Author

Topic: BIP39 vs Electrum Mnemonic seed (Read 677 times)

legendary
Activity: 2268
Merit: 18711
July 08, 2023, 03:30:24 AM
#41
There was an individual who managed to brute force 4 words using custom code and renting cloud computing. It cost him $350 and took 30 hours. To scale that up to 5 words, it would cost >$700,000 and take 7 years. And this is of course assuming you are 100% certain about the other 7 words, including their order and position.

So in short, it's almost certainly not worth your time to try to brute force 5 words.
legendary
Activity: 1624
Merit: 2594
Top Crypto Casino
July 07, 2023, 02:30:29 PM
#40
what do you thing about 12 mnemonic and only remember 7 words?
is there possible to recovery?

No. The BIP39 mnemonic dictionary contains 2048 words. This means that there are about 3.6x10^16 possible combinations for your 12-word mnemonic seed, even if you know the right order of those 7 known words. It gets even crazier if you don't know the word order at all. Trying to brute force those 5 missing words? Forget about it! It's flat-out impossible.
newbie
Activity: 48
Merit: 0
July 07, 2023, 11:40:10 AM
#39
what do you thing about 12 mnemonic and only remember 7 words?
is there possible to recovery?
legendary
Activity: 2604
Merit: 2353
March 16, 2023, 04:14:46 PM
#38
I wouldn't call it an ego conflict, simply conflicting standards. It reminds me of this: https://xkcd.com/927/

I do agree things should be kept as simple as possible, but if someone is already in the situation in which they are trying to recover a non-standard or invalid BIP39 seed phrase using an unknown wordlist, then they have already failed at keeping things as simple as possible. As I mentioned above, this feature in Electrum is a recovery tool for people who have already over-complicated things with such non-standard seed phrases. If you keep things simple by installing Electrum and generating a new seed phrase for your wallet, then you will never interact with this feature at all.
They couldn't fail to keep things as simple as possible, as you say, if softwares like Electrum were not allowing to do this kind of things without displaying serious warnings, in the first place. If someone wants to rob a layman he just needs to advise him to use a first and last name as a seed in Electrum like Sarah Azhari is doing, to lead him to get a very weak seed, easy to hack by him. Bitcoin should be safe to use for everybody.
legendary
Activity: 2268
Merit: 18711
March 12, 2023, 03:43:29 AM
#37
I wouldn't call it an ego conflict, simply conflicting standards. It reminds me of this: https://xkcd.com/927/

I do agree things should be kept as simple as possible, but if someone is already in the situation in which they are trying to recover a non-standard or invalid BIP39 seed phrase using an unknown wordlist, then they have already failed at keeping things as simple as possible. As I mentioned above, this feature in Electrum is a recovery tool for people who have already over-complicated things with such non-standard seed phrases. If you keep things simple by installing Electrum and generating a new seed phrase for your wallet, then you will never interact with this feature at all.
legendary
Activity: 2604
Merit: 2353
March 11, 2023, 05:59:25 PM
#36
but unfortunately it's not written anywhere in the messages displayed and they are not ashamed to call "BIP39" any random string with any random characters.
Because without knowing the wordlist, they have no way of knowing if a random string with any random characters is an incorrectly generated BIP39 seed phrase. They only ever call a phrase BIP39 after the user has checked the box indicating that they are entering a BIP39 phrase.

If I say "Here is a BIP39 seed phrase" and then enter some random string, Electrum (or any other software) has absolutely no way of saying "This is not a BIP39 seed phrase". All it can do is take me at my word, and tell me that it doesn't know the specifics of my BIP39 seed phrase, since I could be using any wordlist or any non-standard implementation. Plenty of other software already generates what they call BIP39 seed phrases which do not follow the standard. Iancoleman, for example, lets users generate seed phrases with only 3 words.
All it can do is to take me at my word ? No if it can't verify it can just say it hasn't been able to verify if it's a BIP39 seed or not, or it can just say nothing about it. Bitcoin is a new technology for most people on Earth, they need to be helped, accompanied and educated, not confused because of ego conflicts between devs. I hope being wrong but I wonder if this mention is here by accident, or because it's a way of showing that BIP39 is/could be crap.
legendary
Activity: 2268
Merit: 18711
March 11, 2023, 06:49:40 AM
#35
but unfortunately it's not written anywhere in the messages displayed and they are not ashamed to call "BIP39" any random string with any random characters.
Because without knowing the wordlist, they have no way of knowing if a random string with any random characters is an incorrectly generated BIP39 seed phrase. They only ever call a phrase BIP39 after the user has checked the box indicating that they are entering a BIP39 phrase.

If I say "Here is a BIP39 seed phrase" and then enter some random string, Electrum (or any other software) has absolutely no way of saying "This is not a BIP39 seed phrase". All it can do is take me at my word, and tell me that it doesn't know the specifics of my BIP39 seed phrase, since I could be using any wordlist or any non-standard implementation. Plenty of other software already generates what they call BIP39 seed phrases which do not follow the standard. Iancoleman, for example, lets users generate seed phrases with only 3 words.
legendary
Activity: 2604
Merit: 2353
March 10, 2023, 02:04:02 PM
#34
I read article and watch video that it's stupid idea to split mnemonic seed to different parts because it is bad if one of parts have word for checksum that is useless for wallet recovery.
What do you call a word for checksum that is useless for wallet recovery precisely? All words are needed to recover a wallet actually, so you won't get the same master key if you use a seed without its checksum even if the wallet accepts it like Electrum does. All words are used by the PBKDF2 function to generate the seed. So you will need to compute it again if the checksum is missing. In addition, there is no canonical BIP39 seed with words fully used as checksum because binary seeds must have a multiple of 32 bit seize and the longest checksum is 8bits (for a 256bits seed) while words are 11bits long.
https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki

Do you have links of those articles and videos btw? Because they are mistaken if they are telling that.
legendary
Activity: 3472
Merit: 10611
March 10, 2023, 02:58:28 AM
#33
Could you share how do I know what seed word is for checksum and what words in mnemonic seed are not for checksum, please.
In Electrum mnemonics, there is no specific part that contains the checksum. The whole combination also acts as a checksum (HMACSHA512 hash of the mnemonic should have a certain starting bits).
In BIP39 mnemonics the last world contains the checksum. Depending on the number of words it can be smaller (4 bits for 12 words to 8 bits for 24 words and each word is always 11 bits).
sr. member
Activity: 602
Merit: 387
Rollbit is for you. Take $RLB token!
March 09, 2023, 09:33:29 PM
#32
There is no way you can tell if a seed is BIP39 or Electrum simply by looking at it, if they are both using the same wordlist. You simply have to try to import the seed phrase and see if it has an valid/invalid BIP39 checksum or a valid/invalid Electrum version number.
Importing can lead to successful import or failed import.

Could you share how do I know what seed word is for checksum and what words in mnemonic seed are not for checksum, please.

I read article and watch video that it's stupid idea to split mnemonic seed to different parts because it is bad if one of parts have word for checksum that is useless for wallet recovery.

Like if I have a full mnemonic seed, how do I know what word is for checksum?
legendary
Activity: 2604
Merit: 2353
March 09, 2023, 01:01:18 PM
#31
In the same way, you should avoid to tell in the Beginners & Help section that a 2 words seed could very well be a BIP39 seed using a different wordlist
I never said any such thing. I have been very clear in my replies in this thread that generating your own seed phrase or wallet as OP has suggested is highly insecure.

This part of Electrum which allows you to recover non-standard seed phrase, is exactly that - a recovery tool. At no point does Electrum generate insecure seed phrases, nor even allow you to generate BIP39 seed phrases at all, valid or otherwise. There is no telling what errors or bugs other poorly coded wallets have implemented, and it is not Electrum's responsibility to police them, especially for a seed phrase system it doesn't use and in fact recommends against using. The whole point of Electrum allowing you to proceed with invalid checksums, unknown wordlists, wrong number of words, etc., is to allow people to attempt to recover such invalid seed phrases which other bad wallets have generated, or that they themselves have manually generated badly.
You are maybe right, they maybe see this "feature" as a so called "recovery tool" but unfortunately it's not written anywhere in the messages displayed and they are not ashamed to call "BIP39" any random string with any random characters. The warning message below the text box doesn't talk about their lax "recovery" policy, it just talks about their own safety standard and version number system.
After undergoing a long attack that made many victims, they could be more cautious of their users, especially the less educated ones IMO.
It's nice to be able to create a mnemonic seed with a huge entropy with only few words, but without any warnings it could lead to the opposite as in the case above.

Quote
Warning: BIP39 seeds can be imported in Electrum, so that users can access funds locked in other wallets. However, we do not generate BIP39 seeds, because they do not meet our safety standard. BIP39 seeds do not include a version number, which compromises compatibility with future software. We do not guarantee that BIP39 imports will always be supported in Electrum.
legendary
Activity: 2268
Merit: 18711
February 21, 2023, 09:39:29 AM
#30
You don't need to know if a wordlist has been used and which one it could be, neither to compute a checksum when it's mathematically not possible to meet the basic requirements of BIP39. Then the software shouldn't say it's a BIP39 seed, but should undeceive the users if they think it is one.
Feel free to open an issue on GitHub if you think this should be changed. I don't think it should though, for the reasons I've given below.

In the same way, you should avoid to tell in the Beginners & Help section that a 2 words seed could very well be a BIP39 seed using a different wordlist
I never said any such thing. I have been very clear in my replies in this thread that generating your own seed phrase or wallet as OP has suggested is highly insecure.

This part of Electrum which allows you to recover non-standard seed phrase, is exactly that - a recovery tool. At no point does Electrum generate insecure seed phrases, nor even allow you to generate BIP39 seed phrases at all, valid or otherwise. There is no telling what errors or bugs other poorly coded wallets have implemented, and it is not Electrum's responsibility to police them, especially for a seed phrase system it doesn't use and in fact recommends against using. The whole point of Electrum allowing you to proceed with invalid checksums, unknown wordlists, wrong number of words, etc., is to allow people to attempt to recover such invalid seed phrases which other bad wallets have generated, or that they themselves have manually generated badly.
legendary
Activity: 2604
Merit: 2353
February 21, 2023, 09:00:13 AM
#29
I don't agree with that, because here Electrum doesn't say at least that it's not a BIP39 seed. It just says it's a BIP39 seed using a wordlist unknown from them : "BIP 39 (unknown wordlist)".
One of the flaws with BIP39 is that it requires a known wordlist. Another flaw is that if you do not know the wordlist being used then you do not know whether or not what is being entered is a valid BIP39 seed phrase or whether it has a valid checksum. Electrum only displays "BIP39 (unknown wordlist)" if the user manually checks the "BIP39 seed" box. Electrum is assuming the user knows what kind of seed they are using. Electrum is not able to say "This is not a BIP39 seed" because it could very well be a BIP39 seed using a different wordlist.

This is not the fault of Electrum. It is the fault of BIP39, which Electrum is supporting as best as possible given these flaws.

Moreover BIP39 requires to issue a warning if the checksum is wrong, this message isn't a warning message and doesn't talk about the checksum.
As above. If you enter words from the common English BIP39 word list, then Electrum will indeed show you an invalid checksum warning. But if you enter words not on this wordlist, Electrum (or indeed, any software) is not able to tell you whether or not your checksum is invalid because it does not know the wordlist you are using. This is a flaw in BIP39, not Electrum.
There are certainly flaws in BIP39 but could you tell us how a 2 words seed could have an entropy between 128bits and 256 bits, with words encoding 11 bits each, as BIP39 is requiring? You don't need to know if a wordlist has been used and which one it could be, neither to compute a checksum when it's mathematically not possible to meet the basic requirements of BIP39. Then the software shouldn't say it's a BIP39 seed, but should undeceive the users if they think it is one. In the same way, you should avoid to tell in the Beginners & Help section that a 2 words seed could very well be a BIP39 seed using a different wordlist, because it's very misleading and dangerous, as the entropy would be critically low even if those words belong to 2 different languages.
legendary
Activity: 2268
Merit: 18711
February 21, 2023, 08:05:47 AM
#28
I don't agree with that, because here Electrum doesn't say at least that it's not a BIP39 seed. It just says it's a BIP39 seed using a wordlist unknown from them : "BIP 39 (unknown wordlist)".
One of the flaws with BIP39 is that it requires a known wordlist. Another flaw is that if you do not know the wordlist being used then you do not know whether or not what is being entered is a valid BIP39 seed phrase or whether it has a valid checksum. Electrum only displays "BIP39 (unknown wordlist)" if the user manually checks the "BIP39 seed" box. Electrum is assuming the user knows what kind of seed they are using. Electrum is not able to say "This is not a BIP39 seed" because it could very well be a BIP39 seed using a different wordlist.

This is not the fault of Electrum. It is the fault of BIP39, which Electrum is supporting as best as possible given these flaws.

Moreover BIP39 requires to issue a warning if the checksum is wrong, this message isn't a warning message and doesn't talk about the checksum.
As above. If you enter words from the common English BIP39 word list, then Electrum will indeed show you an invalid checksum warning. But if you enter words not on this wordlist, Electrum (or indeed, any software) is not able to tell you whether or not your checksum is invalid because it does not know the wordlist you are using. This is a flaw in BIP39, not Electrum.
legendary
Activity: 2604
Merit: 2353
February 20, 2023, 07:33:29 PM
#27
That's not a good behavior from Electrum, I would call that a bug.
It is not a bug, but rather intended behavior: https://github.com/spesmilo/electrum/issues/6860
I don't agree with that, because here Electrum doesn't say at least that it's not a BIP39 seed. It just says it's a BIP39 seed using a wordlist unknown from them : "BIP 39 (unknown wordlist)".
While only 2 words are used, which can't encode an entropy between 128 and 256bits with 11bits words, in addition to carrying a critically low and dangerous entropy for a seed.


legendary
Activity: 2268
Merit: 18711
February 20, 2023, 04:51:02 AM
#26
If it's true, I don't need to find the older version, because I still can access my fund when I keep also the private key beside brain seed.
Then there is no point in using a brain wallet at all. If you are going to back up your private keys on paper, then backing up the string you used to generate those private keys alongside them provides zero additional redundancy or protection. And so in that case, it is far preferable to use a piece of software like Bitcoin Core to generate a random private key in a cryptographically secure way and back that key up, instead of using a very insecure brain wallet method to generate a key.

All of the case above is just an experiment.
Sure, but generating wallets and private keys is not something which should be experimented with. There are provably secure ways of generating wallets and keys, which all good wallets will use. And if you don't trust any software, then you can flip a coin to generate physical entropy. Anything method or scheme you come up with yourself will almost certainly have huge vulnerabilities.
hero member
Activity: 868
Merit: 737
February 19, 2023, 09:16:12 PM
#25
you won't be able to access your funds anymore. You will need to find an older version able to run on your current environment, if you are able to remember it was a bug from a former version at least.
If it's true, I don't need to find the older version, because I still can access my fund when I keep also the private key beside brain seed.

so while we are still anonymous and No one knows who we are, none of the data on the internet, IP, phone number, SSN and etc, we are safe to use a brain wallet with an Air gap device with never connected to the Internet.
Absolutely not.

It is not the manner in which you use a brain wallet which makes it inherently unsafe (although using any wallet in an unsafe manner is a risk), but rather it is the very concept of a brain wallet which is unsafe. Humans are not random. Humans cannot be random. Even if you think you are being random, you aren't. Coming up with your own password, passphrase, seed phrase, whatever, in order to generate a wallet, will absolutely result in a wallet with less entropy than you think or that you want. There is a reason that all good wallets generate seed phrases randomly and all good password managers generate passwords randomly. Anything you come up with yourself will not be secure.

All it takes is someone else to come up with the same string as you did, and all your coins are lost, regardless of if you used an airgapped device or not. Using a string of a single number or word, or even a string of words from a book, movie, song, etc., will almost certainly result in your coins being stolen. There are dozens of bots out there continually watching entire databases of addresses composed of hundreds of thousands of brain wallets, just waiting to steal any coins sent to them.

Noted it.

I never used the human brain to store my fund.
All of the case above is just an experiment.
legendary
Activity: 2268
Merit: 18711
February 19, 2023, 10:27:17 AM
#24
so while we are still anonymous and No one knows who we are, none of the data on the internet, IP, phone number, SSN and etc, we are safe to use a brain wallet with an Air gap device with never connected to the Internet.
Absolutely not.

It is not the manner in which you use a brain wallet which makes it inherently unsafe (although using any wallet in an unsafe manner is a risk), but rather it is the very concept of a brain wallet which is unsafe. Humans are not random. Humans cannot be random. Even if you think you are being random, you aren't. Coming up with your own password, passphrase, seed phrase, whatever, in order to generate a wallet, will absolutely result in a wallet with less entropy than you think or that you want. There is a reason that all good wallets generate seed phrases randomly and all good password managers generate passwords randomly. Anything you come up with yourself will not be secure.

All it takes is someone else to come up with the same string as you did, and all your coins are lost, regardless of if you used an airgapped device or not. Using a string of a single number or word, or even a string of words from a book, movie, song, etc., will almost certainly result in your coins being stolen. There are dozens of bots out there continually watching entire databases of addresses composed of hundreds of thousands of brain wallets, just waiting to steal any coins sent to them.

That's not a good behavior from Electrum, I would call that a bug.
It is not a bug, but rather intended behavior: https://github.com/spesmilo/electrum/issues/6860
legendary
Activity: 2604
Merit: 2353
February 19, 2023, 06:16:03 AM
#23
Electrum is unique, it's different from the BIP39 seed, in electrum I can create an address with a custom seed like " Sarah Azhari" and get the address "bc1quql5me288nquwhjr432wakq949quwszzg4h588", it's different on BIP39 wallet, when I write that custom seed, I received "Sarah not in the wordlist, did you mean arch?"



so, is it dangerous when still keep an address; "bc1quql5me288nquwhjr432wakq949quwszzg4h588"?. because it's not normally seed, or maybe safe if only keep the private key?.
That's not a good behavior from Electrum, I would call that a bug. Because it allows people to use non-BIP39 seeds while thinking they are using true BIP39 ones. It's dangerous for you to use a seed like that, because if Electrum fixes this bug in its next versions, you won't be able to access your funds anymore. You will need to find an older version able to run on your current environment, if you are able to remember it was a bug from a former version at least.
hero member
Activity: 868
Merit: 737
February 18, 2023, 10:12:41 PM
#22
So, if an address appears on public, for example, bc1q00msv0lt4hhaks47yy2d26kg269r0r06vnccsp, how do we know that address is not standard generated?

or how to know the address is used BIP39 or electrum seed?
Address contains neither sensitive data nor the information about the approach that was employed to create it in the first place. Addresses are designed to be publicly revealed, otherwise it would be impossible to make transactions on the blockchain. You can't even convert a bitcoin address back to a public key (that is also considered relatively safe to share on the Internet), which makes it an impossible task to extract private keys directly from addresses. However, in the case of insecurely generated bitcoin wallet, an attacker doesn't need to break your address to guess your private key. He already knows that you used an insecure password when created your wallet, otherwise he wouldn't spend time and resources trying to brute force it. The first thing he will do is gather all your personal information available on the Internet such as your name, occupation, pet name, etc and he will use it to guess a custom seed phrase. You will be surprised when you find out how many people use personal information for passwords.
so while we are still anonymous and No one knows who we are, none of the data on the internet, IP, phone number, SSN and etc, we are safe to use a brain wallet with an Air gap device with never connected to the Internet. Because on electrum we can create an address by 1 letter/number when ticking BIP39 Seed.
legendary
Activity: 2450
Merit: 4415
🔐BitcoinMessage.Tools🔑
February 14, 2023, 01:26:03 AM
#21
So, if an address appears on public, for example, bc1q00msv0lt4hhaks47yy2d26kg269r0r06vnccsp, how do we know that address is not standard generated?

or how to know the address is used BIP39 or electrum seed?
Address contains neither sensitive data nor the information about the approach that was employed to create it in the first place. Addresses are designed to be publicly revealed, otherwise it would be impossible to make transactions on the blockchain. You can't even convert a bitcoin address back to a public key (that is also considered relatively safe to share on the Internet), which makes it an impossible task to extract private keys directly from addresses. However, in the case of insecurely generated bitcoin wallet, an attacker doesn't need to break your address to guess your private key. He already knows that you used an insecure password when created your wallet, otherwise he wouldn't spend time and resources trying to brute force it. The first thing he will do is gather all your personal information available on the Internet such as your name, occupation, pet name, etc and he will use it to guess a custom seed phrase. You will be surprised when you find out how many people use personal information for passwords.
hero member
Activity: 868
Merit: 737
February 13, 2023, 11:56:56 PM
#20
You can use it for testing purposes but always create a random seed when it comes to storing real money.
Of course, for testing only, I never used seed without standards procedure.

or maybe safe if only keep the private key?.
It's not safe at all. All this is is a glorified brain wallet, which instead of performing one hash to turn your string in to an individual private key is performing a few more hashes to turn your string in to a entire wallet. Either way, the result is highly insecure.
So, if an address appears on public, for example, bc1q00msv0lt4hhaks47yy2d26kg269r0r06vnccsp, how do we know that address is not standard generated?

or how to know the address is used BIP39 or electrum seed?
legendary
Activity: 2268
Merit: 18711
February 13, 2023, 05:17:40 AM
#19
Electrum is unique, it's different from the BIP39 seed, in electrum I can create an address with a custom seed like " Sarah Azhari" and get the address "bc1quql5me288nquwhjr432wakq949quwszzg4h588", it's different on BIP39 wallet, when I write that custom seed, I received "Sarah not in the wordlist, did you mean arch?"
All Electrum is doing here is ignoring the incorrect word list and incorrect checksum, and running your inputted text through the usual 2048 rounds of PBKDF2 in order to generate a wallet. This has nothing to do with the difference between Electrum seed phrases and BIP39 seed phrases.

or maybe safe if only keep the private key?.
It's not safe at all. All this is is a glorified brain wallet, which instead of performing one hash to turn your string in to an individual private key is performing a few more hashes to turn your string in to a entire wallet. Either way, the result is highly insecure.
legendary
Activity: 2450
Merit: 4415
🔐BitcoinMessage.Tools🔑
February 13, 2023, 02:10:16 AM
#18
Electrum is unique, it's different from the BIP39 seed, in electrum I can create an address with a custom seed like " Sarah Azhari" and get the address "bc1quql5me288nquwhjr432wakq949quwszzg4h588", it's different on BIP39 wallet, when I write that custom seed, I received "Sarah not in the wordlist, did you mean arch?"

so, is it dangerous when still keep an address; "bc1quql5me288nquwhjr432wakq949quwszzg4h588"?. because it's not normally seed, or maybe safe if only keep the private key?.
No, it is not safe at all to use custom seed phrases "generated" with the help of your brain because the randomness generated by the human brain is not cryptographically-secure. What you did was create a simple "brain wallet" with a very weak password which will take a couple of seconds to crack and steal all your money. Electrum is thus not unique in this sense, there are many other ways to create unique seed phrases and weak entropy but it also doesn't mean that you should use this functionality if given an option to do so. You can use it for testing purposes but always create a random seed when it comes to storing real money.
hero member
Activity: 868
Merit: 737
February 13, 2023, 01:11:49 AM
#17
Electrum is unique, it's different from the BIP39 seed, in electrum I can create an address with a custom seed like " Sarah Azhari" and get the address "bc1quql5me288nquwhjr432wakq949quwszzg4h588", it's different on BIP39 wallet, when I write that custom seed, I received "Sarah not in the wordlist, did you mean arch?"



so, is it dangerous when still keep an address; "bc1quql5me288nquwhjr432wakq949quwszzg4h588"?. because it's not normally seed, or maybe safe if only keep the private key?.
legendary
Activity: 2268
Merit: 18711
February 11, 2023, 06:50:02 AM
#16
Interesting. I did not know that Electrum applied this normalization to passphrases, which as you say, doesn't really make sense.

So a bit more testing on the standard Latin alphabet plus diacritics, Electrum will also use NFKD normalization, but it will also do the following: Make everything lowercase, remove all accents and turn the accented letter back to the "base" letter, reduce all white spaces of any length to one space only. This means that the following two passphrases produce the exact same wallet:

Code:
HÈLLÖ     thérê     $!?
hello there $!?

At least knowing this you could then apply the same rules to non-English letters and words to regenerate your wallet elsewhere, if you needed to.
legendary
Activity: 3472
Merit: 10611
February 11, 2023, 05:44:40 AM
#15
Good point. BIP39 uses NFKD - what does Electrum use? A very quick test shows that a passphrase of lower case letters and numbers will generate the same wallet between Electrum and an edited version of Ian Coleman, but upper case letters or symbols lead to different wallets.
The method is called "normalize_text"[1] and the behavior you found here is because for some reason Electrum calls the normalize_text method on both the mnemonic and its passphrase which treats them both the same. And although this method makes sense for the mnemonic, it makes no sense for the passphrase.
This means it will not only lower case all letters in your passphrase but also it will remove extra spaces from it (ie. pass="aB....cd" is the same as "ab.cd", I used dots instead of space to visualize it better).

The code looks pretty straight forward but last time I tried to reproduce it in c# I failed the part that affects CJK character:
[1] https://github.com/spesmilo/electrum/blob/df842af0b6b48074a510155fbfd28df295c200d4/electrum/mnemonic.py#L40-L90
legendary
Activity: 2730
Merit: 7065
February 11, 2023, 05:19:30 AM
#14
Electrum developers think that BIP39 seed is not safe enough so they tried to improve it by making their own system and fixing shortcomings.
Electrum's version numbering system was created before BIP39 seeds became a thing. Therefore, Electrum didn't have anything to fix in a time where BIP39 seeds and their workings didn't exist.

No one would throw away a seed they wrote down and stored themselves, especially when they are sure that they have Bitcoin in that address.
It happens, and we have seen such stories. It's usually old seeds to empty wallets the owners no longer plan to use. Unfortunately, they give their counterparties an address that belong to such a wallet and receive BTC in an address whose seed they threw away. Or someone sends them money to an address they used in the past by mistake.

Does Sparrow wallet not already support importing Electrum wallets?
Blue Wallet supports importing Electrum-native seeds. In the past, the wallet couldn't be empty for the import process to work, but now it works on empty wallets as well.
legendary
Activity: 2268
Merit: 18711
February 11, 2023, 04:13:55 AM
#13
-snip-
Good point. BIP39 uses NFKD - what does Electrum use? A very quick test shows that a passphrase of lower case letters and numbers will generate the same wallet between Electrum and an edited version of Ian Coleman, but upper case letters or symbols lead to different wallets.

Still, it's not outside the realms of possibility to edit the code of some other piece of wallet software to use the same normalization method as Electrum does in order to recover Electrum wallets, in the incredibly unlikely scenario that all copies of Electrum some disappear from the internet. Does Sparrow wallet not already support importing Electrum wallets?
legendary
Activity: 3472
Merit: 10611
February 09, 2023, 10:52:07 PM
#12
And if you don't have any old copy of Electrum, then literally the only difference between turning a BIP39 seed phrase in to a wallet and an Electrum seed phrase in to a wallet is the word that is concatenated with your passphrase prior to PBKDF2. BIP39 uses "mnemonic", while Electrum uses "electrum". You could take any open source wallet and change the code very easily to recover Electrum seed phrases.
This works for 99% of the cases where you are using a simple seed phrase with no passphrase and with default English word-list. Anything other than this and things get complicated. For example if you were using a passphrase or if you were using a different word-list like the default French list since the normalization method is different (in this case removes diacritics or accents) your BIP32 seed will be different and you'll end up with a different wallet.
(BIP39 only performs a very simple KD normalization.)
legendary
Activity: 2268
Merit: 18711
February 09, 2023, 09:50:05 AM
#11
Easy enough to just recover your seed phrase in any old copy of Electrum you have and then export your raw private keys or xprv to be imported in to another wallet, in the very unlikely event that Electrum ceased to be maintained.

And if you don't have any old copy of Electrum, then literally the only difference between turning a BIP39 seed phrase in to a wallet and an Electrum seed phrase in to a wallet is the word that is concatenated with your passphrase prior to PBKDF2. BIP39 uses "mnemonic", while Electrum uses "electrum". You could take any open source wallet and change the code very easily to recover Electrum seed phrases.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
February 09, 2023, 07:04:02 AM
#10
Yes, only that 1 way we know the difference, but if kept long and someone forgets if it's a different seed, he will throw it away after checking its invalid sum.
I think that's unlikely. What reason would someone have for backing up an invalid seed phrase to begin with? If they can't recover their wallet via BIP39, then they are going to search for other answers, not just immediately throw away their back up and assume their coins are permanently lost.

Note that Electrum isn't the only alternative to BIP39 either. There are others, such as AEZEED.

The problems start rolling in when other wallets do not implement these additional kinds of seed phrases besides BIP39, and then Electrum or whatever the custom seed software is ceases to be maintained. It will make recovering your funds in a different wallet a massive PITA as few wallets actually know how to recover Electrum seeds correctly.
legendary
Activity: 2268
Merit: 18711
February 09, 2023, 05:08:11 AM
#9
Yes, only that 1 way we know the difference, but if kept long and someone forgets if it's a different seed, he will throw it away after checking its invalid sum.
I think that's unlikely. What reason would someone have for backing up an invalid seed phrase to begin with? If they can't recover their wallet via BIP39, then they are going to search for other answers, not just immediately throw away their back up and assume their coins are permanently lost.

Note that Electrum isn't the only alternative to BIP39 either. There are others, such as AEZEED.
legendary
Activity: 3472
Merit: 10611
February 09, 2023, 01:18:05 AM
#8
Electrum developers think that BIP39 seed is not safe enough so they tried to improve it by making their own system and fixing shortcomings.
It has nothing to do with safety. Security of both algorithms are pretty much the same.
Read the link in first reply by @witcher_sense, in simple terms it is about the fact that BIP39 lacks certain features such as telling the software what type of address it should derive and at what derivation path (fixed by including a version number). That makes recovery using seed phrase a lot easier for users which is what Electrum aims for (ie user friendliness).
BTW Electrum seed algorithm existed before BIP39.
hero member
Activity: 644
Merit: 661
- Jay -
February 09, 2023, 12:50:43 AM
#7
...
No one would throw away a seed they wrote down and stored themselves, especially when they are sure that they have Bitcoin in that address.
You might get confused as to why it is marked invalid (although Electrum does not give an 'invalid' response when importing a seed that is not compatible) and ask on a forum, from a friend or just directly try another wallet.

About a thief discovering your bitcoins, if someone can look through your backups then you are not storing them securely.
It does not matter if you tag it "BIP39", simply seeing a list of keywords and knowing how popular crypto is right now, they would most probably know it has something to do with it.

- Jay -
hero member
Activity: 868
Merit: 737
February 08, 2023, 08:09:05 PM
#6
There is no way you can tell if a seed is BIP39 or Electrum simply by looking at it, if they are both using the same wordlist. You simply have to try to import the seed phrase and see if it has an valid/invalid BIP39 checksum or a valid/invalid Electrum version number.
Yes, only that 1 way we know the difference, but if kept long and someone forgets if it's a different seed, he will throw it away after checking its invalid sum. If we write specific "this is bip39 seed" and "this is electrum seed", a snatcher will find out if that word is bitcoin bag.
legendary
Activity: 2212
Merit: 7064
February 08, 2023, 01:03:13 PM
#5
Why Electrum doesn't use BIP39 seed? even use and have the same wordlist as BIP39 (2048 words).
Electrum developers think that BIP39 seed is not safe enough so they tried to improve it by making their own system and fixing shortcomings.
I know this could be confusing to some users, and I would suggest writing extra information when you are generating seed words, by simply writing small note like Electrum or BIP39.
In same way I would write derivation path that is not standard, passphrase, and anything that could help recover coins.

How to know if no.1 is bip39 seed and no.2 is electrum seed?
You can only know by importing words and checking your balance after that.
legendary
Activity: 3374
Merit: 3095
Playbet.io - Crypto Casino and Sportsbook
February 08, 2023, 12:54:02 PM
#4
Adding this just to clarify the ETFbitcoin post above when you are trying to import your seed to Electrum with BIP39 the next button is grayed out you can't able to click next until you check BIP39 under the option.

Unlike Electrum seed when you import and paste the seed the next button is clickable. That's the easiest way to check if you have BIP39 seed or Electrum seed.
legendary
Activity: 2268
Merit: 18711
February 08, 2023, 06:22:53 AM
#3
It's worth noting that Electrum's seed phrase system pre-dates BIP39 by several years. Also, Electrum does not use a fixed wordlist like BIP39 does. BIP39 seed phrases will only work with the BIP39 wordlist. Electrum seed phrases will work with any wordlist you want. It uses the BIP39 one simply out of convenience, but you can replace the wordlist in the Electrum directory and use any wordlist you like.

There is no way you can tell if a seed is BIP39 or Electrum simply by looking at it, if they are both using the same wordlist. You simply have to try to import the seed phrase and see if it has an valid/invalid BIP39 checksum or a valid/invalid Electrum version number.

legendary
Activity: 2450
Merit: 4415
🔐BitcoinMessage.Tools🔑
February 08, 2023, 12:05:36 AM
#2
Why Electrum doesn't use BIP39 seed? even use and have the same wordlist as BIP39 (2048 words).
Check the "Motivation" section of their docs: https://electrum.readthedocs.io/en/latest/seedphrase.html#motivation
And also this https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2015-March/007642.html
In short, BIP39 doesn't include a version number which would allow software to determine the scheme of key derivation. A wallet needs to try different derivation paths in order to find where coins are located. Users, on the other hand, are risking to never find their coins if wallets suddenly stop supporting certain derivation paths. The other reason is that BIP39 has a fixed wordlist which is being used in a very inconsistent way: you don't use wordlist for key and addresses derivation, but you use it to calculate a checksum. Moreover, BIP39 standard suggest to use one wordlist per language, which is terrible for portability.
Quote
so What the difference and how to differentiate between them? for example:
Just check the documentation I linked.
hero member
Activity: 868
Merit: 737
February 07, 2023, 10:44:31 PM
#1
Why Electrum doesn't use BIP39 seed? even use and have the same wordlist as BIP39 (2048 words).

so What the difference and how to differentiate between them? for example:

1. rally banner example horse judge travel erupt clean ball supreme main steak

2. orient endorse sketch enter spatial weasel suggest unique certain rude cluster sad

How to know if no.1 is bip39 seed and no.2 is electrum seed?
Jump to: