How long would it take to crack an 8-word brain wallet?


Assuming my private key for a bitcoin wallet is derived from SHA256(passphrase) and the passphrase is 8 words long, how long would it take the average attacker to crack my bitcoin wallet through a bruteforce dictionary attack?

Assume there are no other characters besides letters.


Posted 2013-04-10T05:06:44.177

Reputation: 41

How big is your dictionary? Is it the entire OED, or the 1000 most commonly used words? Are the words chosen randomly, or did you make up a sentence yourself? How powerful is your attacker? Are they a massive state-sponsored effort, or a guy controlling a botnet? – Nick ODell – 2013-04-10T05:11:59.467

Was the brain wallet generated on a machine only you control? If not, then about 2 seconds; otherwise see below. – Gary Rowe – 2013-04-10T13:32:44.467



A very, very long time.

The Oxford English Dictionary contains full entries for 171,476 words in current use.

If you use only lower case letters and they are mostly random words (no phrases - "four score and seven years ago" is like having your password be "secret"), there are about 7.47e41 possibilities.

At 50 million attempts per second, it'll be about 4.74e26 years.

The current estimate for the age of the universe is 1.2e12 years.

If you reduce it to just the most commonly used 1000 words, at 50m guesses a second, it's reduced to 634,195,839 years.

That's pretty secure for a password.


Posted 2013-04-10T05:06:44.177

Reputation: 366


Google gives 171476 choose 8 as 1.854e37. Still very big. – fbrereto – 2013-04-10T05:26:51.893

I fixed my math (paste error). They don't match yours because "choose 8" assumes unique words without order (we are looking for permutations, not combinations). I used 171476 ** 8 to get my number and then approximated it. – Ben – 2013-04-10T05:59:55.073


Sorry, but your question is a bit vague. If the words form a sentence, then not as long as you might otherwise think. If the words are chosen randomly, then it's not really a brain wallet, and you are likely much more secure using a 12-word BIP39 mnemonic, which is standardized and can generally be relied upon for 128 bits of entropy. Most wallets in common use these days (especially hardware wallets) use a reliable implementation of BIP39 and a quality RNG.

If you choose the words yourself, and they do not form a sentence, and they are not random, you are likely to be limiting yourself to a much shorter wordlist than you think, and your resulting brainwallet can be bruteforced (if that is even necessary) much sooner than anyone might calculate. I'm not a linguistics expert, but I would hazard a guess and say that the working vocabulary of most people is made up of fewer than 1,000 words, even if they may recognize 10,000 or more. That would give you, at best, roughly 80 bits of entropy for an 8-word passphrase. If the words form a sentence, then entropy drops significantly, because the rules of grammar apply and therefore limit word choices. An article or a noun are the types most likely to be chosen as the first word, for example.

The prevailing wisdom is to avoid the brainwallet concept altogether. I would agree, unless you are really that good at creating a password/passphrase with high apparent entropy to potential crackers, and high memorability for yourself. Most people aren't.

John C.

Posted 2013-04-10T05:06:44.177

Reputation: 59
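The figures quoted in the answers and comments above can be reproduced with the following added example, which is not part of any of the original posts. It compares the three counting models that came up in the thread (ordered with repetition, ordered without repetition, and "choose 8") and converts each keyspace to bits of entropy and years to exhaust. The function names and the 365-day year are assumptions of this sketch, and every result is an upper bound that holds only if each word is drawn uniformly at random from the list.

```python
import math

# Assumption: a 365-day year, which reproduces the 634,195,839-year figure above.
SECONDS_PER_YEAR = 365 * 24 * 3600

def keyspace(wordlist_size, words, model="ordered_repeat"):
    """Number of candidate passphrases under a given counting model."""
    if model == "ordered_repeat":      # N ** k: order matters, repeats allowed
        return wordlist_size ** words
    if model == "ordered_unique":      # permutations: order matters, no repeats
        return math.perm(wordlist_size, words)
    if model == "unordered_unique":    # combinations: the "N choose k" figure
        return math.comb(wordlist_size, words)
    raise ValueError(f"unknown model: {model}")

def entropy_bits(space):
    """Entropy in bits, valid only for a uniform random choice over the space."""
    return math.log2(space)

def years_to_exhaust(space, guesses_per_second):
    """Whole years to try every candidate; the average hit comes at half this."""
    return space // (guesses_per_second * SECONDS_PER_YEAR)

def report(wordlist_size, words=8, guesses_per_second=50_000_000):
    """Rows of (model, keyspace, bits, years) for one wordlist size."""
    rows = []
    for model in ("ordered_repeat", "ordered_unique", "unordered_unique"):
        space = keyspace(wordlist_size, words, model)
        rows.append((model, space, entropy_bits(space),
                     years_to_exhaust(space, guesses_per_second)))
    return rows

if __name__ == "__main__":
    # Wordlist sizes taken from the thread: full OED count and a 1000-word list.
    for size in (171_476, 1_000):
        print(f"wordlist size {size}")
        for model, space, bits, years in report(size):
            print(f"  {model:17s} {space:.3e} candidates  "
                  f"{bits:6.1f} bits  {years:.3e} years")
```

A passphrase that forms a sentence, or words picked by a person rather than a random source, has a much smaller effective keyspace than any of these rows.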