That might be OK except that your average grandma isn't Linux literate. 
That's the problem with brainwallets. Anything less than 256 bits of entropy will probably be brute forced at some point. 
Topic: New blog post: Hiding Bitcoins in Your Brain - page 4. (Read 7204 times)
To make a truly secure brainwallet passphrase take the output of
Code:
dd bs=32 count=1 if=/dev/random | hexdump -e '"%x"'
and convert it to PGP wordsThat might be OK except that your average grandma isn't Linux literate.
This is the essence of what I intend to propose as a standard brainwallet replacement for sha256:
First, I propose scrypt as the key derivation algorithm.
Second, I propose the following standardized method for creating salt: a user should enter their own birthdate and their postal code that was current at the time their brainwallet was created. The postal code should be stripped only to alphanumeric characters (no spaces or dashes). These should be provided as salt to the scrypt algorithm in the form YYYY-MM-DD-x where x is the stripped postal code. The purpose of these is that it's unlikely the user will forget these (even if they move) while still providing satisfactory entropy to substantially prevent parallel cracking of the entire brainwallet universe. If all brainwallet generators and decrypters follow the same method for generating salt, users won't be burdened with having to remember how they created their salt, nor how they formatted their information.
Third, I propose the scrypt parameters 16384,8,8 as a starting point. I propose that brainwallet creators offer a checkable option called "additional security" that will result in using sensible power-of-two multiples of these parameters instead (which multiples to use are the implementer's choice, but should be appropriate for the current state-of-the-art in potential cracking threats). For example, 32768,8,8, 32768,16,8 are logical next steps when more difficulty is needed.
Brainwallet decrypters should consider the possibility that a user may have enabled "additional security". After trying the default parameters, a decrypter should be prepared to bruteforce 8 to 16 of the most likely possible alternates, looking for something that results in a private key with funds. This should happen if and when a user fails to decrypt a brainwallet having funds, or indicates that they have enabled "additional security". The user does not have to remember specifically whether or not they enabled it - the worst case for a user is that they don't remember, and are forced to wait a while for the brute forcing process to either find their correct private key, which will succeed regardless of whether they enabled it, or fail, if they have entered the wrong passphrase.
First, I propose scrypt as the key derivation algorithm.
Second, I propose the following standardized method for creating salt: a user should enter their own birthdate and their postal code that was current at the time their brainwallet was created. The postal code should be stripped only to alphanumeric characters (no spaces or dashes). These should be provided as salt to the scrypt algorithm in the form YYYY-MM-DD-x where x is the stripped postal code. The purpose of these is that it's unlikely the user will forget these (even if they move) while still providing satisfactory entropy to substantially prevent parallel cracking of the entire brainwallet universe. If all brainwallet generators and decrypters follow the same method for generating salt, users won't be burdened with having to remember how they created their salt, nor how they formatted their information.
Third, I propose the scrypt parameters 16384,8,8 as a starting point. I propose that brainwallet creators offer a checkable option called "additional security" that will result in using sensible power-of-two multiples of these parameters instead (which multiples to use are the implementer's choice, but should be appropriate for the current state-of-the-art in potential cracking threats). For example, 32768,8,8, 32768,16,8 are logical next steps when more difficulty is needed.
Brainwallet decrypters should consider the possibility that a user may have enabled "additional security". After trying the default parameters, a decrypter should be prepared to bruteforce 8 to 16 of the most likely possible alternates, looking for something that results in a private key with funds. This should happen if and when a user fails to decrypt a brainwallet having funds, or indicates that they have enabled "additional security". The user does not have to remember specifically whether or not they enabled it - the worst case for a user is that they don't remember, and are forced to wait a while for the brute forcing process to either find their correct private key, which will succeed regardless of whether they enabled it, or fail, if they have entered the wrong passphrase.
Don't use anything that can be found in a book. "Really obscure" doesn't mean anything in the context of a brute force attack.
Hm, perhaps it might be OK to use a sentence from a very old/rare book that hasn't been scanned into Google Books yet?
Although I guess it could always still get scanned in the future... 
Don't use anything that can be found in a book. "Really obscure" doesn't mean anything in the context of a brute force attack.
But that also means brain could not handle it well
Don't use anything that can be found in a book. "Really obscure" doesn't mean anything in the context of a brute force attack.
To make a truly secure brainwallet passphrase take the output of
Code:
dd bs=32 count=1 if=/dev/random | hexdump -e '"%x"'
and convert it to PGP words As far as randomness of passphrase, Electrum generates a pretty random phrase. I don't see that those should be very crackable, and I don't beleve in the idea of including personal information in my passwords either, despite Gavin's recommendation.
The personal information bit makes it easy for a employer, government or bank to crack your password. I don't know how that's entropic at all in a objective sense. In fact, the suggestion of associating your personal information with your bitcoins puts a very bad taste in my mouth. Why would you suggest this, Gavin?
As far as randomness of passphrase, Electrum generates a pretty random phrase. I don't see that those should be very crackable, and I don't beleve in the idea of including personal information in my passwords either, despite Gavin's recommendation.
5MyBitcoinPrivKey1234567890 = sha256("salt" + sha256("MySuperSecretPassPhrase"))
^There.
"salt" can be an everchanging number, so you can constantly move on to new brainwallets, without forgetting, or losing access to the old ones.
.
^There.
"salt" can be an everchanging number, so you can constantly move on to new brainwallets, without forgetting, or losing access to the old ones.
.
Nice cube, Mike! Brainwallets and the Electrum light client are why am getting involved with BTC again after a losing a hard drive over a year ago right after I got started. Luckily there was only faucet scale BTC in my wallet.
There is no way I would consider holding significant funds in BTC without a brainwallet. I don't even trust bits of paper in banks.
I enjoyed your article, and I agree this is the best angle to promote BTC.
There is no way I would consider holding significant funds in BTC without a brainwallet. I don't even trust bits of paper in banks.
I enjoyed your article, and I agree this is the best angle to promote BTC.
Thanks! I need to add more material about Electrum. I only just learned about it myself today!
Nice cube, Mike! Brainwallets and the Electrum light client are why am getting involved with BTC again after a losing a hard drive over a year ago right after I got started. Luckily there was only faucet scale BTC in my wallet.
There is no way I would consider holding significant funds in BTC without a brainwallet. I don't even trust bits of paper in banks.
I enjoyed your article, and I agree this is the best angle to promote BTC.
There is no way I would consider holding significant funds in BTC without a brainwallet. I don't even trust bits of paper in banks.
I enjoyed your article, and I agree this is the best angle to promote BTC.
So if you ask the average person to create a secure passphrase, they're very likely to create something that a "determined attacker" with a lot of computing power can crack.
Miners who find themselves in possession of obsolete gear (GPUs after ASICs hit the market) could very well become those determined attackers. ...
Think of two passphrases that you think you can remember. And think of a government-issued number that you can easily lookup or remember (like your driving license or social security number).
Create a brainwallet passphrase that is:
the first passphrase,the government id number,the second passphrase
Then create a 'sentinel' brainwallet that is just the first passphrase, and send a small number of bitcoins to it. When those bitcoins get spent (or more bitcoins are sent to it by somebody else), you know that the first passphrase you chose isn't good enough any more. Choose a more complicated passphrase and create a new 'sentinel' and real brainwallet, and move your old brainwallet there.
Think of two passphrases that you think you can remember. And think of a government-issued number that you can easily lookup or remember (like your driving license or social security number).
Create a brainwallet passphrase that is:
the first passphrase,the government id number,the second passphrase
Then create a 'sentinel' brainwallet that is just the first passphrase, and send a small number of bitcoins to it. When those bitcoins get spent (or more bitcoins are sent to it by somebody else), you know that the first passphrase you chose isn't good enough any more. Choose a more complicated passphrase and create a new 'sentinel' and real brainwallet, and move your old brainwallet there.
Good idea, thanks!
P.S. Casascius suggested to me that we might also consider moving to a slower key-generation algorithm, using scrypt for example, to make brute-force attacks on brainwallets more expensive.
Humans are pretty bad at being original. REALLY bad at being random. And we are terrible at comprehending huge numbers.
So if you ask the average person to create a secure passphrase, they're very likely to create something that a "determined attacker" with a lot of computing power can crack.
I think if people start to use quotes from obscure literary works as their brain wallets, then they're going to lose their bitcoins sooner or later. Attackers can try MILLIONS of passphrases per minute, to crack EVERY SINGLE brainwallet that has ever been created.
So: if you absolutely, positively won't be dissuaded from using a brainwallet, here is my advice on how you might be able to come up with a secure passphrase:
Think of two passphrases that you think you can remember. And think of a government-issued number that you can easily lookup or remember (like your driving license or social security number).
Create a brainwallet passphrase that is:
the first passphrase,the government id number,the second passphrase
Then create a 'sentinel' brainwallet that is just the first passphrase, and send a small number of bitcoins to it. When those bitcoins get spent (or more bitcoins are sent to it by somebody else), you know that the first passphrase you chose isn't good enough any more. Choose a more complicated passphrase and create a new 'sentinel' and real brainwallet, and move your old brainwallet there.
So if you ask the average person to create a secure passphrase, they're very likely to create something that a "determined attacker" with a lot of computing power can crack.
I think if people start to use quotes from obscure literary works as their brain wallets, then they're going to lose their bitcoins sooner or later. Attackers can try MILLIONS of passphrases per minute, to crack EVERY SINGLE brainwallet that has ever been created.
So: if you absolutely, positively won't be dissuaded from using a brainwallet, here is my advice on how you might be able to come up with a secure passphrase:
Think of two passphrases that you think you can remember. And think of a government-issued number that you can easily lookup or remember (like your driving license or social security number).
Create a brainwallet passphrase that is:
the first passphrase,the government id number,the second passphrase
Then create a 'sentinel' brainwallet that is just the first passphrase, and send a small number of bitcoins to it. When those bitcoins get spent (or more bitcoins are sent to it by somebody else), you know that the first passphrase you chose isn't good enough any more. Choose a more complicated passphrase and create a new 'sentinel' and real brainwallet, and move your old brainwallet there.
I'm writing this new blog post as an introduction to Bitcoin for new users. I may add more to it later, but it's at a good stopping point for now.
The emphasis here is on Brain Wallets, because I consider this concept to be a very useful one for enabling users to recover their accounts. Even if the main browser-based or standalone client that you use develops a problem, and even if you lose your wallet backups, paper wallets, private keys, etc., as long as you keep your coins in a brain wallet, then you can just enter your brain-wallet passphrase into a different site or client, and still access your coins.
I wouldn't want my grandmother, for example, to use Bitcoin, if I didn't know that I could always help her to retrieve her main stash as long as she still remembered (or had written down) her brain-wallet passphrase.
Comments are welcome.
Regards, -Mike Frank
The emphasis here is on Brain Wallets, because I consider this concept to be a very useful one for enabling users to recover their accounts. Even if the main browser-based or standalone client that you use develops a problem, and even if you lose your wallet backups, paper wallets, private keys, etc., as long as you keep your coins in a brain wallet, then you can just enter your brain-wallet passphrase into a different site or client, and still access your coins.
I wouldn't want my grandmother, for example, to use Bitcoin, if I didn't know that I could always help her to retrieve her main stash as long as she still remembered (or had written down) her brain-wallet passphrase.
Comments are welcome.
Regards, -Mike Frank
Jump to: