Topic: Create a seed from a selection of words

legendary
Activity: 2618
Merit: 6452
Self-proclaimed Genius
July 31, 2023, 06:55:24 AM
#82
Note: Win 11, I meant the desktop where all icons are like MyPc, ControlPanel, RecycleBin.
Now this info helps a lot.
In Windows, you have two ways to use the command:
  • 1. If pylauncher is selected when you installed Python, you can directly use "python" command in your Command Prompt or PowerShell
  • 2. You can also go to python's install location where python.exe is located, use that as your working directory and launch that executable to use the command.

-snip-
I think I correctly installed the required software but my problem was with the command as I didn't have enough knowledge in command line.
Any specific error when trying o_e_l_e_o's command?

I've added a heads-up because of my own tests in Windows, btcrecover and certain versions of python that couldn't compile a mandatory requirement for using seedrecover on ETH seed phrase.
Depending on your set-up and installed requirements, you may encounter that error.

First, can you test if python is installed correctly in your system?
Since it's on Windows, try to enter this command in your command prompt and see if it'll return with the installed version:
Code:
python -V
In the latest versions, it should be like this (but it has a compatibility issue with seedrecover):
Code:
py -V

If nothing works, you need to use option 2, which requires absolute paths.
sr. member
Activity: 322
Merit: 318
The Alliance Of Bitcointalk Translators - ENG>BAN
(suppose the seed.txt file is in desktop then what will be the path? [ ./PATH/TO/YOUR/FILE.txt ] < Confused with this  )

The easiest thing to do will be to put the file in the same directory as you extracted btcrecover to, then your path will simply be ./FILENAME.txt

Thanks brother I finally understood this. I will put the seed.txt in btcrecover folder.

Note: Win 11, I meant the desktop where all icons are like MyPc, ControlPanel, RecycleBin.
legendary
Activity: 2268
Merit: 18748
(suppose the seed.txt file is in desktop then what will be the path? [ ./PATH/TO/YOUR/FILE.txt ] < Confused with this  )
Well, it depends on if you are talking about the desktop of your computer or the desktop of your virtual machine, what OS you are running, what your account name is, and so on. Try finding the file in a file explorer and your OS might tell you the path somewhere near the top of that window.

The easiest thing to do will be to put the file in the same directory as you extracted btcrecover to, then your path will simply be ./FILENAME.txt
sr. member
Activity: 322
Merit: 318
The Alliance Of Bitcointalk Translators - ENG>BAN
If you came across some issue with specific requirements for ETH, try python 3.10.
Then install the dependencies via requirements-full.txt file again.

Also, the other possible derivation paths are listed inside btcrecover directory: ./derivationpath-lists/ETH.txt
If you exclude the --bip32-path arg, seedrecover.py will prompt you to select the correct derivation path and if you choose Ethereum, it'll automatically use the uncommented paths in that file.

I think I correctly installed the required software but my problem was with the command as I didn't have enough knowledge in command line. Also I didn't know what a derivation path was or how the path works (suppose the seed.txt file is in desktop then what will be the path? [ ./PATH/TO/YOUR/FILE.txt ] < Confused with this  )

Edit: All I know I Have the 12 seed words, but they were totally out of order, no seed word is missing and the wallet was ERC-20.
legendary
Activity: 2618
Merit: 6452
Self-proclaimed Genius
Edit: I think I almost got it, I'll try to run the program now. Thank you for your valuable time.
If you came across some issue with specific requirements for ETH, try python 3.10.
Then install the dependencies via requirements-full.txt file again.

Also, the other possible derivation paths are listed inside btcrecover directory: ./derivationpath-lists/ETH.txt
If you exclude the --bip32-path arg, seedrecover.py will prompt you to select the correct derivation path and if you choose Ethereum, it'll automatically use the uncommented paths in that file.
legendary
Activity: 2268
Merit: 18748
-snip-
Ahh, I misunderstood your previous post. I thought you were saying the first unhardened 0 referred to your first receiving address, rather than referring to the category of external/receiving addresses.

I also do not use ETH, but you are right in saying it does not use change addresses, so I also wouldn't expect to see 1 at the change level unless someone did that manually or the wallet software was bugged or flawed.
hero member
Activity: 714
Merit: 1010
Crypto Swap Exchange
Maybe I was not accurate enough:
I'm aware that ETH wallets use derivation paths up to address index level, should be standard, including the receive_or_external/internal derivation level, ie. m/44'/60'/0'/0/0 (as you point out) for ETH, first account, receive or external address type, first (receive or external) address.

Short legend: m/{purpose}'/{coin type}'/{account index}'/{external | internal}/{address index}

I'm not so fluent with ETH, but it would surprise me to see an address derivation like m/44'/60'/0'/1/n (n being some address index between 0...2^31-1 (unhardened)) as to my limited knowledge about ETH I see no reason that an ETH wallet needs "internal" addresses like BTC wallets use them for the change coin return which is required due to the UTXO transaction model of BTC.


The reason we don't specify the full derivation path here is because btcrecover will start deriving addresses on top of whatever we specify.

So if we specify m/60'/44'/0'/0, and give it an address limit of 1 as I did, then it will check the address at m/44'/60'/0'/0/0.
If we specify m/60'/44'/0'/0 and give it an address limit of 10, then it would check between m/44'/60'/0'/0/0 and m/44'/60'/0'/0/9.
It's good to point this out for the less experienced users! As I have already worked with btcrecover, I know that.
legendary
Activity: 2268
Merit: 18748
Coin type 60' indicates ETH, the following 0' indicates first/standard account, the next 0 indicates receiving addresses (ETH normally doesn't use internal change addresses as it's not UTXO based like BTC)
That's not right. Ethereum does indeed use the change level of the derivation path, and for most wallets, the first Ethereum address will be at m/44'/60'/0'/0/0. The reason we don't specify the full derivation path here is because btcrecover will start deriving addresses on top of whatever we specify.

So if we specify m/60'/44'/0'/0, and give it an address limit of 1 as I did, then it will check the address at m/44'/60'/0'/0/0.
If we specify m/60'/44'/0'/0 and give it an address limit of 10, then it would check between m/44'/60'/0'/0/0 and m/44'/60'/0'/0/9.
sr. member
Activity: 322
Merit: 318
The Alliance Of Bitcointalk Translators - ENG>BAN

You'll need to insert your address and the path to the file you just created above in the relevant places.

My seed.txt file is in desktop, then what will be the path?
I know I am really stupid to ask this.

Edit: I think I almost got it, I'll try to run the program now. Thank you for your valuable time.
hero member
Activity: 714
Merit: 1010
Crypto Swap Exchange
And I don't know the derivation path of this address because I am unfamiliar with this term "Derivation Path" .

Regarding the topic "derivation path" to get a better understanding, I recommend to take a look here: https://learnmeabitcoin.com/technical/derivation-paths (of course you can have a look into BIP-32 but that is a quite technical read)

o_e_l_e_o's instructions are quite spot on but it will only work if the derivation path for ethereum is standard like what he put on the command line for it: m/44'/60'/0'/0 (the single tick marks ' are there for a purpose, don't mess this up).
Coin type 60' indicates ETH, the following 0' indicates first/standard account, the next 0 indicates receiving addresses (ETH normally doesn't use internal change addresses as it's not UTXO based like BTC)
legendary
Activity: 2268
Merit: 18748
Well, let's assume it was generated using the standard Ethereum derivation path.

First of all create a plain text .txt file with one of each of the twelve words per line. So, like this:

Code:
one
two
three
four
five
six
seven
eight
nine
ten
eleven
twelve

Save the file somewhere easy to find.

You'll then want to run the following command:

Code:
python seedrecover.py --no-eta --no-dupchecks --mnemonic-length 12 --language EN --dsw --wallet-type ethereum --addr-limit 1 --addrs YOURADDRESSHERE --tokenlist ./PATH/TO/YOUR/FILE.txt --bip32-path "m/44'/60'/0'/0"

You'll need to insert your address and the path to the file you just created above in the relevant places.
sr. member
Activity: 322
Merit: 318
The Alliance Of Bitcointalk Translators - ENG>BAN
Now what command do I have to input. Thanks in advance.


I see you've edited to say the address you have is an ERC20 address. So again, which wallet was used to create this address? Do you know the derivation path of this address?

The seeds were part of a puzzle competition. I cracked it but I don't know how or what wallet was used. And I don't know the derivation path of this address because I am unfamiliar with this term "Derivation Path" .
legendary
Activity: 2268
Merit: 18748
Now what command do I have to input. Thanks in advance.
I need some more information first. Please can you answer each of the following questions:

Is the address you have a bitcoin address?
Is it legacy (1), nested segwit (3), or native segwit (bc1)?
Which wallet was used to generate the seed phrase? (Alternatively, is the seed phrase BIP39 or Electrum?)
Do you know if you have used non-standard derivation paths or more than one account? (If you don't know what this means, then the answer is probably no.)

Edit:

I see you've edited to say the address you have is an ERC20 address. So again, which wallet was used to create this address? Do you know the derivation path of this address?
sr. member
Activity: 322
Merit: 318
The Alliance Of Bitcointalk Translators - ENG>BAN
A 12-word phrase will take a very long time.
If you know all 12 words, then btcrecover could descramble this in a matter of hours even with modest hardware, or much faster with good hardware. See: https://btcrecover.readthedocs.io/en/latest/Usage_Examples/2020-05-02_Descrambling_a_12_word_seed/Example_Descrambling_a_12_word_seed/

However, since OP is talking about 24 words, descrambling this is already impossible. Add in an unknown word and it becomes 2048 times more impossible.

Hello sir.

I know all 12 seed words but i don't know their order.
And I also have the address (ERC20). I tried the software you mentioned. But I have less knowledge in command line interface and etc. And his youtube guides are a bit hard to understand for me as I am a newbie. So would you be kind enough to enlighten me. I have successfully installed the required software in a virtual machine.

Now suppose my 12 seed are: one two three four five six seven eight nine ten eleven twelve

Now what command do I have to input. Thanks in advance.
hero member
Activity: 714
Merit: 1010
Crypto Swap Exchange
I also think you can make a new wallet from time to time, but it can also be unsafe if you think there is a possibility that someone gets the same phrase as you. There is a bigger possibility of getting hacked if you use a hot wallet or a web3 wallet and infect it with ransomware. Use a 24-word seed and make it a cold wallet. If you want to use the bitcoin for other stuff like collecting it, you can make a second wallet and use it as a hot wallet.

It won't happen during the lifetime of our solar system or even beyond (estimated), unless the RNG is severely flawed. Not for a 128-bit secret, beyond comprehension less for a 256-bit secret. The probability is in theory not equal to zero, but I'd say in practice it is basically zero.

Unless you do something stupid (and there's a lot of that possible) there's no need to move funds on some regular schedule into new wallets. You ruin any pseudonymity of your UTXOs with such moves. Unnecessary dangers. You would burden yourself with a lot of unnecessary safekeeping (remember, you shouldn't completely delete old wallets as you might receive funds on old addresses by accident or from someone who got some old addresses in the past). Then always have to renew your redundant storage for every new wallet iteration? No, thanks.

Simply use decent hardware wallets or a hot watch-only wallet with a proper cold wallet for the precious private keys.

When a wallet is created, first there's an as-random-as-possible secret, most commonly a 128-bit long (represented by 12 recovery words) or 256-bit long integer (represented by 24 recovery words). The software doesn't somehow pick the recovery words first. The software (be it a software or hardware wallet) first generates a long random integer which is encoded in human readable and easily storable recovery words. Not the other way round.
hero member
Activity: 882
Merit: 792
Watch Bitcoin Documentary - https://t.ly/v0Nim
At least one can create a new wallet and transfer coins every year but logically and mathematically, absolutely everyone is safe.
You should certainly transfer everything to a new wallet if you have any concerns about your seed phrase being leaked or the security of your back ups, but such a transfer is meaningless when it comes to brute forcing, which does not need to be protected against in the first place.
Yes, that's what I meant in the first place, it's meaningless to be afraid of 12 or 24 word seed. But as I see, out of no reason, people are afraid that since the 2048 word list is publicly available, their wallets may be bruteforced. I know, there is just no way for that to happen but as you see, people even think about their own word list for 'safety' over publicly available one. So, these people aren't going to stop. In this case, I think it's better if meaninglessly super paranoid people create a new wallet from time to time and transfer coins compared to the idea of using your own word list or manually creating a seed phrase.


I also think you can make a new wallet from time to time, but it can also be unsafe if you think there is a possibility that someone gets the same phrase as you.
What does it mean if someone gets the same phrase as you? There is no way that someone will generate the same seed phrase in the same order as I generated because there are 2048 words in the list and there is simply no way for that accident to happen.
jr. member
Activity: 35
Merit: 2
Keep in mind that security of revealed 24 words out of order is still not as high as security of a private key because you are revealing your entropy and 620,448,401,733,239,439,360,000 is 6e+23 whereas security of a bitcoin private key is 2^128 = 3e+38.
I think one can feel secure till death or even after.

The normal user generates in his life maybe 10 addresses and not always the sum times the number of people who live in 100 years make it very unlikely.
Let's say all 8 billion people on the planet all generate 1,000 new addresses every second for the next 5 billion years non stop. After 5 billion years we will only have generated 0.00000000000000009% of all possible addresses.
This is so right! And I don't really understand why some people think that because the 2048 word list is public, it will be dangerous and unsafe, I just can't figure it out because they can mathematically prove that the probability of someone bruteforcing their wallet with a positive result is so low that we can confidently say that it will never happen. At least one can create a new wallet and transfer coins every year but logically and mathematically, absolutely everyone is safe.

I really pray that one day people will never look for alternative methods of generating bitcoin seeds.

I also think you can make a new wallet from time to time, but it can also be unsafe if you think there is a possibility that someone gets the same phrase as you. There is a bigger possibility of getting hacked if you use a hot wallet or a web3 wallet and infect it with ransomware. Use a 24-word seed and make it a cold wallet. If you want to use the bitcoin for other stuff like collecting it, you can make a second wallet and use it as a hot wallet.
legendary
Activity: 2268
Merit: 18748
Is proper randomization possible? By proper randomization I mean true random phrase generation.
Yes, it is possible to generate truly random numbers. Whether or not your seed phrase was generated using a truly random number or a pseudorandom number depends on the method in which you generated it.

https://en.wikipedia.org/wiki/Hardware_random_number_generator

At least one can create a new wallet and transfer coins every year but logically and mathematically, absolutely everyone is safe.
You should certainly transfer everything to a new wallet if you have any concerns about your seed phrase being leaked or the security of your back ups, but such a transfer is meaningless when it comes to brute forcing, which does not need to be protected against in the first place.

hero member
Activity: 882
Merit: 792
Watch Bitcoin Documentary - https://t.ly/v0Nim
Keep in mind that security of revealed 24 words out of order is still not as high as security of a private key because you are revealing your entropy and 620,448,401,733,239,439,360,000 is 6e+23 whereas security of a bitcoin private key is 2^128 = 3e+38.
I think one can feel secure till death or even after.

The normal user generates in his life maybe 10 addresses and not always the sum times the number of people who live in 100 years make it very unlikely.
Let's say all 8 billion people on the planet all generate 1,000 new addresses every second for the next 5 billion years non stop. After 5 billion years we will only have generated 0.00000000000000009% of all possible addresses.
This is so right! And I don't really understand why some people think that because the 2048 word list is public, it will be dangerous and unsafe, I just can't figure it out because they can mathematically prove that the probability of someone bruteforcing their wallet with a positive result is so low that we can confidently say that it will never happen. At least one can create a new wallet and transfer coins every year but logically and mathematically, absolutely everyone is safe.

I really pray that one day people will never look for alternative methods of generating bitcoin seeds.
member
Activity: 115
Merit: 69
Why would you want that? It's much less secure if you don't use a proper random.

Is proper randomization possible? By proper randomization I mean true random phrase generation. I am asking this because, in most encryption, we use pseudo-randomization, which is like randomization but can't generate real random phrases.
legendary
Activity: 3472
Merit: 10611
I did some research on hash collisions today and there are collisions in MD5 that have 2 inputs but the same output. In sha256 or even sha128 you will never have the same output. I am also aware that a seed of 12 words will surely be unbreakable for the next 50 to 100 years. I think I heard that it is possible to access coins in the wallet with different seeds, but probably with subaccounts.
To be clear hash collision (even with weak algorithms) has nothing to do with finding a mnemonic collision.
The hash algorithms that are used under the hood of BIP39/BIP32 are there to give us a deterministic way of deriving child keys from an entropy and the security of this whole setup is determined by the size of that entropy not by the collision strength of the underlying hash algorithm. In other words in a 12-word seed you still have to face 2^128 possibilities even if the scheme was using a hash algorithm that is weak against collision attack like SHA1/MD5 (ignoring their small digest size).

I'd say as long as the hash algorithm doesn't produce biased digests, any algorithm can be used but there is no reason to since SHA256/512 are both fast and efficient for the job.
hero member
Activity: 714
Merit: 1010
Crypto Swap Exchange


Give me a break! By the time Satoshi wrote and sent his email the concept of hierarchically deterministic wallets (BIP-32) was not yet invented, nor was BIP-39 a thing. It's ridiculous to try to dig something from Satoshi's public messages and think he used it to derive his keys.

And it's proven that e.g. brainwallets based on publicly available data have been a recipe for disaster already.

There's first random entropy which is encoded into mnemonic words. The opposite direction is only used for a recovery. Just don't pick the mnemonic words by any human influenced ways, period! As @o_e_l_e_o said, you never pick mnemonic words by any humanish schemes, as that's usually a recipe for disaster.
legendary
Activity: 2268
Merit: 18748
But as the others said it is not safe to mix it by yourself
Yeah, this is an awful way to generate a seed phrase. You definitely shouldn't be manually picking words, you definitely shouldn't be manually picking words from publicly available texts, and you definitely shouldn't be manually picking words from publicly available texts which are intrinsically linked to bitcoin.

It wouldn't surprise me at all if the addresses you generate through this method are already on one or more lists of addresses being monitored 24/7 by bots waiting to steal any coins which are sent to them.

Just generate your seed phrase properly and stop risking everything with such harebrained schemes.
jr. member
Activity: 35
Merit: 2
Adding to the above discussion is it really possible to scramble the words that we actually receive from the automated generator? I don’t know depth of it, but when we generate any address the phrases are already associated with it and there is no way we can change it. I am saying the first time change when we generate it. Let us say I have newly generated address and creating a wallet with Back up keys. Wallet has given 12 words but I want to change them right away manually, why isn’t that possible?

Is it possibly because someone might overlap with my words and sequence? (Though this may not happen considering the 12 words and their numerous combinations. But just curious about the technical explanation behind this.

I had originally found words in the first email from Satoshi Nakamoto that occurred in the 2048 words and 23 of them occurred in the email only 1x see image:
https://i.postimg.cc/L6sMjPdy/satoshi-email-Kopie.jpg
So I thought it could be a code. In the end I used lastWord (https://github.com/PawelGorny/lostword) to create all possible (valid) 24 seeds.

I used this config for that:

Code:
ONE_UNKNOWN_CHECK_ALL
anyAddress
24
word1
word2
word3
word4
word5
word6
word7
word8
word9
word10
word11
word12
word13
word14
word15
word16
word17
word18
word19
word20
word21
word22
word23

(of course 23 other words come in here) as you can see, it was set to 24 words, but only 23 words are given, so the tool goes through everything and spits out all valid combinations.

But as the others said it is not safe to mix it by yourself, I don't know if it is unsafe from the entropy, I personally think that someone could guess it.

e.g. you could take these 11 words and calculate the missing one to make it valid: satoshi payment perfect story unique unit use system cover bonus era galaxy

The phrase might be easy to remember but a person's mindset is vulnerable, the randomness that some wallets throw together is not and therefore a pattern is hard to discern. I think it is rather all that makes it insecure.

On the other hand, I often think, wallets can do anything if we can not see the source code, when generating the seed could go to the manufacturer, who collects them for 10 years and then clears all wallets that were created with the program. Therefore, open source is very important.
hero member
Activity: 714
Merit: 1010
Crypto Swap Exchange


When a wallet is created that is represented by 12 mnemonic recovery words according to BIP39, the basic first steps are the following:
  • a 128-bit random number is generated (some call it the entropy)
  • these 128 random bits are divided into 11-bit chunks where each chunk is represented by one mnemonic word (11 bits can represent 2048 states, guess what, the BIP39 word list is 2048 words long, every word represents a unique 11-bit combination)
  • 12 times 11 gives 132 bits, so there's room for a 4-bit partial hash checksum (the checksum is 4-bits from SHA256(the 128-bit random number))
  • change a single bit in the 128-bit random number and due to properties of SHA256 the checksum will change completely, there's a good chance that this also changes the partial 4-bit part of it, though 4 bits is really short and there's a non-zero probability that the 4-bit checksum partial chunk isn't changed

It makes no sense that a human tries to fiddle with the BIP39 words and choose words by some crazy intuition of "feelings" or whatnot. It's likely going to be a recipe for bad entropy.
legendary
Activity: 2268
Merit: 18748
Seed phrases contain a checksum. If you start manually swapping words, chances are you will invalidate the checksum and so your wallet software will reject your new seed phrase.

But at a more basic level, you should never manually pick/swap/arrange words in your seed phrase. Humans are an incredibly poor source of entropy, and whatever you end up with will be less secure than you think or than you want.
full member
Activity: 1092
Merit: 227
Adding to the above discussion is it really possible to scramble the words that we actually receive from the automated generator? I don’t know depth of it, but when we generate any address the phrases are already associated with it and there is no way we can change it. I am saying the first time change when we generate it. Let us say I have newly generated address and creating a wallet with Back up keys. Wallet has given 12 words but I want to change them right away manually, why isn’t that possible?

Is it possibly because someone might overlap with my words and sequence? (Though this may not happen considering the 12 words and their numerous combinations. But just curious about the technical explanation behind this.
legendary
Activity: 2268
Merit: 18748
Especially if you consider the following factors:
As I said above, there won't be an address (or seed phrase) collision before the sun dies in ~5 billion years.

The normal user generates in his life maybe 10 addresses and not always the sum times the number of people who live in 100 years make it very unlikely.
Let's say all 8 billion people on the planet all generate 1,000 new addresses every second for the next 5 billion years non stop. After 5 billion years we will only have generated 0.00000000000000009% of all possible addresses.

And I am so paranoid to trust the fewest companies.
If you don't trust any software to generate a seed phrase for you, then generate your own entropy by flipping a coin and converting each 11 bits to the corresponding word. You'll still need to use a piece of software to calculate the checksum and import the seed phrase to generate a wallet, however.
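An added example, not code from this thread or from btcrecover, that walks through the steps spelled out earlier in the thread (128 random bits, 11-bit chunks, a 4-bit partial SHA256 checksum), the coin-flip route suggested in the post above, and the point that manually swapping two words usually invalidates the checksum. It uses a constructed placeholder wordlist (w0000..w2047) rather than the real BIP39 English list, and assumes H=1/T=0 for coin flips; both are assumptions, and only the real list produces wallet-compatible phrases.

```python
"""BIP39-style entropy -> mnemonic encoding with the partial SHA256 checksum.

Added illustration; the wordlist below is a constructed placeholder, NOT the
real BIP39 English list (assumption). Swap the real list in to get phrases a
wallet will accept.
"""
import hashlib
import secrets

WORDLIST = [f"w{i:04d}" for i in range(2048)]          # placeholder, 2048 = 2^11 entries
WORD_INDEX = {w: i for i, w in enumerate(WORDLIST)}
VALID_ENTROPY_BYTES = (16, 20, 24, 28, 32)             # 128..256 bits -> 12..24 words


def _bits(data: bytes) -> str:
    return "".join(f"{b:08b}" for b in data)


def checksum_bits(entropy: bytes) -> str:
    """First (entropy bits / 32) bits of SHA256(entropy): 4 bits for 128-bit entropy."""
    return _bits(hashlib.sha256(entropy).digest())[: len(entropy) * 8 // 32]


def entropy_to_mnemonic(entropy: bytes) -> list[str]:
    """Append the checksum, cut into 11-bit chunks, map every chunk to a word."""
    if len(entropy) not in VALID_ENTROPY_BYTES:
        raise ValueError("entropy must be 128, 160, 192, 224 or 256 bits")
    bits = _bits(entropy) + checksum_bits(entropy)
    return [WORDLIST[int(bits[i:i + 11], 2)] for i in range(0, len(bits), 11)]


def mnemonic_to_entropy(words: list[str]) -> bytes:
    """Recovery direction; raises ValueError when the checksum does not match."""
    if len(words) not in (12, 15, 18, 21, 24):
        raise ValueError("unsupported word count")
    bits = "".join(f"{WORD_INDEX[w]:011b}" for w in words)
    cs_len = len(bits) // 33                            # 132 bits -> 4, 264 bits -> 8
    ent_bits, cs = bits[:-cs_len], bits[-cs_len:]
    entropy = int(ent_bits, 2).to_bytes(len(ent_bits) // 8, "big")
    if checksum_bits(entropy) != cs:
        raise ValueError("checksum mismatch: a word or the word order is wrong")
    return entropy


def coin_flips_to_mnemonic(flips: str) -> list[str]:
    """Manual entropy: 128 or 256 coin flips written as H/T (H=1, T=0 is an assumption)."""
    flips = flips.upper().replace(" ", "")
    if any(c not in "HT" for c in flips) or len(flips) % 8:
        raise ValueError("expected only H/T and a multiple of 8 flips")
    bits = "".join("1" if c == "H" else "0" for c in flips)
    return entropy_to_mnemonic(int(bits, 2).to_bytes(len(bits) // 8, "big"))


def count_swaps_passing_checksum(words: list[str]) -> tuple[int, int]:
    """Swap every pair of positions once and count how many orderings still verify.

    With a 4-bit checksum about 1 in 16 wrong orderings slips through, so the
    checksum only thins out descrambling candidates, it never identifies the phrase.
    """
    passing = total = 0
    for i in range(len(words)):
        for j in range(i + 1, len(words)):
            total += 1
            swapped = list(words)
            swapped[i], swapped[j] = swapped[j], swapped[i]
            try:
                mnemonic_to_entropy(swapped)
                passing += 1
            except ValueError:
                pass
    return passing, total


def count_bitflips_changing_checksum(entropy: bytes) -> int:
    """Flip each entropy bit in turn; count how often the partial checksum changes."""
    base = checksum_bits(entropy)
    changed = 0
    for bit in range(len(entropy) * 8):
        flipped = bytearray(entropy)
        flipped[bit // 8] ^= 1 << (7 - bit % 8)
        if checksum_bits(bytes(flipped)) != base:
            changed += 1
    return changed


if __name__ == "__main__":
    ent = secrets.token_bytes(16)                       # what a wallet does first: 128 random bits
    words = entropy_to_mnemonic(ent)
    print(" ".join(words))
    assert mnemonic_to_entropy(words) == ent
    print("pair swaps still passing checksum:", count_swaps_passing_checksum(words))
    print("single bit flips changing checksum:", count_bitflips_changing_checksum(ent), "/ 128")
```

Running it shows why the checksum is not a security feature: of the 66 possible pair swaps of a 12-word phrase a handful still verify, and one flipped entropy bit leaves the 4-bit checksum untouched roughly one time in sixteen. The entropy bytes are the secret; the words and the checksum are only an encoding of them.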
jr. member
Activity: 35
Merit: 2
I also think that it is unlikely that someone will find the same seed or a seed that matches the same address.
Especially if you consider the following factors:

The normal user generates in his life maybe 10 addresses and not always the sum times the number of people who live in 100 years make it very unlikely.

A hacker generates wallets to crack an existing wallet with money in it, he would have to check all wallets every hour to see if there are coins in them.

Even if a hacker would do that, then his storage space is not enough and it is again limited.

Despite everything, what method would you recommend or what software to create a wallet?
I could also create a 23 digit seed by hand and use lastWord to convert it to a wallet, but that is again insecure. And I am so paranoid to trust the fewest companies. OpenSource Sacen would be a solution, but I don't know the programming languages to verify that.
Apart from the fact that the effort is higher than the value I could ever protect.
legendary
Activity: 2268
Merit: 18748
In sha256 or even sha128 you will never have the same output.
You definitely will.

Taking SHA256 as an example - the output is always 256 bits, so there are 2^256 possible outputs. However, the input can be anything up to 2^64 - 1 bits in length, which works out to any data up to 2 million terabytes in size. Therefore, there are exponentially more possible inputs than possible outputs, so collisions are guaranteed.

And as I understand it, you always have access to all sub-accounts created in the main wallet, no matter what the first generated address is. I mean when I log into Metamask with the seeds I have the same address as Exodus or the recently tiled Atomic Wallet, that's what I mean by main wallet.
The same seed phrase will always generate the same address at the same derivation path, regardless of what wallet you use (provided all the wallets are following the BIP39 standard and not doing something unique or non-standard).

What do you think it is possible to get access to the same coins with different seeds? Or did I record there stupid stuff?
Technically speaking, given the number of possible derivation paths, every seed phrase in existence is almost certainly capable of generating every possible address. But in practice, there will never be an address collision before the death of the sun.
legendary
Activity: 2380
Merit: 5213
What do you think it is possible to get access to the same coins with different seeds? Or did I record there stupid stuff?
I am not sure I am understanding you correctly. Are you asking if it's possible to generate the same address with different seed phrases?
If so, no. That's not possible.

Take note that in theory it's possible that you generate the same address with different seed phrases, but that's practically impossible. Maybe that's what you've heard before.
jr. member
Activity: 35
Merit: 2
I did some research on hash collisions today and there are collisions in MD5 that have 2 inputs but the same output. In sha256 or even sha128 you will never have the same output. I am also aware that a seed of 12 words will surely be unbreakable for the next 50 to 100 years. I think I heard that it is possible to access coins in the wallet with different seeds, but probably with subaccounts.
Surely this will not refer to the direct address of the wallet but a generated in it. And as I understand it, you always have access to all sub-accounts created in the main wallet, no matter what the first generated address is. I mean when I log into Metamask with the seeds I have the same address as Exodus or the recently tiled Atomic Wallet, that's what I mean by main wallet.

What do you think it is possible to get access to the same coins with different seeds? Or did I record there stupid stuff?
legendary
Activity: 2268
Merit: 18748
If you did brute force a seed phrase which gave you the desired vanity address at m/84'/0'/0'/0/0 (for example), then bear in mind that only that single address would have your desired prefix, and every other address in that wallet would be completely random. Seems like a lot to go through for a single address, when you can already just use VanitySearch.

Note that I would use VanitySearch (https://bitcointalksearch.org/topic/vanitysearch-yet-another-address-prefix-finder-5112311) over VanityGen. It is much faster.

Also note that Bitcoin Core does not use seed phrases at all, so the concept of extending your seed phrase with a passphrase does not exist. As hosseinimr93 says, a passphrase in Bitcoin Core is simply the password for your local wallet file.
legendary
Activity: 2380
Merit: 5213
Thanks for all the info. How much entropy does Vanitygen have? So programs that generate 24 words have 256bit? Is there also 512bit with Bitcoin?
The private key which your vanity address is derived from is like any other private key. It provides 128 bits of security.
A 24 word BIP39 seed phrase provides 256 bits of entropy.


And something else, there is a passphrase in Bip39 and a passphrase in Bitcoin Core, in Bitcoin Core you can change the passphrase and the addresses remain, but how is it with Bip39 there is a separate address generated?
They are different.
The term "passphrase" is usually used to refer to characters or words you use to extend your seed phrase. When you add a passphrase to your seed phrase, you generate a completely different wallet.
In bitcoin core, the passphrase is like a password which encrypts your wallet file.
jr. member
Activity: 35
Merit: 2
Thanks for all the info. How much entropy does Vanitygen have? So programs that generate 24 words have 256bit? Is there also 512bit with Bitcoin?
I also think that Vanitygen is a game in itself, an address that you can own to receive money on the Internet and have a cool address when there is little money on it.

And something else, there is a passphrase in Bip39 and a passphrase in Bitcoin Core, in Bitcoin Core you can change the passphrase and the addresses remain, but how is it with Bip39 there is a separate address generated?

That with the Bip39 passphrase and less entropy sounds strange at first but I think it has to do with Bip39 itself and any human intervention disturbs the algorithm somewhere?
hero member
Activity: 714
Merit: 1010
Crypto Swap Exchange


As said here before 24 mnemonic words from the BIP39 set of words encode a 256-bit random number and include also a partial hash checksum which allows very certain detection of an error in the sequence of words. To me your 128-char mnemonic passphrase is a bit of over the top. It's random which is good, likely very few humans can type it without any error which is a risk. That means you have to store your mnemonic passphrase in a digital file on a computer which shouldn't ever go online for safety reasons. Practically you can only copy/paste such a mnemonic passphrase. If you care for security this mandates that you don't use any online device with such a mnemonic passphrase and it makes an analog backup copy of the passphrase nearly impossible as the smallest error will give you a different and empty wallet.

You're making your life harder than necessary. You can't have a hierarchical deterministic wallet with fancy addresses, very unlikely to happen. Vanitygen addresses might be fancy but are a pain to generate securely and to keep secure, too.

Get a decent hardware wallet (and that's no Ledger crap device) and have peace of mind. Learn on HD wallets and derivation paths e.g. at https://learnmeabitcoin.com and make yourself familiar with a good hardware wallet. Practice recovery with some Testnet bitcoins and you will have a much more secure storage of your wallet than with any online software wallet solution.
legendary
Activity: 4466
Merit: 3391
I have understood a little more out there but only bip39 uses a Mnemonic seed? Because many wallets from different manufacturers are often compatible.
Assuming I have a 24 digit Mnemonic, example of the website you linked:
Code:
assault crane thumb neither seminar impulse solve record result cradle room deposit father video enforce mammal give chase despair analyst sorry tooth eyebrow sniff
the seed is out:
Code:
159c926acdc50682281d44a26be623813de155e4f567afc359d2ba7674e4cd9c311fc31e7af5d2c0b673c3a35eba3dd08a3d0097c524e3edee6b2d0acf49e096
Is this the entropy at the same time?

if i now add a 128 digit password:
Code:
^wUa0tw%&ZE$nv45cVd#iFUuamuUqmdYSa*i5<z*gv&W7kK9c8zZ$1H@ZzG#Ur0by4ZUE@^nw1gLUXTPKZCe0DtGknW62VrJwSocG3Y!SjOEwXT8ureahEZn8$8^Gr

the seed becomes:
Code:
fc7c9360aec42693cefdd0ad6275f4d9e7644c1f54a48c09f0c5b265cba154e9b249737c683d4c6c3cb79d9e6ee7bf50fd716dec5ed66bbb296fb9648ac46cef

The meaning of the word "entropy" differs a little depending on the context.

A 24-word mnemonic is an encoding of 256 bits of entropy (in this case, "entropy" means random data). Adding a password to the mnemonic increases the entropy (in this case, "entropy" means the amount of randomness). The seed is then derived from the mnemonic plus password (if there is one).

In the hex area the f at the beginning is higher than the 1 so seen like this almost 8 times as strong, or how does this entropy calculate?

The strength is determined by the number of digits in the number or the strength of its source, whichever is less, and not the value of the number itself.

Background of my question is simply that I want to create a wallet that is as secure as possible but where also the address looks cool as generated by vanitygen.
If I wanted to create a wallet here now, how could I influence the entropy?

So, if you want to create an address that looks cool like it was generated by vanitygen, why not just use vanitygen? Some wallets have the ability to import private keys, allowing you to spend the funds received at the address.

Note that a wallet and an address are different things. A wallet contains one or more addresses.

legendary
Activity: 952
Merit: 1386

Background of my question is simply that I want to create a wallet that is as secure as possible but where also the address looks cool as generated by vanitygen.
If I wanted to create a wallet here now, how could I influence the entropy?
https://github.com/adrijano/Bitcoin-wallet-cracker

So, you want to have a seed which produces “nice” address for a given derivation path.
Testing addresses on the path is quite “expensive” operation, so the whole process will be much slower (less efficient) than “normal” vanitygen.
But I understand your doubts, you consider testing different seeds or one seed and different passwords.
jr. member
Activity: 35
Merit: 2
I have understood a little more out there but only bip39 uses a Mnemonic seed? Because many wallets from different manufacturers are often compatible.
Assuming I have a 24 digit Mnemonic, example of the website you linked:
Code:
assault crane thumb neither seminar impulse solve record result cradle room deposit father video enforce mammal give chase despair analyst sorry tooth eyebrow sniff
the seed is out:
Code:
159c926acdc50682281d44a26be623813de155e4f567afc359d2ba7674e4cd9c311fc31e7af5d2c0b673c3a35eba3dd08a3d0097c524e3edee6b2d0acf49e096
Is this the entropy at the same time?

if i now add a 128 digit password:
Code:
^wUa0tw%&ZE$nv45cVd#iFUuamuUqmdYSa*i5<z*gv&W7kK9c8zZ$1H@ZzG#Ur0by4ZUE@^nw1gLUXTPKZCe0DtGknW62VrJwSocG3Y!SjOEwXT8ureahEZn8$8^Gr

the seed becomes:
Code:
fc7c9360aec42693cefdd0ad6275f4d9e7644c1f54a48c09f0c5b265cba154e9b249737c683d4c6c3cb79d9e6ee7bf50fd716dec5ed66bbb296fb9648ac46cef

In the hex area the f at the beginning is higher than the 1 so seen like this almost 8 times as strong, or how does this entropy calculate?

Background of my question is simply that I want to create a wallet that is as secure as possible but where also the address looks cool as generated by vanitygen.
If I wanted to create a wallet here now, how could I influence the entropy?
https://github.com/adrijano/Bitcoin-wallet-cracker

I could also use the links you sent to create a wallet offline but I can't see the source code and there could be providers who create and store millions of wallets and only these are generated and connected to the provider, even if you generate it offline, if it's from pre-generated seeds, it's all useless.
legendary
Activity: 952
Merit: 1386
What exactly do these paths mean:
m/84'/0
m/44'/60
m/44'/0'
m/84'/0

So the question is which BIP fits to which path and which path did you use in the beginning?

I think you will find answer for that question if you look at the page: https://iancoleman.io/bip39/

After you generate/paste seed, you may check addresses generated by different derivation paths.
In general, we may say we have: "m/[BIP]/[COIN]/["Account"]/address"

Using your example, m/44'/60 will produce addresses for Ethereum (see the list: https://github.com/satoshilabs/slips/blob/master/slip-0044.md)
jr. member
Activity: 35
Merit: 2
Sorry it's been almost 1 year since my last message, I sat down today again on the subject of Bitcoin.

In the meantime I have also looked at the tool lostWord again more closely it can validate good seeds and look which combinations are valid.

Success has not brought the whole of course but I have learned a lot. What I didn't understand yet is the path of the seed, e.g. m/0/0 is used by lostWord by default (P2PKH).

What exactly do these paths mean:
m/84'/0
m/44'/60
m/44'/0'
m/84'/0

So the question is which BIP fits to which path and which path did you use in the beginning?

What I understood is that the addresses are as follows:
P2PKH = 1xxxx addresses
P2WPKH = bc1xxxxx addresses
P2SH = 3xxxxx addresses

maybe you can help me a little bit in dealing with the m/0/0 etc..

What I have not yet understood is how entropy works and how I can use the highest possible bne to generate a lot of security I think I read that Trust Wallet for example only has an entropy of 8 or was it 32bit?

What about Conomi, Bitcoin Core, Electrum or BlueWallet? and should I use any of these programs to generate a secure wallet? The higher the entropy, the more secure it will be, even in the quantum computer age.
legendary
Activity: 3472
Merit: 10611
Keep in mind that security of revealed 24 words out of order is still not as high as security of a private key because you are revealing your entropy and 620,448,401,733,239,439,360,000 is 6e+23 whereas security of a bitcoin private key is 2^128 = 3e+38.
legendary
Activity: 2268
Merit: 18748
It’s really insane that even if you know all the seed words the security of your private key is still this high.
Seed phrase, not private key.

It is only relatively secure if it is 24 words, which will essentially be impossible to bruteforce as outlined above. 12 scrambled words however are very easy to brute force, and can be done in minutes or hours depending on your hardware.

Either way, if you have accidentally revealed all or some of your seed phrase, even if scrambled, I'd still be moving everything to a brand new wallet as soon as I could, followed by re-examining my set up to figure out how I could have been so careless and insecure in the first place.
hero member
Activity: 1036
Merit: 642
Magic
-snip- That is 24*23*22*...*1=24! = 620,448,401,733,239,439,360,000
Thanks, then it would only be an average of 19,674 years for a disarranged 24-word seed at a bruteforce speed of 1 trillion combinations per second.
And only 479,001,600 combinations for a disarranged 12-word seed.

It’s really insane that even if you know all the seed words the security of your private key is still this high. Makes me laugh a bit about all these brute force attempts that don’t even know a single word.
legendary
Activity: 4354
Merit: 3614
what is this "brake pedal" you speak of?
It sounds very interesting so as I understand it then these wallet.dat files were the keys and you don't have a password and all that needed?

yes. wallet.dat files contain a list of private keys. some pregenerated when 1st initialized, other keys added as needed when the pool of keys ran out.

early wallet.dat files did not have password protection, it was added later.

Maybe you can compare that with a Google Authenticator or these YoubiKeys or whatever they are called, i.e. a key file?

google auth and yubikeys are what's called two factor authentication (2FA). totally different than a password, seed or keyfile.
jr. member
Activity: 35
Merit: 2
Thanks for the many texts. It sounds very interesting so as I understand it then these wallet.dat files were the keys and you don't have a password and all that needed?

I can hardly imagine that, but surely there was a program where you could load the key and then access your wallet?

Maybe you can compare that with a Google Authenticator or these YoubiKeys or whatever they are called, i.e. a key file?

I just started working in 2009 and was also very involved in development, including Web 2.0 and the development of Bootstrap from Twitter and the whole browser development by Google etc... I was very fascinated, I still wonder why I never what had heard of bitcoin. Kind of a shame, not necessarily because of performance but just because you missed something, sort of like everyone has a Nintendo and you never hear about it.
legendary
Activity: 3472
Merit: 10611
Early wallets were not deterministic. Whenever the wallet needed a new key it just called up its RNG and created a new random key. That means there was no seed or seed phrase in the early days. After some time, due to the possibility of flaws in RNGs and bugs in some implementations, deterministic key derivation (BIP32) was introduced and wallets slowly started switching to that. Shortly after, in order to make backups user friendly, the concept of using mnemonics or seed phrases (BIP39) was introduced.
hero member
Activity: 714
Merit: 1010
Crypto Swap Exchange
As far as I remember the early Bitcoin Core wallet generated a pool of private keys, a fixed number of them. But frankly I don't know how those were generated and if by any deterministic way. If the key pool ran out of keys, the pool was extended by another fixed batch of fresh random keys. There was no 'visible' seed and Bitcoin Core doesn't use mnemonic seed words. Backup of a Bitcoin Core wallet was always file based: you had to backup the wallet file and restore your wallet from a file backup. This could lead to loss of funds if you restored a wallet file which contained a smaller key pool than your most recent wallet that you may have lost or which got corrupted or deleted.

For deterministic wallets nowadays Bitcoin Core uses a private key as seed and derives the keys and addresses of a HD wallet by BIP-32 mechanics. And descriptors should make, I say, an 'expected' key derivation easier/safer. (I'm still working on this topic to understand it as much as possible.)

Maybe Armory was one of the first wallets to implement some HD scheme where you were able to recover the wallet from some sort of seed numbers. Never used Armory myself, but I read a lot about it out of interest. Bitcoin Core's file based backup always made me feel uncomfortable, too digital and fixed to digital files.

And then there was the disaster with 'brain wallets', keys derived from hashing stuff that humans believed to be unique, secret and whatnot. That didn't go well for some Bitcoiners.
jr. member
Activity: 35
Merit: 2
What options were there in 2009 before bip39 was used?
Even now, BIP39 isn't a part of bitcoin rules and you always have to sign the transactions with your private key. A BIP39 wallet derives your private keys from your seed phrase and use them for making transactions.
In 2009, there was no seed phrase and people had to backup the wallet file or save their private keys.

How were wallets generated in the early days of Bitcoin? And were words used?
legendary
Activity: 2268
Merit: 18748
Your arguments don't sound correct to me although I don't claim to be good at this type of math. Here is a quote from Electrum docs though:
With the standard values currently used in Electrum, we obtain: 2^(132 + 11 - 8) = 2^135. This means that a standard Electrum seed is equivalent, in terms of hashes, to 135 bits of entropy.
The issue is j2002ba2 and that read the docs page are using different definitions of entropy.

Taking legacy Electrum phrases, then we all agree that the seed phrase encodes 132 bits of information. Two different scenarios then follow:

Electrum says "Well, only 1 in every 2^8 seed phrases will have the correct prefix, but for each one that does have the correct prefix, it requires 2^11 hashes to generate a master private key." And so they work out 132 - 8 + 11 to give 135 bits of entropy.

j2002ba2 on the other hand says "We start with 132 bits, but since we are discarding all but one of every 2^8 seed phrases, then that reduces the entropy to 124 bits, although it doesn't reduce the attack surface."



If you consider a BIP39 seed phrase, then you have 2^128 phrases, and for each one you have to go through 2048 rounds of PBKDF2, giving 2^128 * 2048 = 2^139 hashes.
If you consider a legacy Electrum seed phrase, then you have 2^132 phrases, and for each one you must hash it once to check the prefix, and then for one in every 256 (on average) you have to go through 2048 rounds of PBKDF2. This means 256 + 2048 = 2304 hashes for every 256 seed phrases, which is an average of 9 hashes per seed phrase, giving a total of 2^132 * 9 = 2^135.2 hashes.
legendary
Activity: 3472
Merit: 10611
~
Your arguments don't sound correct to me although I don't claim to be good at this type of math. Here is a quote from Electrum docs though:
With the standard values currently used in Electrum, we obtain: 2^(132 + 11 - 8) = 2^135. This means that a standard Electrum seed is equivalent, in terms of hashes, to 135 bits of entropy.
legendary
Activity: 2380
Merit: 5213
What options were there in 2009 before bip39 was used?
Even now, BIP39 isn't a part of bitcoin rules and you always have to sign the transactions with your private key. A BIP39 wallet derives your private keys from your seed phrase and use them for making transactions.
In 2009, there was no seed phrase and people had to backup the wallet file or save their private keys.
jr. member
Activity: 35
Merit: 2
here is what i try to: i have read the first email of satoshi and find out that he have many bip39 word inside the email, it looks a little bit like a puzzle or something:
I mean, BIP39 wasn't created until 5 years after that email, until about 3 years after Satoshi disappeared, and was created by a bunch of people who aren't Satoshi. BIP39 contains a huge number of common English words. You will find many such words in any text of sufficient length. You are not going to find a BIP39 wallet encoded in Satoshi's emails.

Electrum 12-word seeds have less than 128 bits entropy, IIRC it's slightly less than 132-8=124 for legacy addresses, and 132-12=120 for segwit addresses.
We actually discussed this before about a year ago here: https://bitcointalksearch.org/topic/m.57328109

The 8 bit prefix for legacy addresses and 12 bit prefix for segwit addresses which Electrum uses does not reduce the entropy of the seed phrase itself, since an attacker still has to check every seed phrase to see if it hashes to the correct prefix. However, it does mean that for 4095 out of 4096 seed phrases (for segwit), an attacker does not have to go through the 2048 rounds of PBKDF2.

First of all, thanks for the many people working on this thread, it shows how big this community is.

What options were there in 2009 before bip39 was used?
full member
Activity: 206
Merit: 447
There cannot be more than 128 bits entropy in BIP39 12-words. There are not enough bits to represent it.
If you have selected each word manually and randomly and you have 12 words then each word represents 11 bits which makes the total 12*11=132 bits.
Yes, it is 132 bits, but only if there's no checksum or required version.

Quote
Quote
Electrum 12-word seeds have less than 128 bits entropy, IIRC it's slightly less than 132-8=124 for legacy addresses, and 132-12=120 for segwit addresses.
That is incorrect. Electrum actually starts with a 132-bit entropy (as an int) then increments it until it finds a correct checksum. Address type does not affect the entropy size, it only affects what checksum is expected.
https://github.com/spesmilo/electrum/blob/abe3955d916521f37e06b96d8996b270413e175f/electrum/mnemonic.py#L190
It very much affects the entropy, since 255 (or 4095 in segwit case) possibilities are rejected (plus the valid BIP39 ones, about one in 16, another loss of additional 0.0931 bits of entropy). You end up with smaller pool of possible seeds, hence smaller entropy.

It seems that entropy is a very tricky subject for many people. I'll give an example. Let's have a hypothetical seed generator, which starts randomly, and increments until it reaches only one specific seed. This is exactly 0 bits of entropy. If the generator stops when it reaches one of 2 seeds, we get 1 bit entropy. If an attacker has no information about these seeds, then he has to scan the whole 256 bit range (or whatever size it is in this case).

So, valid electrum seeds do have less entropy - 123.9 bits for standard, and 119.9 bits for segwit. That doesn't mean it's much easier to crack versus BIP39. If my calculations are correct, it's about twice harder to find a valid Electrum segwit seed versus both Electrum standard and BIP39. (if we are given an address to compare to)

In information theory, the entropy of a random variable is the average level of "information", "surprise", or "uncertainty" inherent to the variable's possible outcomes.

Certainly only one in 2^4 seeds are valid for BIP39, one in 2^8.09 for Electrum standard, and one in 2^12.09 for Electrum segwit. Hence the entropy is lower.

One might argue, that the attacker sees 132 bits of entropy, since nothing is certain for him. Then this is true for BIP39 as well, although it is generated using 128 bit entropy. Looking the other way if one insists BIP39 to have 128 bits entropy, then Electrum standard has 123.9, and segwit 119.9.
legendary
Activity: 2268
Merit: 18748
here is what i try to: i have read the first email of satoshi and find out that he have many bip39 word inside the email, it looks a little bit like a puzzle or something:
I mean, BIP39 wasn't created until 5 years after that email, until about 3 years after Satoshi disappeared, and was created by a bunch of people who aren't Satoshi. BIP39 contains a huge number of common English words. You will find many such words in any text of sufficient length. You are not going to find a BIP39 wallet encoded in Satoshi's emails.

Electrum 12-word seeds have less than 128 bits entropy, IIRC it's slightly less than 132-8=124 for legacy addresses, and 132-12=120 for segwit addresses.
We actually discussed this before about a year ago here: https://bitcointalksearch.org/topic/m.57328109

The 8 bit prefix for legacy addresses and 12 bit prefix for segwit addresses which Electrum uses does not reduce the entropy of the seed phrase itself, since an attacker still has to check every seed phrase to see if it hashes to the correct prefix. However, it does mean that for 4095 out of 4096 seed phrases (for segwit), an attacker does not have to go through the 2048 rounds of PBKDF2.
legendary
Activity: 3472
Merit: 10611
There cannot be more than 128 bits entropy in BIP39 12-words. There are not enough bits to represent it.
If you have selected each word manually and randomly and you have 12 words then each word represents 11 bits which makes the total 12*11=132 bits.

Quote
Electrum 12-word seeds have less than 128 bits entropy, IIRC it's slightly less than 132-8=124 for legacy addresses, and 132-12=120 for segwit addresses.
That is incorrect. Electrum actually starts with a 132-bit entropy (as an int) then increments it until it finds a correct checksum. Address type does not affect the entropy size, it only affects what checksum is expected.
https://github.com/spesmilo/electrum/blob/abe3955d916521f37e06b96d8996b270413e175f/electrum/mnemonic.py#L190
jr. member
Activity: 35
Merit: 2
I would like to know if there is a possibility to create a 12 or 24 digit seed from a selection of words and not the whole 2048 words.
You can do that but human brain is known to be bad for creating random results, so I would not do this if you want to hold larger amount of coins.
You could use any eleven words you want and calculate last word to create entropy.
There is a website called seedpicker that can calculate everything for you, you can select any 23 words you want from all 2048 words and last word will be calculated.
This is open source tool, but use it carefully, read their guide and only do it if you know what you are doing:
https://seedpicker.net/calculator/last-word.html

I would prefer if the whole thing is open source and I can possibly create it on my computer without internet (maybe a github project based on python).
You could use iancoleman website totally offline, and it is even advised to be always used like that.
In your browser, select file save-as, and save this page as a file, then double click that file to open it in a browser on your offline computer:
https://iancoleman.io/bip39/

thank you that will help me, the website not find every time the right word but i see it is a very long way to go i search the 24 word of:
abstract version allow online one another digital provide solution still problem into record only pool long control best effort leave will what satoshi

the website find bonus as 24 word but there must be more working words.

here is what i try to: i have read the first email of satoshi and find out that he have many bip39 word inside the email, it looks a little bit like a puzzle or something:

https://i.postimg.cc/L6sMjPdy/satoshi-email-Kopie.jpg

i use all the light green words because they came only 1 time the multicolor are words with more than 1 each and the grey are words that looks like bip39 words.

maybe someone has more luck than me or can help me to find out if we find a wallet.

i also looks at the number of  the words the first 2 words are number 8 and 1943 maybe a year or something.

i try also the word from the beginning and jump over the double words it was:

main double prevent network proof power abstract version allow online payment direct

sorry my bad english
full member
Activity: 206
Merit: 447
Which means that one must "preselect" another 3 bits. It would look like selecting the last word, taking its 3 bits and then replacing the last word by the final one.
Unfortunately you cannot finish the manual process after 23 words.
Other option is to see which of 8 "correct" last words you like the best.
Exactly, another solution would be doing something similar to what Electrum does. You select 12 words and then increment the last word until you get a valid checksum. As long as the selection process is really random the entropy you get is more than 128 bits.
Same for any other word count.
There cannot be more than 128 bits entropy in BIP39 12-words. There are not enough bits to represent it.

Electrum 12-word seeds have less than 128 bits entropy, IIRC it's slightly less than 132-8=124 for legacy addresses, and 132-12=120 for segwit addresses.

More entropy could be inserted, if you instead of using the 12 words directly mutate them with additional entropy. For example: make some letters lower case, while other upper case, change some words to "leet speak", etc. And then feed this into PBKDF2.

Of course, the easiest method of adding entropy is using password together with the seed.
legendary
Activity: 2268
Merit: 18748
This is open source tool, but use it carefully, read their guide and only do it if you know what you are doing:
https://seedpicker.net/calculator/last-word.html
First time I've looked at that site, but I don't like it I'm afraid.

Their method for generating the first 23 words does not specify that each raffle ticket needs to be returned to the bag/box for future draws. This reduces the entropy of the seed.
They always start the 24th word with "000" before appending the 8 bit checksum, again reducing the entropy of the seed.
They then show a P2WSH Zpub from derivation path m/48'/0'/0'/2'. I understand it is designed to be used in their specific wallet, but anyone taking that Zpub to another wallet will run in to a huge amount of trouble trying to recover their coins if they don't fully understand what they are doing.

If you want a website to tell you your 24th word (as opposed to manually calculating the checksum), then I would suggest generating 24 words in a properly random fashion and then just typing them all in to an offline version of Ian Coleman. If you then click on "Show entropy details", it will automatically swap your last word for the appropriate checksum word, but keeping the first 3 bits of entropy the same.
legendary
Activity: 3472
Merit: 10611
Which means that one must "preselect" another 3 bits. It would look like selecting the last word, taking its 3 bits and then replacing the last word by the final one.
Unfortunately you cannot finish the manual process after 23 words.
Other option is to see which of 8 "correct" last words you like the best.
Exactly, another solution would be doing something similar to what Electrum does. You select 12 words and then increment the last word until you get a valid checksum. As long as the selection process is really random the entropy you get is more than 128 bits.
Same for any other word count.
legendary
Activity: 952
Merit: 1386
You could use any eleven words you want and calculate last word to create entropy.
There is a website called seedpicker that can calculate everything for you, you can select any 23 words you want from all 2048 words and last word will be calculated.
That would give you 121 (instead of 128) bits and 253 (instead of 256) bits of entropy respectively. It may not be important for the second one but your first entropy is going to be a slightly weaker one than the security that bitcoin keys need (at least 128-bits).
This is because the last word is not the checksum, it contains checksum.

Which means that one must "preselect" another 3 bits. It would look like selecting the last word, taking its 3 bits and then replacing the last word by the final one.
Unfortunately you cannot finish the manual process after 23 words.
Other option is to see which of 8 "correct" last words you like the best.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
No one has mentioned yet that because the checksum at the end is just 5 bytes long, one could take a subset of words [security warnings aside], but keep their positions in the wordlist so as not to confuse wallet implementations, and present a GUI to allow the user to select from these combinations for 11 spots, and then put three checkboxes at the end to flip on or off the leading 3 bytes of the last "mnemonic word" that come before the checksum.
legendary
Activity: 3472
Merit: 10611
You could use any eleven words you want and calculate last word to create entropy.
There is a website called seedpicker that can calculate everything for you, you can select any 23 words you want from all 2048 words and last word will be calculated.
That would give you 121 (instead of 128) bits and 253 (instead of 256) bits of entropy respectively. It may not be important for the second one but your first entropy is going to be a slightly weaker one than the security that bitcoin keys need (at least 128-bits).
This is because the last word is not the checksum, it contains checksum.
legendary
Activity: 2212
Merit: 7064
I would like to know if there is a possibility to create a 12 or 24 digit seed from a selection of words and not the whole 2048 words.
You can do that but human brain is known to be bad for creating random results, so I would not do this if you want to hold larger amount of coins.
You could use any eleven words you want and calculate last word to create entropy.
There is a website called seedpicker that can calculate everything for you, you can select any 23 words you want from all 2048 words and last word will be calculated.
This is open source tool, but use it carefully, read their guide and only do it if you know what you are doing:
https://seedpicker.net/calculator/last-word.html

I would prefer if the whole thing is open source and I can possibly create it on my computer without internet (maybe a github project based on python).
You could use iancoleman website totally offline, and it is even advised to be always used like that.
In your browser, select file save-as, and save this page as a file, then double click that file to open it in a browser on your offline computer:
https://iancoleman.io/bip39/
legendary
Activity: 952
Merit: 1386
To be more precise, we may say that if the unknown word is in the last position, it could be treated as a checksum word (a word which contains the binary checksum), then the rest (23 words) produce 8 possibilities at the last position.
Assuming the first 23 words are known, there are 8 possibilities for the last word on average.
It's not that there are always exactly 8 possibilities for the last word.
There are always exactly 8 possibilities for the last word for BIP39 (in the 24-word case).
Last word represents 11 bits, 8 of which are checksum. For every value of the 3 bits we choose, there is always exactly one word with the needed checksum bits.

Exactly.
In other words:
11 bits * 23 words = 253 bits. But you want to have 256. Each word encodes 11 bits, so any word you take will give you 3 bits of "data" + 8 bits of "checksum". Which means you may have 8 possibilities for the "beginning" of the word and 256 possibilities for the "end" of the word. Any 3 bits you select produce (with the rest) one of 256 possible checksums.
full member
Activity: 206
Merit: 447
To be more precise, we may say that if the unknown word is in the last position, it could be treated as a checksum word (a word which contains the binary checksum), then the rest (23 words) produce 8 possibilities at the last position.
Assuming the first 23 words are known, there are 8 possibilities for the last word on average.
It's not that there are always exactly 8 possibilities for the last word.
There are always exactly 8 possibilities for the last word for BIP39 (in the 24-word case).

Last word represents 11 bits, 8 of which are checksum. For every value of the 3 bits we choose, there is always exactly one word with the needed checksum bits.
legendary
Activity: 2268
Merit: 18748
I'd be suspicious if a word is repeated three or more times because that means the seed is somewhat patterned (which technically can still happen with "true" randomness where every bit sequence in the seed is equally possible).
For a 24 word seed, there is a 12.65% chance of the same word appearing twice or more, and a 0.0479% chance of the same word appearing three times or more. So roughly one in every 2,000 seed phrases would have the same word three times. So not that unlikely by any means.

The random binary number comes first and is then translated into mnemonic words where every word out of 2048 represents 11 bits of that random binary number.
The last word only contains 7 bits of that number in a 12 word seed phrase, or 3 bits of that number in a 24 word seed phrase. The rest is checksum.
legendary
Activity: 2380
Merit: 5213
To be more precise, we may say that if the unknown word is in the last position, it could be treated as a checksum word (a word which contains the binary checksum), then the rest (23 words) produce 8 possibilities at the last position.
Assuming the first 23 words are known, there are 8 possibilities for the last word on average.
It's not that there are always exactly 8 possibilities for the last word.

Edit:
I stand corrected.
Thank you j2002ba2 and PawGo for your explanation.
legendary
Activity: 3472
Merit: 10611
This is not the way a mnemonic seed is made,
We weren't talking about creating the seed phrase either!
hero member
Activity: 714
Merit: 1010
Crypto Swap Exchange
I would like to know if there is a possibility to create a 12 or 24 digit seed from a selection of words and not the whole 2048 words.
...
And I also wanted to ask how likely it is that a word occurs twice in the 12 seed?
Let's agree to some common semantics: seed = big random number; mnemonic seed (words) = the set of commonly 12 or 24 words which represent 128 or 256 bits of randomness/entropy. For HD wallets this entropy is processed by iteration of a key derivation function into a BIP39 seed of 512 bits length from which by rules of derivation path the private and public keys are derived.

Your smaller selection of words will likely lead to a less random seed. It may still be safe but you can't be sure of that. I won't be happy not knowing whether my seed is safely random enough. And as indicated below, usually the mnemonic words are derived from the random seed, not the other way around.

A repeated mnemonic word doesn't matter and can happen. This only means that a sequence of 11 bits is repeated in the seed at certain bit boundaries. While I don't think this happens often, I wouldn't worry too much about it. I'd be suspicious if a word is repeated three or more times because that means the seed is somewhat patterned (which technically can still happen with "true" randomness where every bit sequence in the seed is equally possible).

Considering that OP said they have the words, you should use factorial to compute all the combinations not a power. We have 24 words and for first position we can select one out of 24, the second position one out of remaining 23 and so on. That is 24*23*22*...*1=24! = 620,448,401,733,239,439,360,000
This is not the way a mnemonic seed is made, unless you're foolish enough to pick the words yourself from a foolishly chosen set of 24 words out of 2048 and you pick those 24 randomly one after the other from a diminishing set of words. This might not necessarily lead to a weak seed but there's a high chance that something in the process goes (horribly) wrong.

The mnemonic seed words are a human readable representation of a random binary number. The random binary number comes first and is then translated into mnemonic words where every word out of 2048 represents 11 bits of that random binary number. A human is terrible at producing randomness by arbitrary choices. Flipping a coin is OK, rolling dice is OK, if you want to produce 128 bits (12 words out of 2048) or 256 bits (24 words out of 2048) of random entropy.

You can use a smaller word dictionary but then you'd have to use more words for the encoding into mnemonic seed words.
legendary
Activity: 952
Merit: 1386
However, since OP is talking about 24 words, descrambling this is already impossible. Add in an unknown word and it becomes 2048 times more impossible.

To be more precise, we may say that if the unknown word is in the last position, it could be treated as a checksum word (a word which contains the binary checksum), then the rest (23 words) produce 8 possibilities at the last position. So, it is possible to optimize the algorithm: after checking the 8th correct checksum, it is smart to update the first 23 words and not waste time on the last one.
If you have an unknown word in the middle, you may use a similar evaluation, BUT it is not precise - because you modify the checksum generator, you may say that statistically after 8 hits (for the given "checksum word" in the last position) you may skip work for that combination. Unfortunately, it could happen that more words modified in the middle produce the same checksum, so that approach is wrong (too optimistic). Maybe, maybe if you set the limit of hits to 9-10, it would make more sense, but still - it is based on guessing.
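As an added example (not code from any post in this thread), the checksum arithmetic described above done on word indices 0..2047 instead of the words themselves, so it runs without the 2048-word list; it also counts how many replacement words keep a phrase valid at a non-final position, which is the "middle word" caveat in the post above. The only outside fact assumed is the standard BIP39 test vector: all-zero entropy encodes as "abandon" (index 0) repeated, ending in "about" (3) for 12 words and "art" (102) for 24 words.

```python
import hashlib

WORDLIST_SIZE = 2048   # indices stand in for the BIP39 English words

def _split(n_words):
    """(entropy bits, checksum bits) for a phrase of n_words words."""
    total = n_words * 11
    ent = total * 32 // 33          # 128 for 12 words, 256 for 24 words
    return ent, total - ent         # checksum is ENT/32 bits: 4 or 8

def _checksum(entropy, cs_len):
    """First cs_len bits of SHA-256(entropy), as an integer."""
    digest = int.from_bytes(hashlib.sha256(entropy).digest(), "big")
    return digest >> (256 - cs_len)

def is_valid(indices):
    """True if these 11-bit word indices form a checksum-correct phrase."""
    if len(indices) not in (12, 15, 18, 21, 24):
        return False
    if any(not 0 <= i < WORDLIST_SIZE for i in indices):
        return False
    ent_len, cs_len = _split(len(indices))
    bits = 0
    for i in indices:
        bits = (bits << 11) | i
    cs = bits & ((1 << cs_len) - 1)
    entropy = (bits >> cs_len).to_bytes(ent_len // 8, "big")
    return _checksum(entropy, cs_len) == cs

def candidate_last_words(prefix):
    """Every last-word index that validly completes prefix (11 or 23 indices)."""
    ent_len, cs_len = _split(len(prefix) + 1)
    free = 11 - cs_len              # entropy bits still carried by the last word
    head = 0
    for i in prefix:
        head = (head << 11) | i
    out = []
    for v in range(1 << free):      # 8 choices for 24 words, 128 for 12 words
        entropy = ((head << free) | v).to_bytes(ent_len // 8, "big")
        out.append((v << cs_len) | _checksum(entropy, cs_len))
    return out

def count_valid_at(indices, pos):
    """Number of words at position pos that keep the phrase valid; only the
    last position is guaranteed to give exactly 8 (or 128) such words."""
    return sum(is_valid(indices[:pos] + [w] + indices[pos + 1:])
               for w in range(WORDLIST_SIZE))
```

`candidate_last_words([0] * 23)` returns 8 indices starting with 102 ("art"), while `count_valid_at` on a middle position returns a number that is only about 8 on average.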
legendary
Activity: 2268
Merit: 18748
A 12-word phrase will take a very long time.
If you know all 12 words, then btcrecover could descramble this in a matter of hours even with modest hardware, or much faster with good hardware. See: https://btcrecover.readthedocs.io/en/latest/Usage_Examples/2020-05-02_Descrambling_a_12_word_seed/Example_Descrambling_a_12_word_seed/

However, since OP is talking about 24 words, descrambling this is already impossible. Add in an unknown word and it becomes 2048 times more impossible.
legendary
Activity: 952
Merit: 1386
I would like to know if there is a possibility to create a 12 or 24 digit seed from a selection of words and not the whole 2048 words.

Unusual use case, but you may try to play with my program lostwords : https://github.com/PawelGorny/lostword

You are probably interested in the feature PRINT_SEEDS, where you may provide the list of words you want to use (or '?' for all the words) and then select the seed you like.
 

because i want to try to recover a wallet for which i know the words but not the order of the words. I'm actually also missing a word, that is, the tool should be such that I can say these 23 words must definitely occur. The last word can be used from the 2048.

now we talk about something different, worker PERMUTATION. But with 24 words it is a very difficult task.
legendary
Activity: 2618
Merit: 6452
Self-proclaimed Genius
-snip- That is 24*23*22*...*1=24! = 620,448,401,733,239,439,360,000
Thanks, then it would only be an average of 19,674 years at a brute-force speed of 1 trillion combinations per second for a disarranged 24-word seed.
And only 479,001,600 combinations for a disarranged 12-word seed.
legendary
Activity: 3472
Merit: 10611
The simplest bruteforce formula is 24^24 for disordered 24-word seed, which is 1,333,735,776,850,284,124,449,081,472,843,776 combinations.
Considering that OP said they have the words, you should use factorial to compute all the combinations not a power. We have 24 words and for first position we can select one out of 24, the second position one out of remaining 23 and so on. That is 24*23*22*...*1=24! = 620,448,401,733,239,439,360,000
legendary
Activity: 2618
Merit: 6452
Self-proclaimed Genius
simply combining the words somehow doesn't work, it has to have a certain validity
Yes, the last word is part of the "checksum". It has to be the right one to make the seed phrase valid.

I know it's well meant to tell me how long it's going to take or why I shouldn't do it, but it also has a learning background for me even if I don't know much about programming I'd like to know to what extent that's possible and Is there a program for that already?
The simplest bruteforce formula is 24^24 for disordered 24-word seed, which is 1,333,735,776,850,284,124,449,081,472,843,776 combinations.
Even if you can get up to 1 trillion combinations per second, it would still take 42,292,484,045,227 years to find the right order.
Even 10000-times that speed isn't any better.

Compare it to 12 which is only 8,916,100,448,256 combinations.
jr. member
Activity: 35
Merit: 2
even if it takes a long time let's assume i have 24 words then can this also occur in another existing sequence of the rhine?

simply combining the words somehow doesn't work, it has to have a certain validity

I know it's well meant to tell me how long it's going to take or why I shouldn't do it, but it also has a learning background for me even if I don't know much about programming I'd like to know to what extent that's possible and Is there a program for that already?
legendary
Activity: 4466
Merit: 3391
I would like to know if there is a possibility to create a 12 or 24 digit seed from a selection of words and not the whole 2048 words.
And I also wanted to ask how likely it is that a word occurs twice in the 12 seed?

You can create a seed phrase from as few words as you like using your own method. But anyone who knows the words you are selecting from will have an easier time guessing the phrase. One problem with selecting from a subset of words is that the standard construction of the phrase involves a checksum. A wallet validating your phrase might say the phrase is invalid.

The probability of a word being repeated in a 12-word (from 2048 words) phrase is 1 - 2048!/(2036! × 2048^12) = 3%

Edit: I wrote that before reading your followup post.

There is no possibility of success with a 24-word phrase because there are just too many possibilities. A 12-word phrase will take a very long time. There are tools that might help: btcrecover and FinderOuter
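As an added example (not from any post in this thread), the exact "birthday" probabilities behind the figures quoted in this thread for a phrase drawn uniformly from the 2048-word list: about 3% for any repeated word in 12 words, 12.65% for any repeat in 24 words, and 0.0479% for a word appearing three or more times in 24 words. The repeat case is the formula above; the three-or-more case counts the sequences in which no word appears more than twice.

```python
from fractions import Fraction
from math import comb, factorial, perm

WORDLIST_SIZE = 2048   # size of the BIP39 word list

def prob_any_repeat(n_words, vocab=WORDLIST_SIZE):
    """P(some word appears at least twice) = 1 - P(all n_words distinct)."""
    return 1 - Fraction(perm(vocab, n_words), vocab ** n_words)

def prob_any_triple(n_words, vocab=WORDLIST_SIZE):
    """P(some word appears three or more times).

    Count the sequences in which every word appears at most twice: choose k
    words that appear twice and n_words - 2k words that appear once, then
    order them (n_words! arrangements, divided by 2! for each doubled word).
    """
    at_most_twice = Fraction(0)
    for k in range(n_words // 2 + 1):
        singles = n_words - 2 * k
        ways = comb(vocab, k) * comb(vocab - k, singles)
        at_most_twice += Fraction(ways * factorial(n_words), 2 ** k)
    return 1 - at_most_twice / vocab ** n_words

def as_percent(p, digits=2):
    """Render an exact Fraction as a rounded percentage for display."""
    return round(float(p) * 100, digits)
```

The results are exact fractions; `as_percent(prob_any_repeat(24))` gives the 12.65 quoted earlier in the thread.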
hero member
Activity: 1659
Merit: 687
LoyceV on the road. Or couch.
There's brute forcing software for this, but if you have 24 words in random order, you won't find it. With 12 words it might be possible.
jr. member
Activity: 35
Merit: 2
because i want to try to recover a wallet for which i know the words but not the order of the words. I'm actually also missing a word, that is, the tool should be such that I can say these 23 words must definitely occur. The last word can be used from the 2048.
hero member
Activity: 1659
Merit: 687
LoyceV on the road. Or couch.
Why would you want that? It's much less secure if you don't use a proper random.
jr. member
Activity: 35
Merit: 2
Hello dear community,

I would like to know if there is a possibility to create a 12 or 24 digit seed from a selection of words and not the whole 2048 words.

I would prefer if the whole thing is open source and I can possibly create it on my computer without internet (maybe a github project based on python).

And I also wanted to ask how likely it is that a word occurs twice in the 12 seed?

Best wishes,

unamic