What is a vanity address?

In a previous piece I discussed how bitcoin addresses are generated. As such, through the use of some algorithms (specifically SHA-256 and RIPEMD-160), a 26–35 character alphanumeric string is produced which allows you to send and receive bitcoins.

Example bitcoin address:

1PMycacnJaSqwwJqjawXBErnLsZ7RkXUAs

But let’s say that you want a specific word or combination of characters in your bitcoin address — how can you generate this?

Vanity Address Generation

A valid bitcoin address which contains human-readable messages or specifically chosen combinations of characters is referred to as a `vanity address`. They are generated using the same algorithmic process as any other bitcoin address, but this process is repeated until the desired combination of characters is achieved. In order to reduce the number of times the bitcoin address generation process is run, there are some optimisations such as VanityGen, which is a command-line vanity bitcoin address generator. However, whilst this helps speed up the process a little, it is still a compute-intensive process!

Take the desired string `1TaraLovesBTC…` which is 12 characters of precision after the leading 1 (indicating that it’s a P2PKH address). Generating a bitcoin address with this prefix would be expected to take around 11.7 million years! This is because, even with the VanityGen optimisation, the process of finding this address would require billions of public-private key pairs to be generated and then converted to the bitcoin address format — discarding any which don’t start with the desired result.

However, if we instead wish to generate an address with a lower number of specified characters then the generation time can become more feasible:

As an example, using the vanity address generation websites NiceWalletAddress.com and BitcoinVanityGen.com, the vanity address starting with `1tarabtc….` would take approximately 1 week and would cost 0.1BTC (c$800) on NWA and 0.0281BTC (c$200) on BVG.

But how secure are vanity addresses in comparison to a normal bitcoin address?

Vanity Address Security

Albeit with some optimisations in the generation process, the creation of a vanity address uses the same process as any other bitcoin address. As such it is no more or less secure than any other bitcoin address in how it is generated. However, many vanity addresses are generated by 3rd parties such as vanity address services or vanity mining pools, and this means that they may have knowledge of the private key.

The concern here is that if they maintain a copy of the private key, they could eventually use this to transfer any funds which have been received by the vanity address.

To try to mitigate this risk, many vanity address generation services offer a merged key process whereby the user generates a public-private key pair and their public key is used by the service to create a complementary public key which leads to the vanity address. The user is then able to merge their private key with the complementary private key in order to ensure only they have access to any funds within the vanity address.

However, in addition to the generation process, the security of vanity addresses should be considered in their use.

Some businesses may prefer to use vanity addresses as they believe it offers them additional protection from a practice known as `spoofing` — where a bitcoin address is swapped out by a malicious actor. As such, if they have a generic bitcoin address then it is unlikely a user will be able to spot the change, whereas if the user expects to see a vanity address then they may be alerted to the change. However, it’s important to note that both generic and vanity addresses can be spoofed. Take for example:

1J7mdg5WxGENmwyJP9xuGhG5KRzu99BBCX

and

1J7mdgYqyNd4ya3UEcq31Q7sqRMXw2XZ6n

As such, even a 5 character match here could be easily misread as being the same address. Therefore using more characters of precision or human-readable keywords can make it easier for users to check the validity of an address and more expensive for malicious actors to attempt to compute a replica.

As a cryptocurrency user it is good practice to check both the first few and the last few characters of an address, since a spoof address would then have to match a larger number of characters, which makes it less likely that one can be used.

Vanity Address Use

An example of a vanity address being used in the wild is BitAddress.org’s donation address which features the keyword `Ninja`:

There is also a thread dedicated to discussions about vanity addresses on the bitcointalk forum where users share the most impressive vanity addresses they have generated, such as:

1BigHit9XN991TquuvZpDB9dSV52v9pY9w (The specified characters of ‘BigHit9x’ represent large crypto profits)

1BatmanboAGH7NortEu45PcnVXHnJKcyH3 (although not a particularly hard one to compute as it is only 6 specified characters, having batman in your bitcoin address is still quite cool)

1attackerpKQNRBrmzhYkmoofg9nWeNC2 (probably not the most user-friendly address to use, but with 8 years needed for a 50% chance of finding it, the poster was keen to keep it)

Similarly, some users are interested in vanity addresses which may have certain properties rather than containing human-readable words, such as:

1234mNnAPb8YnCsbacaNhB4BqwxB4U4321

this palindromic address has the same 4 characters at the beginning and end!

11111i4VTdHkzFqV2a4jntfZkdVk6B

this address has 6 leading ‘1’s

1CFBdvaiZgZPTZERqnezAtDQJuGHKoHSzg

this address contains only letters (except the initial 1) — this is actually a relatively common character pattern, with a 1 in 216 chance for any 34-character address which is generated

1QBDLYTDFHHZAABYSKGKPWKLSXZWCCJQBX

this address contains only capital letters and is expected to take around 70 days to generate.

Vanity addresses can therefore be a useful tool for services to help users know where to send funds, but as we’ve seen can also be used maliciously to spoof users into sending funds to the wrong locations. They should therefore be used with caution.
