Brainwallets and Why You Shouldn’t.

One of the most complicated aspects of Bitcoin and cryptocurrency security is that of maintaining your wallet security. Sadly, there is a lot of conflicting and non-intuitive information out there and it can be difficult to find information about what to do and how to remain safe.

One way of handling wallet security is through a method called brainwallets. In short, these are wallets that use a memorized word, phrase, or sentence to generate a secure key for an address.

Unfortunately, it’s not as easy as just coming up with a good phrase. To understand why, you need to understand a bit about wallets, addresses, and keys. Don’t worry, it won’t be very complex, and I’ll write a more extensive article later on deeper details.

Wallet and Key Primer

The first thing you need to know is that a wallet, in cryptocurrency terminology, is more like a collection of addresses than a store of money. It is the addresses that store the coins, not the wallet. The wallet is really little more than a list of the private keys for those addresses.

Each address is a unique string of characters that is derived from a public key. It is not the public key as such, but rather the result of some mathematical juggling.

At this point, you may be wondering what these private and public keys are, so let me give you a brief overview.

Modern cryptography often utilizes a private and public key pair. The two keys in a pair are linked so that a certain public key always corresponds to a certain private key, but in such a way that knowing one part of the pair does not give you the other part.

For example, and very simplified, let’s say you have a public key ABC that corresponds to the private key DEF. You can validate that the key DEF corresponds to ABC and the other way around, but you cannot find DEF simply by looking at ABC.

In fact, you want people to have your public key in many situations. You can share the public key with anyone as long as you keep your private key, well, private. This is essentially what you are doing when you publish your cryptocurrency address, although it’s technically difficult to get from a Bitcoin or Dogecoin address to a public key.

By sharing your public key, or really the address derived from your public key, you accomplish two things. First, you allow people to send coins to your address, which at least in my book is a very compelling goal. Second, you create the ability to sign messages using your private key so that anyone can verify that you control the address. This allows you to send coins as well.

Note: You can even use this in reverse to create encrypted messages that only whoever has the private key can open, but that’s for another article.

Having the private key part of a public/private key pair means that you can use the key DEF to sign a message, and anyone seeing that message can, knowing the ABC public key, verify that it was indeed signed with the corresponding DEF key without knowing what the DEF key really is.

Note: Signing a message is really just creating a unique sequence of numbers or signature as it is usually called, using the private key and the message. Because the private key DEF always corresponds to the public key ABC, anyone who knows the ABC key can verify that it was indeed signed with the DEF key, again without knowing the DEF key.

Cryptocurrencies utilize this key pair method too by creating a unique address derived from the public key ABC. The private key DEF remains in your care, and this is what you need to guard to care for your wallet security. Your wallet essentially contains the private keys for any address (and thus public key) you have added to your wallet.

Anyone who knows the public key can verify that a message, such as a transaction, was indeed signed by the private key that corresponds to that public key. So, as long as you control the private key corresponding to the public key used to generate the coin address, nobody but you can sign a message that sends money elsewhere using that address.

So, with that primer out of the way, let’s look at brainwallets and why they are a bad idea.

Brainwallets: Just Say No!

Every transaction in Bitcoin, Dogecoin, Litecoin, or any cryptocurrency relies on two keys only: the public key, used to generate a coin address, and the private key, used to sign messages to control the coins held by that address.

This is what creates the semi-anonymous nature of cryptocurrencies. Nobody knows who controls the private keys, and whoever controls the private keys controls the money. There are no other identifying properties such as address names, usernames, passwords, or anything like that. If you have the private key, you have everything you need.

However, remembering a private key can be very difficult. Here’s an example of a private key:

5KJvsngHeMpm884wtkJNzQGaCErckhHJBGFsvd3VyK5qMZXj3hS

This key corresponds to the address 1JwSSubhmg6iPtRjtyqhUYYH7bZg3Lfy1T, which is a fairly well-known and quite insecure address used as an example for a brain wallet.

Instead of trying to remember the private key, or having to keep it secret and possibly losing the medium used to store it, a brainwallet instead uses a phrase or sentence that is much easier for people to remember.

The above example is the brainwallet key for the phrase “correct horse battery staple” which is from a well-known XKCD comic that explains an aspect of passphrase security called entropy.

A brainwallet uses similar cryptographic number crunching to turn that phrase into a private key for a cryptocurrency address. Seems genius, right? You don’t need to memorize any cryptic strings and you don’t even need to store your wallet or private keys anywhere. Simply remember the passphrase and you’re golden; you can always recreate the private key from the passphrase.
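As an added example (not from the original article), here is that "number crunching" spelled out in Python for the classic brainwallet scheme, which I assume to be the one used for the key quoted above: the private key is simply SHA-256 of the passphrase, then encoded in Wallet Import Format (mainnet, uncompressed, 0x80 prefix) with Base58Check. It reproduces the key for "correct horse battery staple", decodes it back to check the checksum, and contrasts it with a key drawn from the operating system's random generator; deriving the address itself (secp256k1 plus SHA-256/RIPEMD-160) is left out.

```python
import hashlib
import secrets

# Bitcoin's Base58 alphabet (no 0, O, I or l, to avoid visual confusion).
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def _checksum(payload: bytes) -> bytes:
    """Base58Check checksum: first 4 bytes of SHA-256(SHA-256(payload))."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def base58check_encode(payload: bytes) -> str:
    """Append the checksum and encode as Base58; each leading zero byte becomes '1'."""
    data = payload + _checksum(payload)
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58[rem] + out
    leading_zeros = len(data) - len(data.lstrip(b"\x00"))
    return "1" * leading_zeros + out


def base58check_decode(s: str) -> bytes:
    """Inverse of base58check_encode; raises ValueError if the checksum is wrong."""
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    data = b"\x00" * (len(s) - len(s.lstrip("1"))) + body
    payload, checksum = data[:-4], data[-4:]
    if _checksum(payload) != checksum:
        raise ValueError("bad Base58Check checksum")
    return payload


def brainwallet_private_key(passphrase: str) -> bytes:
    """Classic brainwallet scheme (assumed here): the 32-byte private key is just
    SHA-256(passphrase). Same phrase in, same key out, for anyone who types it."""
    return hashlib.sha256(passphrase.encode("utf-8")).digest()


def to_wif(private_key: bytes) -> str:
    """Wallet Import Format for a mainnet key with uncompressed public key: 0x80 || key."""
    if len(private_key) != 32:
        raise ValueError("private key must be 32 bytes")
    return base58check_encode(b"\x80" + private_key)


def wif_to_private_key(wif: str) -> bytes:
    """Decode a mainnet uncompressed WIF string back to the raw 32-byte key."""
    payload = base58check_decode(wif)
    if len(payload) != 33 or payload[0] != 0x80:
        raise ValueError("not an uncompressed mainnet WIF key")
    return payload[1:]


def random_private_key_wif() -> str:
    """The contrast case: a key nobody chose, drawn from the OS CSPRNG, so there is
    no phrase that a second person could ever type in and reproduce."""
    return to_wif(secrets.token_bytes(32))


if __name__ == "__main__":
    key = brainwallet_private_key("correct horse battery staple")
    print("SHA-256:", key.hex())
    print("WIF    :", to_wif(key))  # 5KJvsngHeMpm884wtkJNzQGaCErckhHJBGFsvd3VyK5qMZXj3hS
    print("random :", random_private_key_wif())
```

Any change to the phrase, even a trailing space or a capital letter, yields an unrelated key, which is why a half-remembered passphrase is as useless as a wrong one.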

But there’s a problem.

A Brilliant Idea Tainted

Because the only thing you need to get access to funds is the private key, and the passphrase can be used to recreate the private key, you end up with a situation in which anyone who uses the same passphrase as you will get the same private key.

The above example, using “correct horse battery staple” is an example of this. It is a common phrase that, while easy to remember, is also known to everyone and also fairly easy to guess.

In short, you end up with a security solution that relies solely on a passphrase that must be globally unique and extremely difficult to guess to have any meaning.

The XKCD comic is still right, but not in the case of cryptocurrency and wallet security. In a website login, a passphrase may work fine because you can add a bit of difficulty by having to combine the username and the passphrase, but also because you cannot simply brute force a billion attempts every second to try to log in using every conceivable combination of words. The server would either overload or there would likely be some kind of lockout after a few failed attempts.

With cryptocurrencies, however, you can try combinations of words as many times as you want. You don’t log in anywhere; you simply create a private key from the combination of words.

To create a secure brainwallet, then, you need to have a passphrase that is guaranteed to be unique and very difficult to guess.

You may think you can outsmart the system by using something that is unique to you. For example, add your spouse’s middle name to your phrase to create something like “correct horse denise battery staple”. However, you’d fail on the ‘difficult to guess’ part, and you’d fail in the globally unique part because, well, other people have spouses named Denise too.

You may use a longer passphrase but again, with the power available to modern computers these days, trying billions of combinations takes seconds at most, and if the attacker knows even basic information about you, such as the languages you use, your family names, your birthdates, and so on, it wouldn’t take very long to outsmart you by simple brute force.

Even if you managed to find a unique and difficult to guess passphrase, you’re still stuck with a couple of problems.

One such problem is that you also need to remember the passphrase. The longer the passphrase, the more difficulty you’ll have remembering it.

Note: Writing it down is… not good.

“Great,” you think, “I’ll use the first paragraph of the national anthem” and you’d fail in the difficult to guess and globally unique aspects again. “So, what about the combined names of all my kids, my parents, and my own, in random order?” For a password, it would be great, but for a brainwallet, it is not sufficient.

But let’s give you the benefit of the doubt and hope you remember your 28 word passphrase perfectly, and that it is both difficult to guess and globally unique.

Now you need to remember such a passphrase for every unique address you control. In cryptocurrencies, new addresses are cheap and used extensively. I’ve had hundreds if not thousands of unique addresses in just the year or so I’ve been involved with cryptocurrencies, and remembering a passphrase for even a fraction of these would be impossible. And I do have a great memory.

So, Any Good News?

You may think that based on what you’ve read so far, brainwallets have no use at all. That’s not entirely true, but like any tool, you need to know in which situation it makes sense to use it, and not try to force the situation to fit the tool you want to use.

For example, in cold wallet strategies, having a brainwallet may work great. Rather than storing the private keys in clear text, you can store a passphrase as part of something else. For example, you can put a book in a safe, and remember that the passphrase is the second paragraph on page 238. Whoever breaks into the safe won’t know the secret to finding the passphrase, and you just need to remember a few items of data. It isn’t practical for everyday use, but then again, the purpose of cold wallets is to be long-term storage, not day-to-day payments.

Note: I’ll write about cold wallets and cold wallet strategies in a later article.

For most normal uses, however, brainwallets aren’t as cool as they initially sound, and you need to be very careful before you rely on them for your security. With the knowledge you’ve gained here, though, you may be better able to determine when to avoid them and how they may be used as part of an overall security strategy.


.b

7 thoughts on “Brainwallets and Why You Shouldn’t.”

  1. Thanks for taking the time to write this easy to understand article. Brainwallets sound cool and seem to be promoted online as a cool way to store your bitcoin, until you hear about people who used a ‘brainwallet’ and found every bitcoin got stolen. Bitcoin users need to be aware of the facts and the risk of losing their money!

  2. I am a big fan of brainwallets.

    I like the idea of chaining chronological life events, no matter how trivial, as long as they are memorable enough.

    For example, let’s say I remember all of the cars I’ve owned, in chronological order, make model and year:

    1980 Mercedes 500SL
    1984 Ferrari Testarossa
    1986 Chrysler LeBaron
    1995 Nissan 200SX
    1993 Ford Lightning
    1994 Toyota Corolla

    (I never owned these, this is just an example)

    My Brainwallet passphrase could be:

    Mer50080FerTes84ChrLeB86Nis20095ForLig93ToyCor94

    I could make this the only one I want to remember, so I can append today’s date and make note somewhere that I made a brainwallet that day, creating a 56 character passcode that’s dead simple to remember, and nobody else can possibly guess without lots of hints and detailed knowledge of my life.

    Once I have this passcode committed to memory, I can append new stuff. Maybe I want to double the size of the passcode, using history of past girlfriends or brands of toothpaste I’ve used, or whatever….
    ___________________________________

    Advantages: Super easy to remember, yet secure; portable; indestructible under most ordinary circumstances; you can’t easily misplace it; no need for a persistent wallet file — funds are swept to the brainwallet when transactions are done.

    Disadvantages: Probably not the best route for Alzheimer patients (although many still vividly remember childhood experiences — YMMV); like any imported private keys, there is always the risk of keylogging — Live CD’s mitigate this risk; head trauma or death can kill access to your bitcoin — that’s kind of a big one. There’s options, though, including multisig. I see a lot of promise in multisig brainwallets.

    1. The main issue is that anything that you can deduce, others can deduce as well. And, unlike you, computers are insanely fast at compiling patterns from data. Because there’s no limit to the number of attempts at deducing a key, the combinations can be created blazingly fast.

      Gathering information about you is a trivial matter for anyone determined enough. In your example, there are public records of your cars and I’m sure you’ve told your friends which cars you’ve owned and I’m also sure your friends like a beer or fifteen and can be persuaded to disclose that information.

      Even if the attacker had no idea you were using cars, the overhead of including cars, addresses, birthdates of relatives, and so on, is trivial. Your ability to remember or create patterns is infinitesimal compared to that of a computer. You’re competing against machines at what machines were built to do and you’ll lose every time.

      The only situation in which you are out of the picture is where, well, you’re out of the picture. A key that you have no influence in creating and where you do not have trivial access to the key is the only situation in which you are ‘safe’ from directed attacks.

      Oh, and for random searches, there’s no difference between a 1 character and a million character long passphrase.

      Sorry :-/

      .b

        1. “Gathering information about you is a trivial matter for anyone determined enough.”

        Sure, but which information about me is relevant for my passphrase? In which way have I decided to organize this information? Spaces, commas, how many characters per event in the sequence? Most favorite to least favorite? Chronological or reverse chronological? I can pick one of many long passphrases which only have relevance to me. You would almost literally need to get inside my head first to have a clue where to begin.

        “Even if the attacker had no idea you were using cars, the overhead of including cars, addresses, birthdates of relatives, and so on, is trivial.”

        I disagree. Yes, you can potentially uncover lots of information about me, but you will have no clue how I built my passphrase from it, or from information not readily available about me.

        “Your ability to remember or create patterns is infinitesimal compared to that of a computer. ”

        I’m not disputing that. That said, it can be very difficult to commit to memory a typical private key to use as a Bitcoin address. Also, I don’t see paper wallets as particularly safe compared to brainwallets. If someone has a copy of your paper wallet, it’s all over. Aside from paper wallets, computer generated keys might have randomness issues, and computer wallets can get corrupted, copied, or crash with the hard drive. I believe that a secure brainwallet is superior to a computer generated random paper wallet in most cases, all things considered.

        1. Let me put it in perspective.

          Let’s say you are extremely fast and use one second to come up with a unique combination of facts about your life. If you did nothing else, it would take you 33 years to come up with 1 billion combinations. If you worked only 8 hours a day at this, it would take you 100 years.

          With a basic computer today, you can create a billion combinations in a second. 24/7, at a power cost of less than a bright lightbulb.

          The main issue is your lack of creativity. No, not you personally, you as a human. You need to create something that has a system so you can remember it. Your mind doesn’t remember more than 4-7 things depending on complexity and then you have to start creating systems to keep it intact. Those systems are based on things you know already; it is extremely difficult to remember new things having no correlation to previous experience. As such, once I know enough about you, the facts of your life are now trivial numbers that can be tested at blazingly high speeds.

          Oh, and I’m assuming you realize that a brain wallet isn’t really a wallet but an address only? As such, you need to change your system if you need multiple addresses.

          In fact, you’re probably much better off using a much simpler system. Adding complex rules means they need to be systematic enough for you to remember and learn, and the farther you move in that direction, the farther you get into the playground of computers. Pick six random 6-letter or more words, and you’ve got a passphrase far more secure than your suggestion. The XKCD comic linked above explains why.

          There’s one thing in your favor, though. You’re not that interesting. And no, it’s still not you as a person, but you as a human. Nobody is going to spend a year becoming your closest friend to extract information and then build a system that can combine those facts into possible keys over a few years, just to rob you for a few thousand dollars.

          As such, you’re more than safe enough with far less elaborate passphrases than you suggest, especially considering all the other targets that are more tempting than you. I heard MtGox recently ‘found’ a couple of hundred million dollars lying around, for example. Now _that_ brain wallet would be worth some research into Mark Karpeles’ background.

          .b

          1. “With a basic computer today, you can create a billion combinations in a second. 24/7, at a power cost of less than a bright lightbulb. ”

            True. Yes, it would take a computer much less time to brute force combinations than a human being could. That said, it would still take an extremely long time for a computer to duplicate my string of 40+ letters, numbers, and symbols — many, many orders of magnitude longer than an average human lifespan.

            “once I know enough about you, the facts of your life are now trivial numbers that can be tested at blazingly high speeds.”

            Absolutely true again. Still, which facts are relevant to a given passphrase, in what order, and in what format? Am I using spaces between them, or some other delimiter? Am I using delimiters at all? Am I expressing these facts as one-letter, two-letter, three-letter, four-letter, or full words? Am I deliberately leaving certain information out? Am I using a combination of information known only to me? Am I mixing private and public information? Only I know for sure, and at 40+ characters, it’s going to take a very long time for even the fastest computer to search even half of the relevant space.

            As per my example above, I used no full words, so a dictionary attack is useless. Someone would have to know my car history, know that I used it as a passphrase, and know that I used a three-letter make/model combination, plus a numerical 2 digit year. I could easily have chosen a completely different format instead, appended or prepended a simple password, or decided to use the resulting private key as part of a second-gen passphrase for yet another private key. Lots of options for the paranoid among us. Warpwallet ups the ante further.

            “There’s one thing in your favor, though. You’re not that interesting. ”

            Indeed.

            “I’m assuming you realize that a brain wallet isn’t really a wallet but an address only?”

            Yup. You can reference the contents of the address using Blockchain, for example. You can create a spend transaction using the Brainwallet.org transaction tab and sending it to Blockchain as well.

            Alternately, you can use a wallet client and import the brainwallet when it’s time to spend, then sweep the funds into another brainwallet when the spending is done.

            “you need to change your system if you need multiple addresses.”

            It’s fairly simple to generate any number of sub-addresses from a given passphrase, either by appending a date, or re-feeding the private key into a new passphrase, or some other combination of things. If the original passphrase is secure enough, then its children should be secure enough as well.

  3. The discussion above is interesting enough and I boldly agree with the author of this blog. I wonder why people think an attacker will target you to guess your brainwallet phrase. As long as the value of the money transaction is involved, who cares who the owner of the money I am trying to steal is?

    If I ever wished to get some free BTC out of some weak wallet, I would start with some common random passphrase guesses that may be used by most general people, starting with some popular dialogue with historical years, cars, cities, countries, common names etc. as input to calculate private keys, to check if those have any BTC/altcoin value stored in them… Seems more profitable than mining Bitcoin itself if I am lucky enough. Who knows, some lazy or even over-smart guy just put 1k of BTC temporarily on the way home thinking it may be transferred to another wallet after dinner!! Can anyone believe I still find some online machines having root/root123 or admin/adm123 type passwords, lots of them, seriously ;)
