Topic: 12 Word Recovery Phrase - a security weakness? My (free and simple!) solution(s) - page 2. (Read 516 times)

You beed much more information than just a title/author. You need publisher, year of publication, release number etc. For book written in different language you need translator name. That’s why ISBN is used, the same book may be published in different formats, font size etc - any change breaks your triplet constraint.

A more elegant solution would be to make this a brain wallet. Either via a "traditional" brainwallet, or by converting the 12 words to a xprivkey in a non-standard (nor BIP39 compliant) way.

This will allow you to generate the words in a way that is actually random. Even if you were to use software that uses flawed RNG, it will not be as big of a problem because you are using a book that your device will never know about.

This particular solution has issues similar to that of using a brain wallet. For example, if the specific book is not written down anywhere, you may forget which book you are using, or your next of kin will have no way of recovering your coin when you die.

You can mitigate your chances of losing access to the particular version of the book by choosing a book that will likely continue being published, like the bible.

--> Why hide the book?? No-one would know that my keynote refers to it, so it can sit on my shelf with the rest

--> Perhaps, but it seems to me that the chances of Github being shutdown are pretty low... Probably lower than my piece of paper being stolen/lost/burnt in a fire, but perhaps not.

--> The additional passphrase is something I've only just learned about, this seems like it would help me feel more secure, so I'll look into it.

I still feel uncomfortable just keeping the 12 words written down on paper and hidden, so I'm going to use my Book / my Github repo as a 'key' or 'cypher' for the time being... No worries if others find it 'unnecessarily complicated'

With the first solution (book), you are now reliant on hiding an entire book rather just a single piece of paper. If you lose your copy of the book, there is no guarantee you would find the exact same edition again and your coins will be lost. So that's a more difficult back up process and a single point of failure.

With the second solution (Github), you are now reliant on a third party to continue hosting your repo. If your account is banned, or their servers fail, or they shut down, etc., then your coins will be lost. So again, a more difficult process and a single point of failure.

In short, this is unnecessarily complicated and significantly increases the risk of you losing access to your wallets. If you want a set up in which your seed phrase can be compromised without resulting in immediate loss of your funds, then you would be far better off using a standardized method which does not have a single point of failure, such as either an additional passphrase or a multi-sig set up.

I have some remarks:
- instead of keeping 1 “item” safe, now you need to take care of 2 “items”. You are dependent on external services github server must be up and running and you must have access to it etc).
- each word encodes number, why not to store numbers instead of words, if you really do not like the idea of keeping seed safe
- seed is one thing, you may create many different derivation paths using “extra word” (password). To some extend we may say seed means nothing without password (if it was used), so you may even publish your seed if you know that all your coins are accessible using that seed AND password (for example Moby Dick ISBN).
- and the last one - that’s great that people try to invent anything new, but what’s wrong with secret sharing using Shamir algorithm? If you like to keep secrets in several places, maybe it would be interesting for you.

PS discussion also happening on Reddit -

https://www.reddit.com/r/Bitcoin/comments/xtp1s3/12_word_recovery_phrase_a_security_weakness_my/

(TL:DR at the bottom)

The Problem

Every time you create a new BTC wallet, you’ll get a 12 word 'recovery phrase' that needs to be noted down and hidden somewhere, which - to me at least - seems like a pretty gaping security gap. It doesn’t matter whether you write the words down and hide them in your attic, or stamp them on metal and bury them in your garden, the ‘master key’ to your wallet is still just sat somewhere, hoping that no-one finds it. If someone does find it, they can empty your account, and there’s no way you can stop them.

A Quick Definition, for the Uninitiated:

A seed phrase, seed recovery phrase or backup seed phrase is a list of words which store all the information needed to recover Bitcoin funds on-chain. Wallet software will typically generate a seed phrase and instruct the user to write it down *on paper*. If the user's computer breaks or their hard drive becomes corrupted, they can download the same wallet software again and use the paper backup to get their bitcoins back. (From: https://en.bitcoin.it/wiki/Seed_phrase, with my emphasis)

My Inspiration

A friend of mine told me about his ingenious technique for storing his recovery phrase, as I will detail below:

The ‘key’ here was that the notation he actually 'stored' referred to a favourite book of his, which was *unknown* and *not written down*, neither along with the recovery phrase ‘key’ (which I’m going to call ‘keynote’ to save time from now on) nor anywhere else.

For the purposes of the example, let’s say the book was Moby Dick, 1987 edition by Penguin House. Critically, no-one knew the book, so it would be close to impossible for a stranger to crack the code.

His keynote looked as follows:

17, 12, 4
48, 6, 8
174, 8, 1
...and so on…

Each line in this key was formed of a triplet that referred to the page, line and word-number of a specific word, which, when looked up (using the exact correct book), was in fact the relevant ‘recovery word’. In 12 lines, he’d noted all 12 of the words in his recovery phrase without actually giving anything away to a casual reader/attacker. So long as the attacker didn’t know the book it referred to, the recovery phrase would be secure.

In my mind, this seemed pretty impressive. Feel free to use it, substituting his book (which I in fact made up) for your own. BUT don’t forget it needs to refer to a *specific edition & publisher & date*, because each edition will be different, and will give wildly different outputs for any given keynote.
 
The downside to this method is, you’ll have to spend some time actually *finding* each of your keywords in your favourite book, and you might have to cross your fingers that the book in fact does contain the word *at all*. It probably will, but it might not, and it might take you a while to actually find it. Either way, it’s a bit of a ball-ache. As you can see, the method still has some weaknesses.

A New Solution

I created a secret, unknown Github persona, and this persona has uploaded the *entire* bank of 2048 potential Bitcoin recovery phrase words, in randomised order, in 256 rows of 8, to a repo.  *I* know the name of this account, and the name of the specific repo, but an attacker wouldn’t. My keynote now looks something like this:

13, 7
24, 0
…and so on…


Each line refers to the ‘line’ and ‘word number’ referring to my unique words in my recovery phrase. This seems pretty secure to me.
BUT we’re not quite finished.

Firstly, given that I think I might be the only person who’s done this, it probably wouldn’t be too hard for a smart person to find my ’secret’ account and, if they had access to my keynote, steal my Bitcoin.

So Why the Post?

I want to scale this concept so that everyone can use it *and* improve security even further - for all of us. There’s a couple of ways we could do it:

1 - Anyone and everyone could do the same as I did, creating their own repo and pushing a randomised list of recovery words. They could then note their own recovery phrase, in the form of a keynote as described above, secretly referencing their own Github repo. Please feel free to go ahead and do that if you want 🙂. 

OR, even easier (but maybe less secure?!), I could do the following:

I could link my not-so-secret account below, and anyone and everyone - hopefully lots of people - could fork the repo and make their *own* randomised version of the 2048 seed word list.

It would literally just be:
* Fork my repo
* Run something like ‘randomised_seed_words.shuffle’ locally
* Push your new randomised list to your repo

That way, we each wouldn’t necessarily need to use our own account as our personal ‘referent’. In fact, you could pick a random forker and use *their* repo as your referent. No-one would ever know which repo you eventually chose as a referent, so it would make it *pretty damn secure*.

NEXT LEVEL SHIT

Here’s where it could get really cool.

I’m sure there’s someone out there in the community who could help build this, as I don’t think it’s particularly complicated technically. Sadly, however, it’s a little above my technical competence.

We could extend my repo in the following way:

* Have it spin up a micro cloud instance on something like AWS/Google Cloud/Heroku etc (it would need to be free so that lots of people fork it and create their own version without having to spend any money)
* Every day, say at midday UTC, the cloud instance would awaken, create a new, randomised version of the 2048 bank of ‘recovery’ words, and push it to my Git repo.

Ideally, it would be even further extended so that *anyone* could fork it, and just add their own unique details (their Github name, unique repo address, login details for Git & whichever cloud provider we choose).

In this way, we could (hopefully!) have thousands of people all providing their own version of the randomised recovery words, *AND* a new version would be posted to *each* account *every day*, creating *lots* of potential ‘referents’.

What this would mean would be that, for *even higher* levels of security, not only could you choose a random account as your referent, you could also choose a random *day* too, so that there would only be 2 ‘keys’ for you to remember - a Github ID and a date, the ‘day of push’ - which you would memorise, never write down, and keep as your truly ‘secret' keys.

I hope I’m making sense.

If this existed, my secret phrase notes might look very similar as they do now:

13, 7
24, 0
…and so on…

BUT what the attacker would have a *super* hard time discerning would be that, in fact, this ‘keynote’ refers to ShiftyDude6102’s ‘BTC_randomised_recovery_words' repo, and specifically to the push that was made on the 5th April 1975 .

I’m not sure it could get much securer than that.

The only risk I can see is that the person whose account/repo/date-of-push you rely on might delete their account, thus making your keynote refer to a non-existent push. I guess we should therefore ask plebs to only fork the code if they commit to never deleting their account.

In short, if someone could help me with the cloud infrastructure bit, and we could get just a slice of the users of this forum to fork a version to their own repo, add their own personal account details (git and whatever Cloud service we choose to use) and have it make daily pushes of the randomised bank of recovery words, we’d all have a huge set of potential dictionaries from which to derive our security / to which our keynotes could refer, making it possible to close what *I* believe to be the biggest, most insanely broad attack vector of *how and where to store your recovery phrase*.

And, finally, even the people stamping things on metal could take advantage of this, since they could just stamp number pairs instead of entire words onto their thingy-mabobs.

I hope that makes sense. Sorry if it was a bit long. Feedback, as always, very welcome.

If you got this far, thanks for reading! 🙂

--------------------------------------------------------------------------------------------------

TL:DR

* Rather than store your BTC wallet’s ‘seed recovery phrase’ as brute words, which seems insanely insecure to me, you could pick your favourite book and store 12 triplets of [page, line, word-number], thus massively improving your security
* Rather than using a book, you could push a randomised list of the 2048 recovery words to git. In 'real life' you would only need to store 12 number pairs in the format [line, word-number]. It would be even better if you did this with a secret, pseudonymous Github account.
* If someone could help me make this into a simple forkable ‘product', that could spin up a micro cloud instance and have it push a new bank of randomised recovery words to the associated repo *every day*, and possibly even allow others to fork it and do the same using their own unqiue credentials, it could become a super secure, broad resource that all Bitcoiners could use as a referent when storing the 12 words of their recovery phrase.