Bitcoin Forum>Bitcoin>Development & Technical Discussion
Pages:
Author

Topic: Suggestion: A simple way to protect new users from losing their wallet.dat's (Read 5811 times)

casascius
vip
Activity: 1386
Merit: 1141
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
Suggestion: A simple way to protect new users from losing their wallet.dat's
May 04, 2011, 10:37:12 PM
#28
Quote from: Garrett Burgwardt on May 04, 2011, 04:07:01 PM
People will always want to use simple phrases or words. Collisions will abound, and it will only serve to cause trouble. Leave it out I say.

For single uses, I would suggest it's already feasible to do this, just use a throwaway MyBitcoin account, and using passwords to generate single addresses is outside the scope of the original suggestion.  Using MyBitcoin, the security needs of passing a password as a proxy for a single transfer could be met with a weaker password since using an online service takes away the opportunity to brute force billions and trillions of possibilities per second.
Garrett Burgwardt
sr. member
Activity: 406
Merit: 256
Re: Suggestion: A simple way to protect new users from losing their wallet.dat's
May 04, 2011, 04:07:01 PM
#27
People will always want to use simple phrases or words. Collisions will abound, and it will only serve to cause trouble. Leave it out I say.
ffe
sr. member
Activity: 308
Merit: 250
Re: Suggestion: A simple way to protect new users from losing their wallet.dat's
May 04, 2011, 03:40:12 PM
#26
Quote from: Garrett Burgwardt on May 04, 2011, 03:20:16 PM
Quote from: ffe on May 04, 2011, 01:38:41 PM
Well then, if the import-keys function is added, I suggest adding the ability to create a new key-pair seeded by a password entered then and there.

This way you could create one of those keys, park a bit of coin in it and have it available at any time in the future at any client simply by entering the same password.

Not only useful for you, but a neat way to transfer coin using a human memorable password. You and your buddy are having dinner and you need to transfer 10 BTC to him. Your client on your phone creates a temporary key solely for this transfer, based on a simple password you both agree on, and loads it with 10 BTC. He enters the same password on his phone client and moves the coin to one of his permanent keys. The temporary password is not needed any more and can be dropped by both parties.

Of course if a password generated key-pair is used to store coin long term, make the password a strong one and print it out!

Bad idea. What happens when two people use the same password?

Nothing worse than if you save your wallet on a public forum, as far as I can tell. If you're stupid, you lose your coin.  No one is storing any coin long term in these keys and if someone is stupid enough to use "password" as the password he should expect a collision sometimes.

If we want to protect stupid users I suppose the client could perform basic checks like password quality indicators and checking that the new key-pair has never been seen before in the block chain. My experience is it's a losing game trying to protect stupid people from themselves.
Garrett Burgwardt
sr. member
Activity: 406
Merit: 256
Re: Suggestion: A simple way to protect new users from losing their wallet.dat's
May 04, 2011, 03:20:16 PM
#25
Quote from: ffe on May 04, 2011, 01:38:41 PM
Well then, if the import-keys function is added, I suggest adding the ability to create a new key-pair seeded by a password entered then and there.

This way you could create one of those keys, park a bit of coin in it and have it available at any time in the future at any client simply by entering the same password.

Not only useful for you, but a neat way to transfer coin using a human memorable password. You and your buddy are having dinner and you need to transfer 10 BTC to him. Your client on your phone creates a temporary key solely for this transfer, based on a simple password you both agree on, and loads it with 10 BTC. He enters the same password on his phone client and moves the coin to one of his permanent keys. The temporary password is not needed any more and can be dropped by both parties.

Of course if a password generated key-pair is used to store coin long term, make the password a strong one and print it out!

Bad idea. What happens when two people use the same password?
ffe
sr. member
Activity: 308
Merit: 250
Re: Suggestion: A simple way to protect new users from losing their wallet.dat's
May 04, 2011, 01:38:41 PM
#24
Well then, if the import-keys function is added, I suggest adding the ability to create a new key-pair seeded by a password entered then and there.

This way you could create one of those keys, park a bit of coin in it and have it available at any time in the future at any client simply by entering the same password.

Not only useful for you, but a neat way to transfer coin using a human memorable password. You and your buddy are having dinner and you need to transfer 10 BTC to him. Your client on your phone creates a temporary key solely for this transfer, based on a simple password you both agree on, and loads it with 10 BTC. He enters the same password on his phone client and moves the coin to one of his permanent keys. The temporary password is not needed any more and can be dropped by both parties.

Of course if a password generated key-pair is used to store coin long term, make the password a strong one and print it out!
Matt Corallo
hero member
Activity: 755
Merit: 515
Re: Suggestion: A simple way to protect new users from losing their wallet.dat's
May 04, 2011, 01:19:17 PM
#23
Quote from: ffe on May 04, 2011, 01:11:34 PM
Is there any way in the current client to enter a key-pair not generated in that client?
Not currently but there are patches to allow importing keys from other wallets and it isn't theoretically too hard.
ffe
sr. member
Activity: 308
Merit: 250
Re: Suggestion: A simple way to protect new users from losing their wallet.dat's
May 04, 2011, 01:11:34 PM
#22
Is there any way in the current client to enter a key-pair not generated in that client?
Matt Corallo
hero member
Activity: 755
Merit: 515
Re: Suggestion: A simple way to protect new users from losing their wallet.dat's
May 04, 2011, 12:14:12 PM
#21
Quote from: casascius on May 03, 2011, 06:26:04 PM
Why only one?
Might be useful for people who don't want their entire wallet to be re-creatable given the password but might want to backup a single address.  Though at that point, printing out the private key would probably just be more secure.
casascius
vip
Activity: 1386
Merit: 1141
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
Re: Suggestion: A simple way to protect new users from losing their wallet.dat's
May 03, 2011, 06:26:04 PM
#20
Quote from: sebastian on May 03, 2011, 05:52:17 PM
...and that password is used to create ONE bitcoin adress.


Why only one?
sebastian
full member
Activity: 129
Merit: 119
Re: Suggestion: A simple way to protect new users from losing their wallet.dat's
May 03, 2011, 05:52:17 PM
#19
I think this would be a good idea. Not only for backup, but allow user to "create" a password (enter a password) and that password is used to create ONE bitcoin adress.

The good thing for this is situations where theres no local storage, for example live-CD systems and such. It would be bery good to be able to embed a bitcoin client in a such system, and the user just enter their password and everything is generated and fetched based on the password.
casascius
vip
Activity: 1386
Merit: 1141
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
Re: Suggestion: A simple way to protect new users from losing their wallet.dat's
May 03, 2011, 04:38:43 PM
#18
Quote from: LZ on May 03, 2011, 06:20:05 AM
Quote from: casascius on April 30, 2011, 04:13:33 PM
Yes exactly, they would generate identical wallets and the client would behave the same way as if you copied one wallet to two computers now.  They could spend/steal each other's coins.
It seems that you do not understand how Bitcoin works. The wallet encryption may be useful in 0.4 but no more. Undecided

Your idea is possible as the third party service. But I really do not want something like that in the standard Bitcoin.

With all due respect, I don't think you understand the original suggestion clearly, because even though I do believe I understand how Bitcoin works, the suggestion would still hold water even if I didn't, because of the following known principles:

  • Bitcoin addresses in wallets are generated in a deterministic process based on random numbers
  • Pseudo random number generation by definition is repeatable with the same algorithm and seed
  • Therefore, generating two wallets using identical pseudo-random numbers as input, because they were generated by the same algorithm and seed, will result in a wallet with the same keys.

Where is it that you suppose I have gone wrong?

The idea, stated in another way, is to generate addresses in a predictable fashion, but only predictable to someone with the appropriate passphrase (whose hash yields the seed that will be used in the PRNG).

BTW, the "bang on the keyboard" idea is solid and sound in my opinion... assuming of course this refers to generating a truly random passphrase.
Matt Corallo
hero member
Activity: 755
Merit: 515
Re: Suggestion: A simple way to protect new users from losing their wallet.dat's
May 03, 2011, 01:17:12 PM
#17
Quote from: ffe on May 03, 2011, 12:30:00 PM
How about using the seeding method PGP used. Have the user bang on the keyboard randomly while giving him feedback on the entropy until both he and the program are satisfied. If he likes the idea of regenerating his wallet, he can print out the random sequence. If not, he can just bypass that step and the client is just the regular client with a very strong seed.

In all the years PGP has been used I don't think there was ever a danger that two PGP clients ended up with the same seed. I think the same would be true of the wallet in bitcoin.
Yep, some variation on random input with a minimum length is what would be needed.  Whether its then printed as text or pass sentences (or random words) doesn't really matter as long as its random and of a good enough length.
ffe
sr. member
Activity: 308
Merit: 250
Re: Suggestion: A simple way to protect new users from losing their wallet.dat's
May 03, 2011, 12:30:00 PM
#16
How about using the seeding method PGP used. Have the user bang on the keyboard randomly while giving him feedback on the entropy until both he and the program are satisfied. If he likes the idea of regenerating his wallet, he can print out the random sequence. If not, he can just bypass that step and the client is just the regular client with a very strong seed.

In all the years PGP has been used I don't think there was ever a danger that two PGP clients ended up with the same seed. I think the same would be true of the wallet in bitcoin.

Matt Corallo
hero member
Activity: 755
Merit: 515
Re: Suggestion: A simple way to protect new users from losing their wallet.dat's
May 03, 2011, 11:55:48 AM
#15
Quote from: LZ on May 03, 2011, 06:20:05 AM
Quote from: casascius on April 30, 2011, 04:13:33 PM
Yes exactly, they would generate identical wallets and the client would behave the same way as if you copied one wallet to two computers now.  They could spend/steal each other's coins.
It seems that you do not understand how Bitcoin works. The wallet encryption may be useful in 0.4 but no more. Undecided

Your idea is possible as the third party service. But I really do not want something like that in the standard Bitcoin.
Under the OP's suggestion, what casascius said is completely true.  Maybe I'm misunderstanding what you mean, but as long as the passphrase/pass sentence is secure, wallet encryption is still useful/required as generating of addresses will be unpredictable. 

As long as we don't let users generate their own passphrases (users are terrible at them), it is perfectly secure (assuming we generate passphrases/words well).
LZ
legendary
Activity: 1722
Merit: 1072
P2P Cryptocurrency
Re: Suggestion: A simple way to protect new users from losing their wallet.dat's
May 03, 2011, 06:20:05 AM
#14
Quote from: casascius on April 30, 2011, 04:13:33 PM
Yes exactly, they would generate identical wallets and the client would behave the same way as if you copied one wallet to two computers now.  They could spend/steal each other's coins.
It seems that you do not understand how Bitcoin works. The wallet encryption may be useful in 0.4 but no more. Undecided

Your idea is possible as the third party service. But I really do not want something like that in the standard Bitcoin.
casascius
vip
Activity: 1386
Merit: 1141
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
Re: Suggestion: A simple way to protect new users from losing their wallet.dat's
May 02, 2011, 03:37:26 PM
#13
Quote from: anisoptera on May 02, 2011, 02:24:21 PM
This seems infeasible. Wikipedia is edited all the time. Articles are deleted, changed. You would have to hash every single sequence of words ever posted to Wikipedia; maybe we randomly drop a word.

...

In any case the implementation details are unimportant, but we need to provide the user a sensible default.

Wikipedia allows its entire database, including edit history, to be downloaded as compressed tarballs available to the public.  Hashing every single sequence of words ever posted to Wikipedia isn't that outrageous when you consider the number of words will be what, billions? trillions? and yet network wide, we are already computing into the trillions of hashes every second just for mining.  Dropping a word out of every sentence would maybe increase the difficulty by a factor of ten, but far away from an ideal bit count of entropy.  It would take it from maybe 48-bit security to 51-bit security.  If stealing the entire Bitcoin network's Bitcoins would be the reward for pulling off such a thing, it will surely get done.

To me, a sensible default would be to allow the user to pick their own passphrase, and then provide built-in controls to detect poor ones.
anisoptera
member
Activity: 308
Merit: 10
Re: Suggestion: A simple way to protect new users from losing their wallet.dat's
May 02, 2011, 02:24:21 PM
#12
Quote from: casascius on May 01, 2011, 05:24:42 PM
If it was known that all wallets were based upon a sentence from Wikipedia, as ridiculous as it sounds, someone could (and would) write a program that generates a wallet from every sentence in Wikipedia and then look for the resulting addresses in the block chain.

This seems infeasible. Wikipedia is edited all the time. Articles are deleted, changed. You would have to hash every single sequence of words ever posted to Wikipedia; maybe we randomly drop a word.

I was not suggesting that it be the sole source, as well; could also do a google search and pick a sentence off that page. Or pick two sentences on Wikipedia. Or train a Markov chain generator and use that. Having a sentence that at least makes some grammatical sense to the user makes it easier for them to remember. A sequence of 10 random words will not be remembered, but something that the user can at least read will help.

In any case the implementation details are unimportant, but we need to provide the user a sensible default.
TiagoTiago
hero member
Activity: 616
Merit: 500
Firstbits.com/1fg4i :)
Re: Suggestion: A simple way to protect new users from losing their wallet.dat's
May 01, 2011, 08:38:50 PM
#11
either read it with a mobile or scan the printed page and run the image thru a reader program; the Bitcoin client itself could do that to make sure the scanned image don't even get saved as a file on the computer
casascius
vip
Activity: 1386
Merit: 1141
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
Re: Suggestion: A simple way to protect new users from losing their wallet.dat's
May 01, 2011, 05:24:42 PM
#10
Quote from: anisoptera on May 01, 2011, 04:17:22 PM
What if it automatically did this? What if it literally went to Wikipedia, or made a google search and went to a random page, picked a sentence off of that page, and presented it to the user as their passphrase?

They'd need to be able to reject a given phrase and get a new one an arbitrary number of times, and there'd have to be a manual override as well, but if we could automatically present the user with a reasonable passphrase it would go a long way. Then we can disallow anything with less than X bits of entropy (and apply this requirement also to our auto-generated passphrases)

I think the idea was fine for my example, but not for real world usage.  In the real world, the passphrase would have to be nonsensical, maybe ten to fifteen randomly chosen words from the dictionary, if not sequences of gibberish letters.

If it was known that all wallets were based upon a sentence from Wikipedia, as ridiculous as it sounds, someone could (and would) write a program that generates a wallet from every sentence in Wikipedia and then look for the resulting addresses in the block chain.

The idea of using a QR code is viable, in that it indeed holds enough bits for this purpose.  I am not sure how one would scan the QR code and get the resulting passphrase into the Bitcoin client and how that would be any easier than typing the passphrase when needed, but I suppose a recovery page that included the same thing both in plain text and QR couldn't do any harm (other than, at worst, to make this feature idea more complicated and less likely to get a developer to bite on).
anisoptera
member
Activity: 308
Merit: 10
Re: Suggestion: A simple way to protect new users from losing their wallet.dat's
May 01, 2011, 04:17:22 PM
#9
Quote from: casascius on April 30, 2011, 04:13:33 PM
Quote from: SmokeTooMuch on April 30, 2011, 04:09:58 PM
Wouldn't that mean that if two people are using the same password they will generate the same addresses ?


Yes exactly, they would generate identical wallets and the client would behave the same way as if you copied one wallet to two computers now.  They could spend/steal each other's coins.

At the rate passwords can be brute forced, any password that wasn't super strong and long would be quickly hacked.  

Because a hacker could theoretically start brute forcing your passphrase just by knowing any ONE of your bitcoin addresses, it would be an absolute requirement to use a strong passphrase that's astronomically unlikely to be guessed by anyone else.  Even a sentence off a random page off Wikipedia (what I chose) would be a dictionary vulnerability.  The phrase would have to be so long and contain so much entropy to be safe, that printing it directly to paper (rather than relying on the user to write it down) would pretty much be mandatory to be of any benefit.

What if it automatically did this? What if it literally went to Wikipedia, or made a google search and went to a random page, picked a sentence off of that page, and presented it to the user as their passphrase?

They'd need to be able to reject a given phrase and get a new one an arbitrary number of times, and there'd have to be a manual override as well, but if we could automatically present the user with a reasonable passphrase it would go a long way. Then we can disallow anything with less than X bits of entropy (and apply this requirement also to our auto-generated passphrases)
Pages:
Bitcoin Forum>Bitcoin>Development & Technical Discussion
Jump to: