velhoti (OP)
Full Member
 
Offline
Activity: 162
Merit: 110
In the land of fiat, the one-bitcoined man is king
I have searched and was not able to find any method to generate a master key from a password, just like the abundantly available brain wallet software generates a private key from a password.
I believe that a brain master key is as (in)secure as brain wallets, and it is simple to implement, no technical issue.
Am I missing something, why are there no brain master private key generators?
nc50lc
Legendary
Offline
Activity: 3010
Merit: 8172
Self-proclaimed Genius
> I believe that a brain master key is as (in)secure as brain wallets, and it is simple to implement, no technical issue.
It can be very simple, for example: one could use SHA512 instead of SHA256 to get the desired size for a master private key. Then the 512-bit result can be encoded into an xprv key. But it's as you said, it's as insecure as a Brainwallet.

> Am I missing something, why are there no brain master private key generators?
The reason is the above. Since Brainwallet isn't recommended and actually proven insecure, why would anyone create something that's an HD version of it? Even if someone does, they would label it "not for practical use" or not even share it.
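The construction nc50lc sketches above (hash the passphrase with SHA-512, then turn the 512-bit result into an xprv), as an added Python example that is not code from any post in this thread. It assumes the 64-byte digest is used as a BIP32 seed, i.e. run through HMAC-SHA512 keyed with "Bitcoin seed" and serialised with the mainnet 0x0488ADE4 version bytes; the passphrases and wordlist in the demo are made up. The last function is there to make the thread's objection concrete: with no salt and no key stretching, each guess costs one SHA-512 and one HMAC, so a list of likely phrases is tried as fast as it can be read.

```python
import hashlib
import hmac

# Added example, not code from the thread. Assumes the SHA-512 digest is used as
# a BIP32 seed (HMAC-SHA512 keyed "Bitcoin seed") and serialised as mainnet xprv.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
XPRV_VERSION = bytes.fromhex("0488ADE4")  # BIP32 mainnet private version bytes
B58_ALPHABET = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58check_encode(payload: bytes) -> str:
    """Base58Check: payload || first 4 bytes of SHA256(SHA256(payload))."""
    checksum = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    data = payload + checksum
    n = int.from_bytes(data, "big")
    digits = bytearray()
    while n:
        n, rem = divmod(n, 58)
        digits.append(B58_ALPHABET[rem])
    pad = len(data) - len(data.lstrip(b"\x00"))  # each leading 0x00 -> '1'
    return (B58_ALPHABET[:1] * pad + bytes(reversed(digits))).decode()


def b58check_decode(text: str) -> bytes:
    """Inverse of b58check_encode; raises ValueError if the checksum is wrong."""
    n = 0
    for ch in text.encode():
        n = n * 58 + B58_ALPHABET.index(ch)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    pad = len(text) - len(text.lstrip("1"))
    data = b"\x00" * pad + raw
    payload, checksum = data[:-4], data[-4:]
    if hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] != checksum:
        raise ValueError("bad Base58Check checksum")
    return payload


def master_key_from_seed(seed: bytes):
    """BIP32 master node from a seed: returns (private key, chain code)."""
    i = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    il, ir = i[:32], i[32:]
    k = int.from_bytes(il, "big")
    if k == 0 or k >= SECP256K1_N:  # BIP32: such a seed is invalid, pick another
        raise ValueError("seed yields an invalid master key")
    return il, ir


def xprv_from_seed(seed: bytes) -> str:
    """Serialise the master node as a depth-0 extended private key."""
    il, ir = master_key_from_seed(seed)
    payload = (XPRV_VERSION
               + b"\x00"          # depth
               + b"\x00" * 4      # parent fingerprint (none at the root)
               + b"\x00" * 4      # child index
               + ir               # chain code
               + b"\x00" + il)    # 0x00-prefixed private key
    return b58check_encode(payload)


def brain_xprv(passphrase: str) -> str:
    """The 'brain master key': one unsalted SHA-512 of the passphrase is the seed."""
    seed = hashlib.sha512(passphrase.encode("utf-8")).digest()
    return xprv_from_seed(seed)


def crack_brain_xprv(target_xprv: str, candidates):
    """Dictionary attack against the construction above. No salt and no key
    stretching means one SHA-512 plus one HMAC per guess; returns
    (passphrase or None, guesses tried)."""
    tried = 0
    for guess in candidates:
        tried += 1
        if brain_xprv(guess) == target_xprv:
            return guess, tried
    return None, tried


if __name__ == "__main__":
    # Constructed demo values, not real wallets.
    victim = brain_xprv("correct horse battery staple")
    wordlist = ["password", "letmein", "satoshi", "correct horse battery staple"]
    print(victim)
    print(crack_brain_xprv(victim, wordlist))  # ('correct horse battery staple', 4)
```

Feeding the BIP32 test vector 1 seed (000102...0f) to `xprv_from_seed` reproduces the master xprv published in BIP32, which is the quickest check that the serialisation is right; a brain passphrase goes through exactly the same path, the only difference being that the seed was chosen by a human rather than an RNG.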
pooya87
Legendary
Offline
Activity: 4046
Merit: 12110
December 21, 2025, 04:00:33 AM
Maybe because real developers always try to expand ideas that are good and useful. For example we had BIP-32, which was a solid proposal and a safe key derivation method, so they expanded it by introducing BIP-39, which improved it. Because of its popularity, the improvements continued: we have BIP-43, BIP-44, BIP-47, BIP-48, BIP-49, BIP-84, BIP-85, BIP-86, even SLIP-32. They usually don't try to build on top of bad/broken ideas, in this case "brainwallets". This is why all these years we've only seen people change the hash function in brainwallets (e.g. increasing rounds, replacing SHA256 with scrypt) in a failed attempt to fix a broken idea that never gained any popularity either.
velhoti (OP)
Full Member
 
Offline
Activity: 162
Merit: 110
In the land of fiat, the one-bitcoined man is king
December 21, 2025, 04:54:47 AM
> Since Brainwallet isn't recommended and actually proven insecure, why would anyone create something that's an HD version of it?
I guess brain wallets were designed as cold wallets, and it adds an extra layer of security if it never signs something, although still insecure. Brain HD wallets may preserve privacy even when they sign txs. Seems less bad.
ABCbits
Legendary
Offline
Activity: 3472
Merit: 9510
December 21, 2025, 07:28:31 AM. Merited by vapourminer (1)
> > Am I missing something, why are there no brain master private key generators?
> The reason is the above. Since Brainwallet isn't recommended and actually proven insecure, why would anyone create something that's an HD version of it? Even if someone does, they would label it "not for practical use" or not even share it.
FWIW, warpwallet[1] attempts to reduce the security issue by using a "salt" and scrypt (which replaces SHA-256) with about half a million rounds.

[1] https://github.com/keybase/warpwallet
CryptoVoyager24
Newbie
Offline
Activity: 7
Merit: 0
December 21, 2025, 08:19:42 AM
I agree with @nc50lc. Building dedicated tools for this encourages dangerous habits. However, users who insist on a 'brain key' setup effectively already have it with the BIP39 Passphrase feature (the 13th word). If you take a standard seed and add a very complex memorized passphrase, you get the benefits of a brainwallet (useless without the password) combined with the cryptographic strength of the random seed. This is the only 'brain' approach that doesn't sacrifice security.
LoyceV
Legendary
Offline
Activity: 3906
Merit: 20754
Thick-Skinned Gang Leader and Golden Feather 2021
> why are there no brain master private key generators?
I created my own system as an experiment years ago. I can create unlimited private keys from this. See "I REGAINED access to Bitcoins in my made-up brainwallet!" Note: I don't dare use it for any serious amount.
¡uʍop ǝpᴉsdn pɐǝɥ ɹnoʎ ɥʇᴉʍ ʎuunɟ ʞool no⅄
nc50lc
Legendary
Offline
Activity: 3010
Merit: 8172
Self-proclaimed Genius
> I guess brain wallets were designed as cold wallets, and it adds an extra layer of security if it never signs something, although still insecure.
> Brain HD wallets may preserve privacy even when they sign txs. Seems less bad.
Ah, since you mentioned "signs something", it's about the future and QC resistance then? It may be true if it's not used to spend, but the actual underlying issue is the weakness of "human entropy". It has been proven that even a long brainwallet is susceptible to brute-force attacks. On the other hand, some others who made their "creative" security patches ended up with lost funds due to the complexity of its recovery or having no standard to follow. I'm not saying that most of them lost their bitcoins; but since the main problem of not using an RNG isn't solved by using the same concept as Brainwallet, not a single version of it became popular.
velhoti (OP)
Full Member
 
Offline
Activity: 162
Merit: 110
In the land of fiat, the one-bitcoined man is king
December 22, 2025, 03:39:33 AM (last edit: December 22, 2025, 04:27:58 AM by velhoti). Merited by vapourminer (4)
> Ah, since you mentioned "signs something", it's about the future and QC resistance then? It may be true if it's not used to spend, but the actual underlying issue is the weakness of "human entropy".
I didn't really think about QC; I thought about security from classical attacks, and yes, I know the main problem is most people's low entropy. The point is that brainwallets do not preserve privacy because they use a single address in all UTXOs; if you are going to use one, it is better to use a BrainHDWallet. Regarding entropy, I admit that it is a broken idea and the only thing that comes to my mind is body metrics as RNG (fingerprint, iris...), to give entropy to some password. Still "human", not sure if it has high entropy. It seems to be very important in this case to store the generation method safely and redundantly. And since you have to store something, it might be better to store a passphrase instead.
Eze BTC
Newbie
Offline
Activity: 19
Merit: 1
December 24, 2025, 12:50:02 AM (last edit: December 24, 2025, 01:28:38 AM by Eze BTC)
> > Ah, since you mentioned "signs something", it's about the future and QC resistance then? It may be true if it's not used to spend, but the actual underlying issue is the weakness of "human entropy".
> I didn't really think about QC; I thought about security from classical attacks, and yes, I know the main problem is most people's low entropy. The point is that brainwallets do not preserve privacy because they use a single address in all UTXOs; if you are going to use one, it is better to use a BrainHDWallet. Regarding entropy, I admit that it is a broken idea and the only thing that comes to my mind is body metrics as RNG (fingerprint, iris...), to give entropy to some password. Still "human", not sure if it has high entropy. It seems to be very important in this case to store the generation method safely and redundantly. And since you have to store something, it might be better to store a passphrase instead.
A passphrase is better for real. You can easily get it backed up and stored in several locations. This will handle and minimize the risk of failure. Also, when a passphrase has been compromised, it can easily be changed.
nc50lc
Legendary
Offline
Activity: 3010
Merit: 8172
Self-proclaimed Genius
> Also, when a passphrase has been compromised, it can easily be changed.
Please expand this part, I'm very interested to know your thoughts on why you think it's easy to change. IMO, while a BIP39 passphrase is indeed better than using an HD version of Brainwallet, it can't be changed that easily. Because changing the passphrase will entirely change the wallet's binary seed, thus its master private key and the private keys to addresses. So if you want to change it, the whole HD wallet's BTC has to be sent to the new wallet with the new passphrase, same seed phrase or not. I think it's not an easy task with security and privacy in consideration.
Eze BTC
Newbie
Offline
Activity: 19
Merit: 1
December 24, 2025, 08:51:47 AM
> > Also, when a passphrase has been compromised, it can easily be changed.
> Please expand this part, I'm very interested to know your thoughts on why you think it's easy to change. IMO, while a BIP39 passphrase is indeed better than using an HD version of Brainwallet, it can't be changed that easily. Because changing the passphrase will entirely change the wallet's binary seed, thus its master private key and the private keys to addresses. So if you want to change it, the whole HD wallet's BTC has to be sent to the new wallet with the new passphrase, same seed phrase or not. I think it's not an easy task with security and privacy in consideration.
You're not far from the truth in most of the things said. Howbeit, it's important to know that, just as you agree, a BIP39 passphrase is better than using an HD version of Brainwallet; being easier to change shouldn't be the sole reason one would prefer the latter. Now, to respond to you: that I said it's easy doesn't mean it is easier. My point is, changing a passphrase is not difficult, not really compared against the HD version, but it's something you can do without much difficulty. If we can all agree that it's better, why should the mere fact that the other is easier to change make us prefer it? It must not be easier to change compared to the other; in fact, not being easier shows how much better it is regarding security. The point is, it is possible to change without one crying his way out. You get me now? On the second issue, you seem to point out that one will be trapped in one passphrase. I disagree with that. Lots of wallets give you the privilege to get many passphrases saved to microSD or keep them associated with other PINs. This suggests you can migrate funds progressively and run both wallets in parallel till the movement is completed. I sincerely hope you get my points, bro, especially the issue of being easy and its difference from being easier.
ABCbits
Legendary
Offline
Activity: 3472
Merit: 9510
December 24, 2025, 09:53:38 AM. Merited by vapourminer (1)
> --snip--
> A passphrase is better for real. You can easily get it backed up and stored in several locations. This will handle and minimize the risk of failure. Also, when a passphrase has been compromised, it can easily be changed.
Do you realize the security would be reduced if someone follows your advice? Previously the attacker needed to guess both the BIP39 words and the passphrase, but afterwards the attacker only needs to guess the new passphrase.
Eze BTC
Newbie
Offline
Activity: 19
Merit: 1
December 24, 2025, 10:10:33 AM
> > --snip--
> > A passphrase is better for real. You can easily get it backed up and stored in several locations. This will handle and minimize the risk of failure. Also, when a passphrase has been compromised, it can easily be changed.
> Do you realize the security would be reduced if someone follows your advice? Previously the attacker needed to guess both the BIP39 words and the passphrase, but afterwards the attacker only needs to guess the new passphrase.
I disagree with that, though. There are thousands of possibilities that need to be guessed to arrive at the new phrase. The possibility of the attacker guessing right is very low. Just like when we were kids and tried guessing the numbers of mobile service providers' airtime recharge cards. It may seem easy, but when you make attempts, you'd notice that it's nearly impossible.
ABCbits
Legendary
Offline
Activity: 3472
Merit: 9510
December 24, 2025, 10:19:54 AM. Merited by vapourminer (4)
> > > --snip--
> > > A passphrase is better for real. You can easily get it backed up and stored in several locations. This will handle and minimize the risk of failure. Also, when a passphrase has been compromised, it can easily be changed.
> > Do you realize the security would be reduced if someone follows your advice? Previously the attacker needed to guess both the BIP39 words and the passphrase, but afterwards the attacker only needs to guess the new passphrase.
> I disagree with that, though. There are thousands of possibilities that need to be guessed to arrive at the new phrase. The possibility of the attacker guessing right is very low. Just like when we were kids and tried guessing the numbers of mobile service providers' airtime recharge cards. It may seem easy, but when you make attempts, you'd notice that it's nearly impossible.
Your analogy is a poor one, because a computer can guess/brute-force much faster than a human. BTCRecover has a speed of over 100 thousand per second using a GPU released 6 years ago[1]. BIP39 uses 2048 rounds[2] while the average brainwallet only uses 1 round, but humans usually can't avoid using a guessable passphrase[3].

[1] https://docs.btcrecover.org/en/latest/GPU_Acceleration/#performance-notes
[2] https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki#from-mnemonic-to-seed
[3] https://bitcointalk.org/index.php?topic=4768828.0
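What the BIP39 passphrase actually does, as an added Python example that is not code from any post in this thread. It covers two points made above: nc50lc's that changing the passphrase replaces the binary seed and hence the master private key (so "changing" it means a new wallet and a transfer of the coins), and ABCbits' that an attacker who already has the words pays 2048 PBKDF2-HMAC-SHA512 rounds per passphrase guess. The mnemonic in the demo is BIP39's public English test vector (eleven times "abandon" plus "about"), the candidate passphrases are made up, and the cracking oracle compares seeds directly instead of deriving an address, which would need secp256k1 code not shown here.

```python
import hashlib
import hmac
import unicodedata

# Added example, not code from the thread. Passphrases and wordlists below are
# made up; the mnemonic used in the demo is BIP39's public English test vector.
BIP39_ROUNDS = 2048  # fixed by BIP39, not tunable by the wallet


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed: PBKDF2-HMAC-SHA512(NFKD(mnemonic), "mnemonic" + NFKD(passphrase)),
    2048 rounds, 64-byte output."""
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, BIP39_ROUNDS, dklen=64)


def master_private_key(seed: bytes) -> bytes:
    """BIP32 master private key: left 32 bytes of HMAC-SHA512 keyed 'Bitcoin seed'."""
    return hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()[:32]


def differing_bits(a: bytes, b: bytes) -> int:
    """Hamming distance between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def passphrase_change_effect(mnemonic: str, old: str, new: str) -> dict:
    """Same words, different passphrase: the master key is replaced wholesale.
    About half of its 256 bits differ; nothing is 'rotated' in place."""
    k_old = master_private_key(bip39_seed(mnemonic, old))
    k_new = master_private_key(bip39_seed(mnemonic, new))
    return {"same_master_key": k_old == k_new,
            "differing_bits": differing_bits(k_old, k_new)}


def crack_passphrase(mnemonic: str, target_seed: bytes, candidates):
    """Attacker who already holds the words and guesses only the passphrase.
    Oracle: seed equality (constructed for the demo; a real attacker derives
    an address from each seed and compares it with one seen on-chain, which
    needs secp256k1 code not shown here; the per-guess cost is the same).
    Returns (passphrase or None, guesses tried, PBKDF2 iterations spent)."""
    tried = 0
    for guess in candidates:
        tried += 1
        if bip39_seed(mnemonic, guess) == target_seed:
            return guess, tried, tried * BIP39_ROUNDS
    return None, tried, tried * BIP39_ROUNDS


if __name__ == "__main__":
    words = "abandon " * 11 + "about"  # BIP39 English test vector
    print(bip39_seed(words, "TREZOR").hex())
    print(passphrase_change_effect(words, "old passphrase", "new passphrase"))
    print(crack_passphrase(words, bip39_seed(words, "hunter2"), ["password", "hunter2"]))
```

The 2048 rounds multiply the attacker's cost per guess but do not change the search space: a passphrase that appears in any wordlist is still found, just 2048 times more slowly than the one-round brainwallet hash, and the seed-phrase words that the attacker holds contribute nothing once the passphrase is the only unknown.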
Eze BTC
Newbie
Offline
Activity: 19
Merit: 1
December 24, 2025, 10:36:43 AM
> > > > --snip--
> > > > A passphrase is better for real. You can easily get it backed up and stored in several locations. This will handle and minimize the risk of failure. Also, when a passphrase has been compromised, it can easily be changed.
> > > Do you realize the security would be reduced if someone follows your advice? Previously the attacker needed to guess both the BIP39 words and the passphrase, but afterwards the attacker only needs to guess the new passphrase.
> > I disagree with that, though. There are thousands of possibilities that need to be guessed to arrive at the new phrase. The possibility of the attacker guessing right is very low. Just like when we were kids and tried guessing the numbers of mobile service providers' airtime recharge cards. It may seem easy, but when you make attempts, you'd notice that it's nearly impossible.
> Your analogy is a poor one, because a computer can guess/brute-force much faster than a human. BTCRecover has a speed of over 100 thousand per second using a GPU released 6 years ago[1]. BIP39 uses 2048 rounds[2] while the average brainwallet only uses 1 round, but humans usually can't avoid using a guessable passphrase[3].
> [1] https://docs.btcrecover.org/en/latest/GPU_Acceleration/#performance-notes
> [2] https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki#from-mnemonic-to-seed
> [3] https://bitcointalk.org/index.php?topic=4768828.0
The irony is that your analogy is wrong. Having a strong, long and confidential passphrase makes it difficult to brute-force and arrive at the expected result. Don't get me wrong, nothing is 100% perfect. The main point is that it is not as easy as you think. https://api.cms.eset.com/au/cyber-resilience-why-cyber-risk-audit-makes-you-stronger
ABCbits
Legendary
Offline
Activity: 3472
Merit: 9510
Today at 09:25:46 AM
1. Stop lying. My reply that you quoted doesn't contain any analogy.
2. The link you shared is invalid, with the message "404 Not Found". Why are you trying to share a link to a certain API?
3. Your statement doesn't change the reduced security.

> --snip--
> Do you realize the security would be reduced if someone follows your advice? Previously the attacker needed to guess both the BIP39 words and the passphrase, but afterwards the attacker only needs to guess the new passphrase.