
Topic: Brain wallet, step-by-step guide (FIXED!)[Mod note: DO NOT USE BRAINWALLETS] (Read 7074 times)

legendary
Activity: 3612
Merit: 1564
Is this really the case? and how do you "correctly use" Electrum seeds? because you made a "if used correctly" remark.
Coming up with the string on your own rather than having the software do it or storing it only in your memory.

I think you mean using the software generated one and not coming up with a string on your own. Just saying that your answer is not clear and might confuse newbies.

Besides, since Electrum v2.x you* can't make your own seed because it has to have a checksum in it. You have to rely on the software.



* i mean lay people.
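The point above about not being able to hand-write a seed because it carries a checksum, as an added example (not code from any poster and not Electrum's own code). Electrum 2.x actually uses its own versioned-seed check (an HMAC-SHA512 prefix) rather than a BIP39 checksum; the BIP39 construction is used here because it is fully specified and shows the same mechanism: the software chooses the entropy, derives the words, and rejects a word list that a human typed in unless its checksum happens to match. The 2048-entry wordlist is a constructed placeholder, not the real list.

```python
import hashlib
import random
import secrets

# Constructed 2048-entry wordlist (2**11 entries, so each word carries 11 bits).
# The real BIP39 English list is different; the checksum arithmetic is identical.
WORDLIST = [f"w{i:04d}" for i in range(2048)]


def entropy_to_mnemonic(entropy, wordlist=WORDLIST):
    """BIP39 encoding: append the first len(entropy)*8/32 bits of
    SHA-256(entropy) as a checksum, then cut the result into 11-bit indices.
    128 bits of entropy + 4 checksum bits = 132 bits = 12 words."""
    if len(entropy) not in (16, 20, 24, 28, 32):
        raise ValueError("entropy must be 128..256 bits in 32-bit steps")
    cs_bits = len(entropy) * 8 // 32
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    bits = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    n_words = (len(entropy) * 8 + cs_bits) // 11
    return [wordlist[(bits >> (11 * (n_words - 1 - i))) & 0x7FF]
            for i in range(n_words)]


def mnemonic_to_entropy(words, wordlist=WORDLIST):
    """Inverse of entropy_to_mnemonic. Raises ValueError on an unknown word or
    a checksum mismatch, which is what stops a user from typing in a sentence
    of their own as the seed."""
    n_words = len(words)
    if n_words % 3 or not 12 <= n_words <= 24:
        raise ValueError("word count must be 12, 15, 18, 21 or 24")
    index = {w: i for i, w in enumerate(wordlist)}
    bits = 0
    for w in words:
        if w not in index:
            raise ValueError(f"word not in list: {w}")
        bits = (bits << 11) | index[w]
    cs_bits = n_words * 11 // 33
    ent_bits = n_words * 11 - cs_bits
    entropy = (bits >> cs_bits).to_bytes(ent_bits // 8, "big")
    expected = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    if bits & ((1 << cs_bits) - 1) != expected:
        raise ValueError("checksum mismatch: not a generated seed")
    return entropy


def is_valid_mnemonic(words, wordlist=WORDLIST):
    try:
        mnemonic_to_entropy(words, wordlist)
        return True
    except ValueError:
        return False


def new_seed(bits=128, wordlist=WORDLIST):
    """The only supported path: the CSPRNG picks the entropy and the code
    derives the words, never the other way round."""
    return entropy_to_mnemonic(secrets.token_bytes(bits // 8), wordlist)


def count_accepted_random_lists(trials, n_words=12, seed=0, wordlist=WORDLIST):
    """How many of `trials` arbitrarily chosen word lists pass the checksum.
    With 4 checksum bits about 1 in 16 do, so a hand-picked list is usually
    rejected; the checksum is not a secret and adds no security by itself."""
    rng = random.Random(seed)  # deterministic so the experiment is repeatable
    return sum(is_valid_mnemonic([rng.choice(wordlist) for _ in range(n_words)], wordlist)
               for _ in range(trials))
```

The checksum only catches typos and hand-made word lists; the 128 bits of security come entirely from the CSPRNG call in new_seed, which is why the advice in the thread is to let the software generate the seed and to write it down rather than memorise it.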
full member
Activity: 224
Merit: 117
There are security guarantees if you generate passphrases correctly.
If you generate a passphrase uniformly and at random from a set of size S, you can be sure (well... not really sure, there is always a chance an attacker will randomly guess your passphrase, but this is unavoidable) that against an attacker performing N computations, the probability of getting hacked is not more than P = N/S.
If you use words from a book, or a sentence that makes sense, or anything you come up with without a high quality source of randomness (dice, for example), you have no such security guarantee, and it is impossible to estimate the chances of getting hacked.
If you use Diceware with Warp Wallet, you will be safe as long as you don't forget the passphrase.
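The P = N/S bound and the Diceware recommendation above, as an added example (not code from the poster). It generates a passphrase the way the post describes, with uniform CSPRNG selection standing in for physical dice, and turns the bound into numbers a defender can actually use: entropy in bits, the attacker's success probability for a given guess budget, and the guess rate needed to exhaust a keyspace in a week (the same arithmetic as the 2^32-in-a-week calculation later in this thread). The wordlist is a constructed placeholder of Diceware's size, and the last function assumes a KDF whose per-guess cost is a fixed multiple of one hash.

```python
import math
import secrets

# Constructed stand-in for a Diceware list. Real Diceware has 7776 entries
# (6**5, one per roll of five dice); only the size matters for the arithmetic,
# so synthetic placeholder words are used here.
DICEWARE_SIZE = 6 ** 5
WORDLIST = [f"word{i:04d}" for i in range(DICEWARE_SIZE)]
SECONDS_PER_WEEK = 7 * 24 * 3600  # 604800


def roll_word(wordlist=WORDLIST, randbelow=secrets.randbelow):
    """Pick one word uniformly with a CSPRNG (the software stand-in for five
    physical dice). Uniform selection is the precondition for the P = N/S
    bound; a word the user 'thinks of' carries no such guarantee."""
    return wordlist[randbelow(len(wordlist))]


def generate_passphrase(num_words, wordlist=WORDLIST):
    return " ".join(roll_word(wordlist) for _ in range(num_words))


def entropy_bits(num_words, wordlist_size=DICEWARE_SIZE):
    """log2(S) for S = wordlist_size ** num_words."""
    return num_words * math.log2(wordlist_size)


def break_probability(guesses, bits):
    """The post's bound: an attacker who performs N guesses succeeds with
    probability at most P = N / S, where S = 2**bits (capped at 1)."""
    return min(1.0, guesses / 2.0 ** bits)


def seconds_to_exhaust(bits, guesses_per_second):
    """Time to enumerate the whole keyspace at a fixed guess rate."""
    return 2.0 ** bits / guesses_per_second


def rate_needed(bits, seconds):
    """Guess rate required to cover the whole space within `seconds`;
    for 32 bits and one week this is roughly the 7101/s figure from the thread."""
    return 2.0 ** bits / seconds


def effective_bits_with_kdf(bits, kdf_cost_multiplier):
    """A slow KDF costing `kdf_cost_multiplier` times a single hash per guess
    adds only log2(multiplier) bits of attacker work; it creates no entropy,
    and the attacker can still parallelise across machines."""
    return bits + math.log2(kdf_cost_multiplier)
```

Six Diceware words give about 77.5 bits, so an attacker with a 2^40 guess budget has a success probability around 2^-37; a 32-bit human-chosen secret is exhausted in a week at about 7102 guesses per second, and wrapping it in a KDF that is a million times slower than SHA-256 only moves it to roughly 52 bits of work.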
staff
Activity: 4172
Merit: 8419
Is this really the case? and how do you "correctly use" Electrum seeds? because you made a "if used correctly" remark.
Coming up with the string on your own rather than having the software do it or storing it only in your memory.
legendary
Activity: 1204
Merit: 1028
I have learned recently that brainwallets are not a good idea, mostly because I lurk the bitcoin reddit and I think I saw you posting about it.

Now my fear/question is: are Electrum seeds also compromised? In theory isn't it the same as brainwallets? It creates a seed and this seed contains everything. I think the new HD wallet in Bitcoin Core is not like that (you can't "spawn" everything with a single seed) but with Electrum it seems the same idea to me as brainwallets and now I'm worried... (I'm not a coder or anything so I don't understand the details, it just seems the same to me in practice)

The two main problems with brainwallets are that (1) humans created the randomness and humans are surprisingly bad at that (and, worse, can't tell how bad they are) and (2) they depend on human memory to perfectly remember a long highly random string.  Human memory is not very good at this either.

Electrum seeds, used correctly, don't have either of these problems.


The electrum seeds claim to be as safe as keeping your bitcoins in your bitcoin core wallet.dat...

Quote
What is the Seed?

The seed is a random phrase that is used to generate your private keys.

Example:

constant forest adore false green weave stop guy fur freeze giggle clock

Your wallet can be entirely recovered from its seed. For this, select the “restore wallet” option in the startup.
How secure is the seed?

The seed created by Electrum has 128 bits of entropy. This means that it provides the same level of security as a Bitcoin private key (of length 256 bits). Indeed, an elliptic curve key of length n provides n/2 bits of security.


Is this really the case? and how do you "correctly use" Electrum seeds? because you made a "if used correctly" remark.

I think the fact that you can memorize the Electrum seed is cool, and if it's as safe as the way Bitcoin Core stores the keys, then why not also give us a way to generate our wallet.dat from a human-readable seed like Electrum's if it's as safe? Now that Bitcoin Core supports HD wallets wouldn't this be possible? Maybe I'm mixing things up though, just using common sense, I'm too dumb for the math/coding.
legendary
Activity: 2053
Merit: 1354
aka tonikt
I thought maybe something along these lines:

Let x be a 32bit integer (the only source of entropy). Then the private key k is
k = pbkdf2(scrypt(key=sha3("bull testicles" + sha3(x), salt=sha3(sha3(x)), N=2^(sha3(x)%1000000000000), r=8, p=1, dkLen=32), salt=sha3(sha3(x)), c=2^(sha3(x)%1000000000000), dkLen=32, prf=HMAC_SHA256)


I am quite sure that this very simple brainwallet cannot be cracked within one week, even for low entropies. Of course, for 32 bits of entropy, I wouldn't keep the wallet live for more than a few months / maybe years. But for any four-word English phrase that my mind comes up with, I would say it's pretty secure.

Disclaimer: if in doubt assume my approach is unsafe as hell and will lead to a total loss of your funds!

Yes, it's actually another thing worth mentioning.

Despite what some people claim (or may think), not everybody uses brainwallet.org (which BTW doesn't work), or bitcoinpaperwallet.com, or brainwallet.io or BIP38 or any other "standard" generously acknowledged by the bitcoin celebrities who are forever patronising us.

You just gave an example for quite a complex hashing mechanism - it takes quite a lot of time to just calc one hash.
Myself, I use much more simple hashing - calculates in an instant, but I'm still comfortable with it, as I focus on making strong passwords.

And it is not only about how you generate the first address, but also others originating from the same seed.

My point is: whoever is going to crack brain wallets cannot really do all-at-once as the function that turns the password into the 256 bit private key can be literally anything. He needs to address each one separately - first having to learn what it actually is.

Suit yourself with the method of the guy who "invented Brainwallets", using the breakthrough science-fiction sentence cracking solution that you have allegedly researched [again!], but don't want to disclose...
But still, if you want to crack my password, you will have to launch a slightly different software.
legendary
Activity: 1260
Merit: 1168
Suggestion: I will put 5 BTC into an address which is secured by an entropy of 32 bits only.
what do you mean?
you will post the public address and 224 bits of its private key - and we only have to guess the remaining 32 bits?
sign me in!

to go through all the 4294967296 combinations within a week (604800 seconds), one would only have to check 7101 keys per second.
that's totally doable - you will lose your money, man.
however, that will have nothing to do with cracking brain wallets - it's just pure brute forcing of random values.

I did not say that 32 bits will be missing! I said that my private key will have 32 bits of entropy.

I thought maybe something along these lines:

Let x be a 32bit integer (the only source of entropy). Then the private key k is
k = pbkdf2(scrypt(key=sha3("bull testicles" + sha3(x), salt=sha3(sha3(x)), N=2^(sha3(x)%1000000000000), r=8, p=1, dkLen=32), salt=sha3(sha3(x)), c=2^(sha3(x)%1000000000000), dkLen=32, prf=HMAC_SHA256)


I am quite sure that this very simple brainwallet cannot be cracked within one week, even for low entropies. Of course, for 32 bits of entropy, I wouldn't keep the wallet live for more than a few months / maybe years. But for any four-word English phrase that my mind comes up with, I would say it's pretty secure.

Disclaimer: if in doubt assume my approach is unsafe as hell and will lead to a total loss of your funds!
legendary
Activity: 2053
Merit: 1354
aka tonikt
I'm going to go back to publishing my thoughts on best practices in brain wallets security.

Despite attacks on my credibility and honesty (which I'm going to ignore, as they are not worth my time), I'm standing behind all my previous statements on how to choose a secure brain wallet seed.
I think all the solutions I described in this topic are secure enough.
But it doesn't mean we cannot make them even more secure, using other kind of tricks.

Think of your life's savings - millions of dollars worth of bitcoins, which you want to protect only by passwords memorised in your brain.

This method is what I would call an insurance-fund security countermeasure.
You can take e.g. 2% of your life savings and put it on the insurance fund.
Worst case scenario: if your brain wallet gets cracked one day, it will cost you 1% of your savings, assuming you quickly act upon it.


Here is the method:

Note: a brain wallet can lead to practically unlimited number of addresses, but to simplify my guide I will assume that one brain wallet = one address.

So:

1. Make two or more brain wallets and deposit the insurance fund in their P2KH addresses (spreading the entire fund across them - evenly or however you like).

2. Make a multisig address 2-of-2 (or N-of-N if you made more brain wallets in point one) and deposit the rest of your savings there.

3. Do not spend from your multisig address, as it would disclose (to a potential attacker) that there is a much bigger stake to take than just the insurance.

Now, for the insurance to work, you will have to monitor the balance on your insurance addresses - use whatever method you want; manual or automatic.

If any of your passwords gets cracked, its insurance address will get emptied.
Important note here: the insurance address must carry enough coins, to tempt the attacker.

Anyway, when an insurance address gets emptied - this tells you to move the funds from your multisig savings address to a new one.
Also, you can draw conclusions that the password you used for that address was too weak - and learn from it...
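The monitoring half of the insurance-fund method above, as an added example (not the poster's code, and nothing here touches the network). It watches constructed balance snapshots for the canary addresses, treats any decrease (not only an emptied address, since an attacker may sweep only part of it) as evidence that the passphrase behind that canary has been cracked, and returns the rotate decision for the N-of-N savings address along with the worst-case loss arithmetic. Address strings and balances are made up for the example; in practice the snapshot would come from your own node.

```python
from dataclasses import dataclass, field


@dataclass
class CanaryMonitor:
    """Tracks the balances of the brain-wallet 'insurance' addresses.
    canaries maps address -> index of the brain wallet it was funded from,
    so a drained canary names the passphrase that was too weak."""
    canaries: dict
    last_seen: dict = field(default_factory=dict)

    def observe(self, snapshot):
        """snapshot: address -> confirmed balance in satoshis (constructed here).
        Returns (address, wallet_index, previous, current) for every canary
        whose balance went down since the last snapshot. Addresses missing
        from the snapshot are skipped rather than treated as zero, so a
        flaky balance source cannot trigger a false rotation."""
        drained = []
        for addr, wallet_ix in self.canaries.items():
            if addr not in snapshot:
                continue
            cur = snapshot[addr]
            prev = self.last_seen.get(addr)
            if prev is not None and cur < prev:
                drained.append((addr, wallet_ix, prev, cur))
            self.last_seen[addr] = cur
        return drained


def decide(drained):
    """With an N-of-N multisig, one cracked passphrase is enough to force a
    sweep of the savings to fresh keys; report which passphrases to retire."""
    weak = sorted({ix for _, ix, _, _ in drained})
    return {"rotate_vault": bool(weak), "weak_passphrases": weak}


def split_insurance(total_savings, insurance_fraction, n_wallets):
    """Per-canary stake and the worst-case loss (as a fraction of the total)
    if exactly one passphrase falls and the owner reacts in time."""
    fund = total_savings * insurance_fraction
    per_canary = fund / n_wallets
    return fund, per_canary, per_canary / total_savings
```

With two canaries holding 2% of the savings between them, one cracked passphrase costs 1% of the total, matching the figure in the post; the trade-off is that every canary has to be large enough to be worth sweeping, or the attacker never tips you off.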
legendary
Activity: 2053
Merit: 1354
aka tonikt
Suggestion: I will put 5 BTC into an address which is secured by an entropy of 32 bits only.
what do you mean?
you will post the public address and 224 bits of its private key - and we only have to guess the remaining 32 bits?
sign me in!

to go through all the 4294967296 combinations within a week (604800 seconds), one would only have to check 7101 keys per second.
that's totally doable - you will lose your money, man.
however, that will have nothing to do with cracking brain wallets - it's just pure brute forcing of random values.
legendary
Activity: 1260
Merit: 1168
I don't wanna tilt at windmills, and I am fine with the brainwallets-are-bad mantra; it might be true for the average (but not general) case.

Still, just for the fun of it, I am willing to take a challenge with any of the low-entropy-is-bad guys here.
Suggestion: I will put 5 BTC into an address which is secured by an entropy of 32 bits only. The entropy will even come from my brain. If anyone is able to crack my brainwallet within one week, feel free to take the money. If not, you consent to double my stake. I am even willing to tell you how my brainwallet will be constructed beforehand.

... remember, it's not about the entropy, it's about the time that is required to scan through the search space defined by the specific amount of entropy.
legendary
Activity: 2053
Merit: 1354
aka tonikt
question the technical aspects of what I'm saying, instead of trying to undermine my motives.  It's just pathetic, man. How old are you?

Because the mod is a type of person that prefers to run a forum for kids who he can impress and patronise all the time.

...

By this logic nobody should trust your expertise on cryptography because you know too much about the topic and your advice might be luring unconscious  people into using solutions that you claim are secured,  but personally know how to break.

How are you going to answer that?

Ask me again if you ever see me advocating solutions which have resulted in lots of funds loss in practice... or selling wallet cracking tools.

Are you not advocating Bitcoin?
staff
Activity: 4172
Merit: 8419
question the technical aspects of what I'm saying, instead of trying to undermine my motives.  It's just pathetic, man. How old are you?

Because the mod is a type of person that prefers to run a forum for kids who he can impress and patronise all the time.

...

By this logic nobody should trust your expertise on cryptography because you know too much about the topic and your advice might be luring unconscious  people into using solutions that you claim are secured,  but personally know how to break.

How are you going to answer that?

Ask me again if you ever see me advocating solutions which have resulted in lots of funds loss in practice... or selling wallet cracking tools.
staff
Activity: 4172
Merit: 8419
I have learned recently that brainwallets are not a good idea, mostly because I lurk the bitcoin reddit and I think I saw you posting about it.

Now my fear/question is: are Electrum seeds also compromised? In theory isn't it the same as brainwallets? It creates a seed and this seed contains everything. I think the new HD wallet in Bitcoin Core is not like that (you can't "spawn" everything with a single seed) but with Electrum it seems the same idea to me as brainwallets and now I'm worried... (I'm not a coder or anything so I don't understand the details, it just seems the same to me in practice)

The two main problems with brainwallets are that (1) humans created the randomness and humans are surprisingly bad at that (and, worse, can't tell how bad they are) and (2) they depend on human memory to perfectly remember a long highly random string.  Human memory is not very good at this either.

Electrum seeds, used correctly, don't have either of these problems.
legendary
Activity: 2053
Merit: 1354
aka tonikt
I think it's amusing that the two people in this thread loudly trumpeting brainwallets are someone who says they have a fetish for cracking passwords and someone who has posted extensively about wallet cracking and tried to sell scam wallet cracking tools.

This fits right in with the fact that person who popularized the idea and created brainwallet.org was cracking these kinds of keys and complaining about how few he was finding online before creating the site.

Food for thought.

Give me a break.

By this logic nobody should trust your expertise on cryptography because you know too much about the topic and your advice might be luring unconscious  people into using solutions that you claim are secured,  but personally know how to break.

How are you going to answer that?

If you want to have an adult debate with me,  question the technical aspects of what I'm saying, instead of trying to undermine my motives.  It's just pathetic, man. How old are you?
legendary
Activity: 1204
Merit: 1028
I think it's amusing that the two people in this thread loudly trumpeting brainwallets are someone who says they have a fetish for cracking passwords and someone who has posted extensively about wallet cracking and tried to sell scam wallet cracking tools.

This fits right in with the fact that person who popularized the idea and created brainwallet.org was cracking these kinds of keys and complaining about how few he was finding online before creating the site.

Food for thought.


I have learned recently that brainwallets are not a good idea, mostly because I lurk the bitcoin reddit and I think I saw you posting about it.

Now my fear/question is: are Electrum seeds also compromised? In theory isn't it the same as brainwallets? It creates a seed and this seed contains everything. I think the new HD wallet in Bitcoin Core is not like that (you can't "spawn" everything with a single seed) but with Electrum it seems the same idea to me as brainwallets and now I'm worried... (I'm not a coder or anything so I don't understand the details, it just seems the same to me in practice)
staff
Activity: 4172
Merit: 8419
I think it's amusing that the two people in this thread loudly trumpeting brainwallets are someone who says they have a fetish for cracking passwords and someone who has posted extensively about wallet cracking and tried to sell scam wallet cracking tools.

This fits right in with the fact that person who popularized the idea and created brainwallet.org was cracking these kinds of keys and complaining about how few he was finding online before creating the site.

Food for thought.
legendary
Activity: 2053
Merit: 1354
aka tonikt
Why does the title say "Mod note: Do not use brain wallets"?
Because the mod is a type of person that prefers to run a forum for kids who he can impress and patronise all the time.
Rather than a forum for adults who can challenge his thinking, so he could sometimes learn something more here.
legendary
Activity: 1260
Merit: 1168
Why does the title say "Mod note: Do not use brain wallets"?
I explicitly want to use brain wallets, and as a free human being it is my right to do so! It's my individual decision! When reading the title I feel somewhat "patronized": "the community" openly displays that it thinks I (and other users) are too dumb to make their own decision. Not nice.

EDIT: I *AM* a good source of entropy!
legendary
Activity: 2053
Merit: 1354
aka tonikt
The lyrics of a song, a quote, or, for that matter, any sentence that makes sense, are very insecure.

Yes - that is what one should assume making a password that will protect his life's savings.
That's what I assume...

But I'm still dying to see any research that would approach a problem of cracking brain wallets passwords being a "sentences that makes sense".
Let me give you few examples:

Code:
I met a girl, her name was Marlena Witchenberg, I asked her out and she said NO.

Code:
When I was a kid my dad used to take me out for fishing - to a place called Bloodrocks

Code:
One day I will be a milioner, because the only one bitcoin I own will be worth more than 1 million :)

These are all sentences - grammatically correct and quite easy to remember if they have sentimental value for you.
But according to my knowledge and understanding, as of today, they are (were, before I posted them) impossible to crack.
There is loads of research to be done, before anyone can even start cracking these kind of wallets.
Obviously it cannot be done by a man thinking of sentences and typing them in - he would die behind the keyboard with zero hits.
But there is no software that can brute-force "sentences that make sense", preferably only those that have a sentimental value to a targeted person.
Even if there is some software like that, it is not very fast, because creating all kind of "sentences that make sense" is a very complex problem to solve by a machine.
For a machine, it might actually be easier to reverse the EC multiplication function.
full member
Activity: 224
Merit: 117
Obviously if anyone is using a single  word from a dictionary as the seed for his  brain wallet then he is an idiot. Idiots get hit by buses every day - we can't save them.
I agree, there are far too many pseudo-intellectuals using bitcoin simply because it's cool and the new "in thing" and losing coins to change addresses, weak brain wallets, web wallet hacks, and assorted scams.
And they say: NO - because we have 'researched' it and our 'studies' have proven [again!] that if you choose 12/24 words from the unlimited dictionary, then we can guess what these words were!
There is absolutely no published science to back this up.
It's fucking bollocks - show how you do it,  or you are a fraud! And I haven't seen a single paper,  let alone a software, on how anyone would be choosing the words to mimic  my thinking.
What I've seen so far was only a primitive software that either uses brute forcing on characters or requires the list of the passwords to be provided to it -  that's it.  That's all their 'research'.

Where is a research  showing  that a software can choose/guess/predict  a set of words in a way to 'guess' what a human being was thinking?
There isn't any.
Because it's nowhere even close as simple as they suggest. People publishing these papers are too stupid to even understand the problem - they have absolutely zero chance to start approaching it from the right angle.
12/24 words are secure if chosen in a reasonably random fashion.
The lyrics of a song, a quote, or, for that matter, any sentence that makes sense, are very insecure.
Unfortunately, many people choose things like "how much wood could a woodchuck chuck if a woodchuck could chuck wood" and get hacked.

Brain wallets do have their advantages; it is by far the most effective way to hide bitcoin from oppressive authorities, especially if they have no proof of its existence.
legendary
Activity: 2053
Merit: 1354
aka tonikt
For me cracking brain wallets is not quite about dictionary attack.

Obviously if anyone is using a single  word from a dictionary as the seed for his  brain wallet then he is an idiot. Idiots get hit by buses every day - we can't save them.
But... any modern wallet can bring its actual seed down to a sequence of 12 or 24 words - and that's from a 'dictionary' of 2048 words.
Because that's what 256 bits of data come down to.
Plus Bitcoin addresses have only 160-bit security - so, it's even fewer words.

So what if I am to choose my seed to be a sentence made of 12 or 24 words? From an undefined dictionary...
Should it not be at least as secure as the other 12/24 words method???

And they say: NO - because we have 'researched' it and our 'studies' have proven [again!] that if you choose 12/24 words from the unlimited dictionary, then we can guess what these words were!
There is absolutely no published science to back this up.
It's fucking bollocks - show how you do it,  or you are a fraud! And I haven't seen a single paper,  let alone a software, on how anyone would be choosing the words to mimic  my thinking.
What I've seen so far was only a primitive software that either uses brute forcing on characters or requires the list of the passwords to be provided to it -  that's it.  That's all their 'research'.

Where is a research  showing  that a software can choose/guess/predict  a set of words in a way to 'guess' what a human being was thinking?
There isn't any.
Because it's nowhere even close as simple as they suggest. People publishing these papers are too stupid to even understand the problem - they have absolutely zero chance to start approaching it from the right angle.
