@gavinandresen
Created October 5, 2012 14:57
brainwallet brain dump

DO NOT USE A BRAINWALLET! YOU ARE LIKELY TO LOSE YOUR COINS!

These are half-baked thoughts.

IRC discussion: http://bitcoinstats.com/irc/bitcoin-dev/logs/2012/10/05#l4591669

Brainwallet braindump

Humans are pretty bad at being original. REALLY bad at being random. And we are terrible at comprehending huge numbers.

So if you ask the average person to create a secure passphrase, they're very likely to create something that a "determined attacker" with a lot of computing power can crack.

If you're protecting something like your Facebook account that's not really a big deal; the typical Facebook account is worth maybe a few pennies (if you're famous then your account is worth more, and you should worry more). And an attacker has to first somehow get the (hashed, salted) Facebook password database before they can start trying to guess your passphrase.

The trouble with bitcoin brainwallets is that they are valuable and an attacker already has "the password database."

What do I mean? Well, to try to crack brainwallet passphrases an attacker would:

  1. Create a list of all of the bitcoin addresses that have a non-zero balance.

  2. Repeatedly generate bitcoin addresses from possible brainwallet passphrases, and see if any of them match the list created in (1).

Step 1 is easy. And attackers are getting better and better at step 2; they may have hardware capable of trying a hundred million passphrases per second, and have software that knows that a lot of people choose a passphrase that matches the pattern "I <3 {noun phrase}" ("I <3 butterflies and rainbows").

We're terrible at comprehending huge numbers; we underestimate how easy it is to guess our passphrase if the attacker can try hundreds of millions of possibilities per second.

With a brainwallet, it is like we are all celebrities. Even if you have only half a bitcoin in your brainwallet the attacker will find it if you have a weak passphrase because their passphrase-guessing algorithm is checking against everybody's brainwallet.

So: is it impossible for people to create a secure brainwallet? Passwords/passphrases don't work, because we share so much (popular culture, language, education); even when told "think of something nobody else will think of" we're likely to think of something similar to what lots of other people pick.

Here's a proposal for a brainwallet scheme that I think might be secure:

Create a secure brainwallet by combining:

Your Full Legal Name
Passphrase1
Passphrase2

So my secure brainwallet might be: "Gavin Anthony AndresenI have eleven hovercraft full of eels!Okey dokey: patches welcome."

The security of this scheme depends on how difficult the passphrases are to guess. It would be nice if I could pay somebody to tell us if we chose a bad passphrase, without telling them the passphrase.

Well, I can!

Create two 'sentinel' brainwallets, each secured by just one of the passphrases on its own. Send the bulk of my bitcoins to the secure brainwallet and send a few bitcents to each of the 'sentinel' wallets.

If I see the bitcoins in one of the 'sentinel' wallets get spent then I know some cracker somewhere managed to guess my passphrase, and I should choose a new passphrase, create new 'sentinel' and secure brainwallets and move my bitcoins.


Would an attacker who knows nothing about me in particular, but does know the scheme (Full Name/passphrase1/passphrase2) be able to crack my secure wallet?

Back-of-the-envelope for roughly how many combinations there are:

Name: say the attacker tries the 10-million most common names.
Passphrases: assume the attacker has to try 1 billion likely passphrases for each of the two before finding yours.

And let's assume the attacker invests in a massive amount of computing power and can try 10 billion combinations per second (a high-end GPU can do something like 10 million per second of the hash-then-ECDSA-multiply-then-hash operations it takes to test one brainwallet passphrase).

Do the math: it should take, on average, more than 10 million years to crack. Definitely secure enough.

But what if the attacker knows you have 1,000 bitcoins sitting in a brainwallet and decides to attack just you? That is 10 million times easier, so it would take them, on average, more than a year to get your 1,000 bitcoins. Not worth it, because it will cost them more than that to run their cracking hardware for a year to try to crack just your wallet.
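The arithmetic behind those two estimates, as an added example that is not part of the gist: the figures are the ones assumed above, and the keyspace is large because each of the two passphrases is drawn from the 1-billion list.

```python
# Added example, not part of the gist: the back-of-the-envelope above as code.
# All figures are the gist's assumptions, not measurements.
SECONDS_PER_YEAR = 365.25 * 24 * 3600

NAMES = 10_000_000             # 10-million most common names
PASSPHRASES_PER_SLOT = 10**9   # 1 billion likely passphrases, for each of the two
SLOTS = 2                      # Passphrase1 and Passphrase2
RATE = 10**10                  # 10 billion guesses per second for the whole attacker
GPU_RATE = 10**7               # ~10 million hash->ECDSA multiply->hash per second per GPU

def keyspace(names: int, per_slot: int, slots: int) -> int:
    """Combinations the attacker must be prepared to try: every name times
    every passphrase choice for every slot."""
    return names * per_slot ** slots

def expected_years(combinations: int, rate: float) -> float:
    """Average time to hit one specific wallet: the right combination turns up,
    on average, halfway through an exhaustive search."""
    return combinations / 2 / rate / SECONDS_PER_YEAR

def untargeted_years() -> float:
    """Attacker knows the scheme but not whose wallet they are after."""
    return expected_years(keyspace(NAMES, PASSPHRASES_PER_SLOT, SLOTS), RATE)

def targeted_years() -> float:
    """Attacker knows the victim's name, so the name factor disappears:
    the '10 million times easier' case."""
    return expected_years(keyspace(1, PASSPHRASES_PER_SLOT, SLOTS), RATE)

def gpus_for_rate(rate: int = RATE, per_gpu: int = GPU_RATE) -> int:
    """How many high-end GPUs the assumed 10 billion/second rate implies."""
    return rate // per_gpu

if __name__ == "__main__":
    print(f"keyspace:   {keyspace(NAMES, PASSPHRASES_PER_SLOT, SLOTS):.1e} combinations")
    print(f"untargeted: {untargeted_years():,.0f} years on average")
    print(f"targeted:   {targeted_years():.2f} years on average")
    print(f"hardware:   about {gpus_for_rate()} GPUs")
```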


Software that supports creating brainwallets should spend some time trying likely variations on your passphrase, and checking them against the blockchain to see if they're currently being used to store any bitcoins (or were used to store bitcoins at any point in the past). If they are/were, then it should tell you to choose another passphrase.

If there are unspent bitcoins associated with that passphrase, your software should also immediately send those bitcoins to your wallet. That is your way of letting the other person know they chose a bad passphrase, and your reward for letting them know they need to move the coins in their main brainwallet.

The more people using brainwallets that use this (or some similar) scheme, the better we should get at choosing secure passphrases.


PS to the techies: I'm glossing over a gazillion details. Probably the sentinel wallets should use something dead simple and fast:

private key = SHA256(passphrase)

... with the high-security brainwallet using something much harder to brute-force (scrypt/bcrypt based, perhaps) or https://bitcointalk.org/index.php?topic=102349.0
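A sketch of the scheme and its two checks (the "sentinel got spent" check and the "is this passphrase already in use" check that wallet software should do), as an added example that is not code from the gist. It assumes scrypt for the slow wallet with the full legal name as salt, and uses a constructed stand-in for the address derivation, which a real implementation would replace with the secp256k1 and Base58Check steps.

```python
import hashlib

# Added example of the scheme the gist proposes, not Gavin Andresen's code.
# Turning a private key into a Bitcoin address (secp256k1 multiply, hash160,
# Base58Check) is left out: stand_in_address() is a constructed placeholder.

def sentinel_key(passphrase: str) -> bytes:
    """Sentinel wallet: deliberately cheap, private key = SHA256(passphrase)."""
    return hashlib.sha256(passphrase.encode("utf-8")).digest()

def secure_key(full_name: str, passphrase1: str, passphrase2: str) -> bytes:
    """Main wallet: both passphrases through scrypt (the PS's suggestion), with
    the full legal name as salt so one guess only tests one person's wallet."""
    return hashlib.scrypt((passphrase1 + passphrase2).encode("utf-8"),
                          salt=full_name.encode("utf-8"), n=2**14, r=8, p=1, dklen=32)

def stand_in_address(privkey: bytes) -> str:
    """Placeholder identifier standing in for the real address; NOT a Bitcoin address."""
    return hashlib.sha256(b"stand-in-address:" + privkey).hexdigest()[:40]

def likely_variations(passphrase: str) -> set:
    """A handful of the normalisations guessing tools try (case, trailing
    punctuation, whitespace); real wallet software would try far more."""
    base = passphrase.strip()
    return {passphrase, base, base.lower(), base.rstrip("!.?"),
            base.lower().rstrip("!.?"), base + " "}

def passphrase_in_use(passphrase: str, ever_funded: set) -> list:
    """The check the gist asks wallet software to do: which likely variations already
    map to an address that has ever held coins. Non-empty means pick another one."""
    return sorted(v for v in likely_variations(passphrase)
                  if stand_in_address(sentinel_key(v)) in ever_funded)

def sentinel_tripped(passphrase: str, funded_before: set, funded_now: set) -> bool:
    """A sentinel that was funded and is now empty means somebody guessed its passphrase."""
    addr = stand_in_address(sentinel_key(passphrase))
    return addr in funded_before and addr not in funded_now

# Constructed scenario: somebody else already parked coins on "correct horse".
OTHERS = {stand_in_address(sentinel_key("correct horse"))}

def demo() -> dict:
    name, p1, p2 = "Jane Q. Public", "Correct Horse!", "eels in my hovercraft"
    before = OTHERS | {stand_in_address(sentinel_key(p2))}   # Jane funds sentinel 2
    now = OTHERS                                              # ...and it later gets emptied
    return {"p1_collides": passphrase_in_use(p1, before),     # ['correct horse']
            "p2_tripped": sentinel_tripped(p2, before, now),  # True
            "name_changes_key": secure_key(name, p1, p2) != secure_key("John Doe", p1, p2)}
```

The collision on passphrase 1 is what the gist's "choose another passphrase" warning would fire on; the tripped sentinel 2 is the signal to rotate and move the main wallet.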
