A 90-bit passphrase, *IF* randomly generated (as this script is doing), has NEVER been cracked and it will most likely not be in our lifetimes.
Bitcoin has now done ~2^74 hash operations. I'm reasonably confident that it will do 2^90 of them in my lifetime; I am not confident that it will be the only 2^90 search.
Yes bitcoin has done 2^74 operations but at what total cost? In the tens or hundreds of millions USD, if I'm not mistaken.
Also the work factor to break one of your 90-bit keys is less than 2^90 the moment two of your keys have been used... If your scheme were widely used, it would be much easier to find one at random. It may also turn out that your RNG is less uniform than believed and after careful analysis doesn't require a 2^90 search to match even a single key.
The script is feeding straight from /dev/urandom (SystemRandom in python). That's easy to verify from the 25-line source code.
It will also support another randomness method that totally bypasses the OS provided RNG, which should cater to the most paranoid amongst us...
In general symmetric cryptography applications 128 bits has arisen as a general standard. Is 128 meaningfully better than 90? Is it meaningfully better than 120? Meaningfully better than 65? Part of the purpose of having a standard size is so that you don't have to constantly engage in a complicated tradeoff discussion: you just demand that everything is 128 bits.
The objective of this tool is to provide keys that can be remembered by a normal human being and can't be cracked easily. 2^90 achieves this, which is also the view that many password strength experts hold (e.g. AgileBits, Diceware, Schneier, US gov internal recommendations, etc.).
Also as stated earlier, just changing one digit in the code makes it generate much stronger passphrases, if required for whatever reason or belief.
Your scheme also only generates a single address, so users are stuck reusing it, compromising their privacy.
This is a well-known brainwallet limitation that affects all commonly used brainwallet generators (bitaddress, brainwallet.org, etc.). This is why it is recommended to use a brainwallet address only once (just like any other bitcoin address, really). At least NoBrainr provides random generation for brainwallets, which the other approaches don't, and provides strong 90-bit+ keys, compared to the 30 to 40 bits (song lyrics, poems, etc.) that many people use to generate their brainwallets on those sites. The slightly confusing thing with the "brainwallet" moniker is that it is actually just one address, so not a wallet in the regular bitcoin-client sense.
This is part of the reason that only advanced users should even consider using brainwallets, and only after researching them properly.
Is 128 bits more to memorize than 90? Yes. But relying on memorizing keys which can never be recovered via any other means is already skating on thin ice. People are used to it being possible to recover access if you forget— though sometimes with great effort. Crypto is different. Memory is just reliable enough for its unreliability to be surprising, especially since you don't remember all that you've forgotten by definition.
Of course, once you're up to that size you could just use the scheme electrum uses (or the one that it will use). Of course, the implementation isn't 1024 bytes— but neither is yours: The dictionary is an utterly essential part of the implementation.
Of course the dictionary is essential, but the point is that 1024 bytes / 25 lines of code makes NoBrainr orders of magnitude easier to audit and review, compared to any other alternative. This can make all the difference for non-developers or anyone who doesn't have days to waste just to make sure nothing malicious is going on in the source code.
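As an added example (not the NoBrainr script and not code posted by anyone in this thread), the arithmetic behind the exchange above: choosing words with Python's SystemRandom (i.e. the OS RNG), counting how many words a dictionary of a given size needs to reach a target such as 90 bits, and the multi-target reduction once N keys from the same scheme are in use. The 4096-entry word list is constructed for the example; a real list such as Diceware (7776 words) gives about 12.9 bits per word.

```python
import math
import secrets

# Constructed toy word list: 4096 entries = exactly 12 bits per uniformly chosen word.
WORDLIST = [f"word{i:04d}" for i in range(4096)]


def bits_per_word(dict_size: int) -> float:
    """Entropy contributed by one word drawn uniformly from a dict_size-word list."""
    return math.log2(dict_size)


def words_needed(dict_size: int, target_bits: float) -> int:
    """Smallest word count whose combined entropy reaches target_bits."""
    return math.ceil(target_bits / bits_per_word(dict_size))


def passphrase_bits(n_words: int, dict_size: int) -> float:
    """Entropy of an n_words passphrase; only valid when every word is chosen
    independently and uniformly (which is why the RNG source matters)."""
    return n_words * bits_per_word(dict_size)


def generate_passphrase(wordlist, target_bits: float = 90.0):
    """Draw words with secrets.SystemRandom, which reads from os.urandom
    (/dev/urandom on Unix), so no user-space PRNG state is involved."""
    rng = secrets.SystemRandom()
    n = words_needed(len(wordlist), target_bits)
    return [rng.choice(wordlist) for _ in range(n)]


def multi_target_bits(single_key_bits: float, n_keys: int) -> float:
    """log2 of the expected brute-force work to hit ANY one of n_keys keys:
    each guess is checked against all n_keys, so the search shrinks by log2(n_keys)."""
    return single_key_bits - math.log2(n_keys)


if __name__ == "__main__":
    words = generate_passphrase(WORDLIST, 90)
    print(" ".join(words), "->", passphrase_bits(len(words), len(WORDLIST)), "bits")
    print("Diceware words for 90 bits:", words_needed(7776, 90))
    print("one of 1024 keys in use:", multi_target_bits(90, 1024), "bits of work")
```

Raising `target_bits` (the "one digit" change mentioned above) is the only knob; the strength claim holds only if the word list is uniform and every word is drawn independently.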