Gaining unauthorized access to financial accounts and withdrawing funds is an insidious attack that plays out repeatedly on deposit accounts at financial institutions, but what happens when the account is stored in the account-holder’s brain and the funds on the blockchain? Enter the world of Bitcoin brain wallets.
Successful account takeovers are commonly link to social engineering, identity theft, the use of malicious code, and breach of familial trust. However, regardless of the method employed, in each case a digital credential-holding platform is exploited.
Bitcoin enables users to create a variety of wallets for storing credentials that secure digital currency in a blockchain. The most secure wallets are not connected to the internet where they are vulnerable to attack. Bitcoin wallets store credentials, not bitcoin, and the host comes in several forms: (1) cloud wallets, (2) mobile wallets, (3) USB cold storage wallets, (4) paper wallets, and (5) brain wallets. All of these wallets use random data to create unique private encryption keys that are required to access funds stored in the blockchain. For example, a private encryption key that is impractical to recreate by brute force attack can easily be generated by applying a strong encryption algorithm to twelve randomly selected dictionary words.
Perhaps the least known Bitcoin wallet is the brain wallet. With the brain as its host, the brain wallet enables the Bitcoin user to exercise global mobility without concern of losing their encryption key through the loss, destruction or confiscation of a computing device or a piece of paper. The brain wallet also protects against loss arising from fraud committed by unscrupulous exchange operators who provide wallet custody services on their cloud platforms. At this point, you are likely wondering how brain wallets are created, so we will take a look at this next.
Whereas wallet apps create entropy by randomly selecting dictionary words and organizing them indiscriminately to create unique private encryption keys, the brain wallet relies on the user to provide the random input that is converted by a cryptographic algorithm into a private key. The process of creating a brain wallet is fairly straight forward. Brain wallet generators can be found online; however, the utilities should only be used on devices that are disconnected from the internet. The wallet generator will prompt the user to enter a passphrase and confirm it. Unlike typical passphrases, Bitcoin brain wallet generators accept spaces between words and allows the user to enter a significant amount of data. For example, a brain wallet can be created using the full text or a few pages from Dr. Seuss’ Green Eggs and Ham. Having committed this book to memory after reading it to my kids repeatedly when they were toddlers, I recognize that this is a very viable option. Using several pages from the book as a passphrase, a user would be able to create a private encryption key and regenerate it from anywhere in the world. To access their bitcoin, the user would simply import their private encryption key into a wallet app stored on a computing device such as a smartphone.
While the value of a brain wallet may not be readily apparent to many people living in stable economies, this form of value storage provides a potential wealth preservation strategy for refugees displaced from nations ravaged by civil war. Having said that, the verdict is out as to whether the use of brain wallets will gain traction more generally.
At first glance, a full page from a book may appear to be more secure than using password123 as a passphrase; however, it may be just as vulnerable to hacking. When using brain wallets, there are some important caveats that must be observed.
Brain wallets that rely solely upon memory are vulnerable to memory loss and this is problematic because loss of access to a Bitcoin private key renders the associated bitcoins inaccessible; there is no back-door trick to access bitcoin when encryption keys are lost. There is, however, a more immediate threat. Fraudsters are actively taking over Bitcoin brain wallets that are created with weak passphrases using servers that perform brute force attacks based on music lyrics, academic papers, books, and other published works. Coindesk reported on a test of the efficacy of these attacks, and the findings were startling. A researcher generated several brain wallets based on content from published works. One wallet was hacked within seconds of creation, and within 13 hours all of the other wallets were hacked, and the funds were depleted.
Prospective users of Bitcoin brain wallets should take note that using verbatim passages from published works can be as ineffective as the proverbial password123 password. Complexity can be added to the brain wallet passphrase by combining words and phrases from a variety of sources including some randomness from the brain creating the wallet. Finally, to mitigate the risk of memory loss, brain wallet passphrases should be hard to guess but easy to remember.
Jeff Bryan, MA, BA, CBP, CFE