Suggestion: A simple way to protect new users from losing their wallet.dat's

[casascius]

Here is a very simple suggestion I thought of, that would make it virtually impossible for someone to lose their wallet, in a way even Grandma could understand.  By lose, I mean lose access.  But it could also be extended to be an effective wallet encryption method.

Upon first run for a NEW bitcoin user, the client would simply ask for a passphrase, or generate one at random that met the security requirements, and offer to send it to the user's printer so they could stash it in their safe.  Example:

BITCOIN WALLET EMERGENCY BACKUP SHEET

In case your computer crashes, you can recover all your Bitcoins by entering the following passphrase when installing Bitcoin on a new computer:

"Eleven of Clarkson's singles became Top 20 hits on the Billboard Hot 100."

KEEP THIS SHEET IN A SAFE PLACE.  Anyone with this passphrase can take all your coins - including ones you receive in the future - without needing any access to your computer.  This passphrase cannot be changed.  This backup sheet only protects you against losing unspent Bitcoins if your computer crashes, and offers no protection if your coins are spent by you or anyone else.

The SHA256 of the passphrase would be used as a PRNG seed to generate the user's first 1000 or 2000 or more invisible addresses (the same way 100 addresses are pre-generated for future use), and then would be completely discarded.  The logic is very simple and straightforward, runs once at wallet creation and would require no modification to the way bitcoind works internally.

This would also be a safe way to do wallet encryption.  Part of the fear of encrypting a wallet is, what if the encryption code is buggy or something and irreversibly trashes the private keys in the process.  If you know the entire wallet can be re-generated from scratch with nothing more than the passphrase on paper, it would be safe to provide an option that disposes of the private keys completely, the passphrase on paper being the only way to recover them.  The Bitcoin client could be used in receive-only mode (e.g. to verify incoming payments and keep track of total balance of BTC wallet-wide, or to remain able to spend a subset of the wallet whose keys have not been discarded).

With this methodology, the only real drawback is that one cannot change their passphrase without basically sending all their coins to a different wallet.  The simplicity though, both for developers implementing and users understanding it, may make it still worth it.

[1713559777]

1713559777

[1713559777]

1713559777

[SmokeTooMuch]

Sounds good, but:

The SHA256 of the passphrase would be used as a PRNG seed to generate the user's first 1000 or 2000 or more invisible addresses (the same way 100 addresses are pre-generated for future use), and then would be completely discarded.

Wouldn't that mean that if two people are using the same password they will generate the same addresses ?
(I'm not very educated when it comes to the Bitcoin internals.)

[casascius]

Wouldn't that mean that if two people are using the same password they will generate the same addresses ?

Yes exactly, they would generate identical wallets and the client would behave the same way as if you copied one wallet to two computers now.  They could spend/steal each other's coins.

At the rate passwords can be brute forced, any password that wasn't super strong and long would be quickly hacked.  

Because a hacker could theoretically start brute forcing your passphrase just by knowing any ONE of your bitcoin addresses, it would be an absolute requirement to use a strong passphrase that's astronomically unlikely to be guessed by anyone else.  Even a sentence off a random page off Wikipedia (what I chose) would be a dictionary vulnerability.  The phrase would have to be so long and contain so much entropy to be safe, that printing it directly to paper (rather than relying on the user to write it down) would pretty much be mandatory to be of any benefit.

[riX]

Great idea, but as SmokeTooMuch noted, identical passphrases would generate the same keys, although this could be easily solved by appending some random string to the passphrase.

I've actually printed the private key for my savings address.


Built in import/export of private keys is one of the features I miss the most right now.

[SmokeTooMuch]

I guess printing all private keys on paper and find a way to scan them in a way to build a new wallet or importing these keys into an existing wallet would be more secure.

[casascius]

I guess printing all private keys on paper and find a way to scan them in a way to build a new wallet or importing these keys into an existing wallet would be more secure.

Perhaps someone could implement that as an external utility.

I wish Wallet.dat were something more cross-platform and easier to work with, such as XML.  A Wallet-to-XML and XML-to-Wallet utility would be mighty useful in and of itself.

[TiagoTiago]

Would QR codes of the PrivKeys be too big to be practical?

[TiagoTiago]

How many bits would you need to have a secure password for regenerating the first few thousands addresses? Would that fit in a QR code?

[anisoptera]

Wouldn't that mean that if two people are using the same password they will generate the same addresses ?

Yes exactly, they would generate identical wallets and the client would behave the same way as if you copied one wallet to two computers now.  They could spend/steal each other's coins.

At the rate passwords can be brute forced, any password that wasn't super strong and long would be quickly hacked.  

Because a hacker could theoretically start brute forcing your passphrase just by knowing any ONE of your bitcoin addresses, it would be an absolute requirement to use a strong passphrase that's astronomically unlikely to be guessed by anyone else.  Even a sentence off a random page off Wikipedia (what I chose) would be a dictionary vulnerability.  The phrase would have to be so long and contain so much entropy to be safe, that printing it directly to paper (rather than relying on the user to write it down) would pretty much be mandatory to be of any benefit.

What if it automatically did this? What if it literally went to Wikipedia, or made a google search and went to a random page, picked a sentence off of that page, and presented it to the user as their passphrase?

They'd need to be able to reject a given phrase and get a new one an arbitrary number of times, and there'd have to be a manual override as well, but if we could automatically present the user with a reasonable passphrase it would go a long way. Then we can disallow anything with less than X bits of entropy (and apply this requirement also to our auto-generated passphrases)

[casascius]

What if it automatically did this? What if it literally went to Wikipedia, or made a google search and went to a random page, picked a sentence off of that page, and presented it to the user as their passphrase?

They'd need to be able to reject a given phrase and get a new one an arbitrary number of times, and there'd have to be a manual override as well, but if we could automatically present the user with a reasonable passphrase it would go a long way. Then we can disallow anything with less than X bits of entropy (and apply this requirement also to our auto-generated passphrases)

I think the idea was fine for my example, but not for real world usage.  In the real world, the passphrase would have to be nonsensical, maybe ten to fifteen randomly chosen words from the dictionary, if not sequences of gibberish letters.

If it was known that all wallets were based upon a sentence from Wikipedia, as ridiculous as it sounds, someone could (and would) write a program that generates a wallet from every sentence in Wikipedia and then look for the resulting addresses in the block chain.

The idea of using a QR code is viable, in that it indeed holds enough bits for this purpose.  I am not sure how one would scan the QR code and get the resulting passphrase into the Bitcoin client and how that would be any easier than typing the passphrase when needed, but I suppose a recovery page that included the same thing both in plain text and QR couldn't do any harm (other than, at worst, to make this feature idea more complicated and less likely to get a developer to bite on).

[TiagoTiago]

either read it with a mobile or scan the printed page and run the image thru a reader program; the Bitcoin client itself could do that to make sure the scanned image don't even get saved as a file on the computer

[anisoptera]

If it was known that all wallets were based upon a sentence from Wikipedia, as ridiculous as it sounds, someone could (and would) write a program that generates a wallet from every sentence in Wikipedia and then look for the resulting addresses in the block chain.

This seems infeasible. Wikipedia is edited all the time. Articles are deleted, changed. You would have to hash every single sequence of words ever posted to Wikipedia; maybe we randomly drop a word.

I was not suggesting that it be the sole source, as well; could also do a google search and pick a sentence off that page. Or pick two sentences on Wikipedia. Or train a Markov chain generator and use that. Having a sentence that at least makes some grammatical sense to the user makes it easier for them to remember. A sequence of 10 random words will not be remembered, but something that the user can at least read will help.

In any case the implementation details are unimportant, but we need to provide the user a sensible default.

[casascius]

This seems infeasible. Wikipedia is edited all the time. Articles are deleted, changed. You would have to hash every single sequence of words ever posted to Wikipedia; maybe we randomly drop a word.

...

In any case the implementation details are unimportant, but we need to provide the user a sensible default.

Wikipedia allows its entire database, including edit history, to be downloaded as compressed tarballs available to the public.  Hashing every single sequence of words ever posted to Wikipedia isn't that outrageous when you consider the number of words will be what, billions? trillions? and yet network wide, we are already computing into the trillions of hashes every second just for mining.  Dropping a word out of every sentence would maybe increase the difficulty by a factor of ten, but far away from an ideal bit count of entropy.  It would take it from maybe 48-bit security to 51-bit security.  If stealing the entire Bitcoin network's Bitcoins would be the reward for pulling off such a thing, it will surely get done.

To me, a sensible default would be to allow the user to pick their own passphrase, and then provide built-in controls to detect poor ones.

[LZ]

Yes exactly, they would generate identical wallets and the client would behave the same way as if you copied one wallet to two computers now.  They could spend/steal each other's coins.

It seems that you do not understand how Bitcoin works. The wallet encryption may be useful in 0.4 but no more.

Your idea is possible as the third party service. But I really do not want something like that in the standard Bitcoin.

[Matt Corallo]

Yes exactly, they would generate identical wallets and the client would behave the same way as if you copied one wallet to two computers now.  They could spend/steal each other's coins.

It seems that you do not understand how Bitcoin works. The wallet encryption may be useful in 0.4 but no more.

Your idea is possible as the third party service. But I really do not want something like that in the standard Bitcoin.

Under the OP's suggestion, what casascius said is completely true.  Maybe I'm misunderstanding what you mean, but as long as the passphrase/pass sentence is secure, wallet encryption is still useful/required as generating of addresses will be unpredictable. 

As long as we don't let users generate their own passphrases (users are terrible at them), it is perfectly secure (assuming we generate passphrases/words well).

[ffe]

How about using the seeding method PGP used. Have the user bang on the keyboard randomly while giving him feedback on the entropy until both he and the program are satisfied. If he likes the idea of regenerating his wallet, he can print out the random sequence. If not, he can just bypass that step and the client is just the regular client with a very strong seed.

In all the years PGP has been used I don't think there was ever a danger that two PGP clients ended up with the same seed. I think the same would be true of the wallet in bitcoin.

[Matt Corallo]

How about using the seeding method PGP used. Have the user bang on the keyboard randomly while giving him feedback on the entropy until both he and the program are satisfied. If he likes the idea of regenerating his wallet, he can print out the random sequence. If not, he can just bypass that step and the client is just the regular client with a very strong seed.

In all the years PGP has been used I don't think there was ever a danger that two PGP clients ended up with the same seed. I think the same would be true of the wallet in bitcoin.

Yep, some variation on random input with a minimum length is what would be needed.  Whether its then printed as text or pass sentences (or random words) doesn't really matter as long as its random and of a good enough length.

[casascius]

Yes exactly, they would generate identical wallets and the client would behave the same way as if you copied one wallet to two computers now.  They could spend/steal each other's coins.

It seems that you do not understand how Bitcoin works. The wallet encryption may be useful in 0.4 but no more.

Your idea is possible as the third party service. But I really do not want something like that in the standard Bitcoin.

With all due respect, I don't think you understand the original suggestion clearly, because even though I do believe I understand how Bitcoin works, the suggestion would still hold water even if I didn't, because of the following known principles:

• Bitcoin addresses in wallets are generated in a deterministic process based on random numbers
• Pseudo random number generation by definition is repeatable with the same algorithm and seed
• Therefore, generating two wallets using identical pseudo-random numbers as input, because they were generated by the same algorithm and seed, will result in a wallet with the same keys.

Where is it that you suppose I have gone wrong?

The idea, stated in another way, is to generate addresses in a predictable fashion, but only predictable to someone with the appropriate passphrase (whose hash yields the seed that will be used in the PRNG).

BTW, the "bang on the keyboard" idea is solid and sound in my opinion... assuming of course this refers to generating a truly random passphrase.

[sebastian]

I think this would be a good idea. Not only for backup, but allow user to "create" a password (enter a password) and that password is used to create ONE bitcoin adress.

The good thing for this is situations where theres no local storage, for example live-CD systems and such. It would be bery good to be able to embed a bitcoin client in a such system, and the user just enter their password and everything is generated and fetched based on the password.

[casascius]

...and that password is used to create ONE bitcoin adress.

Why only one?