Brainwallet

2026-06-21T09:27:50Z

Misterpsd:

A '''brainwallet''' is a method of controlling Bitcoin funds by memorizing wallet recovery data, usually a [[seed phrase]], rather than storing it on paper or another physical or digital medium. If the seed phrase is not recorded anywhere, access to the bitcoins depends entirely on the owner's memory. If the phrase is forgotten, or if the owner dies or becomes permanently incapacitated, the bitcoins are lost forever. Memory techniques can make a seed phrase easier to memorize and recall, but they do not remove the risk of memory failure.

A brainwallet can be created by using Bitcoin wallet software to generate a seed phrase and then memorizing it. Examples of wallets that generate seed phrases include [[Electrum]], [[Armory]] and [[Mycelium]].

Brainwallets are not recommended for general use because human memory is fallible and human-chosen secrets are often weak. In limited circumstances, such as when someone must flee a country without carrying physical storage media, a memorized seed may be considered. Even then, the risks should be understood carefully.

== Worked example ==

# Use wallet software such as [[Electrum]] to generate a new [[seed phrase]].
# Memorize the phrase using a mnemonic technique such as the [https://en.wikipedia.org/wiki/Method_of_loci method of loci].
# When spending or recovering funds, restore the wallet from memory using the seed phrase.

=== Example memory palace technique ===

The method of loci, also known as a memory palace, associates each word with a vivid image placed along a familiar route. The route might be a childhood home, workplace, school, or another place that is easy to visualize. The images should be distinctive and emotionally memorable so that each location prompts recall of the corresponding word.

For example, consider this seed phrase:

witch collapse practice feed shame open despair creek road again ice least

One possible memory palace could use a familiar building:

* In the first room, your mother is dressed as a '''witch''' while playing Jenga until the tower '''collapses'''.
* In the next room, your father is '''practising''' with a longbow and shoots a chicken to '''feed''' himself.
* In another room, your brother looks ashamed and tries to cover a torn shirt while a window is '''open''' and flapping in the wind.
* In the kitchen, your partner is looking at Picasso's [https://en.wikipedia.org/wiki/Guernica_%28Picasso%29 Guernica] on the wall and is in '''despair'''. Next to it, a television is playing Dawson's '''Creek'''.
* In the garage, a childhood friend is preparing for a '''road''' trip for the fifth time this month, so he is going '''again'''.
* Outside in the garden, the ground is covered in melting '''ice'''. Two friends have baskets of apples, while you are holding only a few, giving you the '''least''' apples.

Repeating the route several times over the first few days can make recall easier. However, relying on memory alone is still risky and is not recommended as the only backup method.

=== Video example of the method of loci ===

The BBC documentary ''The Human Mind'' (2003), presented by Professor Robert Winston, includes an example of memorizing a list of 30 random words at approximately 31 minutes in:

https://www.youtube.com/watch?v=lRhfQCW1f68&t=1867

=== Fallible memory warning ===

Human memory can fail even when mnemonic techniques are used. A memorized seed may become distorted, incomplete, or inaccessible after illness, trauma, stress, aging, or a long period without rehearsal.

Wallet recovery data should generally be backed up. Storing a seed phrase in only one place is dangerous, even if that place is the owner's memory.

== Obsolete brainwallet style ==

An early form of brainwallet was created by memorizing a passphrase and converting it into a [[private key]] with a hashing or key derivation algorithm, such as a single SHA256 operation. The resulting private key was then used to compute a Bitcoin address. This method was found to be highly insecure and '''should not be used'''. Humans are not a reliable source of entropy, and using a single address also creates problems associated with [[address reuse]].

=== Memory-hard deterministic derivation ===

Some later deterministic schemes derive wallet seed material from a passphrase or other user-supplied secret, and may encode the derived entropy as a BIP39 mnemonic rather than directly producing a single private key and address. BIP39 defines a mnemonic code for generating deterministic wallets from entropy and a checksum.<ref>[https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki BIP-0039: Mnemonic code for generating deterministic keys]</ref>

To slow offline guessing, a deterministic brainwallet scheme may use a memory-hard key derivation function such as Argon2id instead of a single SHA256 operation. Argon2 is specified as a memory-hard function for password hashing and proof-of-work applications, and RFC 9106 describes Argon2id as its hybrid variant.<ref>[https://datatracker.ietf.org/doc/rfc9106/ RFC 9106: Argon2 Memory-Hard Function for Password Hashing and Proof-of-Work Applications]</ref>

This only increases the cost of each guess. It does not make ordinary human-chosen phrases safe. The security of a passphrase-derived wallet still depends on the entropy of the secret, the derivation parameters, the software implementation, and the operational environment used for generation and recovery. A precomputed hash may be used as an input only if it is itself treated as the secret; hashing a weak phrase does not make it high entropy.

One implementation example is [https://brainwalletseed.com/ BrainWalletSeed], a client-side deterministic BIP39 brainwallet generator using Argon2id derivation. This does not change the security warnings above: memory-hard derivation can make guessing more expensive, but it does not make weak or human-chosen secrets safe.

=== Low entropy from human-generated passphrases ===

Human-generated passphrases often have much less entropy than users expect. Quotations, song lyrics, common phrases, keyboard patterns, dates, substitutions, and personally meaningful strings can be tested with dictionary attacks, rule-based attacks, and other offline guessing techniques. If a wallet is derived deterministically from a weak phrase, an attacker can search large numbers of candidate phrases and automatically take funds from any matching address.<ref>[https://bitcointalk.org/index.php?topic=311000.msg3345309#msg3345309 Re: hardening brain-wallets with a useful blind proof of work]</ref>

For this reason, human-generated passphrases should not be used as wallet secrets.

=== Ryan Castellucci DEFCON talk ===

Ryan Castellucci gave a talk at DEFCON 23 about cracking brainwallet passphrases. Although weak brainwallet passphrases had already been exploited for years, the talk helped bring wider attention to the issue.<ref>[https://rya.nc/cracking_cryptocurrency_brainwallets.pdf Ryan Castellucci DEFCON Talk]</ref><ref>[https://www.reddit.com/r/Bitcoin/comments/3g9f1s/why_im_releasing_a_brainwallet_cracker_at_defcon/ Reddit thread on Ryan Castellucci's talk]</ref><ref>[https://www.youtube.com/watch?v=foil0hzl4Pg Video of Ryan Castellucci's talk]</ref>

=== Legacy code ===

If funds remain in an old-style brainwallet, the website http://www.bitaddress.org/ contains a GUI for generating the private key using the sha256(passphrase) algorithm. It is strongly recommended to move the funds to a modern wallet as soon as possible.

= References =
<references>
</references>

[[Category:Instructional]]

Bitcoin Wiki - User contributions [en]

Brainwallet