To those saying a pass-phrase based key can't be used because it lacks entropy have obviously never heard of Password Based Key Derivative Functions
http://en.wikipedia.org/wiki/PBKDF2To those that haven't heard of key derivitives they work because instead of taking a hash of the passphrase (i.e. "This is my secure bitcoin passphrase"), you take a hash of the hash of the hash of the hash of the hash of hash ..... (n iterations later) of the passphrase.
Also a random salt is chosen at the time of password generation and is added to each round of hashing.
To make it brute force proof one simply needs to pick a large enough n so that it takes a "non trivial" amount of time to hash one password.
Current top of line GPU can perform < 1 GH/s.
So you make n = something in the magnitude of 10 million.
An example program would prompt the user for 4 randomly chosen words (w1,w2,w3,w4) and a 4 digit number (p). (You could have the program not generate a key for words which are too common to improve security).
passphrase = w1+w2+w3+w4
p = salt
n = p * 2^12 (the 2^12 is a constant to match all possible 4 digit p's to a n in the range we need (~10M so it takes a GPU a "non-trivial" amount of time to complete).
Now simply run a key derivative function which uses a pass-phrase of "w1+w2+w3+w4" iterates n times with each round salted with p.
...
a single 1 GHash/s GPU making 30 attempts per second would take nearly 11 million years to try all possible combinations of passwords and salts.
However that is just one GPU. What if deepbit pool tried to brute force the key? With 5THashes/s of computing power it would only take deepbit ~3,400 years. Another way to look at it is the entire deepbit pool would need to work for 34 years 24/7/365 just to have a 1% chance of breaking the private key.
To regenerate the private key in the future the user would simply need to remember the 4 words and 4 digit pin. Hopefully this gets some people thinking.
Sorry for necroing this thread, but I couldn't leave the previous post as the last post. It makes some bad assumptions. First, while it would take a lot of computing power to crack a single private key generated by this method, it would take much less effort to find a private key generated by this method if a million keys were generated. That is the basic flaw in using any kind of algorithm to generate a private key from a smaller key. Second, given the constant exponential increase in computing power, all the estimates above will be cut by a factor of 100 in only a decade or so.
The only real criteria for the safety of a private key algorithm is whether or not it is more efficient to mine BTC or to look for the private keys. If the method above were to become popular, then it could be more efficient to look for the generated private keys than it would be to mine, and the algorithm would not be safe.
