Topic: Given the first 15 words out of 24, can a hacker crack the wallet? - page 2.

legendary
Activity: 2618
Merit: 6452
Self-proclaimed Genius
Quote
However, another possibility to consider is as follows: For example, I use a 24-word mnemonic (BIP39) and an 18-character passphrase. I handwrite 12 of the words and the passphrase. If I use a wallet that solely relies on these 24 words, it will leave a transaction record on the blockchain. Hackers can potentially crack the handwritten 12 words first by examining the transaction records, and then proceed to crack the remaining passphrase.
I'm not aware of any vulnerability that'll compromise the mnemonic from a transaction record in the blockchain.
Can you link me to where this is based? TIA.

The closest I know of is if you've compromised one of your private keys and its parent's extended public key; that parent's extended private key can be computed from those.
However, it won't affect the master private key or anything behind it, like the mnemonic or seed, if hardened derivation (the default) was used to derive the compromised extended key.
So the wallet that used the 24 words plus passphrase won't be affected even if the wallet that used the same 24 words without the passphrase is compromised.
But it's still recommended to send to a new one if that happens, no matter how strong the passphrase is.
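The derivation property described in the reply above, as an added example that is not code from the thread: a toy pure-Python secp256k1 plus BIP32 CKDpriv, showing that a leaked child private key together with the parent's extended public key (public key and chain code) recovers the parent's private key when the child index was non-hardened, and that the same trick fails across a hardened step, so the master key behind the mnemonic stays out of reach. The chain m -> m/0' -> m/0'/0 and the "abandon ... about" mnemonic are illustrative choices, and the curve arithmetic is not constant-time and is for demonstration only.

```python
"""BIP32 parent-key recovery from a leaked child key, hardened vs non-hardened.

Added example, not code from the thread. The secp256k1 arithmetic below is a
minimal pure-Python illustration (not constant-time, not for production).
"""
from __future__ import annotations

import hashlib
import hmac

# secp256k1 domain parameters
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
HARDENED = 0x80000000          # BIP32: indices >= 2^31 are hardened


def _add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def _mul(k, point=G):
    """Scalar multiplication by double-and-add."""
    result, addend = None, point
    while k:
        if k & 1:
            result = _add(result, addend)
        addend = _add(addend, addend)
        k >>= 1
    return result


def ser_p(point) -> bytes:
    """33-byte compressed public key, the form BIP32 feeds into the HMAC."""
    x, y = point
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed: PBKDF2-HMAC-SHA512, salt 'mnemonic' + passphrase, 2048 rounds."""
    return hashlib.pbkdf2_hmac("sha512", mnemonic.encode(),
                               ("mnemonic" + passphrase).encode(), 2048, 64)


def master_from_seed(seed: bytes) -> tuple[int, bytes]:
    """BIP32 master key and chain code: HMAC-SHA512 keyed with 'Bitcoin seed'."""
    d = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return int.from_bytes(d[:32], "big"), d[32:]


def ckd_priv(k_par: int, c_par: bytes, i: int) -> tuple[int, bytes]:
    """CKDpriv: hardened children hash the parent *private* key, others the public key."""
    if i >= HARDENED:
        data = b"\x00" + k_par.to_bytes(32, "big") + i.to_bytes(4, "big")
    else:
        data = ser_p(_mul(k_par)) + i.to_bytes(4, "big")
    d = hmac.new(c_par, data, hashlib.sha512).digest()
    return (int.from_bytes(d[:32], "big") + k_par) % N, d[32:]


def recover_parent_priv(k_child: int, pub_par, c_par: bytes, i: int) -> int | None:
    """Attacker's view: child private key plus the parent xpub (public key + chain code).

    For a non-hardened index the HMAC input is entirely public, so IL is
    computable and k_par = k_child - IL (mod n). For a hardened index the
    HMAC input contains k_par itself, so there is nothing to compute from.
    """
    if i >= HARDENED:
        return None
    d = hmac.new(c_par, ser_p(pub_par) + i.to_bytes(4, "big"), hashlib.sha512).digest()
    return (k_child - int.from_bytes(d[:32], "big")) % N


def demo(master_priv: int, master_chain: bytes) -> dict[str, bool]:
    """m -> m/0' (hardened) -> m/0'/0 (non-hardened), then climb back up as the attacker."""
    acct_priv, acct_chain = ckd_priv(master_priv, master_chain, HARDENED)   # m/0'
    addr_priv, _ = ckd_priv(acct_priv, acct_chain, 0)                       # m/0'/0
    # Leaked: addr_priv plus the account xpub. The non-hardened step gives up acct_priv.
    got_acct = recover_parent_priv(addr_priv, _mul(acct_priv), acct_chain, 0)
    # The step above it was hardened: the master xpub does not help at all.
    got_master = recover_parent_priv(got_acct, _mul(master_priv), master_chain, HARDENED)
    return {"account_xprv_recovered": got_acct == acct_priv,
            "master_xprv_recovered": got_master == master_priv}


if __name__ == "__main__":
    k, c = master_from_seed(bip39_seed("abandon " * 11 + "about", ""))
    print(demo(k, c))   # {'account_xprv_recovered': True, 'master_xprv_recovered': False}
    # A passphrase is part of the PBKDF2 salt, so it yields an unrelated seed and master key
    print(bip39_seed("abandon " * 11 + "about", "") != bip39_seed("abandon " * 11 + "about", "x"))
```

Real wallets derive accounts with hardened steps (for example m/84'/0'/0') and the addresses beneath them non-hardened, which is exactly the situation shown: one leaked address key plus the account xpub exposes the whole account, but not the seed, the mnemonic or any other account. The `bip39_seed` call at the end is why the passphrased wallet is unaffected by a compromise of the bare 24-word wallet: the passphrase goes into the PBKDF2 salt, so the two wallets share no key material at any level.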
jr. member
Activity: 57
Merit: 4

Quote
Go for the simpler method, but why not 12 words out of 24?
mnemonic with 9 missing words is quite safe, but 12 missing is safer.
That is OK, too.

Quote
For safety/deniability, fund each part with a low amount so even if one gets hacked, the attacker may think that it's the actual contents of the compromised seed phrase,
so he won't be looking through your emails or flash drives for the other part.
On the other hand, attackers will likely think that there is another part hidden if the seed phrase is only 15 words or invalid.
Your consideration is reasonable.
However, another possibility to consider is as follows: For example, I use a 24-word mnemonic (BIP39) and an 18-character passphrase. I handwrite 12 of the words and the passphrase. If I use a wallet that solely relies on these 24 words, it will leave a transaction record on the blockchain. Hackers can potentially crack the handwritten 12 words first by examining the transaction records, and then proceed to crack the remaining passphrase. If I have never used a wallet exclusively with those 24 words before, the hacker would have to simultaneously crack the handwritten 12 words and the passphrase. Is that correct?
jr. member
Activity: 57
Merit: 4
Quote
The main problem is the methods you use, which can make things complicated and possibly lead to problems when you want to recover your mnemonic from the complicated backup.
For example, you said "encrypt the other 12 words": what algorithm are you going to use? AES? Will you use a KDF like BIP38 to derive the password used in AES? Will you use it correctly, and will it be reproducible? Will you remember how you did it so that you can recover your mnemonic in the future?
You see, when you come up with your own algorithm, unlike BIP38 which I mentioned, it won't be standardized, so a lot of details about it could be weak, buggy or non-reproducible.

My current knowledge is very limited. I plan to directly use WinRAR and 7-Zip for encryption, using the AES-256 algorithm. As for reproducibility, there are a few considerations as follows:

(1) For electronically stored files on the network, use strong passwords (>40 characters) and prepare password explanations. The passwords will primarily come from things or names that I am very familiar with but others are not, such as the names of childhood playmates, and so on! Most of these things and names are unknown to my colleagues as well.

(2) I have purchased a few high-level encrypted USB drives, including two fingerprint USB drives. The seller claims that these encrypted USB drives cannot be cracked. Therefore, relatively weak passwords (~20 characters) can be used for the electronic files stored on these drives. If a hacker-level thief were to steal these USB drives, they would not be able to crack them immediately. Then I would have time to send out the coins.

(3) The last line of defense is hardware wallets. As long as the hardware wallet continues to function properly, it remains secure.
legendary
Activity: 2618
Merit: 6452
Self-proclaimed Genius
Quote
I am considering why not use a simpler approach?
For example, writing down 15 words on paper, and storing the remaining 9 words on encrypted USB drives and in online emails. Certainly, both the paper documents and the electronic file should be kept in multiple copies.
-snip-
Question: Given the first 15 words out of 24, can a hacker crack the wallet?
Go for the simpler method, but why not 12 words out of 24?
A mnemonic with 9 missing words is quite safe, but 12 missing is safer.

It can also give you potential deniability if you can generate a phrase whose first 12 words or last 12 words are valid when used stand-alone.
Creating a 24-word seed phrase where one half is valid has a good chance, but getting both parts as separate valid seed phrases may be low.
You may need a script to generate the latter. (Can anyone provide the numbers for the latter, if possible?)

For safety/deniability, fund each part with a low amount so even if one gets hacked, the attacker may think that it's the actual contents of the compromised seed phrase,
so he won't be looking through your emails or flash drives for the other part.
On the other hand, attackers will likely think that there is another part hidden if the seed phrase is only 15 words or invalid.

The main issue here is if you forget that they should be combined.
legendary
Activity: 3472
Merit: 10611
Quote
If there are any security risks, please tell me. I appreciate it much. Thank everyone!
The main problem is the methods you use, which can make things complicated and possibly lead to problems when you want to recover your mnemonic from the complicated backup.
For example, you said "encrypt the other 12 words": what algorithm are you going to use? AES? Will you use a KDF like BIP38 to derive the password used in AES? Will you use it correctly, and will it be reproducible? Will you remember how you did it so that you can recover your mnemonic in the future?
You see, when you come up with your own algorithm, unlike BIP38 which I mentioned, it won't be standardized, so a lot of details about it could be weak, buggy or non-reproducible.
legendary
Activity: 2380
Merit: 5213
Quote
It is still unlikely to be possible to brute force the remaining 9 seed words out of 24, but technically the entropy dropped from 256 to 99 bits.
If the last 9 words of a 24-word BIP39 seed phrase are missing, the entropy would decrease to 91 bits, not 99 bits. The last 8 bits are the checksum and are a function of the first 256 bits.

Quote
So, to calculate the number of calculations required to brute force a 9-word seed phrase, you would raise 2048 to the power of 9, which is 2048^9 = 5.44 x 10^27 combinations that need to be tried; still, it will take.
The number of possible combinations would be 2^91, which equals 2.48 * 10^27.
If we don't consider the checksum, the entropy would be 2^99 or 2048^9, which equals 6.34 * 10^29. You made a mistake in your calculation.
jr. member
Activity: 57
Merit: 4
Quote
Trying to invent your own Seed storage methods will virtually guarantee that you will lose access to your funds in the future. Write down your 24 words on paper and keep copies in different places. If you want to additionally protect your 24 words with a passphrase, then 30 characters is overkill. Check out the article, which says that a passphrase of 10 - 12 characters is more than enough.

Your advice is very insightful. I am simply ignorant, which leads to fear, and fear leads to excessive complexity.

Quote
then the hacker would need to crack both the remaining 9 words and the passphrase simultaneously. Is my understanding correct?
Yes, correct. But cracking the 12 or 24 words itself is not possible, so the 30-character passphrase is just an additional layer of protection and effectively additional entropy.

Thank you for your response. My plan is as follows: Write down 12 of the 24 words and an 18-character passphrase (including 0-9, a-z, A-Z) on paper. Additionally, encrypt the other 12 words into different electronic files with different keys, to prevent a single point of failure. Keep multiple backups of each part and store them in different locations.

If there are any security risks, please tell me. I appreciate it much. Thank everyone!
sr. member
Activity: 910
Merit: 284
Quote
The 24th word should not be included (it is a checksum word with only 8 possible choices).

You can say that only if you have found the first 23 words of the recovery seed and the remaining last word is just one of the 8 possible words, but the checksum is actually derived from all the remaining words in the seed, that is, the 23, so I guess it should also be included in the calculation if you want to successfully crack the 24-word seed.

Which is explained in detail here: https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki

Quote
then the hacker would need to crack both the remaining 9 words and the passphrase simultaneously. Is my understanding correct?
Yes, correct. But cracking the 12 or 24 words itself is not possible, so the 30-character passphrase is just an additional layer of protection and effectively additional entropy.
full member
Activity: 343
Merit: 167
Trying to invent your own Seed storage methods will virtually guarantee that you will lose access to your funds in the future. Write down your 24 words on paper and keep copies in different places. If you want to additionally protect your 24 words with a passphrase, then 30 characters is overkill. Check out the article, which says that a passphrase of 10 - 12 characters is more than enough.
jr. member
Activity: 57
Merit: 4
Quote
It is still unlikely to be possible to brute force the remaining 9 seed words out of 24, but technically the entropy dropped from 256 to 99 bits.

If the seed is BIP39, then there is a set of 2048 words.

So, to calculate the number of calculations required to brute force a 9-word seed phrase, you would raise 2048 to the power of 9, which is 2048^9 = 5.44 x 10^27 combinations that need to be tried; still, it will take.

Now, if you have a supercomputer which can do one billion combinations per second:

(5.44 x 10^27) ÷ (1,000,000,000) = 5.44 x 10^18 seconds

(5.44 x 10^18 seconds) ÷ (60 seconds/minute * 60 minutes/hour * 24 hours/day * 365 days/year) = 1.72 x 10^10 years

So, it would take approximately 1.72 x 10^10, or 17 billion, years to brute force a 9-word seed phrase at 1 billion combinations per second.


The 24th word should not be included (it is a checksum word with only 8 possible choices). This still makes it impossible to crack. If a 30-character passphrase is added (using 0-9, a-z, A-Z), with 15 characters written on paper and the other 15 encrypted in an electronic file, it becomes even more secure.

If the 24-word mnemonic has been used before, then the blockchain will contain BTC transaction records. In that case, a hacker can first crack the remaining 9 words (by checking if the generated wallet has transaction records) and then attempt to crack the passphrase. However, if the 24-word mnemonic has never been used individually, then the hacker would need to crack both the remaining 9 words and the passphrase simultaneously. Is my understanding correct?
sr. member
Activity: 910
Merit: 284
Quote
Question: Given the first 15 words out of 24, can a hacker crack the wallet?

It is still unlikely to be possible to brute force the remaining 9 seed words out of 24, but technically the entropy dropped from 256 to 99 bits.

If the seed is BIP39, then there is a set of 2048 words.

So, to calculate the number of calculations required to brute force a 9-word seed phrase, you would raise 2048 to the power of 9, which is 2048^9 = 5.44 x 10^27 combinations that need to be tried; still, it will take.

Now, if you have a supercomputer which can do one billion combinations per second:

(5.44 x 10^27) ÷ (1,000,000,000) = 5.44 x 10^18 seconds

(5.44 x 10^18 seconds) ÷ (60 seconds/minute * 60 minutes/hour * 24 hours/day * 365 days/year) = 1.72 x 10^10 years

So, it would take approximately 1.72 x 10^10, or 17 billion, years to brute force a 9-word seed phrase at 1 billion combinations per second.
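A worked version of the numbers argued over in the posts above (2048^9 versus 2^91 once the checksum is accounted for, the eight possible 24th words, the brute-force time estimate) and of the split-phrase idea from the earlier reply about making both 12-word halves valid stand-alone. This is an added example, not code from the thread. To avoid embedding the 2048-word list, phrases are handled as lists of 11-bit word indices; the index-to-word lookup is a table the reader can add. The checksum rule is the BIP39 one (the first ENT/32 bits of SHA-256 of the entropy), the candidate counts and the time estimate are the thread's own arithmetic, and the random source for the split-phrase generator is a seeded `random.Random` so runs are reproducible (use `secrets` for a real wallet).

```python
"""BIP39 checksum mechanics on word indices (0..2047); no wordlist needed.

Added example, not from the thread. A phrase is a list of 11-bit indices;
index <-> word is a lookup in the 2048-entry BIP39 list (not embedded here).
"""
from __future__ import annotations

import hashlib
import math
import random

LENGTHS = (12, 15, 18, 21, 24)   # valid BIP39 phrase lengths; checksum bits = n // 3


def entropy_to_indices(entropy: bytes) -> list[int]:
    """ENT bytes -> word indices, appending the ENT/32-bit SHA-256 checksum."""
    ent_bits = len(entropy) * 8
    if ent_bits not in (128, 160, 192, 224, 256):
        raise ValueError("entropy must be 16, 20, 24, 28 or 32 bytes")
    cs_bits = ent_bits // 32
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    bits = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    total = ent_bits + cs_bits
    return [(bits >> (total - 11 * (i + 1))) & 0x7FF for i in range(total // 11)]


def is_valid_indices(indices: list[int]) -> bool:
    """Recompute the checksum from the entropy bits and compare with the trailing bits."""
    n = len(indices)
    if n not in LENGTHS or any(not 0 <= w < 2048 for w in indices):
        return False
    cs_bits = n // 3                     # 4 bits for 12 words, 8 bits for 24 words
    ent_bits = 11 * n - cs_bits
    bits = 0
    for w in indices:
        bits = (bits << 11) | w
    entropy = (bits >> cs_bits).to_bytes(ent_bits // 8, "big")
    expected = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    return (bits & ((1 << cs_bits) - 1)) == expected


def valid_last_words(prefix: list[int]) -> list[int]:
    """Every index that completes `prefix` to a valid phrase: 8 after 23 words, 128 after 11."""
    return [w for w in range(2048) if is_valid_indices(prefix + [w])]


def candidate_count(total_words: int, missing: int) -> int:
    """Guesses that survive the checksum and need the expensive seed derivation.

    The naive space is 2048**missing = 2**(11*missing); the checksum is a
    function of the entropy, so only 1 in 2**cs_bits of those guesses can be
    right. If the gaps include the last word the attacker computes the
    checksum instead of guessing it; otherwise it filters 2**(11*missing)
    cheap checksum tests down to the same number of survivors.
    """
    if total_words not in LENGTHS:
        raise ValueError("not a BIP39 phrase length")
    if missing == 0:
        return 1
    return 1 << (11 * missing - total_words // 3)


def brute_force_years(candidates: int, guesses_per_second: float) -> float:
    """Wall-clock estimate at a flat guess rate (the thread's 1e9/s supercomputer)."""
    return candidates / guesses_per_second / (365 * 24 * 3600)


def halves_valid(indices24: list[int]) -> bool:
    """Does each 12-word half also pass the 12-word (4-bit) checksum on its own?"""
    return (len(indices24) == 24 and is_valid_indices(indices24[:12])
            and is_valid_indices(indices24[12:]))


def generate_split_valid(rng: random.Random) -> tuple[list[int], int]:
    """Draw 256-bit entropy until the 24-word phrase also splits into two valid 12-word phrases.

    Each half passes its 4-bit checksum with probability 1/16, so about 256
    draws are needed on average. Takes an explicit RNG for reproducibility;
    use secrets.token_bytes(32) for anything real.
    """
    attempts = 0
    while True:
        attempts += 1
        phrase = entropy_to_indices(rng.getrandbits(256).to_bytes(32, "big"))
        if halves_valid(phrase):
            return phrase, attempts


if __name__ == "__main__":
    print(entropy_to_indices(bytes(32)))            # [0]*23 + [102]: 'abandon' x23 + 'art'
    print(len(valid_last_words([0] * 23)))          # 8
    for missing in (9, 12):
        c = candidate_count(24, missing)
        print(f"{missing} missing: 2^{int(math.log2(c))} = {c:.2e} candidates,"
              f" {brute_force_years(c, 1e9):.2e} years at 1e9/s")
    phrase, tries = generate_split_valid(random.Random(2024))
    print(f"split-valid phrase after {tries} draws: {phrase}")
```

The two all-zero-entropy test vectors (23 x "abandon" + "art", 11 x "abandon" + "about") come out as index lists ending in 102 and 3, which pins the checksum arithmetic. `candidate_count` counts only the guesses that pass the checksum, which is what an attacker actually pays PBKDF2 for: 2^91 for 9 missing words, 2^124 for 12, and just 8 for a single missing last word. Each half of a random 24-word phrase passes the 12-word checksum with probability 1/16, so `generate_split_valid` needs about 256 draws on average; the "can anyone provide the numbers" question has a cheap answer, but a phrase valid in all three readings is still one random phrase, so the deniability comes from funding each half, not from the structure.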
jr. member
Activity: 57
Merit: 4
I am currently using a highly complex method to store a set of 24 mnemonic words. Decoding the mnemonic requires 20 minutes.

I am considering why not use a simpler approach?
For example, writing down 15 words on paper, and storing the remaining 9 words on encrypted USB drives and in online emails. Certainly, both the paper documents and the electronic file should be kept in multiple copies.

Question: Given the first 15 words out of 24, can a hacker crack the wallet?

I asked ChatGPT, and it says that it is secure. However, considering that AI models often give unreliable information, it would be better to seek advice from friends on this website. Thanks!

Adding a passphrase is better, and some information is available here: https://blog.trezor.io/is-your-passphrase-strong-enough-d687f44c63af
The official Trezor website has calculated the security strength of a passphrase. It states that a passphrase containing characters from 0-9, a-z, A-Z is considered secure with a length of 10 characters. With 62^10 possible combinations, this is equivalent to approximately 5.41 words, or 2048^5.41.