How safe is this brainwallet?

[Lorenzo]

"Kaleno vinen humuui sandacoro (yo 77322 1149398223). Moro tibero santana rocolono (yo 487763 7761204782212). Nuve kaleno ijii."

I know that brainwallets are a bad idea, but after using Electrum and the NXT client, I wonder if it would be possible to produce a strong brainwallet by using words from a made-up language.

A conlang (short for constructed language) is a language that is completely invented. An example of such a language is Klingon.

How secure would a passphrase similar to the above one be? It has about 120 characters and none of the words can be found in a dictionary. Shouldn't it be superior to a typical 12-word seed that Electrum and the NXT client provides since the latter two contain dictionary words, has no symbols or numbers, and is shorter in length?

I'm only asking because I would like to use a similar passphrase using a conlang that only I know but with a completely different set of characters to the one above.

[OnkelPaul]

A passphrase in a language that only you know would be secure against guessing, of course.
It's up to you whether it is secure against forgetting as well - one missing/replaced letter makes it unusable (of course you could bruteforce it if you know that there's just one or two minor differences in the version that you remember).

Onkel Paul

[Soappa]

Yup, if you use such kind of phrase to create a brainwallet, it should very secure.
But then you need to make sure you can recall such 120 characters when you need to (may be in a year, may be in 10 years) without one single mistake.

[Lorenzo]

Ah, thanks for the replies. So it looks like I'll be OK then as long as I don't forget it. Shouldn't be too much of a problem then since I already have memorized a couple of poems written in my conlang and I can definitely still remember all of them after many years.

[dothebeats]

It will be VERY secure IF and only IF you only know the pass phrase yourself. You mustn't base your pass phrase in to a common phrase or group of words that can easily be cracked by anyone. And the important thing in using a brainwallet is to NEVER EVER FORGET YOUR OWN PASS PHRASE.

Cheers dude. Hope this comment helped you in any way.

[newflesh]

It should reduce the chance of your passphrase being bruteforced but it wouldn'r make a difference if your computer is infected with a trojan or keylogger etc

Strengthen it using some special characters like @%&*

[btchris]

How secure would a passphrase similar to the above one be? It has about 120 characters and none of the words can be found in a dictionary. Shouldn't it be superior to a typical 12-word seed that Electrum and the NXT client provides since the latter two contain dictionary words, has no symbols or numbers, and is shorter in length?

Your passphrase probably isn't more secure than Electrum.

A nice thing about an Electrum seed (or a BIP39 mnemonic) is that we know exactly how it's created, and therefore we know that it contains very close^* to 128 bits of entropy. That means that brute-forcing it would take, on average, about 170 billion billion billion billion operations.

Code:

2^127 = 170 141 183 460 469 231 731 687 303 715 884 105 728

It's not as much entropy as some wallets, but it's still a whole lot.

The problem with your scheme (nearly all schemes for that matter) is that we don't know how much entropy it actually contains. Unless you describe exactly how you created your conlang, and then describe exactly how you construct your passphrase, there's no way to know (and even then it could be difficult to figure out).

This is at the heart of why brainwallets are bad. Humans are bad at creating entropy using just our brains, and we're really bad at estimating how much entropy something has, and in the end it's the amount of entropy in a key that makes it difficult (or not) to brute-force.

So is it possible that your scheme is safe? Maybe, but it's unlikely (given the last sentence above) and impossible to say for certain (given that you didn't describe your exact scheme). It's always safer to go with a solution whose strength we know -- there's no real reason to invent your probably-unsafe own.


* Electrum is only as secure as its underlying source of entropy, which is /dev/urandom on Linux/BSD/Mac OS and CryptGenRandom() on Windows. Although there are no known weaknesses in current versions of either, both have had problems in the past, so it remains possible that the actual amount of entropy could be less.

[Minnlo]

The problem with your scheme (nearly all schemes for that matter) is that we don't know how much entropy it actually contains. Unless you describe exactly how you created your conlang, and then describe exactly how you construct your passphrase, there's no way to know (and even then it could be difficult to figure out).

This is at the heart of why brainwallets are bad. Humans are bad at creating entropy using just our brains, and we're really bad at estimating how much entropy something has, and in the end it's the amount of entropy in a key that makes it difficult (or not) to brute-force.

I don't know much about the concept of entropy, but here is my question.
In the viewpoint of the attacker who has no info how the passphrase is constructed, shouldn't that passphrase work just like a completely random meaningless combination of 120 capital letters, numbers and special characters?

[btchris]

I don't know much about the concept of entropy, but here is my question.
In the viewpoint of the attacker who has no info how the passphrase is constructed, shouldn't that passphrase work just like a completely random meaningless combination of 120 capital letters, numbers and special characters?

If the passphrase has structure to it, than a sophisticated attacker can take advantage of that structure to reduce the search space. Just to be clear though... I'm not a sophisticated attacker, so please don't ask me how such an attack might actually work, or how successful a sophisticated attacker would be in attacking this particular style of password... I just don't know.

My "not knowing" is the point, though. Given these two options, which is better?

• A private key generated from a good random source, which has a known amount of entropy and a known likelihood of compromise via private key brute-forcing (practically none).
• A private key generated from someone's brain, with an unknown amount of entropy and an unknown likelihood of compromise via private key brute-forcing.

The former is always safer exactly because the latter is an unknown quantity. Unless there's some real benefit for using brain wallets, the fact that they might be insecure (definitely so in many cases) is enough reason to avoid them entirely. After all, why make life easier for an attacker, even if it turns out to only be a little bit easier?

(If there were some other security advantage to brain wallets, this might be a different story, but there aren't any...)

[silversurfer1958]

Brainwallets are OK, so long as you realise that any word that is easy to remember has less entropy than a genuine random Pass word.
By that I mean, supposing you wanted to create an 8 character Password, you could choose, for example, 'elephant' or 'xcdrgthy'.
The problem with Brain wallets is that they are effectively mineable unless you use a VERY good password or Phrase.
For example, if you chose to use elephant as a brain wallet (You can't because most require 15 chars or more, but let;s suppose) and you put some Bitcoin in there, you would lose your BTC instantly because bad guys have already pre compiled all the Public and Private keys for all simple Passwords and Phrases.
Eg Elephant1235abcd......JohnsBtcWallet  etc. A high end PC graphic card can calculate 20 Billion password > Brain wallet Private Keys per second and they have been doing this for several years AND saving these to Hard disk, so if EVER anyone uses one of those passwords as a brainwallet password, their BTC will dissapear almost instantly.
For example, the Brainwallet passphrase 'elephantbeardog' quite possibly has never been used but it has quite possibly be precompiled by the bad guys so that as soon as someone uses it, let's say to do an experiemnt just to see how Brainwallets work, their BTC will more than likely disappear instantly because all common 3 word combinations have already been precompiled into Public and Private keys and stored on hard disk and those addresses will be regularly monmitored.
The point I am making is that in order for a BRain wallet to be secure it must be as Cryptographically unique as you can possibly make it and if you are going to use words, it will never have the randomness that a purely random Password will have.
You can compensate for that to a degree by making it longer.
If you are going to use a Bainwallet, use Upper and Lower case, numbers and Special Characters and be more than 20 Chars.
If most of your Password is recognisable as a Word, it is less secure than For example you might think that €L€9h@nt   is a reasonably good password, but in Brain wallet terms it is as bad as Elephant, because once they have compiled all the SHA(2565) derivations of all the dictioary words, they then went on to compile all the common character substitutions for all the dictionary words, meaning that in Brain Wallet terms, €L€9h@nt  is no better than Elephant.
In General there are Three main ways someone can attack your Passphrase or Pass word.

Firstly, they can use Brute force and just try every combination of Characters.
currently, anything over 10 Characters if it contains Upper/Lower case, Numbers and Special Chars is highly resistant to Brute force, unless your attacker has a Supper Computer at his disposal.
The way to defeat a Brute for attack is usingh a Long Password containing Upper case, lower case, numbers and special Chars.

The next method of attack is a dictionary attack, where the attacker can try all the common Dictionary words, common Character substitutions Such as Elephant123    elephant123   elephantabc  €lephantabc   etc etc
plus trillions of other possible words and common character substitutions.
Simple examples like those will get your Bitcoins stolen almost imediately.
The way to defeat a Dictiononary attack is to not use whole common dictionary words

the next way they might attack your password is to attack your personal information.
for example, they coudl collect everything they know about you, your name, your birthday, your tel no, Nat insurance mumber and again, With a Very powerful PC able to compute Billions of rearrangements
per second could, in a few hours compute Trillions of Possible password combinations base don various re arrangements of your name, abreviations of your name, Tel no, Wife's name, Surname, Tel no, etc etc.

Password / Passphrase length is one of the most important factors in security, the longer the better.
you could use your Birthdate Tel no and Nat ins No Plus an abreviation of your name.

that would most liklely produce a Passphrase long enough to resist Brute forcing and a dictionary attack but would be comparatively weak to an attacker who had a lot of personal information on you such as
you Tel no, name, Birthday etc.

and so, if you want to creat a Brainwallet PassPhrase, it must be long, 20 chars or more, possibly contain personal info, heavily abreviated, Your name, shortened or a Nickname, interspaced with special chars, and maybe even a common character substituted dictionary word, that way, they must uyse all three techniques in order to get at your password.
EG,     :-)[Rob12/10/1987/077986]:-)  Would fare very well against a Dictionary attack, and a Brute force attack though you would remain significanntly more vulnerable from an a attacker who had information on you.

A password that contains a Birthday for example might be   13101958  (13th Oct 1958)
You might think that has 99 Million possibilities because it has 8 numbers, but if it;'s a birthday. there are only 31 Possible combinations for the first two chars (days)
Only 12 for the second 2 chars ( months ) and only possibly 2000 for the Next four chars (years), meaning that
there are only 30 X 12 X 2000 Possible birthday combinations in that 8 digits, not Billions as you might first suspect.
Because obviously, there is no 99th Day of the 99th Month.    
Personally I like the Brainwallet concept , put you have to be very very very Cryptic,

Even if you manage that though, your pass word will not be as secure as a true randon 20 char Password even though you might very well be able to produce something that is very highly secure plus reasonably easy to remember for you.

The biggest problem with Brainwallets as far as the general public is concered is that many will try to use them and
not do their homework and try things like   'AlisonsWalletNo1'  or LetMeInABC    or etc etc etc an promptly lose thier BTC. because things like that will have already been pre computed and are now being regularly monitired.

[btchris]

The point I am making is that in order for a BRain wallet to be secure it must be as Cryptographically unique as you can possibly make it and if you are going to use words, it will never have the randomness that a purely random Password will have.

Agree -- if it's not truly random, it's always less secure than a traditional wallet.

In General there are Three main ways someone can attack your Passphrase or Pass word.

Disagree -- there may be three ways that you (or that I) can think of, but people who are more experienced/smarter than you or I may have many more ways. This is why the level of security of a brainwallet can't be well determined.

Personally I like the Brainwallet concept

Why? What is it that you like, that makes it worthwhile for you to give up some amount of security?

[silversurfer1958]

What I like about it is that I can effectively store money in my head, not that I have much to store but...
I believe that a Brain wallet can be strong enough that, yes, it may not be as strong as a similar length, truly random Password, but still uncrackable in any reasonable time period.

I also think that Brainwallets could be hardened against attacks by introducing a slower algorythm in the path,  along the lines of     Sha256(Bcrypt(Password))

And you're right there are more than three ways, another way would be for someone to be peering over your shoulder while you are creating your Brainwallet Password or Passphrase, or using a key logger or screen scraper, or decoding the electrical noise generated by individual keypresses or.....holding a gun to your head.
 

[CIYAM]

The biggest problem with a "brainwallet" is that "you need a good brain" to create it.

Assuming that you have one then actually you don't have a problem (all the advice *against* brainwallets is aimed at people that *don't have a good brain" and that is fair enough as most people "don't").

I have stored funds in a brainwallet for years and they still haven't *gone anywhere* (and that is used as a "test" for further brainwallets to let me know if someone might have discovered my first one - so go for it *brainwallet hackers*).

The biggest worry is that you develop "Alzheimer's" or something similar and simply *forget your brainwallet* (so some sort of paper backup would still be recommended).

Luckily diseases such as Alzheimer's tend to leave "your oldest memories" intact - so I did develop this: http://ciyam.org/memory_key.html as a method to ensure you use something "that is old but memorable to yourself".

[Velkro]

Your brain can't actually make good enough random passphrase because its always based on some language, some words that appeal to you etc.
Its security risk, i don't recommend brain wallets

[CIYAM]

Your brain can't actually make good enough random passphrase because its always based on some language, some words that appeal to you etc.
Its security risk, i don't recommend brain wallets

Again I'll state that I have a brainwallet that *has not been hacked for more than 2 years".

So your statement that "your brain can't actually make a good enough random passphrase" does not seem to actually be correct (otherwise my BTC should have disappeared).

If anyone thinks they can *hack my brain* then *go for it* (there is at least 1 BTC you can make from this).

[btchris]

What I like about it is that I can effectively store money in my head

Why is that useful? What I'm trying to ask is, why does this one purported advantage outweigh the security negatives?

I'll bet we could come up with some cool sounding use case for it for which traditional wallets fail (I've been unjustly imprisoned with temporary access to computers but no access to paper, and with no friends on the outside, but still I want to let people send me bitcoins....) But are there any real-life use cases where a brain wallet would actually be an advantage, and not just a security risk?

The biggest problem with a "brainwallet" is that "you need a good brain" to create it.

Fair enough -- you need to be good at creating impressively random stuff in your brain, and you need to be able to remember that stuff.

The problem I continue to see is this: how are you sure that you have such a brain? We (humans that is) do a good job of overestimating our own abilities -- it's just human nature. This is especially the case when it comes to estimating our ability to create entropy. I may think I'm pretty darn smart... but who doesn't?

I'm sure there are some people who can pull this off, and it's entirely possible that CIYAM is one of those people, but CIYAM would be in a large minority.

If you can't be certain that you have such a "good brain", what would be the advantage gained by taking this risk?

[CIYAM]

The problem I continue to see is this: how are you sure that you have such a brain? We (humans that is) do a good job of overestimating our own abilities -- it's just human nature. This is especially the case when it comes to estimating our ability to create entropy. I may think I'm pretty darn smart... but who doesn't?

Agreed - I can only say that my brainwallet still has the 1 BTC that I put there (years ago) so either I'm:

(a) extremely lucky or
(b) smart enough to have created a passphrase that no-one can brute force

Of course this could change at any time (so I do check my address often) but my point is that "it is not *impossible* to create a good "brainwallet" *(but I do agree it is not the best idea for most people).

I just think that saying that *no-one can create a good brainwallet is wrong* (as it at least seems that I have been able to do that).

[alistar]

wait why use other wallets when there is options like blockchain?

[Lorenzo]

Compared to the original example I gave in the OP, how secure would a paragraph/short story of original English text be?

For example:

"Yesterday was a cold and rainy day. Perhaps the coldest it had ever been since the great winter of 1989. The effects of the cold front that was continuing to blast our little town with raindrops the size of tennis balls were quite evident when I had finally arrived. The geraniums had wilted and our pets were nowhere to be found. We would later learn that they had died. Rex had crawled underneath the house, fashioned a bed made of snow, and never woke up. Poor guy froze to death with his girlfriend by his side. That's right. Fluffy is dead too. Good thing our boy doesn't know yet. She was his favorite. Gotta go down to the pet store ASAP. Might pick up a pair of thermal socks on the way home.

Yeah... I know. I fucked up. Hamsters aren't meant for the cold."

Throwing the above into the password strength checker shows 4000 bits of entropy which is definitely strong but typing in the word "hello" repeated 5 times shows 110 bits of entropy which is still pretty strong (but obviously isn't and your funds would get stolen right away).

[CIYAM]

Compared to the original example I gave in the OP, how secure would a paragraph/short story of original English text be?

You are always going to be less safe using "some known text" (be it from a book, poem, song, etc.) than creating something 100% original and this is actually part of the real problem to creating brainwallets - it requires the same sort of degree of "creativity" that writers or composers have (and for those curious I majored in music at university).