Now, there are certain hashing algorithms specifically designed to resist attacks on hashed passwords: bcrypt, scrypt, and argon2id, for example. They have these advantages:
- They are much slower than SHA-256. For example, Litecoin's configuration of scrypt is about 1000 times slower than SHA-256.
- They require much more memory, which limits the parallelization.
- They also generally include a "salt" parameter that limits the ability to use pre-generated hash tables.
These are not hash algorithms, these are key derivation functions. And your points are somewhat false.
- Slower in this context means slower on a micro scale; otherwise they are quite fast. You can only say a hash algorithm is slower if it takes 1 minute to compute the hash, not the same microsecond!
- This depends on the settings. If, for example, you use scrypt with a low cost factor and block size factor, then it isn't really a memory-expensive one.
- When the "salt" is known (which is the case with a pre-defined brainwallet algorithm), it could still be pre-generated.
My question for the experts: would switching to an appropriate hash algorithm such as the ones listed above be enough to make a brain wallet secure?
The main problem with brain wallets is that the attacker has a much smaller space to search compared to a random 256-bit entropy. You can increase the complexity of the phrase being memorized, the complexity and cost of the algorithm, add salt, ... but still the main problem remains the same.
And also, since it depends on the user's choice of phrase and people rarely choose something truly strong, the search space is usually small.
I wouldn't recommend using a brain wallet, but the only thing that I can think of which can help create a "better" (still not safest) key is using your own defined algorithm which combines multiple methods.
An easy example would be choosing a password (let's assume it is '123') then using different hashes but not letting anybody know which hashes you used.
a0b8dec49dfb6a658bb2fcb417d58b8a8550ba73c7f0936d4d628191b3562b5d
Even though my password was simple, the result is still "more" random. Try to guess which hash algorithms I used first before reading the last line. Now the attacker not only has to guess my password (brain wallet phrase) but also has to guess which hash algorithms, how many of them, and in what order I used to get the final key. But the problem still exists here too; the assumption should be that the attacker could gain more knowledge about my method which I tried keeping secret. For example, he may know I used 5 hashes and figure out I am a fan of Keccak, ... and if the reward is big enough, it justifies the extensive work it needs to break it.
Keccak256(SHA3-256(SHA3-256(RIPEMD160(SHA256("123")))))
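As an added illustration of the two points in the answer above (the chained-hash construction in the last line, and the search-space argument that the phrase, not the algorithm, is the weak link), here is a Python example. It is not code from the original post. It assumes a standard-library-only setup: blake2s stands in for Keccak-256 (which hashlib does not provide), ripemd160 is used only if the local OpenSSL offers it, and the chain orders, the `chain_digest`, `method_space_bits` and `effective_bits` helpers, and the "2^40 phrase space" figure are all constructed for the example. Each step feeds raw digest bytes (not hex text) into the next, which is one of several possible conventions, so the output will not reproduce the digest quoted in the post.

```python
import hashlib
import math

# Registry of hash primitives from the standard library. Keccak-256 with the
# pre-standard padding is not in hashlib, so blake2s stands in for it here
# (an assumption of this example); ripemd160 is registered only when the
# local OpenSSL build provides it.
PRIMITIVES = {
    "sha256": lambda data: hashlib.sha256(data).digest(),
    "sha3_256": lambda data: hashlib.sha3_256(data).digest(),
    "blake2s": lambda data: hashlib.blake2s(data).digest(),
}
try:
    hashlib.new("ripemd160", b"")
    PRIMITIVES["ripemd160"] = lambda data: hashlib.new("ripemd160", data).digest()
except ValueError:
    pass  # this OpenSSL build has no RIPEMD-160; the example works without it


def chain_digest(phrase: str, steps) -> str:
    """Apply the named hash functions in order, feeding the raw digest bytes
    of each step (not its hex text) into the next. Returns the final hex digest."""
    data = phrase.encode("utf-8")
    for name in steps:
        data = PRIMITIVES[name](data)
    return data.hex()


def method_space_bits(num_primitives: int, max_depth: int) -> float:
    """What keeping the chain secret is worth, in bits: log2 of the number of
    ordered chains of 1..max_depth steps drawn from num_primitives functions."""
    chains = sum(num_primitives ** depth for depth in range(1, max_depth + 1))
    return math.log2(chains)


def effective_bits(phrase_space: int, kdf_slowdown: float = 1.0,
                   secret_method_bits: float = 0.0) -> float:
    """Work an attacker faces, in bits: log2 of the number of candidate phrases,
    plus log2 of how much slower the KDF is than SHA-256 (a known salt adds
    nothing), plus whatever a secret chaining method is worth."""
    return math.log2(phrase_space) + math.log2(kdf_slowdown) + secret_method_bits


if __name__ == "__main__":
    # Stand-in for the post's chain (constructed; it will not reproduce the
    # digest quoted in the post because the primitives differ).
    order_a = ["sha256", "sha3_256", "sha3_256", "blake2s"]
    order_b = ["blake2s", "sha3_256", "sha3_256", "sha256"]
    print("chain A:", chain_digest("123", order_a))
    print("chain B:", chain_digest("123", order_b))  # same functions, different order, different key

    # How much does hiding the chain buy? Five candidate primitives, up to
    # five steps, is fewer than 12 bits on top of the phrase itself.
    hidden = method_space_bits(5, 5)
    print(f"secret method worth about {hidden:.2f} bits")

    # A phrase drawn from a ~2^40 space, run through a KDF 1000x slower than
    # SHA-256, with the chain kept secret, versus a random 256-bit key.
    print(f"brain wallet: {effective_bits(2 ** 40, 1000, hidden):.1f} bits vs 256 bits")
```

The arithmetic is the point: a 1000x slower KDF adds about 10 bits, and a secret choice among 5 primitives at up to 5 levels adds about 12 bits, so even a generous 2^40 phrase space ends up near 62 bits of attacker work, far short of the 256 bits a randomly generated key gives.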