Topic: Brain wallet, step-by-step guide (FIXED!)[Mod note: DO NOT USE BRAINWALLETS] - page 2. (Read 7199 times)

legendary
Activity: 2576
Merit: 1248
I believe that your birth date, your name or your phone number are the first things that a hacker would try to use before trying to crack/brute anything, so I don't really see how this could be more secure than anything else. Using a random password, on the other hand, or something that makes no sense to you, may be very hard to remember over the years and you could end up losing your coins.
Yes, hackers use and have already used dictionary attacks in the past, so I think that it isn't necessary to use the same tool; you can simply use a transaction hash, btc address, private key, a key issued on creating a brain wallet, or even combine many of them to access your "Wallet".
legendary
Activity: 2053
Merit: 1356
aka tonikt
Excuse me posting the third time in a row, but I was rushing out in the morning and didn't have much time to write down all my thoughts.

Quote
Brainwallets were literally invented by someone who was out to rip people off; no joke!
Well, if it's not a joke, then let me explain how you are wrong.

Nobody invented brain wallets!

Perhaps there was a person who named it like that (nice naming, BTW), but he did not invent it!

Brain wallets are natural, just like using the fingers for picking your nose is natural.
You don't invent it - it's just there, ready to be used.

I use brain wallet not because someone showed it to me.
I use it because one day I found it to be a perfect method for creating a seed for a master private key of a bitcoin wallet.
And it didn't take a process - it was just a thought; a natural thought, like thinking of having a swim in a hot weather.

So please stop spreading such disinformation, because not only that it isn't helpful to anyone, but it's also not good for you.
Unless your goal is not to be perceived as a bitcoin scientist/technician, but rather as a bitcoin apostle/preacher.


EDIT:
In the other part of your argument, you mentioned that "rainbow tables" can be used to crack the brain wallets..
I mean, come on, man - are you kidding me?
There is no fucking way you don't know that rainbow tables are completely useless for cracking 256-bit hashes..
Why would you even bring such a term into the discussion?
What is a purpose of that if not trying to convince clueless people that your thesis is right, without providing any actual arguments?

EDIT2:
I have been fascinated with passwords-cracking ever since I was 20.
They almost kicked me out of the university, because of that.
But it wasn't my fault - I was just a kid harmlessly experimenting with stuff.
Back then, in the 90s, cracking unix account passwords was as easy as looking for the match inside the /etc/passwd file.
John the Ripper - is the software I will always remember. It's old school, but still great software.
I know very well how much progress has been made in the field over the past 20 years.
And today I choose brain wallet.  It's not preaching - it's experience.

I am not telling anyone what he should or should not do - I'm just telling him what I know.
Well, maybe I'm also preaching a bit: Believe in your brain and its limitless imagination - it's far more sophisticated than any PRNG invented by man. Smiley

EDIT3:
When I read about all these "research" papers and browse through slideshows from some DEFCON meetings - for me it's just some kids looking for attention, playing with 30-year-old technology which they don't really understand. Had they understood it, they would have had much greater respect for the very complex problem of cracking passwords. But all I see is an infant boasting and patronising with statements that have absolutely no technical backup.
You kids... Smiley
legendary
Activity: 2053
Merit: 1356
aka tonikt
But I still think that the brain wallets in the traditional sense of the word should be secure enough, if their owner only puts enough effort into their complexity and uniqueness.

Like the example I mentioned in the other thread: Make a poem and remember it.
Not a short poem, but it also doesn't need to be a very long one - a haiku might be long enough, although two haiku (one after another) would be much better.

Despite what some people might be claiming, there is no way to paint a second Mona Lisa just by coincidence.
Almost every human being (there might be some brain-damaged ones) is able to create original artistic constructs inside his brain.
And the one thing computers can't do is artistic - the only way to crack an original poem is through brute forcing.
So, to make it even harder for dictionary-based, lexical-whatever-sf-enforced brute forcing, do not use the words as they are.
Modify the words inside your poem, using a system that only you know.
For example:
 - Use only the first and the last letter of each word
 - Skip words of certain lengths
 - Repeat some words or some characters
 - Use customised separation characters between the words (e.g. - | & * @)
 - Swap the letters (all or only two of them) inside each word
 - Add the salt (e.g. your name, phone number, your email's password) at the end, the beginning or (best) somewhere in the middle.
 - etc. etc. etc. - use your imagination - it's limitless!

Also: the last thing you should do is following the exact system I just described. Smiley
It was good, before I posted it, though.
Anyway, I hope you catch my point.


Mind that you can also combine one or more of the methods/techniques/systems, if you are still unsure about the security of a single one.
So for instance: the book, combined with the wife's photo, combined with the poem - even god himself armed with an MRI connected to your head won't crack that, if you don't screw it up.
legendary
Activity: 2053
Merit: 1356
aka tonikt
What we maybe should also mention here are a kind of wallets that actually require a file, but the key to their existence is only in your brain.

A bit like a system with a book I mentioned before, but slightly different...

Think of a photo of your wife. A jpeg file would be good, as it has nice "entropy".
Now, think of two numbers - e.g. her birthday and age... or whatever big enough.
Then cut (from the file) the number of bytes expressed by the second number, from the file's offset expressed by the first number.
All you need for that is "dd" command. You can concat two or three such fragments, to increase security... Maybe even append some simple string (e.g. your last name) at the end of the extracted data...
Then get a 256-bit hash of it - that would be your master private key.


A photo of your wife you can have stored anywhere, even in the cloud - nobody is going to find it suspicious. Perhaps they will even let you have it in a prison. Smiley
But the key to the wallet is only in your brain.
Now, if nobody knows that the wife's picture is actually the wallet, there is no way to crack it.

This is just one of unlimited methods for making a secure brain wallet.
Just use your brain and imagination and you can create a very secure brain wallet, that no person on earth can crack, find or seize - while you always have it with you.
This is a security and convenience that no random generator based wallet will ever give you.
staff
Activity: 4284
Merit: 8808
But then you come back to the problem of choosing the secure password, don't you?
Which brings you back to the point that you need to learn about choosing secure passwords.
Ah ha, but no-- the requirements for the password security are much lower.

With a brainwallet, the moment you use it everyone in the world can begin cracking it-- in parallel with all other keys they are cracking at no extra cost.  They can also apply precomputed rainbow tables to try many of the passwords they tested in the past against it-- at low cost. They also can see the bounty attached to it.

If a wallet is encrypted it has a salt and (hopefully) an expensive KDF. The attacker cannot attack multiple files in parallel. If the whole wallet is encrypted, they don't know what their payoff will be and most importantly they can't even begin cracking until they get the file.  The security becomes multi-factor: You must have the file and the passphrase.  Theft of the file may also be noticed, giving you time to react.

So if your passphrase is a little weaker than you intended it to be-- there is likely no great harm.


legendary
Activity: 2053
Merit: 1356
aka tonikt
You seem to have ignored my point that a brainwallet is equivalent to storing an unsalted password hash in a public database. Do you consider that incompetent security?

Of course, a randomly generated and then password-encrypted wallet is by definition more secure than a brain wallet made by the same password.

But then you come back to the problem of choosing the secure password, don't you?
Which brings you back to the point that you need to learn about choosing secure passwords.
And after you learn to choose passwords that are secure enough, you might just as well use brain-only solution.
staff
Activity: 4284
Merit: 8808
Sorry, I didn't mean that they cannot be seized by any type of government.
Mine isn't running a torture camp in Guantanamo - applying a hammer to my head would be illegal where I live.
Plus then I'd most definitely forget it Smiley
Hand, not head, for that reason! Smiley  (also, hitting people in the head tends to make them unconscious and then they can't answer. Hitting them in the hand is very painful but leaves them able to talk.)

Especially if you're not worried about torture-- use encryption! it also resists seizure in just the same way-- but: it works like a salted password hash stored privately. O(N*M) work to try N passwords for M people, and to even start you must steal a copy of the private data which you have hopefully not posted in a public database. Tongue  If you want to generate it securely and _also_ attempt to memorize it, sure knock yourself out, an extra backup doesn't hurt.
legendary
Activity: 2053
Merit: 1356
aka tonikt
- They cannot be seized
Equally true of a password protected backup wallet.  And both can be seized after finding evidence of you using them in the blockchain or on your computer and then liberally applying a hammer to your non-dominant hand.

Sorry, I didn't mean that they cannot be seized by any type of government.
Mine isn't running a torture camp in Guantanamo - applying a hammer to my head would be illegal where I live.
Plus then I'd most definitely forget it Smiley
staff
Activity: 4284
Merit: 8808
Also nobody is talking about the advantages of (strong) brain wallets, that are actually making them more secure than PRNG based wallets.

Besides of the two I mentioned already:
- They don't rely on anyone's (publicly known) implementation of the "entropy"
Unless you never intend to sign a message they do... and they also depend on a human's easily predictable production of "entropy".

There are hundreds of millions of dollars worth of Bitcoin secured by the CSPRNG setup in Bitcoin Core. It is peer reviewed by quite a few subject matter experts. That is a pretty strong bit of auditing there, ... can you say the same for your scheme?

Quote
- They don't require backups
Human memory is very fallible.  We often just don't remember what we don't remember so we don't often realize how bad it is.   A fever, blow to the head, or other illness can easily kill single memories even of things you used frequently-- a brain wallet is the hardest kind to remember: to be secure it must be unusually random, and you should not be using it frequently (if you use it frequently, you will end up leaking it somehow) and being almost right is not good enough!

Backups are also easy if you don't need to redo them. They are practically free:  A small USB stick costs a few dollars, paper costs cents. You can make many backups and secure them with a weak password that your family also knows and really can never be forgotten-- but attackers with an FPGA farm in China cannot crack your password protected backed up wallet!

Quote
There is more:
- They cannot be seized
Equally true of a password protected backup wallet.  And both can be seized after finding evidence of you using them in the blockchain or on your computer and then liberally applying a hammer to your non-dominant hand.

Quote
- They don't need to be carried
Yes, this is perhaps the one advantage-- if you are a refugee who can literally carry _nothing_ without severe risk of losing it. But even there you would be much better off with a few backups of that key securely hidden back at home in case you do forget it and do someday find yourself in a place where you can pick it up.

Quote
- Their existence can be denied
- Even if someone can prove that a brain wallet had existed at some point in time, he's still unable to prove that you have not forgotten the password
Both equally true for an encrypted non-brainwallet.

Quote
You see, in my opinion, the biggest enemy of the brain wallets should be the government.
Brainwallets are irrelevant to the government-- they don't add any protection from the a government except in the refugee case, but they are the friend of the coin thieves -- no surprise considering they were invented by one.

You seem to have ignored my point that a brainwallet is equivalent to storing an unsalted password hash in a public database. Do you consider that incompetent security?
legendary
Activity: 2053
Merit: 1356
aka tonikt
Also nobody is talking about the advantages of (strong) brain wallets, that are actually making them more secure than PRNG based wallets.

Besides of the two I mentioned already:
- They don't rely on anyone's (publicly known) implementation of the "entropy"
- They don't require backups

There is more:
- They cannot be seized
- They don't need to be carried
- Their existence can be denied / can't be proven
- Even if someone can prove that a brain wallet had existed at some point in time, he's still unable to prove that you have not forgotten the password

These are mostly about legal security, but isn't Bitcoin's success itself exactly about it?
You see, in my opinion, the biggest enemy of the brain wallets should be the government.
staff
Activity: 4284
Merit: 8808
The advice would be to have a computer generate it randomly.  (the next best advice is to choose it with dice but it takes so many rolls to even get 128 bits, that I have found that users don't actually comply with the procedure; a treatment that the patient will not follow is not a good treatment, no matter how perfect it is if used flawlessly). Studying the result in practice isn't politics, it's science.  Developers are not magically anointed with an ability to not make these errors, they appear to be even more vulnerable: too quick to enamor themselves with fancy schemes but just as unable to really comprehend billions of attempts per second as any other human. It isn't a question of being stupid, I do not think I can securely use a brainwallet and I do not think I am stupid.
legendary
Activity: 2053
Merit: 1356
aka tonikt
piotr_n: Errors like you talk about are what happen sometimes when technical experts given all the time in the world work on secure entropy.  What do you think will happen when you ask less technical end users to take care of it for themselves?
By this logic: what do you think will happen if you ask an average John to secure his backup of the wallet file?

Is this a forum for Development & Technical Discussion - or not?
If it is, then why are you bringing politics into it?

If people _massively_ overestimate their ability to choose unguessable strings then shouldn't we be discussing and advertising methods of choosing unguessable strings?
Instead of not-discussing brain wallets at all, because you believe that people are too stupid to choose a password that cannot be "easily predicted and exploited by attackers".


I believe that a brain wallet is the most secure wallet for me - and I am putting my money behind it, because I use such wallets myself.
I am willing to share my knowledge of choosing a complex enough passwords with anyone who wants to learn about the topic.
But I am not interested to argue with your "research demonstrates again that brain wallets are not secure and no one should use them" propaganda, because I have no time for such bullshit.
staff
Activity: 4284
Merit: 8808
Brainwallets were literally invented by someone who was out to rip people off; no joke!

piotr_n: Errors like you talk about are what happen sometimes when technical experts given all the time in the world work on secure entropy.  What do you think will happen when you ask less technical end users to take care of it for themselves?

Predictable failure, that is what results. And, of course, if your crypto code is broken-- your security is toast anyways: your signatures will give away your key.

People _massively_ overestimate their ability to choose unguessable strings. They come up with absurd munging schemes that are easily predicted and exploited by attackers.  The result is that brainwallets cause funds loss _constantly_.

Why is it when it turns out that some website was using an unsalted hashing scheme to store their users' password hashes in a private database people pull out the torches about how incompetent the web developer is-- but when people construct brainwallet software which stores the users' hashed password in a PUBLIC database-- unsalted-- where every found password results in an irreversible theft of Bitcoin, some people fall over themselves to recommend it?

... because that is exactly what a brainwallet is doing:  A public key is a hash of the private key (with special homomorphic properties that makes it useful for signatures). When you use a brainwallet you are computing an unsalted password hash and sticking it in a public database along with the amount you can steal by cracking it.  Because they are unsalted, an attacker can target N users with ~O(1) effort just like any other unsalted password hash.
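The unsalted-hash comparison above, as an added illustration that is not code from this thread: the functions count hash or KDF evaluations an attacker needs to test a list of guesses against several users, with sha256 standing in for the public-key derivation, PBKDF2 with an assumed iteration count standing in for the wallet KDF, and constructed passphrases and guesses.

```python
"""Added illustration (not code from this thread): attacker work for an
unsalted hash published to everyone (the brainwallet pattern) versus a
salted, slow KDF kept inside each wallet file.  Passphrases and guesses
below are constructed for the demo."""
import hashlib
import os

KDF_ITERATIONS = 100_000  # assumed PBKDF2 cost for the demo


def publish_unsalted(passphrases):
    """Brainwallet pattern: the derived value is a bare sha256 of the
    passphrase and is visible to the whole world.  Returns the public set."""
    return {hashlib.sha256(p.encode()).digest() for p in passphrases}


def encrypt_with_salt(passphrases):
    """Encrypted-wallet pattern: a fresh random salt per wallet and an
    expensive KDF.  Each (salt, key) pair stays in the owner's private file."""
    wallets = []
    for p in passphrases:
        salt = os.urandom(16)
        key = hashlib.pbkdf2_hmac("sha256", p.encode(), salt, KDF_ITERATIONS)
        wallets.append((salt, key))
    return wallets


def cost_unsalted(published, candidates):
    """Test every candidate against every published hash.  One hash per
    candidate plus a set lookup covers all N targets at once.
    Returns (hash_evaluations, matches)."""
    work, hits = 0, 0
    for c in candidates:
        work += 1
        if hashlib.sha256(c.encode()).digest() in published:
            hits += 1
    return work, hits


def cost_salted(wallets, candidates):
    """Same candidates against salted wallets: the salt forces one KDF call
    per (wallet, candidate) pair, and only after each file has been stolen.
    Returns (kdf_evaluations, matches)."""
    work, hits = 0, 0
    for salt, key in wallets:
        for c in candidates:
            work += 1
            if hashlib.pbkdf2_hmac("sha256", c.encode(), salt, KDF_ITERATIONS) == key:
                hits += 1
    return work, hits


if __name__ == "__main__":
    owners = ["roses are red", "correct horse battery staple", "my dog spot"]
    guesses = ["password", "correct horse battery staple", "letmein",
               "my dog spot", "qwerty"]
    print("unsalted (evaluations, matches):", cost_unsalted(publish_unsalted(owners), guesses))
    print("salted   (evaluations, matches):", cost_salted(encrypt_with_salt(owners), guesses))
```

With three users and five guesses the unsalted case costs 5 cheap hashes for the same two matches that cost 15 slow KDF calls in the salted case, and the salted work grows with the number of wallets stolen.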
full member
Activity: 219
Merit: 102
Security is a trade-off between complexity and convenience. Binary arguments about security mean that your data might never get stolen but no-one uses the software - just ask PGP.

My opinion is that brain wallets aren't the most secure but they are secure enough for many non technical users. If it is a commercial service that is being offered then there are other measures to mitigate the risk of loss like insurance - an admission that it can occur and allow compensation according to risk probability.
full member
Activity: 224
Merit: 117
Also, it makes little sense to talk about the entropy of a specific string, entropy is defined only for distributions.
If you pick a random list of ten words from a list of 6^5 words, the entropy is log2[6^50], which is 129.248125036 bits; if an attacker tries to brute force this, it would take, on average, more than 2^128 tries.
The specific passphrase "correct horse battery staple" for example, does not have a well defined entropy:
If each word is chosen at random from a large list, this particular sequence is very unlikely to be chosen, and the distribution would have high entropy, choosing a well known password from a high entropy distribution is very bad luck, and is about as likely as a brute force attacker who starts at a random point and searches from there happening to crack your key in a very short time.
The more likely scenario is that it was copied from xkcd, this is a stupid thing to do because the distribution "first thing to come to mind when a passphrase is needed", has a very low entropy for most people, and yet, unfortunately, is how most people choose passwords.
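An added illustration of the distinction above (not code from the post): the functions compute the entropy of a uniform word-list choice, the surprisal of one specific phrase under two different distributions, and the attacker's average guess count; the "first thing to come to mind" probability table is constructed for the demo.

```python
"""Added illustration (not code from this thread): entropy is a property of
the selection process, so the same string scores differently under different
distributions.  The 'first thing to come to mind' table is constructed."""
import math

DICEWARE_LIST = 6 ** 5  # 7776 words, the list size used in the post above


def uniform_entropy_bits(list_size, words):
    """Entropy of choosing `words` words uniformly from `list_size` entries."""
    return words * math.log2(list_size)


def uniform_expected_guesses(list_size, words):
    """Average tries for an attacker enumerating all list_size**words phrases
    in any fixed order: (N + 1) / 2, i.e. about 2**(H - 1)."""
    n = list_size ** words
    return (n + 1) // 2


def shannon_entropy_bits(distribution):
    """H = -sum p*log2(p) over an {outcome: probability} table."""
    return -sum(p * math.log2(p) for p in distribution.values() if p > 0)


def surprisal_bits(probability):
    """Information content of one specific outcome, -log2(p).  This is the
    closest thing a single passphrase has to 'its entropy', and it depends
    entirely on the distribution that assigned the probability."""
    return -math.log2(probability)


def expected_guesses(distribution):
    """Average tries for an attacker who guesses the most probable outcomes
    first; this, not H alone, is what sets the real cracking cost."""
    ordered = sorted(distribution.values(), reverse=True)
    return sum((i + 1) * p for i, p in enumerate(ordered))


# Constructed model of "first phrase that comes to mind" for a typical user.
POPULAR_CHOICES = {
    "correct horse battery staple": 0.5,
    "password": 0.25,
    "letmein": 0.125,
    "something else": 0.125,
}

if __name__ == "__main__":
    phrase = "correct horse battery staple"
    print("10 diceware words:", uniform_entropy_bits(DICEWARE_LIST, 10), "bits")
    print("same phrase drawn uniformly (4 words):",
          surprisal_bits(1 / DICEWARE_LIST ** 4), "bits")
    print("same phrase copied from xkcd:",
          surprisal_bits(POPULAR_CHOICES[phrase]), "bits")
    print("popular-choice distribution:", shannon_entropy_bits(POPULAR_CHOICES),
          "bits, avg guesses", expected_guesses(POPULAR_CHOICES))
```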
legendary
Activity: 2053
Merit: 1356
aka tonikt
Every now and then we hear about people's coins getting lost, because their wallet was using a fucked up random number generator.

Fucking Google distributed a "secure" random number source to millions of android devices and it was only discovered by lost bitcoins that it was being initialised with a 31-bit seed.
They claimed that it was a bug, but who the hell knows - it might just as well have been a mistake by design.

How many more fuck ups have to come out in PRNG implementations, before you guys start considering a thesis that your brain combined with a simple sha256 hash might actually be a far better source of (pseudo) entropy than all of these corporate solutions that nobody is able to fully audit?
legendary
Activity: 2053
Merit: 1356
aka tonikt
Mind that entropy is just an abstract concept that basically quantifies the amount of chaos within a certain set of data.

Trust me: there is no chaos inside the data provided by the random number generators that you guys use and praise to be so much more secure than my brain.
Software based (pseudo) random number generators follow an algorithm, that is just a mathematical function which turns input data into the pseudo-random numbers.
The input data for this function are things like: current time, content of your system's memory, the keys you're pressing on your keyboard, or your mouse cursor movements - that's it.

There are some implementations of hardware-based random number generators, which are supposed to provide real random numbers, but they are so shady that smart people will rather stick to the software solutions - pseudo random number generators.
And why?
Because at least with the software PRNG they can audit the code and quantify the complexity of recovering the seed by an attacker.
Which is exactly where the security of the brain wallet is - in the complexity of recovering the seed by an attacker.

http://arstechnica.com/security/2013/12/we-cannot-trust-intel-and-vias-chip-based-crypto-freebsd-developers-say/
full member
Activity: 224
Merit: 117
There are two different types of attacks on a cryptographic system; analytical attacks, and brute force.
Entropy protects against brute force, but not against analytical attacks.
A strong system is needed to guard against analytical attacks.

Entropy is necessary for security, but not sufficient.
legendary
Activity: 2053
Merit: 1356
aka tonikt
Now you've made me intrigued, how is it possible that nobody has painted a second Mona Lisa, just by coincidence Smiley

https://en.wikipedia.org/wiki/Mona_Lisa_replicas_and_reinterpretations  Smiley

If you don't understand that the security of ECDSA is all about complexity of reversing the EC multiply function, then we have nothing to discuss any further.

Finally, we can agree on something.

Certainly Bitcoin would be broken if it was possible to quickly calculate a private key from a given ECDSA public key.  However, without sufficient entropy in the selection of the private key, the security is lost before you ever even know the public key.

You're wasting my time and the time of people reading this topic.

One of us is.

You're embarrassing yourself.
legendary
Activity: 3472
Merit: 4801
Now you've made me intrigued, how is it possible that nobody has painted a second Mona Lisa, just by coincidence Smiley

https://en.wikipedia.org/wiki/Mona_Lisa_replicas_and_reinterpretations  Smiley

If you don't understand that the security of ECDSA is all about complexity of reversing the EC multiply function, then we have nothing to discuss any further.

Finally, we can agree on something.

Certainly Bitcoin would be broken if it was possible to quickly calculate a private key from a given ECDSA public key.  However, without sufficient entropy in the selection of the private key, the security is lost before you ever even know the public key.

You're wasting my time and the time of people reading this topic.

One of us is.