Brainwallet
A brainwallet is a method of controlling Bitcoin funds by memorizing wallet recovery data, usually a seed phrase, rather than storing it on paper or another physical or digital medium. If the seed phrase is not recorded anywhere, access to the bitcoins depends entirely on the owner's memory. If the phrase is forgotten, or if the owner dies or becomes permanently incapacitated, the bitcoins are lost forever. Memory techniques can make a seed phrase easier to memorize and recall, but they do not remove the risk of memory failure.
A brainwallet can be created by using Bitcoin wallet software to generate a seed phrase and then memorizing it. Examples of wallets that generate seed phrases include Electrum, Armory and Mycelium.
Brainwallets are not recommended for general use because human memory is fallible and human-chosen secrets are often weak. In limited circumstances, such as when someone must flee a country without carrying physical storage media, a memorized seed may be considered. Even then, the risks should be understood carefully.
Worked example
- Use wallet software such as Electrum to generate a new seed phrase.
- Memorize the phrase using a mnemonic technique such as the method of loci.
- When spending or recovering funds, restore the wallet from memory using the seed phrase.
Example memory palace technique
The method of loci, also known as a memory palace, associates each word with a vivid image placed along a familiar route. The route might be a childhood home, workplace, school, or another place that is easy to visualize. The images should be distinctive and emotionally memorable so that each location prompts recall of the corresponding word.
For example, consider this seed phrase:
witch collapse practice feed shame open despair creek road again ice least
One possible memory palace could use a familiar building:
- In the first room, your mother is dressed as a witch while playing Jenga until the tower collapses.
- In the next room, your father is practising with a longbow and shoots a chicken to feed himself.
- In another room, your brother looks ashamed and tries to cover a torn shirt while a window is open and flapping in the wind.
- In the kitchen, your partner is looking at Picasso's Guernica on the wall and is in despair. Next to it, a television is playing Dawson's Creek.
- In the garage, a childhood friend is preparing for a road trip for the fifth time this month, so he is going again.
- Outside in the garden, the ground is covered in melting ice. Two friends have baskets of apples, while you are holding only a few, giving you the least apples.
Repeating the route several times over the first few days can make recall easier. However, relying on memory alone is still risky and is not recommended as the only backup method.
Video example of the method of loci
The BBC documentary The Human Mind (2003), presented by Professor Robert Winston, includes an example of memorizing a list of 30 random words at approximately 31 minutes in:
https://www.youtube.com/watch?v=lRhfQCW1f68&t=1867
Fallible memory warning
Human memory can fail even when mnemonic techniques are used. A memorized seed may become distorted, incomplete, or inaccessible after illness, trauma, stress, aging, or a long period without rehearsal.
Wallet recovery data should generally be backed up. Storing a seed phrase in only one place is dangerous, even if that place is the owner's memory.
Obsolete brainwallet style
An early form of brainwallet was created by memorizing a passphrase and converting it into a private key with a hashing or key derivation algorithm, such as a single SHA256 operation. The resulting private key was then used to compute a Bitcoin address. This method was found to be highly insecure and should not be used. Humans are not a reliable source of entropy, and using a single address also creates problems associated with address reuse.
Memory-hard deterministic derivation
Some later deterministic schemes derive wallet seed material from a passphrase or other user-supplied secret, and may encode the derived entropy as a BIP39 mnemonic rather than directly producing a single private key and address. BIP39 defines a mnemonic code for generating deterministic wallets from entropy and a checksum.[1]
To slow offline guessing, a deterministic brainwallet scheme may use a memory-hard key derivation function such as Argon2id instead of a single SHA256 operation. Argon2 is specified as a memory-hard function for password hashing and proof-of-work applications, and RFC 9106 describes Argon2id as its hybrid variant.[2]
This only increases the cost of each guess. It does not make ordinary human-chosen phrases safe. The security of a passphrase-derived wallet still depends on the entropy of the secret, the derivation parameters, the software implementation, and the operational environment used for generation and recovery. A precomputed hash may be used as an input only if it is itself treated as the secret; hashing a weak phrase does not make it high entropy.
Low entropy from human-generated passphrases
Human-generated passphrases often have much less entropy than users expect. Quotations, song lyrics, common phrases, keyboard patterns, dates, substitutions, and personally meaningful strings can be tested with dictionary attacks, rule-based attacks, and other offline guessing techniques. If a wallet is derived deterministically from a weak phrase, an attacker can search large numbers of candidate phrases and automatically take funds from any matching address.[3]
For this reason, human-generated passphrases should not be used as wallet secrets.
Ryan Castellucci DEFCON talk
Ryan Castellucci gave a talk at DEFCON 23 about cracking brainwallet passphrases. Although weak brainwallet passphrases had already been exploited for years, the talk helped bring wider attention to the issue.[4][5][6]
Legacy code
If funds remain in an old-style brainwallet, the website http://www.bitaddress.org/ contains a GUI for generating the private key using the sha256(passphrase) algorithm. It is strongly recommended to move the funds to a modern wallet as soon as possible.
References
- ↑ BIP-0039: Mnemonic code for generating deterministic keys
- ↑ RFC 9106: Argon2 Memory-Hard Function for Password Hashing and Proof-of-Work Applications
- ↑ Re: hardening brain-wallets with a useful blind proof of work
- ↑ Ryan Castellucci DEFCON Talk
- ↑ Reddit thread on Ryan Castellucci's talk
- ↑ Video of Ryan Castellucci's talk