Forget brainwallet - could you memorize an entire private key?

[deepceleron]

Can we memorize a full Bitcoin private key?

I added a base26 encoding to pybitcointools to simply things (normal addresses and wallet-import-format private keys are Base58, with hard-to-memorize upper-case letters and numbers). Let's make some private keys. With this encoding, they have a usual and maximum length of 55 characters:

>>>bitcoin.encode(random.randint(1,2**256-432420386565659656852420866394968145599L), 26)
'digiglqzmbsylezyvovztjincftnxmpvcmtkszwcqrzttkgizgwgsrs'
'crbifkrcyokrerdtvfbliynoyyvspncuhenzanzoesdaggzjjccedyo'

Or if we separated them, lets try four or five letter groups:

'digi-glqz-mbsy-lezy-vovz-tjin-cftn-xmpv-cmtk-szwc-qrzt-tkgi-zgwg-srs'
'crbif-krcyo-krerd-tvfbl-iynoy-yvspn-cuhen-zanzo-esdag-gzjjc-cedyo'

We'd better check mistypes, two more letters from a hash of the key, for a 99.85% chance we detect a mistake - for a final form:

'digi-glqz-mbsy-lezy-vovz-tjin-cftn-xmpv-cmtk-szwc-qrzt-tkgi-zgwg-srsc-a'
'crbif-krcyo-krerd-tvfbl-iynoy-yvspn-cuhen-zanzo-esdag-gzjjc-cedyo-bi'

Do you have the brain power to commit a full-strength private to memory?


A private key is much stronger than a bitcoin address though - a private key is 256 bits, but an address hash is only 160 bits; every address probably has about 79228162514264337593543950336 private keys that could spend its money. As crazy as it seems, maybe we could get by only using private keys starting with 0x000000000000000000000000h; let's generate the rest:

>>> bitcoin.encode(2**160, 26)
'bdonjydfhmonirbfouktjpxyqzilesiamaq'

That is the minimum size of a computer-generated "brainwallet" key or password required to give you near the same strength as a regular Bitcoin address - 35 letters. A gifted individual could apply themselves and commit this to memory, just as there are those that memorize 1000 digits of pi.

Electrum cheats - it makes a 128-bit deterministic seed, even smaller than this (although the generated bitcoin private keys are spread around the keyspace in a way hard to reverse).

If you take letters randomly chosen from pages of a book, you need more letters (due to the frequency of certain letters). If you try to use English words, you need about 20 of them, randomly chosen from the entire Oxford dictionary (not ones you picked). If you try to make up your own password...well, you see the point.

Don't use your brain to store bitcoins.

[Candystripes]

Brainwallets were never a bad idea, they're just as secure as using a normal password. If you forget the password, bad luck, same goes with brainwallets.

It's easy to remember a simple phrase, such as "CandyMadeTheCowGoPoo", I can't understand why you think it's a bad idea.

[deepceleron]

Brainwallets were never a bad idea, they're just as secure as using a normal password. If you forget the password, bad luck, same goes with brainwallets.

It's easy to remember a simple phrase, such as "CandyMadeTheCowGoPoo", I can't understand why you think it's a bad idea.

Let me drop knowledge: http://www.reddit.com/r/Bitcoin/comments/1ptuf3/
 or http://www.reddit.com/r/Bitcoin/comments/1nbmet/
They were always a bad idea.

[DeathAndTaxes]

Be careful with only using 160 bits of entropy for private keys.  The strength of ECDSA keys when the public key is known is half the key size.  For full length key 256 bits length = 128 bits strength.   So 160 bits mean 80 bit of strength.  This is not beyond brute force.  It may not be economical but brute forcing the private key from the public key is feasible.

[Beliathon]

Take your favorite book.

Now pick your favorite 3 chapters from that book.

Pick a number from 1-10.

If your number is 4, go to the fourth page in each of your 3 selected chapters. Take the first letter of each word from that page, in the order in which the appear.

That's a good brain wallet.

[TimS]

Take your favorite book. ~10 bits entropy for number of popular books (estimated at 1024; this doesn't need to be a maximum to be the right entropy, since the most popular books will cover more than their share)

Now pick your favorite 3 chapters from that book. ~12 bits entropy for 3*log_2(number of chapters in a typical book), estimated at 3*4; this is generous, as the common favorites of a book will lower this

Pick a number from 1-10. ~3 bits entropy (10 numbers)

If your number is 4, go to the fourth page in each of your 3 selected chapters. Take the first letter of each word from that page, in the order in which the appear. ~3 bits entropy for different editions

That's a good brain wallet. Nope.

At 28 bits of entropy (as a rough estimate), no it's not a good brain wallet. Given the right resources (a list of popular books and their texts in a certain edition), an attacker would only have to try 2^28 combinations to crack most brain wallets based on this scheme.
You're only short by a factor of 2^100. *cough*

Forget brainwallet - could you memorize an entire private key?

I can memorize a 128-bit key fairly easily, so there's nothing stopping me from memorizing a 256-bit key except that there's no point to it: I feel quite secure with a 128-bit seed securing my wallet.

[Candystripes]

Take your favorite book.

Now pick your favorite 3 chapters from that book.

Pick a number from 1-10.

If your number is 4, go to the fourth page in each of your 3 selected chapters. Take the first letter of each word from that page, in the order in which the appear.

That's a good brain wallet.

What if the letters spell out "car" or "btc" or something ridiculously stupid?

[deepceleron]

Be careful with only using 160 bits of entropy for private keys.  The strength of ECDSA keys when the public key is known is half the key size.  For full length key 256 bits length = 128 bits strength.   So 160 bits mean 80 bit of strength.  This is not beyond brute force.  It may not be economical but brute forcing the private key from the public key is feasible.

That's a very good point I've glossed over, that when you spend, you are releasing more information that can be used to deduce the private key, worse if in conjunction with a weak random generator by the spending wallet. I was comparing directly the possible key size to possible address size.

To simplify the brute force would require some information about how the simplified public key was encoded; here I just showed it was shortened by being a much smaller number, other discoverable encodings of small keys include SHA256 (brainwallet). Putting the small key through 777 rounds of Centrifuge and Lanarea, for example, makes the encoding more obscure and more costly to rainbow-table, but still is not security equivalent to using a full random key. The encoding technique also becomes one more thing to remember.

I must add that I started the topic wanting to challenge people to memorize their own 55-letter random string, and remember it a day, a week, a month later, but the thesis changed as I was typing it.

[jonald_fyookball]

Electrum cheats - it makes a 128-bit deterministic seed, even smaller than this (although the generated bitcoin private keys are spread around the keyspace in a way hard to reverse).
 

wait...now i'm totally confused... given what DeathandTaxes just said -- how is it that Electrum keeps the 128 bits of entropy and it doesn't become half that when we generate the
private keys?  Why is it hard to reverse , or, put to it another way: why would it be easy to work backwards in another instance? I'm fuzzy on that now.

---
On another note, it is not hard to memorize a lot of information -- we all
have different talent for memorization, but its mostly a question of effort,
determination, and practice.  The human brain remembers what it deems
important and forgets that which it considers unimportant.    If a 256 bit private
key is in hexadecimal format, that's 64 characters, or 32 pairs of 2 digits
like "E9" or "43" or "5B".  32 is not that many.  You can memorize that in
a less than an hour, or a day, or a week, depending on your talents and
other factors.  For me, I think I have a pretty good memory, so I could
memorize it in  maybe 20-30 minutes, but it would require practice to retain,
and there's no point -- I would rather memorize an electrum seed, which
would only take me 5 minutes to memorize if I really needed to.

[cameltoe]

Remembering the whole private keys? That's just retarded when you can use a passphrase haha

[Divinespark]

I have tried, the answer is probably yes
But I would be absolutely terrified of forgetting it. Risk magnified as we age.

[TrailingComet]

I tried doing this once as a test
By day 6, I could substantially remember it but was starting to have doubts about individual characters
Too bloody dangerous unless you have a back up in some form. A back up of course defeating the purpose of the whole exercise.

[Pente]

You can increase the level of entropy in a brainwallet by using the altkeys. Most keyboards only have 94 symbols (26 letters, 26 caps, 10 numbers, and 32 symbols), but you can increase that to almost 256 by using the altkeys. For instance ♥ is alt 3.

So you can do something like: (password:phonenumber)(Q♠)(K♥)(∞)
Which makes private key: 5KJkhonUA3EfX7Cjuc2rJMASq8jh5t7bJLW3axvtYjpP2mab4v9
and public address: 1BJg3A9AnURtRm9DZpV32Xut8cbrsZ6tPo

Other tricks include using Google translator to make words using different character sets to mix with your english words.

Brainwallet: (Hello World)(пpивeт миp)(नमस्ते विश्व)
Private Key: 5JwMiUD1h2uL9Fxj82Ymvxe95wY6Tg6fwvJwdHXoxbqBD6mGADS
Public Address: 1NANoMSZanrBEYSCthGTPrz7VR7PRQxt6V

[catlinhappy]

I don't see any reason in memorizing an entire private key when one can simply use a passphrase instead.

[melisande]

Its possible to memorize an entire private key but its a bit risky if one suddenly develop amnesia due to age or accident.

[Mars not Moon]

What's the need to memorize if you can write on a piece of paper.

Why to go for un-necessary hard work?

[oceans]

I agree, it's simple to write it down and keep it safe than to memorize it however I can also understand why many people would not want to write their private keys down so it is easy for them to remember mainly due to being cautious. I personally myself do not feel I could memorize an entire private key to be honest but me being on of those that is over cautious I think I would be a bit dubious about writing it down even if I knew it was a better solution.

[JompinDox]

Be careful with only using 160 bits of entropy for private keys.  The strength of ECDSA keys when the public key is known is half the key size.  For full length key 256 bits length = 128 bits strength.   So 160 bits mean 80 bit of strength.  This is not beyond brute force.  It may not be economical but brute forcing the private key from the public key is feasible.

This is often repeated around here, but are there any documented, non-theoretical examples of that? Not talking about in 10 years, but today? Not trolling. Do you have any sources for that claim?

[cryptohill]

If you had the choice to remember your private key or to write it down, which would you choose and why? I am new to bitcoin but I imagine brain wallets are way to easy to break and therefore not a realistic option. Disregard the fact that a private key is difficult to actually remember, I am just trying to ascertain if actually remembering the private key is in any way advantageous over writing it down? Does the capability of remembering a private key solve any current issue or would it serve any good purpose?

Thanks.

[jonald_fyookball]

If you had the choice to remember your private key or to write it down, which would you choose and why? I am new to bitcoin but I imagine brain wallets are way to easy to break and therefore not a realistic option. Disregard the fact that a private key is difficult to actually remember, I am just trying to ascertain if actually remembering the private key is in any way advantageous over writing it down? Does the capability of remembering a private key solve any current issue or would it serve any good purpose?

Thanks.

i don't see any advantage over using a passphrase. I think OP was just asking out of curiosity.