Topic: Time to bust a myth. Paper wallets are less secure than normal encrypted wallets (Read 12403 times)

Adding to point (2).  To achieve maximum entropy, it is essential that no word is more or less likely to be selected than any other and each select event is independent from any other.  Some people erroneously attempt to think up their own words or select them from random pages of some book.


Agreed.  I made my own version of the Diceware list years ago to counter this problem.  10 000 words is indeed generous.  Even as a native English speaker I wouldn't care to push much beyond 1000 words.

These days I use the English 2048-word list supplied with BIP0039:


Certainly, shortcuts can cost entropy and while method obscurity may increase security, it will typically do so in a non-quantifiable way.  Relying on one's intuition regarding the difficulty of divining an obscure method is to abandon a foundational premise of information theory.

However, I'd like to highlight key-stretching as a fair source of additional security for a true brainwallet.  In essence, one simply forgets the last few words of their passphrase and brute-forces them whenever access is required.

I'd also like to expand on "sufficiently safe" here.

Selecting 12 words randomly and uniformly from a pool of 10 000 words gives 12 * log₂(10000) = 159.45 bits of entropy (2.d.p).  Roughly speaking, there are as many equally plausible 12-word passphrases as there are Bitcoin addresses.  Assuming the entropy of the passphrase is not reduced as it is converted into a private key, such a private key will be no less effective in securing a Bitcoin output than a standard random key.

Selecting 12 words from a pool of just 2048 yields
bits of entropy.  This is less secure than a standard address but is arguably "sufficiently safe" today.  Electrum¹ seeds have 128 bits by default.  Casascius coins used special 128-bit compact private keys.

Even 9 words from 2048 gives 99 bits of entropy.  We're well past the point of general cryptographic recommendation here but as far as a convenience/security tradeoff is concerned, I believe there are cases where 9 words would be a reasonable choice.  Extending your earlier point of reference:  As of block #387287, approximately 2^83.71 hashes have been calculated by miners in Bitcoin's lifetime, and such a hash is computationally cheaper than converting a private key to an address.

---

[1] Most new Electrum seeds are 13 words from the pool of 2048 words I linked to above.  One might expect such a seed to have 13 * 11 = 143 bits of entropy but some of the data is dedicated to a checksum/version-number and the final word is underutilised (usually begins 'ab' or 'ac').

That's some good information.  I will still stick to my paper wallets though.  I'm actually guilty of using a live machine to print them off.

Conclusion.. Dont download every shit on every page and use a hardware wallet.

How is CIYAM Safe more secure than Trezor? Thanks.

thank you very much.
i would like to add:
do not forget to backup HD/SSD with your wallet.
and don't forget to backup you backup.
and don't store all the backups at the same place.
and encrypt your backups.

and do not use a passphrase twice.

I based my number on this:
The Second Edition of the 20-volume Oxford English Dictionary contains full entries for 171,476 words in current use

So, I guess we should add "in current use" to the < 200k estimate.  Also, I can only guess that GLM's number includes every variant of every word (tense, subject, plurality, etc).  I expect it would be unwise to include all such variants for lists of words that must be precisely memorized.

In either event, I think we agree that the 1M or 200k discrepancy is largely irrelevant.  For brainwallets, there are two constraints on word selection: 1) They must be memorizable. 2) They must be randomly selectable.

Diceware uses five rolls of a six-sided die to do word selection.  This gives 7,776 possible "words", some of which aren't words, aren't well-known, and won't be easily memorized.  There are other lists out there, but they suffer the same constraints.  10,000 is a generous estimate of word pool size for this purpose.

Memorizing 12+ words, selected at random via dice roll, is a mathematically provable method to generate a sufficiently safe brainwallet.  Additional steps, shortcuts, obfuscations, etc are not necessary at best, and crippling to security at worst.

This is a problem, if not the problem.  Things like trezor are trying.

That's the big problem with btc, too much thinking about how to secure your coins for the layman

Quick search has shown this:
"The number of words in the English language is: 1,025,109.8.   This is the estimate by the Global Language Monitor on January 1, 2014." source
So the 1 million words is OK, however it is more realistic that an average person uses only a fraction of this, as you said as well. Above-average people may use something like 25'000 so that is the order you should be looking at, maybe even less, yes. These are the words you would normally think of. Unless, of course, you flip open some scientific magazines.

Let's jump to maths.



(1*10^18)/(1*10^12)=1000'000 which gives your 1 million seconds to break the first passphrase
1000'000/(60seconds*60minutes*24hours)=11.57 days instead of 99weeks

Assuming from the above an above-average person's dictionary, say 25'000 words, with the same numbers the first passphrase can be broken under 0.3 seconds.
The same 25'000 words, cracking with bitcoin network analogy would come down to under 20 years. Still probably pointless, but way less than the 3.3 trillion years. (which has probably the same flaw in calculating the time and it would be actually something like 0.08 trillion years, 7.93E10)

Check again the way you converted hashing time to actual time it takes and it will be OK. Significant error, however for the practical use it doesn't matter. If it takes 20,3 billion or 3 trillion years, who really cares? People will be happier stealing accounts with no encryption or the passphrase "puppy".


On a final note, I don't think you can make 10E12 guesses (trillion) per second, yet alone refurbish the Bitcoin network  . You can use this method if you want, but don't come up with words on your own like "it is Friday". Open a science book or something similar and roll some dice. However, at this point I would ask why would I do this? I personally find this method way too complex to be of practical use to me. I can write down my password somewhere and hide it on a piece of paper in a book's cover, glued to the back of some furniture etc etc.

As to math problems, I'll only point out that there are nowhere near 1 million english words - there are less than 200k words in total.  If these are words are to be memorized, they must be known to the user.  A more practical number to use here is 10,000.  This alone changes your math to a final result of 3.3 years instead of 3.3 trillion years.  If the words are not random, then of course this goes way way down.

This may not be good enough and may result in the loss of your funds.  Don't do this.  If you are unwilling to memorize (and keep memorized) those 12+ RANDOM words, then don't use a brainwallet.  Nobody said you have to memorize them into one long list - feel free to make them into four three-word phrases.  The KEY is that they have to be ACTUALLY RANDOM.  No phrases, no book quotes, no birthdays, etc.  Random words, chosen by dice roll or other non-computer-generated method.

You can also use a hybrid approach.  Memorize some of the words, and keep the rest written down somewhere safe.  Just nowhere digital.

If the words are random, then it will be much more difficult to memorize, and the chances will be greater that you will lose access to your funds.

IMO a safer bet would be to do the following:
#create a brain wallet with a relatively easy to remember phrase
#sign a message with a second, but different easy to remember phrase
#the resulting signature will be your passphrase

For example:
#I create a brain wallet with the phrase "quickseller is cool" (without quotes)
#The corresponding address is using brainwallet.github.io (uncompressed) is 13qAJGPqcyK2Dd69b19n4S9Bvfwxn7SS5Q
#The private key to 13qAJGPqcyK2Dd69b19n4S9Bvfwxn7SS5Q is 5KcNGK5y76KHYMNLnzX8exekj5Y3ygDMNUhudeoc3Eurk9hWkEN
#If I sign the message "today is friday" (without quotes) with the above private key (multibit) then I would receive the following signature: G7PbabLubAJeeEUf0UGvEvD4YeTRw/M3ft/k4daoiocef4fqHY7QX7wJjvSss9TX0E3wMuFA+4zt2/44PkYimYM=
#I would then use G7PbabLubAJeeEUf0UGvEvD4YeTRw/M3ft/k4daoiocef4fqHY7QX7wJjvSss9TX0E3wMuFA+4zt2/44PkYimYM=
 as my passphrase for my brain wallet which would result in the address 1A9Xp5DgASmApmnRpgzriW663oJdv2Uxic

The above steps would make it much more difficult for a brainwallet farmer to try to crack my brainwallet because of the exponentially greater number of potential passphrases if you use two sentences found in literature or are otherwise easily crackable.

If you were to assume there are 1,000,000 words in the english dictionary, and you were to use a 'random' three words as your 'first' passphrase' and a 'random' three words as the message that you sign with the above resulting key then:

There are 1,000,000³, or ~1 * 10¹⁸ possibilities as to what your first (signing) address will be. If you can calculate a trillion 'three word' passphrase combinations per second then it would take you 1,000,000 seconds or ~99 weeks to find all of the possible 'three word' passphrase combinations - they have probably already been found a long time ago.

If you were to take a random of the above addresses and sign a random three word message with the resulting private key then there would be a total of 1 * 10³⁶ possible signing address - resulting signature combinations. If you can calculate a trillion of these combinations per second then it would take you 1 * 10²⁴ seconds to calculate all of these combinations, this works out to be roughly 1.335 * 10¹⁹ years to calculate all of the possible combinations.

The current Bitcoin network hash rate is something less then 400,000 trillion hashes per second, so if the entire current network were to be repurposed to calculate all of the possible above combinations (assuming ASICs could be repurposed to do this) then it would take roughly 3.3375 * 10¹² years to calculate all of the possible combinations. This is roughly 3.3 trillion years.

It should be noted that a three word combination would be very easy to remember, and it would not be difficult to increase either, or both of the lengths, and if this were to happen then the number of possible private key combinations would be exponentially larger.

It should also be noted that I am not going to personally endorse this strategy of creating a brain wallet, and as a result I am not going to take responsibility if anyone were to have their funds stolen as a result of employing this kind of strategy.

if someone can find any non-trival errors in my math then please feel free to point them out

Brainwallet is fine if done correctly.  Sadly, virtually all brainwallets are not done correctly.  The crib notes version for correctly generating a brainwallet:

- Pick 12+ random (really, actually, truly) random words from a large list. Diceware will work fine. (Google it if unfamiliar)
- Commit the words to memory, and periodically test yourself
- Generate your wallet/key from an offline copy of a page, that you either trust or have personally verified the code. Or use Electrum, if you trust it and have ensured it is untampered with.

Trezor and Mycelium I use myself.

In my opinion, both of them are same. If we use encrypted wallet such as electrum, our wallet could be hacked by someone or we lose our recovery ID  when we re-install our operating system. If we use paper walllet, maybe it's safer than encrypted wallet, but when we generate paper wallet, malware could read our private key. So there's no perfect place to store our BTC. That's my opinion.

Serious comment: brainwallet for long term storag, Trezor for mid term, and Mycelium app for pocket change.
Comments?

In my (admittedly costly and time-consuming) example, the PC is rebuilt, the wallet primed from the M portions of the paper wallet, and the transaction information entered.  The signature is generated on the disconnected PC, manually transcribed, then the PC is again decommissioned.

I am sorry I reread your scenario but how are you signing the transaction for your paper wallet, are you signing it on a secure PC or "by hand"? I got the impression you said you were doing it "by-hand" IE pen and paper EC math but now I'm not sure.

It really won't.  Connected computers can be compromised with a keylogger.  My described scenario cannot.

You're "manually" signing the transaction? Do that with the encrypted wallet too, it'll save you the ink and will give you the same security.

Keep reading, it's covered.

As admitted, my example isn't easy, or even practical.  In the real world, we have to balance security and ease of use.  Personally, I use a Trezor.

Sounds great, though that only covers one part of the setup, the generation process. How are you going to spend those Bitcoins? You're going to need some kind of computer right? so I guess destroying the secure computer like you did seems counter-intuitive as you'll need atleast one secure computer to join up the m of n paper wallets to spend them. If you're a fan of destroying and buying computers each time you make a transaction, that would work. But instead of doing that, you could create another wallet using a similar process except make it an M of N encrypted wallet stored on multiple different computers stored in different locations. Same level of security, makes more sense than rebuying computers, why print out the keys at all?

My point is, all paper wallets eventually have to touch a PC and while they are touching the PC they are just as vulnerable as a normal encrypted wallet that has been unlocked, however unlike a locked encrypted wallet which is "non-trivial" to crack, paper wallets have other security risks you need to take into account such as the printer memory issue, which you do not need to even worry about with an encrypted wallet. Additionally wallets are only unlocked for milliseconds if even, some users of paper wallets who are tying in private keys etc may leave the private key in memory for quite some time exposing it to risk. It really does make much more sense to just use a normal encrypted wallet rather than a paper one. I prefer strength in numbers rather than strength in "paper", I am already tired of "paper" money