Topic: is securing recovery seed this way logical? (Read 294 times)

hero member
Activity: 2520
Merit: 783
September 07, 2021, 04:41:07 AM
#21
I want to write my recovery words not in order and have another recovery card indicating the order of the words, and put them in different places. So I want to know: if someone found the recovery words, is it possible to make a script or something to test them and find the order of my recovery words? (I know this is possible, but I think the time spent is not worth doing this!)

So is it secure to write all the recovery words out of order (all original words) and have another key to order the recovery words?

thanks by the way

Doing it that way makes it more vulnerable to any possible hacks, since you easily leave tracks for other people, especially if they know you well. It is better to use the randomly generated phrase, since it is more secure than creating your own, but make sure that you store your secret phrase in a safe place where other people don't have any access to it. Also think about what others said here, since it can make you realize that the methods they mentioned are safer than what you are thinking of.
legendary
Activity: 2730
Merit: 7065
September 07, 2021, 04:27:22 AM
#20
You are trying to invent a method which is ultimately less secure than using standard ways of storing your seed and additional passphrase.

Let's say you do it the way you explained.
You write down the seed with the words in a scrambled order on one piece of paper.
On the second paper, you write down the correct order of the words.

What did you get from that? Finding the note that shows the correct order of words is useless by itself. So far so good. But if someone found your seed, they could maybe brute-force it (even without knowing the correct order of words) to discover the correct order with the technology available today or one developed in the future. Maybe, the note with the scrambled seed is all that is needed for you to lose your coins to a well-prepared hacker.

If you used a recommended model with seed + passphrase, here is what you have.
You have your seed on one piece of paper. If someone found that, they still wouldn't have access to your wallet protected by the passphrase.
If someone finds the paper with your passphrase, they can't do anything with that alone without the seed. If you use a strong and long enough passphrase, it's impossible to brute-force it. Andreas Antonopoulos recommends using 4-6 random words as a passphrase. You can use 6, or 8, or 10... if you want.

If you compare the two models, you see that the 2nd one is better because finding either the seed or the passphrase alone gets you nowhere.
In your model, finding the seed could potentially lead to trouble. Why lower the security of your coins even by 1% if you can use standard recommendations?       
legendary
Activity: 3024
Merit: 2148
September 07, 2021, 03:30:25 AM
#19
That's a cool method and all that, but there is a good chance to mess things up; for example, if you look up the wrong indexes for your words (e.g. using 1 instead of 0 for the first word) then the result will be wrong and you may have a very tough time recovering your coins in the future. If this is supposed to be done with code and automatically, then why not use an actually safe encryption method such as AES? In the end you'll end up with 2 separate strings that have to be stored separately in 2 safe places.

Because AES is not human readable. It's very tedious to write down base64 text on paper, and screwing up a single symbol will be catastrophic, while this method has all the conveniences of the mnemonic seed format. After all, why do people use these mnemonic seeds these days instead of printing out private keys like they used to? That's what OP wanted with their method; if they wanted to store their encrypted seed digitally, this would have been a different story.

But I personally prefer to store my seed unencrypted, because I think that the added complexity of managing a key and ciphertext and storing them in separate places is more likely to backfire in some way than someone getting to my unencrypted seed.
legendary
Activity: 2268
Merit: 18748
September 07, 2021, 03:02:24 AM
#18
It is just to switch positions of the words: 2nd is 1st and 1st is 2nd, 4th is 3rd and so on, and I just throw like 10 or 20 bucks in there, so whoever finds it would think they got it, and I don't think they would try to do anything else.
There is only a 1 in 16 chance that this would work for a 12 word seed phrase, and only a 1 in 256 chance that this would work for a 24 word seed phrase, given that the last word is the checksum. I suppose you could brute force seed phrases until you get one which fits your desired scheme, or far more simply (and far more securely) you just add an additional passphrase. Send some decoy amount of coins to the base wallet, and send your main stash to the hidden wallet protected by the additional passphrase.

That's a cool method and all that but there is a good chance to mess things up
Completely agree. I wouldn't trust a lot of people to add 24 sets of 2 numbers together without making a mistake. As soon as you add in the modulo operation, which the vast majority of people are completely unfamiliar with, then the chance of mistakes increases drastically. There are already a number of tried and tested methods for effectively requiring two factors to restore your wallet, namely encrypting the seed phrase, adding a passphrase, or using multi-sig. Choose one of these instead.
legendary
Activity: 3038
Merit: 4418
Crypto Swap Exchange
September 07, 2021, 01:26:21 AM
#17
I do not know the importance of seed phrase splitting aside from inheritance reasons: if I do not want my heir to know the amount of bitcoin stored, I can just go for the option of a Shamir seed phrase split. Aside from this reason, I cannot use it; they are even indicated as an experimental prototype, which is the reason it will be the last option I would go for. I would prefer to use multisig in most cases, or just add a passphrase to my seed phrase and save it separately from my seed phrase.
SLIP39 is adopted by Trezor and it isn't an experimental implementation; there is a standard for it. If done correctly, Shamir Secret Sharing gives you the benefits of having N-1 of your shares exposed without them being of any use to the attacker, and plausible deniability as well. MultiSig can function the same, but the process is done on-chain, while a passphrase doesn't give you sufficient redundancy.
legendary
Activity: 3472
Merit: 10611
September 06, 2021, 10:47:01 PM
#16
Here's a better method.
~
That's a cool method and all that, but there is a good chance to mess things up; for example, if you look up the wrong indexes for your words (e.g. using 1 instead of 0 for the first word) then the result will be wrong and you may have a very tough time recovering your coins in the future. If this is supposed to be done with code and automatically, then why not use an actually safe encryption method such as AES? In the end you'll end up with 2 separate strings that have to be stored separately in 2 safe places.
full member
Activity: 1204
Merit: 100
September 06, 2021, 06:05:35 PM
#15
I want to write my recovery words not in order and have another recovery card indicating the order of the words, and put them in different places. So I want to know: if someone found the recovery words, is it possible to make a script or something to test them and find the order of my recovery words? (I know this is possible, but I think the time spent is not worth doing this!)

So is it secure to write all the recovery words out of order (all original words) and have another key to order the recovery words?

thanks by the way
I think this way it does look like a puzzle, which can make whoever finds it try to solve it, expecting a lot from it, since it shows that you're trying to hide something. The idea that I thought of before is so simple, but it might be risky: it is just to switch positions of the words, 2nd is 1st and 1st is 2nd, 4th is 3rd and so on, and I just throw like 10 or 20 bucks in there, so whoever finds it would think they got it, and I don't think they would try to do anything else.
sr. member
Activity: 1764
Merit: 260
Binance #SWGT and CERTIK Audited
September 06, 2021, 04:41:21 PM
#14
I want to write my recovery words not in order and have another recovery card indicating the order of the words, and put them in different places. So I want to know: if someone found the recovery words, is it possible to make a script or something to test them and find the order of my recovery words? (I know this is possible, but I think the time spent is not worth doing this!)

So is it secure to write all the recovery words out of order (all original words) and have another key to order the recovery words?

thanks by the way
The time spent testing different orders of your seed phrase is worth it, especially if it "can" be generated by some computer programs on a lifetime scale of time, and especially if the wallet has lots of funds in it.
I agree, and I support the fact that the higher the count of your phrases, the harder it gets to decipher, as it takes a longer time and can't be easily brute forced by currently existing computers.
legendary
Activity: 3024
Merit: 2148
September 06, 2021, 04:06:31 PM
#13
Here's a better method.

1. Take your seed, replace the words with their positions in the word list.

2. Generate another random seed, do the same as step 1; this will be your key.

3. Add the numbers for each word together with modular arithmetic. For example, the first word in the seed is 1234 and the first word in the key is 999. The word list has 2048 words. So (1234+999) mod 2048 = 185.

4. Do this for all words to get your ciphertext which will be another list of words.

5. To decrypt you need to subtract the numbers of the key from the numbers of the ciphertext. If you get a negative number, you need to add this number to the modulus. For example 185-999 = -814 and then 2048-814 = 1234, the original number.

This method is a one-time pad: since the key is random and is as long as the message, the only way to crack it is to brute force it, which can't be done because it has the same security as the seed. So you can use it even with a 12 word seed.
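The index arithmetic from the steps above, and the off-by-one pitfall raised in post #16, worked as an added example (not code from the thread). It operates on BIP39 word indices (0..2047) so no word list is needed; the sample seed indices are constructed, and the `worked_example` function reuses the 1234 / 999 / 185 figures from the post.

```python
# Added example: the word-index one-time pad from post #13 on BIP39 indices 0..2047.
import secrets

WORDLIST_SIZE = 2048  # the BIP39 English list has 2048 words, indices 0..2047


def encrypt_indices(seed_idx, key_idx):
    """Steps 3 and 4: add seed and key indices word by word, modulo 2048."""
    if len(seed_idx) != len(key_idx):
        raise ValueError("key must have the same number of words as the seed")
    return [(s + k) % WORDLIST_SIZE for s, k in zip(seed_idx, key_idx)]


def decrypt_indices(cipher_idx, key_idx):
    """Step 5: subtract the key; Python's % already adds the modulus back for negatives."""
    if len(cipher_idx) != len(key_idx):
        raise ValueError("key must have the same number of words as the ciphertext")
    return [(c - k) % WORDLIST_SIZE for c, k in zip(cipher_idx, key_idx)]


def random_key(n_words):
    """Step 2: a fresh uniformly random key with one index per seed word (CSPRNG)."""
    return [secrets.randbelow(WORDLIST_SIZE) for _ in range(n_words)]


def worked_example():
    """Post #13's numbers: 1234 + 999 -> 185, and 185 - 999 = -814 -> 1234."""
    c = encrypt_indices([1234], [999])[0]
    p = decrypt_indices([185], [999])[0]
    return c, p


def off_by_one_demo(seed_idx, key_idx):
    """Post #16's failure mode (assumed scenario): the words were numbered 1-based when
    encrypting but 0-based when decrypting, so every recovered index is shifted by one
    and the result is a different seed. Returns (recovered == original, recovered)."""
    cipher = encrypt_indices([s + 1 for s in seed_idx], key_idx)  # 1-based lookup by mistake
    recovered = decrypt_indices(cipher, key_idx)                   # correct 0-based lookup
    return recovered == seed_idx, recovered


if __name__ == "__main__":
    seed = [1234, 0, 2047, 17]  # constructed sample indices, not a real seed
    key = random_key(len(seed))
    print(worked_example())
    print(decrypt_indices(encrypt_indices(seed, key), key) == seed)
    print(off_by_one_demo(seed, key))
```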
legendary
Activity: 1624
Merit: 1200
Gamble responsibly
September 06, 2021, 01:26:35 PM
#12
Depending on what you are looking to achieve, I think either a passphrase with 128 bits of security or a multi-sig set up of your choice are both superior to seed splitting, particularly once Taproot removes the financial penalty of multi-sig addresses.
I do not know the importance of seed phrase splitting aside from inheritance reasons: if I do not want my heir to know the amount of bitcoin stored, I can just go for the option of a Shamir seed phrase split. Aside from this reason, I cannot use it; they are even indicated as an experimental prototype, which is the reason it will be the last option I would go for. I would prefer to use multisig in most cases, or just add a passphrase to my seed phrase and save it separately from my seed phrase.
legendary
Activity: 2268
Merit: 18748
September 06, 2021, 07:41:08 AM
#11
I really don't like the seed splitting method. You are reducing the security to a minimum of 80 bits (depending on which card is found by an attacker), even with a 24 word seed phrase. I know we discussed in another thread recently regarding the incentive to attack seed phrases and how feasible it would be to crack 80 bits, but thinking long term this is not necessarily an unrealistic goal, particularly for a determined attacker and particularly as bitcoin's value increases.

Depending on what you are looking to achieve, I think either a passphrase with 128 bits of security or a multi-sig set up of your choice are both superior to seed splitting, particularly once Taproot removes the financial penalty of multi-sig addresses.
legendary
Activity: 2450
Merit: 4415
🔐BitcoinMessage.Tools🔑
September 06, 2021, 06:32:40 AM
#10
Has anyone heard about or tried in practice the Seed XOR method of seed phrase splitting previously? Personally, I haven't tried it yet but the reason it caught my attention is that the process of calculation can be done manually without additional online tools. You can split your real seed phrase into as many parts as you see fit, more importantly, you don't have to remember the right order to calculate it back because every order is right. These "fake" parts look like normal seed phrases and you can fund them with a small amount, which allows for plausible deniability. The only problem is that you have to keep all the parts safely because if you lose one you can't generate your original seed back. However, if you already have "working" seeds you can generate a new deterministic seed by XORing your existing phrases together.
legendary
Activity: 3038
Merit: 4418
Crypto Swap Exchange
September 05, 2021, 11:11:00 PM
#9
Your method is fine. It is about what you're trying to achieve. Are you sure that you can secure both of them, the seeds and the order, such that you'll never ever lose them? Losing either of them is equivalent to losing the whole seed.

I would recommend a split seed system, not something like SSS but a simpler one. IanColeman does this in the form of a mnemonic card: https://iancoleman.io/bip39/. You need at least two of the cards to be able to recover the seeds. Unlike SSS, an additional card gives you an easier time to brute-force it, but it is still both time and resource intensive.
legendary
Activity: 4466
Merit: 3391
September 05, 2021, 05:31:21 PM
#8
So if I mix a 24-word recovery seed phrase it will be OK, but a 12-word seed phrase is not secure with my method.

That is correct, because it takes 1,295,295,050,649,600 times longer to guess the order of a 24-word phrase than it takes to guess the order of a 12-word phrase, and if pooya87's estimate of a couple of seconds for a 12-word phrase is accurate, then it would take nearly a million centuries to find the order of a 24-word phrase.
legendary
Activity: 2268
Merit: 18748
September 05, 2021, 06:30:04 AM
#7
I don't know if someone who found 2 shares can hack it; to make sure, you have to try this challenge. I tried and can't do it. There is 1 BTC on an address, still there after over 1 year, which means the challenge hasn't been solved yet.
Shamir's secret sharing is designed in such a way so that if you have any number less than the threshold number of shares, it is the same as having no information at all. In that example, you need three shares to recover the secret. Having two shares provides absolutely no information, and is the same as having no shares at all. Anyone trying to break that will be trying to brute force every possible 12 word seed phrase, which is obviously impossible.

However, Shamir's secret sharing is generally a poor method and is not recommended for a number of reasons: https://en.bitcoin.it/wiki/Shamir_Secret_Snakeoil

So if I mix a 24-word recovery seed phrase it will be OK, but a 12-word seed phrase is not secure with my method.
Unscrambling 12 words is almost trivial while unscrambling 24 words is computationally impossible, provided no additional information, yes. But that does not mean this is a good way to back up your seed phrase or protect your wallets. If you are uncomfortable with simply backing up your seed phrase normally, then you should either use an additional passphrase or a multi-sig wallet, rather than trying to create your own method. I've lost track of the number of users who have come to the forum looking for help because they cannot recover from their own back ups after doing something non-standard like what you are proposing.
newbie
Activity: 3
Merit: 0
September 05, 2021, 04:18:44 AM
#6
It is easy to find the right order of the words, especially if the word count is small. For example, for the most used word count, which is a 12 word mnemonic, the permutations to check are 12! = 479,001,600, and it is trivial to check those in less than half an hour in the slowest way on a CPU, while a parallel GPU rig solves this in a couple of seconds.

Additionally, total permutations could be reduced to 1/16 if you automatically skip words which fail checksum. Checking checksum is computationally very cheap compared with generating an address from 12 words.

is this right?

It's correct, but don't forget the calculation is for 24 words; you should try it with 12 words.
So if I mix a 24-word recovery seed phrase it will be OK, but a 12-word seed phrase is not secure with my method.
newbie
Activity: 3
Merit: 0
September 05, 2021, 04:03:34 AM
#5
I want to write my recovery words not in order and have another recovery card indicating the order of the words, and put them in different places. So I want to know: if someone found the recovery words, is it possible to make a script or something to test them and find the order of my recovery words? (I know this is possible, but I think the time spent is not worth doing this!)

So is it secure to write all the recovery words out of order (all original words) and have another key to order the recovery words?

thanks by the way

DannyHamilton had this theory:
So, you have 24 words.

That means that you have 24 possibilities for the word in position number 1.

If you try each of those words in position number 1, that leaves 23 words to try in position number 2.

Try the first word, with each of the other 23 in the second position, then try the second word with each of the other 23 in the second position, then the third word with each of the other 23 in the second position and so on.

When you've done that, you'll have tried: 24 X 23 = 552 different possibilities.

Each of those 552 possibilities will have 22 remaining words that you can try in the third position.

So that's:
552 X 22 = 12144 possible combinations of 3 out of the 24 words.
(Notice that's the same as 24 X 23 X 22 = 12144)

Then for each of those 12144 possibilities will have 21 remaining words that you can try in the third position

That's:
12144 X 21 = 255024 possible combinations of 4 out of the 24 words.
(Notice that's the same as 24 X 23 X 22 X 21 = 255024)

Perhaps you can see now that as we continue, by the time you try all the 24 word combinations of 24 words, the pattern will repeat all the way to:
24 X 23 X 22 X 21 X 20 X 19 X 18 X 17 X 16 X 15 X 14 X 13 X 12 X 11 X 10 X 9 X 8 X 7 X 6 X 5 X 4 X 3 X 2 X 1 = ?
In maths that pattern is called a "factorial" and is represented as:
24!

If you do that multiplication, you'll find that the total number of combinations you'll have to try will be:
620448401733239439360000

That's about 6.2 X 10^23.

Lets assume that you have enough computing power to try 100 trillion combinations per second.

620448401733239439360000 combinations / 100000000000000 combinations per second = 6204484017 seconds.

Since there are 60 seconds in a minute, that is:
6204484017 seconds / 60 seconds per minute = 103408066 minutes.

There are 60 minutes in an hour, so:
103408066 minutes / 60 minutes per hour = 1723467 hours.

There are 24 hours in a day...
1723467 hours / 24 hours per day = 71811 days.

There are about 365.25 days per year...
71811 days / 365.25 days per year = 196.6 years.

If you actually had the ability to try 100 trillion combinations per second, then it's going to take you nearly 200 years of trying non-stop 24 hours a day to try all the combinations.

If the number of attempts you can make per second is less, then obviously it's going to take you longer than that.

link: https://bitcointalksearch.org/topic/m.21044932

is this right?
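The arithmetic quoted above (24 orderings, a rate of 100 trillion per second, about 196.6 years), pooya87's 12! figure, the 1,295,295,050,649,600 ratio from post #8 and the checksum point from posts #6 and #18 (only 1 in 16 orderings of 12 words, 1 in 256 of 24 words, even carry a valid BIP39 checksum) can all be checked in one place. This is an added example, not code from the thread; it works on BIP39 word indices (0..2047) rather than words, the sample seed is constructed from random entropy, and it checks only the checksum, which is the first ENT/32 bits of SHA-256 over the entropy.

```python
# Added example: size of the "scrambled seed" search space and the BIP39 checksum cut.
import hashlib
import math
import random


def indices_to_bits(indices):
    """Each BIP39 word index is 11 bits; concatenate them in the given order."""
    return "".join(format(i, "011b") for i in indices)


def checksum_ok(indices):
    """True if this ordering has a valid BIP39 checksum (4 bits for 12 words, 8 for 24)."""
    bits = indices_to_bits(indices)
    cs_len = len(bits) // 33
    ent_len = len(bits) - cs_len
    entropy = int(bits[:ent_len], 2).to_bytes(ent_len // 8, "big")
    digest_bits = "".join(format(b, "08b") for b in hashlib.sha256(entropy).digest())
    return bits[ent_len:] == digest_bits[:cs_len]


def make_valid_indices(n_words, rng):
    """Constructed sample seed: random entropy plus its correct checksum, as a wallet does."""
    cs_len = n_words * 11 // 33
    ent_bytes = (n_words * 11 - cs_len) // 8
    entropy = rng.getrandbits(ent_bytes * 8).to_bytes(ent_bytes, "big")
    ent_bits = "".join(format(b, "08b") for b in entropy)
    cs_bits = "".join(format(b, "08b") for b in hashlib.sha256(entropy).digest())[:cs_len]
    bits = ent_bits + cs_bits
    return [int(bits[i:i + 11], 2) for i in range(0, len(bits), 11)]


def surviving_fraction(indices, samples, rng):
    """Post #6's point: share of random re-orderings that still pass the checksum,
    i.e. the orderings that cannot be discarded by the cheap check."""
    hits = 0
    for _ in range(samples):
        perm = list(indices)
        rng.shuffle(perm)
        hits += checksum_ok(perm)
    return hits / samples


def search_space(n_words, rate_per_sec=1e14):
    """Post #5's arithmetic: n! orderings, years at the assumed rate, and the
    orderings left after the checksum filter (1/16 for 12 words, 1/256 for 24)."""
    perms = math.factorial(n_words)
    years = perms / rate_per_sec / (60 * 60 * 24 * 365.25)
    return perms, years, perms // (2 ** (n_words * 11 // 33))


def orderings_ratio(longer, shorter):
    """Post #8's figure: how many times more orderings the longer phrase has."""
    return math.factorial(longer) // math.factorial(shorter)


def demo(n_words, samples, seed_value):
    """Build a constructed seed, confirm it validates, measure the surviving fraction."""
    rng = random.Random(seed_value)  # fixed seed so the demo is reproducible
    idx = make_valid_indices(n_words, rng)
    return checksum_ok(idx), surviving_fraction(idx, samples, rng)


if __name__ == "__main__":
    print(demo(12, 2000, 7))   # fraction near 1/16
    print(demo(24, 2000, 7))   # fraction near 1/256
    print(search_space(24))    # (24!, about 196.6 years, 24! // 256)
    print(orderings_ratio(24, 12))
```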
legendary
Activity: 2366
Merit: 2054
September 05, 2021, 03:28:04 AM
#4
If your recovery card that indicates the order of the words were lost, that would leave you confused.

Another way: you can split your seed into 4 or more shares (with a threshold of 3) and write down the 4 shares in other places too. (Make sure you aren't careless.)

https://github.com/satoshilabs/slips/blob/master/slip-0039.md
https://iancoleman.io/slip39/
https://wiki.trezor.io/Shamir_Backup

I don't know if someone who found 2 shares can hack it; to make sure, you have to try this challenge. I tried and can't do it. There is 1 BTC on an address, still there after over 1 year, which means the challenge hasn't been solved yet.
legendary
Activity: 2534
Merit: 6080
Self-proclaimed Genius
September 05, 2021, 02:56:08 AM
#3
IMO, adding a BIP39 passphrase is a better solution; info: https://en.bitcoin.it/wiki/Seed_phrase#Two-factor_seed_phrases
Your seed phrase on your main backup, and the passphrase on the other backup.
legendary
Activity: 3472
Merit: 10611
September 05, 2021, 02:15:18 AM
#2
It is easy to find the right order of the words, especially if the word count is small. For example, for the most used word count, which is a 12 word mnemonic, the permutations to check are 12! = 479,001,600, and it is trivial to check those in less than half an hour in the slowest way on a CPU, while a parallel GPU rig solves this in a couple of seconds.

This is exactly why you should never "invent" your own cryptography.
newbie
Activity: 3
Merit: 0
September 05, 2021, 02:08:38 AM
#1
I want to write my recovery words not in order and have another recovery card indicating the order of the words, and put them in different places. So I want to know: if someone found the recovery words, is it possible to make a script or something to test them and find the order of my recovery words? (I know this is possible, but I think the time spent is not worth doing this!)

So is it secure to write all the recovery words out of order (all original words) and have another key to order the recovery words?

thanks by the way