Author Topic: Does this brainwallet have sufficient entropy ?  (Read 1216 times)
jambola2 (OP)
August 16, 2014, 09:32:10 PM
 #1

This is not exactly a randomly generated brainwallet, just one I have thought up.

Step 1 :- 35 character key , consisting of letters , numbers and special characters
Step 2 :- Encrypted with AES encryption with a 20 character password
Step 3 :- Result is used to generate a brainwallet

I will also print a copy of the 35 character key as a QR code , which I can use as a paper wallet , with around the same security as a BIP-38 encrypted private key.

Are there any noticeable flaws ?

No longer active on bitcointalk, however, you can still reach me via PMs if needed.
Gleb Goodston
August 16, 2014, 09:34:19 PM
 #2

It's pretty good but I wouldn't use a brain wallet anyway.
jonald_fyookball
August 16, 2014, 09:45:14 PM
 #3

if the 35 characters are randomly chosen, then yes.  if they
start with "Mary had a little lamb" then probably not.

Razick
August 16, 2014, 10:08:05 PM
 #4

Quote
This is not exactly a randomly generated brainwallet, just one I have thought up.

Step 1 :- 35 character key , consisting of letters , numbers and special characters
Step 2 :- Encrypted with AES encryption with a 20 character password
Step 3 :- Result is used to generate a brainwallet

I will also print a copy of the 35 character key as a QR code , which I can use as a paper wallet , with around the same security as a BIP-38 encrypted private key.

Are there any noticeable flaws ?

It's generally better to just make a good password as opposed to doing something complicated like this. AES can be implemented in different ways as far as how it uses initialization vectors and salts, and how key stretching works. If you don't know what that means, don't worry, but the point is you'll have to encrypt with the same program, or a compatible one, or the result will be different. This might be a problem if you try to recover your wallet a few years down the line and can't find the program you used.

Also, although in this case the 20 character password may help to add entropy to the 35 character password, it's generally bad practice to use "tricks" in an attempt to add entropy. For example if you hash 1234 with sha1(), although it may make guessing harder, it technically doesn't increase the entropy of the password. Encryption never adds entropy since it's deterministic. You only get the amount of entropy that you put in.

I would recommend that instead of doing that you just make one good password of at least 16 characters (longer if you use a non-random password or passphrase). Beyond 16 characters IMHO the increased risk of forgetting your password by far exceeds any additional security.

ACCOUNT RECOVERED 4/27/2020. Account was previously hacked sometime in 2017. Posts between 12/31/2016 and 4/27/2020 are NOT LEGITIMATE.
LiteCoinGuy
August 16, 2014, 10:11:23 PM
 #5

"It's generally better to just make a good password as opposed to doing something complicated like this. "


i agree here. don't make it too complicated or you lose/miss something.

one thing is more important: make sure your PC is malware free.

Bizmark13
August 17, 2014, 12:32:55 AM
 #6

Isn't there something about human-generated pass phrases having poor entropy/randomness compared to computer-generated ones that might be applicable here?

Quote
I would recommend that instead of doing that you just make one good password of at least 16 characters (longer if you use a non-random password or passphrase). Beyond 16 characters IMHO the increased risk of forgetting your password by far exceeds any additional security.

I'm not quite sure about this one. For example, my laptop is currently encrypted with a 40+ character password with symbols, uppercase letters, lowercase letters, and numbers. Part of it even incorporates a verse in a poem that I wrote in a conlang (a made up language) which only I can understand. It looks like complete gibberish but I've been using it on my laptop without a problem for over two years. I wouldn't use it as my brainwallet because I'd be worried about the above but even that being said, I'd still be surprised if it were easily crackable.
jonald_fyookball
August 17, 2014, 12:40:17 AM
 #7

Quote
Isn't there something about human-generated pass phrases having poor entropy/randomness compared to computer-generated ones that might be applicable here?

Quote
I would recommend that instead of doing that you just make one good password of at least 16 characters (longer if you use a non-random password or passphrase). Beyond 16 characters IMHO the increased risk of forgetting your password by far exceeds any additional security.

I'm not quite sure about this one. For example, my laptop is currently encrypted with a 40+ character password with symbols, uppercase letters, lowercase letters, and numbers. Part of it even incorporates a verse in a poem that I wrote in a conlang (a made up language) which only I can understand. It looks like complete gibberish but I've been using it on my laptop without a problem for over two years. I wouldn't use it as my brainwallet because I'd be worried about the above but even that being said, I'd still be surprised if it were easily crackable.

The problem with human passphrases comes when people use phrases from books, songs, movies, etc.,
that could be in a database, and so anything derived from those (including adding random numbers etc)
should be considered weak.  

Theoretically, original poetry of sufficient length is fine if it's never been written/typed before.  But
why not simply use computer generated entropy encoded into poetry (like Electrum does).  Then
you can be sure about the entropy level.

Sheldor333
August 17, 2014, 12:51:16 AM
 #8

I think there are better ways to store btc than brainwallets, I don't think they will last.

jonald_fyookball
August 17, 2014, 12:54:38 AM
 #9

Quote
I think there are better ways to store btc than brainwallets, I don't think they will last.

main disadvantages of a brain wallet are that it is susceptible to extortion and forgetting.
the main advantages are ultimate portability and high security.

zedicus
August 17, 2014, 02:33:32 AM
 #10

With brain wallets the question of sufficient entropy is not so much as to how long the passphrase is, but is more how close to being truly random it is. If parts of it contain words that can be found in any piece of literature (backwards or forwards - including the dictionary - in any language) then you are likely vulnerable. If there is not any kind of pattern to your passphrase then even a shorter passphrase could potentially keep your funds safe.

A word to the wise: using a brain wallet is very similar to using an address that was generated with a flawed RNG. It may provide some level of security, but you have a much greater chance of having your coins stolen at some point in time.

 
jambola2 (OP)
August 17, 2014, 08:51:52 AM
 #11

Quote
With brain wallets the question of sufficient entropy is not so much as to how long the passphrase is, but is more how close to being truly random it is. If parts of it contain words that can be found in any piece of literature (backwards or forwards - including the dictionary - in any language) then you are likely vulnerable. If there is not any kind of pattern to your passphrase then even a shorter passphrase could potentially keep your funds safe.

A word to the wise: using a brain wallet is very similar to using an address that was generated with a flawed RNG. It may provide some level of security, but you have a much greater chance of having your coins stolen at some point in time.

That's why I was encrypting it again.

Even if it is likely that my first key is not random enough , shouldn't the second key fix it regardless ?

Let's say I use an obscure song title as the first one and another as the second , shouldn't it be impossible to guess if both aren't very related ?

jambola2 (OP)
August 17, 2014, 08:57:23 AM
 #12

Quote
It's generally better to just make a good password as opposed to doing something complicated like this. AES can be implemented in different ways as far as how it uses initialization vectors and salts, and how key stretching works. If you don't know what that means, don't worry, but the point is you'll have to encrypt with the same program, or a compatible one, or the result will be different. This might be a problem if you try to recover your wallet a few years down the line and can't find the program you used.

I'm pretty sure I will remember how the wallet containing all my funds is encrypted , I'll probably write it down too.

Quote
Also, although in this case the 20 character password may help to add entropy to the 35 character password, it's generally bad practice to use "tricks" in an attempt to add entropy. For example if you hash 1234 with sha1(), although it may make guessing harder, it technically doesn't increase the entropy of the password. Encryption never adds entropy since it's deterministic. You only get the amount of entropy that you put in.

Yeah, it seems like I had not understood what entropy means.
But overall , would this improve the security , by making it harder to guess ?

I need the second password also because I'm going to try to create a paper version of the first one , just in case.

Quote
I would recommend that instead of doing that you just make one good password of at least 16 characters (longer if you use a non-random password or passphrase). Beyond 16 characters IMHO the increased risk of forgetting your password by far exceeds any additional security.

It is non random , so I was aiming for 25 - 50 characters. I was hoping 35 characters would be enough.

jonald_fyookball
August 17, 2014, 02:14:13 PM
 #13

jambola, you really need to work out the math. there are brain wallet hackers trying billions of combinations.  terahash rigs only cost thousands of dollars.  if you choose an obscure song title that is say one in a million, then two of them would be one in a trillion.  that's only 10^12. 

you should have 128 bits of entropy or more which is equal to 3.4 x 10^38, which is a much bigger number.

Beliathon
August 17, 2014, 02:16:47 PM
 #14

Quote
Let's say I use an obscure song title as the first one and another as the second , shouldn't it be impossible to guess if both aren't very related ?
NO!

This is how you DON'T do a brain wallet. There is NO SUCH THING as obscure when it comes to passwords protecting your money!!!!

If it's anything that has ever been written down and known to people other than yourself, it is UNSUITABLE for a brain wallet!

Remember Aaron Swartz, a 26 year old computer scientist who died defending the free flow of information.
DeboraMeeks
August 17, 2014, 02:18:04 PM
 #15

Quote
jambola, you really need to work out the math. there are brain wallet hackers trying billions of combinations.  terahash rigs only cost thousands of dollars.  if you choose an obscure song title that is say one in a million, then two of them would be one in a trillion.  that's only 10^12.

you should have 128 bits of entropy or more which is equal to 3.4 x 10^38, which is a much bigger number.

256 would be ideal however and as for hacking attempts on the device you must BIP 38 encrypt it!
Razick
August 17, 2014, 02:38:57 PM
 #16

Quote
It's generally better to just make a good password as opposed to doing something complicated like this. AES can be implemented in different ways as far as how it uses initialization vectors and salts, and how key stretching works. If you don't know what that means, don't worry, but the point is you'll have to encrypt with the same program, or a compatible one, or the result will be different. This might be a problem if you try to recover your wallet a few years down the line and can't find the program you used.

I'm pretty sure I will remember how the wallet containing all my funds is encrypted , I'll probably write it down too.

Quote
Also, although in this case the 20 character password may help to add entropy to the 35 character password, it's generally bad practice to use "tricks" in an attempt to add entropy. For example if you hash 1234 with sha1(), although it may make guessing harder, it technically doesn't increase the entropy of the password. Encryption never adds entropy since it's deterministic. You only get the amount of entropy that you put in.

Yeah, it seems like I had not understood what entropy means.
But overall , would this improve the security , by making it harder to guess ?

I need the second password also because I'm going to try to create a paper version of the first one , just in case.

Quote
I would recommend that instead of doing that you just make one good password of at least 16 characters (longer if you use a non-random password or passphrase). Beyond 16 characters IMHO the increased risk of forgetting your password by far exceeds any additional security.

It is non random , so I was aiming for 25 - 50 characters. I was hoping 35 characters would be enough.


What I mean by that is that the program might not exist at some point in the future. If the password is non-random it might help make it harder to guess. That length might be good or it might not... If it contains words, you should only count every word as one character.

Soros Shorts
August 17, 2014, 03:22:09 PM
 #17

Quote
Also, although in this case the 20 character password may help to add entropy to the 35 character password, it's generally bad practice to use "tricks" in an attempt to add entropy. For example if you hash 1234 with sha1(), although it may make guessing harder, it technically doesn't increase the entropy of the password. Encryption never adds entropy since it's deterministic. You only get the amount of entropy that you put in.

Yeah, it seems like I had not understood what entropy means.
But overall , would this improve the security , by making it harder to guess ?
Since you have publicly revealed your method, you have to assume that all that is protecting you is a pair of 35 character and 20 character passwords.
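
An added worked example, not part of any post in this thread: it carries through the arithmetic from post #13 (two one-in-a-million picks versus 128 bits) and the point from posts #4 and #17 that a public, deterministic step cannot yield more keys than there were inputs. Assumptions: a 94-symbol printable-ASCII alphabet, a guess rate of 10^12 per second taken from the "terahash" figure, a SHA-256 stand-in for the AES step, and constructed sample pools.

```python
import hashlib
import math
from itertools import product

SECONDS_PER_YEAR = 365.25 * 24 * 3600

def bits_random(alphabet_size: int, length: int) -> float:
    """Entropy in bits of `length` symbols drawn uniformly and independently."""
    return length * math.log2(alphabet_size)

def bits_from_pools(*pool_sizes: int) -> float:
    """Entropy in bits of one uniform pick from each pool (e.g. two song titles)."""
    return sum(math.log2(n) for n in pool_sizes)

def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every candidate once at a fixed guess rate."""
    return 2.0 ** bits / guesses_per_second / SECONDS_PER_YEAR

def derive(first: str, second: str) -> bytes:
    """Stand-in (assumption) for the thread's 'encrypt the key with a password,
    feed the result to a brainwallet' pipeline: fixed, public, deterministic."""
    inner = hashlib.sha256(second.encode() + b"\x00" + first.encode()).digest()
    return hashlib.sha256(inner).digest()

def distinct_keys(firsts, seconds) -> int:
    """How many different outputs the pipeline yields over all input pairs."""
    return len({derive(a, b) for a, b in product(firsts, seconds)})

# Constructed sample pools standing in for "things a person might pick".
FIRSTS = ["title-a", "title-b", "title-c"]
SECONDS = ["title-x", "title-y"]

def report(rate: float = 1e12) -> dict:
    """Bits and exhaust time for the cases discussed; `rate` is an assumption."""
    cases = {
        "two picks, one in a million each": bits_from_pools(10**6, 10**6),
        "35 random chars, 94-symbol alphabet": bits_random(94, 35),
        "128-bit target": 128.0,
    }
    return {name: (round(b, 1), years_to_exhaust(b, rate)) for name, b in cases.items()}

if __name__ == "__main__":
    for name, (bits, years) in report().items():
        print(f"{name:38s} {bits:6.1f} bits  {years:.3g} years")
    # Deterministic steps cannot produce more keys than there were inputs.
    print("input pairs:", len(FIRSTS) * len(SECONDS),
          "distinct keys:", distinct_keys(FIRSTS, SECONDS))
```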