Brainwallet: Difference between revisions
→Falleable Memory: fleshed out some ideas for keeping a paper backup |
→Possible Dangers: added information on Ryan Castellucci's talk which can be linked to whenever this issue comes up again |
||
Line 54: | Line 54: | ||
Cheers.'' <ref>[https://bitcointalk.org/index.php?topic=311000.msg3345309#msg3345309 Re: hardening brain-wallets with a useful blind proof of work ]</ref> | Cheers.'' <ref>[https://bitcointalk.org/index.php?topic=311000.msg3345309#msg3345309 Re: hardening brain-wallets with a useful blind proof of work ]</ref> | ||
====Ryan Castellucci DEFCON Talk==== | |||
Ryan Castellucci gave a talk at DEFCON23 about cracking brainwallet passphrases. Although brainwallet passphrases were being exploited for years by this point, the talk helped bring the issues to more popular consciousness.<ref>[https://rya.nc/cracking_cryptocurrency_brainwallets.pdf Ryan Castellucci DEFCON Talk]</ref><ref>[https://www.reddit.com/r/Bitcoin/comments/3g9f1s/why_im_releasing_a_brainwallet_cracker_at_defcon/ Reddit thread on Ryan's talk]</ref> | |||
===Falleable Memory=== | ===Falleable Memory=== |
Revision as of 15:01, 9 August 2015
A brainwallet refers to the concept of storing Bitcoins in one's own mind by memorization of a passphrase. As long as the passphrase is not recorded anywhere, the Bitcoins can be thought of as existing nowhere except in the mind of the holder. If a brainwallet is forgotten or the person dies or is permanently incapacitated, the Bitcoins are lost forever.
Early brainwallets were created simply by coming up with a passphrase. The phrase is turned into a 256-bit private key with a hashing or key derivation algorithm (example: SHA256). That private key is then used to compute a Bitcoin address, or a deterministic sequence of addresses. WARNING - This method was found to be very insecure. Do not use it. Humans are not a good source of entropy. Use the below worked example.
Creating a Brainwallet
A much safer way of storing money in your brain is to have software generate the cryptographic entropy and then memorize it. For example wallets like Electrum, Armory and Mycelium create backup mnemonic words seeds. Using techniques like memory pegging allow them to be memorized and recalled easily. Using a deterministic wallet with multiple addresses also stops the problems associated with address reuse.
Worked Example
- On a computer with no malware, run Electrum and generate the 13-word recovery seed.
- Memorize the seed using http://en.wikipedia.org/wiki/Mnemonic_peg_system
- When spending or saving, restore the wallet from memory using the seed.
- Use the master public key to create an online watch-only wallet, where you can send to but not spend.
- Spend from the wallet in the manner of deep cold storage. Transferring the unsigned transaction to the cold storage computer, signing it and broadcasting to the network.
Example Mnemonic Peg
To memorize a mnemonic seed with this method you must invent a story which hits the words as "keynotes". Try to make it like a fairy tale story, use imagery. Make it somehow striking and emotionally resonant. When remembering you just remember the key words, not all the other words - the other can be remembered more as images and thoughts (which are hard to write down)
Let's say we have this seed:
witch collapse practice feed shame open despair creek road again ice least
You'd imagine walking through a building familiar to you, maybe your own home or workplace or school.
- You imagine looking in the first room and seeing your mother dressed as a witch, playing the jenga boardgame until the tower collapses.
- You walk to the next room and see your father practising with a longbow, he shoots a chicken to feeds himself.
- In the next room you see your brother naked in shame attempting to cover himself, he's looking through a window thats open and flapping in the wind.
- Now you reach the kitchen, girlfriend is looking at Picasso's Guernica on the wall. She is in despair from it. Next to it is a television playing the show Dawson's Creek.
- Next you're in the garage, your childhood friend is working on his car. He plans to go on a road trip for the 5th time this month, he's going again.
- Finally to go outside to the garden. It's early spring and the ground is covered in melting ice. Two of your other friends are there, one friend has a huge basket of apples, the other has a smaller basket but you're holding only some apples. You've got the least apples.
Repeat this story in your head several times over a short period - the first few days. It will sink in, deep, after that. You'll only have to revisit it very occasionally. After a while you can ignore it for months and it'll still come back, not that I'd recommend relying on that.
Possible Dangers
Low Entropy from Human-Generated Passphrases
Practically everyone who knows about or cares loudly yells at people DO NOT USE BRAINWALLETS. We've seen pretty concrete evidence that users are resistant to good advice in this space, and they are shocked when their favorite quotation is cracked and they lose their coins (But it was 60 characters long! I even added a special character! how is this possible?!), the existing sites promoting this stuff won't use a KDF stronger than SHA256*1 because "users are stupid if they use weak passwords".
Brainwallets.
FOR GODS SAKE. DON'T DO IT. YOU MAY THINK YOU ARE SMART ENOUGH. SO DID EVERYONE ELSE WHO GOT ROBBED. HUMANS ARE NOT A GOOD SOURCE OF ENTROPY.
YOU HAVE A SCHEME? Pfft. THE SPACE OF ALL SCHEMES YOU'RE LIKELY TO HAVE PROBABLY ONLY HAS A FEW BITS OF ENTROPY. RANDOM PHRASE IN A BOOK? THERE ARE ONLY ABOUT 30 BITS OF SENTENCE SELECTION IN A LIBRARY.
OH NO. YOU ARE NOT LISTENING TO ME, ARE YOU?
OH CRAP. YOU THINK THAT "EIGHT CHARACTERS AND ONE FROM EACH CHARACTER CLASS" APPLIES HERE?? WEBSITE SECURITY MIGHT HAVE TO DEAL WITH 1000 ATTEMPTS PER SECOND, BUT SOME DUDE WITH A FPGA FARM IS PROBABLY PRECOMPUTING A BILLION BRAINWALLETS PER SECOND. JUST STOP.
NOOOOOOOOOOOO.
Well, now that you have no more Bitcoin I guess we don't have to worry about you using a brainwallet.
Cheers. [1]
Ryan Castellucci DEFCON Talk
Ryan Castellucci gave a talk at DEFCON23 about cracking brainwallet passphrases. Although brainwallet passphrases were being exploited for years by this point, the talk helped bring the issues to more popular consciousness.[2][3]
Falleable Memory
Human memory can be far more falleable than we normally expect. So if you're only storage is memory you may find that it just vanished one day. Keeping a copy stored on paper somewhere could be a useful backup, depending on circumstances.