Users mostly can't be trusted to produce reasonably constructed 8 character passwords even when there are complexity requirements. So it's rather surprising to hear that now it's a good idea to fully derive the key protecting your spends like cash edollars based off of a pass phrase that's simple enough they feel comfortable committing it to memory. Hint: you'll find a significant number of pass phrases if you brute force with only phrases out of popular books people will have lying around. You don't even need to wait for them to make their key first - since this is effectively unsalted go ahead and generate your bitcoin brainwallet rainbow tables ahead of time. Then just set your bot to watch for keys in use that you've previously generated. Hell, consider that this is effectively like having a website that only asks for pass phrase for login and no username - given how many people pick password1 as their passwords you're almost sure to see people colliding accidentally with the first 16 words in their favorite psalm or chapter 6 of the twilight book.
It's really easy to keep your keys secure and off disk and still be able to use great entropy - they're called smart cards.
You're right, but I think you miss the point of this article.
The point is that one could store in his brain all the information needed to pay and receive any amount of money, without needing any extra storage device.
Because this money is Bitcoins, and because they are not stored anywhere, it technically means that all your money, all your wealth, resides in your brain - hence the title "Brainwallet".
This is a fascinating thought experiment, but not an assessment of the most secure way to store money.
I still remember a disused http://world.std.com/~reinhold/diceware.html passphrase I generated some ten years ago. Even though it's gibberish, using whole words seems to help a lot.
pass phrases do provide a better source of memorable entropy as compared to traditional passwords, but look at the result the comic comes up with. In this context, where the pass phrase isn't associated with a user name and the "hashes" are globally published pass phrases made up of four common English words would be relatively trivially brute forceable.
Also note that most people following similarly given instructions would actually construct a pass phrase in the form of "subject adverb verb predicate" or "subject verb adjective predicate" or a few other constructions, dramatically reducing the implied entropy of the phrase.
This passphrase-for-a-chain-of-private-keys idea is a nice one, and it lends itself to a bunch of privacy-related plausible deniability scenarios.
In crypto (especially when there's money involved) it's typical to imagine attackers with lead pipes and your knees in the mix; it's nice to imagine you could 'crack' and give up your stash, except it's not really your stash, it's just a little stash.
There are a bunch of other security factors at work here, though. Consider that you need to have a computer you KNOW does not have a keylogger on it, for instance.
The loss vectors for Bitcoin historically have been
a) Client bugs
b) System password attacks
c) 'errors' or theft by plausibly denying operators
These actually can all be mitigated, but not well with current systems. The master generator password is a good addition to the toolkit, but it's not going to be sufficient. So, let's not forget that cool crypto is as strong as its weakest link.
I've been considering how you'd safely allow frequent $1mm+ transactions with Bitcoins recently, and my list involves an unplugged from the net computer, a faraday cage and a professional auditor from one of the big four.
So when are we going to see dedicated Bitcoin hardware? Most of the security problems with Bitcoin arise from using the software on general purpose computers, which don't mind if arbitrary processes examine the memory of the Bitcoin client. Trusted Platform Modules and smartcard chips, on the other hand, can encrypt incoming data without leaking the private key. You'd only need a couple thousand more gates (WAG) to run Bitcoin on secure silicon.
In fact, this is such a patently obvious insight that someone else must have thought of it already.
There have been discussions on the forum, but nothing serious. (There's specialized Bitcoin mining hardware, but we're talking about wallet storage here.) I don't think a smartcard is really enough; you need something like the IBM ZTIC, and it's not clear that people are willing to pay for that. There was some discussion about using trusted computing: https://bitcointalk.org/index.php?topic=67508.0
It's more than that, though -- the bitcoin private key isn't _encrypted with_ the passphrase, it's _generated directly_ from the passphrase. So there's no data on disk; only data in your mind.
It's a passphrase to autogenerate keys deterministically according to an algorithm. Once you finish using the computer, you can just destroy the keys or even destroy your computer.
Seemingly random modifications of the phrase would aid in strengthening brainwallet, such as “I went seeking freeeedom, but all the world’s issslands were alreaDy taken.” These simple changes make the entire phrase very difficult to predict.
No they don't! Probability does not work that way!
Yes it does. A priori, P("freeeedom") << P("freedom"). This decreases the probability that an attacker will stumble across your passphrase using anything other than a pure brute-force approach (more on that below). Further, though not completely what you're talking about, English has huge amounts (~50%) of redundancy in its structure. It's a tremendously easier problem to attack the passphrases with knowledge of the statistical structure of English, if that's actually a good assumption to make. For example, the prior probability of an unknown word in a sentence being "freedom" is X, but when you know that the three preceding words are, "I went seeking", the probability of the unknown word being "freedom" becomes Y > X. Beyond misspellings, reordering words (say, German-style verb inversion) might also be effective in thwarting this compression while still being easy to remember. [1]
If you want to brute force your way through, sure, there's no difference in the example sentences given. Brute force is a totally ridiculous proposition given the length of the secret involved [2], though, so you're banking on people preserving language structure to aid in memorization to constrict your search space. Otherwise you're basically screwed (not that you aren't basically screwed anyway if the sentence is really not derived from literature and 10 words long).
The error is in assuming that applying a simple permutation to a word increases the entropy by a meaningful amount. Capitalizing a letter, substituting a symbol, moving your hand's position on the keyboard, or repeating a letter are common things to do. A dictionary word that has had one of these things done to it, for purposes of password strength, is still a dictionary word.
People commonly think they are being random when they modify their passwords, but in point of fact, they are doing the same thing as everyone else. You cannot ever trust yourself to be random; the only things you can trust to be random come out of random number generators.
That is why I say probability does not work that way. In order for a modification to make a password or phrase meaningfully secure, it must come from a genuinely random source with a large number of live outcome possibilities. Mutating a phrase in a clever, original way that everyone else uses is pointless. It does not make the passphrase "very hard to predict". It makes it "slightly less hard to predict than it was, which was not very hard in the first place."
Fundamentally, "probability does not work that way" in the sense that just because the outcome looks random and the process feels random, that doesn't mean it is.
> Capitalizing a letter, substituting a symbol, moving your hand's position on the keyboard, or repeating a letter are common things to do. A dictionary word that has had one of these things done to it, for purposes of password strength, is still a dictionary word.
For single-word passwords it can be approximated this way. However, for anything longer, especially a natural language sentence, misspellings make a big difference.
The OED documents 171,146 words in active use. Assume that every word has at least two simple misspellings. Suddenly your dictionary becomes 513,438 words big. This is a linear expansion, but it's in the exponent since you're taking permutations. That's a big deal. Some misspellings may be much more common than others, so you can bias your dataset accordingly, but it's still a huge expansion.
> You cannot ever trust yourself to be random; the only things you can trust to be random come out of random number generators.
This is true, but neither really here nor there. The entropy of the passphrase is already so great, and then is expanded exponentially with the addition of misspellings and substitutions, even if the distribution of those is biased.
> "for anything longer... misspellings make a big difference."
The question to ask is, how big a difference? Put another way, how many bits of entropy do your misspellings generate?
In your above example, where each word has 2 common misspellings, each misspelling gets you ~1.5 bits of entropy. For comparison, adding another randomly selected OED word gets you just over 17 bits of entropy. If we're talking about making meaningfully stronger passwords, making a grammatically correct phrase and then adding misspellings (what the article calls "seemingly random modifications") is a less effective strategy than simply using a series of actually-random words from the OED.
It's better to add entropy 17 bits at a time (whole words) than trying to add entropy piecemeal, 2 bits here and 3 bits there (misspellings, punctuation).
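The arithmetic behind the two comments above (the 171,146-word dictionary growing to 513,438 entries, and "~1.5 bits per misspelling versus ~17 bits per word"), as an added example that is not part of this thread. It assumes, as the thread does, that words are drawn uniformly from the dictionary and that each word has exactly two equally likely misspellings; the guess-rate figure is a constructed placeholder.

```python
import math

# Figures quoted in the thread.
OED_WORDS = 171_146
MISSPELLINGS_PER_WORD = 2  # "at least two simple misspellings" per word

# Constructed placeholder rate, only to turn bits into a rough time scale.
GUESSES_PER_SECOND = 1e9


def bits_per_word(dictionary_size: int) -> float:
    """Entropy of one word chosen uniformly from a dictionary of that size."""
    return math.log2(dictionary_size)


def expanded_dictionary_size(dictionary_size: int, misspellings_per_word: int) -> int:
    """Each word plus its variants: 171,146 * 3 = 513,438, the figure in the thread."""
    return dictionary_size * (1 + misspellings_per_word)


def bits_per_misspelling(misspellings_per_word: int) -> float:
    """A word is correct or one of its variants, chosen uniformly: log2(1 + variants)."""
    return math.log2(1 + misspellings_per_word)


def phrase_bits(n_words: int, dictionary_size: int = OED_WORDS,
                misspellings_per_word: int = 0) -> float:
    """Entropy of a phrase of n independent random words, optionally misspelled."""
    return n_words * (bits_per_word(dictionary_size) + bits_per_misspelling(misspellings_per_word))


def compare_strategies(n_words: int) -> dict[str, float]:
    """Bits gained by misspelling every word of an n-word phrase vs. by adding one more word."""
    base = phrase_bits(n_words)
    return {
        "base": base,
        "gain_from_misspelling_all": phrase_bits(n_words, misspellings_per_word=MISSPELLINGS_PER_WORD) - base,
        "gain_from_one_more_word": phrase_bits(n_words + 1) - base,
    }


def expected_seconds_to_guess(bits: float, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Expected search time (half the space) for a uniform secret with that many bits."""
    return (2 ** bits) / 2 / guesses_per_second


if __name__ == "__main__":
    print(f"bits per OED word:        {bits_per_word(OED_WORDS):.2f}")
    print(f"bits per misspelling:     {bits_per_misspelling(MISSPELLINGS_PER_WORD):.2f}")
    print(f"expanded dictionary size: {expanded_dictionary_size(OED_WORDS, MISSPELLINGS_PER_WORD)}")
    for n in (4, 6):
        c = compare_strategies(n)
        print(f"{n} words: {c['base']:.1f} bits; misspell all +{c['gain_from_misspelling_all']:.1f}, "
              f"add a word +{c['gain_from_one_more_word']:.1f}")
```

Note that the "linear expansion, but in the exponent" remark and the per-misspelling figure describe the same model: log2(513,438) is exactly log2(171,146) + log2(3), so misspelling every word of a four-word phrase adds about 6.3 bits, while a fifth random word adds about 17.4. Neither number applies to a grammatical sentence, whose words are far from independent.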
Attacks against this type of phrase will almost certainly use dictionaries for the next decade, until it becomes practical to do rainbow tables of size 64^76. So adding elements to avoid dictionary words definitely helps (for now).