This article proposes a solution which retains the qualities of brainwallets while having none of their defects. The idea is to use personal questions as a seed to create a brainwallet. This idea can be generalized to sensitive passwords and offers some unique and very powerful properties.

A brainwallet is a bitcoin wallet whose private key is generated from a secret sentence called a passphrase. This passphrase can be stored in memory only, hence the name.

Brainwallets are considered insecure by most bitcoin experts. A few users did lose funds due to naive usage of brainwallets; indeed, it is very easy to create an insecure brainwallet.

Yet, brainwallets offer a unique advantage:

Impossible to steal, because they have no physical existence. This is an extremely elegant property, unique to brainwallets.

However, they suffer from serious issues as well:

Very vulnerable to brute force attacks

Can be forgotten

This would not matter if those two issues could be solved independently, but the more you try to handle one (by having an easy to remember passphrase, or a very long and random one), the more exposed you are to the other.

More on brainwallet vulnerabilities

Brainwallets are extremely susceptible to brute force attacks for 3 reasons.

The first one is that humans are a pretty bad source of entropy: if I ask you to give me a random sentence, it won't be a true random sample. Chances are that you will use a logical chain of words, or use a quote.

Also, to be able to remember your passphrase it needs to have some kind of meaning, but unfortunately this subset of sentences is vanishingly small compared to the set of all possible letter arrangements.

The second one is that computers are extremely fast at computing hashes: you might think that choosing a random sentence from a barely known book is enough; it's not. A dedicated system can compute hundreds of billions of hashes in one second.

To give you some perspective, a total of 14 million books have been published in France throughout all time. If we assume a random book is 500 pages long, with 20 sentences per page, that makes a grand total of around 140 billion sentences. Well, that's only two seconds of computation from a single computer. To conclude, any sentence that exists, or that you can think of, in any language whatsoever is not safe. Any text entry anywhere on the internet is not safe either. A subset of an existing sentence (for example picking just the first X letters) or a translation into a different language is just a moderately bigger set.

The order of magnitude we should ideally aim for is much more than the number of elementary particles in the universe, so that we are protected by the laws of thermodynamics while keeping a decent margin of error.

The third and probably biggest problem is that anyone, anywhere, can attack all brainwallets at the same time: in a normal brute force scenario, a hacker targets a specific set of users. Here, the real danger is that anything brute forcing brainwallets attacks everybody at the same time, blindly. Since the passphrase can be generated by any computer, anyone anywhere can try to find not just our passphrase, but any passphrase of anyone using a brainwallet.

So the attacker can build a huge precomputed table (a rainbow table), check at any time whether a deposit is being made into any of those addresses, and sweep it instantly.

There are a couple of workarounds for these problems: one is using a more advanced hash method tailored to be extremely slow. The second is using a strong salting method. Still, these remain major issues, and solving them requires making the passphrase more complex, hence increasing the risk of forgetting it.

Given these problems, is there any hope for brainwallets?

I believe that the range of possibilities offered by brainwallets has not been explored fully yet, as I will now attempt to show.

Question wallets

My proposal to improve brainwallets is to store a series of very personal questions, for example on paper, which are then used to generate a passphrase. I have been using this kind of wallet since 2012 and have found it very powerful while remaining convenient.

This can be seen as an "enhanced paper wallet": if someone finds the question wallet, they still have to find the answers to the questions. This lets you place less trust in your girlfriend / bank vault / notary…

Answers should not only be extremely memorable but also very private, with no ambiguity; finally, some salting questions should be added to prevent weak question wallets.

How does this compare to the existing cold storage solutions?

It is impossible to physically steal, like a brainwallet. Paper wallets, on the other hand, can be physically stolen, and can also be lost.

It is almost impossible to forget, like a paper wallet.

Precautions must be taken to ensure that no ambiguity exists, so this set of rules could be used:

A space between each word

Every character is non capitalized

If an answer is composed of several words (like a compound name), only the first one should be used

We suggest this list of recommendations, for entropy and safety:

Verify that there is no ambiguity in answering the questions.

The answer should also not be available anywhere on the internet.

At least 20 questions should be used.

Finally, entropy should be as strong as possible for each answer: the set of possible answers for each question should be big and relatively uniformly distributed.

A good rule of thumb is to mix: some dates, some names, some places, some random imaginary elements.

As an example, this set of questions could be used:

1 My dog’s nickname when I was 7 years old

2 The name of the city where I broke my ankle

3 The last name of the girl I slept with at the party “love the fun” of my school HEC

4 The first name of the friend I lived with for 3 months when I was in Barcelona in 2012

5 The first word of the video game me and my little brother Frank played when we were on holidays at Cousons

6 The name of my Warcraft 3 clan

7 My friend Aurélien Dupont’s nickname

8 The last name of the farmer from which my uncle Samuel Laurent has been buying milk his whole life

9 The name of the paper game I invented with my friend Kris when we were kids

10 The city where I proposed to my wife

11 The name of my characters when I used to play zelda3 on the NES

12 The date when my black ex-girlfriend threw my phone into the bathtub, expressed in DD/MM/YYYY

13 The phone number from my best friend when I was eleven years old

14 The first name of the hooker you used in Las Vegas

15 The date when someone did beat you up as a kid, in DD/MM/YYYY

16 The first name of your favorite teacher

17 The sport you loved the most when you were 12

18 The profession you wanted to do when you were 15

19 The nickname of Vanessa

20 The last name of the guy you hated the most when you were 18

As an extra precaution, some generic questions must be added in order to prevent brute force attacks, for example the following questions. Clearly, in my example it's probably not necessary, but it should be good practice to always do it (and a question based application should enforce this precaution as well). This helps ensure that no question based wallet is susceptible to brute force attacks.

21 First name of my paternal grandmother

22 Maiden last name of my paternal grandmother

23 Birth date of my paternal grandmother (format DD/MM/YYYY)

24 First name of my maternal grandfather

25 Last name of my maternal grandfather

26 Birth date of my maternal grandfather (format DD/MM/YYYY)

27 My first name

28 My last name

29 My birth date (format DD/MM/YYYY)

Answering the questions then yields a sentence which should look like this:

"woufy civrieux dumoutier guillaume castlevania cycom albator sander doomotor sydney…"

Converted using the standard SHA256 algorithm (or better, a slower hashing algorithm), this finally gives the private key.

Inheritance schemes

It also has a very nice property: it can easily be made inheritable. By choosing your questions appropriately, you can make it transferable upon death only to a specific set of persons you choose.

If you do not have any loved one and do not care to make it inheritable, you can use very personal questions to which only you have the answer.

If you wish that only your spouse could get the bitcoins, then use answers which only you and your spouse know.

By using questions that different members of your family might know, and questions to which some of your friends have the answer, you can create an inheritable wallet.

After your death, many people would then need to collaborate to regroup all the elements required to retrieve the question wallet.

It is very important to use very private information, which people would not share spontaneously.

Deterministic question wallets

It is also possible to create a deterministic question wallet. By appending an incrementing integer to the passphrase, we can generate infinitely many private keys from one single question wallet.

For example, the 3rd key for the wallet generated by the (insecure) seed "this is my passphrase" would then be "this is my passphrase 3".
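The following is an added example, not the author's code, of the full pipeline the article describes: answers are normalized with the disambiguation rules above (lowercase, single spaces, first word only), joined into the passphrase, hashed to a 32-byte private key, and the n-th deterministic key is obtained by appending the counter. The PBKDF2 iteration count, the fixed salt label used for the "slower hashing" variant, and the sample answers are assumptions of this example; the secp256k1 range check is the one a real implementation must perform.

```python
import hashlib
from typing import Optional

# Order of the secp256k1 group: a valid private key is an integer in [1, n-1].
SECP256K1_ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def normalize_answer(answer: str) -> str:
    """Apply the article's rules: lowercase, and keep only the first word
    of a multi-word answer (e.g. a compound name)."""
    words = answer.strip().lower().split()
    return words[0] if words else ""


def build_passphrase(answers) -> str:
    """Join the normalized answers with exactly one space between words."""
    return " ".join(normalize_answer(a) for a in answers)


def derive_private_key(passphrase: str, index: Optional[int] = None,
                       slow: bool = False) -> str:
    """Return a 32-byte private key as hex.

    index: deterministic-wallet counter appended after a space, so
           "<passphrase> 3" is the 3rd key, as the article describes.
    slow:  use PBKDF2-HMAC-SHA256 with many iterations instead of a single
           SHA-256 (the article's 'slower hashing algorithm'). The salt
           label and iteration count are assumptions of this example.
    """
    seed = passphrase if index is None else f"{passphrase} {index}"
    data = seed.encode("utf-8")
    if slow:
        digest = hashlib.pbkdf2_hmac("sha256", data, b"question-wallet-v1", 200_000)
    else:
        digest = hashlib.sha256(data).digest()
    value = int.from_bytes(digest, "big")
    if not 1 <= value < SECP256K1_ORDER:
        # Astronomically unlikely, but a correct implementation must check it.
        raise ValueError("derived value is not a valid secp256k1 private key")
    return digest.hex()


# Constructed sample answers for the first four questions of the list above.
SAMPLE_ANSWERS = ["Woufy", "Civrieux", "Dumoutier", "Guillaume"]

if __name__ == "__main__":
    phrase = build_passphrase(SAMPLE_ANSWERS)
    print(phrase)
    print("key 0:", derive_private_key(phrase))
    print("key 3:", derive_private_key(phrase, 3))
    print("slow :", derive_private_key(phrase, slow=True))
```

Any change in spelling, case or word order of a single answer produces a completely different key, which is why the article insists on unambiguous answers and on verifying the resulting public key several times.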

Deriving many private keys from a single seed offers much more privacy. Also, address reuse could be a potential security risk, even if in practice the bitcoin cryptography scheme (elliptic curve) has been safe so far when used with a good random number generator.

Also, as suggested by glaatraa, the passphrase could be used as a seed for a hardware wallet like Ledger or Trezor.

As a general security solution

Beyond storing cryptocurrency wallets, question passphrases can also be used as a general and very powerful security mechanism.

By using a question passphrase to generate the password, you benefit from all the pleasant properties of the question wallet.

For example, let's assume that you manage a business holding millions of dollars' worth of cryptocurrency, and that for convenience you want to store backups of your hot wallet online. You encrypt your wallet with a password. Now the real question becomes: how do you store and share this password as securely as possible?

The password needs to be stored in a way that allows access, while still being kept from prying eyes.

You can share it between the founders via some medium like email, a shared storage solution or some kind of anonymous pseudo-secure chat. This is not a good solution: mail accounts can be hacked and so can computers. If someone is logging your keyboard input or taking screenshots via a trojan, a cryptographically secure channel will not help.

You can use physical tokens providing 2FA, hardware wallets and similar contraptions. This is probably one of the best solutions, but it's still vulnerable to physical theft and requires physically sending them to the correct entities.

Finally, you can use good old pen & paper and share passwords by hand. This is also a good solution, but it is still vulnerable to physical theft and physical loss, and again requires physically meeting or using the mail.

So now let's assume the worst case: all the mailboxes and computers are hacked, postal mail will be opened and every hiding place that you can think of will be searched. In this situation, how can we transmit and store a password in plain sight without anybody knowing?

Using a passphrase based on secrets known only by the founders provides a way to generate a password which is both super easy to store (send an email to everyone with the questions) and unstealable (as long as only the recipients know the answers).

Of course, we did not address the other big problem of sharing access to a wallet, which is trust between the founders, but multi-signature is there for that.

That is actually the exact solution we used for our now defunct exchange MasterXchange. In fact, we were so confident in it that we used this design at many steps, both as a passphrase for encryption and as a passphrase to unlock the wallets.

This allowed us to very conveniently store a large number of passwords directly in our mail, while being completely confident that hacking the mail would not provide the passwords to an attacker.

For example, and slightly changed for privacy, here are the questions that we used for one of the question password :

The first name of Adrien Lafuma’s father

The first name of the very friendly ex-poker pro that we met in Amsterdam

The first name of Adrien’s cousin who is a hippy

The masterXchange development environment root password

The 7 letters nickname of Johan montargon

The first word of the game we did bet and where Adrien lost the epic sum of 2.5 bitcoins in a couple minutes

Since here we are talking about a specific password which can only be used in a specific case (trying to unlock the wallet), we did not bother to salt, as some of the answers were random enough (the dev root password is huge and random).

Additional security recommendations

Question wallets are of course intended as a cold storage solution.

The usual recommendations for creating paper wallets and brainwallets still apply here: use a freshly installed OS that you will use offline, without saving any data. A live Ubuntu is great for this usage.

Verify several times, on different days, that you can type your question wallet correctly and that it always gives you the same public key. Test that your process is working with a small amount first.

Do not ever type a passphrase (or a private key) into a search engine or anywhere online; it will bring it into existence. The passphrase is a private key.

A bit of philosophy

I have shown how it is possible to share a secure key (the passphrase) in plain sight using question wallets. In this respect it is very similar to public key cryptography, where you can secretly exchange passwords in plain sight over unsecured media by mutually using your public keys.

There is however a problem: you have to know the public key of your recipient to ensure that you will be signing with the correct key. This is, for example, why HTTPS certificate validation requires a third party to ensure that the certificate is indeed the one you are looking for.

With a memory-based cryptographic scheme, you can be confident that only the recipient can decrypt your passphrase.

Instead of using a secret key to encrypt messages, it would be like signing with your private shared experiences: only someone sharing the same memory can then "decrypt" the message.

It might be possible to construct a much more general cryptographic system based on this principle, but this is very much outside the scope of this article, which focuses on a single important use case: cold storage for bitcoin.

Conclusion

I hope this article showed the qualities of question wallets. They could arguably provide a better cold storage solution than both brainwallets and paper wallets, combining the simplicity of paper wallets with none of their theft vulnerabilities.

You no longer have to be scared of fire, and you do not need to store your backups in a military grade facility anymore.

Finally, we provided a way to securely share and store passwords even through a potentially compromised environment, and believe that it can be a useful security tool for bitcoin businesses.

We hope this will be helpful to the bitcoin and cryptocurrency communities.

Thanks to Adrien Lafuma for the fruitful discussions.