4

I remember reading somewhere, I think it was fluffypony mentioning one could use, for example, words from a letter to a loved one as the seed for a Monero wallet. But from playing with https://xmr.llcoins.net/addresstests.html I realized that it is not possible to enter just any text in the mnemonic seed; it just doesn't accept improperly formed mnemonics, apparently. And even if I had 24 words chosen from the official word list, I would still not know what checksum word to add at the end... (I haven't tried generating a brain wallet in monero-wallet-cli yet, but if there is a way, please let me know.) Is there a way to create one's own mnemonic?

On the other hand, I am assuming that the hexadecimal field does accept anything, since it is the private spend key. So maybe the way to go would be to choose one's own preferred passphrase, take SHA256 of the passphrase and enter it in field 2. Is that how it should be done?

Obviously, one should be very careful choosing such a passphrase, but I am thinking that brain wallets in Monero shouldn't be as dangerous as in Bitcoin simply due to the inherent time-consuming operation of scanning the blockchain and trying to decode every single output for the corresponding stealth address. I am guessing that a decent computer should take at least a few seconds for each brain wallet, so that compiling a huge list of brain wallets and monitoring them is unfeasible. Is this understanding correct?

user141

2 Answers

5

A brain wallet should always be created offline, preferably on a computer that will never touch the Internet once you decide to use it for a key generator. Make sure any JavaScripts you are using can be initiated offline.

Agree that there is a huge computing penalty for having to scan a blockchain for a given viewkey to identify associated stealth transaction deposits. A full refresh for a new wallet takes on the order of minutes on my computer with the current Monero Blockchain size.

Here is a quick example of using text commands to create a brain wallet:

% echo "Brain farts really hurt this miser" | bx base16-encode | bx sha256
e812ff8072348464b3fe59f0324076bc9b1be3afb233d52303b04f19120389e3

% ./sc_reduce32 e812ff8072348464b3fe59f0324076bc9b1be3afb233d52303b04f19120389e3
f27b8d6b01c98293fa6acf06069644989a1be3afb233d52303b04f1912038903

% ./bytes_to_words f27b8d6b01c98293fa6acf06069644989a1be3afb233d52303b04f1912038903
etched segments dash puck rural furnished mice sapling sifting dime jigsaw alpine malady pebbles germs fleet puddle swagger azure react sovereign much worry zebra pebbles

With either the normalized private spend key (after the sc_reduce32 completes) or the Electrum words you have the information to synthesize the following Monero address:

44yo6exuJXtfmGzabRub8w6JkEcY6BjVEUkBmgheV5fEChMb5BD7HUWUPjuKVJ4C2Y11tf9y6DCJo2uAHts6E4EzJZX23fa

FYSA - The sc_reduce32 command was created from a Monero function called sc_reduce32(). Similarly, the bytes_to_words command was created from a function called bytes_to_words().

skaht
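The pipeline in this answer (SHA-256, sc_reduce32, bytes_to_words with the checksum word the question asks about), written out as an added Python example that is not part of the answer or of Monero's code. It assumes the standard ed25519 group order for the reduction (which reproduces the answer's sc_reduce32 value) and uses a constructed stand-in word list, since the real 1626-word English list is not embedded here, so the words it produces are not a usable seed.

```python
import hashlib
import zlib

# Order of the ed25519 base point. sc_reduce32 reduces a 32-byte little-endian
# integer modulo this value, which is what the answer's ./sc_reduce32 tool does.
L = 2**252 + 27742317777372353535851937790883648493


def sc_reduce32(scalar32: bytes) -> bytes:
    """Reduce a 32-byte little-endian scalar mod L; returns 32 LE bytes."""
    return (int.from_bytes(scalar32, "little") % L).to_bytes(32, "little")


def spend_key_from_passphrase(passphrase: str) -> bytes:
    """Mirror the shell pipeline: echo appends a newline, bx hashes the raw bytes."""
    return sc_reduce32(hashlib.sha256((passphrase + "\n").encode()).digest())


def bytes_to_words(key32: bytes, wordlist: list, prefix_len: int = 3) -> list:
    """Monero's Electrum-style encoding: each 4-byte LE chunk yields three word
    indices; the 25th word repeats whichever of the 24 words is selected by
    CRC32 over the first prefix_len letters of all 24 words, modulo 24."""
    n = len(wordlist)
    words = []
    for i in range(0, len(key32), 4):
        x = int.from_bytes(key32[i:i + 4], "little")
        w1 = x % n
        w2 = (x // n + w1) % n
        w3 = (x // n // n + w2) % n
        words += [wordlist[w1], wordlist[w2], wordlist[w3]]
    prefixes = "".join(w[:prefix_len] for w in words)
    return words + [words[zlib.crc32(prefixes.encode()) % len(words)]]


def words_to_bytes(words: list, wordlist: list, prefix_len: int = 3) -> bytes:
    """Inverse of bytes_to_words; rejects a mnemonic whose checksum word is wrong."""
    n = len(wordlist)
    body = words[:-1]
    prefixes = "".join(w[:prefix_len] for w in body)
    if words[-1] != body[zlib.crc32(prefixes.encode()) % len(body)]:
        raise ValueError("checksum word does not match the other 24 words")
    idx = [wordlist.index(w) for w in body]
    out = b""
    for w1, w2, w3 in zip(idx[0::3], idx[1::3], idx[2::3]):
        x = w1 + n * ((n - w1 + w2) % n) + n * n * ((n - w2 + w3) % n)
        out += x.to_bytes(4, "little")
    return out


# Constructed stand-in for the real 1626-word English list, which is not embedded
# here: it exercises the arithmetic only, so the words it yields are not a seed.
STAND_IN_WORDLIST = [f"w{i}" for i in range(1626)]
```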
2

I remember reading somewhere, I think it was fluffypony mentioning one could use for example words from a letter to a loved one seed for a Monero wallet. But from playing with https://xmr.llcoins.net/addresstests.html I realized that it is not possible to enter just any text in the mnemonic seed;

I don't know what exactly he mentioned, but I'd guess he meant hiding the mnemonic words in a poem created for the sole purpose of it, or something along those lines. Only words of the dictionary can be used, and you can see which those are if you look at the code here. There are exactly 1626 words. I wouldn't consider this approach safe because if anyone assumed you did hide some 25 words in a poem, he could compare the poem against the dictionary and isolate the words that belong to both the poem and the mnemonic dictionary. Then, he'd have a lot less guesswork to do in order to try and brute-force the correct mnemonic.

Regarding the second part of your question, I'd strongly advise against generating a seed by any other means than a good random number generator (even by rolling physical dice, for the extra paranoid - you need 100 rolls to get the 256 bits of entropy). Our brain is horrible at producing true randomness, and hashing a passphrase has reduced entropy. If someone knew the scheme, he doesn't have to try and guess all possible seeds but can limit his guesses to only those that are the result of hashing a passphrase. This is exactly how many people lost bitcoins, by using weak passphrases for brain wallets.

IMO, the best way would be to just generate it randomly by using moneroaddress.org on an offline computer, and then remember the 25 words generated, or think of a good way to hide them.

While it is true that checking for balance takes a while, the point made by PyRulez is an important one. If someone knows your address, he doesn't need to scan the blockchain anymore to verify that he made a correct guess. But yes, just taking random guesses to try and find any address with a balance to loot is way more expensive to do with Monero than with Bitcoin.

Edit: We could say that generating some long enough text with some personal info and then hashing it would be safe enough. Like "I bought my first yacht with Monero. It's 1983m long." where 1983 could be your birth year or something. That's 53 chars and probably not brute-forceable, but now that I've published this idea, anyone could try some number of variations of it and see if he gets lucky.

JollyMort