
Topic: How long to crack 24 word phrase if you know all 24 words out of order? (Read 1028 times)

hero member
Activity: 714
Merit: 1010
Crypto Swap Exchange
...

You first have to work through at worst all 24! (equals 620,448,401,733,239,439,360,000) possibilities to arrange the 24 words to decide if your tried arrangements yield a valid checksum. If yes, you can go through the address derivation process to compare if your known address is among a certain derivation path or range of it.

Going through the whole process to derive addresses based on common derivation paths is computationally expensive because you have to go through 2048 rounds of PBKDF2 to get to the master private key from which you go further on.

But to perform statistically at least half of 620,448,401,733,239,439,360,000 arrangements and computing SHA-256 alone to only validate a correct checksum doesn't look achievable within centuries or more (I'll leave it to your own calculation to estimate a needed timeframe, not to speak of needed amount of energy to perform such a brute-force attack). Doable for half the words, unfeasible for 24 words of unknown arrangement.
newbie
Activity: 0
Merit: 0
How about if I have the wallet address?

Also, if we account that we can use the checksum hack to further reduce the keyspace by 256?

We would have 24! possibilities / 256, minus any improvement gained from having the wallet?

Just brainstorming.
legendary
Activity: 2268
Merit: 18503
We have a custom script for 12 word seed which can crack any combination in 30 days using GPUs
Your script is very slow, if that's the case. My computer at home can descramble 12 words in around an hour using btcrecover.

You would also need to know the address
Or just use an address database to check for any funded address.
member
Activity: 372
Merit: 53
Telegram @keychainX
I am curious to know the actual difficulty/cost/time involved to put a 24 word seed phrase in the correct order if you have the 24 words but not the correct order? I can see that there are 24^24 number of combinations but what does that translate into difficulty/time/cost?

Not possible today.

We have a custom script for 12 word seed which can crack any combination in 30 days using GPUs

13 words would take 2-3 years, 14 words 100+ years.

So 24 words are out of the question today

You would also need to know the address

/KX
newbie
Activity: 5
Merit: 5


I wonder what you expect to achieve. It's your decision based on a wrong moral compass to continue to waste energy and your time.


maybe... maybe no...
the pc fan does not even go fast

I'm at about 200,000,000 unique, keep going...

EDIT
Cricktor and o_e_l_e_o, you are absolutely right, but I read it in a different way

What I mean.... it is RANDOM, I can never ever find the right wallet in 20 years, like I can find some good wallets in some weeks


EDIT2
after 500,000,000 unique 24-word (and also 400,000,000 unique 12-word) addresses tested I found a very very good one!!!

hero member
Activity: 714
Merit: 1010
Crypto Swap Exchange


I wonder what you expect to achieve. It's your decision based on a wrong moral compass to continue to waste energy and your time.

The beauty of unimaginably large numbers, math in general and cryptography in particular is that it's highly highly unlikely that you will succeed to steal others coins. But keep on doing and the time and effort you waste will probably keep you from doing other stupid things.
legendary
Activity: 2268
Merit: 18503
maybe i will find something...
A large electricity bill? Some burnt-out hardware?

Given somewhere around 50,000,000 addresses which have ever been used, checking 93,000,000 in a week means you'll only have to keep going for another trillion trillion trillion trillion years to have a 0.000000000002% chance of stumbling across one of those addresses! Let's hope that address isn't one of the empty ones!
newbie
Activity: 5
Merit: 5
I generated 93,000,000 unique 24-word addresses in those days, and keep going....
maybe i will find something...
legendary
Activity: 2268
Merit: 18503
Your password for this forum could be even a bit smaller, BUT I don't even know if you are using uppercase or numbers or special characters, if you are using "real" words or, as in this case, you are using random all together

A "secret phrase" is made of words, and I (we) know the words, and I (we) know there are NO numbers, NO special characters, NO uppercase...
So, I very deliberately chose a password with 20 random characters drawn from uppercase, lowercase, numbers, and symbols, for my example.

There are 95 printable ASCII characters. 20 such characters gives 95^20 combinations, which is 3.58*10^39. This is the smallest number of characters needed to produce a password at least as strong as a 12 word seed phrase, which has 2^128 combinations, which is 3.40*10^38.

So even if you don't know if my password is using real words, or dates, or patterns, or numbers, or symbols, or upper or lower case, or whatever, and you have to brute force every possible combination, that password is still roughly as secure as a 12 word seed phrase, even when you know the full word list.
newbie
Activity: 5
Merit: 5
It's the same as anything else. My password for this forum might be Y}tz3Wd[^DkxY\2>5p$6. While it is theoretically possible someone could guess that on the first guess, in reality no one would ever be able to brute force that password.

Even if I think (and I know) that you are a Master here, and you know the subject a lot better than me, I don't think it is really "the same".

Your password for this forum could be even a bit smaller, BUT I don't even know if you are using uppercase or numbers or special characters, if you are using "real" words or, as in this case, you are using random all together

A "secret phrase" is made of words, and I (we) know the words, and I (we) know there are NO numbers, NO special characters, NO uppercase...
Yes, obviously it is very hard to find, but I think it is a good way to start the search.

Last thing... I don't think there is "money" inside your password to push me to brute force that
legendary
Activity: 2268
Merit: 18503
however to brute force we would still need to go for the full 2^264 route since we cannot know if a phrase would result in a valid checksum, correct?
You would still have to calculate the checksum for all 2^264 combinations, which simply involves a single SHA256. After checking the checksum you will be able to immediately exclude 255 out of every 256 seed phrases (on average).

For the one seed phrase which does pass the checksum, you must then perform 2048 rounds of HMAC-SHA512 to calculate the root seed number, then various more rounds of HMAC-SHA512 alongside elliptic curve multiplications and additions to work down the derivation path, then three SHA256s, one RIPEMD160, and a Base58 conversion to turn that final public key in to an address to check to see if it matches the one you are looking for.

This is obviously far more resource intensive and time consuming than performing a single SHA256 in order to calculate the checksum.
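The expensive half of that pipeline, as an added Python example (standard library only; not code from this thread or from btcrecover). It takes one candidate that has already passed the checksum, runs the 2048 rounds of HMAC-SHA512 (PBKDF2, as BIP39 specifies, with salt "mnemonic" plus the optional passphrase) to get the 64-byte seed, and then the single HMAC-SHA512 keyed with "Bitcoin seed" that BIP32 uses to produce the master private key and chain code. The mnemonic and the passphrase "TREZOR" are the published BIP39 test vector, used so the seed can be checked; walking the derivation path and encoding an address are omitted. The `cost_ratio` timing is a rough wall-clock comparison against a single SHA256, the cost of one checksum check.

```python
"""Added example: the expensive half of a seed-phrase search, for one
candidate ordering that already passed the checksum filter.
BIP39 seed  = PBKDF2-HMAC-SHA512(mnemonic, "mnemonic" + passphrase, 2048 rounds)
BIP32 root  = HMAC-SHA512(key="Bitcoin seed", data=seed) -> master key | chain code
Derivation-path steps and address encoding are not shown."""
import hashlib
import hmac
import time
import unicodedata

SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

# Published BIP39 English test vector for entropy 0x00*16:
# eleven "abandon" followed by "about" (the checksum word).
TEST_MNEMONIC = " ".join(["abandon"] * 11 + ["about"])


def bip39_seed(mnemonic, passphrase=""):
    """2048 rounds of HMAC-SHA512 via PBKDF2: this dominates the cost of
    every candidate that survives the one-SHA256 checksum check."""
    m = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", m, salt, 2048, 64)


def bip32_master(seed):
    """BIP32 root: left 32 bytes of HMAC-SHA512("Bitcoin seed", seed) are the
    master private key, right 32 bytes the chain code."""
    i = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    key, chain = i[:32], i[32:]
    # BIP32 requires 0 < key < n; failure probability is about 2**-128.
    if not 0 < int.from_bytes(key, "big") < SECP256K1_N:
        raise ValueError("invalid master key for this seed")
    return key, chain


def cost_ratio(samples=20):
    """How many single-SHA256 checksum checks fit into the wall-clock time
    of one seed derivation. Machine dependent; only the magnitude matters."""
    data = bytes(32)
    t0 = time.perf_counter()
    for _ in range(samples * 50):
        hashlib.sha256(data).digest()
    per_sha = (time.perf_counter() - t0) / (samples * 50)
    t0 = time.perf_counter()
    for _ in range(samples):
        bip39_seed(TEST_MNEMONIC, "TREZOR")
    per_seed = (time.perf_counter() - t0) / samples
    return per_seed / per_sha


if __name__ == "__main__":
    seed = bip39_seed(TEST_MNEMONIC, "TREZOR")   # starts c55257c360c07c72...
    key, chain = bip32_master(seed)
    print("seed       ", seed.hex())
    print("master key ", key.hex())
    print("chain code ", chain.hex())
    print(f"one seed derivation costs about {cost_ratio():.0f} checksum checks")
```

Run it once and the ratio printed on the last line is why the 1/256 checksum filter matters: a search spends almost all of its time in `bip39_seed` (and in the derivation steps not shown here), so the cheap SHA256 test must run first and reject everything it can.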
legendary
Activity: 2380
Merit: 5176
Your explanation for why it's actually 2^256 is quite clear - however to brute force we would still need to go for the full 2^264 route since we cannot know if a phrase would result in a valid checksum, correct?
It's true that you will need to check all the 2^264 combinations to see if they pass the checksum, but take note that you won't need to generate address from all those combinations.
You will need to generate address from 2^256 combinations.

Generating address from the seed phrase is much more expensive than just checking the checksum.
legendary
Activity: 2016
Merit: 1401
Disobey.
That's 2,96^79 combinations, a number 79 digits long!
The number you are looking for there is 2.96*10^79, rather than 2.96^79.

That number is not quite right, however. It is the same number as 2048^24 or 2^264. However, not all 24 word combinations are valid seed phrases due to the checksum. With the checksum being 8 bits long, it means only one out of every 256 seed phrases on average is valid. This means the total number of valid 24 word seed phrases is 2^256, which is 1.16*10^77.
Ah yes, rookie mistake, of course it's 2.96 x 10^79. Thanks for the correction!
Your explanation for why it's actually 2^256 is quite clear - however to brute force we would still need to go for the full 2^264 route since we cannot know if a phrase would result in a valid checksum, correct? Or are there any ways to determine in advance which combinations to avoid checking at all?
legendary
Activity: 2268
Merit: 18503
That's 2,96^79 combinations, a number 79 digits long!
The number you are looking for there is 2.96*10^79, rather than 2.96^79.

That number is not quite right, however. It is the same number as 2048^24 or 2^264. However, not all 24 word combinations are valid seed phrases due to the checksum. With the checksum being 8 bits long, it means only one out of every 256 seed phrases on average is valid. This means the total number of valid 24 word seed phrases is 2^256, which is 1.16*10^77.

So my thoughts were right.
It's the same as anything else. My password for this forum might be Y}tz3Wd[^DkxY\2>5p$6. While it is theoretically possible someone could guess that on the first guess, in reality no one would ever be able to brute force that password.
newbie
Activity: 5
Merit: 5
Thanks to: Pmalek, ranochigo, o_e_l_e_o  and FatFork

So my thoughts were right.
legendary
Activity: 2016
Merit: 1401
Disobey.
That's crazy and tbh "intuitively" I wouldn't have thought it's not possible if you have access to some strong (cloud/super) computing system.
What I really like about this question: it goes to show how INSANELY ASTRONOMICALLY impossible it is, to brute force a 24 word seedphrase if no word is known. If I am not mistaken, we have a wordlist of 2048 words? - That's 2,96^79 combinations, a number 79 digits long!
(nothing new, I know, but still, was fun to remember this)
legendary
Activity: 1554
Merit: 2532
Top Crypto Casino
and my script generate that exact sequence as the 4th result, is it not the same ??
have i found it in some seconds?

Yes, it is possible for your script to find a valid sequence in just a few seconds, but what are the chances of that happening?
legendary
Activity: 2268
Merit: 18503
when you say "For 18 words, 1500 years", you mean to just generate ALL possible combinations, right??
Based on the benchmark provided by btcrecover, that would be to exhaust 50% of the search space, which is the average amount of the space you would need to search to reach the desired combination.

and my script generate that exact sequence as the 4th result, is it not the same ??
have i found it in some seconds?
Yes. But it is equally likely that you find it in the 4th result or that you find it in the 4th last result after searching 99.9999....% of combinations.

and what about the "last" word, you call CHECKSUM, in my case "cat17".
it is not just a word "cat17" ??
That word encodes 11 bits of data. Of those bits of data, some of them represent a checksum. For a 12 word seed phrase, 4 bits are a checksum. For a 24 word seed phrase, it is 8 bits.

On average, to crack a key, you should assume that you need to exhaust the search space. If you average out every cracking attempt, then you will find that you should only find them when you're nearing the end of the search space and it should follow an exponential distribution.
That's not right, On average you need to exhaust half the search space. There is a 50% chance you find it in the first half, and a 50% chance you find it in the second half.
legendary
Activity: 2954
Merit: 4158
Sorry to take back an old post, but i'm really curious about that thing.

when you say "For 18 words, 1500 years", you mean to just generate ALL possible combinations, right??

if my secret/mnemonic phrase is:

"cat15 cat2 cat3 cat4 cat5 cat6 cat18 cat8 cat9 cat10 cat11 cat12 cat1 cat14 cat7 cat13 cat16 cat17"

and my script generate that exact sequence as the 4th result, is it not the same ??
have i found it in some seconds?
On average, to crack a key, you should assume that you need to exhaust the search space. If you average out every cracking attempt, then you will find that you should only find them when you're nearing the end of the search space and it should follow an exponential distribution. Hence, it is exceedingly rare for you to find the actual key within 4 seconds.
and what about the "last" word, you call CHECKSUM, in my case "cat17".
it is not just a word "cat17" ??
It is a word. But that word has to be selected such that it has a relation to the rest of the words. Hence, if you were to swap cat15 and cat2, any software would recognize it as being invalid.
legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
when you say "For 18 words, 1500 years", you mean to just generate ALL possible combinations, right??

if my secret/mnemonic phrase is:

"cat15 cat2 cat3 cat4 cat5 cat6 cat18 cat8 cat9 cat10 cat11 cat12 cat1 cat14 cat7 cat13 cat16 cat17"

and my script generate that exact sequence as the 4th result, is it not the same ??
have i found it in some seconds?
Yes, in theory you could find the right combination with the first attempt as soon as you begin brute forcing the seed phrase. But the chances of you doing that are so small that it's not worth trying. It could also take thousands of years. Knowing all words (but not the order) makes the task significantly easier.

I am not a mathematician, so someone who knows will drop by to mention how much easier. Not knowing any of your words is an impossible brute forcing task though. But if you are only missing the order and have powerful machines, I think it's doable within a few years of brute forcing. This is just my amateurish guess.
newbie
Activity: 5
Merit: 5
However,  if you know the location  of some of those words it would be easier (maybe possible) to brute force it. Because the difficulty increases exponentially
With good hardware, btcrecover will descramble a 12 word BIP39 seed phrase in an hour: https://btcrecover.readthedocs.io/en/latest/Usage_Examples/2020-05-02_Descrambling_a_12_word_seed/Example_Descrambling_a_12_word_seed/. Although not exactly the same due to the checksum, lets assume that if you know 12 out of the 24 words then you could descramble the remaining 12 words in roughly the same amount of time.

If you don't know the position of 13 words instead of 12, then there are 13x as many combinations to try, so that would take roughly 13 hours.
For 14 words, 7 days.
For 15 words, 16 weeks.
For 16 words, 5 years.
For 17 words, 85 years.
For 18 words, 1500 years.

No point calculating beyond that really.

Sorry to take back an old post, but i'm really curious about that thing.

when you say "For 18 words, 1500 years", you mean to just generate ALL possible combinations, right??

if my secret/mnemonic phrase is:

"cat15 cat2 cat3 cat4 cat5 cat6 cat18 cat8 cat9 cat10 cat11 cat12 cat1 cat14 cat7 cat13 cat16 cat17"

and my script generate that exact sequence as the 4th result, is it not the same ??
have i found it in some seconds?

and what about the "last" word, you call CHECKSUM, in my case "cat17".
it is not just a word "cat17" ??
legendary
Activity: 2268
Merit: 18503
Not with quantum computers. I assume we won't need to wait 1500 years for the next generation computer to be developed.
Quantum computers are not a magical bullet that can instantly solve any problem. They provide an exponential speed up to attempts to solve the ECDLP, and this is the main way they would be used to attack bitcoin. They provide a much smaller speed up to any hash functions, which is the limiting step in attempting to unscramble a seed phrase, since you must use a SHA256 to calculate the checksum, followed by 2048 rounds of SHA512 to generate the seed number, followed by several more rounds of SHA512 to work down the derivation path and generate the necessary addresses to check for funds. They will be able to speed the process up, sure, but they are unlikely to make unscrambling 18 words any less unfeasible for the average person.

It's just a simple matter of adding more words.
The security of your wallet should never depend on there being enough words in your seed phrase so that an adversary with access to all the words cannot unscramble them, but rather on an adversary never having access to your seed phrase in the first place. I would never scramble the words in a seed phrase to begin with, for the exact reasons highlighted above - if you mess up then wave goodbye to all your coins.
legendary
Activity: 2016
Merit: 1599
Verified Bitcoin Hodler
However,  if you know the location  of some of those words it would be easier (maybe possible) to brute force it. Because the difficulty increases exponentially
With good hardware, btcrecover will descramble a 12 word BIP39 seed phrase in an hour: https://btcrecover.readthedocs.io/en/latest/Usage_Examples/2020-05-02_Descrambling_a_12_word_seed/Example_Descrambling_a_12_word_seed/. Although not exactly the same due to the checksum, lets assume that if you know 12 out of the 24 words then you could descramble the remaining 12 words in roughly the same amount of time.

If you don't know the position of 13 words instead of 12, then there are 13x as many combinations to try, so that would take roughly 13 hours.
For 14 words, 7 days.
For 15 words, 16 weeks.
For 16 words, 5 years.
For 17 words, 85 years.
For 18 words, 1500 years.

No point calculating beyond that really.

Not with quantum computers. I assume we won't need to wait 1500 years for the next generation computer to be developed.

Still, at present technology levels we do not even need to talk about whether or not it's possible to crack it, because theoretically it is possible but it's just technically impossible. Which to humans is almost exactly the same as literally impossible.

Also it bears reminding that by the time we have quantum computers powerful enough to do the entire cracking in minutes or hours or even days, at that point in the future we will have already upgraded the security so that even quantum computers cannot crack it.

It's just a simple matter of adding more words.
legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
You did all those things and yet you managed to create a setup that is much less secure than taking a pen and a piece of paper and writing down 24 words nicely and in correct order. Was it worth it?

It's better to use simple and offline storage options and methods that have been working flawlessly for years. You now rely on several centralized services that have to stay online and operational until it's time for you or a successor to recover those coins.
legendary
Activity: 2268
Merit: 18503
maybe I personally would have to try this with a new wallet as an experiment for myself.
Feel free, but you won't get very far. Tongue

You can figure out why just by looking at the math without having to run any simulations yourself. You have 24 scrambled words. For the 1st word, you can pick any of the 24. For the second word, there are 23 words left to pick from. For the third word, there are 22 words left to pick from. For the fourth word, 21 words left. And so on. 24*23*22*21*......*3*2*1. Also known as 24!. This gives you the following number:

Code:
620,448,401,733,239,439,360,000

How many possibilities can your computer try in a second? A few million? Let's say a billion to be generous? The number above divided by a billion a second, 60 seconds in a minute, 60 minutes in an hour, 24 hours in a day, 365 days in a year, comes out to just short of 20 million years.
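The arithmetic that runs through this thread (the 24! orderings counted in the post above, the 8-bit checksum that rejects 255 of every 256 candidates before any key derivation, the "only the right last words pass" point about the checksum word, and the btcrecover scaling from 12 unknown positions upward) as one added Python example. It is not code from the thread or from btcrecover. It works on BIP39 word indices (0..2047) rather than on words, so it needs no wordlist; mapping a word to its index is a lookup in the BIP39 English list and is assumed to be done by the caller. The sample phrase is constructed from fixed entropy, and the `target_ok` callback stands in for the expensive derive-and-compare step that a real search would run on each checksum survivor.

```python
"""Added example: BIP39 checksum filtering and permutation-search arithmetic.
Operates on 11-bit word indices (0..2047); converting a word to its index
via the BIP39 English list is assumed to be done by the caller."""
import hashlib
import math
from itertools import permutations

WORDLIST_SIZE = 2048            # BIP39 list length, 11 bits per word
SECONDS_PER_YEAR = 365 * 24 * 3600


def indices_from_entropy(entropy):
    """Encode 16..32 bytes of entropy as word indices with the BIP39 checksum
    appended (CS = ENT/32 bits, taken from the top of SHA256(entropy))."""
    ent_bits = len(entropy) * 8
    cs_bits = ent_bits // 32
    cs = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    bits = f"{int.from_bytes(entropy, 'big'):0{ent_bits}b}" + f"{cs:0{cs_bits}b}"
    return [int(bits[i:i + 11], 2) for i in range(0, len(bits), 11)]


def checksum_ok(indices):
    """The cheap test: one SHA256. About 1 in 2**CS candidates pass
    (1 in 16 for 12 words, 1 in 256 for 24 words)."""
    n = len(indices)
    if n not in (12, 15, 18, 21, 24):
        return False
    if not all(isinstance(i, int) and 0 <= i < WORDLIST_SIZE for i in indices):
        return False
    cs_bits = n // 3                      # 4 for 12 words, 8 for 24 words
    ent_bits = 11 * n - cs_bits           # 128 or 256
    bits = "".join(f"{i:011b}" for i in indices)
    entropy = int(bits[:ent_bits], 2).to_bytes(ent_bits // 8, "big")
    expected = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    return int(bits[ent_bits:], 2) == expected


def valid_last_words(prefix):
    """Final-word indices that complete `prefix` with a correct checksum:
    2**(11 - CS) of the 2048 words, i.e. 128 for 12 words and 8 for 24."""
    return [w for w in range(WORDLIST_SIZE) if checksum_ok(prefix + [w])]


def descramble(known, unknown_positions, unknown_words, target_ok):
    """Try every ordering of unknown_words across unknown_positions. The
    checksum filter runs on every permutation; target_ok (the expensive
    derive-and-compare step) only on survivors.
    Returns (solution or None, permutations tried, expensive checks)."""
    tried = expensive = 0
    for perm in permutations(unknown_words):
        tried += 1
        cand = list(known)
        for pos, w in zip(unknown_positions, perm):
            cand[pos] = w
        if not checksum_ok(cand):
            continue
        expensive += 1
        if target_ok(cand):
            return cand, tried, expensive
    return None, tried, expensive


def years_to_exhaust(n_words, checks_per_second):
    """Years to run the checksum over every ordering of n_words words."""
    return math.factorial(n_words) / checks_per_second / SECONDS_PER_YEAR


def scaled_hours(unknown, baseline_unknown=12, baseline_hours=1.0):
    """Extrapolate a measured time by the ratio of permutation counts
    (13 unknown positions = 13x the 12-position time, and so on)."""
    return baseline_hours * math.factorial(unknown) / math.factorial(baseline_unknown)


# Constructed sample: a valid 24-word phrase (as indices) from fixed entropy.
EXAMPLE_ENTROPY = hashlib.sha256(b"constructed example entropy").digest()
EXAMPLE_PHRASE = indices_from_entropy(EXAMPLE_ENTROPY)


def demo_descramble(n_unknown=6):
    """Scramble the last n_unknown positions of EXAMPLE_PHRASE, then recover
    them; equality with the known phrase stands in for address comparison."""
    positions = list(range(24 - n_unknown, 24))
    known = EXAMPLE_PHRASE[:24 - n_unknown] + [None] * n_unknown
    scrambled = [EXAMPLE_PHRASE[p] for p in reversed(positions)]
    return descramble(known, positions, scrambled, lambda c: c == EXAMPLE_PHRASE)


if __name__ == "__main__":
    sol, tried, expensive = demo_descramble()
    print(f"recovered={sol == EXAMPLE_PHRASE} permutations={tried} "
          f"expensive_checks={expensive}")
    print(f"24 unknown positions at 1e9 checks/s: {years_to_exhaust(24, 1e9):.3g} years")
    for k in range(12, 19):
        print(f"{k} unknown positions: {scaled_hours(k):.3g} hours")
```

Two things to read off the output: with six scrambled positions only a handful of the 720 orderings reach the expensive step, which is the whole value of the checksum as a prefilter, and `years_to_exhaust(24, 1e9)` reproduces the figure of just under 20 million years at a billion checks per second, which is for the cheap SHA256 alone and before any PBKDF2 or address derivation.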
legendary
Activity: 2226
Merit: 1049
Leading Crypto Sports Betting & Casino Platform
When I first read the question op asked, I was just about to comment and say that it should take maybe 24 hours at most, but reading the comments really made me amazed, I am still finding it difficult to believe that it is actually impossible to get a correct order of 24 word seed phrase wrongly arranged, maybe I personally would have to try this with a new wallet as an experiment for myself.

Anyone wants to tell me what's the risk?
What If your email gets hacked?
What if for some reason, you lost access to your email?
What if opensea goes down in the future?
Or maybe gets hacked?
It is not my prayer for you, but what if sudden death happens, how will your family have access to your scrambled 24 word seed phrase, how will they know how to unscramble it so they can gain access to the funds?
How will they know there's an NFT you kept on opensea that holds the key to your funds?
(unless you are going to show them these things).
hero member
Activity: 714
Merit: 1010
Crypto Swap Exchange
...

As o_e_l_e_o points out, I stopped counting single points of failure, you rely on too many parts that you have no control of. Despite that, have you actually verified that you can recreate your mnemonic words properly?

Keep it simple and you are less likely to shoot yourself in the foot. There's so much that could go wrong in your scheme...
legendary
Activity: 2268
Merit: 18503
Anyone wants to tell me what's the risk?
  • Your email provider going defunct, blocking your account, deleting your data, suffering a server failure, suffering malware, or any other reason which could result in loss of your scrambled seed phrase back up.
  • Forgetting your additional word if it isn't also backed up.
  • Not remembering your method, how to find your code, how to interpret your code, etc.
  • Making a mistake in how you set up your code, so even if you find it you cannot unscramble your seed phrase.
  • Someone who has hacked your email figuring out your scheme and stealing your coins.
  • OpenSea is centralized. If OpenSea goes down (as it has in the past) then do you know how to extract the necessary information from the blockchain to access your code?
jr. member
Activity: 30
Merit: 3
I also scrambled my 24 word seed phrase and added 1 word to make it more difficult, and saved it in my emails and other less secure places. I am confident that no one will be able to guess it, including me. And that's the reason why I wrote down the sequence like a code and made it into an NFT, so it has a record on the blockchain and will never be lost. So when the time comes that I want to access my assets, I will just search for my NFT on opensea (contains the code) and then run through my email for my scrambled seed phrase, then I'm good to go. Anyone wants to tell me what's the risk?
legendary
Activity: 3402
Merit: 10424
So when you use this, what are you encrypting? The actual words of the seed phrase, or the binary representation?
The binary, just like BIP38. In fact that is why I used that example above. If I do anything else the length could be arbitrary and encoding becomes slightly more complicated.

Quote
I would argue that manually converting an encrypted seed phrase in to another set of BIP39 words is overly complicated for the majority of users. Some may well try to do it manually which creates the risk for error, and using a BIP39 tool could have unpredictable results as it tries to "fix" the incorrect checksum at the end or truncates some of the data you enter.

It would be better if there was a standardized way of doing this similar to BIP38. In the meantime I prefer to use methods which are standardized, such as multi-sig or passphrases.
No arguments there. My method requires some knowledge of programming since there aren't any implementations of it as far as I know, but it is pretty simple to do.
I really hope someone comes up with a BIP38 like proposal for mnemonics to standardize it (at least to some extent).
legendary
Activity: 2268
Merit: 18503
So when you use this, what are you encrypting? The actual words of the seed phrase, or the binary representation?

I would argue that manually converting an encrypted seed phrase in to another set of BIP39 words is overly complicated for the majority of users. Some may well try to do it manually which creates the risk for error, and using a BIP39 tool could have unpredictable results as it tries to "fix" the incorrect checksum at the end or truncates some of the data you enter.

It would be better if there was a standardized way of doing this similar to BIP38. In the meantime I prefer to use methods which are standardized, such as multi-sig or passphrases.
legendary
Activity: 3402
Merit: 10424
The reason I don't like this is that it removes one of the main benefits of a seed phrase, which is that it is human readable, easy to write down accurately, easy to check for mistakes, and easy to error correct should you have a few smudged characters or a lost word or two. You lose all this if encrypt it, and should probably be using a printer to print it out rather than hand write it which adds another layer of risk.
No, you don't lose it. When you encrypt a 128-bit entropy for example, you end up with 128-bit encrypted data if you don't use IV. You can easily convert that to a human readable format, like with already available algorithm such as BIP39.
As an example you can check out BIP38 where we encrypt the 256-bit private key and get 256-bit result which we encode using base58. Just replace the last step with BIP39. You can even use a BIP39 library/tool that takes entropy.
legendary
Activity: 3444
Merit: 6182
Crypto Swap Exchange
... and should probably be using a printer to print it out rather than hand write it which adds another layer of risk....

And use GOOD waterproof paper stored properly.
https://bitcointalksearch.org/topic/--5296179
Using cheap paper, and putting it in a location that can be subject to "stuff" can lead to loss of funds decades down the road.

If you are doing 'short term' cold storage it's one thing.
Planning to give to the grandkids, when you don't have your own kids yet is another.

Just something to think about.

-Dave


legendary
Activity: 2268
Merit: 18503
My favorite is always to encrypt the data (plain text mnemonic) using AES256 which is a very strong encryption algorithm
The reason I don't like this is that it removes one of the main benefits of a seed phrase, which is that it is human readable, easy to write down accurately, easy to check for mistakes, and easy to error correct should you have a few smudged characters or a lost word or two. You lose all this if encrypt it, and should probably be using a printer to print it out rather than hand write it which adds another layer of risk.

I'm not saying don't use encryption, but the reasons I've given above are why I prefer to add an additional passphrase or use a multi-sig set up rather than encrypting my seed phrase. Passphrases have the added benefit of plausible deniability, while multi-sig has the added benefit of not needing to use a single device (and therefore a single point of failure) to recover the wallet.

legendary
Activity: 3402
Merit: 10424
I vaguely remember someone trying to put together a list of books that have all the seed words in them. So in theory you could keep a copy on a shelf with other books and it does not look out of place.
All you would need at that point was a way to distinguish which was #1 and #2 and so on. But this goes back YEARS and people were pointing out ways it could go wrong.
Reinventing the wheel in cryptography is never a good idea for non experts, instead everyone should stick to the already available options. My favorite is always to encrypt the data (plain text mnemonic) using AES256 which is a very strong encryption algorithm, or at the very least the extension word of BIP39 could be used.
legendary
Activity: 3444
Merit: 6182
Crypto Swap Exchange
I vaguely remember someone trying to put together a list of books that have all the seed words in them. So in theory you could keep a copy on a shelf with other books and it does not look out of place.
All you would need at that point was a way to distinguish which was #1 and #2 and so on. But this goes back YEARS and people were pointing out ways it could go wrong.

IIRC other than a dictionary they could not find one. I never really followed it as it seemed pointless and convoluted. Have to see if I can dig it up.

As @o_e_l_e_o said, stick with what works. Even if you do want to think a bit outside the box when doing it. https://bitcointalksearch.org/topic/n0nces-steel-washer-backup-jig-customisable-5363596

-Dave
legendary
Activity: 2268
Merit: 18503
Now, I can re-design my strategy to "hide" my seed words in plain sight.
Are you sure? We've just discussed above that 24 scrambled words essentially means your coins are lost forever. Are you sure you want to go scrambling your words? Are you sure you (or your family) will be able to successfully unscramble them?

We have seen countless examples on this forum of people who have come up with their own custom back up methods, including scrambled words, split up words, home made ciphers, etc. and permanently lost access to their coins because they can't remember what they did or how to reverse it. I always caution against any such home-made scheme. As I said in my previous post in this thread, far better to choose an established standard such as multi-sig or encryption.
legendary
Activity: 3388
Merit: 1943
Leading Crypto Sports Betting & Casino Platform
OP, Thanks man... this discussion has blown my mind, because I would have thought it would be much easier, if you know the 24 words. Now, I can re-design my strategy to "hide" my seed words in plain sight. (I have a method to store it in plain sight, but with a template to decipher it)

I do this, so that my family would be able to get to my bitcoins when I am gone. They know the answers to my questions and they have the template, so I can make it easier for them now.

19 million years.... Who would have guessed that.
legendary
Activity: 3402
Merit: 10424
That's why I am not a big fan of providing exact data and saying "I will take 7 days". It will take 7 days on one specific computer, while on other it would take 6 days or 8 days.
In the context of "whether jumbled n-word seed is safe" you are correct, but generally speaking stats like this are very useful, as long as they are reported with full details that include the word count, derivation path, extra word (passphrase) length, and finally the hardware specs.
That way if you are trying to recover a similar case you could have some idea about how long it could take. Which is why I added the specs used in calculation above.
legendary
Activity: 2268
Merit: 18503
At any rate, I wouldn't advise scrambling the words as a safety measure, tempting as it may be due to the above. The focus should be on keeping the seed physically secure and easy for the owner to recover.
Yeah, this. If you cannot be sure that the safe location you have chosen to secure your seed phrase will remain safe, then your options are either to find a new location, or use one of the standard procedures for adding additional security to your wallet, such as:

  • Use a multi-sig which requires compromising multiple seed phrases to steal your coins
  • Add one or more additional passphrases to access the majority of your coins
  • Encrypt your seed phrase

In all scenarios, the additional information you need (other seed phrases, passphrases, decryption key) should also be backed up on paper and stored in one or more separate safe locations. Whenever people try to roll their own security by scrambling words, applying some sort of home made cipher, etc., it commonly leads to them forgetting what they've done and losing access to their coins.

The point is to understand how difficulty (time estimation) changes when we change the length of the seed - they say size does not matter, but we clearly see the longer the better
Well, I wouldn't necessarily agree with that conclusion. There is no good reason to scramble your seed phrase, and I would go as far as saying that you shouldn't be storing in a way which means scrambling is even a possibility. You shouldn't be aiming for a longer seed phrase because it is more difficult to unscramble - you should be focusing on keeping your seed phrase safe.
legendary
Activity: 952
Merit: 1367
If you don't know the position of 13 words instead of 12, then there are 13x as many combinations to try, so that would take roughly 13 hours.
For 14 words, 7 days.
For 15 words, 16 weeks.
For 16 words, 5 years.
For 17 words, 85 years.
For 18 words, 1500 years.

To be clear, the "good hardware" in this context for this duration means a 48-core cloud computing server, not a regular good hardware PC. With a PC with the best CPU you would get a couple of hours, possibly 5 or 6.
That's for BIP39 mnemonic, but for Electrum it should take a lot less by a factor of about 12.

Exactly. That's why I am not a big fan of providing exact data and saying "it will take 7 days". It will take 7 days on one specific computer, while on another it would take 6 days or 8 days. If Google or Amazon would like to use their datacenters and their hardware, maybe it would take 5 minutes.
The point is to understand how difficulty (time estimation) changes when we change the length of the seed - they say size does not matter, but we clearly see the longer the better
legendary
Activity: 3402
Merit: 10424
With good hardware, btcrecover will descramble a 12 word BIP39 seed phrase in an hour:
To be clear, the "good hardware" in this context for this duration means a 48-core cloud computing server, not a regular good hardware PC. With a PC with the best CPU you would get a couple of hours, possibly 5 or 6.
That's for BIP39 mnemonic, but for Electrum it should take a lot less by a factor of about 12.
legendary
Activity: 3612
Merit: 8904
https://bpip.org
19 million years. I am impressed, because at first when I read the topic I thought it was possible.

It's also based on a very generous assumption about performance (1 billion permutations per second) so probably a lot more than 19 million years. Extrapolating o_e_l_e_o's example takes us into billions of years.

OTOH perhaps some very resourceful entity (a government, or Jeff Bezos) could potentially use millions of supercomputers and do it e.g. in 1 year... the question is - to what end? It's a very narrow use case, doesn't break Bitcoin protocol, and how many wallets are there that could be hacked this way and would justify the likely cost of $trillions?

At any rate, I wouldn't advise scrambling the words as a safety measure, tempting as it may be due to the above. The focus should be on keeping the seed physically secure and easy for the owner to recover.
legendary
Activity: 2268
Merit: 18503
However, if you know the location of some of those words it would be easier (maybe possible) to brute force it, because the difficulty increases exponentially.
With good hardware, btcrecover will descramble a 12 word BIP39 seed phrase in an hour: https://btcrecover.readthedocs.io/en/latest/Usage_Examples/2020-05-02_Descrambling_a_12_word_seed/Example_Descrambling_a_12_word_seed/. Although not exactly the same due to the checksum, let's assume that if you know 12 out of the 24 words then you could descramble the remaining 12 words in roughly the same amount of time.

If you don't know the position of 13 words instead of 12, then there are 13x as many combinations to try, so that would take roughly 13 hours.
For 14 words, 7 days.
For 15 words, 16 weeks.
For 16 words, 5 years.
For 17 words, 85 years.
For 18 words, 1500 years.

No point calculating beyond that really.
legendary
Activity: 2212
Merit: 5622
Non-custodial BTC Wallet

Cryptography is really impressive.

I am curious to know the actual difficulty/cost/time involved to put a 24 word seed phrase in the correct order if you have the 24 words but not the correct order? I can see that there are 24^24 number of combinations but what does that translate into difficulty/time/cost?

However, if you know the location of some of those words it would be easier (maybe possible) to brute force it, because the difficulty increases exponentially.
legendary
Activity: 952
Merit: 1367
Of course, much depends on hardware. But:
1) we talk about the most pessimistic scenario (checking all the possibilities) - if you are lucky, you may get the correct result after one second
2) you may increase the instantaneous speed of your calculations, but still you will process only a small fraction of all permutations during your life (or until the Sun dies).
legendary
Activity: 3206
Merit: 2904
Block halving is coming.
I think it all depends on your hardware speed, like btcrecover.py cracking a password, encrypted key, or seed phrase.

They have a list of hardware performance for both CPU and GPU; you can find it here: https://btcrecover.readthedocs.io/en/latest/GPU_Acceleration/
Based on that chart, GPU is much faster than CPU.
hero member
Activity: 836
Merit: 1007
"How do you eat an elephant? One bit at a time..."
Thank you! Very fascinating!
legendary
Activity: 3612
Merit: 8904
https://bpip.org
The 128 to 256 bits of entropy and the checksum, which will add 4 to 8 more bits (depending on the number of bits of entropy), that result in seed phrase generation are secure and safe and make seed phrase brute force impossible.

That's not what the OP is asking.

Even if you have the 24 words to guess from?

Still quite unfeasible:

https://bitcoin.stackexchange.com/questions/92540/bruteforcing-a-seed-with-24-words-of-a-unknown-order
legendary
Activity: 952
Merit: 1367
I am curious to know the actual difficulty/cost/time involved to put a 24 word seed phrase in the correct order if you have the 24 words but not the correct order? I can see that there are 24^24 number of combinations but what does that translate into difficulty/time/cost?

It is not 24^24 but 24! (=24*23*22*...*2*1).
Think about it this way:
on first position you may have any of 24 words
on second position any word from 23 left
on third position any word from 22 left...

I have prepared something like that in my program: https://github.com/PawelGorny/lostword
Check worker 'PERMUTATION_CHECK'.
Anyway, with 24 words... it is a lot of work.
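The arithmetic behind the thread's figures, as an added example that is not code from btcrecover, lostword or any poster: it computes the n! orderings PawelGorny describes, the entropy and checksum bit counts bpip.org mentions, how many orderings survive the checksum before the expensive PBKDF2 step is needed, and scales o_e_l_e_o's 12-words-in-one-hour btcrecover reference point to other word counts. The one-hour figure is taken from the thread as a reference; every other number is derived from it, and the rounding into days, weeks and years is mine.

```python
"""Work estimate for re-ordering a scrambled BIP39 seed phrase.

Added example for this thread; not code from btcrecover, lostword or any
poster. The only measured input is the thread's reference point of
12 scrambled words in about 1 hour on a 48-core server; all other
figures are scaled from it with n!.
"""
from math import factorial

HOURS_PER_DAY = 24
HOURS_PER_YEAR = 365.25 * HOURS_PER_DAY


def bip39_bits(n_words: int) -> tuple[int, int]:
    """Return (entropy_bits, checksum_bits) for an n-word BIP39 phrase.

    Each word carries 11 bits and ENT + ENT/32 = 11n, so the checksum
    is n/3 bits: 4 bits for 12 words, 8 bits for 24 words.
    """
    if n_words % 3 or not 12 <= n_words <= 24:
        raise ValueError("BIP39 phrases have 12, 15, 18, 21 or 24 words")
    checksum_bits = n_words // 3
    return 11 * n_words - checksum_bits, checksum_bits


def orderings(n_scrambled: int) -> int:
    """Ways to place n known words into n slots: n! (not n**n)."""
    return factorial(n_scrambled)


def checksum_survivors(n_words: int, n_scrambled: int) -> float:
    """Expected orderings that pass the checksum and need the PBKDF2 path.

    Only about 1 in 2**checksum_bits random arrangements has a valid
    checksum, so the 2048-round key derivation runs for a small fraction
    of candidates; the cheap SHA-256 check still runs for every one.
    """
    _, checksum_bits = bip39_bits(n_words)
    return orderings(n_scrambled) / 2 ** checksum_bits


def scaled_hours(ref_scrambled: int, ref_hours: float, n_scrambled: int) -> float:
    """Scale a measured run time to a different number of scrambled words.

    Work grows with n!, so n scrambled words take ref_hours * n! / ref!.
    """
    return ref_hours * orderings(n_scrambled) / orderings(ref_scrambled)


def human(hours: float) -> str:
    """Render a duration in hours using the largest convenient unit."""
    if hours < 48:
        return f"{hours:.0f} hours"
    days = hours / HOURS_PER_DAY
    if days < 60:
        return f"{days:.0f} days"
    years = days / 365.25
    if years < 1e6:
        return f"{years:,.0f} years"
    return f"{years:.2e} years"


if __name__ == "__main__":
    print(f"24! = {orderings(24):,}")
    for n in (12, 15, 18, 21, 24):
        ent, cs = bip39_bits(n)
        print(f"{n} words: {ent} entropy bits + {cs} checksum bits; "
              f"{checksum_survivors(n, n):.3e} of {orderings(n):.3e} "
              f"orderings pass the checksum")
    # Reference point from the thread: 12 scrambled words in ~1 hour.
    for n in range(12, 25):
        print(f"{n:2d} scrambled words: ~{human(scaled_hours(12, 1.0, n))}")
```

Running it reproduces the thread's ladder to within rounding (13 hours, about 8 days, about 114 days, 5 years, 85 years, 1,525 years for 13 to 18 words) and lands in the hundred-billion-year range for all 24, which is bpip.org's "billions of years". The `checksum_survivors` figure is why the 4 or 8 checksum bits only shave a constant factor off the count: for 24 words it still leaves roughly 2.4e21 candidates for the slow derivation step.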
hero member
Activity: 836
Merit: 1007
"How do you eat an elephant? One bit at a time..."
The 128 to 256 bits of entropy and the checksum, which will add 4 to 8 more bits (depending on the number of bits of entropy), that result in seed phrase generation are secure and safe and make seed phrase brute force impossible.

Even if you have the 24 words to guess from?
hero member
Activity: 836
Merit: 1007
"How do you eat an elephant? One bit at a time..."
I am curious to know the actual difficulty/cost/time involved to put a 24 word seed phrase in the correct order if you have the 24 words but not the correct order? I can see that there are 24^24 number of combinations but what does that translate into difficulty/time/cost?