Difference between revisions of "Brainwallet"

From Bitcoin Wiki
Jump to: navigation, search
m (Added missing word ("move the out" to "move the coins out"))
(32 intermediate revisions by 7 users not shown)
Line 1: Line 1:
A '''brainwallet''' refers to the concept of storing Bitcoins in one's own mind by memorization of a passphrase. As long as the passphrase is not recorded anywhere, the Bitcoins can be thought of as existing nowhere except in the mind of the holder. If a brainwallet is forgotten or the person dies or is permanently incapacitated, the Bitcoins are lost forever.
+
A '''brainwallet''' refers to the concept of storing Bitcoins in one's own mind by memorizing a [[seed phrase]]. If the seed is not recorded anywhere, the Bitcoins can be thought of as being held only in the mind of the owner. If a brainwallet is forgotten or the person dies or is permanently incapacitated, the Bitcoins are lost forever. Using memory techniques allow them to be memorized and recalled easily.
  
Early brainwallets were created simply by coming up with a passphrase. The phrase is turned into a 256-bit [[private key]] with a hashing or key derivation algorithm (example: SHA256).  That private key is then used to compute a Bitcoin address, or a deterministic sequence of addresses. '''WARNING - This method was found to be very insecure. Do not use it. Humans are not a good source of entropy.''' Use the below worked example.
+
To create a brainwallet, use Bitcoin wallet software to generate a seed phrase and then memorize it. Such seeds are generated by wallets like [[Electrum]], [[Armory]] and [[Mycelium]].
  
==Creating a Brainwallet==
+
Brainwallets are not recommended to be used in general because of fallible human memory. But in special situations they could be very useful, for example when fleeing a country with only the clothes on your back.
  
A much safer way of storing money in your brain is to have software generate the cryptographic entropy and then memorize it. For example wallets like [[Electrum]] and [[Mycelium]] create backup mnemonic words seeds. Using techniques like memory pegging allow them to be memorized and recalled easily.
+
== Worked Example ==
  
===Worked Example===
+
# On a computer with no malware, run [[Electrum]] and generate a [[seed phrase]].
 +
# Memorize the phrase using http://en.wikipedia.org/wiki/Mnemonic_peg_system
 +
# When spending or saving, restore the wallet from memory using the phrase.
 +
# Use the master public key to create an online watch-only wallet, where you can send to but not spend.
 +
# Spend from the wallet in the manner of [[Cold_storage|deep cold storage]]. Transferring the unsigned transaction to the cold storage computer, signing it and broadcasting to the network.
  
# On a computer with no malware, run [[Electrum]] and generate the 13-word recovery seed.
+
=== Example Mnemonic Peg ===
# Memorize the seed using http://en.wikipedia.org/wiki/Mnemonic_peg_system
+
To memorize a seed with this method you must invent a story which hits the words as "keynotes". Try to make it like a fairy tale story, use imagery. Make it somehow striking and emotionally resonant. When remembering you just remember the key words, not all the other words - the other can be remembered more as images and thoughts (which are hard to write down)
# When spending or saving, restore the wallet from memory using the seed.
 
# (Optional) Use the master public key to create a watch-only wallet, where you can send to but not spend.
 
  
==Possible Dangers==
+
Let's say we have this seed:
  
===Low Entropy===
+
    witch collapse practice feed shame open despair creek road again ice least
  
Practically everyone who knows about or cares about the BIP process loudly yells at people DO NOT USE BRAINWALLETS.  We've seen pretty concrete evidence that users are resistant to good advice in this space, and they are shocked when their favorite quotation is cracked and they lose their coins (But it was 60 characters long! I even added a special character! how is this possible?!),  the existing sites promoting this stuff won't use a KDF stronger than SHA256*1 because "users are stupid if they use weak passwords".
+
You'd imagine walking through a building familiar to you, maybe your own home or workplace or school.
  
''Brainwallets.
+
* You imagine looking in the first room and seeing your mother dressed as a '''witch''', playing the jenga boardgame until the tower '''collapses'''.
 +
* You walk to the next room and see your father '''practising''' with a longbow, he shoots a chicken to '''feeds''' himself.
 +
* In the next room you see your brother naked in '''shame''' attempting to cover himself, he's looking through a window that's '''open''' and flapping in the wind.
 +
* Now you reach the kitchen, girlfriend is looking at Picasso's [https://en.wikipedia.org/wiki/Guernica_%28Picasso%29 Guernica] on the wall. She is in '''despair''' from it. Next to it is a television playing the show Dawson's '''Creek'''.
 +
* Next you're in the garage, your childhood friend is working on his car. He plans to go on a '''road''' trip for the 5th time this month, he's going '''again'''.
 +
* Finally to go outside to the garden. It's early spring and the ground is covered in melting '''ice'''. Two of your other friends are there, one friend has a huge basket of apples, the other has a smaller basket but you're holding only some apples. You've got the '''least''' apples.
  
FOR GODS SAKE. DON'T DO IT. YOU MAY THINK YOU ARE SMART ENOUGH. SO DID EVERYONE ELSE WHO GOT ROBBED. HUMANS ARE NOT A GOOD SOURCE OF ENTROPY.
+
Repeat this story in your head several times over a short period - the first few days. It will sink in, deep, after that. You'll only have to revisit it very occasionally. After a while you can ignore it for months and it'll still come back, not that I'd recommend relying on that.
  
YOU HAVE A SCHEME?  Pfft. THE SPACE OF ALL SCHEMES YOU'RE LIKELY TO HAVE PROBABLY ONLY HAS A FEW BITS OF ENTROPY. RANDOM PHRASE IN A BOOK? THERE ARE ONLY ABOUT 30 BITS OF SENTENCE SELECTION IN A LIBRARY.
+
=== Video Example of Mnemonic Peg Method ===
  
OH NO. YOU ARE NOT LISTENING TO ME, ARE YOU?
+
From the BBC documentary The Human Mind (2003) by Professor Robert Winston. Approximately 31 minutes in. Memorizing a list of 30 random words.
  
OH CRAP. YOU THINK THAT "EIGHT CHARACTERS AND ONE FROM EACH CHARACTER CLASS" APPLIES HERE?? WEBSITE SECURITY MIGHT HAVE TO DEAL WITH 1000 ATTEMPTS PER SECOND, BUT SOME DUDE WITH A FPGA FARM IS PROBABLY PRECOMPUTING A BILLION BRAINWALLETS PER SECOND. JUST STOP.
+
https://www.youtube.com/watch?v=lRhfQCW1f68&t=1867
  
NOOOOOOOOOOOO.
+
=== Fallible Memory Warning ===
 +
Despite the memory aids, human memory can be very fallible. So if your only storage is memory you may find that it just vanished one day.
  
Well, now that you have no more Bitcoin I guess we don't have to worry about you using a brainwallet.
+
Data should always be backed up. Storing a seed phrase in one place is bad, even if that one place is your brain.
  
Cheers.'' <ref>[https://bitcointalk.org/index.php?topic=311000.msg3345309#msg3345309 Re: hardening brain-wallets with a useful blind proof of work ]</ref>
+
== Obsolete Brainwallet Style ==
  
===Falleable Memory===
+
An early old-style brainwallet was created by by memorization of a passphrase and converting it a [[private key]] with a hashing or key derivation algorithm (example: SHA256). That private key is then used to compute a Bitcoin address. This method was found to be very insecure and '''should not be used'''. Humans are not a good source of entropy. Using a single address also has problems associated with [[address reuse]].
Human memory is far more falleable than we normally expect. So if you're only storage is memory you may find that it just vanished one day.
 
  
===Malicious Website Operators===
+
=== Low Entropy from Human-Generated Passphrases ===
The operator of brainwallet.org seemingly created their service with the specific intention of getting more people to use keys they could crack. They were literally complaining in the main bitcoin IRC channel that they weren't finding many private keys by hashing dictionaries.
 
  
IRC chatlog of the incident: https://people.xiph.org/~greg/brainwallet.txt
+
Practically everyone who knows about or cares loudly yells at people DO NOT USE BRAINWALLETS [GENERATED BY HUMANS].  We've seen pretty concrete evidence that users are resistant to good advice in this space, and they are shocked when their favorite quotation is cracked and they lose their coins (But it was 60 characters long! I even added a special character! how is this possible?!),  the existing sites promoting this stuff won't use a KDF stronger than SHA256*1 because "users are stupid if they use weak passwords". <ref>[https://bitcointalk.org/index.php?topic=311000.msg3345309#msg3345309 Re: hardening brain-wallets with a useful blind proof of work ]</ref>
  
The ''Generate Secure Random Key'' of brainwallet.org was also found to be incredibly inappropriate and could easily lead to money being lost. Around the time they added the really insecure random number generator to the site, they were asking for help in the IRC channel getting very fast bitcoin cryptography (secp256k1) key generation code working.
+
=== Ryan Castellucci DEFCON Talk ===
  
==Precaution==
+
Ryan Castellucci gave a talk at DEFCON23 about cracking brainwallet passphrases. Although brainwallet passphrases were being exploited for years by this point, the talk helped bring the issues to more popular consciousness.<ref>[https://rya.nc/cracking_cryptocurrency_brainwallets.pdf Ryan Castellucci DEFCON Talk]</ref><ref>[https://www.reddit.com/r/Bitcoin/comments/3g9f1s/why_im_releasing_a_brainwallet_cracker_at_defcon/ Reddit thread on Ryan's talk]</ref><ref>[https://www.youtube.com/watch?v=foil0hzl4Pg a video of Ryan's talk]</ref>
It is very important when creating a brainwallet to use a passphrase that has a very high level of entropy. If this is not done, theft of the brainwallet is an eventual certainty.
 
  
'''This is not a simple suggestion.  This is a requirement.  Most people when asked to create a secure password, with everything they've heard about creating a password, will still create a password that if used for a brainwallet, will result in the eventual theft of their funds.  The simple fact of the matter is that hacking a brainwallet password is a mathematical exercise that requires no internet access, no communication, and leaves no trace, so hackers can collectively try multiple trillions of passwords every second in the privacy of their own homes with the very same equipment they use for mining bitcoins (in the usual sense).  Your bank might tell you that a 10 character password with uppercase, lowercase, numbers and symbols is a strong password, but it is not strong enough to secure a brainwallet.  A password that might be strong enough for traditional banking or a social website is typically unacceptable for a brainwallet.'''
+
=== Legacy Code ===
  
A brainwallet passphrase, at a minimum, needs to be an entire original sentence that does not appear in any song or literature.  Security is enhanced simply by including some sort of memorable personal information, which doesn't necessarily even have to be secret (e.g. an e-mail address, or phone number). A good brainwallet passphrase will have ''dozens'' of characters.
+
If you have coins in an old-style brainwallet, the website http://www.bitaddress.org/ contains a GUI for generating the private key using the sha256(passphrase) algorithm. It's highly recommended you move the coins out as soon as you can.
  
==References==
+
=References=
 
<references>
 
<references>
 
</references>
 
</references>
 +
 +
[[Category:Instructional]]

Revision as of 19:02, 29 December 2019

A brainwallet refers to the concept of storing Bitcoins in one's own mind by memorizing a seed phrase. If the seed is not recorded anywhere, the Bitcoins can be thought of as being held only in the mind of the owner. If a brainwallet is forgotten or the person dies or is permanently incapacitated, the Bitcoins are lost forever. Using memory techniques allow them to be memorized and recalled easily.

To create a brainwallet, use Bitcoin wallet software to generate a seed phrase and then memorize it. Such seeds are generated by wallets like Electrum, Armory and Mycelium.

Brainwallets are not recommended to be used in general because of fallible human memory. But in special situations they could be very useful, for example when fleeing a country with only the clothes on your back.

Worked Example

  1. On a computer with no malware, run Electrum and generate a seed phrase.
  2. Memorize the phrase using http://en.wikipedia.org/wiki/Mnemonic_peg_system
  3. When spending or saving, restore the wallet from memory using the phrase.
  4. Use the master public key to create an online watch-only wallet, where you can send to but not spend.
  5. Spend from the wallet in the manner of deep cold storage. Transferring the unsigned transaction to the cold storage computer, signing it and broadcasting to the network.

Example Mnemonic Peg

To memorize a seed with this method you must invent a story which hits the words as "keynotes". Try to make it like a fairy tale story, use imagery. Make it somehow striking and emotionally resonant. When remembering you just remember the key words, not all the other words - the other can be remembered more as images and thoughts (which are hard to write down)

Let's say we have this seed:

   witch collapse practice feed shame open despair creek road again ice least

You'd imagine walking through a building familiar to you, maybe your own home or workplace or school.

  • You imagine looking in the first room and seeing your mother dressed as a witch, playing the jenga boardgame until the tower collapses.
  • You walk to the next room and see your father practising with a longbow, he shoots a chicken to feeds himself.
  • In the next room you see your brother naked in shame attempting to cover himself, he's looking through a window that's open and flapping in the wind.
  • Now you reach the kitchen, girlfriend is looking at Picasso's Guernica on the wall. She is in despair from it. Next to it is a television playing the show Dawson's Creek.
  • Next you're in the garage, your childhood friend is working on his car. He plans to go on a road trip for the 5th time this month, he's going again.
  • Finally to go outside to the garden. It's early spring and the ground is covered in melting ice. Two of your other friends are there, one friend has a huge basket of apples, the other has a smaller basket but you're holding only some apples. You've got the least apples.

Repeat this story in your head several times over a short period - the first few days. It will sink in, deep, after that. You'll only have to revisit it very occasionally. After a while you can ignore it for months and it'll still come back, not that I'd recommend relying on that.

Video Example of Mnemonic Peg Method

From the BBC documentary The Human Mind (2003) by Professor Robert Winston. Approximately 31 minutes in. Memorizing a list of 30 random words.

https://www.youtube.com/watch?v=lRhfQCW1f68&t=1867

Fallible Memory Warning

Despite the memory aids, human memory can be very fallible. So if your only storage is memory you may find that it just vanished one day.

Data should always be backed up. Storing a seed phrase in one place is bad, even if that one place is your brain.

Obsolete Brainwallet Style

An early old-style brainwallet was created by by memorization of a passphrase and converting it a private key with a hashing or key derivation algorithm (example: SHA256). That private key is then used to compute a Bitcoin address. This method was found to be very insecure and should not be used. Humans are not a good source of entropy. Using a single address also has problems associated with address reuse.

Low Entropy from Human-Generated Passphrases

Practically everyone who knows about or cares loudly yells at people DO NOT USE BRAINWALLETS [GENERATED BY HUMANS]. We've seen pretty concrete evidence that users are resistant to good advice in this space, and they are shocked when their favorite quotation is cracked and they lose their coins (But it was 60 characters long! I even added a special character! how is this possible?!), the existing sites promoting this stuff won't use a KDF stronger than SHA256*1 because "users are stupid if they use weak passwords". [1]

Ryan Castellucci DEFCON Talk

Ryan Castellucci gave a talk at DEFCON23 about cracking brainwallet passphrases. Although brainwallet passphrases were being exploited for years by this point, the talk helped bring the issues to more popular consciousness.[2][3][4]

Legacy Code

If you have coins in an old-style brainwallet, the website http://www.bitaddress.org/ contains a GUI for generating the private key using the sha256(passphrase) algorithm. It's highly recommended you move the coins out as soon as you can.

References