(!) Armory Brain Wallet | Bitcointalksearch.org

TimS

sr. member

Activity: 250

Merit: 253

Quote from: timz on July 10, 2015, 01:01:25 PM

The main reason - Armory's master key generated by Armory's algorithm. If the algorithm will be compromised, or will be picked up initial conditions for key generating, then your coins will be at stake. In addition, I think it is not easy to find out (and remember) a phrase for existing key.
I just like idea that you may use your favorite phrase to restore wallet anywhere anytime. Just select strong passphrase. In addition you may create paper fragmented backup if you like.

1. You're underestimating the security of Armory's random number generator. The non-technical version is that computers and algorithms are actually pretty great at generating a limited number of securely random bits. For more details, read this comment in the source code (it captures a lot of info about your mouse clicks, key presses, system files, and a screenshot of your desktop for extra entropy).
2. You can generate a phrase for any given key/number following grammatical structure pretty easily, even if it might not make perfect semantic sense (but that's okay, it doesn't need to be sensical, just memorable).
3. You're overestimating the security of a person thinking up a "strong passphrase". This is what everyone in this thread has been trying to tell you. Bottom line: If your brain came up with it, it's bad! (not 100% of the time, but often enough that that's the advice I'll give you)

If you want to memorize your Armory key, what I'd recommend is making an algorithm that can convert between the easy base 16 format and a passphrase format. There should be a one-to-one-to-one correspondence between valid 128-bit keys, valid 128-bit base 16 encodings, and valid 128-bit passphrases.

timz

member

Activity: 120

Merit: 10

Quote from: Searinox on July 10, 2015, 11:15:06 AM

If you absolutely MUST use a brain wallet, why not make something that takes Armory's master key and provides multiple methods of representing it as easily memorizable words or phrases? You at least keep Armory's crypto-securely-generated master key. You don't make it any less of a risk to forget it, but it's a step up at least.

The main reason - Armory's master key generated by Armory's algorithm. If the algorithm will be compromised, or will be picked up initial conditions for key generating, then your coins will be at stake. In addition, I think it is not easy to find out (and remember) a phrase for existing key.
I just like idea that you may use your favorite phrase to restore wallet anywhere anytime. Just select strong passphrase. In addition you may create paper fragmented backup if you like.

Searinox

full member

Activity: 147

Merit: 100

Do you like fire? I'm full of it.

If you absolutely MUST use a brain wallet, why not make something that takes Armory's master key and provides multiple methods of representing it as easily memorizable words or phrases? You at least keep Armory's crypto-securely-generated master key. You don't make it any less of a risk to forget it, but it's a step up at least.

CircusPeanut

full member

Activity: 123

Merit: 100

Here's another great article on why Brain Wallets are insecure:

http://www.wired.com/2015/07/brainflayer-password-cracker-steals-bitcoins-brain/

All you really need to know is that every hacker that is attacking a bitcoin brain wallet, is attacking your bitcoin brain wallet...if you have one, so don't have one.

etotheipi

legendary

Activity: 1428

Merit: 1093

Core Armory Developer

By the way, it's fairly established that the english language has 0.8 to 1.2 bits per letter. Rather, grammatically correct, properly spelled english has appoximately one-eighth the amount of entropy as its length. So for the phrase you picked as an example has 68 letters, so between 54 and 81 bits of entropy. This is somewhat strong, but on the low-end, still brute-forceable.

Root keys should never be generated with less than 128 bits of entropy. That is both a reasonable, forever-secure value, and also the approximate protection level of a 256-bit ECDSA private key (ECDSA private keys have about half the seucirty of their length).

Even if you're holding $100, 54 bits of entropy is really quite terrible considering that an attacker can brute-force all brainwallets in the world with the same brute-force search. You can improve it with some solid passphrase stretching, but for any significant amounts of money no one should even be taking this risk.

Newar

legendary

Activity: 1358

Merit: 1001

https://gliph.me/hUF

Quote from: btchris on October 11, 2014, 11:44:40 AM

[...]
Good points. I hope you're not suggesting that you should type your brainwallet into google to check its password strength.... Wink

Lol, no.

This brings back the memories of instawallet and the way bitcoin addresses were leaked to the Google search index via Chrome. It made these addresses real easy to find.

https://bitcointalksearch.org/topic/m.1719541

btchris

hero member

Activity: 672

Merit: 504

a.k.a. gurnec on GitHub

Quote from: Newar on October 11, 2014, 09:50:58 AM

The developer of the tool writes a bit about entropy estimation in this blog post, which may be of interest to you: https://tech.dropbox.com/2012/04/zxcvbn-realistic-password-strength-estimation/ (scroll down about a third of the page)

That's a great article, thanks.

Quote from: Newar on October 11, 2014, 09:50:58 AM

Of course, anything you can find on google (using quotation marks around the search term), you don't need to bother putting it in that tool. Contrary to other "password check" tools, zxcvbn at least makes mention of that by showing "pattern: dictionary".

Good points. I hope you're not suggesting that you should type your brainwallet into google to check its password strength.... Wink

Newar

legendary

Activity: 1358

Merit: 1001

https://gliph.me/hUF

Quote from: btchris on October 10, 2014, 12:07:51 PM

I do believe that in suggesting that (or any) entropy estimation tool, you just contradicted yourself...

Entropy estimation tools such as the one mentioned can provide, at best, an upper bounds estimate, and therefore provide a false sense of security. They assume password crackers only use particular predetermined techniques when generating password guesses, however crackers are forever improving their techniques (furthermore these techniques are not necessarily public knowledge).

The developer of the tool writes a bit about entropy estimation in this blog post, which may be of interest to you: https://tech.dropbox.com/2012/04/zxcvbn-realistic-password-strength-estimation/ (scroll down about a third of the page)

Quote from: btchris on October 10, 2014, 12:07:51 PM

The (nice, thanks for that) article you pointed to exactly demonstrates this. I took the first "difficult" password mentioned in the article (which has been successfully cracked using the described techniques), and plugged it into the estimation tool, and got this:

Code:

password: Am i ever gonna see your face again?
entropy: 100.857
crack time (seconds): 1.1482519836189682e+26
crack time (display): centuries
score from 0 to 4: 4
calculation time (ms): 7

It seems awfully unlikely that the article's authors were able to crack a password with 101 bits of entropy, hence the estimate is a bad one. So, just to reiterate: estimating entropy is really hard...

Of course, anything you can find on google (using quotation marks around the search term), you don't need to bother putting it in that tool. Contrary to other "password check" tools, zxcvbn at least makes mention of that by showing "pattern: dictionary".

CircusPeanut

full member

Activity: 123

Merit: 100

Quote from: btchris on October 10, 2014, 02:13:57 PM

Quote from: CircusPeanut on October 10, 2014, 01:43:55 PM

...Then I use my brain wallet pass phrase to protect my offline armory wallet....

That sounds pretty good to me. Since it's no longer a brain wallet, there's no reason to call it a "brain wallet pass phrase", right?

I meant that instead of using my brain wallet pass phrase to generate the wallet, I would use the pass phrase as the password for protecting the wallet file. So, yeah, I guess at that point it's just a pass phrase.

btchris

hero member

Activity: 672

Merit: 504

a.k.a. gurnec on GitHub

Quote from: CircusPeanut on October 10, 2014, 01:43:55 PM

Hypothetically speaking (I am absolutely not suggesting that anyone is doing this now) if I was a hacker it seems like a good way to steal bitcoins would be to write a little program, probably like the javascript above, but something faster, that for each pass phrase in those lists, generate an Armory wallet, check the first 20 or so addresses for any bitcoins.

People already do it for other brain wallets, so I don't see why it would be any different for Armory brain wallets.

Quote from: CircusPeanut on October 10, 2014, 01:43:55 PM

I use a shuffled deck of cards myself. Peel off the first 40 cards to generate my root key. Then 3 of 6 fragmented backup, test them out a few times on my offline device, and store them in separate places. Then I use my brain wallet pass phrase to protect my offline armory wallet. Good to go.

That sounds pretty good to me. Since it's no longer a brain wallet, there's no reason to call it a "brain wallet pass phrase", right?

CircusPeanut

full member

Activity: 123

Merit: 100

Quote from: Newar on October 10, 2014, 10:56:59 AM

Yeah, why bruteforce when you can wordlist? http://arstechnica.com/security/2013/10/how-the-bible-and-youtube-are-fueling-the-next-frontier-of-password-cracking/

Hypothetically speaking (I am absolutely not suggesting that anyone is doing this now) if I was a hacker it seems like a good way to steal bitcoins would be to write a little program, probably like the javascript above, but something faster, that for each pass phrase in those lists, generate an Armory wallet, check the first 20 or so addresses for any bitcoins. Just let the program run in the background and then get on the forums talk up the generating a Bitcoin Armory brain wallet.

I use a shuffled deck of cards myself. Peel off the first 40 cards to generate my root key. Then 3 of 6 fragmented backup, test them out a few times on my offline device, and store them in separate places. Then I use my brain wallet pass phrase to protect my offline armory wallet. Good to go.

btchris

hero member

Activity: 672

Merit: 504

a.k.a. gurnec on GitHub

Quote from: Newar on October 10, 2014, 10:56:59 AM

Quote from: spin on October 10, 2014, 04:06:44 AM

[...]
(Of course given that it's now a sentence on a bitcoin related site, using it now would be suicide!)

Yeah, why bruteforce when you can wordlist? http://arstechnica.com/security/2013/10/how-the-bible-and-youtube-are-fueling-the-next-frontier-of-password-cracking/

Quote from: picobit on October 09, 2014, 02:08:14 PM

[....]
I *think* it is barely out of reach of a brute force search, but honestly I have no clue.

https://dl.dropboxusercontent.com/u/209/zxcvbn/test/index.html gives an entropy of 194 bits.

I do believe that in suggesting that (or any) entropy estimation tool, you just contradicted yourself...

Entropy estimation tools such as the one mentioned can provide, at best, an upper bounds estimate, and therefore provide a false sense of security. They assume password crackers only use particular predetermined techniques when generating password guesses, however crackers are forever improving their techniques (furthermore these techniques are not necessarily public knowledge).

The (nice, thanks for that) article you pointed to exactly demonstrates this. I took the first "difficult" password mentioned in the article (which has been successfully cracked using the described techniques), and plugged it into the estimation tool, and got this:

Code:

password: Am i ever gonna see your face again?
entropy: 100.857
crack time (seconds): 1.1482519836189682e+26
crack time (display): centuries
score from 0 to 4: 4
calculation time (ms): 7

It seems awfully unlikely that the article's authors were able to crack a password with 101 bits of entropy, hence the estimate is a bad one. So, just to reiterate: estimating entropy is really hard...

Newar

legendary

Activity: 1358

Merit: 1001

https://gliph.me/hUF

Quote from: spin on October 10, 2014, 04:06:44 AM

[...]
(Of course given that it's now a sentence on a bitcoin related site, using it now would be suicide!)

Yeah, why bruteforce when you can wordlist? http://arstechnica.com/security/2013/10/how-the-bible-and-youtube-are-fueling-the-next-frontier-of-password-cracking/

Quote from: picobit on October 09, 2014, 02:08:14 PM

[....]
I *think* it is barely out of reach of a brute force search, but honestly I have no clue.

https://dl.dropboxusercontent.com/u/209/zxcvbn/test/index.html gives an entropy of 194 bits.

spin

sr. member

Activity: 362

Merit: 262

It's

Quote from: btchris on October 09, 2014, 02:36:47 PM

Quote from: picobit on October 09, 2014, 02:08:14 PM

And since "Two beer, or bottle of wine? That is the question of my silly brain." is (almost) grammatically correct and uses sensible punctuation, it has much lower entropy than one would expect. I *think* it is barely out of reach of a brute force search, but honestly I have no clue.

I agree it seems like a nice long passphrase, but this is exactly the problem.

Exactly, this has far less entropy than the same number of random (i.e. computer chosen) words from a long words list. How much less is not clear.
(Of course given that it's now a sentence on a bitcoin related site, using it now would be suicide!)

btchris

hero member

Activity: 672

Merit: 504

a.k.a. gurnec on GitHub

Quote from: picobit on October 09, 2014, 02:08:14 PM

And since "Two beer, or bottle of wine? That is the question of my silly brain." is (almost) grammatically correct and uses sensible punctuation, it has much lower entropy than one would expect. I *think* it is barely out of reach of a brute force search, but honestly I have no clue.

I agree it seems like a nice long passphrase, but this is exactly the problem.

We humans (myself included of course) are really bad at estimating how much entropy something has by just looking at it, and we're just as bad creating things with lots of entropy using only our brains. If it turns out the passphrase was in fact good enough, you'll know in 10 or 20 years because your key was never stolen. If, on the other hand, you were wrong, your bitcoin could disappear at any time between now and then.

If you're that worried about losing your paper backups, you can be nearly as paranoid as you want, e.g. print a 2-of-6 backup, and store them all in safety deposit boxes at different banks. (or how about just a standard/1-of-1 backup that you tattoo to a, uh, private area of your body? that should be hard to lose and, depending on your profession, hard to get stolen too

)

picobit

hero member

Activity: 547

Merit: 500

Decor in numeris

Quote from: timz on October 09, 2014, 01:53:07 PM

Well, I don't remember the password, but I still have my paper fragmented backup.
But if papers were lost, you may try to recall the password. It is just additional possibility to restore wallet.

That actually makes sense - at least if your passphrase is long and cryptic enough to be secure.

The demands for a brain wallet is many orders of magnitude higher than for a password, since you do not need access to anything other than the block chain to break it - and can attack all the world's brain wallets in parallel at no extra cost. A lot of people have a lot of specialized hardware for doing rapid hashes - and they no longer pay for themselves mining bitcoin. Some of these are going to try for brainwallets instead. And since "Two beer, or bottle of wine? That is the question of my silly brain." is (almost) grammatically correct and uses sensible punctuation, it has much lower entropy than one would expect. I *think* it is barely out of reach of a brute force search, but honestly I have no clue.

timz

member

Activity: 120

Merit: 10

Quote from: picobit on October 09, 2014, 12:44:36 PM

One year from from now, typing 'Two beer, or a bottle of wine? That is the question of my silly brain.' Wait??? Where are all my coins??? I am sure I remembered my password.

This is the other reason brain wallets are such a terrible idea.

Well, I don't remember the password, but I still have my paper fragmented backup.
But if papers were lost, you may try to recall the password. It is just additional possibility to restore wallet.

picobit

hero member

Activity: 547

Merit: 500

Decor in numeris

Quote from: timz on October 05, 2014, 04:28:57 AM

Use something like 'Two beer, or bottle of wine? That is the question of my silly brain.'

One year from from now, typing 'Two beer, or a bottle of wine? That is the question of my silly brain.' Wait??? Where are all my coins??? I am sure I remembered my password.

This is the other reason brain wallets are such a terrible idea.

spin

sr. member

Activity: 362

Merit: 262

Quote from: timz on October 06, 2014, 10:51:24 AM

Quote from: spin on October 06, 2014, 10:00:18 AM

entropy of sha256(sha256('3333333377777777444444443333333377777777444444443333333333333'))
is the same as the entropy of '3333333377777777444444443333333377777777444444443333333333333'

Only in case of password. And in case of low-cost brute forcing. But generally no. I mean if entropy of '3333333377777777444444443333333377777777444444443333333333333' is low, for example equal to 2^3 bytes phrase, it doesn't mean you may find the 8-bytes phrase that
hash256(8-byte-phrase)=hash256('3333333377777777444444443333333377777777444444443333333333333').

Users often chose low entropy passwords, x.
If entropy of x is low then entropy of sha256(sha256(x)) is also low...
Which means people can easily crack their wallets.

This is why everyone thinks brain wallets are a bad idea.

goatpig

legendary

Activity: 3766

Merit: 1364

Armory Developer

Address chain extension:

https://github.com/etotheipi/BitcoinArmory/blob/master/armoryengine/PyBtcWallet.py#L1047

Deriving the first key:

https://github.com/etotheipi/BitcoinArmory/blob/master/armoryengine/PyBtcWallet.py#L912

timz

member

Activity: 120

Merit: 10

Quote from: goatpig on October 06, 2014, 10:50:08 AM

Wallet passphrases are completely different from root keys. Root keys come from a CSPRNG. Passphrases are created by users, so they are extended properly for added security.

Could you tell the algorithm for generate chain key and first private key from Root Key? The restoring wallet takes a time, I though it is complicated procedure.

timz

member

Activity: 120

Merit: 10

Quote from: spin on October 06, 2014, 10:00:18 AM

entropy of sha256(sha256('3333333377777777444444443333333377777777444444443333333333333'))
is the same as the entropy of '3333333377777777444444443333333377777777444444443333333333333'

Only in case of password. And in case of low-cost brute forcing. But generally no. I mean if entropy of '3333333377777777444444443333333377777777444444443333333333333' is low, for example equal to 2^3 bytes phrase, it doesn't mean you may find the 8-bytes phrase that
hash256(8-byte-phrase)=hash256('3333333377777777444444443333333377777777444444443333333333333').

goatpig

legendary

Activity: 3766

Merit: 1364

Armory Developer

Quote from: timz on October 06, 2014, 09:21:51 AM

About brute forcing. Why I didn't make more iterations? If Armory does complicated scrypt-like work to restore wallet's private key from the Root Key, I really don't need more. Because brute-forcer have to do this work too. So our password is additionally protected from brute-forcing by Armory's algorithm.

We use a precursor to scrypt and a target derivation time on the extend wallet passphrases, that are used to encrypt the entries in your wallet if you choose to encrypt the wallet, on disk.

Wallet passphrases are completely different from root keys. Root keys come from a CSPRNG. Passphrases are created by users, so they are extended properly for added security.

spin

sr. member

Activity: 362

Merit: 262

entropy of sha256(sha256('3333333377777777444444443333333377777777444444443333333333333'))
is the same as the entropy of '3333333377777777444444443333333377777777444444443333333333333'

timz

member

Activity: 120

Merit: 10

Quote from: spin on October 06, 2014, 05:20:42 AM

But from your comments, it's not clear that you do understand. For example this comment:

Quote from: timz on October 04, 2014, 11:54:05 PM

Oh, REALLY??? Could you please prove the terrible entropy of sha256(sha256('any password'))? I think predetermined computer's random is worse.

If we are talking about entropy of string, sha256() always has good entropy. Example:
3333333377777777444444443333333377777777444444443333333333333 - Bad entropy.
7ba996c43e44eb1976019d31960bf21873d6d24ba469ccc03f626f8a2a856137 - Good entropy.
You may evaluate the entropy by compressing string. If you can zip the string, the string has bad entropy.

I guess you mean entropy of password, not sha256 string. It is the also object of dictionary brute forcing besides low entropy of real languages.

About brute forcing. Why I didn't make more iterations? If Armory does complicated scrypt-like work to restore wallet's private key from the Root Key, I really don't need more. Because brute-forcer have to do this work too. So our password is additionally protected from brute-forcing by Armory's algorithm.

spin

sr. member

Activity: 362

Merit: 262

Quote from: timz on October 06, 2014, 04:07:03 AM

I understand your position. Actually I made this for myself. I'm waiting for 2 years for passphrase determined wallet, but nothing appears. So I'm going to use Armory with my password addition. Of course this solution for people who understand what is password entropy, what password is secure.

But from your comments, it's not clear that you do understand. For example this comment:

Quote from: timz on October 04, 2014, 11:54:05 PM

Oh, REALLY??? Could you please prove the terrible entropy of sha256(sha256('any password'))? I think predetermined computer's random is worse.

timz

member

Activity: 120

Merit: 10

I understand your position. Actually I made this for myself. I'm waiting for 2 years for passphrase determined wallet, but nothing appears. So I'm going to use Armory with my password addition. Of course this solution for people who understand what is password entropy, what password is secure.

goatpig

legendary

Activity: 3766

Merit: 1364

Armory Developer

Quote from: timz on October 05, 2014, 04:28:57 AM

Do you have even one reasons why I shouldn't use not-bruteforceable password

Think of entropy as search space:

1) By using brain wallets you will most likely reduce your search space per byte from 2^8 to 2^6 (A-Z a-z 0-9 and some punctuation signs). On a 32 bytes/characters passphrase that's significant, and that's assuming people use passphrases that long.

2) To support such long passphrases people will probably resort to mnemonics. This will crush the search space to brute force your key, opening up the way for dictionary attacks and rainbow tables.

3) People who would rather not resort to mnemonics will reduce their passphrase length and expose themselves that way instead.

4) 2 sha iterations for a password derivation function is terribly weak. It's not unusual to see forum passwords hashes at 10k+ iterations. At least use something like scrypt to involve some RAM in the derivation function (like it's done in Armory as an example)

Overall you are taking these comments as attacks directed at you, when they state a couple simple truths: not everyone understands entropy and it's consequences, and less informed/involved users will usually turn towards the simplest solution.

Also you fail to see our standpoint. We can't support a tool that will have users do stupid things and lose coins, because we'll end up being liable in some way. We are an open source company. We don't have the resources to support customers who won't follow the proper security guidelines, so we simply won't promote bad practices.

timz

member

Activity: 120

Merit: 10

Just don't use 'bob' as a password. Use something like 'Two beer, or bottle of wine? That is the question of my silly brain.'
Do you have even one reasons why I shouldn't use not-bruteforceable password combined with fragmented backups? All your previous arguments are untenable to this usage.

etotheipi

legendary

Activity: 1428

Merit: 1093

Core Armory Developer

Quote from: timz on October 04, 2014, 11:54:05 PM

Could you please prove the terrible entropy of sha256(sha256('any password'))? I think predetermined computer's random is worse.

The act of hashing a password doesn't increase its entropy. The number of possible passwords is the total entropy. You can use sha256¹⁰⁰('bob') as your brain wallet, but anyone who looks at your applet will see that it uses sha256¹⁰⁰(pwd) and will write a program to start guessing through possible passwords passed through that function. All users that used "bob" as their password will immediately have their coins stolen, regardless of how many times you hash it.

A while back there was a user here who write a program to do a brute force search of brainwallets that use sha256(sha256()). I believe they found in excess of 100 BTC. Because people pick memorizable passwords and wanted to believe that no one would find it. And in reality, people don't realize just how fast computers are at guessing and how weak their own entropy is. For your reddit login, the stakes aren't very high. For $100,000 bitcoin wallet, I would be horrified if someone used a brain wallet.

Admittedly, your little javascript applet is very slick. But Armory Technologies will not be supporting the functionality since it so easily leads to lost coins. Our job is to not only create secure software, but to promote best security practices. Having a solid backup solution is one of those best practices.

timz

member

Activity: 120

Merit: 10

Quote from: etotheipi on October 04, 2014, 06:01:28 PM

For most humans, a wallet with sufficient entropy to be secure would not be memorizable. Thus, if it is memorizable, you're at significant risk of someone being able to steal your funds with brute-force searching.

That is why you have to use unique several-words phrases, your own ditty etc.

Quote from: etotheipi on October 04, 2014, 06:01:28 PM

Human-generated passwords have terrible entropy. You must use a cryptographically-secure random number generator to create your wallets. Armory provides this for you, but not if you use a brain wallet.

Oh, REALLY??? Could you please prove the terrible entropy of sha256(sha256('any password'))? I think predetermined computer's random is worse.

Quote from: etotheipi on October 04, 2014, 06:01:28 PM

Humans brains are not well-adapted to remembering such information for long periods of time. You may remember it now. You might remember it in 6 months. What about 3 years? 10 years? If you've ever forgotten a password, do not use a brain-wallet.
Even if you think you can get around the three points above, it still means that you take your Bitcoins to your grave with you. If I was your parent/spouse/kid, I would hope that if something unfortunate happens to you that I'll have a way to get access to your savings. Brain-wallets have no such mechanism and the coins will be lost forever.

To anyone who wants to better protect their wallets, we strongly encourage you to use a regular Armory wallet with fragmented backups instead. They provide a flexible combination of physical security, redundancy, will have sufficient entropy, and be recoverabe by family members if needed.

You may print fragmented backups as well if you use brain wallet. The brain wallet just an additional feature helps you if goes something wrong with your pieces of paper.

Quote from: etotheipi on October 04, 2014, 06:01:28 PM

We can't stop people who are really determined to make brain wallets, just don't say you weren't warned!

Thank you for warning. I developed this feature for people who has own brain.

etotheipi

legendary

Activity: 1428

Merit: 1093

Core Armory Developer

Armory Technologies strongly advises against the use of brain wallets under any circumstances.

For most humans, a wallet with sufficient entropy to be secure would not be memorizable. Thus, if it is memorizable, you're at significant risk of someone being able to steal your funds with brute-force searching.
Human-generated passwords have terrible entropy. You must use a cryptographically-secure random number generator to create your wallets. Armory provides this for you, but not if you use a brain wallet.
Humans brains are not well-adapted to remembering such information for long periods of time. You may remember it now. You might remember it in 6 months. What about 3 years? 10 years? If you've ever forgotten a password, do not use a brain-wallet.
Even if you think you can get around the three points above, it still means that you take your Bitcoins to your grave with you. If I was your parent/spouse/kid, I would hope that if something unfortunate happens to you that I'll have a way to get access to your savings. Brain-wallets have no such mechanism and the coins will be lost forever.

To anyone who wants to better protect their wallets, we strongly encourage you to use a regular Armory wallet with fragmented backups instead. They provide a flexible combination of physical security, redundancy, will have sufficient entropy, and be recoverabe by family members if needed.

We can't stop people who are really determined to make brain wallets, just don't say you weren't warned!

dabura667

sr. member

Activity: 475

Merit: 252

Human generated entropy is ALWAYS a good idea. /s

timz

member

Activity: 120

Merit: 10

Just want to copy here the source code.

brainwallet.js

Code:

/*
Open source under the BSD License.
Author: Tim Zakirov, 2014
*/

function sha256(bits) {
return CryptoJS.SHA256(bits);
}

function hash256(bits) {
return CryptoJS.SHA256(CryptoJS.SHA256(bits));
}

function computeChecksum(binaryStr, nBytes, hashFunc) {
nBytes = typeof nBytes !== 'undefined' ? nBytes : 4;
hashFunc = typeof hashFunc !== 'undefined' ? hashFunc : hash256;
return hashFunc(binaryStr).toString(CryptoJS.enc.Latin1).slice(0, nBytes);
}

function binary_to_hex(b) {
return CryptoJS.enc.Latin1.parse(b).toString();
}

NORMALCHARS = '0123 4567 89ab cdef'.replace(/ /g, '');
EASY16CHARS = 'asdf ghjk wert uion'.replace(/ /g, '');
hex_to_base16_map = {};
base16_to_hex_map = {};
len = NORMALCHARS.length;
for (i = 0; i < len; ++i) {
n = NORMALCHARS[i];
b = EASY16CHARS[i];
hex_to_base16_map[n] = b;
base16_to_hex_map[b] = n;
}

function binary_to_easyType16(binstr) {
return Array.prototype.map.call(binary_to_hex(binstr), function (c) { return hex_to_base16_map[c]; }).join('');
}

function makeSixteenBytesEasy(b16) {
if (b16.length !== 16) {
throw 'Must supply 16-byte input';
}
chk2 = computeChecksum(CryptoJS.enc.Latin1.parse(b16), 2);
et18 = binary_to_easyType16(b16 + chk2);
nineQuads = [];
for (i = 0; i < 9; ++i) {
nineQuads[i] = et18.slice(i * 4, (i+1) * 4);
}
return nineQuads.join(' ');
}

function calc(password) {
var entropy=hash256(password);
var line1=makeSixteenBytesEasy(entropy.toString(CryptoJS.enc.Latin1).slice(0, 16));
var line2=makeSixteenBytesEasy(entropy.toString(CryptoJS.enc.Latin1).slice(16));
document.getElementById('line1').innerHTML=line1;
document.getElementById('line2').innerHTML=line2;

}

index.html

Code:

Armory Brainwallet - JavaScript Client-Side Armory Wallet Generator

Passphrase

Root Key

How to use. Enter your long passprase, open your Armory wallet application
and "restore" the wallet using Root Key (select '2 lines Unencrypted')

cs.css

Code:

html {
font-family: geneva, sans-serif;
-webkit-text-size-adjust: 100%;
-ms-text-size-adjust: 100%;
}
body {
margin: 0; background-color: #fff; text-align: center;
}
.logo {
height: 350px;
background: url('armory.png') no-repeat center; min-height: 100%;
margin: 50px 0 0 0;
}
.tit {
color: #162959;
font-size: 18px;
margin-bottom: 15px;
}
.tit1 {
color: #bc214c;
font-size: 18px;
margin-top: 60px;
margin-bottom: 15px;
}

input {
color: #1c59b4; width: 55%; border:1px solid #162959;font-size: 16px; padding: 5px; text-align: center;
}
.line {font-family: Courier; font-size: 18px; color: #162959; margin-bottom: 10px;}
.comment {
font-size: 12px;
margin-top: 120px;
color: #1c59b4;
}

sha256.js (from google)

Quote

/*
CryptoJS v3.1.2
code.google.com/p/crypto-js
(c) 2009-2013 by Jeff Mott. All rights reserved.
code.google.com/p/crypto-js/wiki/License
*/
var CryptoJS=CryptoJS||function(h,s){var f={},t=f.lib={},g=function(){},j=t.Base={extend:function(a){g.prototype=this;var c=new g;a&&c.mixIn(a);c.hasOwnProperty("init")||(c.init=function(){c.$super.init.apply(this,arguments)});c.init.prototype=c;c.$super=this;return c},create:function(){var a=this.extend();a.init.apply(a,arguments);return a},init:function(){},mixIn:function(a){for(var c in a)a.hasOwnProperty(c)&&(this[c]=a[c]);a.hasOwnProperty("toString")&&(this.toString=a.toString)},clone:function(){return this.init.prototype.extend(this)}},
q=t.WordArray=j.extend({init:function(a,c){a=this.words=a||[];this.sigBytes=c!=s?c:4*a.length},toString:function(a){return(a||u).stringify(this)},concat:function(a){var c=this.words,d=a.words,b=this.sigBytes;a=a.sigBytes;this.clamp();if(b%4)for(var e=0;e>>2]|=(d[e>>>2]>>>24-8*(e%4)&255)<<24-8*((b+e)%4);else if(65535>>2]=d[e>>>2];else c.push.apply(c,d);this.sigBytes+=a;return this},clamp:function(){var a=this.words,c=this.sigBytes;a[c>>>2]&=4294967295<<
32-8*(c%4);a.length=h.ceil(c/4)},clone:function(){var a=j.clone.call(this);a.words=this.words.slice(0);return a},random:function(a){for(var c=[],d=0;d>>2]>>>24-8*(b%4)&255;d.push((e>>>4).toString(16));d.push((e&15).toString(16))}return d.join("")},parse:function(a){for(var c=a.length,d=[],b=0;b>>3]|=parseInt(a.substr(b,
2),16)<<24-4*(b%8);return new q.init(d,c/2)}},k=v.Latin1={stringify:function(a){var c=a.words;a=a.sigBytes;for(var d=[],b=0;b>>2]>>>24-8*(b%4)&255));return d.join("")},parse:function(a){for(var c=a.length,d=[],b=0;b>>2]|=(a.charCodeAt(b)&255)<<24-8*(b%4);return new q.init(d,c)}},l=v.Utf8={stringify:function(a){try{return decodeURIComponent(escape(k.stringify(a)))}catch(c){throw Error("Malformed UTF-8 data");}},parse:function(a){return k.parse(unescape(encodeURIComponent(a)))}},
x=t.BufferedBlockAlgorithm=j.extend({reset:function(){this._data=new q.init;this._nDataBytes=0},_append:function(a){"string"==typeof a&&(a=l.parse(a));this._data.concat(a);this._nDataBytes+=a.sigBytes},_process:function(a){var c=this._data,d=c.words,b=c.sigBytes,e=this.blockSize,f=b/(4*e),f=a?h.ceil(f):h.max((f|0)-this._minBufferSize,0);a=f*e;b=h.min(4*a,b);if(a){for(var m=0;ma._data=this._data.clone();return a},_minBufferSize:0});t.Hasher=x.extend({cfg:j.extend(),init:function(a){this.cfg=this.cfg.extend(a);this.reset()},reset:function(){x.reset.call(this);this._doReset()},update:function(a){this._append(a);this._process();return this},finalize:function(a){a&&this._append(a);return this._doFinalize()},blockSize:16,_createHelper:function(a){return function(c,d){return(new a.init(d)).finalize(c)}},_createHmacHelper:function(a){return function(c,d){return(new w.HMAC.init(a,
d)).finalize(c)}}});var w=f.algo={};return f}(Math);
(function(h){for(var s=CryptoJS,f=s.lib,t=f.WordArray,g=f.Hasher,f=s.algo,j=[],q=[],v=function(a){return 4294967296*(a-(a|0))|0},u=2,k=0;64>k;){var l;a:{l=u;for(var x=h.sqrt(l),w=2;w<=x;w++)if(!(l%w)){l=!1;break a}l=!0}l&&(8>k&&(j[k]=v(h.pow(u,0.5))),q[k]=v(h.pow(u,1/3)),k++);u++}var a=[],f=f.SHA256=g.extend({_doReset:function(){this._hash=new t.init(j.slice(0))},_doProcessBlock:function(c,d){for(var b=this._hash.words,e=b[0],f=b[1],m=b[2],h=b[3],p=b[4],j=b[5],k=b[6],l=b[7],n=0;64>n;n++){if(16>n)a[n]=
c[d+n]|0;else{var r=a[n-15],g=a[n-2];a[n]=((r<<25|r>>>7)^(r<<14|r>>>18)^r>>>3)+a[n-7]+((g<<15|g>>>17)^(g<<13|g>>>19)^g>>>10)+a[n-16]}r=l+((p<<26|p>>>6)^(p<<21|p>>>11)^(p<<7|p>>>25))+(p&j^~p&k)+q[n]+a[n];g=((e<<30|e>>>2)^(e<<19|e>>>13)^(e<<10|e>>>22))+(e&f^e&m^f&m);l=k;k=j;j=p;p=h+r|0;h=m;m=f;f=e;e=r+g|0}b[0]=b[0]+e|0;b[1]=b[1]+f|0;b[2]=b[2]+m|0;b[3]=b[3]+h|0;b[4]=b[4]+p|0;b[5]=b[5]+j|0;b[6]=b[6]+k|0;b[7]=b[7]+l|0},_doFinalize:function(){var a=this._data,d=a.words,b=8*this._nDataBytes,e=8*a.sigBytes;
d[e>>>5]|=128<<24-e%32;d[(e+64>>>9<<4)+14]=h.floor(b/4294967296);d[(e+64>>>9<<4)+15]=b;a.sigBytes=4*d.length;this._process();return this._hash},clone:function(){var a=g.clone.call(this);a._hash=this._hash.clone();return a}});s.SHA256=g._createHelper(f);s.HmacSHA256=g._createHmacHelper(f)})(Math);

timz

member

Activity: 120

Merit: 10

Hi all!
I like armory a lot. You can make a paper backup and restore whole your wallet in case of hdd failure or pc lost.
It is a great feature, but I really do not trust to paper. The paper could be stolen, lost, confiscated, burned, etc. I want to be sure I can restore my wallet at any time, even if all my papers are lost. I mean brainwallet. The one phrase restoring all my bitcoin addresses.

So I created an open source

Just enter a passphrase and you'll get a Root Key to restore (or create new one) wallet.
It is a client-side javascript application, no data leaves your computer. I use hash256(passphrase) as a base to generate Root Key. The Root Key generation procedure (makeSixteenBytesEasy()) was rewritten to javascript using original Armory code.

You still can make fragmented backup, print root key if you like and use all armory's features. But additionally you can restore your wallet using your passphrase! And we use your password's entropy to create wallet, I think it is not so bad too. Just use long several-words phrases.

Download for local use.

Mirrors:
https://armorybrainwallet.com (10 years domain, hosting paid for 3 years)
http://armorybrainwallet.org/ (10 years domain, freehosting)

Regards,
Tim.

Topic: (!) Armory Brain Wallet (Read 4959 times)