How secure is a brain wallet with a randomly generated password?

[acuriousmind]

Hello,

I plan to create a brain wallet by doing the following:

* Create securely a random seed and print its QR code
* Use the https://keybase.io/warp/warp_1.0.9_SHA256_a2067491ab582bde779f4505055807c2479354633a2216b22cf1e92d1a6e4a87.html algorithm  with my seed as the password and a classic/human-made/weak password (that my mother can remember) as the salt.
* Instead of using Scrypt, use argon2
* Generate a wallet
* Send some satoshis
* Give the QR code to my mum as a gift

Do you think it is secure enough?

Thanks

[1714992612]

1714992612

[1714992612]

1714992612

[1714992612]

1714992612

[Charles-Tim]

Why using brain wallet when you can use HD wallet? Use HD wallet, generate the seed phrase, fund one of the addresses or the addresses of your choice and give the seed phrase as a gift to your mum, telling her how the seed phrase is very important, how to avoid it and her coin not to be stolen and telling her how the seed phrase is the coin that you gave her.

[acuriousmind]

Hello Charles,

This is because I want to give her not only the QR code, but a nice object with the QR printed on it.

So she can "feel" it, something she could put in her home and show her hosts she now has bitcoins.

[NeuroticFish]

I plan to create a brain wallet by doing the following

I think that you better skip the idea of the brain wallet. They were proven insecure for years.

Why you don't just set up a safe offline OS, maybe without persistence too, and just run from there either Electrum or Sparrow, either run there Ian Coleman's bip39 page?
Then you should have a proper HD seed to work with.

Or, if you want only to give a nice present that maybe won't be used too, you can look for a good old and reputed vanity generator you can maybe use offline (just beware, not all vanity generators are reputable!), getting a nice address like 1NfiSHBCB4qYoQZTzGe3Er5f9gb7X1hVRj, which (together with private key) you can use for some hand-made paper wallet.

In any case, I would not use printer, unless maybe if I install it from start onto that offline OS; the private key or seed should not touch systems that will ever go online.

[LoyceMobile]

No. I think you risk losing your funds. This isn't a brain wallet, how are you going to remember the random seed? The warp-site isn't the problem, your interpretation is.
If you want to print a QR-code, why not use BIP38 encryption? I wouldn't show it off though, just like you don't leave a pile of cash on the table to impress visitors.

[o_e_l_e_o]

Brain wallets are never secure. And if you are planning on displaying a QR code of the seed phrase, then the security of your wallet is reduced to only that of your weak human generated password. A recipe for disaster.

Further, if you want to have a QR code on display, then you should use the QR code of the address. This lets people scan it to see that it is a bitcoin address without risking the funds. You should instead create a seed phrase or key pair securely and give the written down seed phrase or private key to your mother to store securely. Then print the QR code of the address on to an object as you desire.

[DaveF]

1) As pointed out this is a bit of an odd way of doing things. If something goes wrong trying to undo it is going to be very difficult. Why generate more work?

2) Also as pointed out any collectable with a self generated key is also fine.
2a) A couple of small collectables each with part of a Shamir’s Secret Sharing would also work and you / trusted others could also keep parts of it.

3) Make sure someone other then you knows how to get to the funds. It's the bus tomorrow morning you could get hit by a bus. If someone comes here or to other places for support there MAY be a chance that if you use a standard method someone could help you mom get the funds out. With your way they are lost forever.

-Dave

[acuriousmind]

Thanks for all your replies,

displaying a QR code of the seed phrase, then the security of your wallet is reduced to only that of your weak human-generated password

So you think the warp wallet algorithm with argon2 and pbkdf2 does not strengthen it enough?
We are talking about wallets of 20-50 USD. I would have thought that even with the QR code stolen, brute forcing would cost too much.

BIP38 encryption

Yes this sounds a great idea, I should use BIP38 instead of my proposed algorithm, then?

"physical" Bitcoin

I want to offer this also to my friends, a different present for each of them.
I already offered a funkopop with a QR code to a friend and he was very happy to have crypto money.
Think of a painting for someone, a key chain for another etc. All of them with a QR code.

how are you going to remember the random seed

qr code / bip39

The random seed is the QR code.
I felt the QR code is more friendly to print on something and more friendly when you scan it.

Make sure someone other than you knows how to get to the funds

Yes, I want to open-source the algorithm.
I was also thinking of a website, you load it, get offline and then you can scan the QR code and enter your password, to get your private key.

The idea is not to create a multipurpose wallet, this is more like "my first crypto", so people can enter the crypto world, lose their fear about it and then maybe one day will get serious with other wallets.

[o_e_l_e_o]

So you think the warp wallet algorithm with argon2 and pbkdf2 does not strengthen it enough?

I care far less about the algorithm you use and far more about the fact that it only requires a human made weak password in order to compromise your wallet.

We are talking about wallets of 20-50 USD. I would have thought that even with the QR code stolen, brute forcing would cost too much.

50 USD today. Who knows how much it will be worth in 10, 20, 50 years?

I want to offer this also to my friends, a different present for each of them.

I do not like gifting bitcoin in this way for two reasons. First of all, the recipient needs to trust you completely, both your competence in setting up the wallet in the first place and your honesty to not keep a copy and swipe it later. Secondly, it teaches them to trust third parties instead of holding their own keys, which as we all know is a terrible idea. Much better for them to set up their own wallet, give you an address from their wallet, and then you can use that address to generate a QR code for their gift.

[pooya87]

This doesn't sound like a brain wallet at all since your passphrase is actually a randomly generated 128+ bits of entropy and you are just adding a tiny bit of entropy on top of that with your salt. That means regardless of what your salt is (even if it is "123") the result should be secure. You still have to write down the mnemonic used as passphrase which means it is not a brain-wallet!

As for argon2 and pbkdf2, the only reason why "WarpWallet" uses scrypt is because they know brainwallets are weak and people will use weak passphrases so they tried to increase the cost of brute forcing when the "entropy" is weak. In your case as I said your entropy is big and strong enough that doesn't need that extra cost.
Which also means you are reinventing the wheel! The BIP39 algorithm already has this option for you commonly known as "extra words" and sometimes referred to as "passphrase". It is the 13th word you add to your 12 word seed phrase (or the 25th to 24 words and so on) and does exactly what you want with a standardized algorithm that majority of bitcoin wallets support.

[o_e_l_e_o]

This doesn't sound like a brain wallet at all since your passphrase is actually a randomly generated 128+ bits of entropy and you are just adding a tiny bit of entropy on top of that with your salt. That means regardless of what your salt is (even if it is "123") the result should be secure.

Ordinarily yes, but OP has said he wants to print out the seed phrase he is using as a QR code so he can then put it on an object for his mother to display in her house. Going through this process probably exposes the seed phrase to the internet, but more importantly, anyone who visits his mom can scan the QR code and access the seed phrase in 2 seconds. That could be anything from families and friends to babysitters to trades people and so on. Hell, it could be someone looking through the window. I would consider that seed phrase to be highly insecure, and therefore the security of his whole set up hinges on his weak human generated password.

[pooya87]

Ordinarily yes, but OP has said he wants to print out the seed phrase he is using as a QR code so he can then put it on an object for his mother to display in her house. Going through this process probably exposes the seed phrase to the internet, but more importantly, anyone who visits his mom can scan the QR code and access the seed phrase in 2 seconds. That could be anything from families and friends to babysitters to trades people and so on. Hell, it could be someone looking through the window. I would consider that seed phrase to be highly insecure, and therefore the security of his whole set up hinges on his weak human generated password.

Yeah, but that's a storage issue not the creation process issue. The QR code could be placed behind some sort of seal that has to be broken to reveal the key itself like printed at the bottom under a seal while the front has the QR for the address. Or simply store the seed separately from the object that is used as decoration.

[o_e_l_e_o]

Yeah, but that's a storage issue not the creation process issue.

I don't think you can view the two things in isolation though. I could spend hours with airgapped systems and flipping coins and create the most secure cold storage in existence, but if I then store my seed phrase in my emails then the entire process is pointless.

If OP realizes that publicly displaying a QR code of his seed phrase is a massive security risk and instead opts to keep it secure, then sure, his system is fine. But if he does that, then he doesn't need the brain wallet part at all, and just keeping the seed phrase secure is enough. And if he does still want a human generated password as well, then I agree using a standard approach of a passphrase is better than a self created method.

[Pmalek]

I see no reason to reinvent the wheel here and create your own methods when the widely used systems in place work just fine. It would be recommended to attempt something else if bitcoin's security was flawed. 12/24-word seed have been secure for years. Strong passphrases are a security booster. Brain wallets and their derivatives aren't secure enough. 

[acuriousmind]

Hello,

I don't want to reinvent the wheel => this is why I tried to start from something existing I knew (the warp wallet) and why I post on this forum, so I can learn about stuff like the extra word in BIP 39 
So, thanks a lot for your feedback.

Pooya perfectly summarized it, right now my algorithm creates 256 bits of entropy and the password only add a bit more.
Actually, this is BIP39 + passphrase but with argon2 instead of pbkdf2 and a QR code instead of a wordlist.

I asked my girlfriend to create a 8+ letters passphrase, let's say I use BIP39, send 100 USD and post here the mnemonic, as if the qr code would have been compromised.
Do you think the cost to brute force would be low enough so people will try?
Do you think it would make a big difference if I use argon2 instead of pbkdf2? (I understand this would break compatibility)

thanks

[ABCbits]

I asked my girlfriend to create a 8+ letters passphrase, let's say I use BIP39, send 100 USD and post here the mnemonic, as if the qr code would have been compromised.
Do you think the cost to brute force would be low enough so people will try?

People can't even brute-force when they don't know all detail of your custom setup. And 100 USD isn't worth it when all you know the password has 8 character due to high possible combination (95^8 or about 6.63E15). Take note 95 refer to 26 lower case, 26 upper case, 10 number and 33 ASCII special character.

Do you think it would make a big difference if I use argon2 instead of pbkdf2? (I understand this would break compatibility)

In general, it'd be more resistant against brute-force. But without knowing additional (such as which argon2 version you use or total iteration) and some benchmark, no one can say for sure.

[o_e_l_e_o]

I don't want to reinvent the wheel => this is why I tried to start from something existing I knew (the warp wallet) and why I post on this forum, so I can learn about stuff like the extra word in BIP 39 

If you don't want to reinvent the wheel, then I would stick to using a standardized method such as BIP39 passphrases. Using a custom algorithm or set up will make brute forcing harder, but it will also vastly increase the chance of you not being able to recover your coins in the future. Or if your mom or girlfriend are trying to recover the coins in your absence, then it will be almost impossible for them if you have done something completely non-standard.

Do you think the cost to brute force would be low enough so people will try?

To put the number ETFbitcoin has given in context, if someone could brute force 10 million possibilities per second, you are still looking at 21 years of non-stop computing to exhaust the search space of 8 random ASCII characters. Using btcrecover as a benchmark, then most home hardware would struggle to try over 10,000 possibilities per second given the 2048 rounds of hashing required. Someone would need to rent a lot of computing to crack this in a reasonable amount of time, which obviously no one is going to do for $100.

[acuriousmind]

Thanks, so I will do the following then, as BIP39 describes:

• Generate the initial entropy
• Create the seed using the mnemonic + a passphrase

With those additional steps:

• Store the mnemonic in a QR Code
• Print it and paste it on the gift

[o_e_l_e_o]

Print it and paste it on the gift

If the gift is one which will be kept private, then sure, go ahead. But if, as you say above, you want it to be a gift she displays and shows to people to "show off" that she has bitcoin, then I do not see the point in putting a QR code of the seed phrase on it. Any visitors who scan the QR code and don't know the passphrase will just see an empty wallet. Surely it makes more sense to put on a QR code of the address which holds the bitcoin? That way visitors can see the address and see that she owns bitcoin, while at the same time you aren't losing the majority of security by giving out the seed phrase to anyone and everyone.

I would also give her separate written copies of the seed phrase and the passphrase in order to protect against loss or forgetfulness.

[Saint-loup]

Thanks, so I will do the following then, as BIP39 describes:

• Generate the initial entropy
• Create the seed using the mnemonic + a passphrase

With those additional steps:

• Store the mnemonic in a QR Code
• Print it and paste it on the gift

I don't see much difference with your initial project to be honest, except that you will just use the classic BIP39 algorithm instead of your own way to encrypt your mnemonic seed. But if your goal is to challenge people scanning your QR-code seed, it won't be very funny anymore, especially if one day a weakness is found in the PBKDF2 function. So if I were you I would use the classic BIP39 algorithm to generate a wallet where I would leave few satoshis as a joke and I would use your home cooked one to generate the wallet with the $50 inside.  

If you are just doing that in order to use an easy way for her to get the funds when she needs them, just using BIP39 would be less complicated for her I agree, but it would be even simpler to use BIP38 instead in this case, because she would get only one single address and key at the end and she would not be bothered by the derivation path.

[Welsh]

To expand on this for any future readers, there's been attempts in the past, success one's that have tried to demonstrate the security of a brain wallet, with a large randomly generated password, and they were never cracked. However, the problem with brain wallets is how you generate them, a lot of users will probably go to a website to generate it, and that introduces a number of attack vectors, which you wouldn't have if you generated your seed via a offline computer. You've first got to trust the website, then you've got to make sure there's no man in the middle attacks going on, and ultimately you have to either download the code or run it via the internet through your web browser.

Also, it's worth mentioning just because something is open source, it doesn't mean it's secure or isn't malicious.

[digaran]

To expand on this for any future readers, there's been attempts in the past, success one's that have tried to demonstrate the security of a brain wallet, with a large randomly generated password, and they were never cracked. However, the problem with brain wallets is how you generate them, a lot of users will probably go to a website to generate it, and that introduces a number of attack vectors, which you wouldn't have if you generated your seed via a offline computer. You've first got to trust the website, then you've got to make sure there's no man in the middle attacks going on, and ultimately you have to either download the code or run it via the internet through your web browser.

Also, it's worth mentioning just because something is open source, it doesn't mean it's secure or isn't malicious.

How would you explain some brainwallet passwords complicated enough like a bitcoin address or a long hex string which have been cracked already and people did use them with amounts as big as hundreds of bitcoins?

Brain wallet concept is a high risk method in general.
For security and privacy sake, it's better to generate several addresses with separate private keys, that way you could sever the links between wallets.

[Welsh]

I definitely don't agree with brain wallets, I just thought it was worth mentioning. The thing about brain wallets they encourage less secure standards, than traditional wallet software, and generally as humans we want to make it as easy as possible. I don't many people do use brain wallets, at least I'd hope not. However, there's been attempts in the past to try, and prove when a brain wallet is generated with high entropy they're just as safe. Now, I'm sure we could debate that until the cows go home, but it has been attempted in the past on the forum, and they didn't lose their coins.

Plus, sometimes it's not about the complexity of the password, since you can have some pretty substantial entropy to generate a brain wallet, it's the way you generate it, i.e doing it online in my opinion is a absolute no go or even doing it on a computer that has been exposed to the internet at some point, is a no go. Unless, you have the upmost confidence in its security.

[Saint-loup]

How would you explain some brainwallet passwords complicated enough like a bitcoin address or a long hex string which have been cracked already and people did use them with amounts as big as hundreds of bitcoins?

Brain wallet concept is a high risk method in general.
For security and privacy sake, it's better to generate several addresses with separate private keys, that way you could sever the links between wallets.

I don't think most people use brain wallets as their main wallet. It's just a convenient way offered by the Bitcoin technology to store, transport or transmit small amounts of funds without needing any physical or digital media. For example if you want to make a small donation to someone, or if you need to buy something from someone you trust, you can just give them the brain seed. You can even do the transaction with someone you don't trust, if he agrees to sweep the wallet in front of you or to not claim anything if something goes wrong.

[o_e_l_e_o]

However, there's been attempts in the past to try, and prove when a brain wallet is generated with high entropy they're just as safe. Now, I'm sure we could debate that until the cows go home, but it has been attempted in the past on the forum, and they didn't lose their coins.

It depends how you are defining a brain wallet. If I use a proper source of entropy such as Electrum pulling on /dev/urandom to generate a seed phrase, and then memorize that seed phrase, then technically that is a brain wallet which is completely secure against brute forcing (although still very fragile and at very high risk of loss, as is anything memorized). If you define brain wallet in the classical sense of I picked a string and then hashed it to generate a private key, then that will almost never be secure since the human brain cannot be random and will not pick a string with sufficient entropy.