Bitcoin Magazine

Brain Wallets: The What and the How

Of all the formalized monetary systems that have ever been used by mankind, Bitcoin is unique in the fact that it exists entirely as pure information. The blockchain, the database storing Bitcoin transactions so the system can figure out who owns what, is stored simultaneously on tens of thousands of computers and servers around the world. The system’s equivalent of “accounts”, Bitcoin addresses, are also really nothing more than 160-bit numbers, and the private keys that allow withdrawal access are 256-bit numbers themselves. The result of this is that we can literally store our money in whatever way we want, and people have picked up on this: we have QR code wallets, paper wallets, coins with private keys hidden behind a hologram, etc. However, the most interesting of all the alternatives is the place where humans have been storing most of our information for the past 100,000 years: in our brains.

A “wallet” is a collection of two types of numbers: addresses, typically rendered as 33 or 34-character strings like “13ignD31FysQbaBBVJUzffcQoFxxEuEcbE”, that allow deposit access to the address’s associated account, and private keys, slightly longer numbers that allow withdrawal access. Technically, you do not need to remember your address, as you can always derive it from the private key, but it is better to do so, as you do not want to be typing in your private key all over the place. Thus, the simplest wallet that can be memorized is just one address and one private key.

The major insight that gives us all the various different options to help us remember an address and private key is that addresses and private keys are ultimately not strings of digits and letters – they are numbers. A number is a mathematical entity that we can choose to represent in our traditional base 10 (called “base 10” because it relies on ten symbols to represent all of our numbers: 0123456789) as, for example, “3022885”, in base 16 (“2E2025”), in base 2 or binary (“1011100010000000100101”), as a product of prime numbers (5 * 89 * 6793), in base 58 (“GVbi”) or in any other way that we see fit. Bitcoin uses base 58 because it is a reasonable compromise between brevity and readability – lower bases are longer since you can pack less information into each symbol, but upgrading to a higher base like 60 would introduce distinctions between the letter O and the number 0 and capital I and lowercase l and thus potentially lead to mistakes. You can memorize an address or private key in any base you see fit, provided that you have a base converter to bring it back to base 58 when the time comes to give out your address or use your private key.

Base 58 is the easiest option, and will have you memorizing a fairly reasonable 51 characters for the private key and 34 more for the address, although if you do not want to memorize the address you can also just memorize the first few characters and let firstbits.com retrieve the rest for you (paste the address into firstbits to find out just how much you need to memorize; usually it’s 6 characters). Note that firstbits recovers the address by searching for the chronologically first matching address in the blockchain, so you will need to have sent a transaction to the address, but the upside of firstbits’ algorithm is that your firstbits abbreviation will be valid forever. In terms of raw information content (or, as information theorists refer to it, entropy), the simpler solution is equivalent to memorizing fourteen 7-digit phone numbers, something which those of us who have not yet been drawn in by the seductive allure of storing everything on our smartphones have likely already done anyway. The full solution of memorizing all 51+34 brings that up to 21 phone numbers. However, the nature of base 58 makes this job considerably easier for us as the presence of letters and numbers triggers auditory and visual memory at the same time, and the pronounceable letter combinations, short words and acronyms that sometimes pop up trigger a mental phenomenon known as clustering where we remember multiple symbols as one unit – think of how you remember “Smith”, not “S…M…I…is that D or T again…H”.

Smaller bases are more difficult to use because of how many characters you will need to memorize, but if you prefer a mix of more numbers and some letters base 16 is a reasonable option, and it has the advantage that private keys can be imported from that format automatically just as easily as base58 keys. Another possibility is, interestingly enough, base 1751, using not letters as digits but words. Grondilu’s Bitcoin Bash Tools convert back and forth for you automatically, giving you a string of words like this:

THE BLOT SET TWIT BARE LEER WAGE LILT LIND CORK GOAL OFT REAR VOTE FLEW WAD KEYS GAVE SEES WAGE EAR YOGA VAST POT BIRD FAKE BEE

It’s up to you to decide if this form of base 1751 is easier than base 58 by a sufficient margin to warrant having to deal with an extra non-standard software package.

There is, however, another solution that is even easier to memorize. In the ECDSA cryptographic system that Bitcoin relies on, almost any 256-bit number can be a private key, so you can make your private key as memorable as you want – you can even make your private key “0101010101010101….” and generate a bitcoin address from the key and everything will work just fine, although you can’t control what the address looks like so you will have to memorize at least 6 random base-58 characters for firstbits to do its job. For security purposes, though, it’s better not to make the private key itself memorable but to generate the private key with a standard function, using a phrase or password as a “seed”. The SHA256 cryptographic hash function is generally preferred for this, as it outputs pseudorandom data of exactly the right size from any input, and online utilities to compute the SHA256 of any string are easy to find (note that if you’re using the Linux command line, use echo -n rather than echo to pipe into sha256sum; otherwise, you’ll get a different result from other utilities since echo adds a trailing newline by default). After hashing, the seed “correct horse battery staple”, for example, becomes:

c4bbcb1fbec99d65bf59d85c8cb62ee2db963f0fe106f483d9afa73bd4e39a8a

Then, go to bitaddress.org in private browsing mode, turn off your internet and input the private key that you just generated into the box under the “Wallet Details” tab to get the address out: 1JwSSubhmg6iPtRjtyqhUYYH7bZg3Lfy1T. Notice how little you really need to memorize to have a brain wallet with this method: following the same process with a much smaller seed and using an address shortener, ("123","1Bfvq2ap") is a brain wallet all by itself.
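
The derivation described above, written out as an added example (not code from the original article): it hashes the seed with SHA256 and writes the key in base 58 with the 0x80 prefix and four-byte checksum of the wallet import format, which gives the 51-character key used in the Electrum import command further down. The function names are this example's own, and the same base 58 routines reproduce the “GVbi” conversion from earlier.

```python
import hashlib

# Bitcoin's base 58 alphabet: no 0, O, I or l.
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def to_base58(n: int) -> str:
    """Write a non-negative integer in base 58."""
    digits = ""
    while n:
        n, r = divmod(n, 58)
        digits = B58[r] + digits
    return digits or B58[0]

def from_base58(s: str) -> int:
    """Read a base 58 string back into an integer (ValueError on a bad symbol)."""
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)
    return n

def checksum(payload: bytes) -> bytes:
    """First four bytes of double SHA256, as appended to encoded keys."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def seed_to_key(seed: str) -> bytes:
    """SHA256 of the exact seed bytes; a trailing newline changes the key."""
    return hashlib.sha256(seed.encode("utf-8")).digest()

def key_to_wif(key: bytes) -> str:
    """Prefix 0x80, append the checksum, write the result in base 58."""
    payload = b"\x80" + key
    return to_base58(int.from_bytes(payload + checksum(payload), "big"))

def wif_to_key(wif: str) -> bytes:
    """Recover the 32-byte key, rejecting a mistyped or misremembered string."""
    try:
        raw = from_base58(wif).to_bytes(37, "big")
    except OverflowError:
        raise ValueError("not a 37-byte key encoding") from None
    if raw[0] != 0x80 or checksum(raw[:-4]) != raw[-4:]:
        raise ValueError("checksum mismatch: at least one character is wrong")
    return raw[1:-4]

if __name__ == "__main__":
    key = seed_to_key("correct horse battery staple")  # seed used in the article
    print(key.hex())
    print(key_to_wif(key))
    print(to_base58(3022885), from_base58("GVbi"))
```

Because the key is a single unsalted SHA256 of the phrase, anyone who guesses the phrase obtains the key, so the entropy of the phrase is the wallet's only protection.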

Next comes the question of how you can actually use a brain wallet once you have created one. Checking your balance is fairly easy: go to any blockchain watching site like blockchain.info or blockexplorer.com and search for your address. You will be able to see the address’s total current balance and all the transactions that have ever come in or out of it. If you memorized just the first six characters, both services will search for and find your full address automatically.

To spend your bitcoins, there are two paths that you can take. The first, easier, option is to import the private key into a wallet or client when you want to use it and simply proceed to send a transaction normally. There are three major clients that allow you to do this: Armory, blockchain.info and Electrum. Armory is a fully fledged Bitcoin client with many features, although it does have the disadvantage that it requires a powerful computer to run as it currently stores the entire blockchain in memory (you need at least 4GB of RAM). Blockchain.info is a web application that requires no installation, which is much more convenient but slightly less secure because you’re essentially re-downloading the application from the server every time. The other major online wallet, Strongcoin, is also an option; with it the functionality for generating a private key from a phrase is built in, but it charges a small fee for outgoing transactions. Blockchain.info and Armory, if their respective weaknesses are acceptable to you, have graphical interfaces that are very easy to use and self-explanatory. Electrum requires some basic command line use but is also not very difficult. Once you’ve created an address and private key, to import it into Electrum open up a command line, navigate to the directory Electrum is located in and type in:

./electrum import 1JwSSubhmg6iPtRjtyqhUYYH7bZg3Lfy1T:5KJvsngHeMpm884wtkJNzQGaCErckhHJBGFsvd3VyK5qMZXj3hS

And there you go. You can now send transactions with your Electrum wallet, and for added security you can delete the electrum.dat file (located at ~/.electrum/electrum.dat on Linux) when you’re done.

However, if you are storing your wallet in your head because you are paranoid, you may instead prefer the second option: offline transactions. This approach is more secure as it allows you to send transactions without ever having your private key touch a computer that is connected to the internet, so that even if both your computers have viruses on them your bitcoins are still secure. To do this with blockchain.info, you will need to take the following steps:

  1. Create a blockchain.info account and log in.
  2. Import just your address into your wallet.
  3. Log in from a secure computer in offline mode, making sure to use private browsing mode (incognito mode in Chrome). When the system asks you to turn off your internet connection, do so.
  4. Import the private key. Your address will automatically appear in your wallet along with it.
  5. Click “send money” and follow the onscreen instructions until you get a base 16 number a few hundred characters long. Copy this string down on paper or with a USB key and close the browser window.
  6. Copy this string over to the tool at http://blockchain.info/pushtx and send the transaction.

With Electrum, the procedure is slightly more complicated:

  1. On an offline computer, import the address:
  2. Locate the electrum.dat file on the offline computer. This file should be at C:\Users\YourUserName\AppData\Local\Electrum\ on Windows Vista and 7 and ~/.electrum on Linux (sorry, no Mac version as of the time of this writing). Note that for the next step to be valid, the file should be unencrypted. If it’s encrypted (i.e. is just a jumble of random data, without any kind of structure), remove it and generate a new wallet (with ./electrum create or the graphical interface) with no password.
  3. Make a copy of the file. In that copy, look for the private key that you imported and take it out.
  4. Take this neutered wallet and copy it over to your online computer, and wait until the client detects and collects the references to the 5 bitcoins’ worth of transactions that you need to spend.
  5. Copy the wallet back to your offline computer and put it back where the original electrum.dat file was.
  6. Put the private key back in.
  7. Create the transaction offline:

./electrum mktx -s 1JwSSubhmg6iPtRjtyqhUYYH7bZg3Lfy1T -c 1JwSSubhmg6iPtRjtyqhUYYH7bZg3Lfy1T 13ignD31FysQbaBBVJUzffcQoFxxEuEcbE 5.00

From there, proceed as before. This is one of the highest levels of paranoia that you can possibly reach with Bitcoin, but it is worth it if you are handling large amounts of money. Electrum has three advantages over blockchain.info that may make up for the increased effort. First, you do not have to pay the 0.01 BTC fee per transaction. Second, since Electrum is a desktop application you can keep the computer that handles private keys off the internet 24/7, while with blockchain.info this is much harder as it is a web application – with the blockchain.info wallet you are actually downloading the program that runs within your browser every time you use it. The third advantage is another consequence of this fact: if blockchain.info is hacked, the transactions that it generates might be compromised and you would not even know it until the intended recipient tells you that they never got the transaction and you realize that you’ve sent off your precious electronic cash to some teenager in Ukraine. With Electrum, you only download it once, you can check it once if you desire and you do not need to worry about such security issues.

Note that Electrum also has a “brain wallet” functionality of its own that offers a compromise between memorizing a premade key and making a key from something you memorized: a 12-word base 1600 “wallet seed” from which Electrum generates five addresses and private keys. You can use roughly the same process as above to send transactions with such a wallet, but removing the seed instead of the private key when copying the wallet over to the online machine.

If your goal for having a brain wallet is not security but a backup, the convenience and versatility of having your wallet literally always on you no matter where you are or what you have with you, or just impressing your friends, you do not need to bother with offline transactions; simply using it in conjunction with other Bitcoin wallets is enough. Just like Bitcoin in general, the concept of a brain wallet is extremely flexible; you can make whatever tradeoff between convenience and security suits you best.
 

 


By

Vitalik Buterin is a co-founder of Bitcoin Magazine who has been involved in the Bitcoin community since 2011, and has contributed to Bitcoin both as a writer and the developer of a fork of bitcoinjs-lib, pybitcointools and multisig.info, as well as one of the developers behind Egora. Now, Vitalik's primary job is as the main developer of Ethereum, a project which intends to create a next-generation smart contract and decentralized application platform that allows people to create any kind of decentralized application on top of a blockchain that can be imagined.

  • Garrett MacDonald

    Good article, I can’t wait to receive the magazine!

  • JoelKatz

    One warning: If you use a mental wallet and perform a spend transaction, make sure to generate the transaction using a tool that sends the change back to your mental wallet account. Some clients (such as the Satoshi client) send the change back to a new account, leaving some of your Bitcoins in your mental wallet account and some in a brand new account stored only in that client.

  • austinhamman

    the only issue i see is that base58 seems case sensitive. so you aren’t remembering for instance 931Ubc6 but 931capital-U, lowercase-b, lowercase-c, 6
    then there are letters and numbers that sound alike:
    a and 8; e, b, c, d and 3; m, n; etc. these seem like they would decay a lot faster

    • Vitalik Buterin

      It’s not that hard if you remember how it sounds and how it looks at the same time – I memorized my main address (13ign…) and which letters are capitalized and which aren’t just comes naturally.

      • austinhamman

         that’s why i said it would decay faster, that is if not used for say a month or two the chance of a memory error would increase especially amongst those letters/numbers which sound alike or amongst caps.

        memory tends to be a use it or lose it sort of thing and if not used for a decent amount of time it will decay, memetics help this by giving you a key to reconstruct the faulty memories which must itself decay as well for the memory to fail. also because the fragility of the brain wallet (one letter wrong=whole wallet wrong) compared to a sentence for instance (contextual clues related to the remembered sections of the sentence help you reconstruct the forgotten or incorrect sections) the likelihood of catastrophic memory failure seems high for a brain wallet. remembering as a nonsense sentence isn’t much of an improvement because as i mentioned it lacks any context to reconstruct lost sections.
        as an example i regularly remember passwords like this:
        tSotHoaRTi=2tSotSoi2RS
        which i can remember because it’s the pythagorean theorem:
        “the square of the hypotenuse of a right triangle is equal to the sum of the square of its two remaining sides”
        or:
        NA2MtWiAEbS
        never attribute to malice that which is adequately explained by stupidity (hanlon’s razor)
        the caps and lowers are logical so don’t require any extra memory (every word but the, is, or, etc are capitalized)

        • Vitalik Buterin

          True. It depends what you’re comfortable with really; if you don’t like memorizing whole addresses and private keys (most people don’t), then deriving a private key from a phrase stored in your brain is the most logical option.
