Topic: Given the first 15 words out of 24, can a hacker crack the wallet? (Read 474 times)

jr. member
Activity: 57
Merit: 4
How can thieves or ordinary hackers crack it?
I already showed you a link where someone cracked a fingerprint reader on a $1000 smartphone in 3 minutes. The fingerprint reader on a $20 USB drive will be trivial by comparison.

Thank you very much, o_ e_ l_ e_ o!
I saw that video, and knew that the fingerprint U disks were not unbreakable.
So the handwritten documents (corresponding to the unencrypted files on the USB drives) will not be stored at my home (off site backups).
legendary
Activity: 2268
Merit: 18748
If both parts are hidden in my home, once they are found by thieves, I am dead. What should I do?
Hide them better and also have off site back ups.

You can hide a piece of paper in hundreds of places in your home a thief would never find it. Under a floorboard. Inside a door. Inside some piece of furniture or equipment. Inside some fitting or socket.

And having your only back ups in the same place as your wallets themselves (i.e. at home) is incredibly risky as a single event can still wipe you out. Everyone should have at least one off site back up.

How can thieves or ordinary hackers crack it?
I already showed you a link where someone cracked a fingerprint reader on a $1000 smartphone in 3 minutes. The fingerprint reader on a $20 USB drive will be trivial by comparison.

Can your solution deal with such extreme situations?
Yes. Unless the thief has a month to systematically disassemble and dismantle my entire house, they won't find the back ups I have hidden at home. And even if they did, they wouldn't be able to access my wallets since the other necessary information is backed up off site.
hero member
Activity: 882
Merit: 792
Watch Bitcoin Documentary - https://t.ly/v0Nim
Also, keep in mind that if you use a 24-word seed phrase, even if you reveal the words in an unordered way, a hacker still won't be able to crack your wallet, but will be able to if you use a 12-word seed phrase and reveal all of them.

I own 4 Trezor Ones. There are two ways to recover the seed phrase of a Trezor One on Trezor Suite: one is standard and the other is advanced.
When restoring with the standard mode, the words are entered directly in an unordered way. If 12 out of 24 words have been exposed, then this recovery method is obviously not secure. If I enter them in advanced mode, will there be no problem? Of course, a safer way is to write down the 24-word password and encrypt only the passphrase.
I don't own a Trezor, but I'll explain what I mean.
Let's say that your wallet's seed phrase is: good, absent, ability, hair, icon, jealous, hammer, ignore, jaguar, machine, napkin, observe. Let's say that you have to enter these words in an ordered way, i.e. at first you have to enter good, then ability, then hair, then icon and so on. If you leak these words in an unordered way, in the case of a 12-word seed phrase, a hacker will be able to crack your wallet in half an hour with a good RTX GPU, but if you have a 24-word seed phrase, even if you leak all 24 words in an unordered way, a hacker won't be able to crack it because it will probably take him a million years. That's all I wanted to say.
jr. member
Activity: 57
Merit: 4
Storing partial unencrypted wallet data on a fingerprint-encrypted USB drive or writing it directly on paper doesn't make much difference. These fingerprint-encrypted USB drives are specifically designed for protecting corporate trade secrets, and I don't think they can be easily cracked.
Digital storage has other shortcomings than just being hacked/cracked. For example, hardware problems, where the USB disk is damaged either physically or due to electrical issues or other things, and the data on it becomes inaccessible. Or data decay/degradation with the passage of time.
The most terrible thing is that all U disks are broken at the same time. I currently have 3 encrypted USB drives and plan to buy one more. In addition, I have added another preventive measure.


Also, keep in mind that if you use a 24-word seed phrase, even if you reveal the words in an unordered way, a hacker still won't be able to crack your wallet, but will be able to if you use a 12-word seed phrase and reveal all of them.

I own 4 Trezor Ones. There are two ways to recover the seed phrase of a Trezor One on Trezor Suite: one is standard and the other is advanced.
When restoring with the standard mode, the words are entered directly in an unordered way, via the computer. If someone saw all the unordered words, he would have to try 24*23*22*...3*2*1 times to crack the wallet.
If 12 out of 24 words have been exposed, he would have to try 12*11*10*...3*2*1 times, so this recovery method is obviously not secure. If I enter them in advanced mode, will there be no problem?
Of course, a safer way is to write down the 24-word password and encrypt only the passphrase.



As others have pointed out: go for proven schemes (mnemonic words and separate mnemonic passphrase; stored safely in redundant safe and secret locations // multi-sig stored safely in redundant locations // use hardware wallet(s)). Mnemonic recovery words and (if used) a mnemonic passphrase should only be backed up on physical non-digital media (paper and for protection against paper harming conditions or events: stamped in stainless steel or titanium).

        I divided the seed phrase and passphrase into two parts, one handwritten and the other stored on USB drives. If the files on the fingerprint U disks are not encrypted, then I do not need to remember any passwords to recover the wallet data. If I have three fingerprint-encrypted USB drives and check whether they work properly every year, then the probability that they are all unusable at the same time will be very, very low. Your method: seed phrase and separate passphrase backed up on physical non-digital media. Is there not much difference between yours and mine?

        Handwriting all of the seed phrase and passphrase on paper is also risky. First of all, I have to divide them into two parts, and each part must have multiple backups. If both parts are hidden in my home, once they are found by thieves, I am dead. What should I do? Doesn't it hurt my head? The encrypted fingerprint U disks are specially made for corporate secrets, with AES256 hardware encryption. How can thieves or ordinary hackers crack it? Top hackers may be able to, but they don't care about my altcoins. The main problems for encrypted USB drives are: 1) they may all fail simultaneously. 2) They are all stolen by thieves. 3) In the distant future, AES256 encryption will no longer be unbreakable.

        As for storing the wallet file encrypted (only WinRAR) with a strong password in the email, there are two purposes: 1) Once all USB drives and hardware wallets fail, or they are all stolen by thieves. 2) If my house catches fire, all files, USB flash drives, and hardware wallets may be burned. This is the final recovery plan.

        If the thief knows that you have a lot of Bitcoin, he may steal all related things in your home, including hardware wallets, handwritten papers, anything. Can your solution deal with such extreme situations?

[moderator's note: consecutive posts merged]
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
Question: Given the first 15 words out of 24, can a hacker crack the wallet?

No.

Quote
I am considering why not use a simpler approach?
For example, writing down 15 words on papers, and storing the remaining 9 words on an encrypted USB drives and online emails. Certainly, both the paper documents and electronic file should be kept with multiple copies.

You're taking a big risk in not only storing the words on a single USB drive, but also storing it on the internet. At least use two USB drives in case you lose one.

And email is the last place you'd want to store any sensitive information in because the protocol is so ancient, that everyone can get their dirty hands on it without even opening your account.
hero member
Activity: 882
Merit: 792
Watch Bitcoin Documentary - https://t.ly/v0Nim
I am currently using a highly complex method to store a set of 24 mnemonic words. Decoding the mnemonic requires 20 minutes.

I am considering why not use a simpler approach?
For example, writing down 15 words on papers, and storing the remaining 9 words on an encrypted USB drives and online emails. Certainly, both the paper documents and electronic file should be kept with multiple copies.

Question: Given the first 15 words out of 24, can a hacker crack the wallet?

I asked ChatGPT, and it said that it is secure. However, considering that AI models often give unreliable information, it would be better to seek advice from friends on this website. Thanks!

Adding a passphrase is better, and some information is available here https://blog.trezor.io/is-your-passphrase-strong-enough-d687f44c63af
The official Trezor website has calculated the security length of a passphrase. It states that a passphrase containing characters from 0-9, a-z, A-Z is considered secure with a length of 10 characters. With 62^10 possible combinations, this is equivalent to approximately 5.41 words, or 2048^5.41.
Keep in mind that increased security comes with increased responsibilities. There have been complaints about losing seed phrases, but there hasn't been a case where a wallet was cracked by someone via bruteforcing (unless the seed owner made a huge mistake). For sure, you have to save it securely, but don't save it in a way that you'll lose access to it.
Also, if you are so afraid of your wallet getting cracked, then keep in mind that even if it's possible to crack your wallet in a year, you still have a timeframe that allows you to create a new wallet and transfer coins from the old wallet to the new one. Even if you know that you lost some part of your seed and an attacker will crack it in a day, you still have time to create a new one and transfer from the old to the new wallet.

Also, keep in mind that if you use a 24-word seed phrase, even if you reveal the words in an unordered way, a hacker still won't be able to crack your wallet, but will be able to if you use a 12-word seed phrase and reveal all of them.

Storing partial unencrypted wallet data on a fingerprint-encrypted USB drive or writing it directly on paper doesn't make much difference. These fingerprint-encrypted USB drives are specifically designed for protecting corporate trade secrets, and I don't think they can be easily cracked.
Digital storage has other shortcomings than just being hacked/cracked. For example, hardware problems, where the USB disk is damaged either physically or due to electrical issues or other things, and the data on it becomes inaccessible. Or data decay/degradation with the passage of time.
He can probably buy some waterproof, fireproof, extreme-conditions-proof safe and store his USB there. Btw, instead of storing something on a USB disk, if I were him, I would buy a Coldcard or Passport wallet.
hero member
Activity: 714
Merit: 1010
Crypto Swap Exchange
Considering OP's lack of knowledge in crypto safety, he will likely handle his mnemonic recovery words on a potentially unsafe device or (even worse) on his daily computer. o_e_l_e_o already pointed out that any handling of mnemonic recovery words on a computer should be done on a safe and permanently offline (or agnostic disposable) device.

I find overly complex encryption schemes, self-invented ones worst of all, a quite sure road to loss and disaster later, unless you perfectly document everything. How do you protect your documentation then? Never rely on your memory alone; it will fail you at some point in the future (I speak from my own experience).

As others have pointed out: go for proven schemes (mnemonic words and separate mnemonic passphrase; stored safely in redundant safe and secret locations // multi-sig stored safely in redundant locations // use hardware wallet(s)). Mnemonic recovery words and (if used) a mnemonic passphrase should only be backed up on physical non-digital media (paper and for protection against paper harming conditions or events: stamped in stainless steel or titanium).

If OP needs some inspiration: you may have a look at the free PDF book at https://www.smartcustody.com. But understanding crypto and Bitcoin in particular is also important to judge what is appropriate or what is silly. Work through everything on https://learnmeabitcoin.com, you won't regret it.
legendary
Activity: 3472
Merit: 10611
Storing partial unencrypted wallet data on a fingerprint-encrypted USB drive or writing it directly on paper doesn't make much difference. These fingerprint-encrypted USB drives are specifically designed for protecting corporate trade secrets, and I don't think they can be easily cracked.
Digital storage has other shortcomings than just being hacked/cracked. For example, hardware problems, where the USB disk is damaged either physically or due to electrical issues or other things, and the data on it becomes inaccessible. Or data decay/degradation with the passage of time.
jr. member
Activity: 57
Merit: 4
(2) I have purchased a few high-level encrypted USB drives, including two fingerprint USB drives. The seller claims that these encrypted USB drives cannot be cracked. Therefore, relatively weak passwords (~20 characters) can be used for the electronic files stored on these drives. Also, every encrypted file must have a password explanation.

I doubt the security of such USB drives, especially since biometrics are usually only used for authentication (not encryption). And there's also the possibility that a serious thief would just open the USB drive and take the NAND/flash chip.
Storing partial unencrypted wallet data on a fingerprint-encrypted USB drive or writing it directly on paper doesn't make much difference. These fingerprint-encrypted USB drives are specifically designed for protecting corporate trade secrets, and I don't think they can be easily cracked.
legendary
Activity: 2870
Merit: 7490
Crypto Swap Exchange
The file is encrypted with WinRAR and 7-Zip.

Both WinRAR and 7-Zip use AES-256, which is usually considered secure (although as @o_e_l_e_o said, it comes down to how they implement it). Anyway, if you plan to store the encrypted data for a really long time, you need to consider the possibility that AES-256 is deemed obsolete or no longer secure enough in the distant future.

(2) I have purchased a few high-level encrypted USB drives, including two fingerprint USB drives. The seller claims that these encrypted USB drives cannot be cracked. Therefore, relatively weak passwords (~20 characters) can be used for the electronic files stored on these drives. Also, every encrypted file must have a password explanation.

I doubt the security of such USB drives, especially since biometrics are usually only used for authentication (not encryption). And there's also the possibility that a serious thief would just open the USB drive and take the NAND/flash chip.
member
Activity: 143
Merit: 82

Thank you for your suggestion. I will store a portion of the unencrypted wallet data on USB drives, but the remaining handwritten portion will not be stored at my home.

I would recommend encrypting the "seed phrase" into two complementary encryption keys using the standard XOR operation. You would preserve the security strength and be able to recover without remembering a unique, non-standard scheme. The BIP39-XOR, SeedXOR and SeedTool tools (available on GitHub) demonstrate the concept.
jr. member
Activity: 57
Merit: 4
The file is encrypted with WinRAR and 7-Zip. To ensure that encrypted electronic files can be opened, I have done the following work:
Have you personally reviewed the code of 7zip to ensure there are no flaws in its encryption algorithms?
Did you take steps to mitigate against known vulnerabilities such as this one: https://nitter.cz/3lbios/status/1087848040583626753?
Did you make sure to build the app yourself from the source code you reviewed to ensure you haven't downloaded a fake or malicious one?
How do you plan to do any of that for WinRAR given that it isn't even open source?
Did you only encrypt your data on a permanently airgapped device with a clean OS?
Did you make sure to delete all the temporary files it creates in the archiving process, and then write over those sections of your computer's memory with junk data?
Did you make sure to delete the unencrypted text file you would have first stored on your computer before encrypting it, and then write over that section of your computer's memory with junk data?
I know nearly nothing about 7-Zip and WinRAR. Even if the electronic file is leaked, hackers will only know part of the wallet data.
The encryption of all files is done on offline computers. The file is temporarily stored on a USB flash drive, and the data on the USB flash drive is then cleared using the software DiskGenius. The encrypted data is then transferred to the network through this USB flash drive.

I have purchased a few high-level encrypted USB drives, including two fingerprint USB drives.
Biometrics, especially fingerprints, can be very easily bypassed, even on high end 3D ultrasonic fingerprint scanners such as those on the latest flagship phones - https://bitcointalksearch.org/topic/m.55391797. It will be trivially easy to fool a basic USB fingerprint scanner.
Even if the thief takes the U disk and breaks it, he still needs to crack the password of WinRAR or 7-Zip, and get the handwritten portion.

Quote
There is a reason that everyone here and every good wallet tells you to write down your seed phrase and store it offline. If you want to ignore all that advice and do your own thing then obviously we can't stop you, but you greatly increase the risk of loss.
Thank you for your suggestion. I will store a portion of the unencrypted wallet data on USB drives, but the remaining handwritten portion will not be stored at my home.
legendary
Activity: 2268
Merit: 18748
The file is encrypted with WinRAR and 7-Zip. To ensure that encrypted electronic files can be opened, I have done the following work:
Have you personally reviewed the code of 7zip to ensure there are no flaws in its encryption algorithms?
Did you take steps to mitigate against known vulnerabilities such as this one: https://nitter.cz/3lbios/status/1087848040583626753?
Did you make sure to build the app yourself from the source code you reviewed to ensure you haven't downloaded a fake or malicious one?
How do you plan to do any of that for WinRAR given that it isn't even open source?
Did you only encrypt your data on a permanently airgapped device with a clean OS?
Did you make sure to delete all the temporary files it creates in the archiving process, and then write over those sections of your computer's memory with junk data?
Did you make sure to delete the unencrypted text file you would have first stored on your computer before encrypting it, and then write over that section of your computer's memory with junk data?

So the passwords will only rely on memory and the password explanation. I have tested this method for a long time, and it is very reliable.
It isn't reliable. Here are 100 million reasons not to rely on your memory: https://bitcointalksearch.org/topic/m.60342177

I have purchased a few high-level encrypted USB drives, including two fingerprint USB drives.
Biometrics, especially fingerprints, can be very easily bypassed, even on high end 3D ultrasonic fingerprint scanners such as those on the latest flagship phones - https://bitcointalksearch.org/topic/m.55391797. It will be trivially easy to fool a basic USB fingerprint scanner.

The seller claims that these encrypted USB drives cannot be cracked.
Do they also have a bridge to sell you? People will say anything to sell their product. How do you plan to verify this claim?

Check whether the encrypted files can be opened normally once a year. If not, transfer funds through a hardware wallet immediately.
Will you only be decrypting them on a permanently airgapped device? Will you be writing over the sections of the computer's memory which held those unencrypted files after you are done?

There is a reason that everyone here and every good wallet tells you to write down your seed phrase and store it offline. If you want to ignore all that advice and do your own thing then obviously we can't stop you, but you greatly increase the risk of loss.
jr. member
Activity: 57
Merit: 4
You may need a script to generate the latter. (can anyone provide the numbers if the latter if possible?)
Let's see.

You can generate a 12 word seed phrase with a valid checksum and use that as the first 132 bits of entropy for your 24 word seed phrase. Concatenate another 124 bits of entropy, and then calculate the 8 bit checksum to give yourself a valid 24 word seed phrase. Take the last 12 words of this seed phrase. Given 12 words have a 4 bit checksum, then there is a 1/16 chance that this checksum is valid. So it won't take long at all to bruteforce a valid combination.

Here's one I just made in just a few minutes:
Code:
pupil magic fun throw lecture sunset pizza fashion helmet couch auto impact despair height humor impose near plunge clever abstract swing laundry scheme acquire

Both the first 12 words and the last 12 words are valid seed phrases on their own:
Code:
pupil magic fun throw lecture sunset pizza fashion helmet couch auto impact
despair height humor impose near plunge clever abstract swing laundry scheme acquire

This method is very deceptive. The first 12 words and the last 12 words are both valid wallets. And then store them separately in different places? (different houses, even different cities?) To improve reliability, it is advisable to consider adding this scheme.



Quote
As I said to OP in another thread, his back up scheme is not great. He is planning to have some words written down, some words stored electronically, a variety of different encryption techniques, a variety of different passwords (are these being backed up too? Where? Or are you relying on memory? (Which is even worse!)), and more. It is far too complicated, and he runs a significant risk of failing to recover from his back ups and inadvertently locking himself out of his own wallets.

The file is encrypted with WinRAR and 7-Zip. To ensure that encrypted electronic files can be opened, I have done the following work:
(1) For electronically stored files on the network, use strong passwords (>40 characters) and prepare password explanations. The passwords will primarily come from things or names that I am very familiar with but others are not, such as the names of childhood playmates, and so on! Every encrypted file must have a password explanation. So the passwords will only rely on memory and the password explanation. I have tested this method for a long time, and it is very reliable.

(2) I have purchased a few high-level encrypted USB drives, including two fingerprint USB drives. The seller claims that these encrypted USB drives cannot be cracked. Therefore, relatively weak passwords (~20 characters) can be used for the electronic files stored on these drives. Also, every encrypted file must have a password explanation.

(3) The last line of defense is hardware wallets. As long as the hardware wallet continues to function properly, it remains secure.

(4) Check whether the encrypted files can be opened normally once a year. If not, transfer funds through a hardware wallet immediately.
legendary
Activity: 2618
Merit: 6452
Self-proclaimed Genius
You may need a script to generate the latter. (can anyone provide the numbers if the latter if possible?)
Let's see.

You can generate a 12 word seed phrase with a valid checksum and use that as the first 132 bits of entropy for your 24 word seed phrase. Concatenate another 124 bits of entropy, and then calculate the 8 bit checksum to give yourself a valid 24 word seed phrase. Take the last 12 words of this seed phrase. Given 12 words have a 4 bit checksum, then there is a 1/16 chance that this checksum is valid. So it won't take long at all to bruteforce a valid combination.

Here's one I just made in just a few minutes:
Code:
pupil magic fun throw lecture sunset pizza fashion helmet couch auto impact despair height humor impose near plunge clever abstract swing laundry scheme acquire
Nice, thanks for sparing the time.

So it's faster than I anticipated, I was thinking of generating the whole 24-words from a 256-bit entropy in one go.
Pre-generating the valid first half and filling the rest is one nice trick to minimize the search space for a valid whole (24-words) and last half (12-word) checksum.
hero member
Activity: 644
Merit: 661
- Jay -
I am currently using a highly complex method to store a set of 24 mnemonic words. Decoding the mnemonic requires 20 minutes.

I am considering why not use a simpler approach?
If you really want to use a simpler approach, then simply write down the seed phrase on paper and store that; as a contingency, have more than one back up site.

If you really want to complicate it, then add a passphrase or use a multi sig wallet and store that separately. These are tried and tested methods and they allow you to easily recover it when you need to. Do not over complicate the process.

- Jay -
legendary
Activity: 2268
Merit: 18748
You may need a script to generate the latter. (can anyone provide the numbers if the latter if possible?)
Let's see.

You can generate a 12 word seed phrase with a valid checksum and use that as the first 132 bits of entropy for your 24 word seed phrase. Concatenate another 124 bits of entropy, and then calculate the 8 bit checksum to give yourself a valid 24 word seed phrase. Take the last 12 words of this seed phrase. Given 12 words have a 4 bit checksum, then there is a 1/16 chance that this checksum is valid. So it won't take long at all to bruteforce a valid combination.

Here's one I just made in just a few minutes:
Code:
pupil magic fun throw lecture sunset pizza fashion helmet couch auto impact despair height humor impose near plunge clever abstract swing laundry scheme acquire

Both the first 12 words and the last 12 words are valid seed phrases on their own:
Code:
pupil magic fun throw lecture sunset pizza fashion helmet couch auto impact
despair height humor impose near plunge clever abstract swing laundry scheme acquire



As I said to OP in another thread, his back up scheme is not great. He is planning to have some words written down, some words stored electronically, a variety of different encryption techniques, a variety of different passwords (are these being backed up too? Where? Or are you relying on memory? (Which is even worse!)), and more. It is far too complicated, and he runs a significant risk of failing to recover from his back ups and inadvertently locking himself out of his own wallets.

If you want to avoid a single point of failure, then you should use a standardized and tried-and-tested method for doing so, such as multi-sig or passphrases.
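Two of the constructions in this thread, the SeedXOR-style split recommended earlier and o_e_l_e_o's 24-word phrase whose first and last 12 words are each valid 12-word phrases, both come down to BIP39 checksum arithmetic. The Python below is an added example, not code from any poster or from the SeedXOR/BIP39-XOR/SeedTool projects; it works on the 11-bit word indices rather than words (no wordlist is embedded, so mapping indices to the English wordlist is assumed to be done separately) and uses only the standard library.

```python
import hashlib
import secrets
from typing import List, Optional, Tuple

WORD_BITS = 11                      # each BIP39 word is an 11-bit index into the 2048-word list
VALID_LENGTHS = (12, 15, 18, 21, 24)


def checksum_bits(entropy: bytes) -> str:
    """BIP39 checksum: the first ENT/32 bits of SHA-256(entropy), as a '0'/'1' string."""
    cs_len = len(entropy) * 8 // 32
    digest = int.from_bytes(hashlib.sha256(entropy).digest(), "big")
    return format(digest, "0256b")[:cs_len]


def entropy_to_indices(entropy: bytes) -> List[int]:
    """Append the checksum to the entropy bits and cut the result into 11-bit word indices."""
    ent_bits = format(int.from_bytes(entropy, "big"), f"0{len(entropy) * 8}b")
    bits = ent_bits + checksum_bits(entropy)
    return [int(bits[i:i + WORD_BITS], 2) for i in range(0, len(bits), WORD_BITS)]


def indices_to_entropy(indices: List[int]) -> Optional[bytes]:
    """Reverse of entropy_to_indices; returns None when the checksum does not match."""
    if len(indices) not in VALID_LENGTHS or any(not 0 <= i < 2048 for i in indices):
        return None
    bits = "".join(format(i, "011b") for i in indices)
    ent_len = len(bits) * 32 // 33               # ENT bits; the rest (ENT/32 bits) is the checksum
    entropy = int(bits[:ent_len], 2).to_bytes(ent_len // 8, "big")
    return entropy if bits[ent_len:] == checksum_bits(entropy) else None


def indices_valid(indices: List[int]) -> bool:
    return indices_to_entropy(indices) is not None


def make_splittable_24(rng=secrets.token_bytes) -> Tuple[List[int], int]:
    """A 24-word mnemonic whose first 12 and last 12 words are each valid 12-word mnemonics.
    Returns (word indices, number of attempts); the expected attempt count is 16."""
    first12 = entropy_to_indices(rng(16))          # 128 entropy bits + 4-bit checksum = 132 bits
    prefix_bits = "".join(format(i, "011b") for i in first12)
    attempts = 0
    while True:
        attempts += 1
        tail_bits = format(int.from_bytes(rng(16), "big"), "0128b")[:124]  # 124 fresh entropy bits
        entropy = int(prefix_bits + tail_bits, 2).to_bytes(32, "big")      # 132 + 124 = 256 bits
        full24 = entropy_to_indices(entropy)                               # appends the 8-bit checksum
        # Words 13..24 are 124 entropy bits plus the 8-bit checksum; they pass a 12-word
        # 4-bit checksum only by chance, so each attempt succeeds with probability 1/16.
        if indices_valid(full24[12:]):
            return full24, attempts


def xor_split(entropy: bytes, rng=secrets.token_bytes) -> Tuple[List[int], List[int]]:
    """SeedXOR-style split: two shares that XOR back to the secret entropy, each encoded
    as a valid mnemonic of its own. One share alone is a uniformly random, unrelated seed."""
    share_a = rng(len(entropy))
    share_b = bytes(x ^ y for x, y in zip(entropy, share_a))
    return entropy_to_indices(share_a), entropy_to_indices(share_b)


def xor_recombine(words_a: List[int], words_b: List[int]) -> bytes:
    """Recover the secret entropy from two shares; a share with a bad checksum is rejected."""
    ent_a, ent_b = indices_to_entropy(words_a), indices_to_entropy(words_b)
    if ent_a is None or ent_b is None or len(ent_a) != len(ent_b):
        raise ValueError("a share failed its BIP39 checksum or the lengths differ")
    return bytes(x ^ y for x, y in zip(ent_a, ent_b))


if __name__ == "__main__":
    full, n = make_splittable_24()
    print(f"splittable 24-word indices found after {n} attempt(s):", full)
    print("first 12 valid:", indices_valid(full[:12]), "last 12 valid:", indices_valid(full[12:]))
    secret_entropy = secrets.token_bytes(32)                 # a constructed 256-bit secret
    a, b = xor_split(secret_entropy)
    print("XOR shares recombine correctly:", xor_recombine(a, b) == secret_entropy)
```

Each half of the splittable phrase is a fully spendable wallet of its own, which is exactly what makes the scheme "deceptive"; the XOR split differs in that neither share reveals anything about the secret until both are combined.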
jr. member
Activity: 57
Merit: 4
I am simply ignorant, which leads to fear, and fear leads to excessive complexity.
I've seen more topics from people who lost access to their funds, than people who had their seed phrase physically compromised. Don't take irrational decisions based on fear.

Last year, I didn't even know what a passphrase was. I came up with a complicated method to store my mnemonic phrases, which I improved at least ten times to enhance its reliability, and it took me two months to do so. It was really foolish. The current method seems much simpler. The main issue now is the possibility of being unable to access the encrypted files. I have prepared different solutions to prevent this problem.
jr. member
Activity: 57
Merit: 4
However, another possibility to consider is as follows: For example, I use a 24-word mnemonic (BIP39) and an 18-character passphrase. I handwrite 12 of the words and the passphrase. If I use a wallet that solely relies on these 24 words, it will leave a transaction record on the blockchain. Hackers can potentially crack the handwritten 12 words first by examining the transaction records, and then proceed to crack the remaining passphrase.
I'm not aware of any vulnerability that'll compromise the mnemonic from a transaction record in the blockchain.
Can you link me where this is based? TIA.

The closest I know is if you've compromised one of your private keys and its parent's extended public key pair, that parent extended private key can be computed from those.
However, it won't affect the master private key or anything behind it like the mnemonic or seed if it used hardened derivation (default) to derive the compromised extended key.
So the wallet that used the 24 words plus passphrase won't be affected even if the wallet that used the same 24 words without the passphrase is compromised.
But it is still recommended to send to a new one if that happened, no matter how strong the passphrase is.

I'm sorry, I know very little about blockchain. Thank you for your help.
hero member
Activity: 1659
Merit: 687
LoyceV on the road. Or couch.
I am simply ignorant, which leads to fear, and fear leads to excessive complexity.
I've seen more topics from people who lost access to their funds, than people who had their seed phrase physically compromised. Don't take irrational decisions based on fear.
legendary
Activity: 2618
Merit: 6452
Self-proclaimed Genius
However, another possibility to consider is as follows: For example, I use a 24-word mnemonic (BIP39) and an 18-character passphrase. I handwrite 12 of the words and the passphrase. If I use a wallet that solely relies on these 24 words, it will leave a transaction record on the blockchain. Hackers can potentially crack the handwritten 12 words first by examining the transaction records, and then proceed to crack the remaining passphrase.
I'm not aware of any vulnerability that'll compromise the mnemonic from a transaction record in the blockchain.
Can you link me where this is based? TIA.

The closest I know is if you've compromised one of your private keys and its parent's extended public key pair, that parent extended private key can be computed from those.
However, it won't affect the master private key or anything behind it like the mnemonic or seed if it used hardened derivation (default) to derive the compromised extended key.
So the wallet that used the 24 words plus passphrase won't be affected even if the wallet that used the same 24 words without the passphrase is compromised.
But it is still recommended to send to a new one if that happened, no matter how strong the passphrase is.
jr. member
Activity: 57
Merit: 4

Quote
Go for the simpler method, but why not 12 words out of 24?
A mnemonic with 9 missing words is quite safe, but 12 missing is safer.
That is Ok, too.

Quote
For safety/deniability, fund each part with a low amount so even if one got hacked, the attacker may think that it's the actual contents of the compromised seed phrase,
so he won't be looking for your emails or flash drives for the other part.
On the other hand, attackers will likely think that it has another part hidden if the seed phrase is only 15 words or invalid.
Your consideration is reasonable.
However, another possibility to consider is as follows: For example, I use a 24-word mnemonic (BIP39) and an 18-character passphrase. I handwrite 12 of the words and the passphrase. If I use a wallet that solely relies on these 24 words, it will leave a transaction record on the blockchain. Hackers can potentially crack the handwritten 12 words first by examining the transaction records, and then proceed to crack the remaining passphrase. If I have never used a wallet exclusively with those 24 words before, the hacker would have to simultaneously crack the handwritten 12 words and the passphrase. Is that correct?
jr. member
Activity: 57
Merit: 4
Quote
The main problem is the methods you use which can make things complicated and possibly lead to problems when you want to recover your mnemonic from the complicated backup.
For example you said "encrypt the other 12 words", what algorithm are you going to use? AES? Will you use a KDF like BIP38 to derive the password used in AES? Will you use it correctly and will it be reproducible? Will you remember how you did it so that you can recover your mnemonic in the future?
You see when you come up with your own algorithm, unlike BIP38 I mentioned, it won't be standardized so a lot of details about it could be weak, buggy or not-reproducible.

My current knowledge is very limited. I plan to directly use WinRAR and 7-Zip for encryption, utilizing the AES256 algorithm. Regarding the requirement that it must be reproducible, there are a few considerations as follows:

(1) For electronically stored files on the network, use strong passwords (>40 characters) and prepare password explanations. The passwords will primarily come from things or names that I am very familiar with but others are not, such as the names of childhood playmates, and so on! Most of these things and names are unknown to my colleagues as well.

(2) I have purchased a few high-level encrypted USB drives, including two fingerprint USB drives. The seller claims that these encrypted USB drives cannot be cracked. Therefore, relatively weak passwords (~20 characters) can be used for the electronic files stored on these drives. If a hacker-level thief were to steal these USB drives, they would not have the ability to crack them immediately. Then I have time to send out the coins.

(3) The last line of defense is hardware wallets. As long as the hardware wallet continues to function properly, it remains secure.
legendary
Activity: 2618
Merit: 6452
Self-proclaimed Genius
I am considering why not use a simpler approach?
For example, writing down 15 words on paper, and storing the remaining 9 words on encrypted USB drives and in online emails. Certainly, both the paper documents and the electronic files should be kept in multiple copies.
-snip-
Question: Given the first 15 words out of 24, can a hacker crack the wallet?
Go for the simpler method, but why not 12 words out of 24?
A mnemonic with 9 missing words is quite safe, but 12 missing is safer.

It can also provide you potential deniability if you can generate a valid first 12 words or last 12 words when used stand-alone.
Creating a 24-word seed phrase with one half valid has a good chance, but getting both parts as separate valid seed phrases may be low.
You may need a script to generate the latter. (Can anyone provide the numbers for the latter, if possible?)

For safety/deniability, fund each part with a low amount so even if one got hacked, the attacker may think that it's the actual contents of the compromised seed phrase
so he won't be looking for your emails or flash drives for the other part.
On the other hand, attackers will likely think that it has another part hidden if the seed phrase is only 15 words or invalid.

The main issue here is if you forget that it should be combined.
legendary
Activity: 3472
Merit: 10611
If there are any security risks, please tell me. I appreciate it much. Thank everyone!
The main problem is the methods you use which can make things complicated and possibly lead to problems when you want to recover your mnemonic from the complicated backup.
For example you said "encrypt the other 12 words", what algorithm are you going to use? AES? Will you use a KDF like BIP38 to derive the password used in AES? Will you use it correctly and will it be reproducible? Will you remember how you did it so that you can recover your mnemonic in the future?
You see when you come up with your own algorithm, unlike BIP38 I mentioned, it won't be standardized so a lot of details about it could be weak, buggy or not-reproducible.
legendary
Activity: 2380
Merit: 5213
Still unlikely to be possible to brute force the remaining 9 seed words out of 24, but technically the entropy dropped from 256 to 99 bits.
If the last 9 words of a 24 word BIP39 seed phrase are missing, the entropy would decrease to 91 bits, not 99 bits. The last 8 bits are checksum and are a function of the first 256 bits.

So, to calculate the number of calculations required to brute force a 9-word seed phrase, you would raise 2048 to the power of 9 which is 2048^9 = 5.44 x 10^27 combinations need to be done, still it will take.
The number of possible combinations would be 2^91, which equals 2.48 * 10^27.
If we don't consider the checksum, the entropy would be 2^99 or 2048^9, which equals 6.34 * 10^29. You made a mistake in your calculation.
jr. member
Activity: 57
Merit: 4
Trying to invent your own Seed storage methods will virtually guarantee that you will lose access to your funds in the future. Write down your 24 words on paper and keep copies in different places. If you want to additionally protect your 24 words with a passphrase, then 30 characters is overkill. Check out the article, which says that a passphrase of 10 - 12 characters is more than enough.

Your advice is very insightful. I am simply ignorant, which leads to fear, and fear leads to excessive complexity.

then the hacker would need to crack both the remaining 9 words and the passphrase simultaneously. Is my understanding correct?
Yes, correct. But cracking the 12 or 24 words itself is not possible, so the 30-character passphrase is just an additional layer of protection and effectively additional entropy.

Thank you for your response. My plan is as follows: Write down 12 words of the 24 and an 18-character passphrase (including 0-9, a-z, A-Z) on paper. Additionally, encrypt the other 12 words into different electronic files with different keys, to prevent a single point of failure. Keep multiple backups of each part and store them in different locations.

If there are any security risks, please tell me. I appreciate it much. Thank everyone!
sr. member
Activity: 910
Merit: 284
The 24th word should not be included (it is a checksum word with only 8 possible choices).

You can say that only if you have found the first 23 words of the recovery seed and the remaining last word is just one of the potential 8 special words, but the checksum is actually derived from all the remaining 23 words in the seed, so I guess it also should be included in the calculation if you want to successfully crack the 24-word seed.

Which is explained in detail here: https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki

then the hacker would need to crack both the remaining 9 words and the passphrase simultaneously. Is my understanding correct?
Yes, correct. But cracking the 12 or 24 words itself is not possible, so the 30-character passphrase is just an additional layer of protection and effectively additional entropy.
full member
Activity: 343
Merit: 167
Trying to invent your own Seed storage methods will virtually guarantee that you will lose access to your funds in the future. Write down your 24 words on paper and keep copies in different places. If you want to additionally protect your 24 words with a passphrase, then 30 characters is overkill. Check out the article, which says that a passphrase of 10 - 12 characters is more than enough.
jr. member
Activity: 57
Merit: 4
Quote
Still unlikely to be possible to brute force the remaining 9 seed words out of 24, but technically the entropy dropped from 256 to 99 bits.

If the seeds are BIP39 then there are 2048 sets of words.

So, to calculate the number of calculations required to brute force a 9-word seed phrase, you would raise 2048 to the power of 9 which is 2048^9 = 5.44 x 10^27 combinations need to be done, still it will take.

Now if you have a supercomputer which can do one billion combinations per second:

(5.44 x 10^27) ÷ (1,000,000,000) = 5.44 x 10^18 seconds

(5.44 x 10^18 seconds) ÷ (60 seconds/minute * 60 minutes/hour * 24 hours/day * 365 days/year) = 1.72 x 10^10 years

So, it would take approximately 1.72 x 10^10 or 17 billion years to brute force a 9-word seed phrase with 1 billion combinations per second.


The 24th word should not be included (it is a checksum word with only 8 possible choices). This still makes it impossible to crack. If a 30-character passphrase is added (using 0-9, a-z, A-Z), with 15 characters written on paper and the other 15 encrypted in an electronic file, it becomes even more secure.

If the 24-word mnemonic has been used before, then the blockchain will contain BTC transaction records. In that case, a hacker can first crack the remaining 9 words (by checking if the generated wallet has transaction records) and then attempt to crack the passphrase. However, if the 24-word mnemonic has never been used individually, then the hacker would need to crack both the remaining 9 words and the passphrase simultaneously. Is my understanding correct?
sr. member
Activity: 910
Merit: 284
Question: Given the first 15 words out of 24, can a hacker crack the wallet?

Still unlikely to be possible to brute force the remaining 9 seed words out of 24, but technically the entropy dropped from 256 to 99 bits.

If the seeds are BIP39 then there are 2048 sets of words.

So, to calculate the number of calculations required to brute force a 9-word seed phrase, you would raise 2048 to the power of 9 which is 2048^9 = 5.44 x 10^27 combinations need to be done, still it will take.

Now if you have a supercomputer which can do one billion combinations per second:

(5.44 x 10^27) ÷ (1,000,000,000) = 5.44 x 10^18 seconds

(5.44 x 10^18 seconds) ÷ (60 seconds/minute * 60 minutes/hour * 24 hours/day * 365 days/year) = 1.72 x 10^10 years

So, it would take approximately 1.72 x 10^10 or 17 billion years to brute force a 9-word seed phrase with 1 billion combinations per second.
jr. member
Activity: 57
Merit: 4
I am currently using a highly complex method to store a set of 24 mnemonic words. Decoding the mnemonic requires 20 minutes.

I am considering: why not use a simpler approach?
For example, writing down 15 words on paper, and storing the remaining 9 words on encrypted USB drives and in online emails. Certainly, both the paper documents and the electronic files should be kept in multiple copies.

Question: Given the first 15 words out of 24, can a hacker crack the wallet?

I asked ChatGPT, and it said that it is secure. However, considering that AI models often give unreliable information, it would be better to seek advice from friends on this website. Thanks!

Adding a passphrase is better, and some information is available here: https://blog.trezor.io/is-your-passphrase-strong-enough-d687f44c63af
The official Trezor website has calculated the security length of a passphrase. It states that a passphrase containing characters from 0-9, a-z, A-Z is considered secure with a length of 10 characters. With 62^10 possible combinations, this is equivalent to approximately 5.41 words, or 2048^5.41.
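The entropy arithmetic argued over in this thread (2^99 versus 2^91 for 9 missing words, the 8 checksum bits, the "crack both at once" question, and the Trezor figure of a 10-character passphrase being worth about 5.41 words) as an added worked example; this is my own code, not any poster's, and the guess rate and passphrase length are assumptions you can change:

```python
import math

# Added example (not from any poster): BIP39 arithmetic for a partially exposed phrase.
# Constants follow BIP39: a 2048-word list, so 11 bits per word.
WORD_BITS = 11
SECONDS_PER_YEAR = 365 * 24 * 60 * 60

def checksum_bits(total_words):
    """BIP39 checksum length CS = ENT/32, which works out to total_words/3."""
    if total_words not in (12, 15, 18, 21, 24):
        raise ValueError("BIP39 phrases have 12, 15, 18, 21 or 24 words")
    return total_words // 3

def partial_seed_bits(total_words, missing_words):
    """Return (raw_bits, valid_bits) when `missing_words` words are unknown.
    raw_bits:   2048^m completions exist if the checksum is ignored.
    valid_bits: only 1 in 2^CS of them pass the checksum (it is a function of
                the entropy bits), and that holds wherever the gap sits."""
    if not 0 < missing_words <= total_words:
        raise ValueError("missing_words must be between 1 and total_words")
    raw = WORD_BITS * missing_words
    return raw, max(raw - checksum_bits(total_words), 0)

def passphrase_bits(length, charset_size=62):
    """Entropy of a uniformly random passphrase (default charset: 0-9, a-z, A-Z)."""
    return length * math.log2(charset_size)

def passphrase_equivalent_words(length, charset_size=62):
    """The same strength expressed in BIP39 words (the quoted Trezor figure)."""
    return passphrase_bits(length, charset_size) / WORD_BITS

def years_to_exhaust(bits, guesses_per_second=1e9):
    """Time to try all 2^bits candidates at an assumed constant guess rate."""
    return 2.0 ** bits / guesses_per_second / SECONDS_PER_YEAR

def combined_bits(total_words, missing_words, passphrase_len, seed_used_on_chain):
    """Work factor in bits for missing words plus a passphrase.
    If the bare seed ever received funds, the chain confirms the words alone, so
    the two searches run one after the other (roughly the larger). If it never
    did, nothing confirms a guess short of the final wallet: the bits add."""
    _, word_bits = partial_seed_bits(total_words, missing_words)
    pp = passphrase_bits(passphrase_len)
    if seed_used_on_chain:
        return math.log2(2.0 ** word_bits + 2.0 ** pp)
    return word_bits + pp

if __name__ == "__main__":
    raw, valid = partial_seed_bits(24, 9)          # 15 of 24 words known
    print(f"raw 2^{raw}, valid 2^{valid}, ~{years_to_exhaust(valid):.2e} years at 1e9/s")
    print(f"10-char passphrase is worth about {passphrase_equivalent_words(10):.2f} words")
```

Note that the one-billion-guesses-per-second rate is the thread's own assumption; each candidate also costs a 2048-round PBKDF2 plus key derivation and an address lookup, so real rates are far lower.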