Topic: A challenge to the idea that no-one can create a good brainwallet (Read 15599 times)

legendary
Activity: 3948
Merit: 3191
Leave no FUD unchallenged
are these, were these all the letters, numbers, special chars used by you Ciyam, thanks.

I can't quite tell what you're trying to ask them, but they haven't logged in to these forums for almost three years now.  You'll need to go find them on their own forum if you want a response to your question, or to find out what happened to the funds in that brainwallet.
full member
Activity: 431
Merit: 105
Then finally add a smiley you are partial to:

buzfap01$02%014STK1456cAonImA;)

and perhaps a lucky number as well.

buzfap01$02%014STK1456cAonImA;)7

Even at this stage my guess is that we are at a level of pretty safe entropy (provided you have not followed my formula but instead created your own).

Such a passphrase is not so difficult to learn (but does take time). So I think that most people are capable of creating a brainwallet but I think it will take them some time to develop it (but if you really care about your investment you'll spend the time to protect it).



buzfap01$02%014STK1456cAonImA;)7


are these, were these all the letters, numbers, special chars used by you Ciyam, thanks.
newbie
Activity: 12
Merit: 0
I'd like to know too.
legendary
Activity: 2268
Merit: 1092

Still has 1 BTC there (was that your point?).

I moved the other funds earlier in case you had missed that (decided that 10 BTC was really too much to leave there).


1+ year bump

The remaining 1 BTC disappeared from this address in January 2019. Was the wallet cracked, or is this challenge over?

https://www.blockchain.com/btc/address/1Au4v6dZacFVsWXeKUMJd99AtyBZeqti2L
legendary
Activity: 1890
Merit: 1086
Ian Knowles - CIYAM Lead Developer

Still has 1 BTC there (was that your point?).

I moved the other funds earlier in case you had missed that (decided that 10 BTC was really too much to leave there).
legendary
Activity: 3038
Merit: 1032
RIP Mommy
full member
Activity: 411
Merit: 100
I wouldn't recommend using a brainwallet for website passwords but instead a password manager (as you mention re-using patterns could be a very bad idea).

In the future I would hope we could sign in to websites via QR code - one neat method I have thought about would be that when initially signing up you'd provide the equivalent of a Bitcoin "address". When you next go to sign in you would be presented with a service id and "nonce" in a QR code which you'd scan with an offline device.

It would look up the service id to find the public key (matching the address the service knows about) then sign a message containing the "nonce" and a new address which it would then display as a QR code for the service to scan to authenticate.

I think this would be a better application to authorize things like a withdrawal from an exchange or to act as "2FA" to access a website/service.

Although I don't think this would be very feasible to implement into a strong brainwallet.
hero member
Activity: 528
Merit: 527
I use brainwallets all the time. My current system is composed of three parts. A salt phrase which I never change, a few passphrases, and a digit area which I simply increment to create a group of brainwallets so I don't have to reuse addresses (I started doing that after blockchain started reusing R values for transactions). So for example, my brainwallet is the SHA256 of "Mypassphrase+Mysalt+0000", "Mypassphrase+Mysalt+0001", etc.

I also use alt-keys to increase the level of entropy, even made a web site to make it easier on myself (also didn't trust brainwallet.org):

http://www.paganmind.com/_BrainWallet.html

I have a FB page for brainwallets now:

https://www.facebook.com/Brainwallet

If brainwallets catch on much, I was thinking of programming a wallet that is kind of like the Electrum wallet, but instead of a password, you would enter your brainwallet phrase. It would generate a set of addresses based on that phrase by incrementing a counter that is added to the phrase for each address.

BTW, I have a small amount of funds sitting in an old brainwallet with much less entropy than my current batch of brainwallets. Those funds are still sitting there.
legendary
Activity: 1890
Merit: 1086
Ian Knowles - CIYAM Lead Developer
I wouldn't recommend using a brainwallet for website passwords but instead a password manager (as you mention re-using patterns could be a very bad idea).

In the future I would hope we could sign in to websites via QR code - one neat method I have thought about would be that when initially signing up you'd provide the equivalent of a Bitcoin "address". When you next go to sign in you would be presented with a service id and "nonce" in a QR code which you'd scan with an offline device.

It would look up the service id to find the public key (matching the address the service knows about) then sign a message containing the "nonce" and a new address which it would then display as a QR code for the service to scan to authenticate.
legendary
Activity: 1302
Merit: 1008
Core dev leaves me neg feedback #abuse #political
This is always an interesting topic. How to construct a strong password without forgetting it.

If you have 10+ passwords for different sites/wallets and some of them you might only use once a year, how do you remember all these passwords? And to make things worse, if all of your passwords are constructed with a similar pattern, if one of them is compromised, how can you make sure the rest are still safe? So, you might end up with many different coding patterns for different passwords, and you forget one of them much faster than you can imagine

Password management software becomes a single point of failure, but if it is on an offline machine and has extra layers of protection, it might help to organize a large number of random passwords. Is there any other way to manage a large number of random passwords?

Easy:

Commit your brainwallets to memory and practice them.
Use pwd management software for everything else.
legendary
Activity: 1988
Merit: 1012
Beyond Imagination
This is always an interesting topic. How to construct a strong password without forgetting it.

If you have 10+ passwords for different sites/wallets and some of them you might only use once a year, how do you remember all these passwords? And to make things worse, if all of your passwords are constructed with a similar pattern, if one of them is compromised, how can you make sure the rest are still safe? So, you might end up with many different coding patterns for different passwords, and you forget one of them much faster than you can imagine

Password management software becomes a single point of failure, but if it is on an offline machine and has extra layers of protection, it might help to organize a large number of random passwords. Is there any other way to manage a large number of random passwords?
legendary
Activity: 1302
Merit: 1008
Core dev leaves me neg feedback #abuse #political
Well in general terms, my idea is simple.
Create a wallet requiring two keys.

Give one to your family, and
hire an attorney to be the executor
of your estate in order to provide
your family with the second key as part
of your will.  

There are many ways to implement
this.  It doesn't have to be literal "2 keys".
For example, it could be two halves of
a brain wallet phrase.  Or the lawyer could
have the entire phrase but only your family
has a scrambled electrum dictionary file
to convert this phrase into a wallet.

I wouldn't trust an attorney with $1.
They know the law and they know how to break it and get away with it.

Then again, it's your money, do what you please with it.

you're not trusting them with the money ,
you're only trusting they will
do their job and simply execute the will as you would
do anyway with an estate.

legendary
Activity: 1890
Merit: 1086
Ian Knowles - CIYAM Lead Developer
If revealing an address helped then we'd have a more serious issue (as that would mean that RIPEMD160 is not a secure hash algo).

I didn't reveal the address I did for any other reason except to prove that the funds (originally 10 BTC and now 1 BTC) are still there after a very long time (so none of the bots that try and crack brainwallets have been able to crack it).

It was actually a "canary" address (back when it held 10 BTC and when BTC wasn't worth so much) although because I have re-used the address (meaning the public key has been published) it now only serves the purpose of proving that it isn't so easy to crack a brain wallet.
hero member
Activity: 718
Merit: 545
I keep my coins in a Brain Wallet. Love it.

What I am wondering is if publishing the address actually makes it easier to crack? I would think not..

But if so - why ?

Surely the big 'crack farms' just check any hash they create with the 150,000 or so valid addresses on the chain.
newbie
Activity: 56
Merit: 0
Well in general terms, my idea is simple.
Create a wallet requiring two keys.

Give one to your family, and
hire an attorney to be the executor
of your estate in order to provide
your family with the second key as part
of your will.  

There are many ways to implement
this.  It doesn't have to be literal "2 keys".
For example, it could be two halves of
a brain wallet phrase.  Or the lawyer could
have the entire phrase but only your family
has a scrambled electrum dictionary file
to convert this phrase into a wallet.

I wouldn't trust an attorney with $1.
They know the law and they know how to break it and get away with it.

Then again, it's your money, do what you please with it.
sr. member
Activity: 467
Merit: 267
Once you reveal your method for producing the pass phrase we can see that many fall short of the recommended entropy level. It's not saying your coins are unsafe because
1. The entropy is high enough for the moment
2. We don't know which addresses are yours
However a good method should not rely on hiding anything but the secret.
If you truly choose 7 random words from a good English dictionary you get 128 bits of entropy. It's all in the 'random' part
jr. member
Activity: 50
Merit: 1
I have read this whole thread with great interest. I am a brainwallet user.  In a thread from over a year ago, I learned a lot about the difference between obfuscation and sufficient entropy.  Have a look...

https://bitcointalksearch.org/topic/pondering-a-highly-secure-deterministic-brainwallet-350789

In the end, I decided to stay away from obfuscation.  I now use a truly random, very high entropy passphrase.  I couple that with a second random and high entropy BIP38 passphrase. My coins are extremely safe.


I read some of the comments. I never understood why people claim that obfuscation cannot add entropy to the entire system. For example, if there are only 2 methods of obfuscation known to man then using one of them to further obscure your passphrase would add 1 additional bit of entropy.

I agree that obfuscation adds some entropy.  However, the mistake people make is in looking at the final resultant passphrase and think it has way more entropy than it really does.  The other mistake is in assuming that someone else won't think of your obfuscation.
legendary
Activity: 1302
Merit: 1008
Core dev leaves me neg feedback #abuse #political
Well in general terms, my idea is simple.
Create a wallet requiring two keys.

Give one to your family, and
hire an attorney to be the executor
of your estate in order to provide
your family with the second key as part
of your will.  

There are many ways to implement
this.  It doesn't have to be literal "2 keys".
For example, it could be two halves of
a brain wallet phrase.  Or the lawyer could
have the entire phrase but only your family
has a scrambled electrum dictionary file
to convert this phrase into a wallet.
jr. member
Activity: 50
Merit: 1
I have read this whole thread with great interest. I am a brainwallet user.  In a thread from over a year ago, I learned a lot about the difference between obfuscation and sufficient entropy.  Have a look...

https://bitcointalksearch.org/topic/pondering-a-highly-secure-deterministic-brainwallet-350789

In the end, I decided to stay away from obfuscation.  I now use a truly random, very high entropy passphrase.  I couple that with a second random and high entropy BIP38 passphrase. My coins are extremely safe.


Nice.  Did you ever figure out the dead man drop?
I have my own idea on that one. 

I never did figure out a good dead man drop.  I'd love to hear any ideas you are willing to share.
legendary
Activity: 1302
Merit: 1008
Core dev leaves me neg feedback #abuse #political
I have read this whole thread with great interest. I am a brainwallet user.  In a thread from over a year ago, I learned a lot about the difference between obfuscation and sufficient entropy.  Have a look...

https://bitcointalksearch.org/topic/pondering-a-highly-secure-deterministic-brainwallet-350789

In the end, I decided to stay away from obfuscation.  I now use a truly random, very high entropy passphrase.  I couple that with a second random and high entropy BIP38 passphrase. My coins are extremely safe.


Nice.  Did you ever figure out the dead man drop?
I have my own idea on that one. 
jr. member
Activity: 50
Merit: 1
I have read this whole thread with great interest. I am a brainwallet user.  In a thread from over a year ago, I learned a lot about the difference between obfuscation and sufficient entropy.  Have a look...

https://bitcointalksearch.org/topic/pondering-a-highly-secure-deterministic-brainwallet-350789

In the end, I decided to stay away from obfuscation.  I now use a truly random, very high entropy passphrase.  I couple that with a second random and high entropy BIP38 passphrase. My coins are extremely safe.
legendary
Activity: 1302
Merit: 1008
Core dev leaves me neg feedback #abuse #political
not bad but if someone knows your method and finds your secret 15 chars it's not strong
newbie
Activity: 6
Merit: 0
Thanks @CIYAM for bringing this topic to light.

Brainwallet has its pros and cons, but vulnerability to rainbow tables is not one of its cons. In some cases brainwallet provides the best cold storage method out there in the market (except multisig addresses). I have most of my coins in brainwallet.

You don't need to have good memory skills in order to set up a secure brainwallet. Here is one technique I use to generate private keys.

1. Get 15 random characters and write them down. I use sha256(of some words I don't even remember), then I took the middle 15 characters of the hash value and wrote them down on a paper and on walls, saved them on my cellphone and on my pc, emailed to myself. I don't consider them secret so I have them everywhere.

2. Choose specific date. (it can be the future)

3. Choose a name. (it can be in any culture)

4. Pick one Special character. (eg =.,?/+*&^%$#@)

5. your lucky number.

6. hash them 3 times.


I don't think this technique requires good memory skills.  




full member
Activity: 209
Merit: 100

The possibilities are innumerable.
 

Yes.

But, so far, I haven't seen a better implementation
than Electrum.  12 words, no other fancy
steps to remember, computer generated
entropy, and 144 bits of security.  (Plus
it's compatible with the electrum wallet.)

I use Electrum as well, and evaluating my possibility of remembering a random set of 12 words in the correct order for the rest of my life, I can't guarantee that and will never attempt such things. 2 of 3 physical distribution of the password is the best I can do.

Clustering of relational memory feels a lot more natural to me and will probably last a lifetime.

Overall though, I don't believe in single point of failure, be it human memory or wallet format, which is why I use Bitcoin Core, Electrum, Armory, and a bunch of other stuff...
legendary
Activity: 1302
Merit: 1008
Core dev leaves me neg feedback #abuse #political

The possibilities are innumerable.
 

Yes.

But, so far, I haven't seen a better implementation
than Electrum.  12 words, no other fancy
steps to remember, computer generated
entropy, and 144 bits of security.  (Plus
it's compatible with the electrum wallet.)
hero member
Activity: 784
Merit: 1000
https://youtu.be/PZm8TTLR2NU
The brain wallet is a tool with unparalleled security, due to the leverage afforded by truly invisible money, that follows you everywhere.

You can go to any computer (or smartphone) in the world and print money, and no one will know you have satoshi. You can do this with any amount of wealth.
full member
Activity: 209
Merit: 100
Most people's brainwallets that failed involved obscure Afrikaans poetry, 1337 substitutions, or some type of wacky human references. Most people don't know how to leverage hashing algorithms to create an incredible amount of entropy from a simple seed.

With just SHA2, "Bitcoin", and a secret method, for example, a competent person can create a private key with probably as much entropy as SHA2 space allows, thus their brainwallet will be indistinguishable from random noise.

A demonstration:

1. SHA2(Bitcoin) = B4056DF6691F8DC72E56302DDAD345D65FEAD3EAD9299609A826E2344EB63AA4

2. B4056DF6691F8DC72E56302DDAD345D65FEAD3EAD9299609A826E2344EB63AA4 ->
6691F8DC72E56302DDAD345D65FEAD3EAD9299609A826E2344EB63AA4B4056DF

3. SHA2(6691F8DC72E56302DDAD345D65FEAD3EAD9299609A826E2344EB63AA4B4056DF+Bitcoin) =
D551322B778D7BA384DF2FDBE0F0A77F4469C03771780B67D664EAE06F9CB97F

4. And so on...

The possibilities are innumerable.

That said, most people shouldn't do brainwallets because most people are not good at math--and more specifically, probabilities.
full member
Activity: 209
Merit: 100
I have crappy memory so I don't use a brainwallet. Besides, there are much easier way to keep your money secure. So what's the point?
The point is that I can cross the border naked and still be worth the private key(s) I control.

I understand that the same thing can be achieved with cloud storage and conventional (bitcoin) wallet, but the personal private key generation is a much more elegant solution that bypasses several entities worth of trust compared to conventional wallets.
legendary
Activity: 1890
Merit: 1086
Ian Knowles - CIYAM Lead Developer
I'd say with just 10 lines of code added to any brainwallet utility, whether it's a website, Java app, or executable, will strengthen the brainwallet against risks without making users have to remember more than 12 words

So my guess is that you'd be surprised that my brainwallet requires no such tools and is far less than 12 words (of course there are no dictionary words involved).

It was actually created as a test to see if it would have its funds stolen (I am rather surprised the funds are still there after so much time).
legendary
Activity: 4410
Merit: 4788
well you need software / website/ code to unlock a brainwallet of basic phrases too..

True - but the simpler the software the better (in terms of being able to access your funds even when you are on holidays, etc.).

And being able to sign a tx without being online is an important feature for security IMO.


whatever software/code you use to create a signed TX already includes the reference libraries/functions of SHA.. so it only takes an extra couple lines of code to turn normal dictionary words into hashed words to increase entropy. all of which can be done offline. i only mentioned that anyone can google online sha encrypt in reference to your reply that it requires extra software.

all i am generally saying is that a straight 12 word dictionary listed words are not as good as hashing the words.. but i agree that adding salt and going through a few rounds to rehash and rehash it over and over again makes chances of people hacking your key even less of a possibility, whilst also making the user still only required to remember 12 words initially.

I'd say with just 10 lines of code added to any brainwallet utility, whether it's a website, Java app, or executable, will strengthen the brainwallet against risks without making users have to remember more than 12 words
legendary
Activity: 1890
Merit: 1086
Ian Knowles - CIYAM Lead Developer
well you need software / website/ code to unlock a brainwallet of basic phrases too..

True - but the simpler the software the better (in terms of being able to access your funds even when you are on holidays, etc.).

And being able to sign a tx without being online is an important feature for security IMO.
legendary
Activity: 4410
Merit: 4788
Although I am not going to give out any precise clues as to how I created my own brainwallet clearly words that appear in any dictionary are not what you should use (and hashes of dictionary words are really no better).

If you were going to use hashing then you'd want to use "salt" and "rounds" also (and in any case is not really a "brainwallet" anymore as now you need software to unlock it).


well you need software / website/ code to unlock a brainwallet of basic phrases too..
but my example was not any software.. i just googled "sha encrypt online" much like people would google brainwallet. so there is nothing special required.

but i agree that just hashing a few words is not ideal and that re-hashing and doing other things in between (salt/rounds) before converting to a privkey should be added.
legendary
Activity: 1890
Merit: 1086
Ian Knowles - CIYAM Lead Developer
Although I am not going to give out any precise clues as to how I created my own brainwallet clearly words that appear in any dictionary are not what you should use (and hashes of dictionary words are really no better).

If you were going to use hashing then you'd want to use "salt" and "rounds" also (and in any case is not really a "brainwallet" anymore as now you need software to unlock it).
legendary
Activity: 4410
Merit: 4788
anyone thinking about using brainwallets i feel that simply typing in 12 words into brainwallet.org is risky. as many people are developing databases of attempted word combinations

for instance:
Quote from: WinstonChurchil
To improve is to change; to be perfect is to change often.

is not unique. and can be predicted within a couple weeks of trying different combinations.

BUT if we were to hash each word first. and then put the result into brainwallet converter.. then it is more secure:

to=663ea1bfffe5038f3f0cf667f14c4257eff52d77ce7f2a218f72e9286616ea39
improve=2b35ed6944dd2e8f7462b14096e8969711280dffe1457a680c885a95127e426c
is=fa51fd49abf67705d6a35d18218c115ff5633aec1f9ebfdc9d5d4956416f57f6
to=663ea1bfffe5038f3f0cf667f14c4257eff52d77ce7f2a218f72e9286616ea39
change;=dc36e8b61c6627435b26da98200d6eb38a9a6feaeaae7392864b0e53e67f4932
to=663ea1bfffe5038f3f0cf667f14c4257eff52d77ce7f2a218f72e9286616ea39
be=46599c5bb5c33101f80cea8438e2228085513dbbb19b2f5ce97bd68494d3344d
perfect=fafe97f7def328bbd4f10779b9625a8aa0bfaa143d7ae64e6f5770e47b51cd1d
is=fa51fd49abf67705d6a35d18218c115ff5633aec1f9ebfdc9d5d4956416f57f6
to=663ea1bfffe5038f3f0cf667f14c4257eff52d77ce7f2a218f72e9286616ea39
change=12ea12eace7d655f471ce55e34f89b1b77a3d9d05a445ca82877dd2235beaa51
often.=b0c347a4cd46f0a96e83fa2b63d8611511c5bb5dc986406e88674b3fb3e54ad3

the entropy alone is at least 10 times longer. yet all you have to do is in your mind remember the 12 words and then use a sha encryptor before pasting the result into a brain wallet converter.
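As an added example (not code from any poster in this thread), the three derivations the post above and CIYAM's reply are comparing: a single SHA-256 of the phrase, the per-word hashing shown above, and a salted, iterated derivation. It assumes the constructed sample is the twelve words of the quoted sentence and that the salt is a memorable, wallet-specific label (a hypothetical choice); per-word hashing produces a 768-character intermediate string but leaves the guess space at D^12 for a D-word dictionary, while rounds add log2(rounds) bits of work per guess.

```python
import hashlib
import math

# Constructed sample: the twelve words of the quote used in the post above.
SAMPLE_WORDS = "To improve is to change; to be perfect is to change often.".split()


def plain_key(passphrase: str) -> bytes:
    """Single unsalted SHA-256 of the passphrase, as brainwallet-style converters do."""
    return hashlib.sha256(passphrase.encode("utf-8")).digest()


def per_word_hashed_passphrase(words) -> str:
    """The post's scheme: hash each word separately and concatenate the hex digests."""
    return "".join(hashlib.sha256(w.encode("utf-8")).hexdigest() for w in words)


def per_word_hashed_key(words) -> bytes:
    """The long intermediate string still collapses to one 256-bit key."""
    return plain_key(per_word_hashed_passphrase(words))


def stretched_key(passphrase: str, salt: str, rounds: int) -> bytes:
    """Salted, iterated derivation (PBKDF2-HMAC-SHA256).

    The salt is assumed to be a memorable, wallet-specific label (hypothetical),
    so the user still needs nothing beyond what they remember.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", passphrase.encode("utf-8"), salt.encode("utf-8"), rounds, dklen=32
    )


def guess_space_bits(dictionary_size: int, n_words: int) -> float:
    """Bits an attacker must search for n independent picks from the dictionary.

    Deterministic post-processing (per-word hashing, re-hashing) does not change
    this: every candidate phrase maps to exactly one candidate key either way.
    """
    return n_words * math.log2(dictionary_size)


def effective_bits(dictionary_size: int, n_words: int, rounds: int) -> float:
    """Guess-space bits plus the log2(rounds) extra work that each guess costs."""
    return guess_space_bits(dictionary_size, n_words) + math.log2(rounds)


if __name__ == "__main__":
    phrase = " ".join(SAMPLE_WORDS)
    print("plain key         :", plain_key(phrase).hex())
    print("intermediate chars:", len(per_word_hashed_passphrase(SAMPLE_WORDS)))
    print("per-word key      :", per_word_hashed_key(SAMPLE_WORDS).hex())
    print("stretched key     :", stretched_key(phrase, "wallet-1", 2**16).hex())
    print("12 words, D=100   :", round(guess_space_bits(100, 12), 1), "bits")
    print("+ 2^20 rounds     :", round(effective_bits(100, 12, 2**20), 1), "bits of work")
```

The key printed for the stretched case changes with the salt, so two wallets derived from the same twelve words no longer share a key.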
donator
Activity: 1617
Merit: 1012

While both of these statements are somewhat true, neither preclude generation of entropy, and you're ignoring
several important facts.  Namely, that there is a large number of distinct words/thoughts/things
that exist...and while our thoughts may ultimately be deterministic, there is no meaningful way
to predict them.  Furthermore, we all have unique experiences, memories, and brains, so we will
come up with different thoughts.  Even our own selves will come up with different thought patterns
on different days and there is no way to predict them.  Combine that with enough components
to a brain wallet phrase, and high entropy is possible.


This is true. I had a brainwallet that was based on a regular expression to capture the words of a childhood pet phrase into non-sequential capture groups, the actual sequence being based on another number that I remember. I happen to be really good at writing regular expressions so I could just bang it away for any given phrase. I would guess that there are very few rainbow tables out there based on this.

Of course, I no longer use this, having moved on to a more unique method.
newbie
Activity: 56
Merit: 0
What does brainwallet mean?

Not sure if trolling but, it is basically what the word means.
A wallet stored in your brain in the form of a 12 word passphrase (as usual).
You basically create a private key to a wallet using a 12 word passphrase.

Remember, 12 words is what is usually used, you can use less or more.
I would advise you to use more and like others said, use words not published anywhere before.
Use slang if you wish, just make sure it's a word not published anywhere before.


EDIT: here: https://brainwallet.github.io/


newbie
Activity: 37
Merit: 0
What does brainwallet mean?
legendary
Activity: 1890
Merit: 1086
Ian Knowles - CIYAM Lead Developer
I have crappy memory so I don't use a brainwallet. Besides, there are much easier ways to keep your money secure. So what's the point?

I guess the point I was trying to make is that although it is a skill (and I like your Parkour analogy) it is still "possible" to create good brainwallets (and I do agree that it is not a common skill and so I do understand not recommending the use of brainwallets for most).

Perhaps it is the sort of "nanny state" attitude that was annoying me (so many people trying to suggest you *can't create a secure brainwallet*) so I just wanted to show people here that I actually *have* a secure brainwallet (funds are still there) and I don't think I am some sort of "freak of nature" for being able create that.
sr. member
Activity: 467
Merit: 267
You can use anything for a brainwallet. It obviously includes seed words or a long hex string. In theory, a brainwallet has as much security as a random number generator. So why even argue that it's not the case?

@CIYAM, your experiment proves that you are capable of having a good brainwallet. Great - you have good memory and the skills to pick a high security sentence. Unfortunately, that is not the case for most of the other people and that's for them that the recommendation is.
I don't recommend jumping from buildings but if you are an expert at Parkour it's easy as walking.

@Danny, I have no idea why you want to prove that any brainwallet is bad. It's easy to prove that they have the same security if used properly.

I have crappy memory so I don't use a brainwallet. Besides, there are much easier ways to keep your money secure. So what's the point?
hero member
Activity: 609
Merit: 506
I will say that while I do agree its possible, why not just use a RNG to help choose dictionary words?
If you don't trust computers, dice or cards work great.

The human brain is far more capable than most people seem to give it credit for  


I agree completely...

Not only on the creation of passphrases, but memory too.

Even memorizing a private key isn't THAT hard.  
Its 64 characters, or 32 pairs (E9, B2, etc).

I'm all about erring on the side of caution when
it comes to money but come on, its like people
have become mental midgets.

If I told you you have to memorize 5 private
keys by tomorrow or I'll kill your family, I bet
you would be able to do it.




Indeed:

http://en.wikipedia.org/wiki/Akira_Haraguchi
legendary
Activity: 1988
Merit: 1012
Beyond Imagination
Just watched a film "In time", when people carrying lots of times (the currency of future, embedded in the body like a brain wallet but the balance is visible on arm) walking around, they need to hire some bodyguards
sr. member
Activity: 342
Merit: 250
This is about entropy - if my passphrase entropy is not good enough then the funds will be stolen.

Correct.

And the human mind is incapable of useful amounts of entropy.  Anything that any person in the world is capable of thinking, someone else in the world can also think.  We are deterministic creatures that are limited by our minds.

Clearly nobody has emptied the address yet, but that is a very bad way of determining if something is secure or not.

A brainwallet doesn't have to come entirely out of your own brain's "RNG." There is a lot of info our brain can and does store that is generated externally.

I didn't know that anyone thought a secure (both from hacks and memory loss) brainwallet was impossible. I think that's quite clearly not the case. I personally use a brainwallet that is multiple sentences that don't appear anywhere in print or on the web, including words that don't appear in any dictionary, that has no real meaning to any strangers on the internet and which I can't even fathom forgetting. So GL to anyone who wants to crack that.

Of course there are still many ways one can go wrong when attempting to use a brainwallet, but it's hardly impossible for it to be done well.
legendary
Activity: 1246
Merit: 1011
silver fish kracker utoob the noob with phat boobs.

you can see were getting into serious entropy already.

I don't see.  How much entropy do you have here?

Very conservatively, that would be about 27 bits of
entropy minimum, since you have 4 words. (silver fish kracker utoob).

The assumption is there would be minimum of 100
words people would choose.  100^4 = 100,000,000
combinations.

As I mentioned, you would need a 24 word passphrase
to generate 160 bits of entropy.

Ok, I thought you were suggesting that you'd built up quite a bit more entropy than this.  While I don't feel you have well-justified* that {a person looks around a room, selects an object, and makes 2 "mental hops"} generates (very conservatively) log_2(100) bits of entropy, I don't doubt that a person conscious of the subtleties of information theory would manage at least this.

(*) The assumption of there being 100 different words is insufficient to justify log_2(100) bits of entropy per word.  One also needs to assume that the person would select of these 100 words uniformly (each word as likely as the next) for this.  In reality, some words are going to be more common than others (maybe following a Pareto distribution?), hurting the entropy, but I expect this will be made up for by a larger dictionary (400 words should easily do it and even this seems a bit conservative to me).
legendary
Activity: 1302
Merit: 1008
Core dev leaves me neg feedback #abuse #political
Does anyone here mind telling me what a Brain wallet is please ? Basically you remember your Private key from your Wallet or how does it work exactly ?

A brain wallet is a wallet where all the information needed to spend the held bitcoins is memorised.

Memorising a private key (or extended private key: BIP-0032) is one simple way of doing this.  You might also memorise the essential contents of some service's paper-wallet backup (related reading: BIP-0039).

Some people will generate a passphrase themselves and take some 256-bit hash of that passphrase to be used as a private key.  However, it is common for people to create insufficient entropy in this process and thereby run the risk of having their bitcoins stolen.

silver fish kracker utoob the noob with phat boobs.

you can see were getting into serious entropy already.

I don't see.  How much entropy do you have here?

Very conservatively, that would be about 27 bits of
entropy minimum, since you have 4 words. (silver fish kracker utoob).

The assumption is there would be minimum of 100
words people would choose.  100^4 = 100,000,000
combinations.

As I mentioned, you would need a 24 word passphrase
to generate 160 bits of entropy.

I disagree with your assumption. There are roughly 1 million words in the English dictionary. Once a potential attacker knew that a passphrase was going to be exactly 4 English words, then the number of potential combinations would be 1,000,000^4 which is 1 * 10^24. While this may sound like a lot, you need to understand that testing one combination would generally take the same amount of computing power to make one "hash". You also need to understand that "mining" brain wallet addresses is not the same as mining Bitcoin blocks as once you check an address, you will forever know what the private key is to an associated public address

Woah, you are missing the context here.

The passphrase isn't supposed to be 4 words.  It's supposed to be 24 words.  I only gave 4
in a prior post to demonstrate how to get random words.   Teukon asked how much entropy
those 4 words would have.
 
You can't go off a million words in the dictionary.  You go off 100 words
(an exaggeratedly SMALL number) to be on the safe side.  If brainwallet
skeptics say that "oh everyone has the same thoughts", well, assume
people would choose the same 100 words over and over and go with that.
So, the formula then becomes 100^24 = 160 bits of entropy.





sr. member
Activity: 350
Merit: 250
Does anyone here mind telling me what a Brain wallet is please? Basically you remember your Private key from your Wallet or how does it work exactly? Shocked

A brain wallet is a wallet where all the information needed to spend the held bitcoins is memorised.

Memorising a private key (or extended private key: BIP-0032) is one simple way of doing this.  You might also memorise the essential contents of some service's paper-wallet backup (related reading: BIP-0039).

Some people will generate a passphrase themselves and take some 256-bit hash of that passphrase to be used as a private key.  However, it is common for people to create insufficient entropy in this process and thereby run the risk of having their bitcoins stolen.

silver fish kracker utoob the noob with phat boobs.

you can see we're getting into serious entropy already.

I don't see.  How much entropy do you have here?

Very conservatively, that would be about 27 bits of
entropy minimum, since you have 4 words. (silver fish kracker utoob).

The assumption is there would be minimum of 100
words people would choose.  100^4 = 100,000,000
combinations.

As I mentioned, you would need a 24 word passphrase
to generate 160 bits of entropy.

I disagree with your assumption. There are roughly 1 million words in the English dictionary. Once a potential attacker knew that a passphrase was going to be exactly 4 English words, then the number of potential combinations would be 1,000,000^4 which is 1 * 10^24. While this may sound like a lot, you need to understand that testing one combination would generally take the same amount of computing power to make one "hash". You also need to understand that "mining" brain wallet addresses is not the same as mining Bitcoin blocks as once you check an address, you will forever know what the private key is to an associated public address.
legendary
Activity: 1232
Merit: 1001
mining is so 2012-2013
I bet nobody gets your Bitcoin.
legendary
Activity: 1302
Merit: 1008
Core dev leaves me neg feedback #abuse #political
Does anyone here mind telling me what a Brain wallet is please? Basically you remember your Private key from your Wallet or how does it work exactly? Shocked

A brain wallet is a wallet where all the information needed to spend the held bitcoins is memorised.

Memorising a private key (or extended private key: BIP-0032) is one simple way of doing this.  You might also memorise the essential contents of some service's paper-wallet backup (related reading: BIP-0039).

Some people will generate a passphrase themselves and take some 256-bit hash of that passphrase to be used as a private key.  However, it is common for people to create insufficient entropy in this process and thereby run the risk of having their bitcoins stolen.

silver fish kracker utoob the noob with phat boobs.

you can see we're getting into serious entropy already.

I don't see.  How much entropy do you have here?

Very conservatively, that would be about 27 bits of
entropy minimum, since you have 4 words. (silver fish kracker utoob).

The assumption is there would be minimum of 100
words people would choose.  100^4 = 100,000,000
combinations.

As I mentioned, you would need a 24 word passphrase
to generate 160 bits of entropy.
legendary
Activity: 1246
Merit: 1011
Does anyone here mind telling me what a Brain wallet is please? Basically you remember your Private key from your Wallet or how does it work exactly? Shocked

A brain wallet is a wallet where all the information needed to spend the held bitcoins is memorised.

Memorising a private key (or extended private key: BIP-0032) is one simple way of doing this.  You might also memorise the essential contents of some service's paper-wallet backup (related reading: BIP-0039).

Some people will generate a passphrase themselves and take some 256-bit hash of that passphrase to be used as a private key.  However, it is common for people to create insufficient entropy in this process and thereby run the risk of having their bitcoins stolen.

silver fish kracker utoob the noob with phat boobs.

you can see we're getting into serious entropy already.

I don't see.  How much entropy do you have here?
sr. member
Activity: 350
Merit: 250
Clearly nobody has emptied the address yet, but that is a very bad way of determining if something is secure or not.

Well - if no-one can empty my address then how would you explain that?

(luck?)

There is a difference between "nobody can empty my address" and "nobody has emptied my address".

Just like there is a difference between "nobody can steal my car" and "nobody has stolen my car".

You can't equate the fact that the funds haven't been taken with the concept that the funds can't be taken.
The thing is that in order to steal a car, you need to be physically present, while you do not even need to be connected to the internet to crack a brain wallet (you only need a 'somewhat' up-to-date version of the blockchain).

The level of entropy that a brain wallet will use is not enough to keep it secure over the long term. This is especially true as ASICs are being made for scrypt based altcoins, which means that it will eventually be more profitable to re-purpose GPUs to attempt to mine brain wallets (which means more effort will be put into finding a brain wallet). I think that brain wallets may be secure for short term storage under certain circumstances (for example if you are crossing the border and/or going to be going to jail for a short time).

I also think the fact that no one has stolen your 1 BTC means that no one has found the private key. It is a known fact that some people "test" their brain wallet with small amounts of bitcoin to see if the money is quickly stolen and if so don't put what they "really" intended to put in it, and as a result people who are farming brain wallets will not always take the balance from a brain wallet just because there is a balance in it.
legendary
Activity: 1302
Merit: 1008
Core dev leaves me neg feedback #abuse #political
This is about entropy - if my passphrase entropy is not good enough then the funds will be stolen.

Correct.

And the human mind is incapable of useful amounts of entropy.
 

This is definitely debatable, and I would personally disagree with this statement.
I've already given a method that demonstrates how you can generate high entropy.


Quote
Anything that any person in the world is capable of thinking, someone else in the world can also think.  We are deterministic creatures that are limited by our minds.

While both of these statements are somewhat true, neither precludes generation of entropy, and you're ignoring
several important facts.  Namely, that there is a large number of distinct words/thoughts/things
that exist...and while our thoughts may ultimately be deterministic, there is no meaningful way
to predict them.  Furthermore, we all have unique experiences, memories, and brains, so we will
come up with different thoughts.  Even our own selves will come up with different thought patterns
on different days and there is no way to predict them.  Combine that with enough components
to a brain wallet phrase, and high entropy is possible.


 
legendary
Activity: 1890
Merit: 1086
Ian Knowles - CIYAM Lead Developer
You can't equate the fact that the funds haven't been taken with the concept that the funds can't be taken.

You are really *reaching with this* - so you think that someone has worked out my private key and not taken the funds. Cheesy

Then I'd ask that person to sign a message showing that they have the private key otherwise your post is rather ridiculous.
legendary
Activity: 3472
Merit: 4801
Clearly nobody has emptied the address yet, but that is a very bad way of determining if something is secure or not.

Well - if no-one can empty my address then how would you explain that?

(luck?)

There is a difference between "nobody can empty my address" and "nobody has emptied my address".

Just like there is a difference between "nobody can steal my car" and "nobody has stolen my car".

You can't equate the fact that the funds haven't been taken with the concept that the funds can't be taken.
legendary
Activity: 1890
Merit: 1086
Ian Knowles - CIYAM Lead Developer
Clearly nobody has emptied the address yet, but that is a very bad way of determining if something is secure or not.

Well - if no-one can empty my address then how would you explain that?

(luck?)
legendary
Activity: 3472
Merit: 4801
Therefore, it must be completely secure from anyone ever stealing it.
Sure - let's just get back to the address I mentioned and the funds - not some imaginary situation.

Just making a very obvious point about the flaw in your reasoning.
legendary
Activity: 3472
Merit: 4801
This is about entropy - if my passphrase entropy is not good enough then the funds will be stolen.

Correct.

And the human mind is incapable of useful amounts of entropy.  Anything that any person in the world is capable of thinking, someone else in the world can also think.  We are deterministic creatures that are limited by our minds.

Clearly nobody has emptied the address yet, but that is a very bad way of determining if something is secure or not.
legendary
Activity: 1890
Merit: 1086
Ian Knowles - CIYAM Lead Developer
Therefore, it must be completely secure from anyone ever stealing it.

Sure - let's just get back to the address I mentioned and the funds - not some imaginary situation.
legendary
Activity: 1890
Merit: 1086
Ian Knowles - CIYAM Lead Developer
My point is that you can't assume, just because nobody has written the correct software to crack your brainwallet, that nobody ever will.  You also can't assume that nobody in the entire world will ever attempt to store their bitcoins using the exact same method as you (completely by coincidence) and stumble upon your bitcoins.

No one is assuming anything other than that.

This is about entropy - if my passphrase entropy is not good enough then the funds will be stolen.
legendary
Activity: 3472
Merit: 4801
Again there is still 1 BTC there.

Steal it (oh yes - I forgot - you can't).

There is a vehicle in Alaska right now that is unlocked with the keys in the ignition.

Go ahead, steal it.

Oh yes, I forgot, you can't.

Therefore, it must be completely secure from anyone ever stealing it.
legendary
Activity: 3472
Merit: 4801
@Danny - there are people running software 24x7 to hack weak passwords - you know this.

So why pretend that you don't?

There are also people stealing vehicles 24x7.

My point is that you can't assume, just because nobody has written the correct software to crack your brainwallet, that nobody ever will.  You also can't assume that nobody in the entire world will ever attempt to store their bitcoins using the exact same method as you (completely by coincidence) and stumble upon your bitcoins.
legendary
Activity: 1890
Merit: 1086
Ian Knowles - CIYAM Lead Developer
@Danny - there are people running software 24x7 to hack weak passwords - you know this.

So why pretend that you don't?

Again there is still 1 BTC there.

Steal it (oh yes - I forgot - you can't).
legendary
Activity: 3472
Merit: 4801
Does this mean that I've found a secure way to store my vehicle?  Certainly my 50 years is longer than your 2 years.
So you are over 50 years old now?

Does my age matter?

The point stands on its own.

There are a significant number of people in the world that leave their vehicle unlocked with the key in the vehicle and that have not had their vehicle stolen.  Does the simple fact that a vehicle hasn't been stolen yet mean that the method of storing it is "secure"?

(seriously that is not a good argument)

Honestly, that's a perfect argument.

You are stating that your brainwallet is proven "secure" simply because it hasn't been stolen yet.  Meanwhile many people with brainwallets have had their funds stolen.

I'm pointing out that a method of securing something that results in some losing what they are securing, can't be considered "secure" just because others haven't yet lost what they are securing.
legendary
Activity: 1890
Merit: 1086
Ian Knowles - CIYAM Lead Developer
Does this mean that I've found a secure way to store my vehicle?  Certainly my 50 years is longer than your 2 years.

So you are over 50 years old now?

(seriously that is not a good argument)

If my key could have been found easily it would have already been found.
legendary
Activity: 3472
Merit: 4801
@itod - if my brainwallet doesn't have enough entropy then why does it still have 1 BTC?

I am not against hardening one's brainwallet but my point is rather a simple one - if no-one can possibly come up with a secure brainwallet then why do I still have 1 BTC

The fact that something hasn't been stolen yet is not an indication that it is secure.

My vehicles have been parked in my driveway in front of my house for the past 50 years.  The vehicle doors are always unlocked.  The key is always in the glovebox.

I have never yet had a vehicle stolen.

Does this mean that I've found a secure way to store my vehicle?  Certainly my 50 years is longer than your 2 years.

legendary
Activity: 1302
Merit: 1008
Core dev leaves me neg feedback #abuse #political
I will say that while I do agree it's possible, why not just use a RNG to help choose dictionary words?
If you don't trust computers, dice or cards work great.

The human brain is far more capable than most people seem to give it credit for  


I agree completely...

Not only on the creation of passphrases, but memory too.

Even memorizing a private key isn't THAT hard.  
It's 64 characters, or 32 pairs (E9, B2, etc).

I'm all about erring on the side of caution when
it comes to money but come on, it's like people
have become mental midgets.

If I told you you have to memorize 5 private
keys by tomorrow or I'll kill your family, I bet
you would be able to do it.


legendary
Activity: 1890
Merit: 1086
Ian Knowles - CIYAM Lead Developer
A big part of the reason I created this topic was to measure the thinking that others have about brainwallets.

It is correct that most people are not capable of creating good brainwallets but to suggest that no-one can do this is IMO just wrong. If I lose the 1 BTC I've exposed then maybe I'll have to change my thinking - but until then I am saying brainwallets are a great way to store funds for those that have the capability to do so.

And btw - anyone trying to find my key by following the suggestions that I made in this topic won't have a chance to get my 1 BTC.  Grin
legendary
Activity: 1890
Merit: 1086
Ian Knowles - CIYAM Lead Developer
I will say that while I do agree it's possible, why not just use a RNG to help choose dictionary words?
If you don't trust computers, dice or cards work great.

The human brain is far more capable than most people seem to give it credit for - so I give this 1 BTC wallet as an example of that (if I lose that 1 BTC it is not as though it won't be noticed now).

Again I am not against using random methods to help but after seeing the failures of PRNGs before I'd rather trust myself than an OS that might have a buggy PRNG (of course the dice suggestion is a good one).
legendary
Activity: 1302
Merit: 1008
Core dev leaves me neg feedback #abuse #political
True - if you use a bad passphrase for your brainwallet you'll lose your funds almost instantly.

But the purpose of this topic is not to debate about that but whether or not you can actually protect BTC with a good brainwallet (as nearly every topic I have read on this forum about brainwallets suggests that my 1 BTC should have already been stolen).

So why is my 1 BTC not stolen?


I will say that while I do agree it's possible, why not just use a RNG to help choose dictionary words?
If you don't trust computers, dice or cards work great.
legendary
Activity: 1890
Merit: 1086
Ian Knowles - CIYAM Lead Developer
True - if you use a bad passphrase for your brainwallet you'll lose your funds almost instantly.

But the purpose of this topic is not to debate about that but whether or not you can actually protect BTC with a good brainwallet (as nearly every topic I have read on this forum about brainwallets suggests that my 1 BTC should have already been stolen).

So why is my 1 BTC not stolen?
legendary
Activity: 1974
Merit: 1077
^ Will code for Bitcoins
If you can't remember it, it can not be called a brainwallet. If you can remember it, it has a fraction of the entropy of any PRNG.

And we have seen broken PRNGs lead to the loss of many Bitcoins already.

I personally trust my own brain more than a PRNG - if you wish to trust a PRNG that is of course your choice.

As I've added in the edit in my post above, PRNGs have their set of issues. There was a single bigger case of lost bitcoins caused by the known bug in the Android PRNG, and the number of coins that were lost was < 100 if I remember correctly + the users were reimbursed by Blockchain.info whose wallet was the app that used the Android PRNG mentioned above. The number of bitcoins lost to bad brainwallets is at least an order of magnitude (if not two orders of magnitude) bigger than that. Remember also that that bug was corrected once and for all, while bad brainwallets are generated over and over again. As you've said, everyone has a choice what to use.
legendary
Activity: 1302
Merit: 1008
Core dev leaves me neg feedback #abuse #political
I think it is fairly easy to create a brainwallet with enough entropy to protect the coins. It is more challenging to remember the formula with no mistakes a few years from now.

If you can't remember it, it can not be called a brainwallet. If you can remember it, it has a fraction of the entropy of any PRNG.
 

This is absurd.  

1.  Yes, you need LONGER passphrases if they are human generated, but
you can't define the security based on human memory.  My memory
has nothing to do with whether the phrase was generated by
a computer or by a human.

2. IMO, a brain wallet is still a brain wallet if you use it as such
(electrum generated seed for example), regardless of how the
phrase was generated.

3. Some people have very good memories.  Some people
memorize entire books.



legendary
Activity: 1890
Merit: 1086
Ian Knowles - CIYAM Lead Developer
I am not sure this would be long enough. It may be a good start, but I would say you probably need to have additional words at the end of the above.

The actual length I used for my brainwallet is longer but not much longer (again I will state that this address was created over 2 years ago and has not been hacked).

Am sure there are some now trying to crack my address but that's okay - this is the experiment I am doing.
legendary
Activity: 1890
Merit: 1086
Ian Knowles - CIYAM Lead Developer
If you can't remember it, it can not be called a brainwallet. If you can remember it, it has a fraction of the entropy of any PRNG.

And we have seen broken PRNGs lead to the loss of many Bitcoins already.

I personally trust my own brain more than a PRNG - if you wish to trust a PRNG that is of course your choice.
full member
Activity: 224
Merit: 100
buzfap01$02%014STK1456cAonImA;)7

Even at this stage my guess is that we are at a level of pretty safe entropy (provided you have not followed my formula but instead created your own).

I am not sure this would be long enough. It may be a good start, but I would say you probably need to have additional words at the end of the above.

I don't dispute that creating brainwallets is not for everyone but I *do dispute* the idea that no-one is capable of creating a decent brainwallet.

Brainwallets just don't produce enough entropy for the seed of your private key. It's a known fact that there are several groups with GPU farms creating giant rainbow tables for these purposes. It's generally considered that every passphrase that can be Googled is not secure enough for a brainwallet. There's a guy who reported that a passphrase created from an entire poem written in some obscure language (Afrikaans) has been brute-forced. For instance, I took the four words from your sentence above in random order, "capable dispute creating everyone", and it returns 0 hits on Google (until I post this, at least). This may be a good brainwallet by your criteria since if I hadn't posted it it would probably be safe against attackers for a very, very long time, but it has nowhere close to enough entropy compared to any decent PRNG. The question is this: if it's inferior from the security standpoint to any address generated by the Bitcoin-QT wallet, why don't you let Bitcoin-QT generate the address and after that passphrase-protect the wallet with the same "capable dispute creating everyone" passphrase, making it infinitely harder for the attacker since he has to hack your machine first + hack the passphrase, instead of only hacking the passphrase?
I think this was somewhat already addressed. It was mentioned that you should not make your passphrase anything that has ever been published, in any language. If you make it truly random and something that has not been published anywhere then you should be okay. As I mentioned above, something the length of only 4 words is probably not long enough.
legendary
Activity: 1974
Merit: 1077
^ Will code for Bitcoins
I think it is fairly easy to create a brainwallet with enough entropy to protect the coins. It is more challenging to remember the formula with no mistakes a few years from now.

If you can't remember it, it can not be called a brainwallet. If you can remember it, it has a fraction of the entropy of any PRNG.

Edit: although PRNG have their own set of problems which is not the topic here. Nevertheless they are the best tool we have.
legendary
Activity: 1890
Merit: 1086
Ian Knowles - CIYAM Lead Developer
I think it is fairly easy to create a brainwallet with enough entropy to protect the coins. It is more challenging to remember the formula with no mistakes a few years from now.

As stated - I checked the address by remembering my passphrase before I created the topic (so I have managed to remember it now for over 2 years).
hero member
Activity: 672
Merit: 500
I think it is fairly easy to create a brainwallet with enough entropy to protect the coins. It is more challenging to remember the formula with no mistakes a few years from now.
legendary
Activity: 1302
Merit: 1008
Core dev leaves me neg feedback #abuse #political
I don't dispute that creating brainwallets is not for everyone but I *do dispute* the idea that no-one is capable of creating a decent brainwallet.

Brainwallets just don't produce enough entropy for the seed of your private key.

that's the conventional wisdom we are challenging.  there is no reason why this has to be true (even if many people would screw it up).  
legendary
Activity: 1974
Merit: 1077
^ Will code for Bitcoins
@itod - if my brainwallet doesn't have enough entropy then why does it still have 1 BTC?

Because it is "good enough" that the rainbow-table-generating guys still haven't caught up with it. They are trying every upper/lower/initial case combination + every spacing combination + 1337-speak combinations of every passphrase their machines can get their hands on. It doesn't mean that sooner or later they will not get you. If you passphrase-protect the single instance of the wallet they may try forever, you would be safe.
legendary
Activity: 1890
Merit: 1086
Ian Knowles - CIYAM Lead Developer
@itod - if my brainwallet doesn't have enough entropy then why does it still have 1 BTC?

I am not against hardening one's brainwallet but my point is rather a simple one - if no-one can possibly come up with a secure brainwallet then why do I still have 1 BTC (I should have zero) and this brainwallet has existed for over 2 years (presumably since I've now made this address public the funds should be gone very soon).

So let's see how quickly I lose the 1 BTC (I have published this address as an experiment).
legendary
Activity: 1302
Merit: 1008
Core dev leaves me neg feedback #abuse #political
yes there are many techniques that would be possible.  the most important thing is to have enough components to ensure high entropy.

Not only enough but not to use stupid things like *famous years* or *football teams that won a grand final*, etc.


well even that would not matter if you had 24 different things in there and the order was jumbled but yes it would be better to use 1842 rather than 1776
legendary
Activity: 1974
Merit: 1077
^ Will code for Bitcoins
I don't dispute that creating brainwallets is not for everyone but I *do dispute* the idea that no-one is capable of creating a decent brainwallet.

Brainwallets just don't produce enough entropy for the seed of your private key. It's a known fact that there are several groups with GPU farms creating giant rainbow tables for these purposes. It's generally considered that every passphrase that can be Googled is not secure enough for a brainwallet. There's a guy who reported that a passphrase created from an entire poem written in some obscure language (Afrikaans) has been brute-forced. For instance, I took the four words from your sentence above in random order, "capable dispute creating everyone", and it returns 0 hits on Google (until I post this, at least). This may be a good brainwallet by your criteria since if I hadn't posted it it would probably be safe against attackers for a very, very long time, but it has nowhere close to enough entropy compared to any decent PRNG. The question is this: if it's inferior from the security standpoint to any address generated by the Bitcoin-QT wallet, why don't you let Bitcoin-QT generate the address and after that passphrase-protect the wallet with the same "capable dispute creating everyone" passphrase, making it infinitely harder for the attacker since he has to hack your machine first + hack the passphrase, instead of only hacking the passphrase?
legendary
Activity: 1890
Merit: 1086
Ian Knowles - CIYAM Lead Developer
yes there are many techniques that would be possible.  the most important thing is to have enough components to ensure high entropy.

Not only enough but not to use stupid things like *famous years* or *football teams that won a grand final*, etc.
legendary
Activity: 1302
Merit: 1008
Core dev leaves me neg feedback #abuse #political
yes there are many techniques that would be possible.  the most important thing is to have enough components to ensure high entropy.
legendary
Activity: 1890
Merit: 1086
Ian Knowles - CIYAM Lead Developer
Then finally add a smiley you are partial to:

buzfap01$02%014STK1456cAonImA;)

and perhaps a lucky number as well.

buzfap01$02%014STK1456cAonImA;)7

Even at this stage my guess is that we are at a level of pretty safe entropy (provided you have not followed my formula but instead created your own).

Such a passphrase is not so difficult to learn (but does take time). So I think that most people are capable of creating a brainwallet but I think it will take them some time to develop it (but if you really care about your investment you'll spend the time to protect it).
legendary
Activity: 1890
Merit: 1086
Ian Knowles - CIYAM Lead Developer
and after this let's add a swear word translated into a different language than our native one (mixing the case)

buzfap01$02%014STK1456cAonImA
legendary
Activity: 1890
Merit: 1086
Ian Knowles - CIYAM Lead Developer
You are right on to my wavelength here.

So let's see where we can go next with my simple experiment.

After our stock ticker addition let's add a number that we can come up with without anyone else easily knowing, such as the number of lines of code we had committed to github in the year before we started creating this passphrase.

Now we are at say: buzfap01$02%014STK1456


legendary
Activity: 1302
Merit: 1008
Core dev leaves me neg feedback #abuse #political
as long as we're challenging conventional wisdom,
I would also argue that humans are capable of creating
high entropy passphrases.

I agree - and would like this topic to perhaps focus on *how* this can be achieved (in a general enough manner not to give away my own passphrase of course). Smiley


I am a fan of electrum and use the 12 word seed as a brain wallet.  
Computer generated passphrases have measurable entropy and
will be shorter and thus easier to memorize.

However, I can create a strong passphrase by using
random word association, my current surroundings,
and a little bit of creativity.

If I want to be on the safe side, let's say I want 160
bits of entropy (the highest applicable), then I should
choose 24 words given the very conservative estimate
that there's only 100 random words people would use.
100^24 ~= 2^160.

let's use a technique I call "2 mental hops".

right now I see some silver tinsel, so maybe I'll start
with the word silver.  silver sounds like sliver which
reminds me of a sliver of fish, so that's 2 mental hops
from silver to fish.  so far I have "silver fish".

now I can either do another 2 mental hops from
fish, or choose a new word.  let's say fish reminds me
of barrel, and barrel reminds me of cracker.  but I'll
twist this further and spell it kracker.

so far I have fish silver kracker.

now I look at some ice in my glass, let's do 2 mental hops,
with a twist...ice reminds me of vanilla ice, which I saw
on YouTube.  so, I'll spell it utoob.  now I have silver fish kracker utoob.

etc etc

you can also do silly rhymes and include them too.

silver fish kracker utoob the noob with phat boobs.

you can see we're getting into serious entropy already.
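The 100^24 ~= 2^160 estimate in the post above, and Teukon's footnote earlier on the page that unequal word popularity lowers the per-word figure, can both be put into numbers. The Python below is an added example and is not code from the thread or from any poster; the Zipf popularity model, the guess-rate figures, and the use of 2048 (the BIP-0039 word-list size) as a comparison pool are assumptions, and all inputs are constructed for illustration.

```python
import math
from typing import Dict, List, Sequence


def uniform_bits_per_word(dictionary_size: int) -> float:
    """Entropy per word when each of the dictionary_size words is equally likely."""
    if dictionary_size < 2:
        raise ValueError("a dictionary needs at least two words to carry entropy")
    return math.log2(dictionary_size)


def passphrase_bits(num_words: int, dictionary_size: int) -> float:
    """Entropy of num_words independent, uniformly chosen words: n * log2(N)."""
    return num_words * uniform_bits_per_word(dictionary_size)


def words_needed(target_bits: float, dictionary_size: int) -> int:
    """Smallest word count whose uniform-choice entropy reaches target_bits."""
    return math.ceil(target_bits / uniform_bits_per_word(dictionary_size))


def shannon_bits_per_word(weights: Sequence[float]) -> float:
    """Entropy per word when words are picked with probabilities proportional to weights.

    This is the adjustment Teukon's footnote describes: the same dictionary
    yields fewer bits per word when some words are far more popular than others.
    Uniform weights reproduce log2(len(weights)).
    """
    total = float(sum(weights))
    return -sum((w / total) * math.log2(w / total) for w in weights if w > 0)


def zipf_weights(dictionary_size: int, exponent: float = 1.0) -> List[float]:
    """Assumed popularity model (not from the thread): rank r gets weight 1 / r**exponent."""
    return [1.0 / rank ** exponent for rank in range(1, dictionary_size + 1)]


def bits_to_resist(guesses_per_second: float, seconds: float) -> float:
    """Entropy at which an attacker's whole guess budget covers the keyspace exactly once.

    The rate is a modelling assumption supplied by the caller, not a measurement.
    """
    return math.log2(guesses_per_second * seconds)


def report() -> Dict[str, float]:
    """Collect the thread's figures and the non-uniform adjustment in one table."""
    year = 365 * 24 * 3600
    return {
        "4 words, 100-word pool": passphrase_bits(4, 100),
        "24 words, 100-word pool": passphrase_bits(24, 100),
        "12 words, 2048-word pool (BIP-0039 list size)": passphrase_bits(12, 2048),
        "per word, 100 words uniform": uniform_bits_per_word(100),
        "per word, 100 words Zipf (assumed model)": shannon_bits_per_word(zipf_weights(100)),
        "per word, 400 words Zipf (assumed model)": shannon_bits_per_word(zipf_weights(400)),
        "words for 160 bits from 100-word pool": words_needed(160, 100),
        "bits to outlast 2^40 guesses/s for a year (assumed rate)": bits_to_resist(2 ** 40, year),
    }


if __name__ == "__main__":
    for label, value in report().items():
        print(f"{label:58s} {value:8.2f}")
```

Two things the table makes visible that the post's arithmetic does not: 24 words from a 100-word pool give 159.45 bits rather than 160, so reaching a full 160 bits from that pool actually takes 25 words, and the Zipf-weighted 100-word pool gives noticeably fewer bits per word than the uniform 6.64, which is exactly why Teukon's footnote asks for a larger dictionary to compensate.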


legendary
Activity: 1890
Merit: 1086
Ian Knowles - CIYAM Lead Developer
Perhaps you have followed some stocks in the past and there is one that you don't tell anyone about because you didn't do very well with it (or perhaps the one you never invested in but wish you had).

Let's add its ticker (in upper case).

So now maybe we have: buzfap01$02%014STK
legendary
Activity: 1890
Merit: 1086
Ian Knowles - CIYAM Lead Developer
Once you have your nonsense word then maybe add a date (but format the date in an unusual manner such as dd$mm%yyy).

So now we have: buzfap01$02%014
hero member
Activity: 658
Merit: 500
Respect All Fear None
Sweet challenge nothing like trying to win some free BTC
legendary
Activity: 1890
Merit: 1086
Ian Knowles - CIYAM Lead Developer
My suggestion is to build up your secure pass phrase over time.

Start with something small (and don't ever use it publicly - perhaps use it for encrypting some private files locally or the like).

A nonsense word can be a good start if it is something that is only known to yourself and say a couple of friends (e.g. buzfap).
legendary
Activity: 1890
Merit: 1086
Ian Knowles - CIYAM Lead Developer
as long as we're challenging conventional wisdom,
I would also argue that humans are capable of creating
high entropy passphrases.

I agree - and would like this topic to perhaps focus on *how* this can be achieved (in a general enough manner not to give away my own passphrase of course). Smiley

Let's start with what you should *not do*.

1) Do not use a published phrase from literature or pop-culture (i.e. some lyrics of a hit song are never going to be a good idea).
legendary
Activity: 1890
Merit: 1086
Ian Knowles - CIYAM Lead Developer
Does anyone here mind telling me what a Brain wallet is please? Basically you remember your Private key from your Wallet or how does it work exactly? Shocked

Trying to memorise a private key would be challenging even for people with very good memories - so no - in general you'd memorise a long passphrase that gets hashed.
legendary
Activity: 1302
Merit: 1008
Core dev leaves me neg feedback #abuse #political
For sure I am not *recommending* them but just putting the case forward that they are actually feasible if you have the ability (this is in no way trying to encourage any noobs to use brainwallets).


as long as we're challenging conventional wisdom, I would also argue that humans are capable of creating high entropy passphrases.
legendary
Activity: 1568
Merit: 1031
Does anyone here mind telling me what a brain wallet is please? Basically you remember your private key from your wallet, or how does it work exactly? Shocked
legendary
Activity: 1890
Merit: 1086
Ian Knowles - CIYAM Lead Developer
For sure I am not *recommending* them but just putting the case forward that they are actually feasible if you have the ability (this is in no way trying to encourage any noobs to use brainwallets).

As a counterpoint I was playing around with raw txs and stupidly re-used an address that had been published before (in an uncompressed version). My compressed version was relieved of its funds almost immediately after making the tx (luckily it was a trivial amount).
legendary
Activity: 1302
Merit: 1008
Core dev leaves me neg feedback #abuse #political
I totally agree. Brain wallets are great IF you know what you are doing. I get why they are not recommended... we don't want noobs losing their coins due to poor passphrases.
legendary
Activity: 1890
Merit: 1086
Ian Knowles - CIYAM Lead Developer
So here is a brainwallet address I created two years ago: https://blockchain.info/address/1Au4v6dZacFVsWXeKUMJd99AtyBZeqti2L

Originally I had stored 10 BTC there but after reading so many posts from people such as Gavin I decided to reduce the risk to 1 BTC but kept that just to see if my brainwallet would be discovered.

So after 2 years no-one has discovered it (and it is an address that was created via a passphrase that I have remembered successfully since then - I retested my memory of the passphrase just prior to making this post).

I don't dispute that creating brainwallets is not for everyone but I *do dispute* the idea that no-one is capable of creating a decent brainwallet.

So now that you know the address - let's see if anyone can work out my passphrase and steal the 1 BTC.

Smiley

Also I'd be interested to know from those who are keen on analysing the blockchain how much BTC they think I might have based upon this address.