Why Brainwallets are great for cryptocurrency
I recently stumbled upon this tweet (please read the whole thread)

In this thread you may see a link to the Brainwallet.org story (https://github.com/brainwallet/brainwallet.github.io). That site was so popular that it became synonymous with the word “brainwallet”, which is wrong.
Brainwallet.org used a poor derivation scheme (a single round of SHA-256) and many of its users lost around 1800 BTC. However, brainwallet.org != brainwallet, just as blockchain.info != blockchain. This situation resembles racism: judging a whole race by one person.
I’m tired of explaining this fact, so instead I propose to call secure brainwallets passwallets. With this rebranding, brainwallets may earn back the trust of the community, and the reader will carefully review which derivation scheme is used instead of screaming “DO NOT USE BRAINWALLETS” right away.
Let’s review 3 ways wallets can be stored:
1. Unencrypted seed on paper
This is how Electrum and MultiBit HD greet a new cryptocurrency user. They tell you to write down 12 words. On paper. With a pen.
Imagine you come to a bank and instead of a shiny credit card they tell you to go get pen and paper to write down your credentials.
Not only is it easy to lose or to run through the wash with your clothes; anyone with one second of access to it can take a photo and steal everything right away (as long as they know anything about cryptocurrencies).
2. Encrypted wallet file
This method is employed by MultiBit (not the HD version), the original Bitcoin client and, for example, MyEtherWallet in the tweet above.
keypair = generateKeypair(entropy)
part1 = encrypt(keypair, part2)
There are 2 things you need to have in order to get the private key back (keypair = decrypt(part1, part2)):
- part1 — the encrypted wallet, which you have to store somewhere, typically a storage service like Dropbox or a USB flash drive.
- part2 — the password
If you lose either of them it’s game over. You have to take care of 2 pieces of data instead of just one as with a passwallet. Less is better. Nothing stops you from creating 12 passwords and storing them in every corner of your house… but please, don’t make users do so.
3. Passwallet
keyPair = scrypt(email, password, N=18, p=20 to 40).
Using the email as the salt prevents a global brute force and forces an attacker to target you@example.org specifically. N=18 requires quite a lot of memory, and p=20 takes about 17 seconds on a 2013 MacBook Pro. Not a particularly bad user experience either: during these 17 seconds you can show a slideshow of tips and tricks about cryptocurrencies.
All you need is that password. Not a password and an encrypted wallet. Just one of them. Security is the same, but the backup method is much more user friendly. Derivation takes less than a minute, and you do it once, when you create or import a wallet.
Yet it is nearly impossible to hack (namely, to brute force): no one has managed it against N=18, p=1 WarpWallet (see their challenges), and p=20 makes it 20 times harder. Even a top-1M password would be too expensive for an attacker to crack.
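The passwallet derivation from section 3, written out as an added Python example (not the post's own code, which it never shows). It reads the post's “N=18” as scrypt's cost 2^18, assumes the customary block size r=8, and the e-mail/password normalisation rule and the sample credentials are assumptions of mine.

```python
import hashlib
import time
import unicodedata

# Parameters from the post: scrypt with N=18 and p=20. scrypt's N must be a
# power of two, so the post's "N=18" is read here as 2^18 (WarpWallet's cost),
# and r=8 is scrypt's customary block-size parameter; both are assumptions.
DEFAULT_LOG2_N = 18
DEFAULT_P = 20
SCRYPT_R = 8
SEED_LEN = 32  # 32 bytes: the size of a secp256k1 private key


def normalize_email(email: str) -> str:
    """Canonicalise the salt so 'You@Example.org ' and 'you@example.org'
    derive the same wallet (assumed rule; without one, a capital letter
    typed at restore time silently yields a different, empty wallet)."""
    return unicodedata.normalize("NFKC", email).strip().lower()


def normalize_password(password: str) -> str:
    """NFKC-normalise the password so the same characters entered on
    different platforms produce the same bytes (the rule BIP39 uses)."""
    return unicodedata.normalize("NFKC", password)


def derive_wallet_seed(email: str, password: str,
                       log2_n: int = DEFAULT_LOG2_N, p: int = DEFAULT_P) -> bytes:
    """keyPair = scrypt(email, password, N, p) from the post: the e-mail is
    the salt, so a dictionary run only ever covers one address at a time."""
    n = 1 << log2_n
    # scrypt needs about 128 * r * N bytes of RAM (256 MiB at N=2^18);
    # hashlib's default maxmem is 32 MiB, so raise it explicitly.
    maxmem = 128 * SCRYPT_R * n + (16 << 20)
    return hashlib.scrypt(normalize_password(password).encode("utf-8"),
                          salt=normalize_email(email).encode("utf-8"),
                          n=n, r=SCRYPT_R, p=p, maxmem=maxmem, dklen=SEED_LEN)


if __name__ == "__main__":
    # Full-strength derivation, timed, with constructed sample credentials.
    t0 = time.perf_counter()
    seed = derive_wallet_seed("you@example.org", "correct horse battery staple")
    print(f"seed = {seed.hex()} ({time.perf_counter() - t0:.1f}s)")
```

Running it with the defaults shows the multi-second cost the post describes; the `log2_n` and `p` arguments exist so that tests and low-memory devices can use cheaper settings.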
Summary
The point of this post is not to show what an ugly backup experience all crypto wallets offer, but to hear back why we are clinging to paper seeds and encrypted backups that make people lose their money.
I care about cryptocurrencies: to succeed, they need to become usable. I keep seeing people fall victim to this UX on Reddit, Twitter and even among my friends. They lose papers, backups, wallets, files, drives, word sequences.
Yes, they also lose passwords. But the password is needed in all 3 methods anyway.
Brainwallet.org was insecure and has ceased to exist. It gave the word “brainwallet” an extremely negative meaning, but let’s stop banishing the deterministic approach as a whole. It’s more convenient than anything we have so far and it can be implemented securely. Let’s use it.