On Making High-Entropy Paper Wallets

mircea_popescu: random is a scam.

Indeed, you should need no more convincing on the matter of randomness. MP said so, and he has a way of calling the shotsi.

Since random is a scam, Random Number Generators (RNGs) are most definitely not random and therefore quite undeserving of our trust.ii. This being so, we have two choices: (1) we can pout and wave our futile little fists at the sky, or (2) we can generate some good ol’ fashioned entropy.

Entropy, for those who’ve forgotten their klassroom fisiks, is the degree of disorder in a system. We should be most familiar with this concept from the Second Law of Thermodynamics, which states that the world acts spontaneously to minimize potentialsiii or, equivalently, maximize entropy. In information theory, entropy is measured in bits, where one bit of entropy is equivalent to the uncertainty of a single coin flip, two bits is two flips, and so on.

So why does entropy matter to Bitcoin? Because entropy is all about collisions and therefore the likelihood of brute-forcing an input based on the output. As such, entropy is the core of private key security.

For many users, a strong password and a USB back-up are the only tools implemented in wallet security. With a desktop clientiv, a web-based walletv, or  bitaddress.org’s paper walletsvi, we’re trusting someone else’s interpretation of “adequate entropy”. As much as Bitcoiners loooove trusting, let’s not and say we did.

Generating secure and highly entropic private keys is of the utmost importance, and it’s easy enough to do on our own. Here are the steps:

1. Visit bitaddress.org
2. Save the page as an HTML file to a USB key.
3. Safely remove the USB and plug it into an offline computer running a clean OS.
4. Open the HTML file and click on “Brain Wallet”vii.
5. Since your own vocabulary is inadequateviii,  derive an 10-word (minimum) passphrase using five (5) dice and this 7776-word English dicelist, this Romanian dicelist, or one of these other non-English language dicelists.
6. Click “View”, then print 2 copies.
7. Clear the browsing history, safely eject the USB drive, and restart the computer.

Voila! You now have a high-entropy private key on a paper wallet (aka cold storage)!

You should keep each copy of the paper wallet in a different location, and even cut each piece in half and store them separately so that the compromising of one location doesn’t compromise your savings. Laminating each piece will also protect from age-related fading and moisture damage.

That’s it! You’re now your own bank.

Welcome to Bitcoin.

___ ___ ___

  1. See Bitcoin as a currency, Mt. Gox, Bitcoin Foundation, and as the King of Siam would say: “etsetera, etsetera, etsetera”. []
  2. RNGs, then, are as intentionally gibbled as the rest of our our digital security. []
  3. This sounds suspiciously like the present state of affairs in the modern welfare state, where the masses distribute and diffuse the achievements of the productive few. []
  4. Like Bitcoin-qt or MultiBit []
  5. I personally find blockchain.info to be quite well designed []
  6. Paper wallets created in offline environments on a clean OS aren’t “unhackable” if the private key doesn’t have enough entropy. bitaddress.org currently relies on cursor movement, which won’t cut the mustard no matter how much caffeine you’ve had today. The amount of entropy that a Javascript interface such as this  generates is just too small to be considered safe. From the bitaddress.org GitHub post: “2014-01-18: status ACTIVE bitaddress.org-v2.8.0-SHA1-87dcf19f02ee9fb9dd3a8c787bcf52eef944aa82.html – more entropy from browser fingerprinting for PRNG seed – user can add entropy through URL hash tag – seed mouse movement as 16-bit number” 16 FUCKING BITS! That’s equivalent to choosing a single-word “passphrase” from a 66,000 word dictionary => log2(66000) ? 16.01 bits, which is plainly inadequate. []
  7. This function uses SHA256 to hash your passphrase. One sincerely hopes. []
  8. You don’t want to end up like this chump, do you? []

37 thoughts on “On Making High-Entropy Paper Wallets

  1. Nick Jachelson says:

    Bitcoin inherently makes dumb people lose their money. As simple as the above paper wallet guide is, most people will not use it. Remember, you had people keeping 1,000+ BTC on Gox. The most common passwords are still “1234” and “password”.

    I have decided that until somebody makes bitcoin idiot-proof it’s probably a bad thing to try and encourage more adoption.

    • Bitcoin Pete says:


      Encouraging the adoption of Bitcoin is no worse than encouraging people to understand anything else in this world. The numerically and financially illiterate are more subtly taken advantage of with student loans, credits cards, inflation, advertising, and a million other things.

      Bitcoin is at least explicit. And it begs important questions that most people wouldn’t otherwise consider.

  2. […] technical hurdles in simply securing a wallet and continual butthurt of those who fail to do so indicates […]

  3. […] because of their delusions of digital security, Bitcoiners still aren’t making high-entropy paper wallets. It’s a lot of work, granted, but tripping over each other to host your coins on some […]

  4. […] Bitcoin safely. They can use webwallets, maybe even Circle’s fiat-denominated turdsicle, but high-entropy paper wallets require time and equipment not readily available to them. […]

  5. […] best way to keep your bitcoins offsite and offline is with a high-entropy paper wallet. […]

  6. […] of ideas”), SchellingCoin, Mastercoin, Orisi, bit-thereum (speculative), high-entropy paper wallets, some communist […]

  7. […] must be referring to those high entropy paper wallets everyone is always talking about. […]

  8. […] is equally fucked, what with Circle offering… shit on a stick. You just can’t beat a high-entropy paper wallet, Bitcoin QT, or MultiBit. […]

  9. […] Mycelium’s Entropy USB dongle and high entropy paper wallets. […]

  10. […] a secure passphrase. It’s recommended that you use dice to generate this, as you would for a Bitcoin paper wallet. 7. Do some unrelated work while the key generates. 8. Voila! You now have a GPG keypair! 9. Click […]

  11. […] plastic food, being excessive sessile, taking on more than modest amounts of debt, using webwallets, reading CoinDesk, having Facebook/LinkedIn accounts, buying altcoins, using cloud storage, using […]

  12. […] you have any Bitcoin at all, Step 1 is securing your coins. Treat even your fractions of Bitcoin like they’re worth the moon and you’ll be justly […]

  13. […] security: while some users still use “Password123″ on their webwallet, others are getting smarter about how they store their coins. Heartbleed and Shellshock also raised awareness about our […]

  14. […] angle can be eliminated with USB backups, but all things digital being also corruptible, we can use high-entropy paper wallets instead. Not that paper wallets don’t have their drawbacks, ink and paper can still fade and […]

  15. Jautenim says:

    Do you have any more insightful thoughts on securing the physical paper wallet, besides just splitting it in two (, dear Sir)?

    • Splitting it in three?

    • Jautenim says:

      Thank you. I sat down for a while thinking hard and it eventually sank in.

      By the way during my due diligence I stumbled upon WarpWallet: https://keybase.io/warp

      It works essentially the same as Bitaddress.org’s brain wallet option, but it actually does over 500k iterations of key stretching on your passphrase instead of hashing it straight way, as well as gently remind you to use a salt value. On my box it takes it over 20 seconds to spit a key pair, versus Bitaddress’ immediateness. Worth checking it out, IMO.

    • Isn’t keybase the thing where you give them your PGP private key?

      Those guys are a bit too “user friendly” and not skeptical enough for my liking. Not sure I’d give them an attack vector.

    • Jautenim says:

      You don’t have to use their service. It’s a standalone webpage that you can download and open in an offline computer. No questions asked, just as Bitaddress, but with a good run of PBKDF2 and scrypt key stretching before sha256shing the passphrase.

  16. […] used bc.info for ~2 years for storing pocket change (real money goes on paper wallets), but after this little exercise, I don’t even store that there, or on any webwallet for that […]

  17. […] gold mining – being early,ii holding on to your winnings, dodging wallet inspectors, keeping private keys safe… Many started out on this journey, far fewer survived. Just as it should […]

  18. […] : There are proper ways to store your bitcoins, namely paper wallets, and there are improper ways, namely webwallets (see […]

  19. lobbes says:

    Thank you for this guide / lesson on entropy. It is about time I moved some of my savings to cold storage, but I haven’t trusted many of the ‘paper wallet generators/guides’ out there.

  20. […] dirigible to make your getaway. With Bitcoin, whether you’re carrying a brainwallet, a paper wallet, or a USB key, you’re as agile and mobile as an acrobat in the Cirque du […]

  21. […] Four-hundred steps just to put on a space suit when you can’t handle 10 steps to make a paper wallet or create and register a PGP key ? Seriously. Space is obscenely, impossibly, literally […]

  22. Mitchell says:

    PD, do you use bip38 ?

  23. […] you’ve already secured your bitcoins with a high-entropy paper wallet or an airgapped machine, this is the next step in your journey to create a better world. […]

  24. […] no way and under no circumstances encouraged to use Coinbase, Trezor, or an exchange wallet. Use a paper wallet if nothing else! […]

  25. […] high-entropy diceware passphrase generation (eg. paper wallets) you’re tasked with rolling five dice on a flat, even surfacei and recording the outcomes […]

  26. […] much anyone doing anything with Bitcoin, even something as simple as securing coins properly, is in their mid-20s to late-30s. Jack’s in his mid-40s even though, iirc, his kid is about […]

  27. […] is a tricky business, as we know, so 0.028BTC for FUCKGOATS is an exceedingly modest sum for an auditable and WoT-manufactured […]

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>