized a passphrase to wallet holding 0.01 BTC, and I need to pay 0.002 BTC. What then? I give him the passphrase, he sweeps it, then sends me some back? I give him the passphrase, and he promises to only take the amount needed? Either way, you are now introducing an element of trust which is unnecessary. The only way around this using brain wallets would be for me to create, fund, and memorize multiple passphrases to multiple wallets, each holding a different denomination of bitcoin, so I can always pay close to the amount needed.

I really don't see any benefit to using this over a mobile wallet, considering I carry my mobile with me 24/7.

Yes it's true, it's the same problem for Opendime and Tangem.
But "standard" transactions aren't always perfect  too. If the fees of the guy are too low, you can't wait 1 hour with him to get a mined transaction... so you must trust a 0 conf transaction and he can cancel it once he is away(double spent utxo with higher fees)

[bob123]

If the guy tell you the passphrase by phone or in the street you can sweep the wallet "on-the-go" too.

In this case.. why not simply use a mobile wallet to transact immediately ?

If you've lost your smartphone or if you're abroad and you can't connect to the local 3G/4G network?
Moreover in third world countries not everyone owns a smartphone, and in many places of the world there is no 3G/4G network available. These people shouldn't be able to use bitcoin?

Or hand over a printed private key, which would also require trust.

Yes it's another solution, but the first guy need a printer, to travel with the private key on him, and the other guy need a cam if it is a Qr code.

If no printer is available, write it down.
Private keys - when generated properly - are far more secure than a brainwallet. The entropy of a human brain is horrible.

Both parties at least need any digital device. Whether a PC or mobile doesn't matter.
Without any of this, using BTC is not possible. As simple as that.


And if both parties have a computer, but no mobile.. then my earlier made suggestion still stands.
The promise of "i will pay you later".

Both require trust. But the one is secure (no low-entropy private key).

[HCP]

Private keys - when generated properly - are far more secure than a brainwallet. The entropy of a human brain is horrible.

I concur. I can't really think of any situation where a brainwallet would be preferable to a properly (randomly) generated wallet/private key...

It seems that because brainwallets aren't in common use, we don't see all the "my brainwallet got 'hacked'!!?!" stories/posts that popped up in the "Good ol'day"™ when they were still popular and the less than morale types were busy running various "dictionary" attacks using all sorts of datasets (poems, lyrics, basic words, dates, names etc)... As such, history threatens to repeat as newcomers don't seem to realise the dangers of using them.

[o_e_l_e_o]

Moreover in third world countries not everyone owns a smartphone, and in many places of the world there is no 3G/4G network available. These people shouldn't be able to use bitcoin?

How are they going to use bitcoin with access to the internet?

But "standard" transactions aren't always perfect  too. If the fees of the guy are too low, you can't wait 1 hour with him to get a mined transaction... so you must trust a 0 conf transaction and he can cancel it once he is away(double spent utxo with higher fees)

So either don't hand over the goods until you have a few confirmations, or do CPFP on the transaction to get it to confirm faster.

As such, history threatens to repeat as newcomers don't seem to realise the dangers of using them.

Whenever I see someone considering using a brain wallet, I usually direct them to the following places:

Collection of 18.509 found and used Brainwallets
https://eli5.eu/brainwallet/

Ask them to have a quick read of that thread and click on some of the transactions linked, or pick a few random addresses from the second site and again look at the transactions, paying particular attention to the times of the deposit and withdrawal transactions, and see that the withdrawal (stealing) transaction is generated and broadcast usually within a second of their deposit transaction.

[Saint-loup]

It seems that because brainwallets aren't in common use, we don't see all the "my brainwallet got 'hacked'!!?!" stories/posts that popped up in the "Good ol'day"™ when they were still popular and the less than morale types were busy running various "dictionary" attacks using all sorts of datasets (poems, lyrics, basic words, dates, names etc)... As such, history threatens to repeat as newcomers don't seem to realise the dangers of using them.

You can use salts to avoid that.
Moreover brainwallets are not designed for big transactions, neither to hold funds during several weeks as anyone understands, it's just some kind of vehicle.

I concur. I can't really think of any situation where a brainwallet would be preferable to a properly (randomly) generated wallet/private key...

Why bip39 mnemonic codes have been created? It's because hex and base58 strings are not convenient for humans. You can't deny that. You can't surely remember a new btc address, you can't easily spell it by phone, when you write it down you can make mistakes since it's 0 error-tolerant, etc.

Motivation
A mnemonic code or sentence is superior for human interaction compared to the handling of raw binary or hexadecimal representations of a wallet seed. The sentence could be written on paper or spoken over the telephone.

This guide is meant to be a way to transport computer-generated randomness with a human readable transcription.

https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki

Moreover in third world countries not everyone owns a smartphone, and in many places of the world there is no 3G/4G network available. These people shouldn't be able to use bitcoin?

How are they going to use bitcoin with access to the internet?

Except maybe on some small islands, I think nowadays you can find "wired" internet in every country.  
In worst case, you can use the blockstream satellites to get the blockchain and send signed raw transactions to people having internet in order to broadcast them.

As such, history threatens to repeat as newcomers don't seem to realise the dangers of using them.

Whenever I see someone considering using a brain wallet, I usually direct them to the following places:

Collection of 18.509 found and used Brainwallets
https://eli5.eu/brainwallet/

Ask them to have a quick read of that thread and click on some of the transactions linked, or pick a few random addresses from the second site and again look at the transactions, paying particular attention to the times of the deposit and withdrawal transactions, and see that the withdrawal (stealing) transaction is generated and broadcast usually within a second of their deposit transaction.

So you are implying some people are monitoring billions of billions of addresses?
As I said above you can use a salt to avoid that.

[o_e_l_e_o]

Why bip39 mnemonic codes have been created?

A mnemonic phrase has been specifically designed to have a massive amount of entropy. Although it could be memorized (although not having a physical back up is a very bad idea), it is not the same as a brain wallet by any means.

In worst case, you can use the blockstream satellites to get the blockchain and send signed raw transactions to people having internet in order to broadcast them.

If they have a device capable of broadcasting to blockstream satellites, then they definitely have a device capable of running an Electrum wallet (for example). Provided it is already synced, a wallet does not require an internet connection to sign a transaction.

So you are implying some people are monitoring billions of billions of addresses?

Not billion, but hundreds of thousands, yes. You can see the proof on the second link in my previous post. All of those address have been cleared out within seconds of being used.

As I said above you can use a salt to avoid that.

Well, then we are back to square one. Humans are bad at generating entropy. In the same way that people generally use easily guessed passwords, people will generally use easily guessed salts, such as their date of birth or phone number.

[Saint-loup]

Why bip39 mnemonic codes have been created?

A mnemonic phrase has been specifically designed to have a massive amount of entropy. Although it could be memorized (although not having a physical back up is a very bad idea), it is not the same as a brain wallet by any means.

If Bip39 evokes brain wallets there is a reason, it's because at the end, it answers the same issue : humans are not computers, they don't communicate in bits or hexadecimal strings, they use words.  

In worst case, you can use the blockstream satellites to get the blockchain and send signed raw transactions to people having internet in order to broadcast them.

If they have a device capable of broadcasting to blockstream satellites, then they definitely have a device capable of running an Electrum wallet (for example). Provided it is already synced, a wallet does not require an internet connection to sign a transaction.

No in fact, it's not a bidirectional service, it's only a downlink communication, you can only download the blockchain but it's free.
So you have to send your transactions in another way to broadcast them.

So you are implying some people are monitoring billions of billions of addresses?

Not billion, but hundreds of thousands, yes. You can see the proof on the second link in my previous post. All of those address have been cleared out within seconds of being used.

Yes I saw your link, the last address is "only" the number 18 982, the Oxford english dictionary contains 200,000 words, so the number of the most common single words in english is certainly above that.

[o_e_l_e_o]

If Bip39 evokes brain wallets there is a reason, it's because at the end, it answers the same issue : humans are not computers, they don't communicate in bits or hexadecimal strings, they use words.

True, but this says nothing about the security (or lack thereof) of using a brain wallet.

Yes I saw your link, the last address is "only" the number 18 982, the Oxford english dictionary contains 200,000 words, so the number of the most common single words in english is certainly above that.

Sure, but not every possible word in the English language has been utilized as a brain wallet. I would bet a good amount of bitcoin that all the corresponding wallets are being actively monitored by various bots, though. Even more complex strings, such as a phrase or a word and numbers are being cleared out within a second or two of being used.

The 19 thousand refers to the number of brainwallets which have actually been used (and immediately emptied), not the number of brainwallets being actively monitored.

[Saint-loup]

If Bip39 evokes brain wallets there is a reason, it's because at the end, it answers the same issue : humans are not computers, they don't communicate in bits or hexadecimal strings, they use words.

True, but this says nothing about the security (or lack thereof) of using a brain wallet.

Yes I saw your link, the last address is "only" the number 18 982, the Oxford english dictionary contains 200,000 words, so the number of the most common single words in english is certainly above that.

Sure, but not every possible word in the English language has been utilized as a brain wallet. I would bet a good amount of bitcoin that all the corresponding wallets are being actively monitored by various bots, though. Even more complex strings, such as a phrase or a word and numbers are being cleared out within a second or two of being used.

The 19 thousand refers to the number of brainwallets which have actually been used (and immediately emptied), not the number of brainwallets being actively monitored.

As you can see in this famous XKCD comic, 44 bits of entropy, that is to say 4 words of the 2000 most common words in english (like for bip39 seeds), reprents 550 years of computing at 1000results/s so I doubt some hackers have already try to compute and check all those addresses, and I'm not even talking about the ability of monitoring all of them...
65 000 words of the english dictionary it's almost 16bits of entropy for each word of the passphrase+a salt of 3characters it's 19 more bits...  

I like this conclusion in this article from the protonmail blog "“Security at the expense of usability comes at the expense of security.” In other words, if your “secure system” isn’t easy to use, people won’t use it, negating the security benefit."
https://protonmail.com/blog/protonmail-com-blog-password-vs-passphrase/

[o_e_l_e_o]

As you can see in this famous XKCD comic, 44 bits of entropy, that is to say 4 words of the 2000 most common words in english (like for bip39 seeds), reprents 550 years of computing at 1000results/s so I doubt some hackers have already try to compute and check all those addresses, and I'm not even talking about the ability of monitoring all of them...

That's a different scenario, though. That's someone trying to brute force access to an account login, not generate private keys. With the right hardware, programs such as Vanity Search can generate in excess of a billion keys per second (See here for benchmarks: https://bitcointalk.org/index.php?topic=5112311.msg50823897#msg50823897). 44 bits of entropy can now be broken in around 4 hours. Bear in mind this only has to be done once, and the attacker can simply then generate a look-up table of public addresses. As soon as one of those public addresses is used, he already knows the private key and can automatically generate a transaction to steal the funds. In fact, that's exactly what one of them was doing years ago: https://news.ycombinator.com/item?id=7368283

And this is only considering a single attacker. We know there are many of these attackers out there. If you read through the other thread I linked to before, in some of the cases of a brain wallet being used, there were 4 or 5 different transactions generated within a second all trying to steal the funds to different addresses.