Pages:
Author

Topic: How long to crack 24 word phrase if you know all 24 words out of order? (Read 1190 times)

hero member
Activity: 714
Merit: 1010
Crypto Swap Exchange
...

You first have to work through at worst all 24! (equals 620,448,401,733,239,439,360,000) possibilities to arrange the 24 words to decide if your tried arrangements yield a valid checksum. If yes, you can go through the address derivation process to compare if your known address is among a certain derivation path or range of it.

Going through the whole process to derive addresses based on common derivation paths is computationally expensive because you have to go through a 2048 rounds of PBKDF2 to get to the master private key from which you go further on.

But to perform statistically at least half of 620,448,401,733,239,439,360,000 arrangements and computing SHA-256 alone to only validate a correct checksum doesn't look achievable within centuries or more (I'll leave it to your own calculation to estimate a needed timeframe, not to speak of needed amount of energy to perform such a brute-force attack). Doable for half the words, unfeasible for 24 words of unknown arrangement.
newbie
Activity: 4
Merit: 0
How about if I have the wallet address?

Also, if we account that we can use the checksum hack to further reduce the keyspace by 256?

We would have !24 possibilities \ 256 **minus any improvement gained from having the wallet?

Just brainstorming.
legendary
Activity: 2268
Merit: 18771
We have a custom script for 12 word seed which can crack any combination in 30 days using GPUs
Your script is very slow, if that's the case. My computer at home can descramble 12 words in around an hour using btcrecover.

You would also need to know the address
Or just use an address database to check for any funded address.
member
Activity: 378
Merit: 53
Telegram @keychainX
I am curious to know the actual difficulty/cost/time involved to put a 24 word seed phrase in the correct order if you have the 24 words but not the correct order? I can see that there are 24^24 number of combinations but what does that translate into difficulty/time/cost?

Not possible today.

We have a custom script for 12 word seed which can crack any combination in 30 days using GPUs

13 words would take 2-3 years, 14 words 100+ years.

So 24 words out of question today

You would also need to know the address

/KX
newbie
Activity: 5
Merit: 5


I wonder what you expect to achieve. It's your decission based on a wrong moral compass to continue to waste energy and your time.


maybe... maybe no...
the pc fan does not even go fast

i'm about to 200.000.000 unique, keep going...

EDIT
Cricktor and o_e_l_e_o you are absolutly right, but i read it about in a different way

what i mean.... it is RANDOM, i can never ever find a right wallet in 20 years like i can find some good wallets in some weeks


EDIT2
after 500.000.000 unique 24 words ( and also 400.000.000 unique 12 words) addresses tested i found a very very good one!!!

hero member
Activity: 714
Merit: 1010
Crypto Swap Exchange


I wonder what you expect to achieve. It's your decission based on a wrong moral compass to continue to waste energy and your time.

The beauty of unimaginably large numbers, math in general and cryptography in particular is that it's highly highly unlikely that you will succeed to steal others coins. But keep on doing and the time and effort you waste will probably keep you from doing other stupid things.
legendary
Activity: 2268
Merit: 18771
maybe i will find something...
A large electricity bill? Some burnt out hardware? Cheesy

Given somewhere around 50,000,000 addresses which have ever been used, checking 93,000,000 million in a week means you'll only have to keep going for another trillion trillion trillion trillion years to have a 0.000000000002% of stumbling across one of those addresses! Let's hope that address isn't one of the empty ones!
newbie
Activity: 5
Merit: 5
i generated 93.000.000 unique 24 words addresses on those days, and keep going....
maybe i will find something...
legendary
Activity: 2268
Merit: 18771
Your password for this forum could be even a bit smaller, BUT i don't even know if you are using Uppercase or Numbers or Special, if you are using "real" words or as this case you are using random all togheter

A "secret phrase" is made by Words, and I (we) know the words, and I (we) know there are NO numbers, NO special characters, NO uppercase...
So, I very deliberately chose a password with 20 random characters drawn from uppercase, lowercase, numbers, and symbols, for my example.

There are 95 printable ASCII characters. 20 such characters gives 2095 combinations, which is 3.58*1039. This is the smallest number of characters needed to produce a password at least as strong as a 12 word seed phrase, which has 2128 combinations, which is 3.40*1038.

So even if you don't know if my password is using real words, or dates, or patterns, or numbers, or symbols, or upper or lower case, or whatever, and you have to brute force every possible combination, that password is still roughly as secure as a 12 word seed phrase, even when you know the full word list.
newbie
Activity: 5
Merit: 5
It's the same as anything else. My password for this forum might be Y}tz3Wd[^DkxY\2>5p$6. While it is theoretically possible someone could guess that on the first guess, in reality no one would ever be able to brute force that password.

Even if i think (and i know) that You are a Master, here, and you know the subject a lot better than me, i don't think it is really "the same".

Your password for this forum could be even a bit smaller, BUT i don't even know if you are using Uppercase or Numbers or Special, if you are using "real" words or as this case you are using random all togheter

A "secret phrase" is made by Words, and I (we) know the words, and I (we) know there are NO numbers, NO special characters, NO uppercase...
Yes, obviously is very hard to find but i think it is a good way to start the search.

Last thing... i don't think there are "money" inside your password, to push me a bruteforce that  Cheesy
legendary
Activity: 2268
Merit: 18771
however to brute force we would still need to go for the full 2^264 route since we cannot know if a phrase would result in a valid checksum, correct?
You would still have to calculate the checksum for all 2264 combinations, which simply involves a single SHA256. After checking the checksum you will be able to immediately exclude 255 out of every 256 seed phrases (on average).

For the one seed phrase which does pass the checksum, you must then perform 2048 rounds of HMAC-SHA512 to calculate the root seed number, then various more rounds of HMAC-SHA512 alongside elliptic curve multiplications and additions to work down the derivation path, then three SHA256s, one RIPEMD160, and a Base58 conversion to turn that final public key in to an address to check to see if it matches the one you are looking for.

This is obviously far more resource intensive and time consuming that performing a single SHA256 in order to calculate the checksum.
legendary
Activity: 2380
Merit: 5213
Your explanation for why it's actually 2^256 is quite clear - however to brute force we would still need to go for the full 2^264 route since we cannot know if a phrase would result in a valid checksum, correct?
It's true that you will need to check all the 2^264 combinations to see if they pass the checksum, but take note that you won't need to generate address from all those combinations.
You will need to generate address from 2^256 combinations.

Generating address from the seed phrase is much more expensive than just checking the checksum.
legendary
Activity: 2114
Merit: 1403
Disobey.
That's 2,96^79 combinations, a number 79 digits long!
The number you are looking for there is 2.96*1079, rather than 2.9679.

That number is not quite right, however. It is the same number as 204824 or 2264. However, not all 24 word combinations are valid seed phrases due to the checksum. With the checksum being 8 bits long, it means only one out of every 256 seed phrases on average is valid. This means the total number of valid 24 word seed phrases is 2256, which is 1.16*1077.
Ah yes, rookie mistake, of course it's 2.96 x 10^79. Thanks for the correction!
Your explanation for why it's actually 2^256 is quite clear - however to brute force we would still need to go for the full 2^264 route since we cannot know if a phrase would result in a valid checksum, correct? Or are there any ways to determine in advance which combinations to avoid checking at all?
legendary
Activity: 2268
Merit: 18771
That's 2,96^79 combinations, a number 79 digits long!
The number you are looking for there is 2.96*1079, rather than 2.9679.

That number is not quite right, however. It is the same number as 204824 or 2264. However, not all 24 word combinations are valid seed phrases due to the checksum. With the checksum being 8 bits long, it means only one out of every 256 seed phrases on average is valid. This means the total number of valid 24 word seed phrases is 2256, which is 1.16*1077.

So my thoughts were right.  Wink
It's the same as anything else. My password for this forum might be Y}tz3Wd[^DkxY\2>5p$6. While it is theoretically possible someone could guess that on the first guess, in reality no one would ever be able to brute force that password.
newbie
Activity: 5
Merit: 5
Thanks to: Pmalek, ranochigo, o_e_l_e_o  and FatFork

So my thoughts were right.  Wink
legendary
Activity: 2114
Merit: 1403
Disobey.
That's crazy and tbh "intuitively" I wouldn't have thought it's not possible if you have access to some strong (cloud/super) computing system.
What I really like about this question: it goes to show how INSANELY ASTRONOMICALLY impossible it is, to brute force a 24 word seedphrase if no word is known. If I am not mistaken, we have a wordlist of 2048 words? - That's 2,96^79 combinations, a number 79 digits long!
(nothing new, I know, but still, was fun to remember this)
legendary
Activity: 1820
Merit: 2700
Crypto Swap Exchange
and my script generate that exact sequence as the 4th result, is it not the same ??
have i found it in some seconds?

Yes, it is possible for your script to find a valid sequence in just a few seconds, but what are the chances of that happening?
legendary
Activity: 2268
Merit: 18771
when you say "For 18 words, 1500 years", you mean to just generate ALL possible combinations, right??
Based on the benchmark provided by btcrecover, that would be to exhaust 50% of the search space, which is the average amount of the space you would need to search to reach the desired combination.

and my script generate that exact sequence as the 4th result, is it not the same ??
have i found it in some seconds?
Yes. But it is equally likely that you find it in the 4th result or that you find it in the 4th last result after searching 99.9999....% of combinations.

and what about the "last" word, you call CHECKSUM, in my case "cat17".
it is not just a word "cat17" ??
That word encodes 11 bits of data. Of those bits of data, some of them represent a checksum. For a 12 word seed phrase, 4 bits are a checksum. For a 24 word seed phrase, it is 8 bits.

On average, to crack a key, you should assume that you need to exhaust the search space. If you average out every cracking attempt, then you will find that you should only find them when you're nearing the end of the search space and it should follow an exponential distribution.
That's not right, On average you need to exhaust half the search space. There is a 50% chance you find it in the first half, and a 50% chance you find it in the second half.
legendary
Activity: 3038
Merit: 4418
Crypto Swap Exchange
Sorry to take back an old post, but i'm really curious about that thing.

when you say "For 18 words, 1500 years", you mean to just generate ALL possible combinations, right??

if my secret/mnemonic phrase is:

"cat15 cat2 cat3 cat4 cat5 cat6 cat18 cat8 cat9 cat10 cat11 cat12 cat1 cat14 cat7 cat13 cat16 cat17"

and my script generate that exact sequence as the 4th result, is it not the same ??
have i found it in some seconds?
On average, to crack a key, you should assume that you need to exhaust the search space. If you average out every cracking attempt, then you will find that you should only find them when you're nearing the end of the search space and it should follow an exponential distribution. Hence, it is exceeding rare for you to find the actual key within 4 seconds.
and what about the "last" word, you call CHECKSUM, in my case "cat17".
it is not just a word "cat17" ??
It is a word. But that word has to be selected such that it has a relation to the rest of the words. Hence, if you were to swap cat15 and cat2, any software would recognize it as being invalid.
legendary
Activity: 2730
Merit: 7065
when you say "For 18 words, 1500 years", you mean to just generate ALL possible combinations, right??

if my secret/mnemonic phrase is:

"cat15 cat2 cat3 cat4 cat5 cat6 cat18 cat8 cat9 cat10 cat11 cat12 cat1 cat14 cat7 cat13 cat16 cat17"

and my script generate that exact sequence as the 4th result, is it not the same ??
have i found it in some seconds?
Yes, in theory you could find the right combination with the first attempt as soon as you begin brute forcing the seed phrase. But the chances of you doing that are so small that it's not worth trying. It could also take thousands of years. Knowing all words (but not the order) significantly makes the task easier.

I am not a mathematician, so someone who knows will drop by to mention how much easier. Not knowing any of your words is an impossible brute forcing task though. But if you are only missing the order and have powerful machines, I think it's double within a few years of brute forcing. This is just my amateurish guess.
Pages:
Jump to: