

Bitcoin Brainwallet - kiba
http://www.forbes.com/sites/jonmatonis/2012/03/12/brainwallet-the-ultimate-in-mobile-money/

======
trotsky
Users mostly can't be trusted to produce reasonably constructed 8 character
passwords even when there are complexity requirements. So it's rather
surprising to hear that now it's a good idea to fully derive the key
protecting your spends like cash edollars based off of a pass phrase that's
simple enough they feel comfortable committing it to memory. Hint: you'll find
a significant number of pass phrases if you brute force with only phrases out
of popular books people will have lying around. You don't even need to wait
for them to make their key first - since this is effectively unsalted, go ahead
and generate your bitcoin brainwallet rainbow tables ahead of time. Then just
set your bot to watch for keys in use that you've previously generated. Hell,
consider that this is effectively like having a website that only asks for a
pass phrase for login and no username - given how many people pick password1
as their password you're almost sure to see people colliding accidentally
with the first 16 words in their favorite psalm or chapter 6 of the Twilight
book.

It's really easy to keep your keys secure and off disk and still be able to
use great entropy - they're called smart cards.

~~~
gregschlom
You're right, but I think you miss the point of this article.

The point is that one _could_ store in his brain all the information needed to
pay and receive any amount of money, without needing any extra storage device.

Because this money is Bitcoins, and because they are not stored anywhere, it
technically means that all your money, all your wealth, resides in your brain
- hence the title "Brainwallet".

This is a fascinating thought experiment, but not an assessment of the most
secure way to store money.

~~~
te0006
Can't wait for the opportunity to lose my entire savings in a two-minutes
backstreet incident.

Better use this only for the equivalent of today's purse with as much cash as
you feel you need for the next few days.

See also <http://news.ycombinator.com/item?id=2551397> for how to mitigate
such risks.

------
vessenes
This passphrase-for-a-chain-of-private-keys idea is a nice one, and it lends
itself to a bunch of privacy-related plausible deniability scenarios.

In crypto (especially when there's money involved) it's typical to imagine
attackers with lead pipes and your knees in the mix; it's nice to imagine you
could 'crack' and give up your stash, except it's not really your stash, it's
just a little stash.

There are a bunch of other security factors at work here, though. Consider
that you need to have a computer you KNOW does not have a keylogger on it, for
instance.

The loss vectors for Bitcoin historically have been

a) Client bugs
b) System password attacks
c) 'errors' or theft by plausibly denying operators

These actually can all be mitigated, but not well with current systems. The
master generator password is a good addition to the toolkit, but it's not
going to be sufficient. So, let's not forget that cool crypto is as strong as
its weakest link.

I've been considering how you'd safely allow frequent $1mm+ transactions with
Bitcoins recently, and my list involves an unplugged from the net computer, a
faraday cage and a professional auditor from one of the big four.

~~~
vessenes
I wrote a lengthier set of thoughts up at my G+ account:
<https://plus.google.com/112885659993091300749/posts/bD4FNxN8ox9>

------
autarch
"I'm sorry, doctor, I'd like to pay you for the emergency brain surgery, but
since the accident I can't remember my money."

~~~
openstar420
store the key in case of amnesia.

------
sbierwagen
So when are we going to see dedicated Bitcoin hardware? Most of the security
problems with Bitcoin arise from using the software on general purpose
computers, which don't mind if arbitrary processes examine the memory of the
Bitcoin client. Trusted Platform Modules and smartcard chips, on the other
hand, can encrypt incoming data without leaking the private key. You'd only
need a couple thousand more gates (WAG) to run Bitcoin on secure silicon.

In fact, this is such a patently obvious insight that someone else must have
thought of it already.

~~~
wmf
There have been discussions on the forum, but nothing serious. (There's
specialized Bitcoin mining hardware, but we're talking about wallet storage
here.) I don't think a smartcard is really enough; you need something like the
IBM ZTIC, and it's not clear that people are willing to pay for that. There
was some discussion about using trusted computing:
<https://bitcointalk.org/index.php?topic=67508.0>

------
Lucadg
It's scary to think that if that method goes mainstream any robber would
simply need to point a knife at me and say: give me your brainwallet.

------
politician
tldr: master passphrase

~~~
gwillen
It's more than that, though -- the bitcoin private key isn't _encrypted with_
the passphrase, it's _generated directly_ from the passphrase. So there's no
data on disk; only data in your mind.

------
Dove
_Seemingly random modifications of the phrase would aid in strengthening
brainwallet, such as “I went seeking freeeedom, but all the world’s issslands
were alreaDy taken.” These simple changes make the entire phrase very
difficult to predict._

No they don't! Probability does not work that way!

~~~
frisco
Yes it does. A priori, P("freeeedom") << P("freedom"). This decreases the
probability that an attacker will stumble across your passphrase using
anything other than a pure brute-force approach (more on that below). Further,
though not completely what you're talking about, English has huge amounts
(~50%) of redundancy in its structure. It's a tremendously easier problem to
attack the passphrases with knowledge of the statistical structure of English,
if that's actually a good assumption to make. For example, the prior
probability of an unknown word in a sentence being "freedom" is X, but when
you know that the three preceding words are, "I went seeking", the probability
of the unknown word being "freedom" becomes Y > X. Beyond misspellings,
reordering words (say, German-style verb inversion) might also be effective in
thwarting this compression while still being easy to remember. [1]

If you want to brute force your way through, sure, there's no difference in
the example sentences given. Brute force is a totally ridiculous proposition
given the length of the secret involved [2], though, so you're banking on
people preserving language structure to aid in memorization to constrict your
search space. Otherwise you're basically screwed (not that you aren't
basically screwed anyway if the sentence is really not derived from literature
and 10 words long).

[1] For more, this is what you're looking for:
<http://cm.bell-labs.com/cm/ms/what/shannonday/shannon1948.pdf>

[2] <http://xkcd.com/936/>

~~~
Dove
The error is in assuming that applying a simple permutation to a word
increases the entropy by a meaningful amount. Capitalizing a letter,
substituting a symbol, moving your hand's position on the keyboard, or
repeating a letter are _common_ things to do. A dictionary word that has had
one of these things done to it, for purposes of password strength, _is still a
dictionary word_.

People commonly think they are being random when they modify their passwords,
but in point of fact, they are doing the same thing as everyone else. You
cannot ever trust yourself to be random; the only things you can trust to be
random _come out of random number generators_.

That is why I say probability does not work that way. In order for a
modification to make a password or phrase meaningfully secure, it must come
from a genuinely random source with a large number of live outcome
possibilities. Mutating a phrase in a clever, original way that everyone else
uses is pointless. It does not make the passphrase "very hard to predict". It
makes it "slightly less hard to predict than it was, which was not very hard
in the first place."

Fundamentally, "probability does not work that way" in the sense that just
because the outcome _looks_ random and the process _feels_ random, that
doesn't mean it _is_.

~~~
frisco
> Capitalizing a letter, substituting a symbol, moving your hand's position on
> the keyboard, or repeating a letter are common things to do. A dictionary
> word that has had one of these things done to it, for purposes of password
> strength, is still a dictionary word.

For single-word passwords it can be approximated this way. However, for
anything longer, especially a natural language sentence, misspellings make a
big difference.

The OED documents 171,146 words in active use. Assume that every word has at
least two simple misspellings. Suddenly your dictionary becomes 513,438 words
big. This is a linear expansion, but it's in the exponent since you're taking
permutations. That's a big deal. Some misspellings may be much more common than
others, so you can bias your dataset accordingly, but it's still a huge
expansion.

> You cannot ever trust yourself to be random; the only things you can trust
> to be random come out of random number generators.

This is true, but neither really here nor there. The entropy of the passphrase
is already so great, and then is expanded exponentially with the addition of
misspellings and substitutions, even if the distribution of those is biased.

~~~
lotharbot
> _"for anything longer... misspellings make a big difference."_

The question to ask is, how big a difference? Put another way, how many bits
of entropy do your misspellings generate?

In your above example, where each word has 2 common misspellings, each
misspelling gets you ~1.5 bits of entropy. For comparison, adding another
randomly selected OED word gets you just over 17 bits of entropy. If we're
talking about making _meaningfully stronger_ passwords, making a grammatically
correct phrase and then adding misspellings (what the article calls "seemingly
random modifications") is a _less effective strategy_ than simply using a
series of actually-random words from the OED.

It's better to add entropy 17 bits at a time (whole words) than trying to add
entropy piecemeal, 2 bits here and 3 bits there (misspellings, punctuation).
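The entropy arithmetic behind frisco's expanded-dictionary figure and lotharbot's "17 bits per word vs. ~1.5 bits per misspelling" comparison, written out as an added example (not code from the thread or from the brainwallet project). It assumes the thread's numbers (171,146 OED words, two misspellings per word) and a deliberately simple model in which a "grammatical phrase" is one whose words the attacker can already predict, so only the spelling choices add entropy.

```python
import math

# Figures taken from the thread: the OED's 171,146 words in active use and
# frisco's assumption of at least two simple misspellings per word.
OED_WORDS = 171_146
VARIANTS_PER_WORD = 3  # the correct spelling plus two misspellings


def bits(outcomes: int) -> float:
    """Shannon entropy in bits of one uniformly random choice among `outcomes`."""
    return math.log2(outcomes)


def expanded_dictionary(words: int = OED_WORDS, variants: int = VARIANTS_PER_WORD) -> int:
    """frisco's expansion: every word plus its misspellings counted as separate entries."""
    return words * variants


def random_word_bits(words: int = OED_WORDS) -> float:
    """Entropy added by appending one uniformly chosen dictionary word (~17 bits)."""
    return bits(words)


def misspelling_bits(variants: int = VARIANTS_PER_WORD) -> float:
    """Entropy added by picking one spelling of a word the attacker already
    expects (lotharbot's ~1.5 bits)."""
    return bits(variants)


def phrase_bits(n_words: int, random_words: bool, misspelled: bool,
                words: int = OED_WORDS, variants: int = VARIANTS_PER_WORD) -> float:
    """Entropy of an n-word passphrase under a simplified model (assumption for
    illustration): random_words=False means the attacker can predict the words
    of the grammatical phrase, so only spelling choices contribute."""
    per_word = random_word_bits(words) if random_words else 0.0
    per_word += misspelling_bits(variants) if misspelled else 0.0
    return n_words * per_word


def misspellings_to_match_one_word(words: int = OED_WORDS,
                                   variants: int = VARIANTS_PER_WORD) -> int:
    """How many misspelled (but predictable) words add as much entropy as one random word."""
    return math.ceil(random_word_bits(words) / misspelling_bits(variants))


if __name__ == "__main__":
    print(f"expanded dictionary: {expanded_dictionary():,} entries")
    print(f"one random OED word: {random_word_bits():.2f} bits, one misspelling: {misspelling_bits():.2f} bits")
    print(f"10 predictable words, all misspelled: {phrase_bits(10, False, True):.1f} bits")
    print(f"10 random words, spelled correctly:   {phrase_bits(10, True, False):.1f} bits")
    print(f"misspelled words needed to equal one random word: {misspellings_to_match_one_word()}")
```

Note that log2 of the expanded dictionary equals the sum of the two per-word figures, which is frisco's "linear expansion in the exponent" stated in bits: it adds about 1.6 bits per word, not a multiple of the phrase's entropy.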

