
Topic: What's the best way to create a super/meta/mother/master mnemonic seed? (Read 432 times)

sr. member
Activity: 406
Merit: 896
I have books that I've owned since childhood. They're fine. If I'd place a piece of paper between them, the mice would have to eat so many books that I'd have to notice. Or use a metal container, or a safe.

It can't happen. There is no way on earth, especially considering that we should check our backups every now and then. Bugs and mice will never eat a backup seed phrase.

BTW: I just noticed the "professional shitposter".
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
You should have a better ink than mine.
Toner. I like toner a lot better.

Quote
Yes bugs can eat paper, but mice too. I don't have mice at home, but if one day I get some it could be too late for my paper once I discover it.
I have books that I've owned since childhood. They're fine. If I'd place a piece of paper between them, the mice would have to eat so many books that I'd have to notice. Or use a metal container, or a safe.
legendary
Activity: 2604
Merit: 2353
So your biggest fears are

  • Backup being destroyed by some unexpected event (fire, flood etc).
  • Locking yourself out because you have lost / forgotten the backup of the wallet (or a piece of the backup).

Well in this occasion you are clearly looking for a multisig wallet.
The easiest way to go about it is:
[...]
That's an interesting solution, thank you for detailing it here, but unfortunately neither multisig wallets nor SLIP39 (Shamir's Secret Shared mnemonic) seeds resolve my main issue: "For obvious privacy concerns, I would like to be able to use several wallets based on different seeds." I should have said multiple wallets and multiple seeds.

Quote
a sheet of paper can be too easily burnt, torn, erased, lost, eaten...
Let's dissect this:
  • burn: yes. Although a fire proof safe can help a lot.
  • torn: yes. But not accidentally.
  • erased: very unlikely. I've never seen toner disappear during my life, and I expect it to still be readable after centuries.
  • lost: yes. I think this is the biggest risk, since someone else can gain access.
  • eaten: by bugs you mean? Only if wet, so laminate it.
You should have a better ink than mine. Yes bugs can eat paper, but mice too. I don't have mice at home, but if one day I get some it could be too late for my paper once I discover it.

Quote
even with a back-up hidden in another place it's not a convenient solution for me, since I can't go to this place whenever I want, especially within few hours when I need to add a new seed.
You could add more seed phrases than you're using, so when you need a new one, all you need is to get the next available one from your local storage, and it's already in your far-away-backup. It takes some planning.
It's a good idea, maybe I should think about it. For me it doesn't look useful or like the safest practice to generate seeds a long time before using them, but it could actually be the most convenient way to solve my problem.
legendary
Activity: 2576
Merit: 1248
#SWGT CERTIK Audited
~ ~

Why not use a PRNG and use a 12-word mnemonic phrase as the seed for generation?

You can, for example, just add a nonce to the seed for each wallet at generation ... (+0001, 00010 ...)

but you should learn your lessons about the PRNG very hard, so as not to stay dependent on the available provided tool!
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
Does it work only with encrypting single private keys?
Yes. And by default it works for Legacy addresses only.

Quote
Or does it also work with seeds (HD wallets)?
Using BIP-38 encryption to store mnemonic seed phrase.
sr. member
Activity: 406
Merit: 896
You'll print this:
6PYS1nzuGgFB4WunA9xzHRWxd5xWhLBFxpgTGEQ2z7fggB767rLnKSYHQK (I created this one with a random private key as password, so there's absolutely no way this can ever be recovered (but the 6P-key is valid)).
An attacker has no idea what's in it. But for your own convenience, adding the address makes funding a lot easier. As always, it's a balancing act between security and convenience.

Or print a whole page filled with lines like this, and only one that works with your password. The attacker will have no idea which one is the real one, and if you forget, you can spend half an hour trying your password on all of them. I consider half an hour of typing a small price to pay for peace of mind.

Looks promising, I need to study it a bit more. Does it work only with encrypting single private keys? Or does it also work with seeds (HD wallets)?
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
Okay, so it sounds like you are comfortable with printing the xpubs.
This is all theoretical: I'd be comfortable printing it, but I wouldn't be comfortable using multisig.

Quote
I just don't want to expose my addresses to the attacker
~
This sounds interesting, gonna check it now. I was aware of it, but I never dived into it.
You'll print this:
6PYS1nzuGgFB4WunA9xzHRWxd5xWhLBFxpgTGEQ2z7fggB767rLnKSYHQK (I created this one with a random private key as password, so there's absolutely no way this can ever be recovered (but the 6P-key is valid)).
An attacker has no idea what's in it. But for your own convenience, adding the address makes funding a lot easier. As always, it's a balancing act between security and convenience.

Or print a whole page filled with lines like this, and only one that works with your password. The attacker will have no idea which one is the real one, and if you forget, you can spend half an hour trying your password on all of them. I consider half an hour of typing a small price to pay for peace of mind.
sr. member
Activity: 406
Merit: 896
I understand that a 2-of-3 seems better and many people advise in favour of it.
However, I don't like it because I haven't found a way to properly backup the xpubs.
Print it?

Quote
In the 2-of-3 you need one backup of each seed phrase and one backup of each xpub.
You could do it like this:

Location 1: Seed A, xpub B
Location 2: Seed B, xpub C
Location 3: Seed C, xpub A
Or store all xpubs on each location. The drawback is that "a thief" would know your address and balance, but you add redundancy in case you can't read all characters on the paper.

Quote
I haven't found a good way to backup the xpubs. They are huge sentences of random characters, so one simple mistake can lead to money loss.
I've typed some private keys (for offline Fork recovery), and in my experience my typing is more accurate than my reading. So now I print everything in a large font, which makes it easier to distinguish between similar characters. If you make a mistake, just keep trying until you get it right.

Okay, so it sounds like you are comfortable with printing the xpubs. Unfortunately I am not.

I am also reluctant to store all the xpubs in the same place. I am not extra-paranoid, I just don't want to expose my addresses to the attacker for privacy reasons. Yeah, I know, no big deal, because I will find out that one of my backups was compromised in one of my regular health checks, but still, I want to avoid this.

I like BIP38 encryption.

This sounds interesting, gonna check it now. I was aware of it, but I never dived into it.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
I understand that a 2-of-3 seems better and many people advise in favour of it.
However, I don't like it because I haven't found a way to properly backup the xpubs.
Print it?

Quote
In the 2-of-3 you need one backup of each seed phrase and one backup of each xpub.
You could do it like this:

Location 1: Seed A, xpub B
Location 2: Seed B, xpub C
Location 3: Seed C, xpub A
Or store all xpubs on each location. The drawback is that "a thief" would know your address and balance, but you add redundancy in case you can't read all characters on the paper.

Quote
I haven't found a good way to backup the xpubs. They are huge sentences of random characters, so one simple mistake can lead to money loss.
I've typed some private keys (for offline Fork recovery), and in my experience my typing is more accurate than my reading. So now I print everything in a large font, which makes it easier to distinguish between similar characters. If you make a mistake, just keep trying until you get it right.

Quote
without giving away your setup, what do you think is a better way to do your self-custody?
I like BIP38 encryption.
sr. member
Activity: 406
Merit: 896
Why not 2-of-3, so you only need locations A, B and C? With this setup, 2 locations are always enough to restore your funds. With your 4 locations, having only 2 remaining locations gives a 50% chance of losing access to your funds.

Well... Look, I understand that a 2-of-3 seems better and many people advise in favour of it.

However, I don't like it because I haven't found a way to properly backup the xpubs.

For those who read this but don't know how multisig works: you basically need all the xpubs of all the cosigners to describe the wallet, but you need only part of them to sign the transaction.

So:

2-of-3: A, B, C - You need all the xpubs and 2 of the seed phrases

2-of-2: A, A, B, B: You need all the xpubs and the 2 seed phrases.

Let's back these up.

In the 2-of-2 you need 4 backups for the seed phrases but you don't need to backup the xpubs because they can be derived from the seeds.

In the 2-of-3 you need one backup of each seed phrase and one backup of each xpub.
You could do it like this:

Location 1: Seed A, xpub B
Location 2: Seed B, xpub C
Location 3: Seed C, xpub A

You have the same redundancy, because losing one location will allow you to have the necessary pieces to unlock the wallet (all the xpubs and the 2 seeds)

But, I haven't found a good way to backup the xpubs. They are huge sentences of random characters, so one simple mistake can lead to money loss.

This is why I avoid 2-of-3.

I don't like multisig. It's not intuitive, I'd always fear I'd mess up, and it increases transaction fees.

I understand. So, without giving away your setup, what do you think is a better way to do your self-custody?
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
I'm looking for a safe and convenient solution precisely
That would be the holy grail of self-custody. I've never been able to find it, and until this day I'm not completely comfortable with the balance between keeping my funds secure, and making sure nobody else gains access. I am content with my current setup, but it's not perfect. I've never seen a perfect solution.

6. Save the backups A, A, B, B in 4 separate locations.
Why not 2-of-3, so you only need locations A, B and C? With this setup, 2 locations are always enough to restore your funds. With your 4 locations, having only 2 remaining locations gives a 50% chance of losing access to your funds.

I don't like multisig. It's not intuitive, I'd always fear I'd mess up, and it increases transaction fees.
sr. member
Activity: 406
Merit: 896
To be honest, the 2nd and the 4th events are my biggest fears, and I think the most likely to happen to me, objectively. The first one (robbery) comes after them. And I would put the 2 last ones at the same rank, after those 3. Because if you think you are unable to cope with that, or too much afraid of that, for me it doesn't make sense to hold critical amounts of funds in cryptocurrencies.

So your biggest fears are

  • Backup being destroyed by some unexpected event (fire, flood etc).
  • Locking yourself out because you have lost / forgotten the backup of the wallet (or a piece of the backup).

Well in this occasion you are clearly looking for a multisig wallet.
The easiest way to go about it is:

1. Generate 2 wallets (A, B) with 12 words each. Generate them offline of course.
2. Create a dual backup for each wallet. So you will have the following backups: A, A, B, B.
3. Generate a multisig vault, offline. Set it up to be a 2-of-2 multisig where the cosigners are A and B. Create the vault in watch only mode, using the xpubs of A and B.
4. Send a small amount of funds to one of the addresses. Then try to send the amount of the wallet, signing offline with both the wallets. This will essentially test the wallet.
5. Fund the wallet with your funds.
6. Save the backups A, A, B, B in 4 separate locations.
7. Check the locations once or twice a year, replacing the old paper with new ones.

So, now, you have eliminated both of your fears.

1. It's highly unlikely that the backups will be destroyed at the same time due to some flood or fire. In fact even if 2 of the 4 papers get destroyed you still have a chance to recover the wallet if the backups were not from the same wallet. Even if one of the backups gets destroyed you are perfectly fine.

2. You have great redundancy with this system. The wallet is safe because there is not a single point of failure. As I said, you can lose one of the backups. It's ok. You can even lose two and still have a chance to save the situation with a bit of luck.
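The two backup layouts discussed in this thread (A, A, B, B in four locations for a 2-of-2, and the rotated seed/xpub layout in three locations for a 2-of-3) can be checked mechanically rather than by hand. The following is an added example, my own code and not code from the thread or from any wallet; it assumes the recovery rule the posts state: the wallet can be rebuilt when every cosigner's xpub is available (a seed yields its own xpub) and at least the threshold number of seeds survives. It enumerates every pattern of surviving locations and reports how many of them still allow recovery.

```python
"""Survivability of multisig backup layouts when some locations are lost.

Added example, not code from the thread. Recovery rule assumed (as stated
in the discussion): the wallet descriptor needs the xpub of every cosigner,
a seed yields its own xpub, and signing needs `threshold` seeds.
"""
from itertools import combinations

# Each location is a tuple of items "seed:X" or "xpub:X" for cosigner X.
# Constructed models of the layouts from the thread, not real backups.
TWO_OF_TWO = [("seed:A",), ("seed:A",), ("seed:B",), ("seed:B",)]  # A, A, B, B
TWO_OF_THREE = [("seed:A", "xpub:B"), ("seed:B", "xpub:C"), ("seed:C", "xpub:A")]
TWO_OF_THREE_ALL_XPUBS = [
    ("seed:A", "xpub:A", "xpub:B", "xpub:C"),
    ("seed:B", "xpub:A", "xpub:B", "xpub:C"),
    ("seed:C", "xpub:A", "xpub:B", "xpub:C"),
]


def recoverable(surviving, cosigners, threshold):
    """True if the surviving locations hold every cosigner xpub and enough seeds."""
    seeds, xpubs = set(), set()
    for location in surviving:
        for item in location:
            kind, who = item.split(":")
            if kind == "seed":
                seeds.add(who)
                xpubs.add(who)  # an xpub is derivable from its own seed
            elif kind == "xpub":
                xpubs.add(who)
    return set(cosigners) <= xpubs and len(seeds) >= threshold


def survival_table(locations, cosigners, threshold):
    """Map k -> (recoverable patterns, total patterns) when exactly k of the
    locations survive, enumerating every subset of that size."""
    table = {}
    for k in range(1, len(locations) + 1):
        patterns = list(combinations(locations, k))
        ok = sum(1 for p in patterns if recoverable(p, cosigners, threshold))
        table[k] = (ok, len(patterns))
    return table


def first_safe_count(locations, cosigners, threshold):
    """Smallest number of surviving locations that guarantees recovery."""
    table = survival_table(locations, cosigners, threshold)
    return min(k for k, (ok, total) in table.items() if ok == total)


if __name__ == "__main__":
    for name, layout, signers, t in (
        ("2-of-2, A A B B in four locations", TWO_OF_TWO, "AB", 2),
        ("2-of-3, rotated xpubs", TWO_OF_THREE, "ABC", 2),
        ("2-of-3, all xpubs at every location", TWO_OF_THREE_ALL_XPUBS, "ABC", 2),
    ):
        print(name)
        for k, (ok, total) in survival_table(layout, signers, t).items():
            print(f"  {k} surviving location(s): {ok}/{total} patterns recover")
        print(f"  guaranteed recovery with {first_safe_count(layout, signers, t)} surviving")
```

Adding more item kinds (for example a passphrase per cosigner) only requires extending `recoverable`; the enumeration stays the same, so the tool can be reused to compare any layout before committing it to paper.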
legendary
Activity: 2604
Merit: 2353
Ok, let's narrow down the solution list. Shall we?
Firstly, can you put in order your biggest fears / threats?

  • Thief finding the backup and stealing the money.
  • Backup being destroyed by some unexpected event (fire, flood etc).
  • Locking yourself out of the wallet due to some technical error (example: not being able to re-create a multisig vault properly).
  • Locking yourself out because you have lost / forgotten the backup of the wallet (or a piece of the backup).
  • Losing funds because of a hack (brute-force, malware, keylogger etc).

Add any other threat you want.
To be honest, the 2nd and the 4th events are my biggest fears, and I think the most likely to happen to me, objectively. The first one (robbery) comes after them. And I would put the 2 last ones at the same rank, after those 3. Because if you think you are unable to cope with that, or too much afraid of that, for me it doesn't make sense to invest or at least, to hold critical amounts of funds in cryptocurrencies since it's an inherent risk to this asset.
sr. member
Activity: 406
Merit: 896
It's not safe enough for me, a sheet of paper can be too easily burnt, torn, erased, lost, eaten... and even with a back-up hidden in another place it's not a convenient solution for me, since I can't go to this place whenever I want, especially within a few hours when I need to add a new seed.

Ok, let's narrow down the solution list. Shall we?
Firstly, can you put in order your biggest fears / threats?

  • Thief finding the backup and stealing the money.
  • Backup being destroyed by some unexpected event (fire, flood etc).
  • Locking yourself out of the wallet due to some technical error (example: not being able to re-create a multisig vault properly).
  • Locking yourself out because you have lost / forgotten the backup of the wallet (or a piece of the backup).
  • Losing funds because of a hack (brute-force, malware, keylogger etc).

Add any other threat you want.
legendary
Activity: 2604
Merit: 2353
But it's very difficult to safeguard and safely manage multiple seeds.
Why? Writing down multiple seeds is a small effort to keep your funds safe.
It's not safe enough for me, a sheet of paper can be too easily burnt, torn, erased, lost, eaten... and even with a back-up hidden in another place it's not a convenient solution for me, since I can't go to this place whenever I want, especially within a few hours when I need to add a new seed.

Quote
I would like to be able to deterministically produce several bip39 standard mnemonic seeds from an initial one I can protect.
I wouldn't do this. It's probably possible, but too many things can go wrong. For starters: what device are you going to use to create "child" seeds from your "parent" seed? How are you going to keep that safe? How are you going to verify you can still reproduce the same "child" seeds? How are you going to remember which "child" seeds you used for which (exotic) wallet?
I'm looking for a safe and convenient solution precisely. If I already knew a way to address all those matters you are referring to, I wouldn't open a topic for that purpose. But I don't think your first 2 questions are really difficult to overcome. At least, I'm less scared by that than by losing my seeds because of an unexpected event. The 2 last ones are more concerning actually.
sr. member
Activity: 406
Merit: 896
You could use words instead of a password, to prevent mistakes writing it down. I prefer to use different seeds though, it seems easier.

Me too. It all depends on what you are most afraid of.
If you fear that the backup location is not very safe, then you can add a passphrase.
If you are sure that the location is safe, then there is no need to add a passphrase, since the backup can't be easily compromised in the first place.
hero member
Activity: 714
Merit: 1298
Cashback 15%
Hello
For obvious privacy concerns, I would like to be able to use several wallets based on different seeds. But it's very difficult to safeguard and safely manage multiple seeds.
So I would like to be able to deterministically produce several bip39 standard mnemonic seeds from an initial one I can protect. But I don't want to be able to find back the initial seed in any way from one or several daughter seeds. And I don't want to be able to find any sister seed from one or several other ones.
What is the most convenient way to do that please?

Following the BIP85 standard, Passport 2 allows generating up to 20 child seeds from a single master SEED. That master SEED can be stored both ways: in SeedQR format (either Compact SeedQR or SeedQR) and in ordinary written form. Also, each of the 20 child seeds can be saved in both formats. The initial master SEED cannot be found back by using any number of those child seeds.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
That is true. But I have made no mistake yet. I will read more about BIP85. I have not read about it before; it can be a good solution and it is exactly what Saint-loup is looking for. Thanks for bringing some flaws in my backup to my notice.
You could use words instead of a password, to prevent mistakes writing it down. I prefer to use different seeds though, it seems easier.
sr. member
Activity: 406
Merit: 896
The passphrase is something like this @_++3$+sbsgsvsvsghsgshs$$((_-466-4;$$;3-_+32-$-dbdhsvshshjjdjdhshdhe+_+4+33-$-$;3-3&$-$;3;3;;3-nsbshdbrjsusbendkdudbebdbdhhddb$$7_63;$!38!;_+4!3++ which will be very difficult to brute force.

Well, to be exact, it is not "very difficult" to brute-force; rather, it is infeasible to brute-force.

This passphrase will never be brute-forced. But, I make 2 assumptions here:
1. There are no uppercase characters.
2. There seem to be some patterns, but I guess they must be copy-pasted to showcase the length of the passphrase.

If the assumptions are true, then:

(a) You have 146 characters.
(b) Your dataset consists of LowerCase, Numbers and Symbols. Thus, your dataset includes 95 (total printable ASCII characters) - 26 (upper case letters) = 69.

Therefore, the complexity in bits is: ln(146^69)/ln(2) = 496.09 bits.

BIP85:
  • BIP85 is easier to backup. You will only backup 12 words twice and then you will backup the "index number" for each wallet. The latter can be backed up anywhere. It's just a number (e.g. 107, or 9, or 999), so nobody can expect that this has anything to do with Bitcoin. So, you can just backup the words and you can derive all the wallets at indices 107, 9, 999 with the same words and a wallet that supports BIP85.
  • It's not as secure as passphrases. The index numbers can go up to 10,000 so brute-forcing the wallets is super easy, if the attacker gains access to the words.


Passphrases:
  • Passphrases are better if you want to make sure the attacker who gains access to the words has no way to access your wallet.
  • Passphrases are more difficult to backup. You absolutely need to backup the passphrase twice. Not once. So this leads to the need for more secure places to store your backups.

To conclude, if you are afraid that the seed words can be compromised, then use passphrases, making sure to backup the passphrases in separate locations.
If you think that your words are safe, then simply use BIP85 and use random index numbers from 1 to 10,000. Also add some sats to the wallet on index 0, so that the attacker may think that these are your only funds.
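The Passport 2 child seeds mentioned earlier and the BIP85-versus-passphrase comparison in this post both rest on the same derivation. The following is an added example, my own code and not code from the thread, from Passport, or from any wallet; it uses only the Python standard library to compute the BIP39 seed from a mnemonic and optional passphrase, walk the BIP85 path m/83696968'/39'/{language}'/{words}'/{index}' with BIP32 hardened derivation (every level is hardened, so no elliptic-curve point arithmetic is needed), and apply the final HMAC that yields child entropy. Turning that entropy back into words needs the 2048-word BIP39 list, which is omitted here, so the functions return raw entropy bytes. The mnemonic is the well-known all-"abandon" BIP39 test mnemonic, used as constructed input; the `search_space_bits` helper is an assumption added to put the post's "10,000 indices versus a long passphrase" remark into numbers.

```python
"""BIP85 child entropy from a BIP39 master, standard library only.

Added example (not code from the thread, Passport, or any wallet).
All BIP85 path levels are hardened, so BIP32 child derivation needs
only HMAC-SHA512 and a scalar addition mod n: no curve point math.
"""
import hashlib
import hmac
import math
import unicodedata

SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
HARDENED = 0x80000000
BIP85_PURPOSE = 83696968   # BIP85 purpose level
BIP85_APP_BIP39 = 39       # BIP85 application number for BIP39 mnemonics


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed: PBKDF2-HMAC-SHA512, 2048 rounds, salt 'mnemonic' + passphrase."""
    pwd = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", pwd, salt, 2048, dklen=64)


def bip32_master(seed: bytes):
    """BIP32 master private key (as int) and chain code from a seed."""
    i = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return int.from_bytes(i[:32], "big"), i[32:]


def ckd_priv_hardened(k: int, chain: bytes, index: int):
    """BIP32 hardened child: I = HMAC-SHA512(c, 0x00 || ser256(k) || ser32(i + 2^31))."""
    data = b"\x00" + k.to_bytes(32, "big") + (index | HARDENED).to_bytes(4, "big")
    i = hmac.new(chain, data, hashlib.sha512).digest()
    child = (int.from_bytes(i[:32], "big") + k) % SECP256K1_N
    return child, i[32:]


def bip85_bip39_entropy(seed: bytes, words: int = 12, index: int = 0,
                        language: int = 0) -> bytes:
    """Child entropy per BIP85: derive m/83696968'/39'/{language}'/{words}'/{index}',
    then HMAC-SHA512(key=b'bip-entropy-from-k', msg=child key), truncated to
    16, 24 or 32 bytes for 12, 18 or 24 words (language 0 = English)."""
    if words not in (12, 18, 24):
        raise ValueError("BIP85 BIP39 application supports 12, 18 or 24 words")
    k, chain = bip32_master(seed)
    for level in (BIP85_PURPOSE, BIP85_APP_BIP39, language, words, index):
        k, chain = ckd_priv_hardened(k, chain, level)
    ent = hmac.new(b"bip-entropy-from-k", k.to_bytes(32, "big"), hashlib.sha512).digest()
    return ent[: words * 4 // 3]


def search_space_bits(candidates: int) -> float:
    """log2 of a brute-force search space: e.g. 10,000 BIP85 indices, or
    alphabet_size ** length candidate passphrases (assumption: uniform choice)."""
    return math.log2(candidates)


if __name__ == "__main__":
    # Constructed input: the well-known all-"abandon" BIP39 test mnemonic.
    mnemonic = " ".join(["abandon"] * 11 + ["about"])
    seed = bip39_seed(mnemonic)
    for idx in (0, 1, 107):
        print(f"index {idx:>3}: {bip85_bip39_entropy(seed, 12, idx).hex()}")
    # A passphrase changes the master seed itself; an index only selects a child.
    print("with passphrase:", bip85_bip39_entropy(bip39_seed(mnemonic, "example"), 12, 0).hex())
    print(f"BIP85 index space (1..10000): {search_space_bits(10_000):.1f} bits")
    print(f"69-symbol alphabet, 20 symbols: {search_space_bits(69 ** 20):.1f} bits")
```

The last two lines make the post's point concrete: with the words in hand, a BIP85 index space is roughly 13 bits, so enumerating children is cheap, whereas a passphrase multiplies the work by its own search space. Conversely, the derivation is one-way at the HMAC step, which is why the child entropy does not reveal the master.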

hero member
Activity: 868
Merit: 1094
The passphrase is something like this @_++3$+sbsgsvsvsghsgshs$$((_-466-4;$$;3-_+32-$-dbdhsvshshjjdjdhshdhe+_+4+33-$-$;3-3&$-$;3;3;;3-nsbshdbrjsusbendkdudbebdbdhhddb$$7_63;$!38!;_+4!3++ which will be very difficult to brute force.
This brings me to the next problem: the seed phrase is a human readable interpretation of a long random number. It's easy to write down, without a high risk of making mistakes.
Your password doesn't have that luxury. If you make a mistake, you're screwed.
That is true. But I have made no mistake yet. I will read more about BIP85. I have not read about it before; it can be a good solution and it is exactly what Saint-loup is looking for. Thanks for bringing some flaws in my backup to my notice.