What if the brain wallet is just a memorable private key itself?

2

A brain wallet usually applies a hash function on a passphrase to derive the private key. But what if the private key itself is memorable and we just use the private key as the brain wallet?

For example it is very easy to memorize this private key:

Private key: 5JustSomeVeryEasyToRememberBitcoinPrivateKeyWALEmag
Address: 1GtAW7vntpij1q8Mqi3FQw8R1gAd9rnRV4

uminatsu

Posted 2014-03-13T17:55:44.967

Reputation: 1 061

Answers

3

A series of random words (not a sentence!) long enough to use as a secure key should be about 12 words long, which could be around 100 characters long (figuring they're fairly long, 7-8 average, with a space in between). This gives you 2^128 combinations that you might have to try to crack your password, which might take about 1 billion billion years.

A private key, in base 58 format, is 51 characters long. Your idea of using a 51-character sentence as a private key would probably give about 51 bits of entropy (English is around 0.6 to 1.3 bits per character), which could be cracked in about 12.5 seconds.

Tim S.

Posted 2014-03-13T17:55:44.967

Reputation: 4 159

2

If it is easy to remember, it is almost certainly easy to guess.

And by guess, I don't mean a single person trying a few sentences in some time. I mean exposing yourself to a brute force attack by the entire world (the block chain data is public), for eternity.

Pieter Wuille

Posted 2014-03-13T17:55:44.967

Reputation: 54 032

I agree and the example I gave is probably too obvious. But maybe a randomly chosen sequence of words followed by a checksum is strong enough?

Consider this example: 5HumanPerfumeLatticeDeceiveCementRuneHydrogenDGA1s5uminatsu 2014-03-13T18:11:34.770

2If you're doing that, you might as well remember seven words generated at random and hash them with a standard algorithm to generate the key. It would take less effort than remembering the checksum.Diego Basch 2014-03-13T18:59:47.800

Pretty much anything a human can even come up with (except when using diceware, ...) has only a fraction of the entropy that is assumed by the cryptography.Pieter Wuille 2014-03-13T19:28:49.973