Bitcoin Magazine

Show Menu

Brain Wallets: The What and the How

Of all the formalized monetary systems that have ever been used by mankind, Bitcoin is unique in the fact that it exists entirely as pure information. The blockchain, the database storing Bitcoin transactions so the system can figure out who owns what, it stored simultaneously on tens of thousands of computers and servers around the world. The system’s equivalent of “accounts”, Bitcoin addresses, are also really nothing more than 160-bit numbers, and the private keys that allow withdrawal access are 256-bit numbers themselves. The result of this is that we can literally store our money in whatever way we want, and people have picked up on this: we have QR code wallets, paper wallets, coins with private keys hidden behind a hologram, etc. However, the most interesting of all the alternatives is the place where humans have been storing most of our information for the past 100,000 years: in our brains.

A “wallet” is a collection of two types of numbers: addresses, typically rendered as 33 or 34-character strings like “13ignD31FysQbaBBVJUzffcQoFxxEuEcbE“, that allow deposit access to the address’s associated account and private keys, slightly longer numbers that allow withdrawal access. Technically, you do not need to remember your address as you can always derive it from the private key, but it is better to as you do not want to be typing in your private key all over the place. Thus, the simplest wallet that can be memorized is just one address and one private key.

The major insight that gives us all the various different options to help us remember an address and private key is that addresses and private keys are ultimately not strings of digits and letters – they are numbers. A number is a mathematical entity that we can choose to represent in our traditional base 10 (called “base 10” because it relies on ten symbols to represent all of our numbers: 0123456789) as, for example, “3022885”, in base 16 (“2E2025”), in base 2 or binary (“1011100010000000100101”), as a product of prime numbers (5 * 89 * 6793), in base 58 (“GVbi”) or in any other way that we see fit. Bitcoin uses base 58 because it is a reasonable compromise between brevity and readability – lower bases are longer since you can pack less information into each symbol, but upgrading to a higher base like 60 would introduce distinctions between the letter O and the number 0 and capital I and lowercase l and thus potentially lead to mistakes. You can memorize an address or private key in any base you see fit, provided that you have a base converter to bring it back to base 58 when the time comes to give out your address or use your private key.

Base 58 is the easiest option, and will have you memorizing a fairly reasonable 51 characters for the private key and 34 more for the address, although if you do not want to memorize the address you can also just memorize the first few characters and let retrieve the rest for you (paste the address into firstbits to find out just how much you need to memorize; usually it’s 6 characters). Note that firstbits recovers the address by searching for the chronologically first matching address in the blockchain, so you will need to have sent a transaction to the address, but the upside of firstbits’ algorithm is that your firstbits abbreviation will be valid forever. In terms of raw information content (or, as information theorists refer to it, entropy), the simpler solution is equivalent to memorizing fourteen 7-digit phone numbers, something which those of us who have not yet been drawn in by the seductive allure of storing everything on our smartphones have likely aready done anyway. The full solution of memorizing all 51+34 brings that up to 21 phone numbers. However, the nature of base 58 makes this job considerably easier for us as the presence of letters and numbers triggers auditory and visual memory at the same time, and the pronounceable letter combinations, short words and acronyms that sometimes pop up trigger a mental phenomenon known as clustering where we remember multiple symbols as one unit – think of how you remember “Smith”, not “S…M…I…is that D or T again…H”.

Smaller bases are more difficult to use because of how many characters you will need to memorize, but if you prefer a mix of more numbers and some letters base 16 is a reasonable option, and it has the advantage that private keys can be imported from that format automatically just as easily as base58 keys. Another possibility is, interestingly enough, base 1751, using not letters as digits but words. Grondilu’s Bitcoin Bash Tools convert back and forth for you automatically, giving you a string of words like this:


It’s up to you to decide if this form of base 1751 is easier than base 58 by a sufficient margin to warrant having to deal with an extra non-standard software package.
There is, however, another solution that is even easier to memorize. In the ECDSA cryptographic system that Bitcoin relies on almost any 256-bit number can be a private key, so you can make your private key as memorable as you want – you can even make your private key “0101010101010101….” and generate a bitcoin address from the key and everything will work just fine, although you can’t control what the address looks like so you will have to memorize at least 6 random base-58 characters for firstbits to do its job. For security purposes though, it’s better not to make the private key itself memorable but to make the private key generated using a standard function using a phrase or password as a “seed”. The SHA256 cryptographic hash function is generally preferred for this, as it outputs pseudorandom data of exactly the right size from any input and online utilities to compute the SHA256 of any string are easy to find (note that if you’re using the Linux command line, use echo -n rather than echo to pipe into sha256sum; otherwise, you’ll get a different result from other utilities since echo adds a trailing newline by default). After hashing, the seed “correct horse battery staple”, for example, becomes:


Then, go to in private browsing mode, turn off your internet and input the private key that you just generated into the box under the “Wallet Details” tab to get the address out: 1JwSSubhmg6iPtRjtyqhUYYH7bZg3Lfy1T. Notice how little you really need to memorize to have a brain wallet with this method: following the same process with a much smaller seed and using an address shortener, ("123","1Bfvq2ap") is a brain wallet all by itself.

Next comes the question of how you can actually use a brain wallet once you have created one. Seeing how much your balance is is fairly easy: go to any blockchain watching site like or and search for it. You will be able to see the address’s total current balance and all the transactions that have ever come in or out of it. If you memorized just the first six characters, both services will search for and find your full address automatically.
To spend your bitcoins, there are two paths that you can take. The first, easier, option is to import the private key into a wallet or client when you want to use it and simply proceed to send a transaction normally. There are three major clients that allow you to do this: Armory, and Electrum. Armory is a fully fledged Bitcoin client with many features, althought it does have the disadvantage that it requires a powerful computer to run as it currently stores the entire blockchain in memory (you need at least 4GB of RAM). is a web application that requires no installation, which is much more convenient but slightly less secure because you’re essentially re-downloading the application from the server every time. The other major online wallet, Strongcoin, is also an option, although with it the functionality for generating a private key from a phrase is built in, but it charges a small fee for outgoing transactions. and Armory, if their respective weaknesses are acceptable to you, have graphical interfaces that are very easy to use and self-explanatory. Electrum requires some basic command line use but it also not very difficult. Once you’ve created an address and private key, to import it into Electrum open up a command line, navigate to the directory Electrum is located in and type in:

./electrum import 1JwSSubhmg6iPtRjtyqhUYYH7bZg3Lfy1T:5KJvsngHeMpm884wtkJNzQGaCErckhHJBGFsvd3VyK5qMZXj3hS

And there you go. You can now send transactions with your Electrum wallet, and for added security you can delete the electrum.dat file (located at ~/.electrum/electrum.dat on Linux) when you’re done.

However, if you are storing your wallet in your head because you are paranoid, you may instead prefer the second option: offline transactions. This approach is more secure as it allows you to send transactions without ever having your private key touch a computer that is connected to the internet, so that even if both your computers have viruses on them your bitcoins are still secure. To do this with, you will need to take the following steps:

  1. Create a account and log in.
  2. Import just your address into your wallet.
  3. Log in from a secure computer in offline mode, making sure to use private browsing mode (incognito mode in Chrome). When the system asks you to turn off your internet connection, do so.
  4. Import the private key. Your address will automatically appear in your wallet along with it.
  5. Click “send money” and follow the onscreen instructions until you get a base 16 number a few hundred characters long. Copy this string down on paper or with a USB key and close the browser window.
  6. Copy this string over to the tool at and send the transaction.

With Electrum, the procedure is slightly more complicated:

  1. On an offline computer, import the address:
  2. Locate the electrum.dat file on the offline computer. This file should be at C:Users\YourUserName\AppData\Local\Electrum\ on Windows Vista and 7 and ~/.electrum on Linux (sorry, no Mac version as of the time of this writing). Note that for the next step to be valid, the file should be unencrypted. If it’s encrypted (ie. is just a jumble of random data, without any kind of structure), remove it and generate a new wallet (with ./electrum create or the graphical interface) with no password.
  3. Make a copy of the file. In that copy, look for the private key that you imported and take it out.
  4. Take this neutered wallet and copy it over to your online computer, and wait until the client detects and collects the references to the 5 bitcoins’ worth of transactions that you need to spend.
  5. Copy the wallet back to your offline computer and put it back where the original electrum.dat file was.
  6. Put the private key back in.
  7. Create the transaction offline:

./electrum mktx -s 1JwSSubhmg6iPtRjtyqhUYYH7bZg3Lfy1T -c 1JwSSubhmg6iPtRjtyqhUYYH7bZg3Lfy1T 13ignD31FysQbaBBVJUzffcQoFxxEuEcbE 5.00

From there, proceed as before. This is one of the highest levels of paranoia that you can possibly reach with Bitcoin, but it is worth it if you are handling large amounts of money. Electrum has three advantages over that may make up for the increased effort. First, you do not have to pay the 0.01 BTC fee per transaction. Second, since Electrum is a desktop application you can keep the computer that handles private keys off the internet 24/7, while with this is much harder as it is a web application – with the wallet you are actually downloading the program that runs within your browser every time you use it. The third problem is another consequence of this fact: if is hacked, the transactions that it generates might be compromised and you would not even know it until the intended recipient tells you that they never got the transaction and you realize that you’ve sent off your precious electronic cash to some teenager in Ukraine. With Electrum, you only download it once, you can check it once if you desire and you do not need to worry about such security issues.

Note that Electrum also has a “brain wallet” functionality of its own that offers a compromise between memorizing a premade key and making a key from something you memorized: a 12-word base 1600 “wallet seed” from which Electrum generates five addresses and private keys. You can use roughly the same process as above to send transactions with such a wallet, but removing the seed instead of the private key when copying the wallet over to the online machine.

If your goal for having a brain wallet is not security but either as a backup, for the convenience and versatility of having your wallet literally always on you no matter where you are or what you have with you or just to impress your friends, though, you do not need to bother with offline transactions and simply using it in conjunction with other Bitcoin wallets is enough. Just like Bitcoin in general, the concept of a brain wallet is extremely flexible; you can make whatever tradeoff between convenience and security that suits you best.


Get Top Stories Weekly

We respect your email privacy

  • Garrett MacDonald

    Good article, I can’t wait to receive the magazine!

  • JoelKatz

    One warning: If you use a mental wallet and perform a spend transaction, make sure to generate the transaction using a tool that sends the change back to your mental wallet account. Some clients (such as the Satoshi client) send the change back to a new account, leaving some of your Bitcoins in your mental wallet account and some in a brand new account stored only in that client.

  • austinhamman

    the only issue i see is that base58 seems case sensitive. so you arent remembering for instance 931Ubc6 but 931capital-U, lowercase-b, lowercase-c, 6
    then there are letters and number that sound alike:
    a and 8 e,b,c,d,and 3 m,n etc these seem like they would decay a lot faster

    • Vitalik Buterin

      It’s not that hard if you remember how it sounds and how it looks at the same time – I memorized my main address (13ign…) and which letters are capitalized and which aren’t just comes naturally.

      • austinhamman

         that’s why i said it would decay faster, that is if not used for say a month or two the chance of a memory error would increase especially amongst those letters/number which sound alike or amongst caps.

        memory tends to be a use it or lose it sort of thing and if not used for a decent amount of time it will decay, memetics help this by giving you a key to reconstruct the faulty memories which must itself decay as well for the memory to fail. also because the fragility of the brain wallet (one letter wrong=whole wallet wrong) compared to a sentence for instance (contextual clues related to the remembered sections of the sentence help you reconstruct the forgotten or incorrect sections) the likelihood of catastrophic memory failure seems high for a brain wallet. remembering as a nonsense sentence isnt much of an improvement because as i mentioned it lacks any context to reconstruct lost sections.
        as an example i regularly remember passwords like this:
        which i can remember because its the pythagorean theorum:
        “the square of the hypotenuse of a right triangle is equal to the sum of the square of its two remaining sides”
        never attribute to malice that which is adequately explained by stupidity (hanlon’s razor)
        the caps and lowers are logical so dont require any extra memory (every word but the, is, or, etc are capitalized)

        • Vitalik Buterin

          True. It depends what you’re comfortable with really; if you don’t like memorizing whole addresses and private keys (most people don’t), then deriving a private key from a phrase stored in your brain is the most logical option.

    • enmaku

      I toyed for a while with the idea of a base32 brain wallet, b32 consisting of A-Z, 2-7 and being case-insensitive. I ended up compromising and printing up a set of dog tags with 8-character b32 strings on them numbered 0 through 9. I remember a 4 digit PIN for each of my “brain accounts,” concatenate the appropriate b32 strings from the dog tags and use sha256(x) to create a privkey. IMO it’s a good compromise between a paper wallet and a brain wallet as I the tags are useless without the PIN and knowing the PIN is useless without the tags. Base 32 is also perfect for dog tags since it’s difficult to find a company that can emboss lowercase characters on them.

      They’re the perfect physical component – cheap, disposable, durable, designed to be worn on your person and attract very little attention.

      • tuxx

        Interesting idea. As long as b32 strings on those dog tages are at least 52 characters long, you wouldn’t lose any entropy, I think.

        “tags are useless without the PIN” -> you think :)? It’s just 10000 sha256 checksums to caculate, should take about 33 microseconds for my graphics card here 😉 ( (10^4) / (10^6 * 300) = 0.000033 ).

        I’d highly recommend using more digits.

        • enmaku

          True enough. If it makes it any better I do tack a nice secure password that only I know onto the end of the whole mess – consider it brain salt for my tag hashes.

      • Vitalik Buterin

        In my physical magazine article I suggested 2-out-of 3 solutions as well – slice your private key (or generator) into three pieces, store pieces 1 and 3 on paper, 1 and 2 in your head and 2 and 3 with a close friend. 

  • tuxx

    Nice article! Made me realize that 256 Bits for a Bitcoin private key is actually not that much to remember. Actually, a brain wallet might be cheaper / less effort compared to a decent harddisk backup solution for longterm Bitcoin savings.

    Just two minor notes and questions:

    You’re saying “Notice how little you really need to memorize to have a brain wallet” ~> I’d be a little more careful with that statement though. And because of the maths you are doing in the previous paragraphs I don’t think you really mean it like that. Just to clarify and emphasize for others: This example only needs so little to remember, those four words, because an aweful lot of entropy is thrown away. You’d have to use at least 24 _random_ words when using a base 1751 word dictionary (like you actually did, in the according example for that before) (256 / logBase 2 (1751) = 23.76). The four word example is approximately one decllion times one decillion times easier to guess than a 24 word one ( (1752^24) / (1751^4) = 2^215.47 ).

    But on the other hand, if you’d get such 4 words for the change after buying a cup of coffee, which you’d transfer to a safer wallet with a higher entropy when you come back home, then I guess you’re fine, of course.

    For the phone number example, I count twelve 7-digit phone numbers (256 / logBase 2 (10^7) = 11.009). Did you say 14 to be safe against sha256 collisions? Or is there something else I’m missing which I should better be aware of?

    Hmm, what is ‘(“123″,”1Bfvq2ap”)’ refering to exactly?

    Thanks for this very detailed, great article, Vitalik!

    • Vitalik Buterin

      > You’d have to use at least 24 _random_ words when using a base 1751 word dictionary (like you actually did, in the according example for that before) (256 / logBase 2 (1751) = 23.76). 
      > Hmm, what is ‘(“123″,”1Bfvq2ap”)’ refering to exactly?
      Ah, you misunderstood me. You do not need to actually have 256 bits of entropy memorized to make a 256 bit private key. You can use preimages as small as you want (of which “123” was my simplest example), and then use the standard SHA256 hash function to generate a private key from the preimage, and convert that into an address. 1Bfvq2ap is the firstbits of the address that comes from 123 using this abbreviation. Having too little entropy is of course bad too, since if this becomes popular there will be people scanning through all low-entropy preimages to grab bitcoins, but 128 bits should be good enough for anyone for a while.

  • Ade

    Sounds great for crooks too, imagine converting their ill gotten gains into money, buying bitcoins and storing it in a brain wallet.
    To be really practical though, you’d need a secure vault version, whilst having the ability to dip into it from time to time to spend your money, whilst maintaining security.

  • InterestedGuest

    Why disconnect from the internet , as instructed , if connection is encrypted through TOR and my computer is very safe ? Is it really neccesary? Please clarify.

  • Ade

    I was wondering how to create multiple brain wallets that are easy to remember and thought that a good way would be to start with a Brain wallet as described, then alter it according to another secret passphrase. Thus my original Brain wallet would be generated by MaryHadALittleLambItsFleeceWasWhiteAsSnow.
    Obviously no one’s going to use something that simple..
    Then modify it with a Word like Elephant.
    The First letter of Elephant is E, I change the case of the first occurence of the MaryHadALittleLamb….. to MaryHadALittlELamb……. to generate an entirely new brain wallet.
    The next letter of Elephant is ‘l’ so I now generate a new brain wallet with MaryHadAlittlELamb….
    Now the E and the L have changed case  to generate an entirely new brain wallet.
    I’m sure it could be improved upon.

  • Pingback: Introducing Ripple | Bitcoin Magazine()

  • ebtc

    This is an amazing article. Deep, profound AND helpful.

  • Oskar Hane

    Thanks, great article!

    It seems like is down, is there an alternative to that service?

    • Vitalik Buterin

      Article updated, thanks for the tip.

  • Simon

    Can you do transactions with Electrum using only one bitcoin address? Is any transaction change payed out to that address? Would that address be the only address I need to remember to access my bitcoin?

    • John C.

      Brainwallets are best used to sweep funds from your active wallet and protect them against your computer or wallet file being compromised in any way. Which addresses your client uses becomes irrelevant, because at the end of your session, you have moved everything to your brain wallet. When you are ready to use the client again, you can import the brain wallet and spend, then sweep to a new brain wallet when you are done.