Difference between revisions of "Brainwallet"

From Bitcoin Wiki
Jump to: navigation, search
(reorg related sections)
m (Fallible Memory Warning: added note about only storing the seed in your brain is like having no backups)
(7 intermediate revisions by 3 users not shown)
Line 1: Line 1:
A '''brainwallet''' refers to the concept of storing Bitcoins in your brain by remembering the secret seed from which your wallet keys are generated.
+
A '''brainwallet''' refers to the concept of storing Bitcoins in one's own mind by memorizing a [[seed phrase]]. If the seed is not recorded anywhere, the Bitcoins can be thought of as being held only in the mind of the owner. If a brainwallet is forgotten or the person dies or is permanently incapacitated, the Bitcoins are lost forever. Using memory techniques allow them to be memorized and recalled easily.
  
= WarpWallet =
+
To create a brainwallet, use Bitcoin wallet software to generate a seed phrase and then memorize it. Such seeds are generated by wallets like [[Electrum]], [[Armory]] and [[Mycelium]].
  
Currently one of the best ways to create a brainwallet, is use [https://keybase.io/warp/ WarpWallet] on a secure, malware-free computer to to generate your wallet keys from a strong passphrase, salted to your email address.
+
Brainwallets are not recommended to be used in general because of fallible human memory. But in special situations they could be very useful, for example when fleeing a country with only the clothes on your back.
  
An advantage of this wallet generation method is that it not vulnerable to a malicious or broken Random Number Generator.
+
== Worked Example ==
  
A disadvantage is that only a single address is generated at a time and [[address reuse]] can introduce privacy problems.
+
# On a computer with no malware, run [[Electrum]] and generate a [[seed phrase]].
 
+
# Memorize the phrase using http://en.wikipedia.org/wiki/Mnemonic_peg_system
WarpWallet uses a strong bruteforce resistant Key Derivation Function: 2^18 rounds of scrypt + pbkdf. Older methods of creating a brainwallet (e.g., bitaddress.org) from a passphrase are extremely error prone and dangerous. See discussion below.
+
# When spending or saving, restore the wallet from memory using the phrase.
 
 
==Usage example==
 
 
 
# Boot [[BitKey]] on an offline computer in cold-offline mode.
 
 
 
# Run WarpWallet
 
 
 
# Use a strong passphrase to generate your wallet key. Salt with your e-mail.
 
 
 
= Memorizing a wallet generated seed =
 
 
 
An alternative to using WarpWallet with a strong user supplied passphrase is to use trusted Bitcoin wallet software to generate a mnemonic seed and then memorize it.
 
 
 
This assumes the Random Number Generator used to generate the seed is not broken or compromised.
 
 
 
Such seeds are generated by wallets like [[Electrum]], [[Armory]] and [[Mycelium]].
 
 
 
==Electrum based Example==
 
 
 
# On a computer with no malware (e.g., offline PC running live in RAM from [[BitKey]]), run [[Electrum]] and generate the 13-word recovery seed.
 
# Memorize the seed using http://en.wikipedia.org/wiki/Mnemonic_peg_system
 
# When spending or saving, restore the wallet from memory using the seed.
 
 
# Use the master public key to create an online watch-only wallet, where you can send to but not spend.
 
# Use the master public key to create an online watch-only wallet, where you can send to but not spend.
 
# Spend from the wallet in the manner of [[Cold_storage|deep cold storage]]. Transferring the unsigned transaction to the cold storage computer, signing it and broadcasting to the network.
 
# Spend from the wallet in the manner of [[Cold_storage|deep cold storage]]. Transferring the unsigned transaction to the cold storage computer, signing it and broadcasting to the network.
  
= Risk of losing coins =
+
=== Example Mnemonic Peg ===
 
+
To memorize a seed with this method you must invent a story which hits the words as "keynotes". Try to make it like a fairy tale story, use imagery. Make it somehow striking and emotionally resonant. When remembering you just remember the key words, not all the other words - the other can be remembered more as images and thoughts (which are hard to write down)
If the secret seed to your wallet is not recorded anywhere, the Bitcoins can be thought of as being held only in the mind of the owner. If a brainwallet is forgotten or the person dies or is permanently incapacitated, the Bitcoins are lost forever.
 
 
 
Using techniques like memory pegging allow them to be memorized and recalled easily.
 
 
 
==Example Mnemonic Peg==
 
 
 
To memorize a mnemonic seed with this method you must invent a story which hits the words as "keynotes". Try to make it like a fairy tale story, use imagery. Make it somehow striking and emotionally resonant. When remembering you just remember the key words, not all the other words - the other can be remembered more as images and thoughts (which are hard to write down)
 
  
 
Let's say we have this seed:
 
Let's say we have this seed:
Line 60: Line 31:
 
Repeat this story in your head several times over a short period - the first few days. It will sink in, deep, after that. You'll only have to revisit it very occasionally. After a while you can ignore it for months and it'll still come back, not that I'd recommend relying on that.
 
Repeat this story in your head several times over a short period - the first few days. It will sink in, deep, after that. You'll only have to revisit it very occasionally. After a while you can ignore it for months and it'll still come back, not that I'd recommend relying on that.
  
==Video Example of Mnemonic Peg Method==
+
=== Video Example of Mnemonic Peg Method ===
  
 
From the BBC documentary The Human Mind (2003) by Professor Robert Winston. Approximately 31 minutes in. Memorizing a list of 30 random words.
 
From the BBC documentary The Human Mind (2003) by Professor Robert Winston. Approximately 31 minutes in. Memorizing a list of 30 random words.
Line 66: Line 37:
 
https://www.youtube.com/watch?v=lRhfQCW1f68&t=1867
 
https://www.youtube.com/watch?v=lRhfQCW1f68&t=1867
  
==Fallible Memory==
+
=== Fallible Memory Warning ===
 +
Despite the memory aids, human memory can be very fallible. So if your only storage is memory you may find that it just vanished one day.
 +
 
 +
Data should always be backed up. Storing a seed phrase in one place is bad, even if that one place is your brain.
  
Despite the memory aids, human memory can be very fallible. So if your only storage is memory you may find that it just vanished one day. Keeping a copy stored on paper somewhere could be a useful backup, depending on circumstances.
+
== Obsolete Brainwallet Style ==
  
=Dangerous Old-Style Brainwallets =
+
An early old-style brainwallet was created by by memorization of a passphrase and converting it a [[private key]] with a hashing or key derivation algorithm (example: SHA256). That private key is then used to compute a Bitcoin address. This method was found to be very insecure and '''should not be used'''. Humans are not a good source of entropy. Using a single address also has problems associated with [[address reuse]].
  
An early old-style brainwallet was created by by memorization of a passphrase and converting it a [[private key]] with a weak key derivation algorithm (example: two rounds of SHA256). That private key is then used to compute a Bitcoin address.
+
=== Low Entropy from Human-Generated Passphrases ===
  
This method was extremely dangerous because it was vulnerable to global dictionary and bruteforce attacks and relied on humans as a source of entropy.
+
Practically everyone who knows about or cares loudly yells at people DO NOT USE BRAINWALLETS [GENERATED BY HUMANS].  We've seen pretty concrete evidence that users are resistant to good advice in this space, and they are shocked when their favorite quotation is cracked and they lose their coins (But it was 60 characters long! I even added a special character! how is this possible?!),  the existing sites promoting this stuff won't use a KDF stronger than SHA256*1 because "users are stupid if they use weak passwords". <ref>[https://bitcointalk.org/index.php?topic=311000.msg3345309#msg3345309 Re: hardening brain-wallets with a useful blind proof of work ]</ref>
  
Modern brainwallets such as WarpWallet have proven much more resistant to attack due to the strong Key Derivation Function and e-mail based salting. For example, the WarpWallet challenge offered a 20 BTC prize for anyone managing to crack an unsalted random 8-character brainwallet. The challenge has resisted attack for 2.5 years.
+
=== Ryan Castellucci DEFCON Talk ===
  
Note that even with WarpWallet, using a single address still has problems associated with [[address reuse]].
+
Ryan Castellucci gave a talk at DEFCON23 about cracking brainwallet passphrases. Although brainwallet passphrases were being exploited for years by this point, the talk helped bring the issues to more popular consciousness.<ref>[https://rya.nc/cracking_cryptocurrency_brainwallets.pdf Ryan Castellucci DEFCON Talk]</ref><ref>[https://www.reddit.com/r/Bitcoin/comments/3g9f1s/why_im_releasing_a_brainwallet_cracker_at_defcon/ Reddit thread on Ryan's talk]</ref><ref>[https://www.youtube.com/watch?v=foil0hzl4Pg a video of Ryan's talk]</ref>
  
==Legacy Code==
+
=== Legacy Code ===
  
 
If you have coins in an old-style brainwallet, the website http://www.bitaddress.org/ contains a GUI for generating the private key using the sha256(passphrase) algorithm. It's highly recommended you move the out as soon as you can.
 
If you have coins in an old-style brainwallet, the website http://www.bitaddress.org/ contains a GUI for generating the private key using the sha256(passphrase) algorithm. It's highly recommended you move the out as soon as you can.
 
==Low Entropy from Human-Generated Passphrases==
 
 
Practically everyone who knows about or cares loudly yells at people DO NOT USE BRAINWALLETS [GENERATED BY HUMANS].  We've seen pretty concrete evidence that users are resistant to good advice in this space, and they are shocked when their favorite quotation is cracked and they lose their coins
 
 
==Ryan Castellucci DEFCON Talk==
 
 
Ryan Castellucci gave a talk at DEFCON23 about cracking brainwallet passphrases. Although brainwallet passphrases were being exploited for years by this point, the talk helped bring the issues to more popular consciousness.<ref>[https://rya.nc/cracking_cryptocurrency_brainwallets.pdf Ryan Castellucci DEFCON Talk]</ref><ref>[https://www.reddit.com/r/Bitcoin/comments/3g9f1s/why_im_releasing_a_brainwallet_cracker_at_defcon/ Reddit thread on Ryan's talk]</ref><ref>[https://www.youtube.com/watch?v=foil0hzl4Pg a video of Ryan's talk]</ref>
 
  
 
=References=
 
=References=
 
<references>
 
<references>
 
</references>
 
</references>
 +
 +
[[Category:Instructional]]

Revision as of 17:16, 4 October 2018

A brainwallet refers to the concept of storing Bitcoins in one's own mind by memorizing a seed phrase. If the seed is not recorded anywhere, the Bitcoins can be thought of as being held only in the mind of the owner. If a brainwallet is forgotten or the person dies or is permanently incapacitated, the Bitcoins are lost forever. Using memory techniques allow them to be memorized and recalled easily.

To create a brainwallet, use Bitcoin wallet software to generate a seed phrase and then memorize it. Such seeds are generated by wallets like Electrum, Armory and Mycelium.

Brainwallets are not recommended to be used in general because of fallible human memory. But in special situations they could be very useful, for example when fleeing a country with only the clothes on your back.

Worked Example

  1. On a computer with no malware, run Electrum and generate a seed phrase.
  2. Memorize the phrase using http://en.wikipedia.org/wiki/Mnemonic_peg_system
  3. When spending or saving, restore the wallet from memory using the phrase.
  4. Use the master public key to create an online watch-only wallet, where you can send to but not spend.
  5. Spend from the wallet in the manner of deep cold storage. Transferring the unsigned transaction to the cold storage computer, signing it and broadcasting to the network.

Example Mnemonic Peg

To memorize a seed with this method you must invent a story which hits the words as "keynotes". Try to make it like a fairy tale story, use imagery. Make it somehow striking and emotionally resonant. When remembering you just remember the key words, not all the other words - the other can be remembered more as images and thoughts (which are hard to write down)

Let's say we have this seed:

   witch collapse practice feed shame open despair creek road again ice least

You'd imagine walking through a building familiar to you, maybe your own home or workplace or school.

  • You imagine looking in the first room and seeing your mother dressed as a witch, playing the jenga boardgame until the tower collapses.
  • You walk to the next room and see your father practising with a longbow, he shoots a chicken to feeds himself.
  • In the next room you see your brother naked in shame attempting to cover himself, he's looking through a window that's open and flapping in the wind.
  • Now you reach the kitchen, girlfriend is looking at Picasso's Guernica on the wall. She is in despair from it. Next to it is a television playing the show Dawson's Creek.
  • Next you're in the garage, your childhood friend is working on his car. He plans to go on a road trip for the 5th time this month, he's going again.
  • Finally to go outside to the garden. It's early spring and the ground is covered in melting ice. Two of your other friends are there, one friend has a huge basket of apples, the other has a smaller basket but you're holding only some apples. You've got the least apples.

Repeat this story in your head several times over a short period - the first few days. It will sink in, deep, after that. You'll only have to revisit it very occasionally. After a while you can ignore it for months and it'll still come back, not that I'd recommend relying on that.

Video Example of Mnemonic Peg Method

From the BBC documentary The Human Mind (2003) by Professor Robert Winston. Approximately 31 minutes in. Memorizing a list of 30 random words.

https://www.youtube.com/watch?v=lRhfQCW1f68&t=1867

Fallible Memory Warning

Despite the memory aids, human memory can be very fallible. So if your only storage is memory you may find that it just vanished one day.

Data should always be backed up. Storing a seed phrase in one place is bad, even if that one place is your brain.

Obsolete Brainwallet Style

An early old-style brainwallet was created by by memorization of a passphrase and converting it a private key with a hashing or key derivation algorithm (example: SHA256). That private key is then used to compute a Bitcoin address. This method was found to be very insecure and should not be used. Humans are not a good source of entropy. Using a single address also has problems associated with address reuse.

Low Entropy from Human-Generated Passphrases

Practically everyone who knows about or cares loudly yells at people DO NOT USE BRAINWALLETS [GENERATED BY HUMANS]. We've seen pretty concrete evidence that users are resistant to good advice in this space, and they are shocked when their favorite quotation is cracked and they lose their coins (But it was 60 characters long! I even added a special character! how is this possible?!), the existing sites promoting this stuff won't use a KDF stronger than SHA256*1 because "users are stupid if they use weak passwords". [1]

Ryan Castellucci DEFCON Talk

Ryan Castellucci gave a talk at DEFCON23 about cracking brainwallet passphrases. Although brainwallet passphrases were being exploited for years by this point, the talk helped bring the issues to more popular consciousness.[2][3][4]

Legacy Code

If you have coins in an old-style brainwallet, the website http://www.bitaddress.org/ contains a GUI for generating the private key using the sha256(passphrase) algorithm. It's highly recommended you move the out as soon as you can.

References