Brain Wallet standardization

[flipperfish]

You are right, I thought only of entropy of single characters. What i meant was: Entropy of single characters is not everything.
Nevertheless, it maybe easy to remember 4 words, but to reach entropy levels of 128+ bits you would have to remember at least 12 words (assuming an alphabet of 2000 words). Remembering 12 words (randomly chosen, without grammar) is far more difficult.

Maybe instead of using 10000 rounds of SHA256 it would be better to use something like scrypt, to slow down the attack.

[DeathAndTaxes]

agreed however even a 6,000 word list has pretty common words.  Increases the size of the word list decreases the number of words required for a given strength.  I would also point out that key hardening can be used.  Most passwords have only 30 bits of entropy. 

60 bits of entropy in a 6,000 word list requires 5 words.    Using a chained iterative function (like PBKDF2) one can make it computationally in-feasible to brute force that 60 bit passphrase.  The downside (yes there is no free lunch) is the need to use salt to prevent precomputation attacks.  This will have to be recorded by the user.  Remember salt isn't a secret so it doesn't need to be safeguarded (use could email it to himself, print a copy and put it in a safe, put it in his drop box, and leave it in plaintext on his computer) but it does need to be recorded.

[nevafuse]

One good little piece of standardization I'm seeing that has developed is that both brainwallet.org and bitaddress.org use SHA256(passphrase) for their single address generation. Now we just could use some standardization for the deterministic wallet idea. I really don't like how Electrum won't let you make your own passphrase.

I haven't tried importing private keys into bitcoind(-qt) yet, but its pretty easy to sha256sum a phrase & feed it into brainwallet or bitaddress to get the private & public keys.  There's also a few transaction makers out there that will even give you the raw transaction (most only support sending the full balance tho - be careful or you might end up giving the miner a huge fee).  Now I just need to figure out how to send that transaction out.  I think bitcoind(-qt) is working on it since I saw they have a sendrawtransaction method.  I also heard electrum will do it.  I think blockchain will send it for a fee.  Then you don't even ever have to import or create a wallet & the private key can be stored on an offline computer the whole time.

[Ente]

One good little piece of standardization I'm seeing that has developed is that both brainwallet.org and bitaddress.org use SHA256(passphrase) for their single address generation. Now we just could use some standardization for the deterministic wallet idea. I really don't like how Electrum won't let you make your own passphrase.

I haven't tried importing private keys into bitcoind(-qt) yet, but its pretty easy to sha256sum a phrase & feed it into brainwallet or bitaddress to get the private & public keys.  There's also a few transaction makers out there that will even give you the raw transaction (most only support sending the full balance tho - be careful or you might end up giving the miner a huge fee).  Now I just need to figure out how to send that transaction out.  I think bitcoind(-qt) is working on it since I saw they have a sendrawtransaction method.  I also heard electrum will do it.  I think blockchain will send it for a fee.  Then you don't even ever have to import or create a wallet & the private key can be stored on an offline computer the whole time.

All that stuff is bread&butter of Armory! :-)

Ente

[mb300sd]

My approach:

PrivKey1: sha256 x5 "my long passphrase"
PrivKey2: sha256 x6 "my long passphrase"
PrivKey3: sha256 x7 "my long passphrase"
PrivKey4: sha256 x8 "my long passphrase"
etc.

I might forget that I started at x5 at some point, but it doesn't matter much.

This is probably a bad solution, because as soon as sha256 x5 "passphrase" is known to the attacker, he gains knowledge of the other private keys, too.

Didn't think about that, but not too worried. I only use this for a cold storage/long term savings wallet that I don't plan on spending from any time soon, and the passphrase was hashed and bitcoind addresses generated on a livecd. I'll probably switch to this approach some day.

PrivKey1: sha256("my long passphrase1")
PrivKey2: sha256("my long passphrase2")
PrivKey3: sha256("my long passphrase3")
PrivKey4: sha256("my long passphrase4")

anything wrong with that?

[Topazan]

My approach:

PrivKey1: sha256 x5 "my long passphrase"
PrivKey2: sha256 x6 "my long passphrase"
PrivKey3: sha256 x7 "my long passphrase"
PrivKey4: sha256 x8 "my long passphrase"
etc.

I might forget that I started at x5 at some point, but it doesn't matter much.

This sounds pretty good.  I might use a variant on that at one point.

To address the criticism that using one passphrase means the whole wallet is lost once the passphrase is gained, there's no reason you can't have multiple passphrases.  It seems to me that any deterministic wallet generation scheme is vulnerable if the seed is compromised.

Is there a tool that can be used offline that generates a public key from a sha256?  Preferably in javascript or shell script?

[mb300sd]

My approach:

PrivKey1: sha256 x5 "my long passphrase"
PrivKey2: sha256 x6 "my long passphrase"
PrivKey3: sha256 x7 "my long passphrase"
PrivKey4: sha256 x8 "my long passphrase"
etc.

I might forget that I started at x5 at some point, but it doesn't matter much.

This sounds pretty good.  I might use a variant on that at one point.

To address the criticism that using one passphrase means the whole wallet is lost once the passphrase is gained, there's no reason you can't have multiple passphrases.  It seems to me that any deterministic wallet generation scheme is vulnerable if the seed is compromised.

Is there a tool that can be used offline that generates a public key from a sha256?  Preferably in javascript or shell script?

Bitaddress.org

[paraipan]

My approach:

PrivKey1: sha256 x5 "my long passphrase"
PrivKey2: sha256 x6 "my long passphrase"
PrivKey3: sha256 x7 "my long passphrase"
PrivKey4: sha256 x8 "my long passphrase"
etc.

I might forget that I started at x5 at some point, but it doesn't matter much.

This sounds pretty good.  I might use a variant on that at one point.

To address the criticism that using one passphrase means the whole wallet is lost once the passphrase is gained, there's no reason you can't have multiple passphrases.  It seems to me that any deterministic wallet generation scheme is vulnerable if the seed is compromised.

Is there a tool that can be used offline that generates a public key from a sha256?  Preferably in javascript or shell script?

You have the javascript from bitaddress.org available, offline if you save the page to your pc


The Bitcoin-Address-Utility
https://github.com/casascius/Bitcoin-Address-Utility


Or Casascius-compatible address tool for Android
https://bitcointalk.org/index.php?topic=86128
http://codinginmysleep.com/apps/
https://play.google.com/store/apps/details?id=com.CIMS.BitcoinAddress

[molecular]

My approach:

PrivKey1: sha256 x5 "my long passphrase"
PrivKey2: sha256 x6 "my long passphrase"
PrivKey3: sha256 x7 "my long passphrase"
PrivKey4: sha256 x8 "my long passphrase"
etc.

I might forget that I started at x5 at some point, but it doesn't matter much.

This sounds pretty good.  I might use a variant on that at one point.

To address the criticism that using one passphrase means the whole wallet is lost once the passphrase is gained, there's no reason you can't have multiple passphrases.  It seems to me that any deterministic wallet generation scheme is vulnerable if the seed is compromised.

Is there a tool that can be used offline that generates a public key from a sha256?  Preferably in javascript or shell script?

check out the strongcoin offline tx stuff, which is in js.

[anu]

Btw.: Entropy is not everything. If you generate your password from many words, which occur in a dictionary and the attacker knows that, all the entropy of single characters is worthless, because the attacker can guess your password with a wordlist.

BTW entropy is everything you are just calculating it wrong.   If the passphrases comes from a dictionary list (and the person designing it will ASSSUME the attacker knows it) the entropy is (words in list)^(number of words)

i.e. if you have a word list of 5,000 words and generate a passphrase which consists of 10 of them randomly it would have

5000^10 ~= 2^122 or 122 bits of entropy.  (that assumes selection with replacement, too lazy to did the more common selection w/o replacement).

Why are people so obsessed with dictionary attacks. It's so easy add something into the passphrase which is not in a dictionary. Just missspell a word. If you speak a local dialect, use some words from that. I doubt it is easy to run a dictionary attack on a passphrase containing bits of Bavarian, Southern Thai or Islay Gaelic.

[cbeast]

Why are people so obsessed with dictionary attacks. It's so easy add something into the passphrase which is not in a dictionary. Just missspell a word. If you speak a local dialect, use some words from that. I doubt it is easy to run a dictionary attack on a passphrase containing bits of Bavarian, Southern Thai or Islay Gaelic.

Or Igpay Atinlay 

[pointbiz]

The Brain Wallet tab on bitaddress.org v1.6 uses SHA256(passphrase) as the algorithm.

I've kept it simple for the reason others have stated:
SHA256(SHA256("a")) is easier to brute force than SHA256("a2")

I'd like to make a FAQ with advise on choosing a good passphrase. But I don't know what IS the best advice. There are two threats that can cause loss of bitcoins with respect to Brain Wallets.
1) Hacker brute forcing the passphrase
2) Forgetting the passphrase

Does anyone have good advise?

I acknowledge what gmaxwell and others have said about the challenge of choosing a passphrase with sufficient entropy. However, there are valid use cases for Brain Wallets and I received bounties and requests for these features.

[DeathAndTaxes]

Why are people so obsessed with dictionary attacks. It's so easy add something into the passphrase which is not in a dictionary. Just missspell a word. If you speak a local dialect, use some words from that. I doubt it is easy to run a dictionary attack on a passphrase containing bits of Bavarian, Southern Thai or Islay Gaelic.

I think you misunderstand.   When we talk about dictionary attack we aren't talking about Webster's English dictionary.  We are talking about lists of passwords which have been collected over the years via a variety of methods (stolen password list, old brute forced password hash tables, major hacks, social engineering, keyloggers, phishing sites, etc).  I would provide some links but not sure if the mods would approve.  A password cracker will use a database of 2 to 14 million passwords which includes misspellings, brands/names, slang, common substitutions (p@ssword), prefixes/suffixes (password123).

[anu]

Why are people so obsessed with dictionary attacks. It's so easy add something into the passphrase which is not in a dictionary. Just missspell a word. If you speak a local dialect, use some words from that. I doubt it is easy to run a dictionary attack on a passphrase containing bits of Bavarian, Southern Thai or Islay Gaelic.

I think you misunderstand.   When we talk about dictionary attack we aren't talking about Webster's English dictionary.  We are talking about lists of passwords which have been collected over the years via a variety of methods (stolen password list, old brute forced password hash tables, major hacks, social engineering, keyloggers, phishing sites, etc).  I would provide some links but not sure if the mods would approve.  A password cracker will use a database of 2 to 14 million passwords which includes misspellings, brands/names, slang, common substitutions (p@ssword), prefixes/suffixes (password123).

14 Million is not nearly enough to cover even a few languages. I think your 14 million words pw cracker will not even crack something as ridiculously trivial as
"Casascius says: `vires in numer1s`"

Now do the  sha256 * YYMMDD hash of that to make it a bit of a computational challenge. (YYMMDD) being a date of significance for you.

[anu]

Now do the  sha256 * YYMMDD hash of that to make it a bit of a computational challenge. (YYMMDD) being a date of significance for you.

In fact I think something like this is the best protection of even weak pass phrases: Going through an unknown, but very large number of re-hashes.

[molecular]

like trying to misuse a secret salt to add entropy, I think using multiple rounds of sha is just an excuse for (fear of) low entropy in the passphrase.

Just put enough entropy into your passphrase and all is good. Easiest way to do it: make it very long. Even a gramatically valid sentence constructed from 10 webster dictionary words wont be bruteforced easily (1E5^10 = 1E50). Even if the cracker uses grammar rules (unlikely), I bet there's still 1E40 gramatically valid sentences with 10 webster words.

[anu]

like trying to misuse a secret salt to add entropy, I think using multiple rounds of sha is just an excuse for (fear of) low entropy in the passphrase.

The moment you put something personal into the passphrase, an attack that can crack your passphrase becomes an attack on *your passphrase exclusively*. Unless you have a very well funded brain wallet, the whole cracking enterprise is no longer economical. [EDIT:] using many rounds of hashing plus conditionals after each round pulls the teeth of SIMD & friends to an extend.

But I think a passphrase should not only be long, it should also force the attacker to use a vast dictionary of many Billion entries to even have a chance to crack it. I think most dictionary attacks completely loose their teeth if you mix languages like ລາວ, 中文, ไทย, or even Eλληνικά, particularly if the passphrase contains local slang in these languages.

So if everyone just makes good use of their native language this only leaves those out in the rain who speak only English. Fine.

[paraipan]

like trying to misuse a secret salt to add entropy, I think using multiple rounds of sha is just an excuse for (fear of) low entropy in the passphrase.

The moment you put something personal into the passphrase, an attack that can crack your passphrase becomes an attack on *your passphrase exclusively*. Unless you have a very well funded brain wallet, the whole cracking enterprise is no longer economical. [EDIT:] using many rounds of hashing plus conditionals after each round pulls the teeth of SIMD & friends to an extend.

But I think a passphrase should not only be long, it should also force the attacker to use a vast dictionary of many Billion entries to even have a chance to crack it. I think most dictionary attacks completely loose their teeth if you mix languages like ລາວ, 中文, ไทย, or even Eλληνικά, particularly if the passphrase contains local slang in these languages.

So if everyone just makes good use of their native language this only leaves those out in the rain who speak only English. Fine.

+1 totally agree to this, using local slang with my passwords since 2000

[anu]

Just downloaded some of these dreaded dictionaries. None of them would crack "Vires in Numeris",  even. Even if you use the very first sentence of a piece of world literature like:

"Uns ist in alten Mæren wunders vil geseit
von Helden lobebæren, von grôzer arebeit"

you're safe. Seems like dictionary designers have no knowledge that other languages exist.

[Pieter Wuille]

I'm not sure you're looking at the same dictionary that "professional" password crackers use.

From the many password database leaks that have already happened in the past, there are known passwords of over 10 random-looking characters that have been cracked, presumably just from the leaked SHA hash. I don't have an example myself, but please don't just assume that because you can't crack something yourself, nobody can. Everyone is smart enough to devise a system he can't crack himself. Realize that the bitcoin network itself has done almost 2^70 SHA256 operations already, enough to traverse the entire space of up-to-11 characters alphanumeric passwords.

If you're really creating a wallet based on a passphrase, do the math. A word chosen randomly from a 5000-word dictionary provides 12 bits of entropy. Say you include randomly some words from one other language, given that there are 500 other languages and dialects, gives you 13*n+9 bits of entropy. I wouldn't advise using less than 128 bits to create a wallet, so that'd mean 9 words if you include foreign ones, or 10 if you don't. Please note that this calculation is assuming random words, and not existing text.