
Topic: info about Ian Colman mnemonic - page 2. (Read 377 times)

sr. member
Activity: 406
Merit: 443
July 01, 2023, 02:17:24 PM
#15
If there are a total of 2^256 combinations, one combination of 24 words has the same chance of being picked as another combination of 24 words. This probability is 1 out of 2^256 regardless of how it was generated, if each word was picked randomly.
Assuming that we are 10 billion people on this planet, we all decided to use Bitcoin and each of us had on average about 2000 wallets (which is a very large number), the sum of what we will get is 2.0e13 which is very far even if the wallet contains 12 words.

The problem lies if these words were not randomly chosen, and then the human brain gets used to choosing similar things and with the possibility of repeating more than one word, we will find that this possibility has become very weak, especially if social engineering is used to determine the words that you may use a lot, and therefore you will choose them to be seeds.

It is better to assume that any wallet that you did not generate or generated using your brain, or that is not randomly generated well is a hacked wallet.
legendary
Activity: 2380
Merit: 5213
July 01, 2023, 02:00:03 PM
#14
This probability is 1 out of 2^256 regardless of how it was generated, if each word was picked randomly.
If the words have been picked truly randomly, right. The point here is that if the words are chosen by human brain, then they are not random.
The correct way to generate a seed phrase is to generate a random entropy using a trustworthy software and then convert that to a seed phrase.
member
Activity: 154
Merit: 29
July 01, 2023, 12:14:09 PM
#13
If there are a total of 2^256 combinations, one combination of 24 words has the same chance of being picked as another combination of 24 words. This probability is 1 out of 2^256 regardless of how it was generated, if each word was picked randomly.
legendary
Activity: 2268
Merit: 18509
July 01, 2023, 12:02:38 PM
#12
The entropy doesn't change the chance of guessing one seed phrase compared to another.
Yes, it absolutely does. If I have 256 bits of random entropy sourced from /dev/urandom, and you have 256 bits of entropy sourced from your browser fingerprint, then your seed phrase is exponentially weaker than mine and exponentially more likely to be broken.

Are there 24 words combination from words listed in BIP 39 protocol easier to guess than other?
Yes. It all depends on the entropy used to generate those words in the first place.

As there are 2048 words, total number of combination is 2048x2047x2046x...x2025x2024.
There is nothing preventing repeat words, and the last word contains a checksum, so as above there are 2^256 combinations, not what you have written.
legendary
Activity: 2380
Merit: 5213
July 01, 2023, 11:52:49 AM
#11
Are there 24 words combination from words listed in BIP 39 protocol easier to guess than other?
A 24 word BIP39 seed phrase provides 256 bits of entropy while a 12 word BIP39 seed phrase provides 128 bits of entropy. Therefore, the probability of brute-forcing a 24 word seed phrase is smaller. Of course, a 12 word seed phrase is enough and again, take note that human is not a good source of entropy.


As there are 2048 words, total number of combination is 2048x2047x2046x...x2025x2024.
There are 2048^23 * 8 or 2^256 combinations.
Take note that words can be repeated and the last 8 bits are checksum.
member
Activity: 154
Merit: 29
July 01, 2023, 11:37:51 AM
#10
It encodes this number generated into a seed phrase. Whether it is done via JS or Bitcoin Core, the resulting seed phrase has an equal chance to be guessed by someone trying every combination of words.
The entropy doesn't change the chance of guessing one seed phrase compared to another.

Are there 24 words combination from words listed in BIP 39 protocol easier to guess than other? If you pick at random those 24 words, you have the same probability to get each of those combination.   

As there are 2048 words, total number of combination is 2048x2047x2046x...x2025x2024. So when you pick one combination, you have one chance out of 2048x2047x2046x...x2025x2024 to get one specific combination independently from how it was generated
legendary
Activity: 2268
Merit: 18509
July 01, 2023, 11:05:39 AM
#9
First, I could myself generate a seed phrase without anything. I just pick 24 words from the list given in the BIP 39 protocol.
So if Ian Coleman give me a list of 24 words randomly in the same list what can be wrong? It is just picking word at random.
Picking random words yourself from the word list is widely recognized as highly insecure and one of the worst possible ways to generate a seed phrase. This is also absolutely not what Ian Coleman's software is doing. What Ian Coleman is actually doing is generating a pseudo-random number via crypto.getRandomValues and then encoding that into a seed phrase. Your browser is simply not a very good source of entropy for this process. Compare this to Bitcoin Core, for example:

Most good wallets will be based on entropy directly from the OS and the computer's hardware. Bitcoin Core, as an example, draws entropy from /dev/urandom (which is from the OS, or the equivalent on non-Linux systems), RDSEED/RDRAND (which is from the processor), and a whole host of data from the computer itself, such as current resource usage, timestamps, kernel parameters, network data, version data, etc. All of this is then combined through a variety of techniques such as XORs and hashes, so if one source of entropy is weak or compromised then your final result should still be secure.

It is fine to not fully understand the process behind seed phrase generation or the risks which need to be considered and mitigated against. Most people don't. But you should at least try to realize this and stick to the tried, tested, and recommended methods instead.

If you are dead set on using a webpage to generate your seed phrase then ultimately, we can't stop you. But you are taking on unnecessary risk by doing so, especially when there are much safer alternatives available.
member
Activity: 154
Merit: 29
July 01, 2023, 10:12:52 AM
#8
Let's dive into JS generating seed phrase.

First, I could myself generate a seed phrase without anything. I just pick 24 words from the list given in the BIP 39 protocol.
So if Ian Coleman give me a list of 24 words randomly in the same list what can be wrong? It is just picking word at random.

The risk maybe is the code being changed to give me a list of 24 words already known by somebody. But this is hacking, not JS related.
legendary
Activity: 2268
Merit: 18509
July 01, 2023, 07:13:28 AM
#7
So what is the issue?
The issue is it uses Javascript.

Did you read the post hosseinimr93 linked to above? The bottom line is using Javascript is insecure and does not guarantee your safety. If you are going to all the hassle of using a live OS to set up genuine cold storage, then why would you want to use insecure code to generate your seed phrase?

Also what would you recommend to generate BTC private Keys for cold storage? I don't trust hardware wallet.
Use good quality, reputable, open source wallet software such as Core, Electrum, or Sparrow. Review the code yourself if you have the ability to do so. Verify all downloads (this includes your downloads of Tails).

About Electrum : Do you know if I can use it in tail OS and if it can be used like Ian Coleman to generate keys and mnemonic phrase only.
Yes. Tails comes with Electrum already installed, so this is very easy to do.
legendary
Activity: 1512
Merit: 4795
July 01, 2023, 06:50:52 AM
#6
My main goal is to generate BTC address on my own with javascript on a browser only without being connected to the internet?
Do not use a browser to generate the seed phrase. Use text editor on an airgapped device.

About Electrum : Do you know if I can use it in tail OS and if it can be used like Ian Coleman to generate keys and mnemonic phrase only.
These are the OS that you can use with Electrum: https://electrum.org/#download

You can run Electrum on airgapped device too.
member
Activity: 154
Merit: 29
July 01, 2023, 06:16:00 AM
#5
I would rather download Ian Coleman mnemonic on github https://github.com/iancoleman/bip39

I use tail OS with no internet connection to generate my address.

Ian Coleman mnemonic is applying the same protocol to generate 24 words phrases and the resulting addresses as any other code. So what is the issue?

Also what would you recommend to generate BTC private Keys for cold storage? I don't trust hardware wallet.

About Electrum : Do you know if I can use it in tail OS and if it can be used like Ian Coleman to generate keys and mnemonic phrase only.

thanks
legendary
Activity: 3234
Merit: 2943
Block halving is coming.
July 01, 2023, 05:50:17 AM
#4
It would be safe to generate mnemonic seed from iancoleman tool if you run it offline.
Make sure you never connect this device to the internet to make sure the seed you generated from the tool is safe.

I don't heard any alternative yet on iancoleman why not generate your seed into Electrum?
legendary
Activity: 2380
Merit: 5213
July 01, 2023, 05:48:19 AM
#3
My main goal is to generate BTC address on my own with javascript on a browser only without being connected to the internet?
I recommend you to avoid any tool that generates the keys through javascript.
click here and read gmaxwell's explanation on why it's not a good idea to use javascript for generating keys.

And it may be worth mentioning that if by "without being connected to the internet", you mean just disconnecting internet when generating the keys, that's not enough. You should use an airgapped device.
staff
Activity: 3402
Merit: 6065
July 01, 2023, 05:41:22 AM
#2
Yes, it should be safe. As for the alternative then you can use Bitaddress (you can generate multiple addresses/PKs but not a seedphrase). Both sites are open source[1][2] so you can easily download and run them locally offline.

[1] https://github.com/pointbiz/bitaddress.org
[2] https://iancoleman.io/bip39/
member
Activity: 154
Merit: 29
July 01, 2023, 05:33:42 AM
#1
Hello,

I would like to know if Ian Coleman mnemonic is still updated and safe to generate BTC address and key.

Also, are there alternative to this browser based solution?

My main goal is to generate BTC address on my own with javascript on a browser only without being connected to the internet?

Thanks for your help