Topic: Can I use a 12 word seed extension and store it separately?

legendary
Activity: 2268
Merit: 18771
If your wallet software failed to generate properly a multi-sig wallet, what makes you think that it won't happen to a single-sig too? I'm not sure that I'm following you.
Think about the malicious Electrum version which was stealing coins. If your wallet was multi-sig instead, then it would not have been able to steal the coins. Even if it was multi-sig with two malicious Electrum wallets, it would require you to manually transfer the partially signed malicious transaction between your two devices, which would be highly unlikely to happen unless you really weren't paying attention. Only if it was a variant of the malware which uploaded private keys to a server instead of making a transaction, and you updated both versions of Electrum to this malicious version, would your coins still have been stolen in a multi-sig set up.

Using different hardware and software for all parts of your multi-sig provides even more security against one of your wallets being attacked or malicious.
hero member
Activity: 491
Merit: 1259
Nihil impunitum
If you have a wallet that contains malicious functions, you shouldn't even consider using it for transactions.

100% correct
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
Well, let me consider the hypothetical situation when one of the wallets has a backdoor that gives the adversary a chance to steal my funds.
In this hypothetical scenario, you're the owner of your funds; you don't divide your bitcoins' possession with someone else. If that's true, then you'll need to sign from both public keys. If you choose a wallet software to sign from both, you won't avoid the assumed backdoor. If you sign from different wallets, then the possibilities for funds' loss drop.

However, isn't that a really complicated way to pretend that you're safe? If you have a wallet that contains malicious functions, you shouldn't even consider using it for transactions. Not to mention that you'll lose your privacy, because theoretically the thief could access your master public keys.
hero member
Activity: 491
Merit: 1259
Nihil impunitum
I was considering the aspect of the trust in the developer(s)/team(s) that have responsibility for the wallet. Multisig would help to save my funds if the security design pertaining to a particular wallet failed somehow.

If your wallet software failed to generate properly a multi-sig wallet, what makes you think that it won't happen to a single-sig too? I'm not sure that I'm following you.

The latter happens.
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
I was considering the aspect of the trust in the developer(s)/team(s) that have responsibility for the wallet. Multisig would help to save my funds if the security design pertaining to a particular wallet failed somehow.

If your wallet software failed to generate properly a multi-sig wallet, what makes you think that it won't happen to a single-sig too? I'm not sure that I'm following you.
legendary
Activity: 2268
Merit: 18771
Definitely the multisig wallet would be better than a single-sig one,
Well, it depends on what aspect of the wallet you are considering when you say "better". Multi-sig is likely going to be more secure than a single sig wallet, even one with a passphrase. However, to back up a multi-sig wallet properly you need to store the other xpubs along with each seed phrase, meaning if someone finds one of your back ups they can view the entire contents of your wallet. This is obviously not the case if someone finds one of your back ups in a single-sig-with-passphrase set up, as they can neither view your passphrased wallets or even know that they exist. Multi-sig also provides no plausible deniability.

I suppose you could combine multi-sig with additional passphrases, but at some point, you risk making things so complicated that you would struggle to recover your coins in an emergency.
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
I am not sure how reliable sites like https://howsecureismypassword.net/ are (don't enter a real password into it no matter what), but it says it would take 15 octillion years to crack it.
Note that these years are probably referred to just hashing preimages until you've found a hash collision or the original password. But, if you went through the same procedure including the PBKDF2 rounds and the HMAC-SHA256/512 calculations it'd take much more time.

You would get something like this: WCPFSODCRAIC iorehperogie
While it's very long, it could be predicted. I'd advise you to use randomly generated passwords such as "N(sCy>7)". The attacker's only option to steal your money would be by brute forcing, besides the $5 wrench attack. You can't predict this and thus, he'd have to go through pure brute forcing which is meaningless.
legendary
Activity: 2730
Merit: 7065
One could protect his passphrase in plain sight. Let's say this is your Electrum seed > https://en.bitcoin.it/w/images/en/6/60/Mnemonic-seed-still-life.jpg.
You could use the first, second, or any number of letters to create your passphrase. Naturally, you are relying on your memory not to forget which letters you used.

You would get something like this: WCPFSODCRAIC iorehperogie

I am not sure how reliable sites like https://howsecureismypassword.net/ are (don't enter a real password into it no matter what), but it says it would take 15 octillion years to crack it.
HCP
legendary
Activity: 2086
Merit: 4363
It's more than just preventing access though.
Of course... I was just trying to show an additional benefit to complement the rather exhaustive list that you had already shown.

Granted, they're not necessarily for "everyone"... but I still think they're a good idea and that the benefits outweigh any additional "complexity".
legendary
Activity: 2268
Merit: 18771
If someone were to get hold of your 12/24 word seed, they might find a small amount of coins in the "base" account, but would be unable to access anything that was protected by a passphrase (assuming that your passphrase is not co-located with the seed backup... which obviously it should not be)
It's more than just preventing access though. More importantly, provided you haven't made any obvious links on the blockchain or revealed the existence of the passphrased wallet in another manner, then an attacker can not even prove that one or more passphrased wallets even exist. It's like using hidden volumes when encrypting data - it's not only that the attacker can't access the data/wallets, it's that they don't even know there are additional data/wallets there to be accessed in the first place.

This obviously depends on you keeping the existence of your passphrased wallet(s) secret. If an attacker sees 90% of the coins move out of your main wallet to a new address, and then not move from that new address for months or years, then that's a dead give-away that you still have control of them and have simply moved them to a different wallet for safer keeping.
HCP
legendary
Activity: 2086
Merit: 4363
to... Enhance their security? It's already infeasible to brute force.
As o_e_l_e_o has mentioned, it adds another layer to the "physical" security of your seed backup... If someone were to get hold of your 12/24 word seed, they might find a small amount of coins in the "base" account, but would be unable to access anything that was protected by a passphrase (assuming that your passphrase is not co-located with the seed backup... which obviously it should not be)

Additionally, attempting to bruteforce passphrases is actually quite time consuming because of the methods used (ie. every passphrase generates a "valid" wallet, so you need to go through many "costly" derivations to derive and then check addresses)

And... If you happen to be using a Trezor ONE, it's pretty much required to prevent total loss in the event that the device is physically compromised. ie. it is stolen or lost.
legendary
Activity: 2268
Merit: 18771
Would you like to explain to me why they're a good idea?
  • It provides an easy way to split your back up in to two - one piece of paper with your seed phrase, and one piece of paper with your passphrase, stored in separate locations.
  • It provides plausible deniability, as you can turn over your seed phrase and any coins protected by it, while keeping the coins in the passphrased wallet safe and the very existence of the passphrased wallet secret.
  • You can use multiple passphrases with the same seed phrase to further improve the security I described above. You can even create multiple decoy passphrases, all holding small amounts of coins you can hand over to an attacker.
  • It provides a very easy way to create multiple different wallets, which can improve your privacy by keeping coins received from different places entirely separate with no risk of accidentally combining them in the same transaction. I know this can also be done with derivation paths, but using passphrases provides two advantages over derivation paths - additional security, as described above, and you can use passphrases which remind you which wallet is which. For example, if I use 5 different derivation paths, I might forget which derivation path is for which purpose, but if I use the passphrase 4j!SALARY'5#, then I know immediately what that wallet is for.
legendary
Activity: 2380
Merit: 5213
Would you like to explain to me why they're a good idea? For the average user at least, I find it pretty useless and as you said, it brings potential pitfalls.
If you use a passphrase in the right way, they aren't really useless.
A passphrase isn't used for reducing the chance of successfully being brute-forced. As you rightly said, 128 bits of entropy is more than enough.

Let's say I have written my seed phrase on a paper and the paper is stolen. The thief can't steal my fund without the passphrase.
Using a passphrase has its own downsides. But it has advantages too.
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
Seed extension phrases are a good idea... but you do need to be aware of the potential pitfalls.
Would you like to explain to me why they're a good idea? For the average user at least, I find it pretty useless and as you said, it brings potential pitfalls. You're leaving the users to use a password that may be predictable, to... Enhance their security? It's already infeasible to brute force.

The only reason that I'd ever use a passphrase is if I had a hardware wallet. It keeps the seed phrase in it, but the password is obviously not kept; it's being asked for every time you want to open your wallet.
legendary
Activity: 2268
Merit: 18771
But the possibility of making a mistake when using 12 new words is, of course, greater than when using just one or two.
But one or two is not secure.

If you want the same amount of security, then the alternative to using a 12 word seed phrase as your passphrase is using some other string which has approximately 128 bits of entropy. If you draw from the full ASCII set of 95 printable characters, then you need 20 characters. Your passphrase, then, might look something like one of these:

Code:
@&!1Q~h{Wy)m=FG9ZP"f
l~]Oj6%Mn=cd7Xo(`CW`
}ZOr5}Uls?Rbt#A6+s3>

It is going to be far easier to copy down something like that incorrectly or enter it incorrectly than it will be to copy down or enter a 12 word seed phrase incorrectly, even if the seed phrase is far longer.
legendary
Activity: 2730
Merit: 7065
Any mistake you make while creating a backup of your seed extension will result in recovering a completely different wallet and set of addresses. But the possibility of making a mistake when using 12 new words is, of course, greater than when using just one or two.

If my passphrase is 'Pmalekpass' and I entered 'Pmalekspass', it would also result in a failure of recovering my original wallet.
HCP
legendary
Activity: 2086
Merit: 4363
Seed extension phrases are a good idea... but you do need to be aware of the potential pitfalls.

So, one very important thing to note... if you're going to use a second (randomly generated) 12 word seed phrase as your "seed extension"... is that the seed extension phrase has NO checksum detection.

This means you can type literally anything you like in the seed extension box and Electrum will quite happily use it and generate a wallet. A small typo and you get a completely different wallet.

So:
Code:
this is a seed extension phrase

will generate a different wallet from:
Code:
this is a seedextension phrase

But the software will not be able to tell you that you've made a mistake, even though technically the 12 word seed has a checksum included, it's effectively useless...

So, you will need to be very very careful when both recording and subsequently entering your seed extension phrase else you might end up with a "bad backup" and run into issues in the future when trying to recover your wallet.
legendary
Activity: 2268
Merit: 18771
-snip-
It all depends on how much knowledge of the passphrase the attacker has.

If they know it is 12 words from the BIP39 wordlist, then there are 2048^12 = 5.44*10^39 possibilities.
If they know it is a valid 12 word BIP39 seed, then it is 2^128 = 3.40*10^38.
If they know it is 12 English words (assuming 150,000 English words) then it is 150,000^12 = 1.30*10^62.
If they know it is 12 four character strings, with each string drawing from the full range of 95 ASCII characters, then it is 95^48 = 8.53*10^94.
legendary
Activity: 2730
Merit: 7065
I don't know anything about brute forcing (and hopefully will never have to find out), but how plausible is some sort of dictionary attack made up from the BIP39 words list for finding 12 English words compared to bruteforcing an extended seed with random characters that represent 12 word-like structures (Jbf-1, 5nY9?, Unf^%8, etc.)? I hope you understand my question.
legendary
Activity: 2268
Merit: 18771
If I break the 24 word seed with 256 bits into two 12 word parts, can I safely store them in two separate locations like I can with the seed extension?
You could, but using a 12 word seed and 12 word extension is preferable to splitting a 24 word seed in half. If an attacker finds half a 24 word seed, they will not be able to recover it, and so will know to keep looking for the other half. If an attacker finds either your 12 word seed or extension, they will be able to recover a wallet. Further, if you put a small amount of funds in these two wallets, then it gives you plausible deniability that these are all the coins you own if someone finds one of your back ups or forces you to reveal your wallets.

The resulting private keys are all 128 bits regardless.
Correct. The maximum security of a bitcoin private key is 128 bits. This is due to the characteristics of the secp256k1 curve which bitcoin uses.
copper member
Activity: 37
Merit: 14
Let me put it this way:
We simply have a key derivation function that takes 2 inputs, A and B. If A is created from a 128 (or 132) bits of entropy and B has 0 entropy (no extension word) then your KDF is deriving its keys using that much entropy. If B also has 128 (or 132) bits of entropy then your KDF is deriving its keys using A + B bits of entropy.
Additionally we can say that in order to brute force this to get the BIP32 seed you'll have to generate and check both A and B so the entropy size is A+B.

If A + B = bits of entropy used by the key derivation function, then using a 256 bit seed = using a 128 bit seed + a 12 word extension. The resulting private keys are all 128 bits regardless.

Am I correct?
legendary
Activity: 3472
Merit: 10611
I might be a bit dense today, and hence deleted my previous post after realizing something.  Cheesy

If I'm not wrong, the seed isn't extended by adding 'Electrum' to it. The salt is however, 'Electrum + passphrase' instead of 'mnemonic + passphrase'. If the seed can be used in the salt to produce a different 512bit output, wouldn't there still be a considerable increase in entropy as long as the ENT of the input < length of the output? I'm sure I'm missing something here.
Let me put it this way:
We simply have a key derivation function that takes 2 inputs, A and B. If A is created from a 128 (or 132) bits of entropy and B has 0 entropy (no extension word) then your KDF is deriving its keys using that much entropy. If B also has 128 (or 132) bits of entropy then your KDF is deriving its keys using A + B bits of entropy.
Additionally we can say that in order to brute force this to get the BIP32 seed you'll have to generate and check both A and B so the entropy size is A+B.
legendary
Activity: 3038
Merit: 4418
Each electrum seed is already extended with the word “electrum”, if you choose to extend it more with another seed phrase it'd become “electrum”. So it doesn't double the entropy, instead, the entropy remains the same. What it does change is a salt. Once you're done with the seed generation and salt selection, the result is being put through a key derivation function called “PBKDF2”. But, you can of course do it, it'll provide around the same security for a human being.

Would this effectively double my entropy?
No.
I might be a bit dense today, and hence deleted my previous post after realizing something.  Cheesy

If I'm not wrong, the seed isn't extended by adding 'Electrum' to it. The salt is however, 'Electrum + passphrase' instead of 'mnemonic + passphrase'. If the seed can be used in the salt to produce a different 512bit output, wouldn't there still be a considerable increase in entropy as long as the ENT of the input < length of the output? I'm sure I'm missing something here.

My main motivation behind this post is to have my backup in two pieces to protect against a physical intrusion. A 24 word seed with higher entropy has no benefit over a 12 word seed if the physical backup is stolen. If I break the 24 word seed with 256 bits into two 12 word parts, can I safely store them in two separate locations like I can with the seed extension?
Yes. I'll suggest using the method using Electrum console as mentioned above. You'll be covered under the checksum and won't have to mess with the passphrase as much. I'll consider Shamir secret sharing for some redundancy as well and split them up further.
copper member
Activity: 2338
Merit: 4543
My main motivation behind this post is to have my backup in two pieces to protect against a physical intrusion. A 24 word seed with higher entropy has no benefit over a 12 word seed if the physical backup is stolen. If I break the 24 word seed with 256 bits into two 12 word parts, can I safely store them in two separate locations like I can with the seed extension?

Of course you can store your extension separately from your seed, regardless of its length or the origin of the words. As Leo mentioned above, it's actually recommended. If you want to, you can generate two 24-word seeds and store them separately.
legendary
Activity: 3472
Merit: 10611
If I break the 24 word seed with 256 bits into two 12 word parts, can I safely store them in two separate locations like I can with the seed extension?

With a 256 bit seed, are my addresses and keys still the same entropy as normal?
Yes. When the number of words changes (12 vs 24) the size of your initial entropy is changing and the only difference is what goes into the key derivation function to derive your BIP32 seed. After that everything else is the same, and bitcoin private keys only have 128 bits of entropy no matter how you create them.
copper member
Activity: 37
Merit: 14
@xmready, I've used a 12-word seed as an extension in the past.  When I was a younger bitcoiner I thought that would double my entropy, but I've since learned that it does not.  Take a look at hosseinimr93's post above, he is showing you how to generate an honest-to-goodness 24-word seed with double the entropy of a standard 12-word seed.  I also advise against using the same pool of words (i.e. Bip39 word list) for your extension, just to add an extra level of security.

My main motivation behind this post is to have my backup in two pieces to protect against a physical intrusion. A 24 word seed with higher entropy has no benefit over a 12 word seed if the physical backup is stolen. If I break the 24 word seed with 256 bits into two 12 word parts, can I safely store them in two separate locations like I can with the seed extension?

With a 256 bit seed, are my addresses and keys still the same entropy as normal?
copper member
Activity: 2338
Merit: 4543
@xmready, I've used a 12-word seed as an extension in the past.  When I was a younger bitcoiner I thought that would double my entropy, but I've since learned that it does not.  Take a look at hosseinimr93's post above, he is showing you how to generate an honest-to-goodness 24-word seed with double the entropy of a standard 12-word seed.  I also advise against using the same pool of words (i.e. Bip39 word list) for your extension, just to add an extra level of security.

legendary
Activity: 3472
Merit: 3217
I never mentioned anything about another wallet owner. This thread is regarding a single owner setup.

Well, you can do that as well on Multisig wallet.
Just generate a standard wallet and make a backup of that 12-word seed and also the master public key. Now make a Multisig "2 of 2" wallet; it will generate a new 12-word seed, and then paste the master public key into "Enter cosigner key". After it is successfully generated you will have a wallet with two 12-word seed phrases.

You can follow the guide from my post above to make a single setup wallet. Make sure you have a backup of them for future recovery.
copper member
Activity: 37
Merit: 14
So you mean you want them to split and have two seeds generated for two owners of the wallet?

I never mentioned anything about another wallet owner. This thread is regarding a single owner setup.
legendary
Activity: 3472
Merit: 3217
My reasoning is: if my 12 words are compromised via a physical intrusion, the extension stored in a separate location will guarantee that my wallet is not compromised. Simply splitting the 12 words in half and storing 6 words separately makes a brute force attack easier (I think). That is why I ask.

So you mean you want them to split and have two seeds generated for two owners of the wallet?

The extension is not actually your best choice for this; the only solution for this is a Multisig wallet, a 2 of 2 multisig consisting of 2 separate wallets.
It will generate P2SH addresses after a Multisig wallet is successfully generated.
I never heard of someone being hacked or brute forced while using a MultiSig wallet, so I'm sure this is the best option you're looking for.
The only problem is that the transaction fees from this wallet are pretty expensive compared to a normal wallet; that's the only disadvantage of this wallet, but if your purpose is to make a wallet secured with a co-owner then MultiSig is still the best option.

If you want to make a Multisig wallet you can follow this guide below

- https://bitcointalksearch.org/topic/guide-how-to-create-multisig-electrum-wallet-for-beginners-5039220
copper member
Activity: 37
Merit: 14
Is there any specific reason why you want that method? Goin' with electrum's 136 bits is more than fine.

My reasoning is: if my 12 words are compromised via a physical intrusion, the extension stored in a separate location will guarantee that my wallet is not compromised. Simply splitting the 12 words in half and storing 6 words separately makes a brute force attack easier (I think). That is why I ask.

Each electrum seed is already extended with the word “electrum”, if you choose to extend it more with another seed phrase it'd become “electrum”.

If each Electrum seed is already extended with the word "electrum", then why don't we have to input that as a seed extension when recovering a wallet with Electrum or another Electrum compliant wallet?

So it doesn't double the entropy, instead, the entropy remains the same. What it does change is a salt. Once you're done with the seed generation and salt selection, the result is being put through a key derivation function called “PBKDF2”. But, you can of course do it, it'll provide around the same security for a human being.

Are you saying that an attacker would try to brute force the output of the PBKDF2 key derivation function, thus it would be the same difficulty? I would imagine if the attacker were trying to guess words and extension words, then it does double the difficulty.
legendary
Activity: 2380
Merit: 5213
First of all, electrum doesn't generate or import 256 bits of entropy, but only 128; that's why it returns you only 12 words.
If someone wants to have a seed phrase with 256 bits of entropy, that can be done via console.

For generating a seed phrase with 256 bits of entropy, you can use the command below.

Code:
make_seed(256)

Or the following command if you want legacy addresses.

Code:
make_seed(256,"","standard")

After generating the seed phrase on the console tab, you can create a new wallet by importing the 24-word seed.

legendary
Activity: 2268
Merit: 18771
If I use Electrum to generate a 12 word seed, and then generate a new wallet with a different seed, can I use the first 12 words as the seed extension for the new wallet?
Yes.

Would this effectively double my entropy?
No.

Can I store the 12 word seed and the 12 word seed extension in two different places safely?
This is the only way you should store them. Storing both your seed phrase and your seed extension together renders the seed extension nearly pointless, since if an attacker compromises your back up they immediately have both and can take your coins.

Are there any major flaws in this method?
Not really. Using a seed extension is a good idea, and by using a randomly generated seed phrase as the extension you can be sure that it is complex enough to be resistant to brute forcing. The only issues would be human error - getting confused as to which is which, making a mistake when writing them down, etc.

Would using a multisig wallet be better?
That depends on what you are trying to achieve. A seed phrase with an extension provides protection against one of those two back ups being compromised, but doesn't protect against your wallet itself being compromised. It does however keep your transactions small, and can also give you plausible deniability (depending on how you use it). A 2-of-3 (for example) multi-sig protects against one of your back ups being compromised, and protects against one of your wallets being compromised, but requires more complex back ups and results in larger transaction sizes (although not for long once Taproot is activated).
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
If I use Electrum to generate a 12 word seed, and then generate a new wallet with a different seed, can I use the first 12 words as the seed extension for the new wallet? Would this effectively double my entropy?
If you take twelve randomly generated words and combine them with twelve different randomly generated words you don't exactly double your entropy. First of all, electrum doesn't generate or import 256 bits of entropy, but only 128; that's why it returns you only 12 words.

Each electrum seed is already extended with the word “electrum”, if you choose to extend it more with another seed phrase it'd become “electrum”. So it doesn't double the entropy, instead, the entropy remains the same. What it does change is a salt. Once you're done with the seed generation and salt selection, the result is being put through a key derivation function called “PBKDF2”. But, you can of course do it, it'll provide around the same security for a human being.

Can I store the 12 word seed and the 12 word seed extension in two different places safely?
Yes, but whether you lose the extension or the seed, you'll lose your money.

Are there any major flaws in this method?
Is there any specific reason why you want that method? Goin' with electrum's 136 bits is more than fine.

Would using a multisig wallet be better?
If you need to divide up the responsibility for possession of your funds among multiple people, you should use multisig, otherwise the 12 words are more than enough.
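The mechanics argued over in this thread, put into runnable form as an added example (not code from the thread, and not Electrum's own implementation): the seed extension is only a PBKDF2-HMAC-SHA512 salt, which Electrum prefixes with "electrum" where BIP39 prefixes "mnemonic"; nothing validates the extension, so the one-space typo HCP describes silently derives a different seed; and the seed words themselves carry Electrum's HMAC "Seed version" check that make_seed() loops against. The sample mnemonic and the small word pool are constructed for illustration, and the text normalisation is simplified (Electrum also lower-cases and strips diacritics).

```python
import hashlib
import hmac
import random
import unicodedata

# Both BIP39 and Electrum stretch the words with PBKDF2-HMAC-SHA512,
# 2048 rounds, 64-byte output. Only the salt prefix differs.
PBKDF2_ROUNDS = 2048
SEED_LEN = 64
ELECTRUM_STANDARD_PREFIX = "01"  # hex prefix marking a "standard" Electrum seed


def normalize(text: str) -> str:
    """NFKD-normalise and collapse whitespace. Simplified: Electrum additionally
    lower-cases and strips diacritics, which is not reproduced here."""
    return " ".join(unicodedata.normalize("NFKD", text).split())


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39: the salt is the literal string 'mnemonic' followed by the passphrase."""
    return hashlib.pbkdf2_hmac("sha512", normalize(mnemonic).encode(),
                               ("mnemonic" + normalize(passphrase)).encode(),
                               PBKDF2_ROUNDS, SEED_LEN)


def electrum_seed(mnemonic: str, extension: str = "") -> bytes:
    """Electrum: same KDF, but the salt is 'electrum' + the seed extension.
    This is the sense in which every Electrum seed is 'extended with electrum'."""
    return hashlib.pbkdf2_hmac("sha512", normalize(mnemonic).encode(),
                               ("electrum" + normalize(extension)).encode(),
                               PBKDF2_ROUNDS, SEED_LEN)


def is_electrum_standard_seed(mnemonic: str) -> bool:
    """Electrum's seed-version check: HMAC-SHA512 keyed with b'Seed version'
    over the words must start with the hex prefix of the seed type.
    Note that this is applied to the seed words only, never to the extension."""
    digest = hmac.new(b"Seed version", normalize(mnemonic).encode(),
                      hashlib.sha512).hexdigest()
    return digest.startswith(ELECTRUM_STANDARD_PREFIX)


def make_electrum_style_seed(pool, n_words=12, rng=None) -> str:
    """Mimic what make_seed() does: draw candidate word lists until the version
    check passes (roughly one candidate in 256 does for the '01' prefix).
    `pool` is a constructed stand-in for the real 2048-word list."""
    rng = rng or random.Random()
    while True:
        candidate = " ".join(rng.choice(pool) for _ in range(n_words))
        if is_electrum_standard_seed(candidate):
            return candidate


def differing_bytes(a: bytes, b: bytes) -> int:
    """Count positions at which two equal-length byte strings differ."""
    return sum(x != y for x, y in zip(a, b))


# Constructed sample input; not a real wallet. The two extensions are the
# exact strings from HCP's post, differing by a single missing space.
SAMPLE_MNEMONIC = ("letter advice cage absurd amount doctor "
                   "acoustic avoid letter advice cage above")
GOOD_EXTENSION = "this is a seed extension phrase"
TYPO_EXTENSION = "this is a seedextension phrase"


def typo_changes_wallet() -> int:
    """How many of the 64 seed bytes change after the one-space typo.
    No error is raised at any point: the KDF accepts any extension string."""
    return differing_bytes(electrum_seed(SAMPLE_MNEMONIC, GOOD_EXTENSION),
                           electrum_seed(SAMPLE_MNEMONIC, TYPO_EXTENSION))


def salt_prefix_matters() -> bool:
    """Same words, same extension: BIP39 and Electrum still derive different seeds."""
    return (bip39_seed(SAMPLE_MNEMONIC, GOOD_EXTENSION)
            != electrum_seed(SAMPLE_MNEMONIC, GOOD_EXTENSION))


if __name__ == "__main__":
    print("seed bytes changed by the typo:", typo_changes_wallet(), "of", SEED_LEN)
    print("BIP39 and Electrum seeds differ:", salt_prefix_matters())
    pool = ["alpha", "bravo", "charlie", "delta", "echo", "foxtrot", "golf", "hotel"]
    words = make_electrum_style_seed(pool, rng=random.Random(1))
    print("passes Electrum version check:", is_electrum_standard_seed(words))
    print("extension has no such check:", is_electrum_standard_seed(TYPO_EXTENSION)
          or "nothing to fail, any string is accepted as a salt")
```

The version-check loop is why Electrum can detect a typo in the seed words but not in the extension: the extension never passes through any check at all.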
copper member
Activity: 37
Merit: 14
  • If I use Electrum to generate a 12 word seed, and then generate a new wallet with a different seed, can I use the first 12 words as the seed extension for the new wallet? Would this effectively double my entropy?
  • Can I store the 12 word seed and the 12 word seed extension in two different places safely?
  • Are there any major flaws in this method?
  • Would using a multisig wallet be better?