
Topic: 3 seed words + passphrase (Read 882 times)

sr. member
Activity: 1680
Merit: 288
March 31, 2024, 06:50:10 AM
#40
Isn’t it easier to memorize those 12 or 24 words than to memorize something that has special characters? Because you can’t use a simple word as it would be easier to hack through. What you’re proposing could work but you know pretty much that it isn’t as strong as the 12/24 words. If I was asked to choose, I’d stick with the 12/24 words because not only do you have to guess the words (which you can’t), you have to guess their order correctly. Unless we make super super computers soon, nothing can do such multiple tries in a short time.
full member
Activity: 2520
Merit: 214
March 31, 2024, 04:21:31 AM
#39

I understand that seed phrase can easily be guessed by a hacker but then he needs to be able to crack the 18 characters (combination of lower, upper case, number, special characters such as * ? >< !@#}|_-&^%$)




You are underestimating lots of hackers.

There are so many ways for a hacker to infiltrate your device and steal your password. The three seed phrase can be easily guessed and so can the password. It will maybe take quite a long time but I don’t see any reason why it could be impossible.
full member
Activity: 1484
Merit: 136
March 27, 2024, 07:38:16 AM
#38
The thing is, no matter how long your password or word phrase may be, if you can't secure your credentials or yourself on the internet then hackers could easily penetrate or hack your wallet or anything of yours that they could access. In this modern world where everything is on the internet, many people are increasing their screen time more. So if you want a different system of word phrase or password, it will be difficult to implement as this is the norm now, or the current system. Anyway, it's up to you how you will safekeep your credentials and accounts.
sr. member
Activity: 1470
Merit: 428
March 26, 2024, 11:45:43 PM
#37
I have never been made aware of any wallet that has just 3 seed words. Unless I am proven wrong, I have only seen and known of 12 and 24 seed phrases, of which one has to be constantly logging in or have them written down or saved on a device before one can log into their wallet before even having an idea of the correctness of the words.

While 3 seed phrases ain't a bad idea, and it allows the owner of the wallet ease to memorize them and use at their frequency, it would be easily hacked into, that's why it may not be a good idea of choice for large coin investors or long term HoDLers.
hero member
Activity: 1120
Merit: 540
March 26, 2024, 09:17:51 PM
#36
the 12 word length standard is the accepted standard in 95% of wallets, what guarantee do u have that a seed of just 3 words will be accepted by other wallets? Understand that this causes the versatility of the backup to be lost, being limited to a few wallets that accept restoring a 3-word seed + passphrase.

Your passphrase must be long enough to compensate for the weak security of a 3-word seed, which creates another problem, how will you guarantee that you'll remember this passphrase when you need to restore funds? It's easier for you to follow the standard of at least 12 words and use a good passphrase using words + numbers and some symbols, thus striking a good balance between increasing security and avoiding forgetfulness.

I see that the only justification for choosing a seed of 3 words instead of 12 is to make it easier to remember, but there are safer ways to do this...

It's easy to memorize a seed of 12 words and some passphrases, but never rely solely on your brain due to the risk of amnesia, spread your backup geographically without giving obvious clues that it has anything to do with bitcoin.
jr. member
Activity: 45
Merit: 35
March 26, 2024, 04:45:11 AM
#35
@NeuroticFish - There was no reason.  And you might be correct, perhaps I should have started a new topic.  I don't post a lot on social media so I'm not in tune with all the nuances, proper etiquette, etc.  I had jumped onto this forum to ask a specific question about what the difference was between the TRADITIONAL Chinese BIP39 list and the SIMPLIFIED Chinese BIP39 list and which one would a Chinese person prefer?  Anyway, while on the board I happened across this post and since I had just finished completing a "Private Key Kit, which presents how you can hide your mnemonic seed phrases in plain sight", project that I have been working on since 2018, I was very familiar with what he was wanting to do.  So I decided to post.  I saw that it was old but my purpose was simply to send him a direct reply to his question.  So I saw no reason to resurrect the subject necessarily.  What's funny is that this morning after reading the replies I went back and read through the entire thread to get context on some of the quotes being presented in the replies.  I found that I had actually replied to this guy back in June of 2020.  When I wrote my post yesterday I had no idea I had already replied to this thread.  I guess that says something for my memory!  I'm definitely not getting any younger and I am realizing the importance of writing EVERYTHING down.  It just doesn't have to be written down in a straight forward manner.  While there are many forms of security I still believe mis-direction is a very effective form when securing your private key seed phrases.

I will add to my post - While having 3 words represent 128 bits of entropy is not really possible since it would require a mnemonic word list with over 17 Trillion words in it.  @casdinyard is correct that you could use 33 bits of entropy along with a PASSWORD and store some bitcoin in it.  I personally wouldn't recommend putting your life savings behind a Private Key created with only 33 bits of entropy.  But for spending money on a trip it might be fine.  Just FYI: Using 33 bits of entropy essentially gives you a Bitcoin Private Key that falls between 1 - 8,589,934,591.  While picking a number from 8 and one half billion numbers might take awhile there might be hacking groups out there that are monitoring bitcoin addresses created from the first few million numbers? Or even Billion numbers?  I don't really know?  I suppose a way to increase security would be to repeat the 3 words three more times therefore giving you 12 words.  And to improve security beyond that you could reverse the order of the 3 words, i.e. 1, 2, 3, 3, 2, 1, 1, 2, 3, 3, 2, 1.  Or, 1,1,1,1,2,2,2,2,3,3,3,3.  Or some other scheme to mix them up a bit.  Any which way you do it though I would not consider it a super secure wallet.  But probably O.K. to temporarily put bitcoin in for a trip.  Especially if you then add a Passphrase to the mnemonic phrase to secure it further.

I'm just so happy that Bitcoin exists.  The ability to manage my own money without having to rely on anybody else!  It's intoxicating!

Kresp

jr. member
Activity: 208
Merit: 2
March 25, 2024, 10:43:17 AM
#34
I want to ask what is the danger of creating a seed phrase that generates 3 words only + passphrase (strong password 18 characters)? Is it safe? Is it possible to lose the funds this way? If yes, how?

The idea is, people just need to memorise 3 words + passphrase (of their choice) (strong password) rather than worrying that the (seed phrase 12 or 24 words) is stolen or lost. Any reason why this cannot be practical or recommended?

I understand that seed phrase can easily be guessed by a hacker but then he needs to be able to crack the 18 characters (combination of lower, upper case, number, special characters such as * ? >< !@#}|_-&^%$)





i would suggest you to make 12 words seed, but you can make multiple copies and leave it in few places


but your password can be something tricky



hero member
Activity: 2184
Merit: 891
March 25, 2024, 09:02:13 AM
#33
I want to ask what is the danger of creating a seed phrase that generates 3 words only + passphrase (strong password 18 characters)? Is it safe? Is it possible to lose the funds this way? If yes, how?

The idea is, people just need to memorise 3 words + passphrase (of their choice) (strong password) rather than worrying that the (seed phrase 12 or 24 words) is stolen or lost. Any reason why this cannot be practical or recommended?

I understand that seed phrase can easily be guessed by a hacker but then he needs to be able to crack the 18 characters (combination of lower, upper case, number, special characters such as * ? >< !@#}|_-&^%$)



Honestly password strength is a trivial matter that only becomes a major playing factor in hacking when the person has an in-depth idea of who you are. Like even "statistically weak passwords" like Iloveyou or password has got some strength to them when you add numbers and punctuation marks, so as long as you don't put yourself out there and don't go out of your own way to give the people a general notion of who you are or how you think, you should be safe even with this 3 seed phrase plus password combo.

I'd argue that this is even safer than having us memorize or take note of a 12 word seed phrase, since this you can remember by heart without having to put it someplace else, only to misplace it if it's a paper wallet or send it to someone accidentally if you've kept your seed phrases on a text file like I always do. There's some personalization in it that is going to be a tough nut to crack without the use of advanced tools.

Out of all security options the 12 seed phrase is still king, but if it means I risk losing my wallet as well when I forget the seed phrase combination and the exact words I'd choose a "less safer" but more accessible option all day.
legendary
Activity: 3668
Merit: 6382
March 24, 2024, 11:35:33 AM
#32
Lol. I know lots of people who say that they could remember their passwords or whatever it is without writing it down because it is so common and easy to remember but maybe that is the problem. It is so common that it could be literally anything so it’s not memorable.

I've written this a lot and will continue to do so: now you are young and remembering 12 words is a piece of cake. But what will happen in 10 years of not needing them? Or what happens if one gets a stroke (I hope not) or an accident with head injury (again, I hope not)? How will remembering work then?

Isn't it easier to write it down and, if the amounts are worth it, keep it very safe?


PS. What's the actual reason for this necro bump, @TheDigitalMan? Wouldn't have been more meaningful to make a new topic and link there this old one?
sr. member
Activity: 2828
Merit: 357
March 24, 2024, 08:44:04 AM
#31
and if the password were strong (truly random) then it can't be memorized over long term. they still have to write it down so that they won't forget it (after like in a year)

Actually everything has to be written down - seed words and password - even if it's something very simple.


Lol. I know lots of people who say that they could remember their passwords or whatever it is without writing it down because it is so common and easy to remember but maybe that is the problem. It is so common that it could be literally anything so it’s not memorable.

jr. member
Activity: 45
Merit: 35
March 24, 2024, 06:20:01 AM
#30
I find your post interesting.  I had similar questions when I first started diving down the rabbit hole of private keys and mnemonic seed phrases.  I wanted a way to create a seed phrase that I didn't have to write down.  To do what you are asking and preserve the same level of entropy you would need a mnemonic word list that was longer.  The current BIP39 mnemonic word list is 2048 words long.  It operates on the premise that you are writing down BASE 2048 numbers.  You can represent ANY number that could be a valid 128-bit Bitcoin Private Key using 12 words.  It takes 24 words to represent a 256-bit Bitcoin Private Key.  But if you increased the BASE of the numbering system.  And without doing some math I can't say exactly what it would need to be increased to...  but I am thinking 4 times what it is now to convert your 3 words to 12 words.  That's my off the cuff thinking but it might actually be different.  Anyway, assuming that then you would have to have a mnemonic word list that was 8,192 words long.  Obviously this could be done.  Then each word would represent 44 bits of entropy instead of the 11 that they currently represent.  3 words would represent 132 bits which is the 128 bits needed for the Private Key plus the 4 bits needed for the CHECKSUM value.  So your idea is achievable.  The first step would be to begin creating a longer mnemonic word list.  If you are serious about doing this I would be happy to collaborate with you and help you with it.

I have been working on a Private Key project that while not what you are trying to do is similar in some ways to what you are asking about.  I began in 2018 with the idea that I wanted to "Hide my Seed Phrases in Plain Sight".  The idea being that if anyone was able to acquire my seed phrase they could rob me of all my crypto.  Or at least all the crypto stored in that particular Private Key.  I launched a Kickstarter Campaign but the time was too early and we were in the midst of a bear market.  It went no where.  But I continued developing my concept.  I now have it close to completion and will be selling it soon.  During my 6 year journey developing this project I also developed a "seedless" Private Key method.  And by "seedless", I mean just that!  I have multiple stashes of bitcoin stored on the bitcoin network and NO SEED PHRASES written down for them.  There is method to my madness and I do have a few notes written down to ensure I don't totally forget how to access the bitcoin.  But these notes are not crypto related.  So anyone rummaging through my stuff wouldn't necessarily connect that those papers referred to my bitcoin.  Anyway, I don't want to give anything away regarding my personal crypto holdings but suffice it to say I am totally happy with my method.  I now have access to certain amounts of my crypto without carrying ANYTHING on me.  I don't need my notes unless I forget.  They are just a back up in case I get old and forget.

O.K. so I couldn't leave it alone.  I had to check if a BASE 8192 would work.  And it will!  So I will leave a short description of how you can accomplish what you want to do.

Step #1. You have to have a mnemonic word list that contains 8192 words.  You can create your own custom list but for purposes of my short tutorial here I am going to concatenate 4 of the 2028 BIP39 Word Lists off of Github.  There are 10 lists posted on Github in 9 different languages.  We're just going to use 4 of them.  ENGLISH + FRENCH + ITALIAN + SPANISH.  NOTE: The order is IMPORTANT!  The first word on the FRENCH list will represent word #2049.  Which brings up another wrinkle that must be addressed.  Word #1 on the ENGLISH list is really Word #0.  And the first word on the FRENCH list is really word #2048.  If you do not understand why this is then you probably shouldn't be doing this.  But suffice it to say the word lists should be numbered 0 thru 2047.  Not 1 thru 2048 like they are on Github.  So if you are going to do this I would recommend you copy all 4 lists off of Github and paste them into a text editor of your choice and re-number the entire list of 8,192 words.  The ENGLISH list should be 0 thru 2047.  Just subtract 1 from each number.  The FRENCH list should start with 2048 and run through 4095.  The ITALIAN list should start with 4096 and run through 6144.  And last the SPANISH list should start with 6145 and run through 8192.  It is ABSOLUTELY CRITICAL that these words have the proper number values associated with them!!!  NOTE: The 4 lists I am using I have arranged in alphabetical order.  This is to help ensure that you always arrange them in the correct order each time you go to re-assemble your 8192 mnemonic word list.

Step #2. Next step is to take your 12 or 24 word seed phrase and convert it into BINARY digits.  Here is how you will do that.  I will use the word list provided by "Pooya87". If you pull up the calculator on your Windows computer you can choose "Programming" option and pick "Decimal".  Put the decimal number into it and then pick "Binary".  It will convert your Decimal number into Binary.  I will do the conversions on these 12 words for you.  But I'm just trying to give you a helpful tip.  However, you are technically entering bits of your private key into your online computer if you do this.  So some die hard bitcoiners will tell you to manually calculate the conversion from decimal to binary.  I will leave it up to you how you handle that.  Just remember.  The conversions HAVE TO BE DONE CORRECTLY and ACCURATELY!!! Otherwise your new seed phrase will come out wrong.  I am going to list the DECIMAL number followed by the BINARY number and then followed by the WORD so that all the number digits will line up in nice neat columns.  The word lengths vary so I am putting the word on each row last.

legal winner thank year wave sausage worth useful legal winner thank yellow

#1019 - 01111111011 - legal (Note: On Github it is listed as word #1020.  But this is wrong.  The actual value represented by the word "legal" is 1019 when calculating a Private Key.)
#2015 - 11111011111 - winner
#1790 - 11011111110 - thank
#2039 - 11111110111 - year
#1983 - 11110111111 - wave
#1533 - 10111111101 - sausage
#2031 - 11111101111 - worth
#1919 - 11101111111 - useful
#1019 - 01111111011 - legal
#2015 - 11111011111 - winner
#1790 - 11011111110 - thank
#2040 - 11111111000 - yellow

Step #3. You now concatenate the BINARY numbers together into one long line that will be 132 BINARY digits long.  128 digits for the Private Key and 4 digits for the CHECKSUM.

011111110111111101111111011111110111111101111111011111110111111101111111011111110111111101111111011111110111111101111111011111111000

Step #4. You now have to pull off your 3 sets of 44 BINARY digits to create your 3 words.  Take the first 44, then the 2nd set of 44 and then the last 44.  Then convert the 44 digit BINARY number into a DECIMAL number.

01111111011111110111111101111111011111110111 - 08761598539767
11110111111101111111011111110111111101111111 - 17040274325375
01111111011111110111111101111111011111111000 - 08761598539768

Step #5.  Look up your new 3-word mnemonic phrase.  And this is where I am realizing I have erred in the number of words needed for the new mnemonic seed phrase list.  It is not 4 times the original amount but rather the original amount to the 4th power.  If you take 2048^4 this equals 17,592,186,044,416.  That is how many words you will need in your list in order to represent your 12 word seed phrase in just 3 words.

If you think O.K. I can remember 4 words.  Let's do 4 words instead of 3.  Then you would need 8,589,934,592 in your list.  That is over 8 BILLION WORDS!  To just cut the 12 words in half you would need 4,194,304 words.  Over 4 million words!

O.K. it was a fun exercise.  Hopefully you have enjoyed reading it as much as I enjoyed creating it! 
 
Kresp Rowland out.
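The regrouping arithmetic from the post above, as an added example that is not part of the original thread: it rebuilds the 132-bit string from the posted word indices, verifies the BIP39 checksum, cuts the string into 44-bit groups, and computes how large a word list must be to hold 132 bits in fewer words. The function names are illustrative assumptions; the indices are the ones listed in the post.

```python
"""Added illustration: regroup a BIP39 mnemonic's bits into fewer, larger 'words'."""
import hashlib
import math

# 0-based BIP39 English indices exactly as listed in the post for
# "legal winner thank year wave sausage worth useful legal winner thank yellow".
POSTED_INDICES = [1019, 2015, 1790, 2039, 1983, 1533,
                  2031, 1919, 1019, 2015, 1790, 2040]


def indices_to_bits(indices, bits_per_word=11):
    """Concatenate word indices into one bit string (11 bits per BIP39 word)."""
    out = []
    for idx in indices:
        if not 0 <= idx < 2 ** bits_per_word:
            raise ValueError(f"index {idx} does not fit in {bits_per_word} bits")
        out.append(format(idx, f"0{bits_per_word}b"))
    return "".join(out)


def regroup(bits, bits_per_word):
    """Cut a bit string into equal groups and return each group as an integer."""
    if len(bits) % bits_per_word:
        raise ValueError("bit string is not a multiple of the group size")
    return [int(bits[i:i + bits_per_word], 2)
            for i in range(0, len(bits), bits_per_word)]


def checksum_ok(bits):
    """BIP39 rule: the trailing ENT/32 bits equal the leading bits of SHA-256(entropy)."""
    if len(bits) % 33:
        raise ValueError("not a BIP39 bit length (must be a multiple of 33)")
    cs_len = len(bits) // 33
    ent_bits = bits[:-cs_len]
    entropy = int(ent_bits, 2).to_bytes(len(ent_bits) // 8, "big")
    digest = hashlib.sha256(entropy).digest()
    digest_bits = format(int.from_bytes(digest, "big"), "0256b")
    return digest_bits[:cs_len] == bits[-cs_len:]


def wordlist_size_needed(total_bits, words):
    """Smallest power-of-two word list that packs total_bits into this many words."""
    return 2 ** math.ceil(total_bits / words)


def phrase_bits(words, wordlist_size):
    """Bits carried by a phrase drawn from a power-of-two sized word list."""
    if wordlist_size < 2 or wordlist_size & (wordlist_size - 1):
        raise ValueError("word list size must be a power of two")
    return words * (wordlist_size.bit_length() - 1)


if __name__ == "__main__":
    bits = indices_to_bits(POSTED_INDICES)
    print("total bits:", len(bits), "checksum valid:", checksum_ok(bits))
    for value in regroup(bits, 44):
        print(f"{value:044b} - {value}")
    for n in (3, 4, 6):
        print(f"{n} words need a list of {wordlist_size_needed(132, n):,} entries")
    # A list of 8,192 entries gives 13 bits per word, not 44.
    print("3 words from 8,192 entries:", phrase_bits(3, 8192), "bits")
    print("3 words from 2,048 entries:", phrase_bits(3, 2048), "bits")
```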


sr. member
Activity: 906
Merit: 263
September 20, 2020, 04:02:41 PM
#29
18 characters alone is insane protection. Most passwords people use online are 6-12 digits. Using #$ upper and lower case makes it close to impossible. People don't hack your passwords directly, they find them on your hdd or if you backup online or social engineering. There is no magical way to guess a password and there is not a program that can magically find passwords. Added to the fact you have the keyphrases. It's basically impossible to hack. I can't even remember what to buy when I do the groceries so you could basically tell me your 12-word key and I would forget it while you were saying it...
legendary
Activity: 2268
Merit: 18711
September 20, 2020, 02:13:05 PM
#28
I get that it's possible I could have a stroke and forget.
Or Alzheimer's. Or dementia. Or trauma. Or sepsis. Or COVID. Or a thousand other things.

But I like the idea that if I were suddenly to find myself in a foreign country and needed funds.  I have them with me.  In my head.  All I have to do is find a bitcoin ATM.  Damn cool if you ask me!
Agreed, that is cool. However, that doesn't mean you only need to store the seed phrase in your head. I have memorized the seed phrase to my mobile "day to day spending" wallet, so I could recover it without my phone in desperate situations, but I also have the seed phrase backed up on paper in two secure locations.

Relying solely on your memory is incredibly risky, not just for the seed phrase you have memorized, but for all your different "encoding" and "misdirection" methods. Even if you have the right 24 words but in the wrong order, you are looking at 600 billion trillion combinations. pooya87 is right - we see users regularly who have come up with their own system and can't remember how to reverse it, locked out of their coins forever.

Write down your seed on paper, store it somewhere secure, write down your passphrase(s) on a different piece(s) of paper, store it/them somewhere else secure.
legendary
Activity: 3472
Merit: 10611
September 20, 2020, 10:32:07 AM
#27
~

saying you don't understand how something that is created by experts and reviewed by other experts and then not using it and instead using another thing you yourself create is just crazy. it is like saying i don't understand how airplanes work so i never get on one and build my own plane and use that while not having a clue what i am building.

worst thing you can do is also advise others to do the same!
most of the times when people think they've come up with their own "encryption" system they are either not adding any kind of meaningful security while doing the so called "encryption" or they have created something irreversible. i have seen so many users who did crazy things to their mnemonics and now after a couple of years they can't remember it and all their bitcoins are lost for good.

even if you are paranoid there are still better solutions. for a mnemonic (which is quite simply human readable encoding of an entropy) you can use a coin to flip or a 16 sided die to roll and create that entropy.
for storage and encryption there are secure encryption methods such as AES-256 that should be used.
anything else is most probably going to either be weak or could even be irreversible.
member
Activity: 994
Merit: 11
September 20, 2020, 09:00:49 AM
#26

No, i am not suggesting to create your password like this. you can create something like !Went>P@r!$&be$tmem0ryev_r

Something that you can create that reflect to your experience and easy to remember and hard to crack

Not all people can memorize easily even a simple password, they still need to take it down or keep it in a place where they can easily get it if needed, so, what if they create 3 seed words and passphrase which is difficult to memorize. I think your opinion is just good for you because the mental capacity of everyone to memorize something is different from each other. What if you memorized your password and the seed but after a year you are diagnosed with Alzheimer's...what will happen to your account?
legendary
Activity: 2352
Merit: 6089
September 20, 2020, 07:32:31 AM
#25
1- losing it
2- confiscating it by government
3- robbed by nagger
4- forgetting where you stored seed phrase
5- not easy to cross board and can be confiscated by airport police officers.
6- extracted by hackers if they get access to your hardware wallet for a few minutes https://blog.kraken.com/post/3662/kraken-identifies-critical-flaw-in-trezor-hardware-wallets/
7- Government seize your hardware wallet and extract your seed phrase. So easy to extract your seed https://donjon.ledger.com/Unfixable-Key-Extraction-Attack-on-Trezor/
I don't think any of these are real weaknesses of BIP39. Points 1 through 4 are essentially "You lose access to it by some means or other". This is entirely preventable by making multiple back ups, and one of your back ups being stolen won't immediately lead to loss of your coins as long as you are using a long and random passphrase. Point 5 is easily negated by storing it in a way that TSA agents don't know what it is, or memorizing the 12 seeds for the brief duration of crossing the border. Points 6 and 7 are nothing to do with BIP39, but to do with the Trezor wallet, and are entirely negated by using a passphrase.


I agree. Hide it from airport police officers is very easy. Just write some of the words in your cell phone and memorize one or two of those words. Or just underline your 24/12 words in a book, something like that. Just to get past the airport police officers.

BIP39 is a very intelligent and resilient system imo. You can easily hide, backup, store, etc.
jr. member
Activity: 45
Merit: 35
September 20, 2020, 07:10:26 AM
#24


Bank's storage can be a valid place since it may be opened only by you or with your death certificate, afaik.


I thought the whole point of Bitcoin is be your own bank. If you have to store your seed in a bank storage, what is the point of having Bitcoin in the first place?

alexkrypto, I couldn't agree with you more.  Don't let all the hate you received on this post deter you.  It is not 100% clear to me how the "mnemonic phrase" and the "password phrase" get used in creating the final bitcoin private key and addresses.  I get that if no password were involved the 3-word mnemonic phrase would produce a less secure private key then a 6-word mnemonic phrase.  And I get what you are trying to achieve.  The whole point of bitcoin WAS so we wouldn't have to trust and use the banks!  I support your efforts and desire to completely cut the banks out of your life as much as possible!  Especially after how irresponsibly the FED has behaved this past year!  They can all... well I better not say.  But I am totally with you!  I have developed several methods myself and got a lot of hate when I tried to clarify certain aspects of my ideas as well.  I don't understand why most bitcoiners seem to think we have to walk the straight and narrow on proper protocol for securing your private bitcoin keys!  I think the metal plates to stamp your mnemonic keys into are stupid!  Unless the mnemonic key is encoded first!  None of my mnemonic keys are written down in the right order or even the right words.  Everything I do is encoded one way or another. I use mis-direction.  I use all kinds of methods!  The government nor the banks will ever get my crypto!  I am working on leaving some information that is written down behind for my kids after I die.  But they will first have to get the decryption keys that I will leave with my will.  Those will only decrypt the documents that explain where they can find the jump drives and other documents and decryption keys to finally decrypt the documents that will explain how to decrypt my mnemonic phrases.  Hopefully they will be able to properly follow the trail of breadcrumbs.  If not.  Oh well.  I'm not leaving my fortunes to the government or banks.  And if my grandkids are too stupid to figure it out.  
I don't care if they get my money.  There will be a clear trail to follow.  It just won't be a trail that the Lawyers handling my will or the government will be able to follow.  Because you'll have to know certain things about me and my family.  About my past and whatnot.  Call me crazy!  I don't really care.  Carry on with your innovative ideas!  Nothing wrong with what you are trying to achieve.  I have several bitcents (0.01 BTC) stored in bitcoin addresses that exist ONLY IN MY HEAD.  I have written down some information that when properly decyphered will allow a family member to re-create the private key but I don't actually have the private key written down or stored anywhere.  Not even the mnemonic words.  Nothing!  It's all derived from information that I can remember easily and given a few hours I could sit down and reproduce the private key.  I have method to my madness.  I get that it's possible I could have a stroke and forget.  But I like the idea that if I were suddenly to find myself in a foreign country and needed funds.  I have them with me.  In my head.  All I have to do is find a bitcoin ATM.  Damn cool if you ask me!  And if those 7 or 8 bitcents get lost forever.  Oh well.  I've just increased the value of everyone elses bitcoin.  You're welcome!

I'd be happy to continue this discussion with you privately if you're interested in more ideas.  I'm not going to give away what I am doing but I think it's fun to discuss ideas of how bitcoin can be hidden in plain sight.

And for the record.  The first word of each sentence isn't that secure either.  Especially when there are exactly 24 random sentences???  I mean really?  The fact that they are random and disconnected would immediately make me suspicious that they were a mnemonic phrase.  I think there are better ways to disguise which words in a given paragraph of writing are the mnemonic words.  The writing should make sense.  There could be punctuation marks or just random things that would make the mnemonic phrase much less obvious.

O.K. I'll get down off my soapbox now.  All the rest of the people in this thread of posts who think the OP has to write all his phrases down correctly and store them in a bank vault can leave now.  You can do what you want with your hard earned money.  I'm not trusting a bank to keep mine safe.

Kresp
member
Activity: 845
Merit: 52
June 06, 2020, 02:56:12 PM
#23
Just a 3-word seed phrase will pose a strong security threat because it's too weak; I feel the longer it is, the more difficult it is to decode.
legendary
Activity: 2268
Merit: 18711
June 06, 2020, 07:08:36 AM
#22
1- losing it
2- confiscating it by government
3- robbed by nagger
4- forgetting where you stored seed phrase
5- not easy to cross board and can be confiscated by airport police officers.
6- extracted by hackers if they get access to your hardware wallet for a few minutes https://blog.kraken.com/post/3662/kraken-identifies-critical-flaw-in-trezor-hardware-wallets/
7- Government seize your hardware wallet and extract your seed phrase. So easy to extract your seed https://donjon.ledger.com/Unfixable-Key-Extraction-Attack-on-Trezor/
I don't think any of these are real weaknesses of BIP39. Points 1 through 4 are essentially "You lose access to it by some means or other". This is entirely preventable by making multiple back ups, and one of your back ups being stolen won't immediately lead to loss of your coins as long as you are using a long and random passphrase. Point 5 is easily negated by storing it in a way that TSA agents don't know what it is, or memorizing the 12 seeds for the brief duration of crossing the border. Points 6 and 7 are nothing to do with BIP39, but to do with the Trezor wallet, and are entirely negated by using a passphrase.

What you are suggesting is essentially a brainwallet. We obviously can't stop you from using one, but there is a reason that every serious user of bitcoin thinks that brainwallets are a terrible idea. BIP39 was specifically created to be a secure and easy to use method of backing up your coins.

In terms of guaranteed sufficient entropy, you can your own and test it on http://rumkin.com/tools/password/passchk.php
That's a garbage site, I entered "11111111111111111111" and it said it's "reasonable".
The flaw with that site is that if you enter a single number (such as 1), it assumes you are using all numerical digits and adds 10 to your character set. If you enter a single lowercase or uppercase letter, it adds 26 (or 52 if you use both) to your character set. Same idea for symbols.

This approach makes sense if your password or passphrase is truly random. It doesn't make sense if your password is something you have picked yourself and isn't random, such as a password based on a phrase with some substituted characters, as OP has done, or if you use a repeating digit as you have done. Both these passphrases are not as secure as that site makes them out to be.
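The flaw described in the post above, worked through as an added example that is not part of the original thread or the site's own code: a length-times-pool estimator next to a bound that also considers repeated blocks, with BIP39 word counts for comparison. The function names, the 32-symbol pool and the repeated-block model are assumptions of this example.

```python
import math
import string

# Assumed pool sizes: 10 digits and 26/52 letters come from the post above;
# the 32-symbol pool (string.punctuation) is an assumption of this example.
POOLS = (
    (string.digits, 10),
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.punctuation, 32),
)

def charset_pool(password):
    """Pool size as the naive checker counts it: one character of a class
    adds the whole class to the assumed alphabet."""
    return sum(size for chars, size in POOLS
               if any(c in chars for c in password))

def naive_bits(password):
    """length * log2(pool): only valid if every character is chosen
    uniformly at random from the pool."""
    pool = charset_pool(password)
    return len(password) * math.log2(pool) if pool else 0.0

def smallest_period(s):
    """Length of the shortest block that, repeated, produces s."""
    for p in range(1, len(s) + 1):
        if len(s) % p == 0 and s[:p] * (len(s) // p) == s:
            return p
    return len(s)

def pattern_aware_bits(password):
    """Upper bound against a guesser who also tries 'short block repeated
    n times': cost is the block itself plus the choice of total length."""
    pool = charset_pool(password)
    if not pool:
        return 0.0
    period = smallest_period(password)
    if period == len(password):
        return naive_bits(password)  # no repetition found, nothing to tighten
    return period * math.log2(pool) + math.log2(len(password))

def bip39_entropy_bits(words):
    """BIP39 words carry 11 bits each; ENT/32 of them are checksum,
    so ENT = words * 11 * 32 / 33."""
    return words * 32 // 3

# Constructed samples: the two strings quoted in the thread plus one
# repeated-block string made up for this example.
SAMPLES = ["11111111111111111111", "abcabcabcabc",
           "!Went>P@r!S-Be$tMem0ryEv_r"]

if __name__ == "__main__":
    for pw in SAMPLES:
        print(f"{pw!r:32} naive={naive_bits(pw):6.1f}  "
              f"pattern-aware={pattern_aware_bits(pw):6.1f}")
    for n in (3, 12, 24):
        print(f"{n:2}-word BIP39 mnemonic: {bip39_entropy_bits(n)} bits")
```

The third sample scores above 128 bits only under the uniform-random assumption in `naive_bits`; the code does not measure how far a human-chosen phrase with substitutions falls below that figure.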
legendary
Activity: 3024
Merit: 2148
June 06, 2020, 02:07:17 AM
#21
But with Crypto, it is a different story. First, the hacker needs:

1- to figure out that the public key on blockchain belongs to YOU.
2- then he needs to figure out whether the public key was created based on BIP39 or legacy way (private key only per each public key).
3- then need to know that your way of creating passwords is like this.


Hackers don't want to crack some specific key, they just pre-generate lists of addresses with weak entropy, and then simply check if these addresses were used when a new block is found, and if they were, they instantly sweep the coins. They already do that with brainwallets, and as storage and computing power gets cheaper, it becomes more feasible to extend this method to target more sophisticated schemes.

In terms of guaranteed sufficient entropy, you can your own and test it on http://rumkin.com/tools/password/passchk.php

Test for example, !Went>P@r!S-Be$tMem0ryEv_r

That's a garbage site, I entered "11111111111111111111" and it said it's "reasonable".
hero member
Activity: 2702
Merit: 716
Nothing lasts forever
June 06, 2020, 01:14:01 AM
#20
these "words" are actually representing the "entropy" that is used to generate the individual private keys. so unless you can come up with a way to generate the same level of security entropy (at least 128-bits) using 3 words, it won't work.


You can do it using https://iancoleman.io/bip39/ and I understand you won't achieve 128 bits, this is where the passphrase with strong password is extremely important.

are you really suggesting that memorizing 3 words + something like
Code:
J\{m^"
is easier than memorizing this:
Code:
legal winner thank year wave sausage worth useful legal winner thank yellow
i'm not convinced!

No, i am not suggesting to create your password like this. you can create something like !Went>P@r!$&be$tmem0ryev_r

Something that you can create that reflect to your experience and easy to remember and hard to crack
To be really honest, even that would be easily guessed since
!c@nwr!t3l!k3th!5f0r3v3r

It is predictable. A nerd won't take longer to crack your seed phrase if he digs up a little.
The current seed phrase though works like a charm since it maintains higher security with the given entropy.
legendary
Activity: 2170
Merit: 1789
June 06, 2020, 01:12:16 AM
#19
I for one tried to do this and left the text somewhere inside a book and used it as my bookmark for sometime. It works, it's secure, and no one will ever get interested on it due to its nonsensical phrases and purely unconnected sentences.

That's a nice trick. Did that a few times myself but there's still a risk that you can forget you ever do it if you got a stroke or whatever. I think it's nearly impossible to completely eliminate this risk, so making multiple secure backups (and the way you encode it) is always needed.

Btw stop doing multiple posts in a row, it broke forum rules.
newbie
Activity: 10
Merit: 8
June 06, 2020, 01:01:51 AM
#18
Bank's storage can be a valid place since it may be opened only by you or with your death certificate, afaik.

I thought the whole point of Bitcoin is be your own bank. If you have to store your seed in a bank storage, what is the point of having Bitcoin in the first place?
legendary
Activity: 3038
Merit: 4418
Crypto Swap Exchange
June 06, 2020, 12:51:26 AM
#17

They can be achieved. I already gave you an example. I can also give you another example like !Went>P@r!S-Be$tMem0ryEv_r

Go check http://rumkin.com/tools/password/passchk.php
You can. Depending on your method of generating it, it could take a reasonably long time for you to crack it.

Now, do you understand why seed phrase is extremely dangerous?
I highly doubt anyone would be able to memorize such a confusing passphrase accurately over long periods of time without confusing which of the letters are changed.

BIP39 is actually very useful in terms of the properties that it has. The range of words allows easy correction of the seeds, there is a built in checksum with the seed, it doesn't have to rely on the user's judgement to make a secure password. I bet if people are actually forced to create their own passphrase this way, I would see loads of people asking how to bruteforce their passphrase because they cannot figure out which symbols they inserted. What you've described is basically brainwallet which has been cracked thoroughly and isn't recommended for use. It could be more secure it being salted and it would take a much longer time to bruteforce.

You can certainly keep a passphrase this way, I wouldn't recommend it but it's definitely quite safe if you choose a secure way to generate your private/public keypair.
newbie
Activity: 10
Merit: 8
June 06, 2020, 12:50:24 AM
#16
"!Went>P@r!$&be$tmem0ryev_r" is a good password, but a 12-word or 24-word random seed is more secure. As @pooya87 stated, a password must be weakened in order to be memorizable. Your idea may work for you, but it cannot be recommended for general use.

That's not true.

!Went>P@r!S-Be$tMem0ryEv_r is more secure than 12-word random seed
newbie
Activity: 10
Merit: 8
June 06, 2020, 12:35:30 AM
#15
No, i am not suggesting to create your password like this. you can create something like !Went>P@r!$&be$tmem0ryev_r

Something that you can create that reflect to your experience and easy to remember and hard to crack

And how is it easy to remember? If it's some sort of substitution scheme, like replacing O with 0, then it's easy to crack, if it's truly random (which can only be generated by some rng and not human mind), then it's really hard to memorize and you will forget it unless you repeat it multiple times per day every single day.

Compared to that, mnemonic seeds have guaranteed sufficient entropy and they are easy to remember because our brains are good at remembering natural words in sequences.


Don't you think it is easy to remember such password !Went>P@r!S-Be$tMem0ryEv_r

Well, you're right and wrong at the same time.

Right if you were referring to a traditional way of accessing "username" & "password" on servers, and the hackers can sense your way of creating password is like this.

But with Crypto, it is a different story. First, the hacker needs:

1- to figure out that the public key on blockchain belongs to YOU.
2- then he needs to figure out whether the public key was created based on BIP39 or legacy way (private key only per each public key).
3- then need to know that your way of creating passwords is like this.

You REALLY think it is easier to remember 12 random words (in order) THAN creating a strong password of your choice???

In terms of guaranteed sufficient entropy, you can your own and test it on http://rumkin.com/tools/password/passchk.php

Test for example, !Went>P@r!S-Be$tMem0ryEv_r
newbie
Activity: 10
Merit: 8
June 06, 2020, 12:27:44 AM
#14
Something that you can create that reflect to your experience and easy to remember and hard to crack

then that's another problem. almost always, these two can not be achieved together.
people aren't known to be able to create strong passwords. to be able to remember their passwords they always end up with weak ones that could be guessed in most cases.
and if the password were strong (truly random) then it can't be memorized over long term. they still have to write it down so that they won't forget it (after like in a year), and if they are writing it down then why not use the method that is already tested and is considered safe meaning BIP-39?


They can be achieved. I already gave you an example. I can also give you another example like !Went>P@r!S-Be$tMem0ryEv_r

Go check http://rumkin.com/tools/password/passchk.php

You will see, such a password achieves more than 128 bits.


Well, the problem with BIP39 is actually many:

1- losing it
2- confiscating it by government
3- robbed by nagger
4- forgetting where you stored seed phrase
5- not easy to cross the border and can be confiscated by airport police officers.
6- extracted by hackers if they get access to your hardware wallet for a few minutes https://blog.kraken.com/post/3662/kraken-identifies-critical-flaw-in-trezor-hardware-wallets/
7- Government seize your hardware wallet and extract your seed phrase. So easy to extract your seed https://donjon.ledger.com/Unfixable-Key-Extraction-Attack-on-Trezor/

I am not referring to Trezor only but also Ledger can have the same issue in the future.

Now, do you understand why seed phrase is extremely dangerous?
legendary
Activity: 2338
Merit: 1084
zknodes.org
June 05, 2020, 12:57:54 PM
#13
I have to admit that it came to me a number of times how quite hard it is to be your own bank, especially if you have tens of BTC. I have a little amount myself and created a total of three copies of my seed words and I can only remember the hiding place of a single copy. I cannot remember where I kept the other two, must be somewhere in the pages of one of my books or under files of old papers. If this tiny box I'm living in right now will catch fire while I am away-- God forbid-- I will lose everything of it. And I also don't deem it safe to keep a copy in my wallet.

If my memory serves me right, I think even Andreas Antonopoulos himself ironically mentioned in an interview that he's got a copy of his seed words written on a piece of paper and kept in a bank's storage.
Having a lot of BTC and being a bank for yourself is very difficult. You must be more vigilant and pay attention to the security and confidentiality of the documents that you keep in a place that has been provided. If you divide documents into 3 copies, you must know each place that will be used as storage, and not forget that it is very dangerous if they are found by someone else. Instead of having to keep several copies in your own place, it is better to save them in a safer bank deposit that only you can open, or for which there is another power of attorney to open the document besides you.
legendary
Activity: 3542
Merit: 1352
Cashback 15%
June 05, 2020, 09:47:53 AM
#12
No, i am not suggesting to create your password like this. you can create something like !Went>P@r!$&be$tmem0ryev_r

Something that you can create that reflect to your experience and easy to remember and hard to crack

Ngl. leet speak paired with symbols and everything is actually a good password maker, but humans aren't really good at creating good passwords that are secure enough to keep them safe from hacks. Also, the 12-word seed IMO is easier to keep/hide in plain sight, and more robust and secure rather than a 3-word, 1-phrase combo that you're suggesting of.

Some people keep their 12-word seed in a rather unconventional yet witty way. Let's use these words for example:

Code:
there wake tomorrow carry cold since lose open practice road shame witch

Quote
"There used to be some sort of blabbering around town. Wake, my child, as he often say to his daughter. Tomorrow, we shall feast with the gods! Carry these cloth round town and try to sell them in the market. Cold feet is attributed to being afraid or nervous of the current situation. Since 1971, the gold standard was no longer in effect. Lose something important and you'll never feel the same again. Open-air stadiums are preferable during viral outbreaks. Practice makes perfect, or so they say. Road trips are fun with your friends and family! Shame that I didn't have the last piece of beef. Witch hunting was a popular activity back in the Victorian era.

I for one tried to do this and left the text somewhere inside a book and used it as my bookmark for sometime. It works, it's secure, and no one will ever get interested on it due to its nonsensical phrases and purely unconnected sentences.
legendary
Activity: 2170
Merit: 1789
June 05, 2020, 06:25:06 AM
#11
So I do think that passphrases are much easier to memorize for the human brain than some kind of random generate password with a combination of numbers and letters.

You are not suggested to do that. Make a backup (as secure as possible) and don't rely on memory. There are dozens of stories where people forget what's their password or seed and lost their coins.
legendary
Activity: 3668
Merit: 6382
Looking for campaign manager? Contact icopress!
June 05, 2020, 04:59:07 AM
#10
I have to admit that it came to me a number of times how quite hard it is to be your own bank, especially if you have tens of BTC.

I am on the same page, I don't have a huge problem yet with my private keys, there's no life changing amount to hide :)

I have a little amount myself and created a total of three copies of my seed words and I can only remember the hiding place of a single copy. I cannot remember where I kept the other two, must be somewhere in the pages of one of my books or under files of old papers. If this tiny box I'm living in right now will catch fire while I am away-- God forbid-- I will lose everything of it. And I also don't deem it safe to keep a copy in my wallet.

If my memory serves me right, I think even Andreas Antonopoulos himself ironically mentioned in an interview that he's got a copy of his seed words written on a piece of paper and kept in a bank's storage.

Bank's storage can be a valid place since it may be opened only by you or with your death certificate, afaik.
But back at hiding in plain sight: somebody from the family also needs to know where to look, obviously. Preferably somebody who doesn't know much about computers and bitcoin. (So yes, the suggestion still stands.)

And about catching fire, well.. I see it the same as burglars coming in (so this makes crypto steel useless) : backup at somebody else. And this backup can be made in a way only you can understand it - sealed envelope with a "letter" in a specific format to a password protected USB stick... it's up to one's ingenuity. If Bitcoin gets to 100k-500k a piece I will give it a bigger thought. ;)
sr. member
Activity: 868
Merit: 251
Empowering crypto w/ sustainable energy
June 05, 2020, 04:39:40 AM
#9
No, i am not suggesting to create your password like this. you can create something like !Went>P@r!$&be$tmem0ryev_r

Something that you can create that reflect to your experience and easy to remember and hard to crack

And how is it easy to remember? If it's some sort of substitution scheme, like replacing O with 0, then it's easy to crack, if it's truly random (which can only be generated by some rng and not human mind), then it's really hard to memorize and you will forget it unless you repeat it multiple times per day every single day.

Compared to that, mnemonic seeds have guaranteed sufficient entropy and they are easy to remember because our brains are good at remembering natural words in sequences.

I am totally with you by this point. So I do think that passphrases are much easier to memorize for the human brain than some kind of random generate password with a combination of numbers and letters.
legendary
Activity: 2576
Merit: 1860
June 05, 2020, 04:37:13 AM
#8
and if the password were strong (truly random) then it can't be memorized over long term. they still have to write it down so that they won't forget it (after like in a year)

Actually everything has to be written down - seed words and password - even if it's something very simple.

I've seen cases when people got a stroke and forgot even to walk and of course even their kids' names (!).
One has to think / plan for long term and what I've said can happen because of a car or motorcycle crash too, so it's not age related.

If this, then would your suggestion at the bottom still stand?

worrying that the (seed phrase 12 or 24 words) is stolen or lost
You can keep the seed written onto paper buried between many other useful and / or useless papers. Most people will not know what's that and what to use it for.
Or you can write here and there onto the pages of a book your seed words.
I mean that a seed has to be written down and it's not too difficult to hide in plain sight.



I have to admit that it came to me a number of times how quite hard it is to be your own bank, especially if you have tens of BTC. I have a little amount myself and created a total of three copies of my seed words and I can only remember the hiding place of a single copy. I cannot remember where I kept the other two, must be somewhere in the pages of one of my books or under files of old papers. If this tiny box I'm living in right now will catch fire while I am away-- God forbid-- I will lose everything of it. And I also don't deem it safe to keep a copy in my wallet.

If my memory serves me right, I think even Andreas Antonopoulos himself ironically mentioned in an interview that he's got a copy of his seed words written on a piece of paper and kept in a bank's storage.
legendary
Activity: 3024
Merit: 2148
June 05, 2020, 03:55:42 AM
#7
No, i am not suggesting to create your password like this. you can create something like !Went>P@r!$&be$tmem0ryev_r

Something that you can create that reflect to your experience and easy to remember and hard to crack

And how is it easy to remember? If it's some sort of substitution scheme, like replacing O with 0, then it's easy to crack, if it's truly random (which can only be generated by some rng and not human mind), then it's really hard to memorize and you will forget it unless you repeat it multiple times per day every single day.

Compared to that, mnemonic seeds have guaranteed sufficient entropy and they are easy to remember because our brains are good at remembering natural words in sequences.
legendary
Activity: 3668
Merit: 6382
Looking for campaign manager? Contact icopress!
June 05, 2020, 02:41:30 AM
#6
and if the password were strong (truly random) then it can't be memorized over long term. they still have to write it down so that they won't forget it (after like in a year)

Actually everything has to be written down - seed words and password - even if it's something very simple.

I've seen cases when people got a stroke and forgot even to walk and of course even their kids' names (!).
One has to think / plan for long term and what I've said can happen because of a car or motorcycle crash too, so it's not age related.

worrying that the (seed phrase 12 or 24 words) is stolen or lost

You can keep the seed written onto paper buried between many other useful and / or useless papers. Most people will not know what's that and what to use it for.
Or you can write here and there onto the pages of a book your seed words.
I mean that a seed has to be written down and it's not too difficult to hide in plain sight.
legendary
Activity: 4466
Merit: 3391
June 05, 2020, 01:51:55 AM
#5
"!Went>P@r!$&be$tmem0ryev_r" is a good password, but a 12-word or 24-word random seed is more secure. As @pooya87 stated, a password must be weakened in order to be memorizable. Your idea may work for you, but it cannot be recommended for general use.
legendary
Activity: 3472
Merit: 10611
June 05, 2020, 01:07:59 AM
#4
Something that you can create that reflect to your experience and easy to remember and hard to crack

then that's another problem. almost always, these two can not be achieved together.
people aren't known to be able to create strong passwords. to be able to remember their passwords they always end up with weak ones that could be guessed in most cases.
and if the password were strong (truly random) then it can't be memorized over long term. they still have to write it down so that they won't forget it (after like in a year), and if they are writing it down then why not use the method that is already tested and is considered safe meaning BIP-39?
newbie
Activity: 10
Merit: 8
June 05, 2020, 12:51:59 AM
#3
these "words" are actually representing the "entropy" that is used to generate the individual private keys. so unless you can come up with a way to generate the same level of security entropy (at least 128-bits) using 3 words, it won't work.


You can do it using https://iancoleman.io/bip39/ and I understand you won't achieve 128 bits, this is where the passphrase with strong password is extremely important.

are you really suggesting that memorizing 3 words + something like
Code:
J\{m^"
is easier than memorizing this:
Code:
legal winner thank year wave sausage worth useful legal winner thank yellow
i'm not convinced!

No, i am not suggesting to create your password like this. you can create something like !Went>P@r!$&be$tmem0ryev_r

Something that you can create that reflect to your experience and easy to remember and hard to crack
legendary
Activity: 3472
Merit: 10611
June 05, 2020, 12:39:10 AM
#2
these "words" are actually representing the "entropy" that is used to generate the individual private keys. so unless you can come up with a way to generate the same level of security entropy (at least 128-bits) using 3 words, it won't work.

The idea is, people just need to memorise 3 words + passphrase (of their choice) (strong password) rather than worrying that the (seed phrase 12 or 24 words) is stolen or lost. Any reason why this cannot be practical or recommended?
are you really suggesting that memorizing 3 words + something like
Code:
J\{m^"
is easier than memorizing this:
Code:
legal winner thank year wave sausage worth useful legal winner thank yellow
i'm not convinced!
newbie
Activity: 10
Merit: 8
June 05, 2020, 12:21:04 AM
#1
I want to ask what is the danger of creating a seed phrase that generates 3 words only + passphrase (strong password 18 characters)? Is it safe? Is it possible to lose the funds this way? If yes, how?

The idea is, people just need to memorise 3 words + passphrase (of their choice) (strong password) rather than worrying that the (seed phrase 12 or 24 words) is stolen or lost. Any reason why this cannot be practical or recommended?

I understand that seed phrase can easily be guessed by a hacker but then he needs to be able to crack the 18 characters (combination of lower, upper case, number, special characters such as * ? >< !@#}|_-&^%$)

