Pages:
Author

Topic: 12-word seed vs 24-word seed? This seems pretty interesting (Read 548 times)

legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
Now that I'm programming seed phrase generation, at the end of the day, the number of words doesn't really matter, because it's all hashed down via HMAC-512 into a 256-bit master private key (the other 256 bits on the right are the chain code, but that's not really relevant here), so if anyone can crack ECC used in private keys, it's game over for seed phrases unless another keypair-generating method is introduced earlier.
hero member
Activity: 882
Merit: 792
Watch Bitcoin Documentary - https://t.ly/v0Nim
it's a shame that electrum doesn't offer 24 word seeds by default, I know it's possible by entering commands in the console but I'm afraid of compromising security, or doing something stupid, it's a bit off topic but do you know if they have an update planned?
To be honest, if you don't reveal your seed in an ordered way, then you can absolutely feel very secure by 12-word seed alone. You don't actually need 24-word seed.

In my opinion it does not matter if you use 12 word or 24 word seed phrases. IF your seed words get leaked you have an issue no matter what amount of words you have used.
If seed phrase gets leaked in an unordered way, then it can be a problem in case of 12-word seed but not for a 24-word seed. This is proven in that article.

I have to say also the 25 minutes who take maybe are a wrong calculation, because what if he was "lucky" to find the order on 25 minute, but you need to make more and more tries to find out the average time, not only one disorded seed.
Okay, create a wallet with 12-word seed, post phrases in unordered way and I'll honestly tell you how long it takes for me to crack that. Others can join the experiment too, or if you trust, I'll do this experiment myself, put phrases in list randomizer on random.org (if you have better idea, message me) and post the result.
legendary
Activity: 2268
Merit: 18771
I have to say also the 25 minutes who take maybe are a wrong calculation, because what if he was "lucky" to find the order on 25 minute, but you need to make more and more tries to find out the average time, not only one disorded seed.
It's actually pretty accurate.

On my home hardware attempting to descramble a seed phrase from 12 known words, I can test around 115k possibilities a second. 12! / 115,000 = 70 minutes. Given that on average you need to attempt 50% of the possibilities to find the correct one, the average for me to descramble a seed phrase is 35 minutes.

But yes, your other points are correct. It is a pointless scenario because the security of your coins should never rest on an attacker having access to your seed phrase but being unable to descramble it.
jr. member
Activity: 50
Merit: 8
I have to say also the 25 minutes who take maybe are a wrong calculation, because what if he was "lucky" to find the order on 25 minute, but you need to make more and more tries to find out the average time, not only one disorded seed.

Asides of that like a few guys says above, this its not related to BTC or cryptocoins, its all about basic maths and calcus, we know from a long time ago what time or how much tries do you need to solve that.

And obviusly a 24 words can be more safe in that case, but also, we can still go up, why not 36/48/72 etc. No sense

Its like a send a photo of one key of my house to a locksmith, well yes he can make a "fast" copy, and open my house......
hero member
Activity: 1050
Merit: 642
Magic
In my opinion it does not matter if you use 12 word or 24 word seed phrases. IF your seed words get leaked you have an issue no matter what amount of words you have used.

It's weird to see banks now just cover increasing amounts of losses because they're pushing "convenience" instead of security.

Thats just basic economics and the result of the business calculations of the bank. Even if it is weird that they intentionally weaken their security it is just that every business will require to spend money in order to then earn money. So this stolen money is simply a "weird" business expense for the banks. The will then calculate their fees exactly so they will have like 5% or something return on that business expense.
sr. member
Activity: 630
Merit: 277
What's your source of crypto news? I know it won't be one as it shouldn't be but usually, what website(s) do you visit? Your opinion on this task matters because you are a highly valued, knowledgeable member
I tend not to care whatsoever about what these sites class as "news". If you look at the landing page of CoinTelegraph, CoinIdol, etc. on any given day, the top stories are about price speculation, a whole bunch of shitcoins I don't care about, a whole bunch of centralized exchanges or platforms I don't care about, various celebrities or influences I don't care about, clickbait trash like the article being discussed here, and so on. The amount of actual news on these sites is somewhere between zero and none.

What I do care about is bitcoin's development and new advances, and for that I read the bitcoin-dev mailing list, the lightning-dev mailing list, and any relevant discussions on GitHub. I would also recommend the newsletter from https://bitcoinops.org/.
o_e_l_e_o

You have programmed your mind for bitcoin and privacy, every other shits doesn't matter to you and that is the best to do. There are alot of distractions .

Op, people only experiment and scramble seed phrase with zero or few Sats. No one experiments with seed bearing 10's to 100's of BTC. So, it is just a fantazied and dramatically executed idea to have a blog post.
hero member
Activity: 504
Merit: 1065
Crypto Swap Exchange
it's a shame that electrum doesn't offer 24 word seeds by default, I know it's possible by entering commands in the console but I'm afraid of compromising security, or doing something stupid, it's a bit off topic but do you know if they have an update planned?

I am not aware about a potential update from Electrum's dev team

But on linux you can just go with the following command :

Code:
electrum --offline make_seed --nbits=256

I don't see any security risk regarding to this one, if you trust your computer and OS, and do it offline ; everything should be fine
newbie
Activity: 14
Merit: 36
it's a shame that electrum doesn't offer 24 word seeds by default, I know it's possible by entering commands in the console but I'm afraid of compromising security, or doing something stupid, it's a bit off topic but do you know if they have an update planned?
legendary
Activity: 2898
Merit: 1823
There are people who think that its okay to not completely hide your seeds if you remember the way they are ordered but this small experiment makes it pretty clear that one should be more cautious.
No one should consider scrambling their seeds as a way of keeping it away from Intruders, you can forget the actual order and can lose your bitcoins, especially if it's a 24 word seed phrase.

The essence of back ups is the safety of the location which should be as covert as possible to evade detection. If one location does not prove enough then one should consider using more than one location with a multi sig wallet and storing them differently. One getting compromised does not result in loss of funds.

An additional seedphrase which you can store separately is also a good alternative to scrambling the seed phrase.


For BIP-39 compliant wallets, adding a "25th word", which is actually a secret passphrase, in your seed would increase the security of your wallet exceedingly. Make it alpha-numeric, and with symbols included. Plus if a hacker gets your seed words, he/she would have access to a different wallet/address space than the wallet with the added "25th word", with the address space where your Bitcoin is HODLed.
legendary
Activity: 3234
Merit: 5637
Blackjack.fun-Free Raffle-Join&Win $50🎲
Spammy, trash "news" site posts clickbait!? I'm shocked! Tongue
Well, I would say that Cointelegraph is not the best website out there, nor the most reliable one but I wouldn't call it spammy trash news website. What's your source of crypto news? I know it won't be one as it shouldn't be but usually, what website(s) do you visit? Your opinion on this task matters because you are a highly valued, knowledgeable member

I also don't have a good opinion of that news source because they used to pay people to spam links on this forum, and I've honestly avoided them ever since. There are certainly many better sources out there, although everyone probably has their favorite when it comes to cryptocurrency news. One of the better sources that deals with slightly more serious topics (although that's just my subjective assessment) -> BM
legendary
Activity: 4326
Merit: 8950
'The right to privacy matters'
To be fair, even the android phone in your pocket can go through all possible combinations of your PIN and unscramble it, if the hackers can't just social engineer the bank into logging you in in the first place.  Roll Eyes
Good luck with that, I don't do banking on my phone (for this exact reason). It's weird to see banks now just cover increasing amounts of losses because they're pushing "convenience" instead of security. And that's another reason why I like Bitcoin: at least I can choose my own security. If "your" money from your bank account is gone, you have to prove you didn't do it. If your Bitcoins are gone, at least you know it's your own fault.

Major banking theft via online is very hard to get reimbursement from your bank.

edit finishing my point: a major cc theft is protected and fairly easy to fix.



The reason is ⅔ of cc users pay huge interest so banks encourage cc use.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
To be fair, even the android phone in your pocket can go through all possible combinations of your PIN and unscramble it, if the hackers can't just social engineer the bank into logging you in in the first place.  Roll Eyes
Good luck with that, I don't do banking on my phone (for this exact reason). It's weird to see banks now just cover increasing amounts of losses because they're pushing "convenience" instead of security. And that's another reason why I like Bitcoin: at least I can choose my own security. If "your" money from your bank account is gone, you have to prove you didn't do it. If your Bitcoins are gone, at least you know it's your own fault.

Update (I don't want to go further off-topic in a new post):
Major banking theft via online is very hard to get reimbursement from your bank.
Here, bank fraud is often covered. Banks prefer to pay the damages to keep their customers (and just raise their annual fees).
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
So you're saying if I post my 12 seed words online, someone can steal my Bitcoins? What's next, if I post the details for my bank but scramble my PIN, someone can steal my euros too? Shocked

To be fair, even the android phone in your pocket can go through all possible combinations of your PIN and unscramble it, if the hackers can't just social engineer the bank into logging you in in the first place.  Roll Eyes

What's your source of crypto news? I know it won't be one as it shouldn't be but usually, what website(s) do you visit? Your opinion on this task matters because you are a highly valued, knowledgeable member
I tend not to care whatsoever about what these sites class as "news". If you look at the landing page of CoinTelegraph, CoinIdol, etc. on any given day, the top stories are about price speculation, a whole bunch of shitcoins I don't care about, a whole bunch of centralized exchanges or platforms I don't care about, various celebrities or influences I don't care about, clickbait trash like the article being discussed here, and so on. The amount of actual news on these sites is somewhere between zero and none.

What I do care about is bitcoin's development and new advances, and for that I read the bitcoin-dev mailing list, the lightning-dev mailing list, and any relevant discussions on GitHub. I would also recommend the newsletter from https://bitcoinops.org/.

Exactly. I guess trash talk is more marketable and gets more clicks than informative discourse, so that's probably why most sites do what they do.

On the other hand, times are not exactly rosy for digital media empires these days (Buzzfeed trouble, and VICE about to go bust).
legendary
Activity: 994
Merit: 1089
exposing your Bitcoin address with a large amount of Bitcoin within can be hacked which is why Bitcoin mixer was created,
Exposing your BTC address that has a large amount of BTC can make you a target, but it does not mean you'll be hacked, you'll be hacked if you have very bad operational security, and that's whether you expose an address connected to your identity or not. If you use a hardware wallet or an air-gapped computer to store your funds, and then you also have great opsec, you won't be hacked even if you expose an address belonging to you or connected to your identity, but never expose yourself in that way because a $5 wrench attack can happen to you Roll Eyes.
sr. member
Activity: 1316
Merit: 356
If you write it down on a piece of paper and have one or two backups in different and secure places, you can avoid the risk of getting hacked online and the only way you'll lose your funds if someone physically get access to those papers where you stored your seed phrase.
There is no point in saving or writing down your seed phrase on a piece of paper in out of order because it will just make it difficult to unlock your wallet. In my opinion, the significance of this experiment is that a seed phrase of 12 words is more vulnerable than a seed phrase of 24 words. But, as I previously stated, I believe this experiment is pointless because no one will keep their seed phrase out of order.

Considering this thing, exposing your Bitcoin address with a large amount of Bitcoin within can be hacked which is why Bitcoin mixer was created, how much more if you show your scrambled seed phrase.
sr. member
Activity: 1078
Merit: 342
Sinbad Mixer: Mix Your BTC Quickly
If you read the article, its written that guy won a prize of 30$ for breaking this 12-word seed. From this prize money one can see the difficulty level of this task.
$30 is dust, which does not prove any difficulty. If you read this thread from the beginning, you will understand that it is not a difficult task to crack and arrange a scrambled 12-word seed phrase when given the actual 12 words, it is an impossible task when you don't have the words at all; so the message is just don't give out your seed phrase, it does not matter if it is in the wright or wrong order, if you give it out many people can quickly crack and arrange it correctly.
The moral of the story is to never put any of the words from your seed phrase at any risk online (whether scrambled or not= you will get hacked and lose your funds).
 
If you write it down on a piece of paper and have one or two backups in different and secure places, you can avoid the risk of getting hacked online and the only way you'll lose your funds if someone physically get access to those papers where you stored your seed phrase.
legendary
Activity: 994
Merit: 1089
If you read the article, its written that guy won a prize of 30$ for breaking this 12-word seed. From this prize money one can see the difficulty level of this task.
$30 is dust, which does not prove any difficulty. If you read this thread from the beginning, you will understand that it is not a difficult task to crack and arrange a scrambled 12-word seed phrase when given the actual 12 words, it is an impossible task when you don't have the words at all; so the message is just don't give out your seed phrase, it does not matter if it is in the wright or wrong order, if you give it out many people can quickly crack and arrange it correctly.
hero member
Activity: 1120
Merit: 571
20BET - Premium Casino & Sportsbook
Otherwise, your 12-word seed phrase is as safe as 24-word seed phrase if attacker doesn't know your seeds. But if one knows seeds but not their ordering, then 12-word seed wallet will be vulnerable to attacks but 24-word seed phrase still maintains high security.


Why somebody would know your seed at first place? (Regardless of whether its in or out of order). The security of your seed is must, even if you have 24-word or more seed. I have written seed of my wallet on paper and is never stored digitally.


If you read the article, its written that guy won a prize of 30$ for breaking this 12-word seed. From this prize money one can see the difficulty level of this task.
legendary
Activity: 2268
Merit: 18771
What's your source of crypto news? I know it won't be one as it shouldn't be but usually, what website(s) do you visit? Your opinion on this task matters because you are a highly valued, knowledgeable member
I tend not to care whatsoever about what these sites class as "news". If you look at the landing page of CoinTelegraph, CoinIdol, etc. on any given day, the top stories are about price speculation, a whole bunch of shitcoins I don't care about, a whole bunch of centralized exchanges or platforms I don't care about, various celebrities or influences I don't care about, clickbait trash like the article being discussed here, and so on. The amount of actual news on these sites is somewhere between zero and none.

What I do care about is bitcoin's development and new advances, and for that I read the bitcoin-dev mailing list, the lightning-dev mailing list, and any relevant discussions on GitHub. I would also recommend the newsletter from https://bitcoinops.org/.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
By the way, it was a little bit interesting, wasn't it?
Not really. People shouldn't post their seed words online. Period.
A much more interesting thing about 24 seed words is that you can split them up into 3 parts, and it's still pretty secure if someone gets their hand on one card:

Don't be so hilarious.
I was trying to be sarcastic Wink
Pages:
Jump to: