
Topic: The best passphrase (Read 698 times)

legendary
Activity: 2590
Merit: 2348
December 03, 2023, 02:42:43 PM
#44
I have been thinking of the best way of adding a passphrase to a wallet I want to create, but I do not know the passphrase I can use that will be impossible to brute force.

What comes to my mind is generating a seed phrase which I will use as a passphrase. Open Electrum wallet, have the wallet create another seed phrase for me, and add a passphrase to it, which is the first seed phrase another wallet created for me.

The first seed phrase is my passphrase
The second seed phrase is my seed phrase
The second seed phrase and my passphrase (first seed phrase) create private keys and addresses for me which should be safer than just using a seed phrase without passphrase.

I am thinking of the way to use the passphrase, which one is difficult to brute force? By writing the words together and not giving space in between, or by separating the words?

This should be a secure wallet if I do not have the seed phrase backup together with the passphrase but differently. I am thinking if seed phrase with space is secure enough, it should also be secure if used as passphrase?

Are there other ways to have a more secure passphrase, in a way the world would have gone extinct before anyone can brute force it?
I don't think it's a very bad idea tbh even if it prevents the ability of being memorized for a long time like a common passphrase, but since you don't need any checksum computation for it, why use a computer and software (along with an OS), potentially infected or bugged, without being sure of their reliability, while you can use a safe way to do that and hence add robustness to your seed? If I were you, I would just use physical dice in order to randomly pick words from the BIP39 list. The list is numbered. https://github.com/bitcoin/bips/blob/master/bip-0039/english.txt
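One way to carry out the dice suggestion above without biasing the selection, as an added example that is not part of the thread: five rolls give 7776 outcomes, groups landing at or above 6144 are re-rolled, and the rest map evenly onto the 2048 numbered lines of english.txt. The five-dice grouping and all function names are assumptions of this example.

```python
import math

WORDS = 2048                 # lines in the BIP39 English word list
DICE_PER_WORD = 5            # 6**5 = 7776 outcomes per group of rolls
# Largest multiple of 2048 that fits in 7776; outcomes at or above it are rejected.
LIMIT = (6 ** DICE_PER_WORD // WORDS) * WORDS   # 6144


def rolls_to_line(rolls):
    """Map one group of five rolls (each 1-6) to a 1-based line of english.txt.

    Returns None when the group must be re-rolled.
    """
    if len(rolls) != DICE_PER_WORD or any(r not in range(1, 7) for r in rolls):
        raise ValueError("need exactly five rolls, each between 1 and 6")
    value = 0
    for r in rolls:                      # read the rolls as a base-6 number
        value = value * 6 + (r - 1)
    if value >= LIMIT:
        return None                      # keeping these would favour low line numbers
    return value % WORDS + 1


def pick_lines(all_rolls, n_words):
    """Consume rolls in groups of five until n_words lines are accepted."""
    lines = []
    for i in range(0, len(all_rolls) - DICE_PER_WORD + 1, DICE_PER_WORD):
        line = rolls_to_line(all_rolls[i:i + DICE_PER_WORD])
        if line is not None:
            lines.append(line)
        if len(lines) == n_words:
            return lines
    raise ValueError("not enough accepted groups; roll more dice")


def passphrase_bits(n_words):
    """Entropy of n independently chosen words: 11 bits each."""
    return n_words * math.log2(WORDS)


if __name__ == "__main__":
    # Constructed sample rolls: the middle group (all sixes) is rejected.
    sample = [1, 1, 1, 1, 1, 6, 6, 6, 6, 6, 5, 5, 3, 4, 1]
    print("lines to look up:", pick_lines(sample, 2))
    print("acceptance rate per group:", LIMIT / 6 ** DICE_PER_WORD)
    print("bits for 12 words:", passphrase_bits(12))
```

About 79% of groups are accepted, so expect roughly 6 to 7 rolls per word on average.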
sr. member
Activity: 406
Merit: 896
December 03, 2023, 01:22:14 PM
#43
Ps. I am not sure whether all these 93 characters can be used but if I recall correctly they can, I am just busy at the moment and I can't check online. If someone could confirm this please
BIP39 actually specifies that any passphrase will be normalized to UTF-8 NFKD, so you can actually have a character set in the tens of thousands if you wanted, provided your wallet software supports these characters, and use any unicode character such as ½, Ü, or ←.

I wouldn't recommend going down this route, however, since there are a lot of unicode characters that look very similar or even identical, and would obviously lead to completely different wallets if confused. For example A, A and A are all different characters (Latin, Greek, and Cyrillic).

Yeah, I wouldn't go down this path.

The dataset I will use is:

A - Z (excluding O and I) -> 24 characters
a - z (excluding l) -> 25 characters
0 - 9 (excluding 0) -> 9 characters
@#$%^&* -> 7 characters

So in total I have 65 characters.

I plan to go for more than 20 characters long passphrases, which will give me ENTROPY > ln(65^20)/ln(2) ~= 120 bits.

I will collect random data using the following command:

Code:
cat /dev/urandom | tr -dc 'ABCDEFGHJKLMNPQRSTUVWXYZ123456789abcdefghijkmnopqrstuvwxyz@#$%^&*' | fold -w 20 | head -n 1
legendary
Activity: 2268
Merit: 18509
December 03, 2023, 12:53:54 PM
#42
Ps. I am not sure whether all these 93 characters can be used but if I recall correctly they can, I am just busy at the moment and I can't check online. If someone could confirm this please
BIP39 actually specifies that any passphrase will be normalized to UTF-8 NFKD, so you can actually have a character set in the tens of thousands if you wanted, provided your wallet software supports these characters, and use any unicode character such as ½, Ü, or ←.

I wouldn't recommend going down this route, however, since there are a lot of unicode characters that look very similar or even identical, and would obviously lead to completely different wallets if confused. For example A, A and A are all different characters (Latin, Greek, and Cyrillic).
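The normalization behaviour described in this post, as an added example that is not part of the thread: BIP39 seed derivation (NFKD, then PBKDF2-HMAC-SHA512 with salt "mnemonic" + passphrase) in Python, showing which passphrase variants collapse to one wallet and which do not. The mnemonic and passphrases are constructed samples, and `same_wallet` and `non_ascii_report` are hypothetical helper names.

```python
import hashlib
import unicodedata

# Constructed sample: the public all-"abandon" BIP39 test mnemonic. Never fund it.
MNEMONIC = "abandon " * 11 + "about"


def bip39_seed(mnemonic, passphrase=""):
    """BIP39 seed: PBKDF2-HMAC-SHA512, 2048 rounds, 64 bytes out.

    Both inputs are NFKD-normalized and UTF-8 encoded; the salt is the
    literal string "mnemonic" followed by the passphrase.
    """
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, dklen=64)


def same_wallet(pass_a, pass_b):
    """True if two passphrases give the same seed for the sample mnemonic."""
    return bip39_seed(MNEMONIC, pass_a) == bip39_seed(MNEMONIC, pass_b)


def non_ascii_report(passphrase):
    """Name every character outside printable ASCII, for review before backup."""
    return [
        f"U+{ord(ch):04X} {unicodedata.name(ch, 'UNNAMED')}"
        for ch in passphrase
        if not 0x20 <= ord(ch) <= 0x7E
    ]


if __name__ == "__main__":
    # Precomposed U-umlaut vs. U + combining diaeresis: NFKD makes them equal.
    print("U+00DC vs U+0055 U+0308:", same_wallet("\u00dc", "U\u0308"))
    # Latin, Greek and Cyrillic capital A look alike but stay distinct.
    for name, ch in (("Greek", "\u0391"), ("Cyrillic", "\u0410")):
        print(f"Latin A vs {name} A:", same_wallet("A", ch))
    # A space is a character like any other: spaced and unspaced words differ.
    print("'correct horse' vs 'correcthorse':", same_wallet("correct horse", "correcthorse"))
    print(non_ascii_report("P\u0410ss"))
```

Running `non_ascii_report` on a passphrase before writing it down surfaces look-alike characters that a paper backup cannot distinguish.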
sr. member
Activity: 406
Merit: 896
December 03, 2023, 11:05:50 AM
#41
By the way, my conversation with o_e_l_e_o above intrigued me and I started reading some papers in regards with bitcoin's security level. I will not add them here, but I will, instead, add this topic I found https://bitcointalksearch.org/topic/bitcoins-public-key-security-level-2859033 which explains what o_e_l_e_o said above in more details, in case anyone is interested.
sr. member
Activity: 406
Merit: 896
December 03, 2023, 10:51:08 AM
#40
All 95 printable ASCII characters can be used for a passphrase.

Here is a screenshot taken from electrum.



Brilliant! Thank you, so my numbers will change slightly (in decimal range). The bits will remain the same even with 95 instead of 93 available characters.
legendary
Activity: 2380
Merit: 5213
December 03, 2023, 10:47:26 AM
#39
Combining all the possible printable characters from the ASCII table (93 in total) will give the following entropy (in bits):
There are 95 printable ASCII characters.

Code:
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
(whitespace is also included)


Ps. I am not sure whether all these 93 characters can be used but if I recall correctly they can, I am just busy at the moment and I can't check online. If someone could confirm this please
All 95 printable ASCII characters can be used for a passphrase.

Here is a screenshot taken from electrum.

legendary
Activity: 4102
Merit: 7765
'The right to privacy matters'
December 03, 2023, 10:44:30 AM
#38
The combination of several capital letters, lower case letters, several numbers and several characters with a total of 10 to 15, for me is strong enough to be used as a password and passphrase. Using this combination makes it easier for me to remember a time.
For one device and another I use different, but not more than two passphrases.


Combining all the possible printable characters from the ASCII table (93 in total) will give the following entropy (in bits):

For 10 total characters: 65 bits
For 15 total characters: 98 bits

So I suggest you use anything larger than 15 characters to get a good entropy.

Ps. I am not sure whether all these 93 characters can be used but if I recall correctly they can, I am just busy at the moment and I can't check online. If someone could confirm this please

Some websites restrict the non-number, non-letter symbols.
@ and * are restricted on a few websites I use.

sr. member
Activity: 406
Merit: 896
December 03, 2023, 10:16:03 AM
#37
The combination of several capital letters, lower case letters, several numbers and several characters with a total of 10 to 15, for me is strong enough to be used as a password and passphrase. Using this combination makes it easier for me to remember a time.
For one device and another I use different, but not more than two passphrases.


Combining all the possible printable characters from the ASCII table (93 in total) will give the following entropy (in bits):

For 10 total characters: 65 bits
For 15 total characters: 98 bits

So I suggest you use anything larger than 15 characters to get a good entropy.

Ps. I am not sure whether all these 93 characters can be used but if I recall correctly they can, I am just busy at the moment and I can't check online. If someone could confirm this please
sr. member
Activity: 322
Merit: 306
Farewell LEO o_e_l_e_o
December 03, 2023, 09:22:35 AM
#36
The combination of several capital letters, lower case letters, several numbers and several characters with a total of 10 to 15, for me is strong enough to be used as a password and passphrase. Using this combination makes it easier for me to remember a time.
For one device and another I use different, but not more than two passphrases.
legendary
Activity: 2268
Merit: 18509
December 03, 2023, 05:16:40 AM
#35
Yes exactly, just pointing out that brute forcing a public key is pretty much beyond the realms of "theoretically" as well, given how much energy it would require.
sr. member
Activity: 406
Merit: 896
December 03, 2023, 05:11:15 AM
#34
The PK can be theoretically brute forced regardless of the wallet setup by brute forcing 128 bits
I think the point to understand is that 128 bits of security will not be brute forced. The energy required to brute force a single key with 128 bits of security would boil all the oceans on Earth 16,384 times. So until we can construct a Dyson sphere to harvest the entire energy output of the sun, 128 bits is quite safe.

With that in mind, then all the additional security options we have - passphrases, multi-sigs, etc. - are not designed to increase this 128 bits of security (and indeed, as I've explained above, they can't. The final security of a bitcoin private key will never be more than 128 bits.) Rather, they are designed to protect against human error, compromised devices, viruses and malware, and so on.

Yeap that is exactly the point I made above, isn't it? I just ask to verify that I have understood properly.
legendary
Activity: 2268
Merit: 18509
December 03, 2023, 05:07:57 AM
#33
The PK can be theoretically brute forced regardless of the wallet setup by brute forcing 128 bits
I think the point to understand is that 128 bits of security will not be brute forced. The energy required to brute force a single key with 128 bits of security would boil all the oceans on Earth 16,384 times. So until we can construct a Dyson sphere to harvest the entire energy output of the sun, 128 bits is quite safe.

With that in mind, then all the additional security options we have - passphrases, multi-sigs, etc. - are not designed to increase this 128 bits of security (and indeed, as I've explained above, they can't. The final security of a bitcoin private key will never be more than 128 bits.) Rather, they are designed to protect against human error, compromised devices, viruses and malware, and so on.
sr. member
Activity: 406
Merit: 896
December 02, 2023, 12:59:47 PM
#32
...

Fascinating! Therefore, one can argue that security is only set in danger by human mistake. Even with multisig, or strong passphrase etc, the security level is technically equal. But, human error can lead to losses. So we have transitioned our focus to providing solutions that avoid human mistakes, not to solutions that add more security in terms of bits. The PK can be theoretically brute forced regardless of the wallet setup by brute forcing 128 bits
legendary
Activity: 2268
Merit: 18509
December 02, 2023, 12:49:03 PM
#31
According to this, adding the passphrase is a protection measure only if someone steals the seed phrase, so you can make sure they would never guess the passphrase.
Correct.

But, theoretically, an attacker that brute forces bit-by-bit could generate 128 bits that would lead to the exact same private key that the wallet of 12 words seed + 128 bits passphrase would create, correct?
An attacker brute forcing from scratch (not that anyone would ever do this) would either be generating 256 bit private keys or 128 bit seed phrases. But actually, every seed phrase can generate every possible address if you put in the "right" derivation path.

And if so, this also applies to example I provided with the multisig, correct?
Yes. There will be literally trillions and trillions of scripts out there which will give the same script hash as your multi-sig script and therefore could unlock your coins. But just like standard addresses, the search space is so astronomically large that a collision will never happen.
sr. member
Activity: 406
Merit: 896
December 02, 2023, 12:26:13 PM
#30
The maximum security provided by a 256 bit private key on the secp256k1 curve is 128 bits. This is because the most efficient way to attack a 256 bit private key is not brute force, but by solving the ECDLP, which will take on average 2^128 operations. So all bitcoin private keys, regardless of how much entropy was used to generate them, will never provide more than 128 bits of security.

You can see this in Standards for Efficient Cryptography. SEC 2: Recommended Elliptic Curve Domain Parameters. (Table at the bottom of page 4.)

According to this, adding the passphrase is a protection measure only if someone steals the seed phrase, so you can make sure they would never guess the passphrase.

But, theoretically, an attacker that brute forces bit-by-bit could generate 128 bits that would lead to the exact same private key that the wallet of 12 words seed + 128 bits passphrase would create, correct?

And if so, this also applies to the example I provided with the multisig, correct?
legendary
Activity: 2268
Merit: 18509
December 02, 2023, 12:18:28 PM
#29
Ok this causes confusion. Would you please elaborate?
The maximum security provided by a 256 bit private key on the secp256k1 curve is 128 bits. This is because the most efficient way to attack a 256 bit private key is not brute force, but by solving the ECDLP, which will take on average 2^128 operations. So all bitcoin private keys, regardless of how much entropy was used to generate them, will never provide more than 128 bits of security.

You can see this in Standards for Efficient Cryptography. SEC 2: Recommended Elliptic Curve Domain Parameters. (Table at the bottom of page 4.)

Let's say I have a 2-of-2 multisig. Let's say both of the cosigners have 12 word seed phrases. Is the final security 256 bits? (128 + 128)
No. The most efficient way to attack a 2-of-2 P2WSH multi-sig would not be to attack both individual private keys, but to find any other script which has a collision with the SHA256 of your P2WSH multi-sig script. Given the script hash is the digest of a single SHA256, then again, you would expect to find a collision in 2^128 operations on average.

Also if I have a wallet with 12 words seed phrase and a passphrase of 128 bits.
Still 128 bits. :)
sr. member
Activity: 406
Merit: 896
December 02, 2023, 11:48:34 AM
#28

Technically yes, but the final security of your private keys won't be any more than 128 bits.


Ok this causes me confusion. Would you please elaborate?

I also had another question:

Let's say I have a 2-of-2 multisig. Let's say both of the cosigners have 12 word seed phrases. Is the final security 256 bits? (128 + 128)

Also if I have a wallet with 12 words seed phrase and a passphrase of 128 bits. Is the final security 256 bits? You said it's not, but I would love it if you could explain.

Is the security of the 2 wallets equal?
legendary
Activity: 2268
Merit: 18509
December 02, 2023, 11:32:41 AM
#27
1. Are my calculations correct?
Yes. 10^30 is 99.66 bits.

2. What is the threshold above which the passphrase is secure? 100 bits? More?
Personally I would opt for 128 bits for obvious reasons, but 100 bits is probably secure enough.

3. Is it correct to say that my wallet is derived from 228 bits of entropy in total?
Technically yes, but the final security of your private keys won't be any more than 128 bits.

4. Is it better (in your opinion) to use characters that are easily read and written down? For example is it better to avoid 0, O, I, l? Base58 does that, so I guess it's better to avoid these. However, when you write down the passphrase on paper you can use hand lettering for lowercase L etc.
If your writing is such that these characters are obviously different, then you don't need to. If you are concerned about confusing these characters, then by all means drop them from your character set.
sr. member
Activity: 406
Merit: 896
December 02, 2023, 11:20:29 AM
#26
Question:

a seed phrase of 12 words offers 128 bits of entropy.

Let's say that I add a passphrase of 30 numbers from 0 to 9. This is just an example.

If my calculations are correct, this will add approximately 100 bits of entropy. I did: ln(10^30)/ln(2)

Assuming that the numbers are generated from a valid entropy source:

1. Are my calculations correct?
2. What is the threshold above which the passphrase is secure? 100 bits? More?
3. Is it correct to say that my wallet is derived from 228 bits of entropy in total?
4. Is it better (in your opinion) to use characters that are easily read and written down? For example is it better to avoid 0, O, I, l? Base58 does that, so I guess it's better to avoid these. However, when you write down the passphrase on paper you can use hand lettering for lowercase L etc.
copper member
Activity: 1610
Merit: 1899
Amazon Prime Member #7
April 10, 2022, 02:13:53 PM
#25
Similarly, if someone is able to cause you to use flawed RNG to generate one seed, they can do the same for the other seed, although in this case, they may not know you are using two seeds this way.
That's a fair point, but I think it is a very unlikely method of attack. If someone is able to infiltrate both your home and your computer in order to plant some malware on your airgapped device to generate non-random seed phrases, then it is far more likely that they would simply steal your coins while they were there, plant a keylogger for your decryption key, $5 wrench attack you, etc.

Although it does raise another point, that using the same piece of software to generate both seed phrases does leave you open to flaws in that software, which I think is a far more likely attack vector. That would probably be a good reason not to use a seed phrase as a passphrase.
I was just using flawed RNG as an example. In bitcoin's early days, flawed RNG was implemented on android phones, which caused private keys to be generated in a small range of numbers -- too large for there to reasonably be collisions, but small enough for malicious actors to generate large numbers of private keys in the hopes of finding one with unspent coin. Android phones are not air-gapped computers, but this goes to your point about flawed software.
