Standardization is not intended to make public parameters implicit... it is intended to make its format compatible between different implementations.

Take a step back.  The reason for a brain wallet isn't just to avoid writing "something" down.  It is to avoid writing a SECRET down.  Once a secret is written down it can be compromised or lost.  

The implementation isn't a secret and having that "written down" (as in drop a copy in your google docs folder, drop box, filing cabinet, email it to yourself, etc) doesn't represent a risk of compromise.

A universal standard is like a utopia.  It probably will never happen.

I have used this cartoon before but it is (sadly) accurate.


Maybe a universal standard will happen but I honestly doubt it.  There will always be differing opinions between authors on implementation aspects.  An interim goal would be to push that all deterministic wallets provide specific details (not code) on the entire process ("secret" -> set of private keys) in plain text format for archiving which would make reconstruction without any access to current code possible.  That would provide at least some level of disaster recovery in the event no existing wallet is compatible.

A kid's question:

A kid (9 years old) asked me why he can't make a long passphrase just repeating one letter, and I coudn't answer properly.

Example: kkkkkkkkkkkkkkkkkkkkkkkkkkkkkkbitcoin
(30 k's and the word bitcoin)

But I do know the generation scheme:  Ask a human to generate a secure password.

This is something humans are not good at and so they are prone to doing things like ... picking passwords with a repeated character (or, alternatively completely avoiding repeated characters). For example, here are some of the cracked mtgox passwords (all except the Us were using the more secure freebsd crypt scheme): uuuuuuuuu, ggggggggggg, 999999999q, qqqqqq123, 111111111a, 999999999, 88888888, 99999999.

Uniformly probable uncertain length between 1-33 adds only 5 bits of entropy to the repeated character model.   Meaning that if you're already doing "every character repeated" (which is obviously a useful model which cracking tools already include) searching all of those lengths only increases your workfactor by 32.

addendum to my previous post:
there is evidence that some people are "mining" for password-generated bitcoin addresses;
in other words, they are using the brute force of their computers in order to discover passwords.

if you use a deterministic wallet such as Electrum, do not trust yourself for inventing a seed that is complex enough; use the seed provided by the software.

Is the argument really along the lines of "You're too stupid to create your own password."?

My approach:

PrivKey1: sha256 x5 "my long passphrase"
PrivKey2: sha256 x6 "my long passphrase"
PrivKey3: sha256 x7 "my long passphrase"
PrivKey4: sha256 x8 "my long passphrase"
etc.

I might forget that I started at x5 at some point, but it doesn't matter much.

PrivKey1: sha256("my long passphrase1")
PrivKey2: sha256("my long passphrase2")
PrivKey3: sha256("my long passphrase3")
PrivKey4: sha256("my long passphrase4")

anything wrong with that?

You surely know "correct horse battery staple":
https://xkcd.com/936/

The there calculated 550 years (instead of 3 days) do *not* come from "attacker tries every possible combination of small letters up to 25 letters (that would be much much more than 550 years), but precisely assuming what you did, that the attacker has a dictionary with one-, two thousand words where he shuffles them to different combinations of four words.

I couldn't really believe it when I first thought about it, and found much more detailed calculations to exactly this example somewhere.

Ente