Topic: Can a brain wallet be trusted? (Read 336 times)

Even easier: memorize the 12 words, and cross the border. If you forget a few words, drive back and dig up your seed word backup.
More realistically: the average person carries at least tens or even hundreds up to thousands of GB of data with him all the time. There's no way anyone is going to find the 12 words they're looking for in there without spending a very long time searching.

Come on.  What are the chances someone finds it suspicious to have a graphic T-Shirt?  Has anyone ever been pulled over for having a random graphic design on their shirt?  Does everyone go to the airport with basic, plain T-Shirts on them?  Create a very minimalistic T-Shirt with the text on it and nobody would suspect a thing.  Unless you create a design that makes absolutely no sense and seems cryptic.  Poems though or stuff like that, who cares really.

I would be more afraid of the guy who has the printing company than of the border guards.

-
Regards,
PrivacyG

A T-shirt with a text is a very good idea but are you sure the border guards won't find that a little bit suspicious. Even if they don't suspect a Bitcoin seed, they could think it's a coded message containing critical informations.
Moreover if you are put in jail, you won't be able to keep your t-shirt.

How many times did you forget a password?  How many times did you forget where you put a particular thing of yours?  How bad was it when you forgot your e-mail password?  How bad would it be to forget your 'brain wallet' password?  This is not like you left your soda at the mall by mistake and you just buy another.  By forgetting your brain wallet password, you are just going to make us all a favor by having your coins lost in the darkness.

The ONLY way I think a brain wallet could actually be helpful is if you have to flee the country and are afraid the border guards or the airport guys will find your seed.  You can then create a very random and long brain wallet and print it on a T-Shirt you will wear to the airport and move the coins as soon as possible when you are safe at the destination.  Otherwise, there is no way I would ever trust a brain wallet.  In fact.  I would not trust it even in this fleeing situation, for which reason I would keep my coins there for the least amount of time possible.

Edit.  If I think about it, it actually makes no sense to create a brain wallet, even for temporary fund storage.  You could simply create a seed and print a poem containing the seed words on a T-Shirt and this is a MUCH safer way to store your coins.  Forget brain wallets.  Not worth the risk.

-
Regards,
PrivacyG

Thank you for pointing out this thread from CIYAM, it seems the challenge is over since the last funds have been spent in 2019 but at least it shows one thing. (Strong) brain wallets could be used for a temporary storage.
If you need to go somewhere where you can't safely bring any luggage with you, it could be a solution. I know it's certainly safer to store a seed on internet and to memorize its passphrase in this kind of situation since the attacker would have to find and hack your account first. But if you cant easily access internet in this place or if you don't want to rely on the availability of an online service, only few solutions remain...
Another famous use case is a way to easily and quickly give funds to someone you trust.

You should have multiple copies of the seed phrase and keep them in different secure places. For more safety, you can use a metal sheet for backing up the seed phrase.

You can also create a multi-signature wallet. For example, you can have a 2 of 3 multi-signature wallet. In this way, you will have three seed phrases and need only two of them for signing transactions. Even if one of the seed phrase is stolen, the thief can't steal your bitcoin.

If you don't trust your memory: write down your seed phrase.
If it gets stolen: you lose your money.
If you lose the last copy of your wallet: you lose your money.

"Be your own bank" comes with responsibilities.

I know these HD wallets can be reliable but then what ever has its advantages has its disadvantages as well and in a situation where one chooses seed phrases that are hard to memorize, what do you advise he does if the wallet is stolen or lost .

I wouldn't be so sure. We know that there are plenty of bots out there constantly adding more and more private keys and addresses to their databases of cracked brain wallets, just waiting for coins to steal. Some fairly unlikely words and phrases have not only been turned in to brainwallets but have subsequently been cracked. For example:

Song lyrics - "voulezvouscoucheravecmoicesoir" - 13Rq3HxwJwHzcGK8TQE4MnK9CezazLG55t
Book quotes - "Down the Rabbit-Hole" - 1PYgfSouGGDkrMfLs6AYmwDqMLiVrCLfeS
Movie quotes - "Zed's dead baby. Zed's dead." - 12dyYjCxWzSJg7p8mpS3t7PhsL7Btb2rPB
Internet quotes - "correct horse battery staple" - 1JwSSubhmg6iPtRjtyqhUYYH7bZg3Lfy1T
Religious quotes - "gate gate paragate parasamgate bodhi svaha" - 1N8gLjZEhRxLRRjg8ymS6Zez8KVegEKtb1
Non English phrases - "que me lleve la muerte" - 1K9xaDfABruMHrvWtJ3DWPu1q3XTr5wxUS

And these are just the ones which are in the public domain. It is certain that there are bots out there with millions more similar examples which we don't know about. You should assume that if a phrase or sentence appears somewhere online, then at some point some bot will check if it is a brainwallet.

Those phrases look like something you'd harvest from a news article. Since I'm not aware of any scrapers for harvesting phrases from news articles to build a dictionary out of, it is extremely unlikely to find any funds in such a wallet. But that doesn't waive my general dislike for brainwallets anyway (not standardized, easy to lose access to the tool used to make them, or even to use a compromised tool).

Not exactly. Adding a salt is not enough if your algorithm is naturally fast and weak; reaching your specific permutation would likely just be a matter of time (albeit longer, but still easier than other algorithms because hashing SHA256 is not really that difficult). Regardless, that is not what I'm advocating for and while it does make for a difference in the difficulty, it does not, by any means make it expensive or impossible to crack.

Instead, what I'm advocating for is to use Brainwallet with a resource intensive KDF and salted. Doing this gives you the best chances; it is far, far slower to crack if it is memory-hard and it makes more sense to go through dictionary or known wordlists in that case with common salt permutations. When compared to the original brainwallet, the choice would be a no-brainer.

That's why a much more difficult to brute-force system is so much better: there's less to remember for the same security.

You could add a "salt" to a "normal" brain wallet: after your password, add for instance your real name. That makes it impossible to brute-force it together with all other brain wallet users out there.

I do love your name choice.

Back to thread.

Yes if you don’t care about losing the coins is the correct answer.

Since it is only contained in your brain 🧠 your brain and my brain and all of humanity’s brains are easily broken and you can also forget anything you remember .

For example
1st grade teacher name ? forgot
2nd  grade teacher ? Mrs De Pace
3rd grade teacher? forgot
4th grade teacher? forgot
5th grade teacher? forgot
6th grade teacher? forgot but the 5th was the same as the 6th
7th grade teacher? mr paratore
8th grade teacher? sister francine

so I am 3 for 8

granted I am covering 1962 to 1970 time frame but those are what I remember

okay
phone numbers

212 835 8851 same time
718 835 8851 say 1972 to 1987 when house was sold.
when i got married and move to an apartment in 1986 I have zero Idea 💡 what that number was.

I can give endless examples of memory failure for most anyone. With out looking back what is the second sentence in this post?

I wrote it and iirc i wrote. back to the op. and a fail as it was :

Back to  thread.

The list of forgettable things gets bigger as you get older.
I am 65 and fully aware that I forget various things at various times.

oh how about this.


California
Hawaii
Philippines
Diego Garcia
Mauritius
Australia
Hawaii
California



That list of places covers a Navy Trip I did in 1979 to 1980

and I also remember each city port we sailed into and out of.

It would have been quite something if you did find one, since that would've cemented the idea into users minds that, even if you aren't looking for someone else's brain wallet, you might accidentally stumble upon it like this discussion, which is a bit of a outlier no doubt, but I could see someone thinking "that's pretty random", of course its not, anything you derive from something you've read is in fact, not random, but I can see how someone might come to that conclusion.

Not many people think about what could happen to them that's out of their hands. Most users here probably don't have a inheritance plan, and simply forgetting or god forbid worse ill health, is a legitimate concern.

People have had accidents, and didn't even know his own family, but even if it's not to that extent. Going through a traumatic experience means you could lower the priority of remembering your seed or private key, which ultimately has the same effect.

It would not surprise me in the slightest if someone out there was pulling every post made on this forum or other popular bitcoin communities and trying every phrase or sentence in a brainwallet generator.

Even if not, the four quotes you gave are all compromised of a low number of English words. Even a brainwallet generator just randomly brute forcing combinations of English dictionary words would find them before long. I have no idea what the benchmarks for something like Brianflayer are, but as ranochigo points out, a single SHA256 function (and then the usual steps to go from private key to address) is not exactly resource intensive.

I think that it is still important to acknowledge that the brainwallet implementation was inherently flawed with a fairly weak KDF that resulted in an extremely fast bruteforce and balance checking which resulted in very efficient and effective implementations like Brainflyer to exist. Which accounts for this impression that brainwallet simply doesn't work.

However, more recent implementations uses a far slower and intensive algorithm which limits the effectiveness of the bruteforce as it would require either high memory intensity or resources. In addition, salt is mandatory in most implementations which makes for an additional round of protection. Fact is, while such algorithms cannot beat the entropy of your OS, you'll still have a fairly decent security as any attempts would be far more than a generic bruteforce but they would also have to take into account the salt, which is personalized and unique. Caveat being both your phrases as well as your salt has to be unique and sophisticated enough.

Brain wallet: 12N2L3T1tt6adzL4iAXGtcCznKaB3u1rnC

15CnpSrcL1Lqa5YpgwHGYtmmXBYodbzWGx

1DHxTbwDFqryVn6VZSizE21JBJ4Cw9JW3

1M3qaaWyYQRwFzrcF3fNE2qwCQP1sZ6uoP

It would be really nice of some of the brain wallet hunters would comment here: would the above phrases pop up in your dictionary search? I'm pretty sure some of them would have found it if any of those addresses had any funds.

The balance between "not losing access" and "preventing someone else from gaining access" is still something I'm not entirely comfortable with when it comes to crypto. That applies to brain wallets, backups and written down seed phrases.

Other answers above have told you just how insecure brain wallets are and how humans are a terrible source of entropy. Now, even if you were to generate a properly secure BIP39 seed phrase, here is why you should write it down and not try to remember it.

Each year:

69 million traumatic brain injuries: https://pubmed.ncbi.nlm.nih.gov/29701556/
12 million strokes: https://www.world-stroke.org/assets/downloads/WSO_Global_Stroke_Fact_Sheet.pdf
10 million new diagnoses of dementia: https://www.who.int/news-room/fact-sheets/detail/dementia
5 million new diagnoses of epilepsy: https://www.who.int/news-room/fact-sheets/detail/epilepsy
2.5 million cases of meningitis: https://www.path.org/articles/toward-world-without-meningitis/
2 million new brain tumors: https://academic.oup.com/noa/article/3/1/vdaa178/6043315
1.5 million cases of encephalitis: https://www.sciencedirect.com/science/article/pii/S0163445322002110

That's each year, and that's only major conditions which directly affect the brain. Add in things like cardiac arrest, heart disease, sepsis, shock, diabetes, vascular injury, hemorrhage, poisoning, smoke inhalation, etc., all of which can cause secondary brain injury, and there are literally hundreds of millions of people every single year who suffer some form of insult to their brain which can lead to memory problems.

Do you want to trust all your coins to those odds? I know I don't.

There's been debate through the years, and some users have even run some challenges to try, and prove that they can be secure. However, generally brain wallets introduce additional risks, which if you aren't aware of could potentially compromise you. Plus, as suggested humans are generally absolutely horrible at entropy. We tend to think similarly, and follow patterns. It's very much what makes us human. Most living things have patterns.

The above challenge was never claimed, however this is a rather flawed challenge since we don't know exactly how it was generated. The question isn't about are brain wallets inherently insecure, it's more the human factor when it comes to generating the entropy. LoyceV, has a nice little thread there that demonstrates this weakness.

So, even if you believe you've made a completely random password, it likely isn't. Our thought processes are flawed for entropy. Computer generation of entropy is almost always better.

How reliable is the human brain in storing passphrase to be frank it is very poor in regards to this,  but there are situation where they only option left to keep your coin safe is to have a brain wall especially during wars and environmental hazards where people seek refuge in other countries without any property except the cloth the put on.

while you depend on Brain wallet it is still good to have HD wallet for backup and best to store this passphrases in a mobile friendly means incase of casualties. E.g metal plates or steel