
Topic: The best passphrase - page 2. (Read 698 times)

legendary
Activity: 2268
Merit: 18509
April 09, 2022, 03:31:52 PM
#24
The collisions you are referring to have basically a zero percent chance that two seeds will be generated as you describe.
Absolutely, but brute forcing a seed phrase from scratch also has a zero percent chance of happening. A passphrase does not change that, nor was it ever designed to.

Similarly, if someone is able to cause you to use flawed RNG to generate one seed, they can do the same for the other seed, although in this case, they may not know you are using two seeds this way.
That's a fair point, but I think it is a very unlikely method of attack. If someone is able to infiltrate both your home and your computer in order to plant some malware on your airgapped device to generate non-random seed phrases, then it is far more likely that they would simply steal your coins while they were there, plant a keylogger for your decryption key, $5 wrench attack you, etc.

Although it does raise another point, that using the same piece of software to generate both seed phrases does leave you open to flaws in that software, which I think is a far more likely attack vector. That would probably be a good reason not to use a seed phrase as a passphrase.
copper member
Activity: 1610
Merit: 1899
Amazon Prime Member #7
April 09, 2022, 02:08:45 PM
#23
I might point out that a passphrase is only ever going to give you incremental additional security. A properly generated, random seed is already ~impossible to brute force with current technology, and it is very unlikely future technology will ever be able to brute force a randomly generated seed.
The protection offered by a passphrase has never been against brute forcing of a seed phrase from scratch - all the addresses generated by your passphrased wallet will also be generated at some derivation path by some other non-passphrased seed phrase.
The collisions you are referring to have basically a zero percent chance that two seeds will be generated as you describe. The chances are less than that of generating two private keys associated with the same address because flawed RNG will not cause these types of collisions.

If an adversary is somehow able to discover your seed, it is likely they can also discover your second seed which is your passphrase.
Why? I would not say this is likely by any means, and definitely not immediately, unless you have stored both seed phrase and passphrase physically next to each other. If someone accidentally stumbles on one, there is no guarantee at all that they would be able to find the other provided it is well secured somewhere else.
Sure, if someone "accidentally" discovers one seed, they may not discover the other, although this would certainly be a sign that you are being careless in protecting your seeds.

If someone is actively looking for your seeds, if they are able to breach your countermeasures for one seed, they should be able to breach your countermeasure on the other seed. Similarly, if someone is able to cause you to use flawed RNG to generate one seed, they can do the same for the other seed, although in this case, they may not know you are using two seeds this way.
legendary
Activity: 2268
Merit: 18509
April 09, 2022, 09:03:53 AM
#22
On average, trying to brute force a wallet with 12 words (12! = 479,001,600) is a waste of time
Also worth pointing out that 12 scrambled words (12! combinations) is very easy to brute force and can be done in under an hour on even modest hardware.

I might point out that a passphrase is only ever going to give you incremental additional security. A properly generated, random seed is already ~impossible to brute force with current technology, and it is very unlikely future technology will ever be able to brute force a randomly generated seed.
The protection offered by a passphrase has never been against brute forcing of a seed phrase from scratch - all the addresses generated by your passphrased wallet will also be generated at some derivation path by some other non-passphrased seed phrase.

If an adversary is somehow able to discover your seed, it is likely they can also discover your second seed which is your passphrase.
Why? I would not say this is likely by any means, and definitely not immediately, unless you have stored both seed phrase and passphrase physically next to each other. If someone accidentally stumbles on one, there is no guarantee at all that they would be able to find the other provided it is well secured somewhere else.

Six to eight random words are enough for a secure passphrase according to Andreas Antonopoulos himself. If you have an English-to-English dictionary such as an Oxford or a Longman, you can just randomly open pages and put your fingers on random words that you can use to construct your passphrase. Any other book would work as well really.
A better option would be to use diceware.
legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
April 09, 2022, 03:44:30 AM
#21
Six to eight random words are enough for a secure passphrase according to Andreas Antonopoulos himself. If you have an English-to-English dictionary such as an Oxford or a Longman, you can just randomly open pages and put your fingers on random words that you can use to construct your passphrase. Any other book would work as well really.   
legendary
Activity: 3430
Merit: 10505
April 09, 2022, 12:03:11 AM
#20
In the case the seed phrase has been generated by electrum, it provides 132 bits of entropy, not 128.
There is no checksum in the seed phrase generated by electrum.
The seed is 132 bits but there is also a checksum inside the seed itself, in a way it is hidden.
Unlike BIP39 that simply concatenates the hash to the entropy, Electrum brute forces its seeds to find an entropy that would produce a hash that starts with certain bits indicating its version. This acts as a checksum.
You can see the loop here: https://github.com/spesmilo/electrum/blob/837fc1606cc83f99f8493c050b384cfcbb6c2835/electrum/mnemonic.py#L206-L220
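The grinding loop described in post #20, as an added sketch that is neither code from the post nor Electrum's own: it increments an integer until the HMAC-SHA512 of the encoded phrase (keyed with `b"Seed version"`) starts with a version prefix, then shows why that prefix works as a checksum. Assumptions: the wordlist is a constructed placeholder rather than the real 2048-word list, the text normalisation is simplified, the prefixes `"100"` and `"01"` are taken as the segwit and standard version values, and `surviving_typos` is a hypothetical helper.

```python
import hashlib
import hmac
import secrets
import unicodedata

# Constructed placeholder wordlist (NOT the real 2048-word list Electrum ships).
WORDS = [f"w{i:04d}" for i in range(2048)]
BITS_PER_WORD = 11          # log2(2048)
NUM_BITS = 132              # 12 words * 11 bits, the figure quoted in the thread
PREFIX_SEGWIT = "100"       # assumed hex version prefix for segwit seeds


def normalize(phrase: str) -> str:
    """Simplified stand-in for Electrum's text normalisation."""
    return " ".join(unicodedata.normalize("NFKD", phrase).lower().split())


def version_hex(phrase: str) -> str:
    """HMAC-SHA512 keyed with b'Seed version' over the normalised phrase."""
    return hmac.new(b"Seed version", normalize(phrase).encode("utf8"),
                    hashlib.sha512).hexdigest()


def is_valid_seed(phrase: str, prefix: str = PREFIX_SEGWIT) -> bool:
    """A phrase is accepted only if its HMAC starts with the version prefix."""
    return version_hex(phrase).startswith(prefix)


def encode(i: int) -> str:
    """Write the integer in base 2048, least significant word first."""
    words = []
    while i:
        i, x = divmod(i, len(WORDS))
        words.append(WORDS[x])
    return " ".join(words)


def make_seed(prefix: str = PREFIX_SEGWIT, start=None):
    """Grind: bump the integer until the phrase's HMAC starts with `prefix`."""
    entropy = start
    # Draw fresh randomness if no start was given or it would encode too few words.
    while entropy is None or entropy < 2 ** (NUM_BITS - BITS_PER_WORD):
        entropy = secrets.randbelow(2 ** NUM_BITS)
    nonce = 0
    while True:
        nonce += 1
        phrase = encode(entropy + nonce)
        # Electrum also skips phrases that parse as old-style or BIP39 seeds;
        # those checks are omitted in this sketch.
        if is_valid_seed(phrase, prefix):
            return phrase, nonce


def surviving_typos(phrase: str, prefix: str = PREFIX_SEGWIT) -> int:
    """Count single-word substitutions in the first slot that still validate."""
    first, *rest = phrase.split()
    return sum(is_valid_seed(" ".join([w, *rest]), prefix)
               for w in WORDS if w != first)


if __name__ == "__main__":
    seed, tries = make_seed()
    print(seed, "| attempts:", tries)
    print("typos accepted:", surviving_typos(seed), "of", len(WORDS) - 1)
```

Passing `start` makes the run reproducible for testing only; a real seed must come from the CSPRNG branch.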
copper member
Activity: 1610
Merit: 1899
Amazon Prime Member #7
April 08, 2022, 05:07:16 PM
#19
By writing the words together and not giving space in between, or by separating the words?
If you are going to access your passphrase via looking at a written backup, it is probably best to have spaces between the words, even if there are not spaces in your passphrase. The reason being is that it will be much easier to type a series of words than a long string of characters.


I might point out that a passphrase is only ever going to give you incremental additional security. A properly generated, random seed is already ~impossible to brute force with current technology, and it is very unlikely future technology will ever be able to brute force a randomly generated seed.

If an adversary is somehow able to discover your seed, it is likely they can also discover your second seed which is your passphrase. Granted, storing small amounts of coin in both seeds may make an adversary believe they have found all the coin there is to find, however, if you have only stored a small amount of coin and have taken elaborate steps to protect your seeds, an adversary may not believe the decoy amounts are all that is stored by the two seeds they find.
legendary
Activity: 2380
Merit: 5213
April 08, 2022, 03:01:42 PM
#18
(12! = 479,001,600)
There are 12! combinations if there are 12 known words and there are no duplicate words in the seed phrase.

2^128
In the case the seed phrase has been generated by electrum, it provides 132 bits of entropy, not 128.
There is no checksum in the seed phrase generated by electrum.


I think 24 words would be longer without much benefit so far 12 words of seed phrase is safe enough,
Right. With increasing number of the words to more than 12, you don't really increase the security of your fund.
For example, a 15 word BIP39 seed phrase provides 160 bits of entropy. (165 bits of entropy if it has been generated by electrum)
Instead of trying to brute-force your seed phrase, the hacker can try to brute-force your private key which provides 128 bits of entropy.
hero member
Activity: 868
Merit: 1094
April 08, 2022, 02:30:38 PM
#17
On average, trying to brute force a wallet with 12 words (12! = 479,001,600) is a waste of time (a possible combination of 2^128 = 340,282,366,920,938,463,463,374,607,431,768,211,456) so if you want more security, use 24 words.

You can add words, but then you will increase the risk of losing one, which may mean wasting your money if the words become too many.
So 24 words is enough to avoid a brute force attack.
I think 24 words would be longer without much benefit so far 12 words of seed phrase is safe enough, I am not saying the difficulty required to brute force 24 words is not more than 12 words but to brute force 12 words is unlikely. 12 words is also enough to avoid brute force attack too which should be a reason no necessary need of using 24 words.
legendary
Activity: 2492
Merit: 3612
April 08, 2022, 08:59:17 AM
#16
On average, trying to brute force a wallet with 12 words (12! = 479,001,600) is a waste of time (a possible combination of 2^128 = 340,282,366,920,938,463,463,374,607,431,768,211,456) so if you want more security, use 24 words.

You can add words, but then you will increase the risk of losing one, which may mean wasting your money if the words become too many.
So 24 words is enough to avoid a brute force attack.
staff
Activity: 3248
Merit: 4110
April 08, 2022, 07:25:15 AM
#15
The biggest issue with security is balance. Balancing convenience and security is one of the big problems of today. Unfortunately, we take it to the extremes, whatever end of the spectrum you might be. If you're security conscious, you probably overcompensate, which reduces the convenience, or if you are like your average internet user, you likely take convenience over security, and therefore are at risk of being compromised.

I can't tell you the right balance, since everyone has a different threat model. However, I can at least give my rationalisation about why balance is important.

It is not a complicated process for me
While that might be true, since the information is fairly easy to remember. How convenient is it for you? For example, if this is for a cold wallet then the inconvenience it requires to enter that passphrase might be mitigated enough to not worry about it much. However, if it was a somewhat hot wallet, you needed to access it frequently then entering that long of a passphrase could potentially be annoying. I know you're probably going to be using this for an offline wallet, so I suspect it is mitigated. However, there's a point in which a longer password doesn't necessarily bring much of a security benefit.

I agree with o_e_l_e_o that an overcomplicated, inconvenient passphrase is much better than an insecure setup. Though, let's say you have 50 characters as an example, that would be plenty enough for most situations, barring that it hasn't been generated from a famous quote etc. If it's randomly generated 50 characters, then you're probably good. Whereas, adding an additional 50 to take it up to 100, would technically increase the entropy, right. Although, in reality the attack possibilities of a 50 character passphrase is already quite small, and adding 50 onto it with current techniques and technology wouldn't make much of a difference at all.

I don't use this method, as I prefer complex and random passphrases which could be a password or passphrase to anything rather than obviously being related to cryptocurrency, but it is still an acceptable method and far more secure than the single word or simple human generated password that many people use as their passphrase.
Underrated remark. If you're backing up your passphrases on paper, wherever you might store that, don't label it as "BITCOIN PASSWORD TO MY MEGA WALLET", because if a malicious attacker theoretically gained access to that piece of paper they would have a field day. However, if you've written your backup down in such a way that they wouldn't be able to immediately determine it's for a Bitcoin wallet, then that's part of the entropy.

Again, security, and convenience right? Since, if you forget what that backup phrase is for, you could be potentially in trouble.
legendary
Activity: 2954
Merit: 1159
April 06, 2022, 07:43:47 PM
#14

Is there others ways to have a more secure passphrase in a way the world would have extinct before anyone can brute force it.

Even if you use the default passphrase, it should be secure enough and no one can brute force it. I think you are anticipating that in the future quantum computers may be able to brute force our passphrases and seeds, but I don't think this will happen in our lifespan. I would suggest you not to make things complicated, keep the default passphrases and focus on how to keep these passphrases secure.
hero member
Activity: 868
Merit: 1094
April 06, 2022, 08:55:42 AM
#13
It is not a complicated process for me, what if I want to use 2-of-2 multisig, I will still need two seed phrase that would be created, the two have to be protected. I am only having two seed phrase, one will not be used for seed phrase but for passphrase. If I use a strong passphrase, I can not remember, if the backup is lost, it is lost forever in a way I can no more access my coins anytime I want wallet recovery. If I can backup the passphrase and seed phrase differently, have three backup, it is good option for me. I do not see difference between a passphrase I created myself that I do not remember but backup and a seed phrase that I use as passphrase that I backup. Thank you all for your suggestions.
legendary
Activity: 2268
Merit: 18509
April 05, 2022, 07:57:07 AM
#12
I don't understand why would you overcomplicate things doing shenanigans like this... making it very hard to recover in case you forget your order.
If the passphrase is written down on paper as it should be, then it will be no more complicated than storing a seed phrase and no more difficult to recover.

Plain strong passphrase made of multiple words with numbers and space combinations is very hard if not impossible to break (if done correctly).
As is a seed phrase, with the added bonus that a seed phrase is much easier to write down and restore from without making any unrecoverable mistakes.

For testing purposes, try generating passphrase in KeePass with and without spaces and check out results you will get ;)
It is definitely irrelevant. Let's assume the weakest possible seed phrase of 12 words, with each word having only 3 characters, for 36 characters in total without spaces, and 47 with spaces.

An attacker who knows nothing about your seed phrase and brute forces all possible ASCII combinations of the relevant number of characters will be looking at ~237 bits without spaces and ~309 bits with spaces. Both impossible.
If they know you are only using lower case letters, then it becomes ~169 bits without spaces and ~223 bits with spaces. Both impossible.
If they know you are using a BIP39 seed phrase, then it is 128 bits in both cases, 129 bits if they try both options. Still impossible.

I don't use this method, as I prefer complex and random passphrases which could be a password or passphrase to anything rather than obviously being related to cryptocurrency, but it is still an acceptable method and far more secure than the single word or simple human generated password that many people use as their passphrase.
newbie
Activity: 8
Merit: 0
April 05, 2022, 07:52:58 AM
#11
Memorize your bank data. They vary from country to country. But we take an example from Europe, personal IBAN: AZ04UBAZ04003214540060AZN001

Now divide the IBAN into two parts and start creating the password in the middle: 214540060AZN001
Now put a special character in it, like @ or &. After that the rest of the IBAN is used: AZ04UBAZ04003

Next step: assume your name is Antonio Sermucho

Now add the first letter of your last name at the end, but in lower case: s

And now at the beginning of the password add the first letter of your first name: a

Password is ready and cannot be cracked by any bruteforce program: a214540060AZN001@AZ04UBAZ04003s

The only thing you need to keep at home is your bank statement, which everyone has. There you can see your name and bank IBAN. Even an @ sign is also somewhere on it from the contact person of your bank.

This is just an example with the means that you have at home anyway and a hacker would not come to mind to work with it.

And if you lost a bank statement, you could always call your bank and ask for it. In this way, your bank keeps its private key without even knowing it.
legendary
Activity: 3220
Merit: 5634
April 05, 2022, 07:09:51 AM
#10
As others have concluded, another seed as a passphrase is perhaps too much, because even a much shorter password consisting of random letters and characters is nowadays resistant to all known brute-force methods. I can’t say how accurate the various online password strength meters are, but here for this 10-character password, they claim it would take as much as 1 million years to be cracked. 

This time will probably decrease when quantum computers start to be used, but still, if you add at least 5 more characters you shouldn't worry too much about the fact that in the foreseeable future someone will be able to brute-force such a password.

legendary
Activity: 2212
Merit: 7064
April 05, 2022, 06:54:17 AM
#9
Is there others ways to have a more secure passphrase in a way the world would have extinct before anyone can brute force it.
I don't understand why would you overcomplicate things doing shenanigans like this... making it very hard to recover in case you forget your order.
Plain strong passphrase made of multiple words with numbers and space combinations is very hard if not impossible to break (if done correctly).
If you want to be sure you are getting true random order of words, use offline method with casino dices instead of wallets for generating anything.

Spaces or no spaces is irrelevant, both will be impossible to brute force. I would go for spaces just so it is the same as your seed phrase.
I don't think spaces are irrelevant.
For testing purposes, try generating passphrase in KeePass with and without spaces and check out results you will get ;)

legendary
Activity: 2268
Merit: 18509
April 05, 2022, 06:40:27 AM
#8
Lots of people giving you alternative suggestions, but actually this is a good way of generating a random passphrase and much better than just picking a couple of words or coming up with a single word passphrase yourself. Yes, it is probably overkill to use an entire second seed phrase as a passphrase, but I'd rather have too much security than have too little.

Do take the advice to do all this on a clean airgapped computer, though. And obviously your passphrase will need backed up by being written down on paper just like your seed phrase, and the two should be stored separately so the compromise of one doesn't immediately lead to the compromise of the other.

Spaces or no spaces is irrelevant, both will be impossible to brute force. I would go for spaces just so it is the same as your seed phrase.

Bonus points for putting a little bit of bitcoin on the base wallet of both phrases, giving you plausible deniability and obfuscating the fact that one of the seed phrases is being used as a passphrase.
legendary
Activity: 2310
Merit: 4313
April 05, 2022, 06:24:55 AM
#7
I haven't seen any that generates words but it could be implemented, maybe suggest it on one of their github repositories. That way you could generate a smaller BIP39 specific words (~5 words ~64 bits) for the encryption which is trivial to implement.
Bitwarden, which is an open-source password manager, allows you to create passphrases. It uses EFF long wordlist that contains more than 7000 words: https://github.com/bitwarden/jslib/blob/1016bbfb9eb28c220de8d2ab86d1f2757328f254/common/src/misc/wordlist.ts  When you generate a passphrase with Bitwarden, you can specify which separator to use (either space or hyphen), whether to add additional symbols or not, etc. The maximum number of words is 20, which is more than enough for something like additional entropy for your keys. Still very unsafe, I believe, since you have to use a browser to run an extension. Personally, I still prefer offline methods of passphrase creation with dice or coin flips, especially when it comes to private keys.

I do not know the passphrase I can use that will be impossible to brute force.
It mostly depends on how many words are there in your passphrase, and which method you employed to generate those words. If you take a sentence from the book, it will be relatively easy to brute force. Otherwise, If you use cryptographically secure RNG or true RNGs such as dice, coins, cards, radiation, and noise, it will be difficult to crack for anyone, even for you should you lose your memory.
   
legendary
Activity: 3430
Merit: 10505
April 04, 2022, 11:29:51 PM
#6
If you want a computer to generate a password for you using its RNG then why not use a password manager software that does that? I haven't seen any that generates words but it could be implemented, maybe suggest it on one of their github repositories. That way you could generate a smaller BIP39 specific words (~5 words ~64 bits) for the encryption which is trivial to implement.
legendary
Activity: 3234
Merit: 2943
Block halving is coming.
April 04, 2022, 07:06:07 PM
#5
That's too much adding a phrase or passphrase in your seed phrase.
For me, one phrase is enough to add in your seed phrase as an extra layer of security it takes more than decades I think before they can brute your wallet.

The very important thing is that you always keep your seed phrase and passphrase on the safety device or make an offline wallet(cold wallet) to make sure your wallet is safe from any online attacks.

I have never experienced someone hacking my accounts and wallets because I always protect them and think in advance, and I always protect my network from any possible IP attacks.