Here is how to make a brain wallet 100 times more secure.

[luv2drnkbr]

Even better, create 3 secure brain wallets, and turn them into a 3-of-3 multisig address.  I have some of my cold storage in a a number of different multisigs, created with

createmultisig 2 [main key in online wallet],[nth randomly generated seed HD offline wallet],[deterministic brain wallet + nth squared hash of another brain wallet]

and then I have the list of public keys of the HD offline wallet PGP encrypted and saved, so that if I lose my offline comp, I can still use my main key and brain wallet to unlock everything.  (I need the offline public keys to recreate the redeem script.)

Also, none of my brain wallets are as simple as the first round hash of a phrase.  They are deterministically generated in a manner that I can remember how to recreate, so they are technically "brain wallets", but I consider them secure in their own right.

The nice thing about multisigs is that if you haven't spent from them, then the redeem script isn't published, so nobody even knows which public keys to try to match.  It's a nice extra n^3 layer of hassle for an attacker.

[1715018246]

1715018246

[1715018246]

1715018246

[1715018246]

1715018246

[1715018246]

1715018246

[Pente]

I keep hearing that brain wallets are not viable solutions and that we have to use hardware/software wallets with a bitcoin client to have a secure wallet, because of the lack of entropy in wallets generated by brainwallet passwords. Rubbish! There is a really simple way to fix this problem and make your brain wallet 100 times more secure.

Code:

Private key = SHA256(salt+passphrase)

Just generate a giant random alphanumber (at least 256 bits to provide maximum entropy) and store it somewhere. You can call this your 'entropy key', your 'salt', your 'seed', or whatever. Then use it in addition to a memorized password when generating a brainwallet.  For example could store a salt somewhere "a3fE3f92kOe2p4d0" (it would actualy be much longer than this), memorize a password "correcthorsebatterystaple",  and then your password would be "a3fE3f92kOe2p4d0correcthorsebatterystaple".  So now instead of your private key being SHA256(passphrase), it is SHA256(salt+passphrase), or you could make it something more complicated than that - it's up to you.

This completely solves the entropy problem of a brainwallet by adding the maximum amount of entropy possible to your password right off the bat. It's kind of like two-factor authentication.  It is also solves the physical security issue of a paper wallet where if the wallet is stolen, it is compromised. If an attacker steals your seed, no big deal - they still don't have the password component. An attacker would have to first know that what they were looking at was a brainwallet seed and then they'd have a to run a bruteforce cracking operation just on your brainwallet seed specifically. Of course this is not impossible but it is kind of far fetched and much less easy/likely than the attacks involved in a plain brainwallet, a plain paperwallet, or even hardware/software wallets.

Now some people might complain that this isn't a true brainwallet solution, because there is some information you need to store somewhere outside of your brain. That is true. However, it is the closest you can get and is a much easier solution than running a dedicated hardware or software bitcoin client. Also, to mitigate this issue, you could take measures to make it very easy for yourself to access your seed and make sure that it is always available to you. You can store it in one, many, or all of many places. For example, you could
-Store it on a pc
-Store it on a thumbrive
-Write it down or print it on paper
-Keep it in a bank vault
-Store it hidden away somewhere on some websites you can log into
-Embed it inside the code of an image you post on facebook
-Store it in a file on your web server, possibly behind password protection/htaccess
-Store it in a database
-Email it yourself
-If you are really brave, store it on the blockchain - then you know even in a worst case apocalytic scenario, as long as bitcoin still exists you will have access to your seed.

You can be really lax with security on your seed because as I said earlier, you also need the memorized password to add to it. If you are concerned with security, you can also encrypt your seed using some encryption algorithm and another password that you use to decrypt the seed before using it. You can also use multiple seeds and store them in different places, and then use them all together with your password to generate your wallet.

Secure solution

Code:

Private key = SHA256(seed1+password1+seed2+password2+seed3)

I hope this helps.  Once I got serious about moving into cold storage and was ready to send, it only took me a few hours to think of and perfect this solution. I'm surprised more people aren't doing it.

Already a fan of brainwallets:
https://bitcointalk.org/index.php?topic=342691.msg5733567#msg5733567

especially the:

Code:

Private key = SHA256(salt+passphrase)

[MaxwellsDemon]

There is a really simple way to fix this problem and make your brain wallet 100 times more secure.

The biggest advantage of a brain wallet is that all the information needed to redeem your money is in your brain (arguably, that is the only advantage of a brain wallet).

The biggest disadvantage of a brain wallet is that people tend to forget passphrases (if your passphrase has even slightly reasonable entropy, it is much more likely to be forgotten than brute-forced).

So your method does not enjoy the main advantage of brain wallets, but it does suffer from the main disadvantage. Clever.


You should pick one option: Either make a very strong brain wallet (using some clever key stretching, like warpwallet) and try really hard not to forget it, or make a split paper wallet and store the pieces in several places. That way you at least gain one of the advantages.


Oh and by the way - how is your method any different from storing a BIP38-encrypted private key?

[Dabs]

That warp wallet is something that I've been looking for. It takes several seconds to generate a private key, however, it does not create compressed keys.

That is easily fixed, by feeding the non-compressed key into bitaddress.

[boumalo]

Think you should think about your brain wallet and the password for months before you send any significant value to the address to be sure you thought about it

Am a big fan of having a few lawyers of security, for a brain wallet don't forget not to talk about your brain wallet or password to anyone

Wonder what method the owners of the biggest addresses used (http://bitcoinrichlist.com/); probably a lot of paper wallet, bitcoin-qt on dedicated devices and a few brain wallets

[odolvlobo]

...
Just generate a giant random alphanumber (at least 256 bits to provide maximum entropy) and store it somewhere....

Of course that makes it more secure, but your wallet is no longer a "brain" wallet. If you are going to write down some 256 bit random number, you might as well just write down the private key (encrypted with BIP-38, if you prefer).

The most effective way to make a brain wallet more secure is to use a different hash algorithm. SHA-256 is designed to be fast and is not suitable. Use one specifically designed for hashing passwords, such as bcrypt.

[blumangroup]

...
Just generate a giant random alphanumber (at least 256 bits to provide maximum entropy) and store it somewhere....

Of course that makes it more secure, but your wallet is no longer a "brain" wallet. If you are going to write down some 256 bit random number, you might as well just write down the private key.

The most effective way to make a brain wallet more secure is to use a different hash algorithm. SHA-256 is designed to be fast and is not suitable. Use one specifically designed for hashing passwords, such as bcrypt.

Exactly. The kind of wallet described in the OP would likely be less secure then a brain wallet that is sufficiently unique. An attacker could potentially find the copy of the "key" that you use with your passphraise and either destroy it or hold it hostage pending you giving them money to allow you to access it again. Also it would encourage someone to use a weak passphraise could find the private key with a small number of "guesses"

[snakus44]

Could you use a 8 word pass phrase, "thisisthegreatestpassphraseintheworld", run that thru a sha256 calculator, then use all or a portion of that output + "this is the greatest pass phrase in the world"?  Maybe repeat with "this1is1the1greatest1passphase1in1the1world"

[Razick]

If you are storing the salt, why not just store the private key in the first place?

Also, lest someone get the idea to do this without a salt, sha256 does NOT add any entropy, it only makes the result LOOK more random. If someone found out, or just assumed, that people were using sha256 to hash brain wallet passwords, they could brute force your wallet (they might try to brute force all wallets at the same time) by running each attempt through sha256.

I have a way that is better, but if I told you then everybody would know!

If publishing your method would weaken it, then it is probably not secure to begin with. Security through obscurity is rarely a good idea.

[boumalo]

If you are storing the salt, why not just store the private key in the first place?

Also, lest someone get the idea to do this without a salt, sha256 does NOT add any entropy, it only makes the result LOOK more random. If someone found out, or just assumed, that people were using sha256 to hash brain wallet passwords, they could brute force your wallet (they might try to brute force all wallets at the same time) by running each attempt through sha256.

I have a way that is better, but if I told you then everybody would know!

If publishing your method would weaken it, then it is probably not secure to begin with. Security through obscurity is rarely a good idea.

If you say the method you use you weaken at least a little bit your security

Let's say someone from your entourage is trying to sc.am you if you said online that you had a password on a piece of paper at home + a simple password he can get the simple password from you and steal the piece of paper that you have at home

If you didn't say anything and no one knew you had a brain wallet it is safer but the coins will be lost if you die or lose your mind

[luv2drnkbr]

I have a way that is better, but if I told you then everybody would know!

Then it is not secure.  Security must work even if everybody knows the full algorithm.  That's why strong passwords and good entropy sources are necessary.

If the algorithm itself is not known, then it hasn't had a chance to be publicly vetted and may be extremely insecure, and you just wouldn't know it until one day you get hacked and you can't figure out why.

All good security is open source.

[silversurfer1958]

Isn't This    Sha256(BCrypt(PassPhrase)) an easier solution.

Bcrypt or some slower solution, even better if you let the slow down factor for Bcrypt be your birthdate.

[ruins]

Not buying that, brain wallets are just too damn risky!

can't agree more, but what if do the transaction offline? that could be more safer.

[Reynaldo]

The reason I completely avoid using brainwallets is because we as humans are not as random as we think. If a word or phrase can be read, then it's not completely random. Even if you have the salt + passphrase format, the "correcthorsebatterystaple" element is still not random. Yes it's more secure, but still not totally random.

Picking words from a dictionary by closing your eyes, flicking through 500 pages and sticking your finger on a "random" page , is random enough for all necessary purposes. 

I'd go one step further. Turn the dictionary upside down prior to flipping the pages and poking for words.

Pick 5 words.
Alphabetize them, and remember that order.
Chain them together.
Spell the first, third and fifth (or second and forth) word backwards.
Convert all the o;s and i;s to zeros and ones.
Voilà.

This actually seems like a good idea...Why dont you just hash with sha256 some phrase around 100,000 times ?

[btchris]

A brain wallet, with a given password, will always be significantly less secure than a traditional wallet encrypted with that same password. Hopefully this is self-evident to everyone here.

Given this significant disadvantage, there would have to be some significant advantage a brain wallet could give you that no other wallet can before any reasonable person would prefer a brain wallet. So.... what is this advantage?

[Triffin]

A brain wallet, with a given password, will always be significantly less secure than a traditional wallet encrypted with that same password. Hopefully this is self-evident to everyone here.
Given this significant disadvantage, there would have to be some significant advantage a brain wallet could give you that no other wallet can before any reasonable person would prefer a brain wallet.
So.... what is this advantage?

I use my 'brain' wallets as 'hot' wallets vs keeping coins on exchanges long term ..
Cold storage is just too cumbersome and I don't have enough 'value' in crypto
or the desire to hold any particular coin long term to where cold storage would be practical ..

So, exchanges for coins I'm trading ..
Brain wallets for off exchange holding ..

Advantages ??

No downloading a virus embedded in various wallets ..
Hard drive crashes
stolen wallet.dat files
blue screen of death or other local device failure
Utility and ease of use


Triff ..

[btchris]

So.... what is this advantage?

Advantages ??

No downloading a virus embedded in various wallets ..
Hard drive crashes
stolen wallet.dat files
blue screen of death or other local device failure
Utility and ease of use


Triff ..

Regarding "a virus embedded in various wallets": In order to send a transaction from any wallet (brain or traditional), you need to run software. It's then just a question of where you get the software, and do you trust the software's authors. Because traditional wallets are more popular, they have many more eyes on them, and there is much more peer review. Due to this, I'd argue that popular traditional wallets are safer and less likely to have embedded viruses than less popular software.

Regarding stolen wallet.dat files, and malware in general: Brain wallets offer no additional protection over traditional encrypted wallets.

• If your brain wallet password is weak, your brain wallet is vulnerable to anybody (which I'm sure you already know). If your traditional wallet password is weak, your traditional wallet is vulnerable only to locally installed malware. In other words, having a wallet.dat file on a hard drive is not less secure than using a brain wallet, as long as the password is strong, and given a weak password, a brain wallet is far more vulnerable.
• Both wallet types are equally vulnerable to malware the instant you type your password in order to send bitcoin.

Regarding hardware failures: Backing up an HD wallet is no more difficult than backing up a brain wallet. You simply write it down or print it out (once). Such a backup will protect you against any type of hardware or wetware failure.

Regarding ease of use: this is more a personal opinion -- if you think brain wallets are easier to use, that's your prerogative. However you should weigh this ease-of-use against the inherent security risks of using a brain wallet: is it really that much easier to make it worthwhile?

[LitcoinCollector]

The whole point of a brain wallet is store nothing on any device.

Agree

[btchris]

The whole point of a brain wallet is store nothing on any device.

Agree

If that's the only advantage, it's a pretty small one compared to the inherent decrease in security.

Can you really not afford the storage space of a 100 kilobyte wallet file?

[dashen]

Not buying that, brain wallets are just too damn risky!

no venture, no gain, you know.