Topic: The best passphrase (Read 698 times)

I don't think it's a very bad idea tbh even if it prevents the ability of being memorized for a long time like a common passphrase, but since you don't need any checksum computation for it why using a computer and a software(along with an OS), potentially infected or bugged, without being sure of their reliability while you can use a safe way to do that and hence adding robustness to your seed? If I were you, I would just use physical dices in order to randomly pick words from the BIP39 list. The list is numbered. https://github.com/bitcoin/bips/blob/master/bip-0039/english.txt

Yeah, I wouldn't go down this path.

The dataset I will use is:

A - Z (excluding O and I) -> 24 characters
a - z (excluding l) -> 25 characters
0 - 9 (excluding 0) -> 9 characters
@#$%^&* -> 7 characters

So in total I have 65 characters.

I plan to go for more than 20 characters long passphrases, which will give me ENTROPY > ln(65^20)/ln(2) ~= 120 bits.

I will collect random data using the following command:

BIP39 actually specifies that any passphrase will be normalized to UTF-8 NFKD, so you can actually have a character set in the tens of thousands if you wanted, provided your wallet software supports these characters, and use any unicode character such as ½, Ü, or ←.

I wouldn't recommend going down this route, however, since there are a lot of unicode characters that look very similar or even identical, and would obviously lead to completely different wallets if confused. For example A, A and A are all different characters (Latin, Greek, and Cyrillic).

By the way, my conversation with o_e_l_e_o above intrigued me and I started reading some papers in regards with bitcoin's security level. I will not add them here, but I will, instead, add this topic I found https://bitcointalksearch.org/topic/bitcoins-public-key-security-level-2859033 which explains what o_e_l_e_o said above in more details, in case anyone is interested.

Brilliant! Thank you, so my numbers will change slightly (in decimal range). The bits will remain the same even with 95 instead of 93 available characters.

There are 95 printable ASCII characters.

(whitespace is also included)


All 95 printable ASCII characters can be used for a passphrase.

Here is a screenshot taken from electrum.

Some website restrict the none number , letter symbols.
@ and * are restricted on a few websites I use.

Combining all the possible printable characters from the ASCII table(93 in total) wil give the following entropy (in bits):

For 10 total characters: 65 bits
For 15 total characters: 98 bits

So I suggest you use anything larger than 15 characters to get a good entropy.

Ps. I am not sure whether all these 93 characters can be used but if I recall correctly they can, I am just busy at the moment and I can't check online. If someone could confirm this please

The combination of several capital letters, lower case letters, several numbers and several characters with a total of 10 to 15, for me is strong enough to be used as a password and passphrase. Using this combination makes it easier for me to remember a time.
For one device and another I use different, but not more than two passphrase.

Yes exactly, just pointing out that brute forcing a public key is pretty much beyond the realms of "theoretically" as well, given how much energy it would require.

Yeap that is exactly the point I made above, isn't it? I just ask to verify that I have understood properly.

I think the point to understand is that 128 bits of security will not be brute forced. The energy required to brute force a single key with 128 bits of security would boil all the oceans on Earth 16,384 times. So until we can construct a Dyson sphere to harvest the entire energy output of the sun, 128 bits is quite safe.

With that in mind, then all the additional security options we have - passphrases, multi-sigs, etc. - are not designed to increase this 128 bits of security (and indeed, as I've explained above, they can't. The final security of a bitcoin private key will never be more than 128 bits.) Rather, they are designed to protect against human error, compromised devices, viruses and malware, and so on.

Fascinating! Therefore, one can argue that security is only set in danger by human mistake. Even with multisig, or strong passphrase etc, the security level is technically equal. But, human error can lead to losses. So we have transitioned our focus to providing solutions that avoid human mistakes, not to solutions that add more security in terms of bits. The PK can be theoretically brute forced regardless of the wallet setup by brute forcing 128 bits

Correct.

An attacker brute forcing from scratch (not that anyone would ever do this) would either be generating 256 bit private keys or 128 bit seed phrases. But actually, every seed phrase can generate every possible address if you put in the "right" derivation path.

Yes. There will be literally trillions and trillions of scripts out there which will give the same script hash as your multi-sig script and therefore could unlock your coins. But just like standard addresses, the search space is so astronomically large that a collision will never happen.

According to this, adding the passphrase is a protection measure only if someone steals the seed phrase, so you can make sure they would never guess the passphrase.

But, theoretically, an attacker that brute forces bit-by-bit could generate 128 bits that would lead to the exact same private key that the wallet of 12 words seed + 128 bits passphrase would create, correct?

And if so, this also applies to the example I provided with the multisig, correct?

The maximum security provided by a 256 bit private key on the secp256k1 curve is 128 bits. This is because the most efficient way to attack a 256 bit private key is not brute force, but by solving the ECDLP, which will take on average 2¹²⁸ operations. So all bitcoin private keys, regardless of how much entropy was used to generate them, will never provide more than 128 bits of security

You can see this in Standards for Efficient Cryptography. SEC 2: Recommended Elliptic Curve Domain Parameters. (Table at the bottom of page 4.)

No. The most efficient way to attack a 2-of-2 P2WSH multi-sig would not be to attack both individual private keys, but to find any other script which has a collision with the SHA256 of your P2WSH multi-sig script. Given the script hash is the digest of a single SHA256, then again, you would expect to find a collision in 2¹²⁸ operations on average.

Still 128 bits.

Ok this causes me confusion. Would you please elaborate?

I also had another question:

Let's say I have a 2-of-2 multisig. Let's say both of the cosigners have 12 word seed phrases. Is the final security 256 bits? (128 + 128)

Also if I have a wallet with 12 words seed phrase and a passphrase of 128 bits. Is the final security 256 bits? You said it's not, but I would love it if you could explain.

Is the security of the 2 wallets equal?

Yes. 10³⁰ is 99.66 bits.

Personally I would opt for 128 bits for obvious reasons, but 100 bits is probably secure enough.

Technically yes, but the final security of your private keys won't be any more than 128 bits.

If your writing is such that these characters are obviously different, then you don't need to. If you are concerned about confusing these characters, then by all means drop them from your character set.

Question:

a seed phrase of 12 words offers 128 bits of entropy.

Let's say that I add a passphrase of 30 numbers from 0 to 9. This is just an example.

If my calculations are correct, this will add approximately 100 bits of entropy. I did: ln(10^30)/ln(2)

Assuming that the numbers are generated from a valid entropy source:

1. Are my calculations correct?
2. What is the threshold above which the passphrase is secure? 100 bits? More?
3. Is it correct to say that my wallet is derived from 228 bits of entropy in total?
4. Is it better (in your opinion) to use characters that are easily read and written down? For example is it better to avoid 0 ,O, I, l ? Base58 does that, so I guess it's better to avoid these. However, when you write down the passphrase on paper you can use hand lettering for lowercase L etc.

I was just using flawed RNG as an example. In bitcoin's early days, flawed RNG was implemented on android phones, which caused private keys to be generated in a small range of numbers -- too large for there to reasonably be collisions, but small enough for malicious actors to generate large numbers of private keys in the hopes of finding one with unspent coin. Android phones are not air-gapped computers, but this goes to your point about flawed software.

Absolutely, but brute forcing a seed phrase from scratch also has a zero percent chance of happening. A passphrase does not change that, nor was it ever designed to.

That's a fair point, but I think it is a very unlikely method of attack. If someone is able to infiltrate both your home and your computer in order to plant some malware on your airgapped device to generate non-random seed phrases, then it is far more likely that they would simply steal your coins while they were there, plant a keylogger for your decryption key, $5 wrench attack you, etc.

Although it does raise another point, that using the same piece of software to generate both seed phrases does leave you open to flaws in that software, which I think is a far more likely attack vector. That would probably be a good reason not to use a seed phrase as a passphrase.

The collisions you are referring to have basically a zero percent chance that two seeds will be generated as you describe. The chances are less than that of generating two private keys associated with the same address because flawed RNG will not cause these types of collisions.

Sure, if someone "accidentally" discovers one seed, they may not discover the other, although this would certainly be a sign that you are being careless in protecting your seeds.

If someone is actively looking for your seeds, if they are able to breach your countermeasures for one seed, they should be able to breach your countermeasure on the other seed. Similarly, if someone is able to cause you to use flawed RNG to generate one seed, they can do the same for the other seed, although in this case, they may not know you are using two seeds this way.

Also worth pointing out that 12 scrambled words (12! combinations) is very easy to brute force and can be done in under an hour on even modest hardware.

The protection offered by a passphrase has never been against brute forcing of a seed phrase from scratch - all the addresses generated by your passphrased wallet will also be generated at some derivation path by some other non-passphrased seed phrase.

Why? I would not say this is likely by any means, and definitely not immediately, unless you have stored both seed phrase and passphrase physically next to each other. If someone accidentally stumbles on one, there is no guarantee at all that they would be able to find the other provided it is well secured somewhere else.

A better option would be to use diceware.

Six to eight random words are enough for a secure passphrase according to Andreas Antonopoulos himself. If you have an English-to-English dictionary such as an Oxford or a Longman, you can just randomly open pages and put your fingers on random words that you can use to construct your passphrase. Any other book would work as well really.   

The seed is 132 bits but there is also a checksum inside the seed itself, in a way it is hidden.
Unlike BIP39 that simply concatenates the hash to the entropy, Electrum brute forces its seeds to find an entropy that would produce a hash that starts with certain bits indicating its version. This acts as a checksum.
You can see the loop here: https://github.com/spesmilo/electrum/blob/837fc1606cc83f99f8493c050b384cfcbb6c2835/electrum/mnemonic.py#L206-L220

If you are going to access your passphrase via looking at a written backup, it is probably best to have spaces between the words, even if there are not spaces in your passphrase. The reason being is that it will be much easier to type a series of words than a long string of characters.

---

I might point out that a passphrase is only ever going to give you incremental additional security. A properly generated, random seed is already ~impossible to brute force with current technology, and it is very unlikely future technology will ever be able to brute force a randomly generated seed.

If an adversary is somehow able to discover your seed, it is likely they can also discover your second seed which is your passphrase. Granted, storing small amounts of coin in both seeds may make an adversary believe they have found all the coin there is to find, however, if you have only stored a small amount of coin and have taken elaborate steps to protect your seeds, an adversary may not believe the decoy amounts are all that is stored by the two seeds they find.

There are 12! combinations if there are 12 known words and there are no duplicate words in the seed phrase.

In the case the seed phrase has been generated by electrum, it provides 132 bits of entropy, not 128.
There is no checksum in the seed phrase generated by electrum.


Right.  With increasing number of the words to more than 12, you don't really increase the security of your fund.
For example, a 15 word BIP39 seed phrase provides 160 bits of entropy. (165 bits of entropy if it has been generated by electrum)
Instead of trying to brute-force your seed phrase, the hacker can try to brute-force your private key which provides 128 bits of entropy.

I think 24 words would be longer without much benefit so far 12 words of seed phrase is safe enough, I am not saying the difficulty required to brute force 24 words is not more than 12 words but to brute force 12 words is unlikely. 12 words is also enough to avoid brute force attack too which should be a reason no necessary need of using 24 words.

On average, trying to brute force a wallet with 12 words (12! = 479,001,600) is a waste of time (a possible combination of 2^128= 340,282,366,920,938,463,463,374,607,431,768,211,456,) so if you want more security, use 24 words.

You can add words, but then you will increase the risk of losing one, which may mean wasting your money if the words become too many.
So 24 words is enough to avoid a brute force attack.

The biggest issue with security is balance. Balancing convenience, and security is one of the big  problems of today. Unfortunately, we take it to the extremes whatever end of the spectrum you might be. If you're security conscious, you probably overcompensate which reduces the convenience or if you are like your average internet user, you likely take convenience over security, and therefore are at risk of being compromised.

I can't tell you the right balance, since everyone has a different threat model. However, I can at least give my rationalisation about why balance is important.

While that might be true, since the information is fairly easy to remember. How convenient is it for you? For example, if this is for a cold wallet then the inconvenience it requires to enter that passphrase might be mitigated enough to not worry about it much. However, if it was a somewhat hot wallet, you needed to access it frequently then entering that long of a passphrase could potentially be annoying. I know you're probably going to be using this for a offline wallet, so I suspect it is mitigated. However, there's a point in which a longer password doesn't necessary bring much of a security benefit.

I agree with o_e_l_e_o that a overcomplicated, inconvenient passphrase is much better than a insecure setup. Though, lets say you have 50 characters as an example, that would be plenty enough for most situations, barring that it hasn't been generated from a famous quote etc. If its randomly generated 50 characters, then you're probably good. Whereas, adding an additional 50 to take it up to 100, would technically increase the entropy, right. Although, in reality the attack possibilities of a 50 character pass phrase is already quite small, and adding 50 onto it with current techniques, and technology wouldn't make much of a difference at all.

Underrated remark. If you're backing up your passphrases on paper, where ever you might store that. Don't label it as "BITCOIN PASSWORD TO MY MEGA WALLET", because if a malicious attacker theoretically gained access to that piece of paper they would have a field day. However, if you've written your backup down in such a way that they wouldn't be able to immediately determine its for a Bitcoin wallet, then that's part of the entropy.

Again, security, and convenience right? Since, if you forget what that backup phrase is for, you could be potentially in trouble.

Even if you use the default passphrase, it should be secure enough and no one can brute force it. I think you are anticipating that in the future
quantum computers may be able to brute force our passphrases and seeds but i don't think this will happen in our lifespan. I would suggest you not to make thing complicated, keep the default passphrases and focus on how to keep these passphrases secure.

It is not a complicated process for me, what if I want to use 2-of-2 multisig, I will still need two seed phrase that would be created, the two have to be protected. I am only having two seed phrase, one will not be used for seed phrase but for passphrase. If I use a strong passphrase, I can not remember, if the backup is lost, it is lost forever in a way I can no more access my coins anytime I want wallet recovery. If I can backup the passphrase and seed phrase differently, have three backup, it is good option for me. I do not see difference between a passphrase I created myself that I do not remember but backup and a seed phrase that I use as passphrase that I backup. Thank you all for your suggestions.

If the passphrase is written down on paper as it should be, then it will be no more complicated than storing a seed phrase and no more difficult to recover.

As is a seed phrase, with the added bonus that a seed phrase is much easier to write down and restore from without making any unrecoverable mistakes.

It is definitely irrelevant. Let's assume the weakest possible seed phrase of 12 words, with each word having only 3 characters, for 36 characters in total without spaces, and 47 with spaces.

An attacker who knows nothing about your seed phrase and brute forces all possible ASCII combinations of the relevant number of characters will be looking at ~237 bits without spaces and ~309 bits with spaces. Both impossible.
If they know you are only using lower case letters, then it becomes ~169 bits without spaces and ~223 bits with spaces. Both impossible.
If they know you are using a BIP39 seed phrase, then it is 128 bits in both cases, 129 bits if they try both options. Still impossible.

I don't use this method, as I prefer complex and random passphrases which could be a password or passphrase to anything rather than obviously being related to cryptocurrency, but it is still an acceptable method and far more secure than the single word or simple human generated password that many people use as their passphrase.

Memorize your bank data. They vary from country to country. But we take an example from Europe, personal IBAN: AZ04UBAZ04003214540060AZN001

Now divide the IBAN into two parts and start creating the password in the middle: 214540060AZN001
Now put a special character in it, like @ or &. After that the rest of the IBAN is used: AZ04UBAZ04003

Next step: assume your name is Antonio Sermucho

Now add the first letter of your last name at the end, but in lower case: s

And now at the beginning of the password add the first letter of your first name: a

Password is ready and cannot be cracked by any bruteforce program: a214540060AZN001@AZ04UBAZ04003s

The only thing you need to keep at home is your bank statement, which everyone has. There you can see your name and bank IBAN. Even an @ sign is also somewhere on it from the contact person of your bank.

This is just an example with the means that you have at home anyway and a hacker would not come to mind to work with it.

And if you lost a bank statement, you could always call your bank and ask for it. In this way, your bank keeps its private key without even knowing it.

As others have concluded, another seed as a passphrase is perhaps too much, because even a much shorter password consisting of random letters and characters is nowadays resistant to all known brute-force methods. I can’t say how accurate the various online password strength meters are, but here for this 10-character password, they claim it would take as much as 1 million years to be cracked. 

This time will probably decrease when quantum computers start to be used, but still, if you add at least 5 more characters you shouldn't worry too much about the fact that in the foreseeable future someone will be able to brute-force such a password.


Source

I don't understand why would you overcomplicate things doing shenanigans like this... making it very hard to recover in case you forget your order.
Plain strong passphrase made of multiple words with numbers and space combinations is very hard if not impossible to break (if done correctly).
If you want to be sure you are getting true random order of words, use offline method with casino dices instead of wallets for generating anything.

I don't think spaces are irrelevant.
For testing purposes, try generating passphrase in KeePass with and without spaces and check out results you will get

Lots of people giving you alternative suggestions, but actually this is a good way of generating a random passphrase and much better than just picking a couple of words or coming up with a single word passphrase yourself. Yes, it is probably overkill to use an entire second seed phrase as a passphrase, but I'd rather have too much security than have too little.

Do take the advice to do all this on a clean airgapped computer, though. And obviously your passphrase will need backed up by being written down on paper just like your seed phrase, and the two should be stored separately so the compromise of one doesn't immediately lead to the compromise of the other.

Spaces or no spaces is irrelevant, both will be impossible to brute force. I would go for spaces just so it is the same as your seed phrase.

Bonus points for putting a little bit of bitcoin on the base wallet of both phrases, giving you plausible deniability and obfuscating the fact that one of the seed phrases is being used as a passphrase.

Bitwarden, which is an open-source password manager, allows you to create passphrases. It uses EFF long wordlist that contains more than 7000 words: https://github.com/bitwarden/jslib/blob/1016bbfb9eb28c220de8d2ab86d1f2757328f254/common/src/misc/wordlist.ts  When you generate a passphrase with Bitwarden, you can specify which separator to use (either space or hyphen), whether to add additional symbols or not, etc. The maximum number of words is 20, which is more than enough for something like additional entropy for your keys. Still very unsafe, I believe, since you have to use a browser to run an extension. Personally, I still prefer offline methods of passphrase creation with dice or coin flips, especially when it comes to private keys.

It mostly depends on how many words are there in your passphrase, and which method you employed to generate those words. If you take a sentence from the book, it will be relatively easy to brute force. Otherwise, If you use cryptographically secure RNG or true RNGs such as dice, coins, cards, radiation, and noise, it will be difficult to crack for anyone, even for you should you lose your memory.
   

If you want a computer to generate a password for you using its RNG then why not use a password manager software that does that? I haven't seen any that generates words but it could be implemented, maybe suggest it on one of their github repositories. That way you could generate a smaller BIP39 specific words (~5 words ~64 bits) for the encryption which is trivial to implement.

That's too much adding a phrase or passphrase in your seed phrase.
For me, one phrase is enough to add in your seed phrase as an extra layer of security it takes more than decades I think before they can brute your wallet.

The very important thing is that you always keep your seed phrase and passphrase on the safety device or make an offline wallet(cold wallet) to make sure your wallet is safe from any online attacks.

Never been experienced someone hacking my accounts and wallets because I always protect them and think advanced and I always protect my network from any possible IP attacks.

There isn't really any difference.
A bitcoin private key provides 128 bits of entropy and there is no way to increase the security of your private key to more than 128 bits.

Let's say your seed phrase is compromised and the hacker needs to brute-force your passphrase to access your fund.
Whether you use space between the words or not, the entropy provided by your passphrase would be more than 128 bits. Even if the hacker knows that you have used a seed phrase generated by electrum as your passphrase, the entropy would be 132 bits which is still bigger than the entropy provided by a private key.

You're overthinking it.

There are things that matter a lot more. Are you connected to the internet while using your passphrase? How clean is your computer and network? Are you advertising on the internet that you have substantial value that can cause you to be target? Do you have backups?

The best passphrase that no one can guess is one that you can't guess. That has issues with you ending up broke through a lost piece. If you are putting substantial money into it, then you want to be able to recover it.

But if you really want to go down the rabbit hole, the best passphrase is one that isn't a passphrase. All bitcoin addresses are derived from 64 byte keys. 64 bytes can be anything, and that ends up being more possibilities than the atoms in the universe. It sounds like a clever person like you can find some very interesting ways to create keys, ways to lose your keys, or maybe even keep them safe in an interesting way.

The first thing that came into my mind when reading this is: it's overcomplicated, you may forget it in 5-10 years, if you are in trouble (brain damage, coma, ...) your family will have no chance to recover your coins.

Second, ... I may be wrong, but I don't think that such a long passphrase bring any benefits.

Third - everybody seems afraid of brute forcing, which happens rather seldom, while they forget to take care against 5$ wrench attacks and accidents/illnesses.

I have been thinking of the best way of adding a passphrase to a wallet I want to create, but I do not know the passphrase I can use that will be impossible to brute force.

What comes to my mind is by generating a seed phrase which I will use as passphrase. Open electrum wallet, the wallet to create another seed phrase for me, add a passphrase to it which is the first seed phrase another wallet created for me.

The first seed phrase is my passphrase
The second seed phrase is my seed phrase
The second seed phrase and my passphrase (first seed phrase) create private keys and addresses for me which should be safer than just using a seed phrase without passphrase.

I am think of the way to use the passphrase, which one is difficult to brute? By writing the words together and not give space in between, or by seperating the words?

This should be a secure wallet if I do not have the seed phrase backup together with the passphrase but differently. I am thinking if seed phrase with space is secure enough, it should also secure if used as passphrase?

Is there others ways to have a more secure passphrase in a way the world would have extinct before anyone can brute force it.