Passwords for Brain Wallets

SuperSecretDude · October 18, 2017, 10:08pm

I have bought a few NEM coins and want to transfer them from an exchange to a wallet. Unfortunately, things are not easy, because using Google you can generally find lots of stories. And quite a few opinions. And everything is scary…

Personally, brain wallets sound fantastic to me. You just need to remember how your fantastic password is being constructed. Unfortunately, research also let to a thread called ‘Please, stop using brain wallets!’

In it was also this:

Someone else said:

Okay, scary. But what is a VERY GOOD and STRONG password? And when having one, are brain wallets really evil?

Let’s say I come up with the following: one of the ten commandments in Finnish, Mother Teresa’s birthday and a very smart dude from Cameroon glued together. So, I am not a security expert at all, that is why I am asking here, but can such a construction be considered super safe for a brain wallet? Or am I still getting something completely wrong???

+aelkoeoensinullaolkomuitajumaliaminunrinnallani++26081910 +++AchilleMbembe++++

CryptoBeliever · October 17, 2017, 10:39pm

Why you don’t want use simple wallet? Simple wallet is best in my opinion. It’s secure and only thing what you really need to backup is your private key with is 64 chars. Of course you need also have password for wallet file but it’s not required to be so strong because first hacker need have access to your computer and get wallet file from disk.

On other hand for brain wallets private key is generated only from password. If any user use the same password then he has access to your wallet. They don’t need have access to your computer. Just generate random passwords and check if exists wallet with not empty balance related with this password.
This is why brain wallets are less secure and brain wallets with simple password are extremely unsecure.

SuperSecretDude · October 18, 2017, 6:49am

Yes, I really need to backup a private key that can be stolen, found, burn, robbed, lost etc. Also, that’s how I understand things so far, having a simple wallet’s private key a file is not needed, either. And a key with 64 chars is really hard to remember.

Now to create a password for a brain wallet I have written a Python script. In that script I have comments/hints so that I always remember where to put what. So, you cannot just run that script to get my pass phrase. (For the example I gave above, I would need to paste a “+”, the commandment, the date, and the name. Then the script glues things together.)

The good thing is, that I can have such a script/hint like everywhere. I can even give it to you. I could post it here. You would, of course, still not be able to use it to create the same password it will create for me.

Obviously, when using e.g. a script to construct (and help me remember) a proper password, a brain wallet can have lots of advantages. Because nobody can find a backed up private key. Which in my opinion is a simple wallet’s biggest downside. (When I find your private key, why should I take the money now?)

Still, because I am not a security expert, the one big question remains: When can a password for a brain wallet be considered VERY GOOD, STRONG, SMART, etc. I mean, when does simply “guessing” every private key out there become as simple as guessing my brain wallet’s pass phrase?

mizunashi · October 18, 2017, 9:27am

Hello.

If such a request is made, we will not oppose using Brain wallet.
This original article is a warning for those who use Brainwallet without understanding.
Even today, the password of more than 50 account addresses are known on 1 day.
Some have already hacked, others have found 3 million XEM or more accounts.

Recently, there was a change in code to forcibly create with more than 40 letters for brain wallet users with less than 40 characters.
Even a brain wallet with more than 40 letters whose setting was changed under that condition, a new password has been broken.

I think that you think that it is a measure to secure safety to the utmost and ensure safety for general users.

Brain wallet can secure security if used properly.
As you understand that point, please use it at your own risk.

Consider the password shown in the example.
+aelkoeoensinullaolkomuitajumaliaminunrinnallani++26081910 +++AchilleMbembe++++

First of all, 26081910 and AchilleMbembe already exist in attack dictionary.
Therefore, security is considered to be lower than the apparent length.
However, since we have secured certain security with the first alphabet (I do not know if there is something regular), it seems that there is no problem as a whole.

If Phyton Script generated this, I think it would be better to modify it to generate more complex code.

Thank you.

SuperSecretDude · October 25, 2017, 6:47pm

This was just an example anyway. But I have improved things now and ended up having something that has simple, memorable input but gives complex output that pretty much looks like a very long private key. So, I hope this will be as difficult to guess than every private key out there…

Thank you!

mizunashi · October 25, 2017, 6:55pm

About Brain wallet:
Depending on the software, the 20 word string exceeds the entropy of the secret key of BIP 32 or NEM.
If it is a random character string using lowercase letters, uppercase letters, numbers, and symbols, entropy of the secret key of NEM is reached with 39 letters (in case of truly random).
A password with entropy larger than the secret key does not have a real meaning, but it can be said to be the best security measure.

Thank you.