Topic: HACK IT! (a friendly challenge for the forum's experts) (Read 398 times)

ok so lemme relate something that is (well sorta) related to this. its about the pin on a hardware wallet. it was something i knew very very well as it was related to things known only to me and i had used variations of it successfully for years.

but i figured it was time to up its complexity.. so i ran the numbers through my genius, unable for me to forget, algorithm. a bit of substitution and reordering. genius! i figure bullet proof. especially as i had hints hidden to help me out. this was a couple years ago.

fast forward to today. here i sit with my trezor telling me that there will be 8000+ seconds to check my latest attempt to enter the pin entry (12th try i think).

now i have the seeds, so im good. so at this point im just still trying to find my genius, bulletproof pin to see how badly i did. with like 4 tries left till the hardware wallet erases itself.

the point? dont outsmart yourselves.  yes this is about the pin but the point is, like you, i tried to use my own way of "increasing" security. and guess what? i suck at it lol

i wont lose anything if i fail as i do have the seed. but still learn from my mistake.

To be honest, if your going into this much trouble in order to over complicate things you might as well just memorise the private key, which is definitely doable. However, like it was pointed out pretty early, this isn't secure, since you aren't protecting against other issues that might prop up in life. I know you said you'd let your family know how to decipher whatever contraception you come up with to encrypt your seed, however they are unlikely to remember it in the long run, it isn't their money, and as long as something doesn't happen to you prematurely, they aren't going to remember it. For example, I could care less about what someone is going to give me for their inheritance, I'd rather them here, so I probably wouldn't care about remembering anything.

While it's definitely true that security, and convenience don't always work together, they are still intricately tied together. You can't have security without convenience, and you can't have security while having too much convenience.

Like I said, if you want to over complicate things to a unnecessary degree, there's probably easier ways to do it, while still retaining the same security.

Alright, so that's not a black box protocol, since I already revealed several  aspects of it on my OP. And calling it a string is not an oversimplification, it's a statement of fact, since it IS, undoubtedly (albeit a long one), a string.

Thank you Nakamura12, that's exactly the kind of answer I was hoping for.
About the rest of your reply, that's waaaay above my head, sorry, but what I imagine is if I'm gonna input my plain seed words in the computer (at any time) or in a hardware wallet, of course I'm taking a risk. What I intend is to secure the seeds while they're not in use, when I'm storing them.

Well, I am not against on how you make your seed phrase safe but if you decided to import it on a wallet provider then there's still a chance no matter how small it is that your wallet will get stolen by a hacker. The only thing that keeps it safe is when you keep a back up and instead of storing the normal seed phrase is you make it encrypted it in your own way (kinda as you have said) but you would still decrypt it and import it when you want to use the wallet and you won't know that your device might have malware that can steal your seed phrase. I can't crack it that's my answer.

ETFbitcoin: you're arguing for the sake of arguing. I have clearly stated, both in my OP and in my second post, I haven't used any state of the art (or any at all, actually) encryption method.
Any penetration tester, ethical (or not-so-ethical) hacker, or computer security expert knows how to crack a string, you don't need to be Ralph Merkle to do it.
And I don't know what a "black box protocol" is, so maybe I'm using it, maybe I'm not.

That wasn't the question. The question was if it IS easy to crack, not what it looks like.
Of course, reinventing the wheel is not a good idea. Maybe we should get in contact with Jim Dunlop and let him know that. Why not using a passphrase? I'm using one! Really?


Thank you! That is as close to a good answer as I can hope for, considering. I'll take it. 


There are a number of members here who clearly know a lot about security. You don't need to be a security auditor to know how to crack a string.

Obviously, by looking at the string you posted in the OP, no one can come to the conclusion that those are Spanish words translated from English and written down backwards. Not only that, but they were also inserted into that Argentinian book you mentioned. So if you only want a straight answer to the question if that is easily recoverable. No, it isn't. I am going to refrain from commenting on anything else then.   

I wasnt able to cracked it in 5minutes.

Maybe I would be able to in a few hours, if needed.

Anyway, the answer to your question is: it looks easy to crack.


As Pmalek said, reinvent security ia not a good idea. Why don't  you look for  a real encryption method? Such as using a passphrase?


Notedown the seed and add the 13rd word, the passphrase. It can be a word, a letter , a music, whatever you want. This will add security to your method. your coins will be safer using this method.

I'm not. I'm trying to find out if the method used above is difficult to crack, but so far all I could find out it's what's difficult is to answer a simple question, and this thread has turned into a "you should do (or NOT do) this because I know better" rant. I never told anybody to protect their seeds. I never told anybody to use this or any other method.
I just want to know if it's hard to crack.
Is it such a difficult question to answer?

It seems like you are trying to get someone's confirmation that your method is good, but as you can see, no one agrees that should be the way to do things. You shouldn't try to reinvent security. If you think everyone is wrong, do it your way. If you are confident of your method's success, go ahead. Throughout the years we have seen all kinds of things. I remember a case where a member changed the positions of the words he wrote down to protect the seed in case someone found it. After a few years, he forgot which words go where.

Painting an entire wall with different words and phrases including your seed is also something you can do. And remember which words are from your seed. It's awful but it doesn't mean you will lose your coins if someone sees it.  

You now have 2 piece of papers to hide, which cannot be stored in the same place.


I don't agree.

I am certain a lot of users here have small kids.

Let's suppose you have a 2 year old kid. You kindly ask your old father (who knows little about computers) to take care of your precious seed for you, in case you die, so your kid can have access to your money.

Many of us wouldn't trust the kid's mother (as she could just ran away with your money and kid). Should your kid be reap off his rights just because you have a capricious desire for an extra layer of protection (which is technically not needed and not recommend by the community).

Alright, this thread is getting ridiculous.
Just for the record: I started this thread to gauge how difficult it might be to crack a homemade attempt at securing the seed words, and the example posted is just that: an example, and so is the method used. My seed words are already protected, they're (obviously) not the ones I posted above, and the method I used is also different from the one I used in this thread. Instead, I got a bunch of replies trying to dissuade me from doing that, and not  a single post was made following the thread's topic.
In any case, the purpose was to make everybody aware you CAN protect your seed words, should you choose to do so. I made (and make) no guarantee whatsoever that you may not forget it nor have any other problem in the future that might make you unable to  recover your seeds, and/or your funds. Securing your seeds is meant as protection against thieves, not against "everything". That protection just doesn't exist.


Well, then I fully disagree with both of you.
I can't even start to understand how you can thing any kind of encryption would be "less secure" than having your stuff just laying around, waiting for somebody to find it. Yeah, I can forget "my method" (or any method), but if I leave my seeds unprotected and somebody drains my account, I can recite my seed words in Esperanto, but my funds are not coming back.
Using that criteria you should make a wallet without any seed words (that you CAN forget, and you can search the forum on all the threads that have been opened about it), without passwords, and without any protection whatsoever. That would avoid the risk about you forgetting anything, wouldn't it? Then again, you could even forget you had a wallet to begin with...


Well, if they wouldn't put in the effort, they shouldn't reap the benefits, should they?


Not a family member, I already wrote it down, but not on the same piece of paper. You're begging for the lion to eat you.
The point is, with your seeds protected, you can tattoo the string on your ass if you like, and it will be as safe as if you hid it anywhere else (though it may be a bit unconfortable to read...  ).


I am someone who is 100% alone in my life. My dad died in '84. My mother is also dead. My best friend lives over 10000 miles away from me, maybe in Georgia, maybe in Finland, I don't know. I haven't been able to get in contact with her since 2017.

 
Argentinian, born and raised. Currently living in Buenos Aires.



Yeah, and so will a thief.
The risk is the same, there are no "tiers" for things you can forget. You can forget what you had for breakfast. Even if you leave your seeds unprotected, you can still forget them, of you can forget your wallet, or even the fact you even had any crypto to begin with.


Huh? Sorry, I didn't understand. 


Tell me: why would I give a flying shit about my crypto if I end up in a coma "or worse"?


Ok, as I said, no family. As to the couple of broken fingers, I have an idea: to avoid any kind of potential violence, why don't you just make everything you have available to anybody that may want it? Even if they don't know about crypto, you can teach them, and help them rob you. Hey, you may even make some new friends along the way...


I don't know the first thing about bip39. Either way, the initial idea was to use methods that can be decoded without the use of any hardware.


True. But "coche", "carro", "auto", or "automovil" all translate to "car" in English, and "ficha" translates to "token".
In any case, I do get your point. As I said, that method above is just one possible  method, and not to be copied. Take it as a "proof of concept"...

As far as I understand, the only thing that is really important in those list of words is the number associated with the words.

For example, in the  BIP 39 Spanish word list the word carro is associated with the number (line) 351. The word Cloth in English is also 351

So, he could just make a list of numbers associated with the words. In the end, the seed is just a combination of numbers as well.

Then, he could make something like this:

0001035100102048

which would translate to words:
0001 (abandon) 0351 (cloth) 0010  (abuse) 2048 (zoo)

Anyway, any of those methods don't really add any security, and saving the words just like the wallets recommends is the best.

Just a few additional notes on the already commented on this thread:

There is a BIP 39 Spanish word list, but the words are not equivalent to those found on the English version, nor are they interchangeable.
I’ve read about a few wallets that support creating your seed in a language of your choice (out of a few delimited options), but then these wallets I believe are very few, which is going to delimit options. I would therefore stick to the English list, due to having a much broader array of compatible wallets, facilitating migration if need be.

Some words translate different depending on the context. Since there is no context here per word, some words may present multiple alternative both on the way down (English to Spanish) and on the way back (Spanish to English). Spanish, as we know, may also have some minor variants between countries.

For example, "car" may be translated into "coche", but also to "carro", "auto" or "automobil". One of the given possibilities, "carro" could be translated as "cart", so depending on who is performing the translations may end-up with "cart" instead of "car" after completing the whole procedure.
 
Likewise, "token" could be translated as "ficha", but also as "símbolo", which, once translated back into English, could render a different word to the original.


It all depends of who does the translation process, but if the encryptor is different to the decryptor, the chances of one of these above examples taking place increases. Of course, using the BIP 39 list as a contrast reference may discard some of the reverse translation options when there are multiple available.

One other thing that may happen with some resulting string combinations is that, since there are no spaces between the words, the extraction process may present itself with a couple of options of breaking-up the words.
For example, after discarding the letters from the verse, we’d still need to reverse this:

"noimacasacdadrevsaremlapadartnesaglupazneugrevasemodinosorrohcacahcifadibeb"

Which is:

"bebidafichacachorrosonidomesaverguenzapulgasentradapalmerasverdadcasacamion"

Although there is little to no doubt on how to break-up the above into words, there may be other cases where one is presented various alternatives that make sense. Again, checking against the BIP 39 English word list should reduce the scope of dubious situations.

No, the risk is much higher. If you, your family, or your relatives find a piece of paper or metal with 12/24 words on it, they will have everything that's required to recover the coins. Assuming you didn't use a passphrase or a multisig setup. On the other hand, if they find a string like the one you shared in your OP, they might have no idea how to proceed with decoding it. And you might forget it with age as well.   

You are familiar with the method, are your heirs?

You slip, fall, and hit your head on cement while clearing snow from your yard. You end up in a coma or worse. What do the chances for recovery look like now? A drunk driver hits you with his car on your way home from the general store, etc.   

OK, fair question. But how are you going to explain to a thief what the encoded string is if he finds it in a safe or tucked away somewhere neatly in your home? Are you going to tell him it's a poem?  You keep a poem on a piece of paper in a safe or in your wall? A couple of broken fingers or threats to your family might motivate you to tell him what it really is. If you want your family to depend on their memory, why not make them remember a passphrase only. Write down and hide the recovery phrase normally. Put a little bit of money on it. Store the rest behind a passphrase and have your family memorize that passphrase. If an intruder finds the seed, and understands what it is, he can't know you have more coins stored behind a passphrase. He will just steal the seed and you and your family will live. 

Are you a native Spanish speaker, or you have utilized some online tool like google translate to present your seed words in Spanish? If the latter, your encryption method that encrypts nothing has already been broken, and your funds have been stolen. Different translation tools, dictionaries, and vocabularies will likely translate words a bit differently, which means you will have a hard time decrypting your seed back if you, for some reason, forget what tool you have used. What if you remember what you used, but a translation algorithm has changed, or Spanish people changed the meaning of a certain word? Assume you translated, all words are in the BIP39 wordlist, but checksum doesn't match? Good luck brute-forcing your seed. You will likely compromise your seed again upon this process of brute-forcing.

You are overcomplicating things which are already complicated, and I fully agree with Neurotic Fish.

Technically, your funds are not more secure now then before, and they are less secure because you are more likely to lose them.

12-24 words method is secure enough. If you can't hide it from a thief inside your house, you should think about that and not about a complicated method which you can remember "easily".


The problem here is that your family member probably won't remember it, or even care about this whole music coded stuff.
As it is very unlikely that you will accidentally die, you are asking for something very complicated for a family member that will most likely never do it (so he also won't put all effort you are demanding him in his "traning" to recover your funds)

This Family member will probably have to write down that music, your code, and the seed, all in the same piece of paper. That seed of paper is now bigger than before, and it is harder to hide from a thief.

Also, let's suppose you ask for your father/mother to recovery your funds in case you die. They are probably old now and will be much older in 10 years. Will they have a good memory to remember all your crazy code? It is already hard for an old family member to download electrum and insert a seed...

---

Having a family member to secure your funds is very important. Unless you are someone who is 100% alone in your life, most of us should share our seed with family members. All of us can die at anytime, and our sons/daugthers (or other important family member) might need those BTC.

Alright, no interest whatsoever.

Neurotic Fish: I think your concerns are unfounded, but I do appreciate them. Seriously.   

Now, as promised, here's the explanation. And I will, while we're at it, explain the method to my madness.

The risk of me (or anybody) forgetting the method used to secure the seed is exactly the same as the risk of forgetting where you hid the seed phrase to begin with. The idea is to use a method you're very familiar with, so, short of having a stroke (I already had one, so it'd be my second. And I'm actively working not to repeat the experience) or any other health issue that would cause such memory loss, it'd be very difficult for that to happen. To achieve that, and after thinking long and hard about the whole problem, I decided to:

1. Use simple methods I've been using for a very long time.
2. Use language to my advantage.
3. Use a phrase I've known since I was a kid.

The phrase I posted above is the result of combining those methods:

I have used a childish method (writing the words backwards), together with translating each words into my native language (Spanish), and finally inserting said words into the first verse of what is arguably the absolute best known Argentinian classic of all times: "Martín Fierro", by José Hernández. I have known that book (and its first verse by memory) since I was 9 (and I'm turning 57 today, so it's been a long time), so the chances of me forgetting it are... well... nil.

From the get go, it has been surprising to me that, in a world that's all about security, the seed words are not only always left unsecured, but they're also created to be insecure from the very beginning.

For example:

• All seed words are in English, therefore denying users the chance of using another language, and at the same time greatly limiting the available words, for the benefit of the thief.
• Seed words are not capitalized, ever, which gives thieves some extra help.
• Most wallets (as far as I know) have 12 seed words. Some have 24. Did anybody think about making them 17? Or maybe "any number between 10 and 30"? With all wallets having 12 words, the thief knows to look for a 12 word set. One might think that shouldn't be that hard, right?

And then come the excuses.

"What if you forget or die, and your family can't access the funds?" Well, that could be easily solved by making your family memorize the securing method from the beginning, wouldn't it?
Meanwhile, what happens if a thief gets ahold of your unprotected seed words, and drains your funds? Then your family won't be able to access said funds regardless.
What do you think would be easier, for a thief to get his hands on a seed phrase, written plain as day, and take advantage of it, or for you and your family to get strokes, or somehow all to forget how you secured your seeds?

"But what if you do forget anyway?" Again, what would be easier, to write a guide on how to "remember" your securing method and keep it elsewhere, or to hide your plain seeds in a bunch of different houses, find a bunch of people you can absolutely trust with them, and who won't get curious at all about you poking holes on their walls and then covering them and painting them over? Does that really sound like a feasible way to do it?

In any case, I started the thread just to proof my initial idea. It's not meant to be an imposition to anybody: you can use it if you feel it may help. That said, like with anything else, and as I've said before many times, security is the enemy of convenience, and if you use this or any other method to secure your seed phrase you should be aware of the risks and act accordingly.

So the initial words are: truck house truth palms entry fleas shame table sound puppy token drink

I initially translated each word to Spanish, ending up with camion casa verdad palmeras entrada pulgas verguenza mesa sonido cachorro ficha bebida

Then, I wrote them backwards:
 
noimac asac dadrev saremlap adartne saglup azneugrev asem odinos orrohcac ahcif adibeb

And finally, I inserted, letter by letter, into this verse:

"Aqui me pongo a cantar               "Here I get to sing
al compas de la viguela,                 to the guitar's rhythm,
que al hombre que lo desvela         that a man that's kept awake
una pena estraordinaria,                by an extraordinary pain,
como el ave solitaria,                     like a lonely bird,
con el cantar se consuela."             comforts himself by singing."

And the result was posted above.
So, like I said, that's the result of combining an "encryption method" I  used when I was a kid with my own native language and a verse from a book I loved since I first got my hands on it.

It's not encrypted. There's no hash to forget.
No hardware is needed.

This is not meant for anybody to copy it. Adapt it you your circumstances if you want to use it, and come up with your own method. Or don't use anything at all, it's up to you. The idea is to provide you a tool to be safer, not to impose anything on anybody. [/list]

That's a different animal. Security is the enemy of convenience, we all know that.


Thank you, I just did. there's  no spaces whatsoever in the whole string.