Bitcoin Forum
December 12, 2024, 08:54:53 PM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1] 2 »  All
  Print  
Author Topic: Suggestion: A simple way to protect new users from losing their wallet.dat's  (Read 5789 times)
casascius (OP)
Mike Caldwell
VIP
Legendary
*
Offline Offline

Activity: 1386
Merit: 1140


The Casascius 1oz 10BTC Silver Round (w/ Gold B)


View Profile WWW
April 30, 2011, 08:58:11 PM
Last edit: April 30, 2011, 09:11:10 PM by casascius
Merited by krogothmanhattan (1)
 #1

Here is a very simple suggestion I thought of, that would make it virtually impossible for someone to lose their wallet, in a way even Grandma could understand.  By lose, I mean lose access.  But it could also be extended to be an effective wallet encryption method.

Upon first run for a NEW bitcoin user, the client would simply ask for a passphrase, or generate one at random that met the security requirements, and offer to send it to the user's printer so they could stash it in their safe.  Example:

BITCOIN WALLET EMERGENCY BACKUP SHEET

In case your computer crashes, you can recover all your Bitcoins by entering the following passphrase when installing Bitcoin on a new computer:

"Eleven of Clarkson's singles became Top 20 hits on the Billboard Hot 100."

KEEP THIS SHEET IN A SAFE PLACE.  Anyone with this passphrase can take all your coins - including ones you receive in the future - without needing any access to your computer.  This passphrase cannot be changed.  This backup sheet only protects you against losing unspent Bitcoins if your computer crashes, and offers no protection if your coins are spent by you or anyone else.

The SHA256 of the passphrase would be used as a PRNG seed to generate the user's first 1000 or 2000 or more invisible addresses (the same way 100 addresses are pre-generated for future use), and then would be completely discarded.  The logic is very simple and straightforward, runs once at wallet creation and would require no modification to the way bitcoind works internally.

This would also be a safe way to do wallet encryption.  Part of the fear of encrypting a wallet is, what if the encryption code is buggy or something and irreversibly trashes the private keys in the process.  If you know the entire wallet can be re-generated from scratch with nothing more than the passphrase on paper, it would be safe to provide an option that disposes of the private keys completely, the passphrase on paper being the only way to recover them.  The Bitcoin client could be used in receive-only mode (e.g. to verify incoming payments and keep track of total balance of BTC wallet-wide, or to remain able to spend a subset of the wallet whose keys have not been discarded).

With this methodology, the only real drawback is that one cannot change their passphrase without basically sending all their coins to a different wallet.  The simplicity though, both for developers implementing and users understanding it, may make it still worth it.

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper or hardware wallets instead.
SmokeTooMuch
Legendary
*
Offline Offline

Activity: 860
Merit: 1026


View Profile
April 30, 2011, 09:09:58 PM
Last edit: April 30, 2011, 10:56:57 PM by SmokeTooMuch
 #2

Sounds good, but:
The SHA256 of the passphrase would be used as a PRNG seed to generate the user's first 1000 or 2000 or more invisible addresses (the same way 100 addresses are pre-generated for future use), and then would be completely discarded.
Wouldn't that mean that if two people are using the same password they will generate the same addresses ?
(I'm not very educated when it comes to the Bitcoin internals.)

Date Registered: 2009-12-10 | I'm using GPG, pm me for my public key. | Bitcoin on Reddit: https://www.reddit.com/r/btc
casascius (OP)
Mike Caldwell
VIP
Legendary
*
Offline Offline

Activity: 1386
Merit: 1140


The Casascius 1oz 10BTC Silver Round (w/ Gold B)


View Profile WWW
April 30, 2011, 09:13:33 PM
 #3

Wouldn't that mean that if two people are using the same password they will generate the same addresses ?


Yes exactly, they would generate identical wallets and the client would behave the same way as if you copied one wallet to two computers now.  They could spend/steal each other's coins.

At the rate passwords can be brute forced, any password that wasn't super strong and long would be quickly hacked.  

Because a hacker could theoretically start brute forcing your passphrase just by knowing any ONE of your bitcoin addresses, it would be an absolute requirement to use a strong passphrase that's astronomically unlikely to be guessed by anyone else.  Even a sentence off a random page off Wikipedia (what I chose) would be a dictionary vulnerability.  The phrase would have to be so long and contain so much entropy to be safe, that printing it directly to paper (rather than relying on the user to write it down) would pretty much be mandatory to be of any benefit.

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper or hardware wallets instead.
riX
Sr. Member
****
Offline Offline

Activity: 326
Merit: 254



View Profile
April 30, 2011, 09:17:27 PM
 #4

Great idea, but as SmokeTooMuch noted, identical passphrases would generate the same keys, although this could be easily solved by appending some random string to the passphrase.

I've actually printed the private key for my savings address.


Built in import/export of private keys is one of the features I miss the most right now.

Sorry, I can't help you with your lost password.

PGP key: 0x9F31802C79642F25
SmokeTooMuch
Legendary
*
Offline Offline

Activity: 860
Merit: 1026


View Profile
April 30, 2011, 11:00:08 PM
 #5

I guess printing all private keys on paper and find a way to scan them in a way to build a new wallet or importing these keys into an existing wallet would be more secure.

Date Registered: 2009-12-10 | I'm using GPG, pm me for my public key. | Bitcoin on Reddit: https://www.reddit.com/r/btc
casascius (OP)
Mike Caldwell
VIP
Legendary
*
Offline Offline

Activity: 1386
Merit: 1140


The Casascius 1oz 10BTC Silver Round (w/ Gold B)


View Profile WWW
April 30, 2011, 11:15:02 PM
 #6

I guess printing all private keys on paper and find a way to scan them in a way to build a new wallet or importing these keys into an existing wallet would be more secure.

Perhaps someone could implement that as an external utility.

I wish Wallet.dat were something more cross-platform and easier to work with, such as XML.  A Wallet-to-XML and XML-to-Wallet utility would be mighty useful in and of itself.

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper or hardware wallets instead.
TiagoTiago
Hero Member
*****
Offline Offline

Activity: 616
Merit: 500


Firstbits.com/1fg4i :)


View Profile
May 01, 2011, 09:51:29 AM
 #7

Would QR codes of the PrivKeys be too big to be practical?

(I dont always get new reply notifications, pls send a pm when you think it has happened)

Wanna gimme some BTC/BCH for any or no reason? 1FmvtS66LFh6ycrXDwKRQTexGJw4UWiqDX Smiley

The more you believe in Bitcoin, and the more you show you do to other people, the faster the real value will soar!

Do you like mmmBananas?!
TiagoTiago
Hero Member
*****
Offline Offline

Activity: 616
Merit: 500


Firstbits.com/1fg4i :)


View Profile
May 01, 2011, 09:53:08 AM
 #8

How many bits would you need to have a secure password for regenerating the first few thousands addresses? Would that fit in a QR code?

(I dont always get new reply notifications, pls send a pm when you think it has happened)

Wanna gimme some BTC/BCH for any or no reason? 1FmvtS66LFh6ycrXDwKRQTexGJw4UWiqDX Smiley

The more you believe in Bitcoin, and the more you show you do to other people, the faster the real value will soar!

Do you like mmmBananas?!
anisoptera
Member
**
Offline Offline

Activity: 308
Merit: 10



View Profile
May 01, 2011, 09:17:22 PM
 #9

Wouldn't that mean that if two people are using the same password they will generate the same addresses ?


Yes exactly, they would generate identical wallets and the client would behave the same way as if you copied one wallet to two computers now.  They could spend/steal each other's coins.

At the rate passwords can be brute forced, any password that wasn't super strong and long would be quickly hacked.  

Because a hacker could theoretically start brute forcing your passphrase just by knowing any ONE of your bitcoin addresses, it would be an absolute requirement to use a strong passphrase that's astronomically unlikely to be guessed by anyone else.  Even a sentence off a random page off Wikipedia (what I chose) would be a dictionary vulnerability.  The phrase would have to be so long and contain so much entropy to be safe, that printing it directly to paper (rather than relying on the user to write it down) would pretty much be mandatory to be of any benefit.

What if it automatically did this? What if it literally went to Wikipedia, or made a google search and went to a random page, picked a sentence off of that page, and presented it to the user as their passphrase?

They'd need to be able to reject a given phrase and get a new one an arbitrary number of times, and there'd have to be a manual override as well, but if we could automatically present the user with a reasonable passphrase it would go a long way. Then we can disallow anything with less than X bits of entropy (and apply this requirement also to our auto-generated passphrases)

casascius (OP)
Mike Caldwell
VIP
Legendary
*
Offline Offline

Activity: 1386
Merit: 1140


The Casascius 1oz 10BTC Silver Round (w/ Gold B)


View Profile WWW
May 01, 2011, 10:24:42 PM
 #10

What if it automatically did this? What if it literally went to Wikipedia, or made a google search and went to a random page, picked a sentence off of that page, and presented it to the user as their passphrase?

They'd need to be able to reject a given phrase and get a new one an arbitrary number of times, and there'd have to be a manual override as well, but if we could automatically present the user with a reasonable passphrase it would go a long way. Then we can disallow anything with less than X bits of entropy (and apply this requirement also to our auto-generated passphrases)

I think the idea was fine for my example, but not for real world usage.  In the real world, the passphrase would have to be nonsensical, maybe ten to fifteen randomly chosen words from the dictionary, if not sequences of gibberish letters.

If it was known that all wallets were based upon a sentence from Wikipedia, as ridiculous as it sounds, someone could (and would) write a program that generates a wallet from every sentence in Wikipedia and then look for the resulting addresses in the block chain.

The idea of using a QR code is viable, in that it indeed holds enough bits for this purpose.  I am not sure how one would scan the QR code and get the resulting passphrase into the Bitcoin client and how that would be any easier than typing the passphrase when needed, but I suppose a recovery page that included the same thing both in plain text and QR couldn't do any harm (other than, at worst, to make this feature idea more complicated and less likely to get a developer to bite on).

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper or hardware wallets instead.
TiagoTiago
Hero Member
*****
Offline Offline

Activity: 616
Merit: 500


Firstbits.com/1fg4i :)


View Profile
May 02, 2011, 01:38:50 AM
 #11

either read it with a mobile or scan the printed page and run the image thru a reader program; the Bitcoin client itself could do that to make sure the scanned image don't even get saved as a file on the computer

(I dont always get new reply notifications, pls send a pm when you think it has happened)

Wanna gimme some BTC/BCH for any or no reason? 1FmvtS66LFh6ycrXDwKRQTexGJw4UWiqDX Smiley

The more you believe in Bitcoin, and the more you show you do to other people, the faster the real value will soar!

Do you like mmmBananas?!
anisoptera
Member
**
Offline Offline

Activity: 308
Merit: 10



View Profile
May 02, 2011, 07:24:21 PM
 #12

If it was known that all wallets were based upon a sentence from Wikipedia, as ridiculous as it sounds, someone could (and would) write a program that generates a wallet from every sentence in Wikipedia and then look for the resulting addresses in the block chain.

This seems infeasible. Wikipedia is edited all the time. Articles are deleted, changed. You would have to hash every single sequence of words ever posted to Wikipedia; maybe we randomly drop a word.

I was not suggesting that it be the sole source, as well; could also do a google search and pick a sentence off that page. Or pick two sentences on Wikipedia. Or train a Markov chain generator and use that. Having a sentence that at least makes some grammatical sense to the user makes it easier for them to remember. A sequence of 10 random words will not be remembered, but something that the user can at least read will help.

In any case the implementation details are unimportant, but we need to provide the user a sensible default.

casascius (OP)
Mike Caldwell
VIP
Legendary
*
Offline Offline

Activity: 1386
Merit: 1140


The Casascius 1oz 10BTC Silver Round (w/ Gold B)


View Profile WWW
May 02, 2011, 08:37:26 PM
 #13

This seems infeasible. Wikipedia is edited all the time. Articles are deleted, changed. You would have to hash every single sequence of words ever posted to Wikipedia; maybe we randomly drop a word.

...

In any case the implementation details are unimportant, but we need to provide the user a sensible default.

Wikipedia allows its entire database, including edit history, to be downloaded as compressed tarballs available to the public.  Hashing every single sequence of words ever posted to Wikipedia isn't that outrageous when you consider the number of words will be what, billions? trillions? and yet network wide, we are already computing into the trillions of hashes every second just for mining.  Dropping a word out of every sentence would maybe increase the difficulty by a factor of ten, but far away from an ideal bit count of entropy.  It would take it from maybe 48-bit security to 51-bit security.  If stealing the entire Bitcoin network's Bitcoins would be the reward for pulling off such a thing, it will surely get done.

To me, a sensible default would be to allow the user to pick their own passphrase, and then provide built-in controls to detect poor ones.

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper or hardware wallets instead.
LZ
Legendary
*
Offline Offline

Activity: 1722
Merit: 1072


P2P Cryptocurrency


View Profile
May 03, 2011, 11:20:05 AM
 #14

Yes exactly, they would generate identical wallets and the client would behave the same way as if you copied one wallet to two computers now.  They could spend/steal each other's coins.
It seems that you do not understand how Bitcoin works. The wallet encryption may be useful in 0.4 but no more. Undecided

Your idea is possible as the third party service. But I really do not want something like that in the standard Bitcoin.

My OpenPGP fingerprint: 5099EB8C0F2E68C63B4ECBB9A9D0993E04143362
Matt Corallo
Hero Member
*****
expert
Offline Offline

Activity: 755
Merit: 515


View Profile
May 03, 2011, 04:55:48 PM
 #15

Yes exactly, they would generate identical wallets and the client would behave the same way as if you copied one wallet to two computers now.  They could spend/steal each other's coins.
It seems that you do not understand how Bitcoin works. The wallet encryption may be useful in 0.4 but no more. Undecided

Your idea is possible as the third party service. But I really do not want something like that in the standard Bitcoin.
Under the OP's suggestion, what casascius said is completely true.  Maybe I'm misunderstanding what you mean, but as long as the passphrase/pass sentence is secure, wallet encryption is still useful/required as generating of addresses will be unpredictable. 

As long as we don't let users generate their own passphrases (users are terrible at them), it is perfectly secure (assuming we generate passphrases/words well).

Bitcoin Core, rust-lightning, http://bitcoinfibre.org etc.
PGP ID: 07DF 3E57 A548 CCFB 7530  7091 89BB B866 3E2E65CE
ffe
Sr. Member
****
Offline Offline

Activity: 308
Merit: 250



View Profile
May 03, 2011, 05:30:00 PM
 #16

How about using the seeding method PGP used. Have the user bang on the keyboard randomly while giving him feedback on the entropy until both he and the program are satisfied. If he likes the idea of regenerating his wallet, he can print out the random sequence. If not, he can just bypass that step and the client is just the regular client with a very strong seed.

In all the years PGP has been used I don't think there was ever a danger that two PGP clients ended up with the same seed. I think the same would be true of the wallet in bitcoin.

Matt Corallo
Hero Member
*****
expert
Offline Offline

Activity: 755
Merit: 515


View Profile
May 03, 2011, 06:17:12 PM
 #17

How about using the seeding method PGP used. Have the user bang on the keyboard randomly while giving him feedback on the entropy until both he and the program are satisfied. If he likes the idea of regenerating his wallet, he can print out the random sequence. If not, he can just bypass that step and the client is just the regular client with a very strong seed.

In all the years PGP has been used I don't think there was ever a danger that two PGP clients ended up with the same seed. I think the same would be true of the wallet in bitcoin.
Yep, some variation on random input with a minimum length is what would be needed.  Whether its then printed as text or pass sentences (or random words) doesn't really matter as long as its random and of a good enough length.

Bitcoin Core, rust-lightning, http://bitcoinfibre.org etc.
PGP ID: 07DF 3E57 A548 CCFB 7530  7091 89BB B866 3E2E65CE
casascius (OP)
Mike Caldwell
VIP
Legendary
*
Offline Offline

Activity: 1386
Merit: 1140


The Casascius 1oz 10BTC Silver Round (w/ Gold B)


View Profile WWW
May 03, 2011, 09:38:43 PM
 #18

Yes exactly, they would generate identical wallets and the client would behave the same way as if you copied one wallet to two computers now.  They could spend/steal each other's coins.
It seems that you do not understand how Bitcoin works. The wallet encryption may be useful in 0.4 but no more. Undecided

Your idea is possible as the third party service. But I really do not want something like that in the standard Bitcoin.

With all due respect, I don't think you understand the original suggestion clearly, because even though I do believe I understand how Bitcoin works, the suggestion would still hold water even if I didn't, because of the following known principles:

  • Bitcoin addresses in wallets are generated in a deterministic process based on random numbers
  • Pseudo random number generation by definition is repeatable with the same algorithm and seed
  • Therefore, generating two wallets using identical pseudo-random numbers as input, because they were generated by the same algorithm and seed, will result in a wallet with the same keys.

Where is it that you suppose I have gone wrong?

The idea, stated in another way, is to generate addresses in a predictable fashion, but only predictable to someone with the appropriate passphrase (whose hash yields the seed that will be used in the PRNG).

BTW, the "bang on the keyboard" idea is solid and sound in my opinion... assuming of course this refers to generating a truly random passphrase.

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper or hardware wallets instead.
sebastian
Full Member
***
Offline Offline

Activity: 129
Merit: 119


View Profile
May 03, 2011, 10:52:17 PM
 #19

I think this would be a good idea. Not only for backup, but allow user to "create" a password (enter a password) and that password is used to create ONE bitcoin adress.

The good thing for this is situations where theres no local storage, for example live-CD systems and such. It would be bery good to be able to embed a bitcoin client in a such system, and the user just enter their password and everything is generated and fetched based on the password.
casascius (OP)
Mike Caldwell
VIP
Legendary
*
Offline Offline

Activity: 1386
Merit: 1140


The Casascius 1oz 10BTC Silver Round (w/ Gold B)


View Profile WWW
May 03, 2011, 11:26:04 PM
 #20

...and that password is used to create ONE bitcoin adress.


Why only one?

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper or hardware wallets instead.
Pages: [1] 2 »  All
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!