Bitcoin Magazine


Introducing Carbon Wallet

Carbon Wallet, a new service seeking to be the next great innovation in secure online wallets, is launching today. Currently, there are two major types of online wallet: server-side controlled wallets and client-side controlled wallets. In a server-side wallet (e.g. Coinbase), the actual wallet is controlled by a server which independently maintains all of its users, like a bank account. In a client-side wallet, there is an actual fully-functional Bitcoin wallet operating inside the user’s browser, and the server only holds encrypted backups of each user’s wallet, to which only the user knows the decryption key. Carbon Wallet is adding a third paradigm to this mix: the server holds no backups at all, and the wallet is instead deterministically regenerated from the user’s password each time the client loads.

Reconstructing an entire Bitcoin wallet from nothing more than a password may seem like a magical feat, but in reality it is quite feasible. Essentially, a wallet is made up of two parts: private keys, and transaction information. Private keys are the secret numbers that let owners of Bitcoin addresses sign transactions to spend money from them, and the transaction information that wallets need is essentially how much money they have, and the content of the individual transactions that sent the money to them. The Bitcoin Wiki describes a number of ways to generate a potentially infinite set of private keys from a single root seed; the simplest one to explain relies on SHA256, a cryptographic hash function also used elsewhere in Bitcoin. SHA256 can take anything as an input, and uses a series of highly chaotic transformations to generate a seemingly random 256-bit number as an output – exactly the right format for a Bitcoin private key. The private key generation algorithm is simple: private key 1 = SHA256(password + "1"), private key 2 = SHA256(password + "2"), and so on, and there exists an algorithm to generate the corresponding Bitcoin address given a private key. The mechanism used by Carbon Wallet is more complicated, replicating the one used internally by Electrum, but it shares the same ability to generate as many addresses as the user requires. Transaction information, just like in the popular client-side wallet, is simply downloaded with the help of the Carbon Wallet servers.
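The simplified SHA256 scheme described above, as an added example that is not Carbon Wallet's or Electrum's code: it regenerates the same private keys from the passphrase on every run, with no stored state. The range check against the secp256k1 group order, the Wallet Import Format (WIF) encoding and all function names are additions of this example; the input is the sample passphrase the article itself quotes.

```python
import hashlib

# Order of the secp256k1 group: a valid private key is an integer in [1, N-1].
SECP256K1_N = int(
    "FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE "
    "BAAEDCE6 AF48A03B BFD25E8C D0364141".replace(" ", ""), 16)
BASE58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def derive_private_key(passphrase: str, index: int) -> bytes:
    """Simplified scheme from the article: key_i = SHA256(passphrase + str(i))."""
    digest = hashlib.sha256((passphrase + str(index)).encode("utf-8")).digest()
    # Almost every 256-bit value is a usable key, but not all: reject the rare
    # digest that is zero or not below the curve order.
    if not 1 <= int.from_bytes(digest, "big") < SECP256K1_N:
        raise ValueError(f"index {index} yields an out-of-range key; skip it")
    return digest

def base58check(payload: bytes) -> str:
    """Append a 4-byte double-SHA256 checksum and encode in Base58."""
    data = payload + hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    num, encoded = int.from_bytes(data, "big"), ""
    while num:
        num, rem = divmod(num, 58)
        encoded = BASE58[rem] + encoded
    leading_zeros = len(data) - len(data.lstrip(b"\x00"))
    return "1" * leading_zeros + encoded

def to_wif(private_key: bytes) -> str:
    """Wallet Import Format (mainnet, uncompressed): Base58Check(0x80 || key)."""
    return base58check(b"\x80" + private_key)

def regenerate_wallet(passphrase: str, count: int) -> list[str]:
    """Rebuild the first `count` keys from the passphrase alone; no stored state."""
    return [to_wif(derive_private_key(passphrase, i)) for i in range(1, count + 1)]

if __name__ == "__main__":
    # Sample passphrase published in the article; never fund keys derived from it.
    sample = ("naked goose realize except concrete attack strange tightly "
              "thorn note memory church")
    for wif in regenerate_wallet(sample, 3):
        print(wif)
```

Because this derivation is a single unsalted hash, the entropy of the passphrase is the only thing standing between the keys and anyone who can guess it.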

Currently, Carbon Wallet does not let users choose their own passwords; it instead relies on twelve-word “passphrases” of the same format as Electrum wallets. If you do not want to create your own twelve-word passphrase from Electrum’s 1700-word dictionary, Carbon Wallet can create new passphrases for you; “naked goose realize except concrete attack strange tightly thorn note memory church” is one example of a passphrase that Carbon Wallet generated.

The question is, will Carbon Wallet actually be more secure than its alternatives? On the one hand, this design does significantly reduce the level of involvement that the server has in the Bitcoin wallet’s use. On the other hand, however, the main weakness of – namely, the fact that its operators are theoretically capable of introducing malicious code into the client to, for example, immediately empty a user’s wallet upon launch, is just as present in Carbon Wallet. has provided a solution to the problem in the form of a Firefox and Chrome extension, and Carbon Wallet will soon implement a similar feature, but in this regard the security of the two models remains exactly the same.

But there are a number of ways in which Carbon Wallet’s model does win out. The first is reliability. Even if the Carbon Wallet servers go down, users can simply convert their Carbon Wallet password into a seed for Electrum, and they will then have an Electrum wallet with all of the same addresses. With, users must either take advantage of’s email or Dropbox wallet backup feature or risk losing access to their wallets if, for whatever reason, the site disappears or all copies of the database are erased. Another advantage is portability; anyone can make their own Carbon Wallet-compatible wallet with superior features or a better interface, and Carbon Wallet users will be free to simply hop between whatever providers they want at a moment’s notice; because the wallet is deterministically generated from nothing but their password, every provider will be able to give the user access to their money in an instant.

There are several features that Carbon Wallet will add in the future. One is the ability to store a long password in local browser storage, and then use a shorter password to decrypt it. This would also help mitigate the brute force guessing issue, and would be necessary when Carbon Wallet expands into mobile applications, as it is very inconvenient to type in a genuinely secure password on a smartphone. The wallet will also soon add at the very least a “validator” extension to protect against someone hacking the Carbon Wallet servers and secretly inserting malicious code into the client that ultimately gets delivered to the user’s browser. Support for mobile devices and QR codes is also a high priority. For those interested in what this new model of wallet storage has to offer, the wallet is now available for use at


  • Tesla

    They should use https to avoid man-in-the-middle attacks. At the moment it is trivial to inject bitcoin-stealing code if you sit on the communication line.

  • Anarcoin

    Is it a password or passphrase?

    • Raphael Voellmy

      It’s a passphrase. You can check it out yourself:

    • Vitalik Buterin

      Passphrase. Article has been updated to correct this.

  • Luke-Jr

    So it’s a combination of two stupid ideas (brainwallets and webwallets), taking the downsides of both?

    • Capitán Piluso

      A brainwallet is not stupid at all. Webwallets, and anything web related, will be stupid for any serious security application.

  • NullVote

    Yea, and knowing the dictionary, which is freely available, and knowing there are only 12 slots/words used… Makes it the easiest wallet to crack. Even easier for them, because they already have an index of “crack-results”, and know every single combination. That is why they only use 1700 words.

    Now they just have to wait for enough people to start using it, so they have enough to steal, and blame it on a hacker.

    Funny thing is… I bet a hacker will actually clean them out before they clean-out their own customers.

    Having 12 words is like demanding a 12-letter password… They know where to stop, they know the limits, and they will find the solution faster.

    Just having tested a similar cracker (written by myself), I can break 380,000 12-word passwords with a 1700 dictionary, within 1 second, on my cheap home computer. I can generate 1000x that, on the same computer. Thus, fail for security.

    • Raphael Voellmy

      No, your math is completely wrong. There are 1700^12 possible passphrases. It would take you more than a sextillion years to find a passphrase if you can do 1 billion hashes per second on your computer.

      • Capitán Piluso

        But I wonder if this will give birth to a new way of making money: Wallet mining.

    • takeyourhatoff

      Could you please post the source code of your cracking program?
      Pretty much what Raphael said, but the passphrases described provide “12 * log (1700) / log (2) = 129” bits of entropy. I have hashed my electrum seed with sha256 two times and the result is: 82c1ecc34d66bba14be0b189ec5818dcec77fec3d73d087121e54907d0da35ab There are 10 bitcoins waiting in that wallet for you to take if your program is up to it.

  • Fredi not working ?!?!?

    entering passphrase via http … is this secure? I’m confused….

  • Fredi

    https not working….. I’m confused
    entering passphrase via http ….. hmm

    • Malo Bourgon

      No https required, nothing is being sent to the server.

  • CoinBoards

    There is a wallet based off this and integrated into the bitcoin community boards at