(!) Armory Brain Wallet

[btchris]

And since "Two beer, or bottle of wine? That is the question of my silly brain." is (almost) grammatically correct and uses sensible punctuation, it has much lower entropy than one would expect.  I *think* it is barely out of reach of a brute force search, but honestly I have no clue.

I agree it seems like a nice long passphrase, but this is exactly the problem.

We humans (myself included of course) are really bad at estimating how much entropy something has by just looking at it, and we're just as bad creating things with lots of entropy using only our brains. If it turns out the passphrase was in fact good enough, you'll know in 10 or 20 years because your key was never stolen. If, on the other hand, you were wrong, your bitcoin could disappear at any time between now and then.

If you're that worried about losing your paper backups, you can be nearly as paranoid as you want, e.g. print a 2-of-6 backup, and store them all in safety deposit boxes at different banks. (or how about just a standard/1-of-1 backup that you tattoo to a, uh, private area of your body? that should be hard to lose and, depending on your profession, hard to get stolen too )

[1714139519]

1714139519

[1714139519]

1714139519

[1714139519]

1714139519

[1714139519]

1714139519

[1714139519]

1714139519

[spin]

It's

And since "Two beer, or bottle of wine? That is the question of my silly brain." is (almost) grammatically correct and uses sensible punctuation, it has much lower entropy than one would expect.  I *think* it is barely out of reach of a brute force search, but honestly I have no clue.

I agree it seems like a nice long passphrase, but this is exactly the problem.

Exactly, this has far less entropy than the same number of random (i.e. computer chosen) words from a long words list.  How much less is not clear.  
(Of course given that it's now a sentence on a bitcoin related site, using it now would be suicide!)

[Newar]

[...] 
(Of course given that it's now a sentence on a bitcoin related site, using it now would be suicide!)

Yeah, why bruteforce when you can wordlist? http://arstechnica.com/security/2013/10/how-the-bible-and-youtube-are-fueling-the-next-frontier-of-password-cracking/

[....]
I *think* it is barely out of reach of a brute force search, but honestly I have no clue.

https://dl.dropboxusercontent.com/u/209/zxcvbn/test/index.html gives an entropy of 194 bits.

[btchris]

[...] 
(Of course given that it's now a sentence on a bitcoin related site, using it now would be suicide!)

Yeah, why bruteforce when you can wordlist? http://arstechnica.com/security/2013/10/how-the-bible-and-youtube-are-fueling-the-next-frontier-of-password-cracking/

[....]
I *think* it is barely out of reach of a brute force search, but honestly I have no clue.

https://dl.dropboxusercontent.com/u/209/zxcvbn/test/index.html gives an entropy of 194 bits.

I do believe that in suggesting that (or any) entropy estimation tool, you just contradicted yourself...

Entropy estimation tools such as the one mentioned can provide, at best, an upper bounds estimate, and therefore provide a false sense of security. They assume password crackers only use particular predetermined techniques when generating password guesses, however crackers are forever improving their techniques (furthermore these techniques are not necessarily public knowledge).

The (nice, thanks for that) article you pointed to exactly demonstrates this. I took the first "difficult" password mentioned in the article (which has been successfully cracked using the described techniques), and plugged it into the estimation tool, and got this:

Code:

password:              Am i ever gonna see your face again?
entropy:               100.857
crack time (seconds):  1.1482519836189682e+26
crack time (display):  centuries
score from 0 to 4:     4
calculation time (ms): 7

It seems awfully unlikely that the article's authors were able to crack a password with 101 bits of entropy, hence the estimate is a bad one. So, just to reiterate: estimating entropy is really hard...

[CircusPeanut]

Yeah, why bruteforce when you can wordlist? http://arstechnica.com/security/2013/10/how-the-bible-and-youtube-are-fueling-the-next-frontier-of-password-cracking/

Hypothetically speaking (I am absolutely not suggesting that anyone is doing this now) if I was a hacker it seems like a good way to steal bitcoins would be to write a little program, probably like the javascript above, but something faster, that for each pass phrase in those lists, generate an Armory wallet, check the first 20 or so addresses for any bitcoins. Just let the program run in the background and then get on the forums talk up the generating a Bitcoin Armory brain wallet.


I use a shuffled deck of cards myself. Peel off the first 40 cards to generate my root key. Then 3 of 6 fragmented backup, test them out a few times on my offline device, and store them in separate places. Then I use my brain wallet pass phrase to protect my offline armory wallet. Good to go.

[btchris]

Hypothetically speaking (I am absolutely not suggesting that anyone is doing this now) if I was a hacker it seems like a good way to steal bitcoins would be to write a little program, probably like the javascript above, but something faster, that for each pass phrase in those lists, generate an Armory wallet, check the first 20 or so addresses for any bitcoins.

People already do it for other brain wallets, so I don't see why it would be any different for Armory brain wallets.

I use a shuffled deck of cards myself. Peel off the first 40 cards to generate my root key. Then 3 of 6 fragmented backup, test them out a few times on my offline device, and store them in separate places. Then I use my brain wallet pass phrase to protect my offline armory wallet. Good to go.

That sounds pretty good to me. Since it's no longer a brain wallet, there's no reason to call it a "brain wallet pass phrase", right?

[CircusPeanut]

...Then I use my brain wallet pass phrase to protect my offline armory wallet....

That sounds pretty good to me. Since it's no longer a brain wallet, there's no reason to call it a "brain wallet pass phrase", right?

I meant that instead of using my brain wallet pass phrase to generate the wallet, I would use the pass phrase as the password for protecting the wallet file. So, yeah, I guess at that point it's just a pass phrase.

[Newar]

I do believe that in suggesting that (or any) entropy estimation tool, you just contradicted yourself...

Entropy estimation tools such as the one mentioned can provide, at best, an upper bounds estimate, and therefore provide a false sense of security. They assume password crackers only use particular predetermined techniques when generating password guesses, however crackers are forever improving their techniques (furthermore these techniques are not necessarily public knowledge).

The developer of the tool writes a bit about entropy estimation in this blog post, which may be of interest to you: https://tech.dropbox.com/2012/04/zxcvbn-realistic-password-strength-estimation/ (scroll down about a third of the page)

The (nice, thanks for that) article you pointed to exactly demonstrates this. I took the first "difficult" password mentioned in the article (which has been successfully cracked using the described techniques), and plugged it into the estimation tool, and got this:

Code:

password:              Am i ever gonna see your face again?
entropy:               100.857
crack time (seconds):  1.1482519836189682e+26
crack time (display):  centuries
score from 0 to 4:     4
calculation time (ms): 7

It seems awfully unlikely that the article's authors were able to crack a password with 101 bits of entropy, hence the estimate is a bad one. So, just to reiterate: estimating entropy is really hard...

Of course, anything you can find on google (using quotation marks around the search term), you don't need to bother putting it in that tool. Contrary to other "password check" tools, zxcvbn at least makes mention of that by showing "pattern: dictionary".

[btchris]

The developer of the tool writes a bit about entropy estimation in this blog post, which may be of interest to you: https://tech.dropbox.com/2012/04/zxcvbn-realistic-password-strength-estimation/ (scroll down about a third of the page)

That's a great article, thanks.

Of course, anything you can find on google (using quotation marks around the search term), you don't need to bother putting it in that tool. Contrary to other "password check" tools, zxcvbn at least makes mention of that by showing "pattern: dictionary".

Good points. I hope you're not suggesting that you should type your brainwallet into google to check its password strength.... 

[Newar]

[...]
Good points. I hope you're not suggesting that you should type your brainwallet into google to check its password strength.... 

Lol, no.

This brings back the memories of instawallet and the way bitcoin addresses were leaked to the Google search index via Chrome. It made these addresses real easy to find.

https://bitcointalk.org/index.php?topic=164143.msg1719541#msg1719541

[etotheipi]

By the way, it's fairly established that the english language has 0.8 to 1.2 bits per letter.   Rather, grammatically correct, properly spelled english has appoximately one-eighth the amount of entropy as its length.  So for the phrase you picked as an example has 68 letters, so between 54 and 81 bits of entropy.  This is somewhat strong, but on the low-end, still brute-forceable.   

Root keys should never be generated with less than 128 bits of entropy.  That is both a reasonable, forever-secure value, and also the approximate protection level of a 256-bit ECDSA private key (ECDSA private keys have about half the seucirty of their length).

Even if you're holding $100, 54 bits of entropy is really quite terrible considering that an attacker can brute-force all brainwallets in the world with the same brute-force search.   You can improve it with some solid passphrase stretching, but for any significant amounts of money no one should even be taking this risk.

[CircusPeanut]

Here's another great article on why Brain Wallets are insecure:

http://www.wired.com/2015/07/brainflayer-password-cracker-steals-bitcoins-brain/

All you really need to know is that every hacker that is attacking a bitcoin brain wallet, is attacking your bitcoin brain wallet...if you have one, so don't have one.

[Searinox]

If you absolutely MUST use a brain wallet, why not make something that takes Armory's master key and provides multiple methods of representing it as easily memorizable words or phrases? You at least keep Armory's crypto-securely-generated master key. You don't make it any less of a risk to forget it, but it's a step up at least.

[timz]

If you absolutely MUST use a brain wallet, why not make something that takes Armory's master key and provides multiple methods of representing it as easily memorizable words or phrases? You at least keep Armory's crypto-securely-generated master key. You don't make it any less of a risk to forget it, but it's a step up at least.

The main reason - Armory's master key generated by Armory's algorithm. If the algorithm will be compromised, or will be picked up initial conditions for key generating, then your coins will be at stake. In addition, I think it is not easy to find out (and remember) a phrase for existing key.
I just like idea that you may use your favorite phrase to restore wallet anywhere anytime. Just select strong passphrase. In addition you may create paper fragmented backup if you like.

[TimS]

The main reason - Armory's master key generated by Armory's algorithm. If the algorithm will be compromised, or will be picked up initial conditions for key generating, then your coins will be at stake. In addition, I think it is not easy to find out (and remember) a phrase for existing key.
I just like idea that you may use your favorite phrase to restore wallet anywhere anytime. Just select strong passphrase. In addition you may create paper fragmented backup if you like.

1. You're underestimating the security of Armory's random number generator. The non-technical version is that computers and algorithms are actually pretty great at generating a limited number of securely random bits. For more details, read this comment in the source code (it captures a lot of info about your mouse clicks, key presses, system files, and a screenshot of your desktop for extra entropy).
2. You can generate a phrase for any given key/number following grammatical structure pretty easily, even if it might not make perfect semantic sense (but that's okay, it doesn't need to be sensical, just memorable).
3. You're overestimating the security of a person thinking up a "strong passphrase". This is what everyone in this thread has been trying to tell you. Bottom line: If your brain came up with it, it's bad! (not 100% of the time, but often enough that that's the advice I'll give you)

If you want to memorize your Armory key, what I'd recommend is making an algorithm that can convert between the easy base 16 format and a passphrase format. There should be a one-to-one-to-one correspondence between valid 128-bit keys, valid 128-bit base 16 encodings, and valid 128-bit passphrases.