Remove brainwallets from site #106

Open
wants to merge 3 commits into
base: master

dabura667
Contributor

Maybe replace with BIP39 / A tool that can generate offline transactions for brainwallets without showing the address / WIF private key to the user.

All tools that show the user a WIF private key and Address in response to a passphrase with a single SHA256 algorithm with 0 key stretching are just asking for people to lose money.

I understand this is a key functionality of your site that is one of the main functions people use it for, but that is also the presentation at DEFCON has served as a well needed wakeup call for people relying on bad brainwallets.

Alternative solutions:

  1. Implement stringent password requirements that will search input for common dictionary words / simple replacements of letters with symbols (s > $; a > @) and outright REFUSE INPUT if not met.
  2. Implement strong key stretching.

As for backwards compatibility, you could make some tool to aid in recovery.
(like https://bip32jp.github.io/english/recoverbrainwallet.html )

Thanks for the consideration.

(The pull request was more symbolic than anything, so I might have missed some stuff to delete/fix)
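
The two alternative solutions listed in the comment above (refusing weak input, then key stretching), sketched next to the single-SHA256 scheme. This is an added example, not code from the pull request or the site; the word list, the substitution map, the salt parameter and the PBKDF2 iteration count are assumptions.

```python
import hashlib

# Constructed sample list; a real check would load a large dictionary.
COMMON_WORDS = ["bitcoin", "correct", "dragon", "horse", "letmein",
                "password", "satoshi", "wallet"]
# Undo simple symbol-for-letter swaps (s > $; a > @, ...) before matching.
LEET = str.maketrans({"$": "s", "@": "a", "0": "o", "1": "l",
                      "3": "e", "5": "s", "7": "t", "!": "i"})


def weak_reason(passphrase, min_len=20):
    """Return why the passphrase is refused, or None if it passes."""
    if len(passphrase) < min_len:
        return "too short"
    normalized = passphrase.lower().translate(LEET)
    for word in COMMON_WORDS:
        if word in normalized:
            return "contains common word: " + word
    return None


def legacy_key(passphrase):
    """Scheme criticised above: one unsalted SHA256 pass, no stretching."""
    return hashlib.sha256(passphrase.encode("utf-8")).digest()


def stretched_key(passphrase, salt, iterations=600_000):
    """Refuse weak input, then derive 32 bytes with salted PBKDF2-HMAC-SHA256.

    The salt (for example the owner's e-mail address) and the iteration
    count are assumptions; both must be remembered to recover the key.
    """
    reason = weak_reason(passphrase)
    if reason is not None:
        raise ValueError("passphrase refused: " + reason)
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                               salt.encode("utf-8"), iterations, dklen=32)


if __name__ == "__main__":
    sample = "vq7-Trellis-umbra-Knoll-94"  # constructed sample passphrase
    print("legacy   :", legacy_key(sample).hex())
    print("stretched:", stretched_key(sample, "owner@example.invalid").hex())
    print("refused  :", weak_reason("P@$$w0rd P@$$w0rd P@$$w0rd"))
```

With a per-user salt, one guessing pass no longer tests every wallet at once, and each guess costs `iterations` HMAC computations instead of a single hash.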

@pointbiz
Owner

pointbiz commented Aug 8, 2015

Using SHA256 to make a Bitcoin Private Key has been around for a long time and people were doing it before it was available on my site. People requested this functionality and doing the SHA256 on my site can help people avoid needing another tool to accomplish their objective. However, your pull request leaves the ability to do the SHA256(passphrase) on the wallet details tab which was the first place I put this functionality because I didn't want to make it easy (then people kept asking for it cause they didn't know it was buried in this way).

At some point in time the idea of "SHA256(entropy)" turned into "SHA256(brain_entropy)" and the meme Brain Wallet was created. I'm not a fan of Brain Wallets and you could easily call the Brain Wallet a "Deterministic Wallet". This was a de facto standard before BIP32/39 came along.

I have plans to add BIP32/39 support. I'd like to provide a few different random number generator options with at least one that guides you through providing physical randomness (like dice rolls) and combine this with BIP32/39. When that overhaul is accomplished it will make more sense at that time to do the removal suggested here.
