How long to crack 24 word phrase if you know all 24 words out of order? - page 2.

doomguy

newbie

Activity: 5

Merit: 5

Quote from: o_e_l_e_o on December 20, 2021, 05:36:10 PM

Quote from: bitmover on December 20, 2021, 12:38:40 PM

However, if you know the location of some of those words it would be easier (maybe possible) to brute force it. Because the difficulty increases exponentially

With good hardware, btcrecover will descramble a 12 word BIP39 seed phrase in an hour: https://btcrecover.readthedocs.io/en/latest/Usage_Examples/2020-05-02_Descrambling_a_12_word_seed/Example_Descrambling_a_12_word_seed/. Although not exactly the same due to the checksum, lets assume that if you know 12 out of the 24 words then you could descramble the remaining 12 words in roughly the same amount of time.

If you don't know the position of 13 words instead of 12, then there are 13x as many combinations to try, so that would take roughly 13 hours.
For 14 words, 7 days.
For 15 words, 16 weeks.
For 16 words, 5 years.
For 17 words, 85 years.
For 18 words, 1500 years.

No point calculating beyond that really. Tongue

Sorry to take back an old post, but i'm really curious about that thing.

when you say "For 18 words, 1500 years", you mean to just generate ALL possible combinations, right??

if my secret/mnemonic phrase is:

"cat15 cat2 cat3 cat4 cat5 cat6 cat18 cat8 cat9 cat10 cat11 cat12 cat1 cat14 cat7 cat13 cat16 cat17"

and my script generate that exact sequence as the 4th result, is it not the same ??
have i found it in some seconds?

and what about the "last" word, you call CHECKSUM, in my case "cat17".
it is not just a word "cat17" ??

o_e_l_e_o

legendary

Activity: 2268

Merit: 18503

Quote from: goldkingcoiner on August 20, 2022, 08:51:57 AM

Not with quantum computers. I assume we won't need to wait 1500 years for the next generation computer to be developed.

Quantum computers are not a magical bullet that can instantly solve any problem. They provide an exponential speed up to attempts to solve the ECDLP, and this is the main way they would be used to attack bitcoin. They provide a much smaller speed up to any hash functions, which is the limiting step in attempting to unscramble a seed phrase, since you must use a SHA256 to calculate the checksum, followed by 2048 rounds of SHA512 to generate the seed number, followed by several more rounds of SHA512 to work down the derivation path and generate the necessary addresses to check for funds. They will be able to speed the process up, sure, but they are unlikely to make unscrambling 18 words any less unfeasible for the average person.

Quote from: goldkingcoiner on August 20, 2022, 08:51:57 AM

Its just a simple matter of adding more words.

The security of your wallet should never depend on there being enough words in your seed phrase so that an adversary with access to all the words cannot unscramble them, but rather on an adversary never having access to your seed phrase in the first place. I would never scramble the words in a seed phrase to begin with, for the exact reasons highlighted above - if you mess up then wave goodbye to all your coins.

goldkingcoiner

legendary

Activity: 2016

Merit: 1599

Verified Bitcoin Hodler

Quote from: o_e_l_e_o on December 20, 2021, 05:36:10 PM

Quote from: bitmover on December 20, 2021, 12:38:40 PM

However, if you know the location of some of those words it would be easier (maybe possible) to brute force it. Because the difficulty increases exponentially

With good hardware, btcrecover will descramble a 12 word BIP39 seed phrase in an hour: https://btcrecover.readthedocs.io/en/latest/Usage_Examples/2020-05-02_Descrambling_a_12_word_seed/Example_Descrambling_a_12_word_seed/. Although not exactly the same due to the checksum, lets assume that if you know 12 out of the 24 words then you could descramble the remaining 12 words in roughly the same amount of time.

If you don't know the position of 13 words instead of 12, then there are 13x as many combinations to try, so that would take roughly 13 hours.
For 14 words, 7 days.
For 15 words, 16 weeks.
For 16 words, 5 years.
For 17 words, 85 years.
For 18 words, 1500 years.

No point calculating beyond that really. Tongue

Not with quantum computers. I assume we won't need to wait 1500 years for the next generation computer to be developed.

Still, at current present technology levels we do not even need to talk about whether or not its possible to crack it because theoretically it is possible but its just technically impossible. Which to humans is almost exactly the same as literally impossible.

Also it bears reminding that by the time we have quantum computers powerful enough to do the entire cracking in minutes or hours or even days, at that point in the future we will have already upgraded the security where even quantum computers cannot crack it.

Its just a simple matter of adding more words.

Pmalek

legendary

Activity: 2730

Merit: 7065

Farewell, Leo. You will be missed!

Quote from: alwaysmyn on August 17, 2022, 12:30:09 PM

You did all those things and yet you managed to create a setup that is much less secure than taking a pen and a piece of paper and writing down 24 words nicely and in correct order. Was it worth it?

It's better to use simple and offline storage options and methods that have been working flawlessly for years. You now rely on several centralized services that have to stay online and operational until it's time for you or a successor to recover those coins.

o_e_l_e_o

legendary

Activity: 2268

Merit: 18503

Quote from: Fivestar4everMVP on August 18, 2022, 04:30:49 PM

maybe I personally would have to try this with a new wallet as an experiment for myself.

Feel free, but you won't get very far. Tongue

You can figure out why just by looking at the math without having to run any simulations yourself. You have 24 scrambled words. For the 1st word, you can pick any of the 24. For the second word, there are 23 words left to pick from. For the third word, there are 22 words left to pick from. For the fourth word, 21 words left. And so on. 24*23*22*21*......*3*2*1. Also known as 24!. This gives you the following number:

Code:

620,448,401,733,239,439,360,000

How many possibilities can your computer try in a second? A few million? Let's say a billion to be generous? The number above divided by a billion a second, 60 seconds in a minute, 60 minutes in an hour, 24 hours in a day, 365 days in a year, comes out to just short of 20 million years.

Fivestar4everMVP

legendary

Activity: 2226

Merit: 1049

Leading Crypto Sports Betting & Casino Platform

When I first read the question op asked, I was just about to comment and say that it should take maybe 24 hours at most, but reading the comments really made me amazed, I am still finding it difficult to believe that it is actually impossible to get a correct order of 24 word seed phrase wrongly arranged, maybe I personally would have to try this with a new wallet as an experiment for myself.

Quote from: alwaysmyn on August 17, 2022, 12:30:09 PM

Anyone wants to tell me what's the risk?

What If your email gets hacked?
What if for some reason, you lost access to your email?
What if opensea goes down in the future?
Or maybe gets hacked?
It is not my prayer for you, but what If sudden death happens, how will your family have access to your scrambled 24 word seed phrase, how will they know how to unscramble it so they can gain access to the funds.?
How will they know theres an NFT you kept on opensea that holds the key to your funds?
(except you are going to show them this things).

Cricktor

hero member

Activity: 714

Merit: 1010

Crypto Swap Exchange

Quote from: alwaysmyn on August 17, 2022, 12:30:09 PM

...

As o_e_l_e_o points out, I stopped counting single points of failure, you rely on too many parts that you have no control of. Despite that, have you actually verified that you can recreate your mnemonic words properly?

Keep it simple and you less likely shoot yourself into your foot. There's so much that could go wrong in your scheme...

o_e_l_e_o

legendary

Activity: 2268

Merit: 18503

Quote from: alwaysmyn on August 17, 2022, 12:30:09 PM

Anyone wants to tell me what's the risk?

Your email provider going defunct, blocking your account, deleting your data, suffering a server failure, suffering malware, or any other reason which could result in loss of your scrambled seed phrase back up.
Forgetting your additional word if it isn't also backed up.
Not remembering your method, how to find your code, how to interpret your code, etc.
Making a mistake in how you set up your code, so even if you find it you cannot unscramble your seed phrase.
Someone who has hacked your email figuring out your scheme and stealing your coins.
OpenSea is centralized. If OpenSea goes down (as it has in the past) then do you know how to extract the necessary information from the blockchain to access your code?

alwaysmyn

jr. member

Activity: 30

Merit: 3

I also scrambled my 24 seedphrase and added 1 word to make it more difficult saved it on my emails and other places less secured. I am confident that no one will be able to guess it including me. And that's the reason why I wrote down the sequence like a code and made it into an NFT so it have a record in blockchain and will never be lost. So when the time comes that I want to access my assets, I will just search for my NFT in opensea (contains the code) and then run through my email for my scrambled seed phrase then I'm good to go. Anyone wants to tell me what's the risk?

pooya87

legendary

Activity: 3402

Merit: 10424

Quote from: o_e_l_e_o on February 06, 2022, 05:57:30 AM

So when you use this, what are you encrypting? The actual words of the seed phrase, or the binary representation?

The binary, just like BIP38. In fact that is why I used that example above. If I do anything else the length could be arbitrary and encoding becomes slightly more complicated.

Quote

I would argue that manually converting an encrypted seed phrase in to another set of BIP39 words is overly complicated for the majority of users. Some may well try to do it manually which creates the risk for error, and using a BIP39 tool could have unpredictable results as it tries to "fix" the incorrect checksum at the end or truncates some of the data you enter.

It would be better if there was a standardized way of doing this similar to BIP38. In the meantime I prefer to use methods which are standardized, such as multi-sig or passphrases.

No arguments there. My method requires some knowledge of programming since there isn't any implementations of it as far as I know but it is pretty simple to do.
I really hope someone comes up with a BIP38 like proposal for mnemonics to standardize it (at least to some extent).

o_e_l_e_o

legendary

Activity: 2268

Merit: 18503

So when you use this, what are you encrypting? The actual words of the seed phrase, or the binary representation?

I would argue that manually converting an encrypted seed phrase in to another set of BIP39 words is overly complicated for the majority of users. Some may well try to do it manually which creates the risk for error, and using a BIP39 tool could have unpredictable results as it tries to "fix" the incorrect checksum at the end or truncates some of the data you enter.

It would be better if there was a standardized way of doing this similar to BIP38. In the meantime I prefer to use methods which are standardized, such as multi-sig or passphrases.

pooya87

legendary

Activity: 3402

Merit: 10424

Quote from: o_e_l_e_o on February 05, 2022, 08:18:20 AM

The reason I don't like this is that it removes one of the main benefits of a seed phrase, which is that it is human readable, easy to write down accurately, easy to check for mistakes, and easy to error correct should you have a few smudged characters or a lost word or two. You lose all this if encrypt it, and should probably be using a printer to print it out rather than hand write it which adds another layer of risk.

No, you don't lose it. When you encrypt a 128-bit entropy for example, you end up with 128-bit encrypted data if you don't use IV. You can easily convert that to a human readable format, like with already available algorithm such as BIP39.
As an example you can check out BIP38 where we encrypt the 256-bit private key and get 256-bit result which we encode using base58. Just replace the last step with BIP39. You can even use a BIP39 library/tool that takes entropy.

DaveF

legendary

Activity: 3458

Merit: 6231

Crypto Swap Exchange

Quote from: o_e_l_e_o on February 05, 2022, 08:18:20 AM

... and should probably be using a printer to print it out rather than hand write it which adds another layer of risk....

And use GOOD waterproof paper stored properly.
https://bitcointalksearch.org/topic/--5296179
Using cheap paper, and putting it in a location that can be subject to "stuff" can lead to loss of funds decades down the road.

If you are doing 'short term' cold storage it's one thing.
Planning to give to the grandkids, when you don't have your own kids yet is another.

Just something to think about.

-Dave

o_e_l_e_o

legendary

Activity: 2268

Merit: 18503

Quote from: pooya87 on February 01, 2022, 12:12:53 AM

My favorite is always to encrypt the data (plain text mnemonic) using AES256 which is a very strong encryption algorithm

The reason I don't like this is that it removes one of the main benefits of a seed phrase, which is that it is human readable, easy to write down accurately, easy to check for mistakes, and easy to error correct should you have a few smudged characters or a lost word or two. You lose all this if encrypt it, and should probably be using a printer to print it out rather than hand write it which adds another layer of risk.

I'm not saying don't use encryption, but the reasons I've given above are why I prefer to add an additional passphrase or use a multi-sig set up rather than encrypting my seed phrase. Passphrases have the added benefit of plausible deniability, while multi-sig has the added benefit of not needing to use a single device (and therefore a single point of failure) to recover the wallet.

pooya87

legendary

Activity: 3402

Merit: 10424

Quote from: DaveF on January 31, 2022, 01:17:25 PM

I vaguely remember someone trying to put together a list of books that have all the seed words in them. So in theory you could keep a copy on a shelf with other books and it does not look out of place.
All you would need at that point was a way to distinguish which was #1 and #2 and so on. But this goes back YEARS and people were pointing out ways it could go wrong.

Reinventing the wheel in cryptography is never a good idea for non experts, instead everyone should stick to the already available options. My favorite is always to encrypt the data (plain text mnemonic) using AES256 which is a very strong encryption algorithm, or at the very least the extension word of BIP39 could be used.

DaveF

legendary

Activity: 3458

Merit: 6231

Crypto Swap Exchange

I vaguely remember someone trying to put together a list of books that have all the seed words in them. So in theory you could keep a copy on a shelf with other books and it does not look out of place.
All you would need at that point was a way to distinguish which was #1 and #2 and so on. But this goes back YEARS and people were pointing out ways it could go wrong.

IIRC other then a dictionary they could not find one. I never really followed it as it seemed pointless and convoluted. Have to see if I can dig it up.

As @o_e_l_e_o said, stick with what works. Even if you do want to think a bit outside the box when doing it. https://bitcointalksearch.org/topic/n0nces-steel-washer-backup-jig-customisable-5363596

-Dave

o_e_l_e_o

legendary

Activity: 2268

Merit: 18503

Quote from: Kakmakr on January 31, 2022, 11:35:57 AM

Now, I can re-design my strategy to "hide" my seed words in plain sight.

Are you sure? We've just discussed above that 24 scrambled words essentially means your coins are lost forever. Are you sure you want to go scrambling your words? Are you sure you (or your family) will be able to successfully unscramble them?

We have seen countless examples on this forum of people who have come up with their own custom back up methods, including scrambled words, split up words, home made ciphers, etc. and permanently lost access to their coins because they can't remember what they did or how to reverse it. I always caution against any such home-made scheme. As I said in my previous post in this thread, far better to choose an established standard such as multi-sig or encryption.

Kakmakr

legendary

Activity: 3388

Merit: 1943

Leading Crypto Sports Betting & Casino Platform

OP, Thanks man... this discussion has blown my mind, because I would have thought it would be much easier, if you know the 24 words. Now, I can re-design my strategy to "hide" my seed words in plain sight. (I have a method to store it in plain sight, but with a template to decipher it)

I do this, so that my family would be able to get to my bitcoins when I am gone. They know the answers to my questions and they have the template, so I can make it easier for them now. Wink

19 million years.... Who would have guessed that. Shocked

pooya87

legendary

Activity: 3402

Merit: 10424

Quote from: PawGo on December 21, 2021, 04:09:01 AM

That's why I am not a big fan of providing exact data and saying "I will take 7 days". It will take 7 days on one specific computer, while on other it would take 6 days or 8 days.

In the context of "whether jumbled n-word seed is safe" you are correct but generally speaking stats like this are very useful but as long as they are reported with full details that includes the word count, derivation path, extra word (passphrase) length, and finally the hardware specs.
That way if you are trying to recover a similar case you could have some idea about how long it could take. Which is why I added the specs used in calculation above.

o_e_l_e_o

legendary

Activity: 2268

Merit: 18503

Quote from: suchmoon on December 20, 2021, 05:47:59 PM

At any rate, I wouldn't advise scrambling the words as a safety measure, tempting as it may be due to the above. The focus should be on keeping the seed physically secure and easy for the owner to recover.

Yeah, this. If you cannot be sure that the safe location you have chosen to secure your seed phrase will remain safe, then your options are either to find a new location, or use one of the standard procedures for adding additional security to your wallet, such as:

Use a multi-sig which requires compromising multiple seed phrases to steal your coins
Add one or more additional passphrases to access the majority of your coins
Encrypt your seed phrase

In all scenarios, the additional information you need (other seed phrases, passphrases, decryption key) should also be backed up on paper and stored in one or more separate safe locations. Whenever people try to roll their own security by scrambling words, applying some sort of home made cipher, etc., it commonly leads to them forgetting what they've done and losing access to their coins.

Quote from: PawGo on December 21, 2021, 04:09:01 AM

The point it to understand how difficulty (time estimation) changes when we change length of seed - they say size does not matter, but we clearly see the longer the better Grin

Well, I wouldn't necessarily agree with that conclusion. There is no good reason to scramble your seed phrase, and I would go as far as saying that you shouldn't be storing in a way which means scrambling is even a possibility. You shouldn't be aiming for a longer seed phrase because it is more difficult to unscramble - you should be focusing on keeping your seed phrase safe.

Topic: How long to crack 24 word phrase if you know all 24 words out of order? - page 2. (Read 1041 times)