Topic: What's the safest way to use an awesome brainwallet? (Read 1284 times)

Not flustered, not upset.  It is extremely difficult to get me flustered or upset.  I just don't invest enough emotional energy into conversations with complete strangers on the internet. Mostly just bored.


I apologize for any snarky tone that may have been in my responses.  It was not done intentionally.


You're welcome.

Sorry, didn't mean to get you flustered or upset. Your responses generally had a snarky tone, so I just went with the flow.

Thanks for all your help though, your answers were very helpful.

I've made my points.

You are welcome to do whatever you like.

It's your money.

Your OP asked some specific questions.  Those questions have been answered.  You don't like the answers, that's not my problem.

Good luck.

Funny how you skirted my comment about the artificial language trick, guess that was too unconventional for you?

12 random English words is still 12 English words. I don't trust it, but it seems like you are okay with it. So what's the big deal if I invented my own language and came up with 12 words?  

And using the internet and bitcoins are apples and oranges. You don't have to know how flying works with the internet, you just have to learn how to fly.

With bitcoins, you have to learn how flying works to understand how to be as secure as you can be.

And no, people don't know much about technology, and look at the consequences: stolen passwords, phished passwords, cracked accounts, etc.

Bitcoin just seems another continuation of that, but with the opportunity to lose a lot more.

You aren't being amonished for learning.  You are being admonished for making false assumptions, and refusing to put any effort into learning.


As would most of the techinical details behind TCP/IP and ethernet, and yet they all seem to manage to use websites without a problem.


Agreed.  The average user will use a piece of software that has been thoroughly reviewed and certified as trustworthy, or they will use a bank.



Clearly.


Right, but the public key will still be broadcast when you broadcast the transaction, which brings us back to the recommendation to not re-use the address.



Sounds like maybe you're starting to catch on?


Yes, it definitely sounds like you're starting to catch on.


And a brainwallet is basically a bundle of cash as well.  So you would basically be keeping a bundle of cash on your person.  Yeah, its not physical, but you're still keeping a ton of money on your person.  Does anyone do this with conventional money except for drug dealers?


So you prefer that the thief targets you directly rather than your safe?


Sure, in which case the bank is exactly like a bank, but the paper wallet itself is not.  Some people feel that a bank vault provides reasonable protection against theft.  Those people keep their paper wallets in bank vaults.  Others prefer not to.  How to protect a paper wallet is a decision for each individual to make for themselves.


Sure.  And you can encrypt your paper wallet with a password as well if you like.  This seems to be getting away from the discussions of the intrinsically insecure nature of "brainwallets", and the importance of not reusing addresses.


That depends on whether you are generating those words randomly, or using your brain to come up with them.


Glad I could help you understand better the issues surrounding your plans.


Human beings are VERY BAD at doing anything in a random way.  The harder they try to be random, the less random they tend to be:



I'm not going to attempt the same analysis as greyhawk did on someone else's attempt at the same thing, but I will point out:

There are approximately 95 distinct characters you could have used. and yet after typing 101 characters, you have a very significant amount of repetition, and have only used 24 different characters.
You also repeat several sequences multiple times.

I've said it multiple times now.  Human beings are not good at randomness.  We simply aren't wired that way.  We are wired for patterns.


No more than I expect them to understand all the caveats and nuances of the internet's protocols (such as TCP/IP, HTTP, FTP, UDP, etc) in order to use websites.  Can you imagine what the internet would be like right now if use of it required a detailed understanding of all of the underlying protocols?


I'm not sure what you're asking.  But if I'm guessing correctly, you can guess at the private key as many times as you like.  Each guess will result in a new bitcoin address.  Eventually if you guess the correct private key, you'll end up generating the bitcoin address that you expect and you can then use that private key to sign the transaction and broadcast it along with the public key.

Aren't you also relying on memory for the passphrase to your wallet?

I don't have any lawyers, so I don't have that option for now.

Now I'm lost, I thought exposing your public key weakens the integrity of the security mechanism, allowing for the eventual cracking of your private key.


If you say so, I don't know how people expect Bitcoin to thrive when somebody like me is being admonished for learning how to take the proper steps to utilize the full potential of its encryption methods. Most of this stuff would sound like nonsense to a mainstream crowd, let alone having to worry about changing encryption methods down the line when they've invested some of their time to learning how it actually works, if they even learned it at all. Hmmm, no wonder there are banks to take care of all of this for the commoners.



Yeah, I really don't get it myself. The idea I think is so you don't have to use your private key on the hot PC?


I was thinking I send a small amount to another Bitcoin wallet, and use that to spend monies. But then I realized after your response that all transactions have to be recorded online.


I see what you mean. Which means I'll have to come up with multiple brain wallets to maintain a true offline account. Hopefully, I wouldn't have to do that so many times.



A paper wallet is basically a bundle of cash, correct? So I would basically be keeping a bundle of cash in my domicile or another residence. Yeah, it's a lot smaller and easier to maintain, but you're still keeping a ton of money in your home. Does anyone do this with conventional money except for drug dealers?


Well, I would give it up if I had to, that example was under the idea that the safe would be targeted without my presence.


I have seen people recommend saving paper wallets in bank vaults.


I could always encrypt my brainwallet with an audio message if worst came to worst. Of course, better methodologies can be thought up of compared to coming up with one on the spot in a forum post.


People have advocated software seeds that contain 12 English words as being highly secure. C'mon, I can do better than that, is it that hard to believe?


Not if it's easy for them to remember, yet nonsensical for others. Just so I don't give everything away, we would all speak some break-off dialect of some artificial language that only we know. But yes, I see what you're saying. I guess I'll have to come up with something clever in the meantime.


See above.


See above.


Yes, I concede that. But now I have learned a bit more, and can understand where my original plan fails, which is what I wanted to accomplish with this thread. This has all been a great thought experiment so that I can come up with a better plan centered around a brainwallet and/or other methods.


How is that a bad idea? Yeah, the dice sounds good, but typing something like this into a brain wallet is bad? :

onthunsoeahtueroah.crhu903409hu0244903gp02g2[93g[hu9[h239g23[9g29j0ud203gf2309g[192[3d0239[23.0,u02u3 (and so on, for as long as you want)



I meant to say public key instead of public address. But yes, I am having a hard time grasping the difference between public key and an address. I'll make sure to study that thoroughly from here on out.

But if you think the mainstream public could understand all the caveats and nuances of Bitcoin's cryptograhy, then you got another thing coming.


It would be a pain to memorize the private key, but it seems like the easiest way without interfacing with layers of garbage each time.

My only question is, if I have the public key: then it's just like entering a password, right? If I get it wrong, no harm, no foul? I could keep going on until I get it.

My worry was entering in an incorrect key and having something horrible happen. If not, then I don't mind memorizing a new key, but I can see how it can get confusing.

That is correct.


There is no guarantee that ECDSA will ever be "breached", but there is no guarantee that it won't either.  That is the nature of cryptography.  A cryptographic function is secure until someone finds a way to make it insecure, then people move to a newer secure function.  Fortuntately, as long as it is used properly, bitcoin layers 3 different cryptographic functions between your private key and your public address. It is extremely unlikely that a weakness will be found in all three functions simultaneously.  This means there is time to replace a function in the protocol while bitcoins are still protected by the other two functions.  Bitcoin can there fore grow and change to adapt to new cryptographic discoveries.


Describe these "offline transactions"?  Explain exactly how ownership of the bitcoins (which reside as an output on the blockchain) will be transfered to another individual using your "offline wallet and something like Armory" without the public key being exposed?


Send small funds from where?


That depends.  Will you be spending/sending any of the bitcoins that are received at that offline savings wallet? Or will it be exclusively receiving bitcoins.  As soon as you try to get any bitcoins out of that offline savings, you are back where we started.


Which has worked very well for many, many years. What is it about paper money that you don't like?


Well, I'd hope you'd secure it a bit better than that.


So, you'd rather that the hoodlums attack you directly to get at your bitcoins than to attack a safe?  You prefer to be beaten to a bloody pulp and tortured beyond belief for the sake of some money?  Personally, I'd rather they just took my money and moved on.  My life, and health are far more valuable to me than any amount of money could ever be.


A paper wallet is absolutely nothing like that.  Where did you get that idea?


And your memory can't get lost or destroyed by fire? or illness? or fall or other injury?  Just store two copies in two separate secure locations.


I can tell.


And I disagree.


And you can be 100% that none of them will go against your wishes behind your back and write it down so they don't forget it?


You're just not like "other people", right?


I suspect you are wrong about that, but I've already indicated that I'm already generally against the idea of a brain wallet in most cases anyhow.


Which most likely demonstrates that you have no idea what you are talking about and are just making stuff up in hopes that you can do what you want without someone telling you that it is a bad idea.


No.  It really doesn't.  That is a bad idea.  You want a good idea?  Grab a handful of very well balanced dice (perhaps from your local casino?).  Roll the dice a bunch of times (until you've rolled at least 62 dice) and then convert from base 6 to get a private key.


So you've learned nothing then?  You still haven't even bothered to learn the difference between an address and a public key?  Why do I even bother if you aren't going to make an effort?


Sure, you could do that if you like.  How will you generate the private key? And will you memorize a new private key every time you spend funds?

I'd suggest that there are actually two VERY WEAK links in his plans.

The weakest is the human ability to come up with anything out of their own mind or body with more than 160 bits of entropy.  He may think that his passphrase is going to be "amazing", and that if it ever shows up in a rainbow table then "one will ever be able to support a brainwallet ever again once he's shared his compromised passphrase on the internets", but I suspect that he's overconfident.

The next weak link, after his not so random passphrase, is his memory.

And to top it all off, he refuses to write it down to store it anywhere, but he plans to "share the brainwallet with my trusted family members in case anything happens to me".  Almost certainly one of those "trusted family members" will be concerned that they might forget it, so it will be written down somewhere and he won't have control of the storage and safekeeping of that paper wallet.  Wouldn't it be better to secure the paper wallet yourself and then share with trusted family members the information on how to access it if anything happens to you?

Possibly, but IMHO about the wrong things. The weakest link in your reasoning is your memory. Many things could happen yo you (short of death itself) that compromise your memory. A mere blow to the head could suffice to cause sufficient brain damage to render your memory unreliable.

Brainwallets sound like a nice easy concept, but it is very hard to do this properly. DannyHamilton has given very good advice upthread. You really need to do the research to understand why this is so.

For example you have commented several times that you can do an offline transaction to transfer bitcoin without exposing your public keys. This shows ignorance of the workings of the bitcoin transaction mechanism. You have to broadcast that offline transaction to the network for it to take effect. At that point you have also exposed your public key since its an integral part of the transaction.

If you do decide to use brainwallet.org you need not worry about the website breaking down or becoming unavailable. That particular brainwallet simply uses a single sha256 hash of the passphrase to generate the private key. Any competent programmer can replicate that for you. But unless your awesome brainwallet scheme includes at least 192 bits of truly random entropy it will be less secure than a key generated by bitcoin-qt itself.

My advice. Use an officially supported wallet. Choose a good passphrase, write it down and lock it away in a safe or perhaps give it to your lawyers for safekeeping (being sure to advise them not to copy or expose it). Backup your wallet and keep copies in several safe places. Your biggest risk is relying on your memory alone.

Ugh, but then what if the physical medium in which you are saving the website breaks down all at once? Maybe better to just memorize the private key.

Am I being overly paranoid?

just use brainwallet.org and save a copy of the site, should it go down.

Could I choose my own passphrase to do that? I don't trust those randomly generated passphrases.

But I want to be able to use a passphrase to pull up my private key without using software that could become deprecated or non-standard overtime. I would like to be able to recall my passphrase 40 years from now, and the standard generator will pull up my offline savings account without worry.

Okay, I had no idea that the public key served as a protection mechanism. The way its presented to the laymen, it sounds like you can share your public address, and there will be no security breach if you keep the private key to yourself. Thank you for this bit of knowledge, but I doubt the majority of bitcoin users know about this nuance. Frankly speaking, how are they intending to build a secure digital network currency if the encryption method is due for a breach within its lifetime?

So my question then is, couldn't you use an offline wallet and use something like Armory to conduct offline transactions using proprietary keys? Wouldn't this prevent both your public and private keys of your offline saving wallets from ever being exposed?

Another idea: couldn't I just open up a separate offline wallet on my offline PC to send small funds to so that those bitcoins can be used freely? This also preserves the secure state of my offline savings wallet, correct?


I am not a big fan of paper, they are basically like paper money to me. In my eyes, it's tantamount to keeping cash in my mattress, or a safe which will targeted by hoodlums, or keeping it at a bank deposit, which I thought was the direction we were trying to steer away from with this new paradigm shift. Or it could just get lost or destroyed by fire.

I am a big fan of memory, that is the securest method in my opinion. As I'll explain later, I think my brainwallet passphrase is going to be amazing, so I can easily memorize it, while it would be nonsense to others. From there, I can share the brainwallet with my trusted family members in case anything happens to me.


I agree, vast majority, but my circumstances put me in the category of those who will benefit most from a brainwallet, while significantly mitigating its risks. What I meant originally was that if my passphrase does get hacked, no one will ever be able to support a brainwallet ever again once I've shared my compromised passphrase on the internets.


As mentioned earlier, I could use offline transactions, or set up another wallet as a middle man.


Duly noted, I'll make sure to let other people know about this.


I've heard bad things about random generators. One technique I've seen is someone type a bunch of BS letters over 1000 characters long into a brainwallet to generate keys. That seems pretty secure.


http://georgeoughttohelp.tumblr.com/post/46937654072/transferring-bitcoins-to-a-secure-offline-wallet-using




So I learned after all of this, is to never let my offline savings wallet's public address ever hit the network. A pain in the ass, but good to know.


I guess my only other question is: should I just memorize the friggin' private key?

When you use something like Electrum to generate a brain wallet, the passphrase is the seed. From this seed, the app generates an unlimited number of addresses, public keys, and private keys that can be deterministically re-generated, given the passphrase. So in this case, you can have one "brain wallet" (the passphrase) but an unlimited number of public keys generated from that seed; and revealing any of these public keys should be perfectly safe. Right?

A public "bitcoin address" and a "public key" are not the same thing.  When you receive bitcoins at an address for the first time, that address is protected by ECDSA, SHA-256, and RIPEMD-160.  The address is public, but the public key is not yet public at that time.  If, in the future, a weakness is discovered any one or two of those cryptographic algorithms, your balance will still be protected by the remaining algorithm giving you time to move to a new algorithm before anyone can take your bitcoins.

The first time you send any bitcoins that have been received at that address, you broadcast the public key.  At that point, the private key is no longer protected by SHA-256 or RIPEMD-160.  It is ONLY protected by ECDSA. Right now ECDSA is secure enough in most cases, so this isn't a concern, but for long term storage you'll want to consider the possibility that a weakness is discovered in ECDSA and you don't hear about it before an attacker does.  If you've never sent any bitcoins that were received at the address it won't matter, since you are still protected by SHA-256 and RIPEMD-160.  If you have sent those bitcoins and continued to re-use the address, then you've lost that additional protection.

If this doesn't concern or worry you, then you can go ahead and re-use your brain wallets. I just assumed that you were very concerned about security.
 

I suspect that paper will out-live you and your memory.  Brain-wallets are typically one of the weaker traits of bitcoin.  Most people don't chose a passphrase with enough entropy, and human beings are VERY bad at doing anything in a random way.  We just aren't designed that way.


I'm not sure what that means, but the brainwallet concept is a rather weak concept for the vast maority of users.


The public address is fine.  It's when you send a transaction and broadcast the public key that you've made the address weaker.


The bitcoin address?  Yes.

The public key?  Only when you send a transaction, and after that it's best not to re-use the address if you are concerned about security.


Yes, as recomended by Satoshi and other knowledgeable people.  Always use a private key that is generated from a cryptographically strong source of randomness, and never re-use a receiving address.


Since I don't know which "cumbersome and user-unfriendly tutorials" you are talking about, I am unable to answer this question reliably.

I actually wanted to create just a hardware brainwallet that never connects. Maybe an old smartphone that never connects would do. But you can't beat a dedicated offline device.

I think Trezor is the solution to this; it offers security and also a brainwallet series of words that can be used to restore all the private keys in the event that the device is lost, stolen, or damaged.

Hey, thanks for your responses.

I'm not really concerned about anonymity, just security breaches.

I thought that public addresses were meant to be exposed to the wild, so what harm is there in using the public key of your offline savings wallet?

I am mostly going through all of this to protect my offline savings wallet. Therefore, it's imperative that it be immortal, so things like corruptible files, shaky hardware, and physical copies like paper wallets won't do it for me. I only trust myself and I am very happy to know that all of my savings can be backed up in my head. This is the single greatest trait I see in Bitcoin, in my humble opinion.

I only considered Brainwallets because I can create a passphrase that can ultimately bankrupt the Brainwallet concept if it is ever compromised, and because it's easier for me to remember. But I am willing to memorize the private key if that is the safest and most secure method to retaining my savings in my head.

I just don't understand why using the public address of my offline savings wallet is such a problem in terms of security. I thought that was the part that was designed to be shared, and only the private key must never see anyone's eyes.

And if that is such a problem, aren't there ways around it? I have seen some very cumbersome and user-unfriendly tutorials on using proprietary software and transaction keys so that offline wallet keys never see the light of day. Is this the best security solution in tandem with memorizing one's private key??

That depends on how concerned you are about security.  Once you type in the necessary details from your "brainwallet" on a "hot PC", you are immediately vulnerable to various malware including keyloggers.


That depends on how concerned you are about security.  Once you transmit a transaction, the public key of your "brainwallet" becomes public.  You also have to be very careful when constructing your transaction and make sure that any change from the transaction is sent back to the "brainwallet" address.


That depends on what you mean by "safe".  The private key would no longer be protected by RIPEMD-160 or SHA-256.  You would reduce the levels of protection to only ECDSA.  That isn't really a concern at the moment, but if there are new developments in the future that result in ECDSA becoming insecure, how confident are you that you'll hear about it and move your bitcoins before the exploit is used to take them from you? Furthermore, you'll be giving up some anonymity by continuously re-using the same address all the time as well.  Is anonymity important to you?


You could.  It it up to you to decide how concerned you are with any loss of security and anonymity.


Not sure what you mean by "compromising", but as long as ECDSA remains secure and you use a computer that has never been and will never be connected to the internet to create your transactions, you should be ok.


Correct.  That would be because they want to maintain additional anonymity and want the full protection of ECDSA, SHA-256, and RIPEMD-160.  Some of them are also concerned about the possibility of accidentally failing to send the full balance of the "change" back to the original paper wallet address.


Brainwallets are generally a pretty bad idea, but assuming for the moment that you manage to memorize something generated randomly with at least 160 bits of entropy, it would be good for long term storage of bitcoins that you don't expect to use for many months or years.


Do people do that?  Memorize private keys?  If they do, I suppose it would protect them from theft of their long term storage.


Yes, but it results in exposing the public key and eliminating the protection of SHA-256 and RIPEMD-160.  It also results in a loss of anonymity.