
Topic: Would a brain wallet based on a password hashing algorithm be secure? - page 2. (Read 544 times)

member
Activity: 378
Merit: 53
Telegram @keychainX

Now, there are certain hashing algorithms specifically designed to resist attacks on hashed passwords: bcrypt, scrypt, and argon2id, for example. They have these advantages:
  • They are much slower than SHA-256. For example, Litecoin's configuration of scrypt is about 1000 times slower than SHA-256.
  • They require much more memory, which limits the parallelization.
  • They also generally include a "salt" parameter that limits the ability to use pre-generated hash tables.

My question for the experts: would switching to an appropriate hash algorithm such as the ones listed above be enough to make a brain wallet secure?


Simply NO, as long as your password is something possible to guess, a strong enough CPU crack farm can do it.

I've broken passwords with scrypt where you need a CPU with 32GB of RAM and it was really, really slow. Even though the password was 12 characters, it was based on known phrases from dictionaries and therefore insecure.

It does not matter if you use capital letters, add numbers and special characters; as long as it follows a formula, it's possible to break.

My 5 cents
/KX
legendary
Activity: 1652
Merit: 1483
I don't think that memorizing a random 12+ word seed is feasible for most people.
I second jackg, memorizing seeds is not as hard as it might look, they are called mnemonic for a reason.

mnemonic = a pattern-based device that assists in memorization. randomly generated seeds are definitely not mnemonic.

i don't know why "mnemonic phrase" ever caught on as a term. it's misleading.

i agree with odolvlobo---it's not feasible for most people. for those who can do it, let's see what you remember in 5 years.
legendary
Activity: 3472
Merit: 10611
Now, there are certain hashing algorithms specifically designed to resist attacks on hashed passwords: bcrypt, scrypt, and argon2id, for example. They have these advantages:
  • They are much slower than SHA-256. For example, Litecoin's configuration of scrypt is about 1000 times slower than SHA-256.
  • They require much more memory, which limits the parallelization.
  • They also generally include a "salt" parameter that limits the ability to use pre-generated hash tables.
these are not hash algorithms, these are key derivation functions. and your points are somewhat false.
- slower in this context means slower on a micro scale, otherwise they are quite fast. you can only say a hash algorithm is slower if it takes 1 minute to compute the hash, not the same microsecond!
- this depends on the settings. if for example you use scrypt with a low cost factor and block size factor then it isn't really a memory expensive one.
- when the "salt" is known (which is the case with a pre-defined brainwallet algorithm) it could still be pre-generated.

My question for the experts: would switching to an appropriate hash algorithm such as the ones listed above be enough to make a brain wallet secure?
the main problem with brain wallets is that the attacker has a much smaller space to search compared to a random 256 bit entropy. you can increase the complexity of the phrase being memorized, the complexity and cost of the algorithm, add salt,... but still the main problem remains the same.

and also since it depends on user's choice of phrase and people rarely choose something truly strong, the search space is usually small.


i wouldn't recommend using a brain wallet but the only thing that i can think of which can help create a "better" (still not safest) key is using your own defined algorithm which combines multiple methods.
an easy example would be choosing a password (let's assume it is '123') then using different hashes but not letting anybody know which hashes you used.
Code:
a0b8dec49dfb6a658bb2fcb417d58b8a8550ba73c7f0936d4d628191b3562b5d
even though my password was simple the result is still "more" random. try to guess which hash algorithms i used first before reading the last line. now the attacker not only has to guess my password (brain wallet phrase) but also has to guess which hash algorithms, how many of them and in what order i used to get the final key from. but the problem still exists here too, the assumption should be that the attacker could gain more knowledge about my method which i tried keeping secret. for example he may know i used 5 hashes and figure out i am a fan of keccak,... and if the reward is big enough it justifies the extensive work it needs to break it.


Keccak256(SHA3-256(SHA3-256(RIPEMD160(SHA256("123")))))
copper member
Activity: 2856
Merit: 3071
https://bit.ly/387FXHi lightning theory
Yeah, learning a mnemonic phrase seems like it'll be a hard thing to learn, but it actually isn't that difficult. I remember thinking it was hard, but I kept restoring my wallet and started to learn it from memory.


Best things to do:
every so often, maybe once a day for 2 weeks, boot up electrum (potentially on something like true key os that's fully disconnected from the Internet) and type up your key there (maybe do it twice or three times a day).
If you're trying to learn it, focus on words that are similar and words that are different. For example, I have a seed with an oxymoron, which produces a bit of a weird concept.

Try to visualise stuff (but don't force it). If it says there's a wasp, a puddle and a log next to each other, the wasp can be resting on the log which is floating on the water. If you try learning it the first way alone, sometimes the order can be messed up when you recite it which is easy to fix but avoidable.

You'd be writing down data from your brain wallet anyway so I don't think there'd be much of a problem there.
legendary
Activity: 3024
Merit: 2148
I was thinking that something like a PIN could be used as the salt. I would have no problem remembering a brain wallet phrase and an 8 digit PIN.


Memorizing numbers, especially long numbers, is harder than memorizing a few words. You can get a word or a phrase from your memory even after some time, but with numbers you have to repeat them regularly to not forget them.

And even if you can come up with a phrase that is strong today, it may become weak in the close future, so you'll have a liability of checking if your password is still strong from time to time.


I don't think that memorizing a random 12+ word seed is feasible for most people.

I second jackg, memorizing seeds is not as hard as it might look, they are called mnemonic for a reason.
It's just a bad idea to use your memory as the only way of storing your seed, but it's viable as a third or fourth method. This can have some interesting uses, for example, when you pass a border, the border control will have absolutely zero way of finding your coins, unlike with USB sticks or hiding it inside a book.

legendary
Activity: 4466
Merit: 3391
If you use a slow hashing algorithm and an appropriately sized salt then you should be good. A lot of sites will still use sha256 and 512 for password hashing. The salt would have to be pretty huge based on the size of asics though...

I was thinking that something like a PIN could be used as the salt. I would have no problem remembering a brain wallet phrase and an 8 digit PIN.

It might be better to just memorise a seed instead? I know quite a few of mine from memory from having to restore wallets. Just read it every couple of hours (potentially while doing something else) and your wallet will be more secure.

I don't think that memorizing a random 12+ word seed is feasible for most people.
copper member
Activity: 2856
Merit: 3071
https://bit.ly/387FXHi lightning theory
If you use a slow hashing algorithm and an appropriately sized salt then you should be good. A lot of sites will still use sha256 and 512 for password hashing. The salt would have to be pretty huge based on the size of asics though...

It might be better to just memorise a seed instead? I know quite a few of mine from memory from having to restore wallets. Just read it every couple of hours (potentially while doing something else) and your wallet will be more secure.
legendary
Activity: 4466
Merit: 3391
The typical brain wallet is constructed by hashing a memorable phrase using SHA-256, and using the result as the private key. It is well-established that the typical brain wallet is not secure. This thread demonstrates that very clearly:

Collection of 18.509 found and used Brainwallets

Here is a good example from that thread showing that even a seemingly good brain wallet phrase can be cracked:


The basic attack against brain wallets involves generating a huge list of potential phrases, and then checking the blockchain for the addresses derived from the hashes of those phrases. The defenses against this attack are to increase the range of potential phrases and to make it slower and more expensive to check them.

The cracked brain wallet above demonstrates to me that the benefit of increasing the potential range is limited. That is basically because a human's ability to create meaningful and memorable phrases is limited. For this reason, we have to accept that although a carefully chosen phrase is important, it is not sufficient, and it is also necessary to make it slower and more expensive to check the hashes of potential phrases.

The issue with SHA-256 is that it is very fast, and it is easy for the attacker to generate the private keys for a large number of potential brain wallets. A typical PC can generate up to a billion SHA-256 hashes every second. SHA-256 is not appropriate for hashing brain wallet phrases (or any kind of passwords).

Now, there are certain hashing algorithms specifically designed to resist attacks on hashed passwords: bcrypt, scrypt, and argon2id, for example. They have these advantages:
  • They are much slower than SHA-256. For example, Litecoin's configuration of scrypt is about 1000 times slower than SHA-256.
  • They require much more memory, which limits the parallelization.
  • They also generally include a "salt" parameter that limits the ability to use pre-generated hash tables.

My question for the experts: would switching to an appropriate hash algorithm such as the ones listed above be enough to make a brain wallet secure?
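The following is an added worked example, not code from any poster in this thread. It puts numbers on two claims made above: pooya87's point that a slow KDF, a salt, or a secret chain of hashes only adds a constant factor on top of a small phrase search space, and the original post's comparison of SHA-256 against scrypt in Litecoin's configuration. The phrase, the public salt value and the Litecoin scrypt parameters (N=1024, r=1, p=1) are constructed inputs for the demonstration; the brain wallet derivations use Python's standard `hashlib` and assume the scheme-wide salt is public, as it would be in any pre-defined brain wallet format.

```python
import hashlib
import math

# Constructed sample inputs (not taken from the thread): a weak dictionary
# phrase and a fixed, public salt such as a pre-defined brain wallet scheme
# would ship with.
PHRASE = "correct horse battery staple"
PUBLIC_SALT = b"brainwallet-v1"                  # assumption: known to everyone
LITECOIN_SCRYPT = {"n": 1024, "r": 1, "p": 1}    # scrypt parameters used by Litecoin


def key_sha256(phrase: str) -> bytes:
    """Classic brain wallet: private key = SHA-256(phrase)."""
    return hashlib.sha256(phrase.encode()).digest()


def key_scrypt(phrase: str, salt: bytes, n: int, r: int, p: int) -> bytes:
    """Brain wallet keyed through scrypt instead of SHA-256.

    Same phrase + same salt => same key, so a public salt still permits a
    precomputed table for this scheme; it only stops reusing one table across
    schemes that chose different salts."""
    return hashlib.scrypt(phrase.encode(), salt=salt, n=n, r=r, p=p, dklen=32)


def search_space_bits(words: int, dictionary_size: int) -> float:
    """log2 of the number of phrases built from `words` dictionary words."""
    return words * math.log2(dictionary_size)


def slowdown_bits(slowdown: float) -> float:
    """A KDF that is `slowdown` times slower than SHA-256 adds exactly
    log2(slowdown) bits of attacker work, independent of the phrase."""
    return math.log2(slowdown)


def obscurity_bits(algorithms: int, max_chain_len: int) -> float:
    """Bits added by keeping secret a chain of 1..max_chain_len hashes drawn
    from `algorithms` candidates: the attacker must try every possible chain."""
    chains = sum(algorithms ** k for k in range(1, max_chain_len + 1))
    return math.log2(chains)


def crack_seconds(candidate_bits: float, sha256_per_second: float,
                  slowdown: float = 1.0) -> float:
    """Seconds to exhaust 2**candidate_bits phrases at a given SHA-256 rate,
    divided by the KDF slowdown factor."""
    return 2 ** candidate_bits / (sha256_per_second / slowdown)


if __name__ == "__main__":
    rate = 1e9          # SHA-256 per second on a typical PC, figure from the thread
    phrase_bits = search_space_bits(4, 2048)   # 4 words from a 2048-word list
    for label, factor in (("SHA-256", 1.0), ("scrypt, 1000x slower", 1000.0)):
        days = crack_seconds(phrase_bits, rate, factor) / 86400
        print(f"{label:22s}: {days:12.1f} days for a {phrase_bits:.0f}-bit phrase")
    print(f"secret 5-hash chain adds at most {obscurity_bits(5, 5):.1f} bits")
    print(f"random 256-bit key: {crack_seconds(256, rate, 1000) / 86400:.2e} days")
```

Run stand-alone it shows the shape of the argument: a four-word dictionary phrase is about 44 bits, so a 1000x slower KDF turns hours into months, never into the astronomically long time a random 256-bit key requires, and a secret chain of up to five hashes chosen from five algorithms adds under 12 bits more. The defender's lever that actually matters is the size of the candidate space, which is exactly the thing a memorable phrase keeps small.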