Topic: Would a brain wallet based on a password hashing algorithm be secure?

full member
Activity: 224
Merit: 120
Why limit yourself to one hash function???

You could switch between different hash functions in the same algorithm.

Something like this

Code:
import hashlib

s = hashlib.sha256(b"passphrase").hexdigest()  # start from a hex digest so s[-1] is always a hex digit (assumed starting step)
for i in range(10000):
    d = int(s[-1:], 16)  # the last hex digit of the previous digest selects the next hash function
    if   d == 0: h = hashlib.sha256(s.encode())
    elif d == 1: h = hashlib.sha3_256(s.encode())
    elif d == 2: h = hashlib.blake2s(s.encode())   # hashlib exposes blake2s, not blake2s256
    elif d == 3: h = hashlib.sha512(s.encode())
    # and so on ...
    else:        h = hashlib.blake2b(s.encode())   # placeholder branch for digits 4-15 so the loop runs; not in the original post
    s = h.hexdigest()

The hashing function for the next hash depends on the result of the previous hash.

This prevents pre-hashed table attacks against your brain wallet.

The algorithm is now part of the entropy of the passphrase, and if you keep it secret you can use easier-to-remember seeds to feed the algo.
-------------------------
If you need to keep the key secret, then first of all you need to be afraid of an attack on your device, and not on cryptographic tools.

All tips for using different hash functions are correct. It is worth listening to them. But you need to do this on a computer that is not connected to the Internet and from the lows of installed auxiliary and unverified programs.

And that's why:
10:00 / December 5, 2019
Lazarus macOS malware
Malware is a new round in the development of tactics used by Lazarus to invisibly infect Macs.

The Lazarus APT group, often linked by experts to the DPRK government, has been armed with new macOS hacking techniques.

K7 Computing Security Analyst Dinesh Devadoss discovered the first malware in the Lazarus arsenal to run in Mac memory. Such fileless programs work exclusively in the computer's RAM, which allows them to successfully bypass anti-virus solutions that look for malicious files on hard drives.

A malware sample discovered by Devadoss this week was examined by security guru Patrick Wardle. According to him, malware is a new round in the development of tactics used by Lazarus to quietly infect computers.

Check this information at the links:

https://mobile.twitter.com/dineshdina04/status/1201834142704394242

https://objective-see.com/blog/blog_0x51.html

As in other Lazarus malicious operations (in particular, in AppleJeus operation), a new attack begins with the victim installing malware disguised as a legitimate cryptocurrency trading application.

But are they all telling us that they are being used against us?
So it goes.
full member
Activity: 224
Merit: 120
-----------------
I am not a specialist in the physiology of the human brain, but I understand that it is not yet possible to solve the problem of storing, generating and using a complex and long password, definitely for everyone, and not just for the mentally developed. Passwords and keys are the weakest point of any cryptographic security system. It is these data that crackers are hunting for. It seems that the development of technology on the one hand does not at all mean the development of security for the user on the other. New approaches are probably needed. Check out my thread: https://bitcointalk.org/index.php?topic=5204368.new#new

If there are doubts and questions, I will answer in this place.
legendary
Activity: 3416
Merit: 1912
The Concierge of Crypto
This doesn't work for everyone, but I have never lost my physical wallet, the one where I keep cash and cards and stuff. It's possible it can get stolen. Do you guys not have a safe place at home where you keep important documents such as school records, medical, birth, marriage, death certificates?

You don't need an expensive 10 hour rated waterproof and fire-resistant safe (although that is nice to have, might be worth it if your brainwallet stores a thousand coins.) You can get a relatively cheap combination lock safe with a backup key, bolt it inside a small closet in the middle of your house, and that's where you store your paper wallet backup.

Or you can do it John Wick style and pour cement over a hole in your basement.

I have a small filing cabinet, that's what I use.

Warp Wallet uses PBKDF2 and scrypt. It takes several seconds to spit out a private key, but it's not updated to use either compressed keys or segwit addresses. You could use what it spits out as another input to make either a single segwit address or as entropy for some BIP32/39 extended private key for plenty of addresses.

Example:

1. Use Warp Wallet, type in your 12+ character randomly generated password, get private key.
2. Use bitaddress, paste private key, view details, get private key in hexadecimal format.
3. Use bip39 tool, show entropy details, paste hexadecimal.
4. Choose your preferred derivation path for Legacy, Nested Segwit or Native Segwit addresses.

Do it three times for practice and to make sure you get the same set of bip39 words and addresses, maybe test sending to the first one with a small amount and spend from it too.

Save the three pages in a file somewhere, zip it, rar it, upload it to your own website, as even if it's on github, these things can disappear.


Ohhhh, I found another one:

https://www.nowallet.org/

Quote
NOWALLET

A Secure, private, and plausibly deniable
Cross-platform Bitcoin brainwallet

Still in beta at this time though one can experiment, they have instructions for Linux.

*edit* I found this https://github.com/Logicwax/PortalWallet

Still not updated to include segwit though, but I'm sure someone else can fork this or fork the original warpwallet and add support for yprivs and zprivs.
legendary
Activity: 3528
Merit: 4945
If password key derivation functions are not good enough for brain wallets, are they good enough for passwords?

No.  If the user chooses a weak password, then no derivation function is good enough.

On the other hand, if the user chooses an adequately strong password, then ANY derivation function is good enough.
legendary
Activity: 3430
Merit: 3083
If you are going to use a brainwallet, I would suggest having a paper backup somewhere.

as LoyceV points out, what happens if you forget where you put the paper backup? Maybe you could surreptitiously visit the hiding place every day? And maybe people observing you doing that would notice and surmise that your hiding spot could be nearby. It's all a trade-off.

You could tell someone in your family, but you'd have to trust each other a lot (presumably you'd remember their seed and vice versa). Families frequently argue over money, all the more so if it's a lot of money.
legendary
Activity: 4522
Merit: 3426
Sorry for using the word "hash" when I should have written "password key derivation function".

I was hoping for something more than "brain wallets are bad". Any sig campaign spammer can write that.

A brain wallet created using a good password key derivation function must be better than one created using SHA-256. How secure is it? If password key derivation functions are not good enough for brain wallets, are they good enough for passwords?
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
The issue is with how easy it is to forget these things. I've spoken about this before in various threads on here, but there are a million and one things that can happen to anybody without warning which can result in significant and not fully reversible memory problems.
It's been more than a year since I last saw my paper wallets. They must be somewhere in the house, but after searching everywhere, I didn't find them. I've given up searching, hoping we'll find them if we ever move out.
Strangely enough, I can remember most passwords for a very long time.
copper member
Activity: 2856
Merit: 3071
https://bit.ly/387FXHi lightning theory
If it says there's a wasp, a puddle and a log next to each other, the wasp can be resting on the log which is floating on the water.
If you put it like this, I can visualize it as pictures on a wall in your house. I know it's not exactly from memory, but will be impossible for an online attacker to find.
Just be careful when you search for images, Google remembers everything. Ideally, you should have a very large image collection already for all seed words before creating the seed phrase.

You could always just use clip art on an offline pc. Verbs and intensifiers are much harder to remember though...

But for nouns it's normally easy to find image representations.
legendary
Activity: 2268
Merit: 18775
-snip-
The issue with brain wallets isn't how easy or otherwise it is to memorize the words/phrase/characters in the first place. Almost everyone has committed to memory multiple addresses, phone numbers, usernames and passwords, PINs, etc. without any real difficulty and without a significant amount of effort.

The issue is with how easy it is to forget these things. I've spoken about this before in various threads on here, but there are a million and one things that can happen to anybody without warning which can result in significant and not fully reversible memory problems. I'm not just talking about direct trauma, although traffic collisions and falls resulting in traumatic brain injuries are very common. You could have a brain aneurysm which could burst at any time. About 1 in 30 people will suffer from epilepsy or an associated seizure disorder at some point in their life, it can manifest at any age, and seizures can cause memory issues. About 1 in 6 will have a stroke, again with no warning and with potential for memory loss. Even something as seemingly benign as the flu or food poisoning can lead to sepsis and memory issues.

Much like a web wallet being hacked, a brainwallet will work fine until the day it doesn't, and when it fails you have no means of retrieving your funds. If you are going to use a brainwallet, I would suggest having a paper backup somewhere.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
If it says there's a wasp, a puddle and a log next to each other, the wasp can be resting on the log which is floating on the water.
If you put it like this, I can visualize it as pictures on a wall in your house. I know it's not exactly from memory, but will be impossible for an online attacker to find.
Just be careful when you search for images, Google remembers everything. Ideally, you should have a very large image collection already for all seed words before creating the seed phrase.
legendary
Activity: 3416
Merit: 1912
The Concierge of Crypto
You can memorize anything reasonably shorter than 30 characters or 20 words with rote repetition. It's a force of habit kind of thing. You write down the words, then you recite them over and over. Then you do it again tomorrow, and the next day. Keep doing this every day for a month, you'll probably have the words and their sequence memorized completely.

I am able to memorize 8 character alphanumeric passwords rather quickly. All I do to make a longer one is string them together. Used to be able to memorize 8 of them, so that would make it a 64 character completely randomly generated alphanumeric password. Case sensitive too. Symbols might take extra time to incorporate.

I'd stick to just alphanumerics. Native Segwit Bech32 addresses are not case sensitive, for example. If you use something that looks like that and were able to memorize it, that's a very good password.
legendary
Activity: 3038
Merit: 2162

mnemonic = a pattern-based device that assists in memorization. randomly generated seeds are definitely not mnemonic.

i don't know why "mnemonic phrase" ever caught on as a term. it's misleading.

i agree with odolvlobo---it's not feasible for most people. for those who can do it, let's see what you remember in 5 years.

Seed wordlists have some special properties, like how there's no words that sound or are spelled similarly, and most words have 1-3 syllables. They are much easier to memorize than 12 random words from a dictionary.

But, it's all highly subjective - some people can memorize long numbers or passwords with difficult patterns, others find no problems with memorizing long sequences of words. I'm not saying that memorizing seeds is a viable option for everyone, but it's worth trying, because they have strong entropy, while creating a strong password requires some extra knowledge.

And regardless of method, the key requirement with storing something in memory is repeating it regularly and often.

I think what everyone here can agree on is that it is possible to have a secure brainwallet if you know what you are doing, but it is hard and has many caveats, so it shouldn't be advised to a broad audience.
legendary
Activity: 3528
Merit: 4945
My question for the experts: would switching to an appropriate hash algorithm such as the ones listed above be enough to make a brain wallet secure?

Security is not a light switch.

There is no such thing as completely secure.

There is no such thing as completely insecure.

There is only more secure and less secure, meaning that security only has meaning when used in a comparison.

If you are comparing your new brainwallet idea to the older brainwallet idea that you presented, then yes, I'd say that your new idea is "generally more secure" than that other option (assuming a well enough chosen mnemonic and/or salt).

If you are comparing your new brainwallet idea to the concept of a well protected completely randomly chosen private key, then I'd say that your new brainwallet idea is "generally less secure" than that other option.

However, security also must take into consideration what it is that you are protecting against.  A well protected written key is MUCH more secure against memory loss, but a brainwallet is MUCH more secure against physical discovery and confiscation of the private key.  When discussing security solutions it is important to think about everything that could go wrong, what the probabilities are of each of those things, and how well the solution protects against each of those probabilities.
legendary
Activity: 3472
Merit: 10611

This one is interesting. Thank you for sharing.
Do you understand the whole process how this tool makes the private key from a simple phrase?

it is explained on the website inside the link that was shared, is there any particular step of the process that you have a problem with?


it is worth adding that when you speak of brain wallets you should never only think about how strong a password YOU can create. maybe you can come up with a really strong password and never have any problem, but the majority of the others who use the same tool will not. and that is another big problem!
sr. member
Activity: 443
Merit: 350

This one is interesting. Thank you for sharing.
Do you understand the whole process how this tool makes the private key from a simple phrase?
legendary
Activity: 3416
Merit: 1912
The Concierge of Crypto
Have you guys seen the Warp Wallet?
https://keybase.io/warp/warp_1.0.9_SHA256_a2067491ab582bde779f4505055807c2479354633a2216b22cf1e92d1a6e4a87.html

I still would prefer to memorize an alphanumeric password longer than 12 characters for a brainwallet. Maybe up to 24, which is just three 8-character ones put together.

Depending on what kind of security you are looking for, a paper wallet or paper backup of a seed (12-24 words) is good, fits in a small paper, can be backed up easily and hidden relatively securely. It's a matter of "smuggling" a small piece of paper with the seed or private key or a relatively long password for a brainwallet.

What is your purpose? Are you going to travel internationally? Are you going to any place where you could possibly be stripped naked and have no clothes at all? You can hide the info in or around your clothes where they are undetectable, or taped to a dog tag around your neck or stuck on the bottom of your camera or laptop (but not actually inserted, if it's a microSD card) or in a USB flash drive.

If you use something like Warp Wallet (make a backup, save the file in another location, email it to yourself), and have a 24+ or longer character password, you should be good to go.

To me, a proper brainwallet is randomly generated and then memorized, not some phrase from any book, and not anything you made up. Use dice. Use coin flips. Use a password generator.


People have been memorizing pi to a thousand digits. Go memorize your private key instead, it's much shorter. (or, a 24 to 32 character alphanumeric password / 12 to 24 word seed.)
legendary
Activity: 1000
Merit: 1120
My question for the experts: would switching to an appropriate hash algorithm such as the ones listed above be enough to make a brain wallet secure?

Maybe if you go to extremes: use a key derivation function (not a hash) that requires dozens of GB of memory and hours of runtime.
sr. member
Activity: 443
Merit: 350
-snip-
Here is a good example from that thread showing that even a seemingly good brain wallet phrase can be cracked:

-snip-

This was not something secret. Transactions on this address were made in August 2015, but "tothemoonguy" existed before this:
twitter: https://twitter.com/ToTheMoonGuy
reddit: https://www.reddit.com/user/ToTheMoonGuy

-snip-
The basic attack against brain wallets involves generating a huge list of potential phrases, and then checking the blockchain for the addresses derived from the hashes of those phrases. The defenses against this attack are to increase the range of potential phrases and to make it slower and more expensive to check them.
-snip-

So this also was just a basic attack. The list of potential phrases could be taken from twitter accounts and twitter accounts description. "To the moon!!! ┗(°0°)┛" was exactly the twitter account description.
legendary
Activity: 2604
Merit: 2353
I don't think that memorizing a random 12+ word seed is feasible for most people.
I second jackg, memorizing seeds is not as hard as it might look, they are called mnemonic for a reason.

mnemonic = a pattern-based device that assists in memorization. randomly generated seeds are definitely not mnemonic.

i don't know why "mnemonic phrase" ever caught on as a term. it's misleading.

i agree with odolvlobo---it's not feasible for most people. for those who can do it, let's see what you remember in 5 years.
Precisely, bitcoin.it says "This is a bad name because the word mnemonic implies that the phrase should be memorized"... it doesn't say it couldn't be.

In fact, in another article it's explained how you can memorize a seed (with the Mnemonic Peg Method)
Quote
Memorize the phrase using http://en.wikipedia.org/wiki/Mnemonic_peg_system
[...]
To memorize a seed with this method you must invent a story which hits the words as "keynotes". Try to make it like a fairy tale story, use imagery. Make it somehow striking and emotionally resonant. When remembering you just remember the key words, not all the other words - the other can be remembered more as images and thoughts (which are hard to write down)
[...]
Repeat this story in your head several times over a short period - the first few days. It will sink in, deep, after that. You'll only have to revisit it very occasionally. After a while you can ignore it for months and it'll still come back
https://en.bitcoin.it/wiki/Brainwallet
member
Activity: 382
Merit: 53
Telegram @keychainX

Now, there are certain hashing algorithms specifically designed to resist attacks on hashed passwords: bcrypt, scrypt, and argon2id, for example. They have these advantages:
  • They are much slower than SHA-256. For example, Litecoin's configuration of scrypt is about 1000 times slower than SHA-256.
  • They require much more memory, which limits the parallelization.
  • They also generally include a "salt" parameter that limits the ability to use pre-generated hash tables.

My question for the experts: would switching to an appropriate hash algorithm such as the ones listed above be enough to make a brain wallet secure?


Simply NO, as long as your password is something possible to guess, a strong enough CPU crack farm can do it.

I've broken passwords with scrypt where you need a CPU with 32GB of RAM and it was really, really slow. Even though the password was 12 characters it was based on known phrases from dictionaries and therefore insecure.

It does not matter if you use capital letters, add numbers and special characters; as long as it follows a formula it's possible to break.

My 5 cents
/KX
legendary
Activity: 1652
Merit: 1483
I don't think that memorizing a random 12+ word seed is feasible for most people.
I second jackg, memorizing seeds is not as hard as it might look, they are called mnemonic for a reason.

mnemonic = a pattern-based device that assists in memorization. randomly generated seeds are definitely not mnemonic.

i don't know why "mnemonic phrase" ever caught on as a term. it's misleading.

i agree with odolvlobo---it's not feasible for most people. for those who can do it, let's see what you remember in 5 years.
legendary
Activity: 3472
Merit: 10611
Now, there are certain hashing algorithms specifically designed to resist attacks on hashed passwords: bcrypt, scrypt, and argon2id, for example. They have these advantages:
  • They are much slower than SHA-256. For example, Litecoin's configuration of scrypt is about 1000 times slower than SHA-256.
  • They require much more memory, which limits the parallelization.
  • They also generally include a "salt" parameter that limits the ability to use pre-generated hash tables.
these are not hash algorithms, these are key derivation functions. and your points are somewhat false.
- slower in this context means slower in a micro scale otherwise they are quite fast. you can only say a hash algorithm is slower if it takes 1 minute to compute the hash not the same micro second!
- this depends on the settings. if for example you use scrypt with a low cost factor and block size factor then it isn't really a memory expensive one.
- when the "salt" is known (which is the case with a pre-defined brainwallet algorithm) it could still be pre-generated.

Quote
My question for the experts: would switching to an appropriate hash algorithm such as the ones listed above be enough to make a brain wallet secure?
the main problem with brain wallets is that the attacker has a much smaller space to search compared to a random 256 bit entropy. you can increase the complexity of the phrase being memorized, the complexity and cost of the algorithm, add salt,... but still the main problem remains the same.

and also since it depends on user's choice of phrase and people rarely choose something truly strong, the search space is usually small.


i wouldn't recommend using a brain wallet but the only thing that i can think of which can help create a "better" (still not safest) key is using your own defined algorithm which combines multiple methods.
an easy example would be choosing a password (let's assume it is '123') then using different hashes but not letting anybody know which hashes you used.
Code:
a0b8dec49dfb6a658bb2fcb417d58b8a8550ba73c7f0936d4d628191b3562b5d
even though my password was simple the result is still "more" random. try to guess which hash algorithms i used first before reading the last line. now the attacker not only has to guess my password (brain wallet phrase) but also has to guess which hash algorithms, how many of them and in what order i used to get the final key from. but the problem still exists here too, the assumption should be that the attacker could gain more knowledge about my method which i tried keeping secret. for example he may know i used 5 hashes and figure out i am a fan of keccak,... and if the reward is big enough it justifies the extensive work it needs to break it.


Keccak256(SHA3-256(SHA3-256(RIPEMD160(SHA256("123")))))
copper member
Activity: 2856
Merit: 3071
https://bit.ly/387FXHi lightning theory
Yeah, learning a mnemonic phrase seems like it'll be a hard thing to learn but it actually isn't that difficult. I remember thinking it was hard but I kept restoring my wallet and started to learn it from memory.


Best things to do:
every so often, maybe once a day for 2 weeks, boot up electrum (potentially on something like true key os that's fully disconnected from the Internet) and type up your key there (maybe do it twice or three times a day).
If you're trying to learn it, focus on words that are similar and words that are different; for example, I have a seed with an oxymoron which produces a bit of a weird concept.

Try to visualise stuff (but don't force it). If it says there's a wasp, a puddle and a log next to each other, the wasp can be resting on the log which is floating on the water. If you try learning it the first way alone, sometimes the order can be messed up when you recite it which is easy to fix but avoidable.

You'd be writing down data from your brain wallet anyway so I don't think there'd be much of a problem there.
legendary
Activity: 3038
Merit: 2162
I was thinking that something like a PIN could be used as the salt. I would have no problem remembering a brain wallet phrase and an 8 digit PIN.


Memorizing numbers, especially long numbers, is harder than memorizing a few words. You can get a word or a phrase from your memory even after some time, but with numbers you have to repeat them regularly to not forget them.

And even if you can come up with a phrase that is strong today, it may become weak in the close future, so you'll have a liability of checking if your password is still strong from time to time.


I don't think that memorizing a random 12+ word seed is feasible for most people.

I second jackg, memorizing seeds is not as hard as it might look, they are called mnemonic for a reason.
It's just a bad idea to use your memory as the only way of storing your seed, but it's viable as a third or fourth method. This can have some interesting uses, for example, when you pass a border, the border control will have absolutely zero way of finding your coins, unlike with USB sticks or hiding it inside a book.

legendary
Activity: 4522
Merit: 3426
If you use a slow hashing algorithm and an appropriately sized salt then you should be good. A lot of sites will still use sha256 and 512 for password hashing. The salt would have to be pretty huge based on the size of asics though...

I was thinking that something like a PIN could be used as the salt. I would have no problem remembering a brain wallet phrase and an 8 digit PIN.

It might be better to just memorise a seed instead? I know quite a few of mine from memory from having to restore wallets. Just read it every couple of hours (potentially while doing something else) and your wallet will be more secure.

I don't think that memorizing a random 12+ word seed is feasible for most people.
copper member
Activity: 2856
Merit: 3071
https://bit.ly/387FXHi lightning theory
If you use a slow hashing algorithm and an appropriately sized salt then you should be good. A lot of sites will still use sha256 and 512 for password hashing. The salt would have to be pretty huge based on the size of asics though...

It might be better to just memorise a seed instead? I know quite a few of mine from memory from having to restore wallets. Just read it every couple of hours (potentially while doing something else) and your wallet will be more secure.
legendary
Activity: 4522
Merit: 3426
The typical brain wallet is constructed by hashing a memorable phrase using SHA-256, and using the result as the private key. It is well-established that the typical brain wallet is not secure. This thread demonstrates that very clearly:

Collection of 18.509 found and used Brainwallets

Here is a good example from that thread showing that even a seemingly good brain wallet phrase can be cracked:


The basic attack against brain wallets involves generating a huge list of potential phrases, and then checking the blockchain for the addresses derived from the hashes of those phrases. The defenses against this attack are to increase the range of potential phrases and to make it slower and more expensive to check them.

The cracked brain wallet above demonstrates to me that the benefit of increasing the potential range is limited. That is basically because a human's ability to create meaningful and memorable phrases is limited. For this reason, we have to accept that although a carefully chosen phrase is important, it is not sufficient, and it is also necessary to make it slower and more expensive to check the hashes of potential phrases.

The issue with SHA-256 is that it is very fast, and it is easy for the attacker to generate the private keys for a large number of potential brain wallets. A typical PC can generate up to a billion SHA-256 hashes every second. SHA-256 is not appropriate for hashing brain wallet phrases (or any kind of passwords).

Now, there are certain hashing algorithms specifically designed to resist attacks on hashed passwords: bcrypt, scrypt, and argon2id, for example. They have these advantages:
  • They are much slower than SHA-256. For example, Litecoin's configuration of scrypt is about 1000 times slower than SHA-256.
  • They require much more memory, which limits the parallelization.
  • They also generally include a "salt" parameter that limits the ability to use pre-generated hash tables.

My question for the experts: would switching to an appropriate hash algorithm such as the ones listed above be enough to make a brain wallet secure?
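To put numbers on the OP's point, and on pooya87's reply above that a KDF raises the cost of each guess without enlarging the search space, here is an added example (my code, not from any post, wallet or tool in this thread) using Python's standard-library scrypt beside plain SHA-256. The phrase, the PIN-style salt and the candidate counts are constructed sample values; the Litecoin parameters (n=1024, r=1, p=1) are the configuration the OP cites, and the "strong" parameter set is my own assumption.

```python
import hashlib
import time

# Order of the secp256k1 group: a usable Bitcoin private key must lie in [1, N-1].
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

# Litecoin's scrypt parameters: the "about 1000x slower than SHA-256" setting the OP cites.
LITECOIN_SCRYPT = dict(n=1024, r=1, p=1)
# A setting closer to current password-storage practice (16 MiB per derivation); my assumption.
STRONG_SCRYPT = dict(n=2**14, r=8, p=1)


def sha256_brainwallet(phrase: str) -> bytes:
    """The classic construction the thread warns about: one fast SHA-256 of the phrase."""
    return hashlib.sha256(phrase.encode("utf-8")).digest()


def scrypt_brainwallet(phrase: str, salt: str, n: int = 2**14, r: int = 8, p: int = 1) -> bytes:
    """Phrase plus a memorised salt (the thread suggests a PIN) through scrypt.

    The salt stops one pre-computed table from covering every user of the scheme,
    and n/r/p set the memory and time that every single guess costs an attacker.
    """
    key = hashlib.scrypt(phrase.encode("utf-8"), salt=salt.encode("utf-8"),
                         n=n, r=r, p=p, dklen=32)
    k = int.from_bytes(key, "big")
    # 0 or a value >= N is not a valid secp256k1 private key; refuse it rather than
    # silently reducing it (probability about 2^-128, but the check costs nothing).
    if not 1 <= k < SECP256K1_N:
        raise ValueError("derived value is not a valid secp256k1 key; use another salt")
    return key


def per_guess_seconds(derive, iterations: int = 10) -> float:
    """Rough wall-clock cost of one derivation on this machine."""
    start = time.perf_counter()
    for _ in range(iterations):
        derive()
    return (time.perf_counter() - start) / iterations


def search_cost_hours(candidate_phrases: int, seconds_per_guess: float,
                      parallel_units: int = 1) -> float:
    """Time to try every candidate: search space x per-guess cost / parallelism.

    The KDF only raises the second factor; the first is fixed by how the phrase
    was chosen, which is the limitation pooya87 and the OP describe.
    """
    return candidate_phrases * seconds_per_guess / parallel_units / 3600.0


if __name__ == "__main__":
    phrase, pin = "correct horse battery staple", "2471"   # constructed sample inputs
    fast = per_guess_seconds(lambda: sha256_brainwallet(phrase))
    lite = per_guess_seconds(lambda: scrypt_brainwallet(phrase, pin, **LITECOIN_SCRYPT))
    strong = per_guess_seconds(lambda: scrypt_brainwallet(phrase, pin, **STRONG_SCRYPT))
    print(f"SHA-256: {fast*1e6:.1f} us   Litecoin scrypt: {lite*1e6:.1f} us   "
          f"strong scrypt: {strong*1e3:.1f} ms   (x{strong/fast:.0f} over SHA-256)")
    # Ten million candidate phrases is a small dictionary; compare the three settings.
    for name, cost in (("SHA-256", fast), ("Litecoin scrypt", lite), ("strong scrypt", strong)):
        print(f"{name:16s} 10M guesses, one core: {search_cost_hours(10_000_000, cost):.2f} h")
```

The timing ratio printed is machine-dependent; the lesson that survives on any machine is that the hours scale linearly with the candidate count, so the phrase's unpredictability still dominates.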