Bitcoin Forum

Electrum does not let you use an arbitrary sequence of words as seed. This is because humans are not good at generating really random phrases.

The seed generated by Electrum is a 128-bit random number. It is encoded as a sequence of 12 words, for the purpose of memorization. However, it is important to understand that it has 128-bits of entropy. A phrase generated by a human, or picked from a random book opened at a random page, will in general be much less random, and much more vulnerable to attacks. (and "much more" here means astronomically more).

In this type of attack, time is on the side of the attacker. It is perfectly possible for an attacker to try all the phrases existing in a large database of books, and some variants of those, until they find a wallet. In contrast, it is not possible to do the same with 2^128 random phrases.

As you may have noticed, it is possible to bypass this protection; if you restore your wallet from a hexadecimal string, any string length will be accepted. However, this will only work with hexadecimal inputs. Thus, if you absolutely insist on using an arbitrary phrase as seed, you will need to hex-encode it yourself. Consider this as a protection.

This is a good post to go to the http://electrum.org FAQs and Tutorials

I agree that it is important to have a random, unguessable passphrase, but 12 random words with 128 bits of entropy is overkill. My passphrase utility (https://bitcointalk.org/index.php?topic=148620.0) allows you to safely use 6 random words.

We are not talking about an encryption passphrase here. We are talking about the entropy of Bitcoin addresses used by the client.
For this, 128 bits is not overkill. Bitcoin BIP 32 recommends to use at least 128 bits for this: https://en.bitcoin.it/wiki/BIP_0032
As an additional safety measure, Electrum adds a little bit of key stretching to generate the master key (100000 iterations of sha256, which is equivalent to adding a few extra bits of entropy to the seed)

I approve of this message.  This is why Armory uses a different alphabet, and uses checksums.  Of course checksums are there for checking that data was entered correctly, but it also requires users to manually compute the checksums if they want to enter their own data.  It's a nice protection from people just cramming "aaaaaaaaa..." into the wallet recovery screen.

Of course, Armory uses waaaay more than 128 bits of entropy, but I'll be bringing it down to 128 or 160 in the next release -- I was thinking 160 because I wanted to give a little margin in case your system does not have a high-quality entropy pool at creation time.  This because I totally agree with ThomasV -- 128 bits is a nice, unbreakable value.  Maybe in 1000 years when we have Dyson spheres around a few different stars for the purpose of collecting energy to break my wallet, they might break 128 bits.  

"Can someone with the list of words from the Electrum code get an electrum user's seed trough brute force? How can it be avoided?"

The list of words used by Electrum is public; everyone can read it: https://github.com/spesmilo/electrum/blob/master/lib/mnemonic.py
The security of your seed does not reside in a secret algorithm; Electrum is open source, anyone can see how it works.
Security is based on the length of your seed: your seed is safe because it is long enough to make brute force attacks impossible.

Talking about security, guessing and entropy; what are your thoughts about this http://www.nilsschneider.net/2013/01/28/recovering-bitcoin-private-keys.html ?

This is the most basic rule of ECDSA -- use a different random number for each signature.  I'd say that this should be a very difficult mistake to make, but apparently Playstation 3 also had some under-qualified developers (http://exophase.com/20540/hackers-describe-ps3-security-as-epic-fail-gain-unrestricted-access/) in this regard.  

It's nothing new.  It's just the risk of "rolling your own" when dealing with crypto algorithms -- you don't understand the importance of each step, or have any guarantee you did it right.

Even when you think you did it right, you're probably open to things like timing attacks -- where someone gets your system to sign a whole bunch of stuff and collects statistics on the time it took -- which reveals information about the private key.  Proper implementations avoid this.

You answered my question even before I could refresh the page! Good to see it can be avoided taking the right minds to work. It seems that there are still people that don't get it is money what they are playing with.

I know a 128-bit seed is good enough to defeat brute force attacks, but then wouldn't it be even better to support a 256-bit seed? Any thoughts on allowing that option?

I understand that the seed in number form is 128bits of entropy. But is the mnemonic 128 bits too? 12 words out of 1600 are 128bits of entropy? Just curious.

Yes. As long as they are *randomly* chosen.

I hope you where exaggerating. 128 bits encryption could be breaked "routinely" in 100 years. Armchair explanation: DES at 56 bits can be breaked "routinely" by NSA/CIA ecc. If Moore's Law is sustainable the number of transistors in a chip will double every 1.5 years. Let's say that every doubling in number of transistors double the speed (because, in the end, cracking a code is a highly parallelizable task, so doubling the number of processors WILL double the speed). So each 1.5 years the number of bits that can be cracked "routinely" is raised by 1 (double speed = +1 bits, because +1 bit doubles the keyspace)... So 72 * 1.5 = 108 years... But note that DES was cracked "routinely" some years ago.

(read for example here. http://en.wikipedia.org/wiki/EFF_DES_cracker , in 1998 EFF brute-force cracked DES in 56 hours for 250,000$. So if Moore Law is sustainable, in 2106 AES128 could be cracked in 56 hours, but note that some years before a resolute cracker with some million $ and a month of time could probably crack it)

Well, technically you can:

• Run electrum with parameter: -w fun.bin (to generate new custom wallet named fun.bin)
• Select [Restore]
• Enter word "god" 12 times :) (or any combination of words from electrum dictionary)
• You got your own fully functional, funny-seeded and hence very insecure, likely to be cracked by someone wallet :)

Gleb

Whoops, I was under the impression assumed that Electrum was using RFC 1751 for translating bits to words...

http://tools.ietf.org/html/rfc1751

Can I ask what the reason for not using it and going with a poetry frequency list instead?

From Thomas...

What are your thoughts on this: http://www.sendspace.com/file/68tgbd (http://www.sendspace.com/file/68tgbd)
You have to roll your own seed. 5 dice for each word = 60 rolls, if a roll is invalid (i.e. under certain circumstances not applicable), roll again. IMO this should lead to a truly random seed, which can't be compromised by faulty or limited random number generators implementations. It's a bit cumbersome, but for long-term storage a decent decision.

Any downsides or potential risks I don't see?

This method is well known as Diceware - http://world.std.com/~reinhold/diceware.html

Good question! How Diceware (5 words with dice, dictionary size of 7776) compares to Electrum (12 words, from a dictionary of 1600) for practical purposes; to use as your master password?

I am not a cryptographer (what are some good sources to learn some very basic concepts? Maybe one good article for noobs), so this is a basic question: let's say I used my own passphrase and I am happy with it, my passphrase is (obviously)

the quick brown fox jumps over the lazy dog

then how do I hex-encode it to become an Electrum seed?

and just for fun, can I also convert it for Electrum style 12 words?

Diceware 5 words bit strength:

>>> log(7776**5,2)
64.624

Electrum 12 words bit strength:

>>> log(1626**12,2)
128.005


What this means: Diceware 5 words is no longer secure. With dictionary size 7776, use at least 7 or 8 words for critical/financial stuff.

Here you go:

https://www.google.com.pk/search?q=letters+to+hex


Easiest way for you is to create a new wallet and use the restore function. Paste in the hex and then view the seed to get the electrum words.

edit: python is not my strong suit so I am sure this can be done in the electrum console as well. But to do it in the Linux shell you just run python, then do "import electrum", and then "electrum.mnemonic.mn_encode( '34343' )" ofcourse replacing the numbers wiht your hex.

Edit2: Yeah you can do it in the electrum console too. Just type import electrum first and then the rest.

If you or someone could show this quotation with 'normal' mathematical signs (a picture or external link with different numbers are OK), that would be helpful.

I have found this as well: https://security.stackexchange.com/questions/36246/what-is-the-entropy-of-just-1-diceware-passphrase-like-my-passphrase

Still not clear.

If we assume that a flawed(?) electronic random number generator is as random than an actual dice.

https://www.google.com/search?q=log(1626**12%2C2)

https://www.google.com/search?q=log(7776**5%2C2)

Entering these into Google calculator give different results - doesn't help, either.

The randomness ("entropy") of one word, chosen at random from a list of 1600, is simply 1600, and the number of bits in 1600 is 10.644 because 2^10.644=1600.  So in a string of words chosen at random from a list of 1600, each word contributes 10.644 bits of randomness (entropy).  To get 128 bits of entropy you need 128/10.644=12 words.  1600 is a pretty short list, which is why electrum makes such long seeds.
Diceware uses a longer list of 7776 words.  Log2 (7776)=12.925;  128/12.925=9.9.  10 words in diceware would give 129 bits of entropy.
I generated a spreadsheet with about 55,000 words by collecting scrabble lists and pasting them into excel.  More entropy there.  By using random numbers to select words, I can generate a strong passphrase which is short enough that I have some chance of remembering it.  The scrabble list also has some real oddball words.  Makes for a memorable passphrase.  The extremely commonplace vocabulary words in the electrum and diceware lists generate very bland phrases that are not memorable at all, besides just being very long.
Electrum should have gone with a much bigger word list.

Have you read this?

So, I've been trying this... I'm a bit confused...I chose some arbitary words , hex-encoded them , entered that hex code as the seed... and then viewed the seed, and the seed become like 45 words or 100 words even sometimes when viewed in electrum.  is this normal?  

(Even when I chose only words from the electrum passphrase dictionary, it still redid them... i chose 16 words and they become like 60 words)

In the current version, seeds are treated in groups of 3 words. ThomasV might explain how this affect what you are trying to do. The new version of the seeds will let you use larger seeds as it will be hashed.

My concern is that the 12 words might not be secure enough...

I guess as long as I can import a hex value and it gives me a seed of
words, it will work, right?

A seed generated by electrum is more secure than any hex you manually input however long the latter might be.

If you absolutely want more than 12 words then do it right. Use openssl to generate a random seed for you:


Then use the restore wallet option to create a new wallet and enter the output of the above as seed.

well  1600^12  < 2^128....

but i guess not by much.

1626^12

https://github.com/spesmilo/electrum/blob/master/lib/mnemonic.py

Hi Guys

I’m assuming the 128-bit seed could be increased to 256-bit instead. I would prefer this as it would be more secure.
What changes (code) would be required to have the Electrum wallet go from 128bit seed to 256-bit seed?


https://electrum.org/faq.html
Electrum uses a 128-bits random seed to generate your private keys. The seed can be represented as a 12-words mnemonic code. You do not need to perform regular backups, because your wallet can be recovered from the seed that you can memorize or write on paper.

Example:
hexadecimal: 431a62f1c86555d3c45e5c4d9e10c8c7
mnemonic: "constant forest adore false green weave stop guy fur freeze giggle clock"
There are 2128 possible seeds for a deterministic wallet in Electrum. For comparison, the total number of Bitcoin addresses is 2160.

Thanks

Hi Egg,

Welcome to the forum.

I had the exact same thoughts as you're having now.

Turns out:

1. Private keys "only" have maximum 160 bits of security anyway
and sometimes 128.

2. Electrum does a 100,000 round key-stretching hash,
effectively adding another 16 bits of security.  So,
you really have 144 bits, which is plenty.

So, plenty of security and nothin to worry about.

 ;D

JF

Hi JF
Thanks for the reply

Yes, but the seed should at least be a minimum of 160bit as are the Bitcoin address.
But ideally even more as you have multiple Bitcoin addresses derived from this single key.

Wouldn't it become enough profitable then for someone to keep generating seeds and looking it up against the blockchain until they find the seed of somebody else?
With bitcoin addresses, the task is quite harder since it's actually a hash of a public address (which is even larger than the 160 bit bitcoin address). Hence, the attacker has to work on all the possibilities of the private address - which is 256 bits, so even larger.
But with this seed, it's just 128 bit possibilities (2^128) (and even, divided by the number of wallets used to find one of them)

No, the seed is for your wallet, which contains many addresses.  
So that's a 1-to-many relationship.  Hence, you will have
less seeds than addresses.

There are many threads here on the forum discussing the
feasibility of cracking a private key.  Bottom line,
it can't really be done.  2^128 is simply too big a number.

Although there are 2^256 possible private keys,
if you know the public key (which is possible
only if a transaction was already sent from
the corresponding address), you can use
the elliptic curve math to find the private key
in 2^128 operations.  

Otherwise, if you don't know the public key
of an address, you're struck with a brute-force
approach, hoping for a hash collision
with probability on the order of 2^160.
(Something to do with RIPEMD-160,
although i'm not yet up to speed on
exactly how that last point works.)

With electrum, the 12 word seed is
run through an iterative loop... hashing
it 100,000 times through SHA-256,
so if you want to try to brute-force
the 2^128 combinations, each try
will take 100,000 times as long.

 

I might not have explained myself correctly.
Yes, I know the seed is for the wallet and contains multiple addresses, which was my original point.
I was talking about a brute force attack on the seed until one generates a set of addresses that the block chain shows as owning Bitcoin.

But I didn't get this earlier, a 100,000 times SHA256 of the original seed is done before addresses are taken. I see your point.
That's good.

However, if SHA256 on the original seed is done, this means the original seed could easily well be 256 bit instead of 128.
With 256 bit feed, it would be even more difficult brute force, in addition to the 100,000 times.

Thanks for the input.

Well a hash can have any size input.  Why stop at 256 bit, why not 512 bit, or 1,024 bit, or 94832049823409238490238490324872 bits just to be super duper uper secure?

128 RANDOM bits is beyond brute force.  Electrum then engages in key stretching giving you 144 bit security.  Still I expect the author will allow infinitely sized seeds so people can engage in feel good security.

If you could perform 2^128 operations you could steal nearly half a million bitcoins right now from a handful of the top addresses right now.  Just checked and they are still there so I imagine your seed is safe.

I may be wrong, but it would seem like you can just choose the option "restore a wallet from its private seed" and then add more words to your 12 word seed.
Just make sure you know what you're doing though (read this thread in full and understand entropy) 

EDIT:
Maybe not.  I tried this and can't seem to get any receiving addresses, nor can I see
the master public key.  But I think there's a way to do it (review the thread).

But its pointless.

2^128 can't be brute-forced.   Even if you could do could try
a trillion trillion key combinations a second (and you cant),
it would take 8.9 million years to try all the combinations.

 

If eggdescrambler wants a larger seed he should have one:

- Create a 256 bit random seed and output as hex:


- Create a new electrum wallet, choose the restore function and paste in the hex seed.

The only caveat is that you can't do a restore from seed for this >128bit seed wallet under electrum 2.0+. You will be able to use the wallet file softcopy. But not restore from seed. The reason being that the seed format is changing and electrum won't know which seed version you are using just from the bare seed. The wallet file, OTOH,  contains the seed version.

That's all there is to it.

Quick question
I've done an experiment on electrum
I've started fresh and said "restoring from seed" where the seed is a 256 bit hexnumber (like the output of a sha256)
With that, I got 24 mnemonic words and a given set of 5 bitcoin addresses

Then, I deleted my wallet and started again, this time I've used the first 128 bit of that 256 bit hexnumber I've used earlier as the seed in the input GUI.
With that, I got the 12 mnemonic words, which matches the first 12 mnemonic words from the prior experiment.
I also got 5 Bitcoin addresses that differs entirely from the prior experiment.

So it seems like, although the Electrum documentation says it takes a 128 bit seed, that it actually can take more, leading to a different set of bitcoin addresses.

Can anyone explain what is going on?
And perhaps the documentation on Electrum's website could be updated to specify this.

Thanks

Yes that's correct. It can take an arbitrary size seed but it is not recommended unless you know what you are doing. See the caveat I wrote about on page 2:

https://bitcointalk.org/index.php?topic=153990.msg6627649#msg6627649

Ok, so the next upcoming release is 2.0 and it won't accept those > 128 bit.
I'm wondering, why this change?

Thanks for your answers.

The GUI representation to users for the seed and how it is displayed/used is made with the least experienced user in mind.

The unexperienced user will likely think "OMG MOAR WORDS IS SAFER!!! PUT IN ALL TEH WORDZ!" and make a 500 word seed or something.

In reality, the entropy is capped at 160. So any words over a certain amount is worthless.

Not to mention that if users can choose the length of their seeds, some users will inevitably choose a 1 or 2 word seed, get their bitcoins stolen, and then post about it all over the internet.

If you have confidence in your ability to alter Electrum to create your own seed, and you can restore that seed properly. Go ahead.

But if you try to leave that seed to your family when you die or something, and they try to put it into Electrum after Electrum has already moved on to something else and only offers backwards compatibility to the one type of seed that was supported, then you better hope your family knows how to restore your seed manually, or alter Electrum in order to restore your seed.


If you want to roll dice and make your own entropy, use paper wallets with bitaddress.org.

I think there's also a site that you can download that will accept independantly generated seeds to create BIP32 extended private keys.

The thing is: Yes, this is some variant of Diceware. But this page is specifically engineered for Electrum's seed-words. I'm no expert but somewhat familiar and experienced with typical problems when it comes to 'true' randomness or cryptographically secure keys. I'd really like a word from the developers on that specific idea as it seems really neat!

on what specific idea?   

Rolling your own Electrum seed with dice. It's a little bit different than diceware, because you effectively directly roll 12 Electrum seed words, and don't rely on some other entropy dimensions, but exactly on those offered by Electrum itself! I suggested it here: https://bitcointalk.org/index.php?topic=153990.msg4502689#msg4502689 (https://bitcointalk.org/index.php?topic=153990.msg4502689#msg4502689)

Well i'm not an electrum developer but I see no reason you can't. 

You will want to synch up with the 12 word seed schema, though,
at least if you want to use Electrum the way it is intended.
You need the seed for restore functions as well as generating
new addresses.

The way I would do it:

Assuming you're using standard 6-sided dice, you roll a dice
5 times... This gives you 6^5 combinations = 7776. 
Now divide by 4 and throw away the remainder.
This gives you a number between 1 and 1944.
If the number is greater than 1626, throw it away.
If it 1626 or lower, keep it, write it down.

Repeat the whole process 12 times, now you have
12 numbers that you can use to match up
with the 12 words in the electrum dictionary.

The file I quoted in my original post contained all of Electrum's seed words in a way that they could be addressed by rolling 5 dice. By repeating this procedure 12 times, you get an Electrum seed (discard all throws that are invalid, i.e. since 5 6-sided dice have an entropy that's too high, there are less words than possible combinations).

This is slightly more efficient:
https://bitcointalk.org/index.php?topic=50936.msg7836442#msg7836442

What happens if all the electrum servers are taken offline. Would there be a  way to use the seed phrase to recover?

server have nothing to do with the seed and never see your seed.

All the servers do is tell you your up-to-date balances and broadcast transactions to the network.

Yea but why can't i have the choice atleast. Who knows that my RNG on my PC is flawed, and i might use an external RNG or have a radio that generates random entropy.

128 bit is only 16 character, guys I use 70-80 character random passwords.


Even my flawed RNG 70 character password is better than your "bulletproof" 16 character password

You can still use external entropy.  Just format it into a valid electrum seed format and voila.

How? I cannot edit that initial box where the seed is in, it pops out random words, but i cannot put there random characters.

start a new wallet and choose 'restore from seed', then enter the seed you want.
it has to be a valid seed (containing the proper amount of words all from the electrum dictionary.)

I get that 99% of people aren't able to generate a good sentence to remember, but I still don't like being given the chance to use my favourite sentence.

It's nothing I've found on internet, I searched for it and there's NO MATCHES on internet, and it's a sentence of 16 WORDS, that could also include punctuation.

Having to fiddle with hex is not fun for a non-coder and may also lead to problems in future updates I guess so I won't go that direction.

But in example, to not get bored with that sequence of words, I just snapshot it and send it to my email, which has a password of only 10+ characters... is that really better?
And I guess many people are doing it like that.

Printing those words on paper? And if somebody stumble on that paper?
Remembering 12 words without any sense? Good luck with that: nobody will even try. I didn't, for sure.

You searched for it?  Meaning you typed your passphrase into Google?
Now Google knows it.  Plus it might even show up on some search phrase list.
You don't want to be doing that.

As far not being able to remember 12 words, first of all, I think you
have very low standards of what the human brain can achieve.
Some people memorize full books!  I can easily remember 12 words and
the trick is to make a little mental picture.  

But if you don't think you can memorize it, then trust your gut feeling
about your limitations and use another kind of wallet.

OMG you typed into google? Are you serious?

Did you e-mailed it to your other e-mail?

Man you must be the most uneducated person in internet security ever. You totally compromized your password and it's only a matter of time before you get robbed.

If you can't memorize 12 words then fucking carve it into a tree in a forest somewhere, to make sure nobody stumbles on that paper.

Man you need to keep your sensitive data more secure, because the thieves always love newbies who cannot secure their sensitive info.

I snapshotted a picture of the seed and sent it to myself in the email.
That should be QUITE PRIVATE I think.
And I am pretty sure that if you ask 100 people they will not be learning by memory those 12 words, maybe 1 on 100 will.
And that's exactly the same reason why people don't make longer and more complex passwords.
Implying that I am "limited" is a subtle stupid insult, if you want to talk with me please refrain from being so presumptuous and not constructive at all.
I have exposed what I consider an issue, even though the developers made it that way considering it a feature.

Btw, my IQ, believe it or not (I don't care) is over 140.

Below, just some results from a game.

https://scontent-fra3-1.xx.fbcdn.net/hphotos-xtp1/v/t1.0-9/11035292_10205218431773829_2489588171798260949_n.jpg?oh=605d8397c48a378c3b173c37b8b6af22&oe=56517AE1

I typed only the initial part of my sentence, just to see if it would have found any reference.

Still not recommended, especially if you do it from you own IP, because it can link back to you, and a clever hacker could use it if he ever breaks into your PC.

For example if your sentence is this:            "My baby is feeded 3 cups of milk/day, and he giggles."

Then obviously this sentence might occur in some pregnant women forum somewhere in the obscure part of the internet, and google could find it, but if it has no link back to you then the odds of somebody taking a sentence from the obscure part of the web and linking it back directly to your bank account password or bitcoin password is very very unlinkely.

But if you per-se write it into google, then it is directly linked to you, and as i told above, a hacker can use any snippet of info to guess/bruteforce your PC and the sensitive stuff you might keep there.

Even if you wrote half of the sentence, that means that now your sentence is only half strong as it was before because half of it is compromized...

I suggest you to immediately change your password, and never ever use it in any public site/forum or search engine!

Dude, thank you for all your effort first of all, but... can you tell me how my search can be directly linked to me?
Also, my provider still groups many users under one IP, so I think I shouldn't be so easy to trace.
And last but not least, where should my IP be published?

you always think these ways of getting hacked are unlikely until they actually happen.
I think the bottom line is to never type your cold storage Bitcoin password on a live computer.

A much simpler case is that you have a keylogger that is sending all your information to a
hacker who can later use it.

If you have static IP then its horrible, because once anybody gets a hold of that they can track you every website you visit, if they obtain the websites logs.

If its dynamic it adds a little bit more security.

Every website you visit knows your IP address because everytime a connection is made to another site, your IP is revealed. Every instant messaging software reveals your IP. So any stranger you have skyped with, yahoo messengered with, or any other instant messenger you used to talk with strangers can have you IP.

Also if a hacker puts a tracking cookie on your PC (which many advertising sites already do, but a hacker with malicious desires i mean), he can track every site you visit.

Also trojans, and keyloggers are the other part, when if you get a virus that logs everything and sends it to the hacker, he can log your entire internet activity, from every mouse movement to every keystroke.

Yes privacy is very shallow on the internet, you must take extra precautions if you dont want your sensitive data to be revealed.

Oh i`m very tinfoil hat when it comes to cold storage :D

I took out everything from my offline PC, left with only a cd reader ,motherboard, and ram, and a keyboard with wires.

Wireless stuff are insecure. The operating system is booted from CD, and and data storage is on a double encrypted USB stick. All other connections are disabled from BIOS and sealed with tinfoil to not leak password through radio/infrared signals.

http://www.wired.com/2014/11/airhopper-hack/

No because dice rolls are not reliable source of generating random numbers as the texture that is generated on can lower the cryptographic security of it.

But what I did was to compile random text from 3 different sources , and merged them together in a random but discretionary way and that generated my master private key.

dang you are paranoid.

but i would disagree that dice rolls aren't reliable.  I think any bias you could find would be far too small to exploit.

I use computers since I was 11.
I am now 45.
I have antivirus installed since ever and always updated.
I update Windows every week.
People that find keyloggers in their pc are no tech savvy at all, they roam shitty websites and click yes on every window that pops up, then run or install everything.
That's not me.
I'm bold on this: I've never been hacked, and only got a virus in 2001 when internet here was pretty fresh.
I'm nothing special, just a user that uses antivirus and closes all the shit that pop up and install only known source software.
So thank you for your effort, but believe me: nobody is going to enter here.

I honestly don't know if it varies, but I know that I'm not in Rome and my connection always shows up like I'm in Rome.
Anyway, to hack my wallet, a hacker should have got my IP when I made my search at that time (years ago). I since then changed home and internet provider many, MANY times. And even if he's a "friend" and sees my IP now, he only knows part of my passphrase. I have no virus on my computer, no keylogger or anything (of course I may be wrong, but I have always updated antivirus and system, and there's firewall of course).



Anyway, my security is all off topic.

Back on topic.

I can remember EASILY my passphrase, and many people could do that as well.
It's much more difficult to remember random words, especially when those words are all in english and not all the world speaks english.
This leads to people escaping remembering those words and adopting solutions like the ones I explained.
Only security maniacs will store those words in memory at all costs.
Common people have huge difficulties remembering a password of 15 characters 5 minutes after they set it.
I KNOW THIS, because I help all friends and relatives with their fuckin accounts...
So, just to recap, not giving the chance to set up an arbitrary seed doesn't increase security.
Most common users won't store those words in memory.
People will either snapshot the screen (like I did) and send it to their email.
Or print it. Or write those words in email or in a txt document (that can be lost and/or stolen).
ALL these solutions lead to security issues and this means the mandatory random seed doesn't work as wanted, while an arbitrary seed can be better remembered and would probably be used as intended.

Now, this is my opinion, of course, and it may be wrong.
But I suggest then a poll to verify if I'm so wrong, because I may be not that far from reality.

Electrum is open source.  You can always make your own version with different parameters.
Or you can choose another HD wallet.

I think remembering 12 words is easier than 12 random characters, because you
can paint a mental picture with those words.  If you have "horse battery",
you can remember a horse licking a battery.  Much easier to remember than "hb".

Although human chosen passphrases with high entropy are indeed possible,
most average users do not understand enough about security and high entropy
and thus, many will make the mistake of choosing a low entropy password. 
This is why Electrum doesn't do it.  It wants to be "idiot proof".

Not everyone needs to memorize their seed.  You can write it down
and store it in a secure location.

Thank you but I'm not such a coder.
So I just make present my opinion here, in the right section of the forum, in hope devs reconsider their choice.

Last but not least, your can FORCE the user to generate a high entropy passphrase.
This already happens on many websites when you make an account, they FORCE you to put caps and numbers and symbols, I'm sure you know it, so I can't understand why you keep on putting false obstacles only to keep saying that my considerations are wrong. It looks you just keep posting because you want to be right at all costs.
Anyway, because HE thought the passphrase, he will better remember it and there are more chances he won't need to store it anywhere.

Listen, I'm more than happy to be wrong (about anything).  And I'm not trying to put any
"obstacles" on your opinion.  Your opinion has been noted.

You do have a good point about the ease of memorization.
However, the devs are unlikely to change their opinion
as far as this:
 

(That's straight from the OP in this thread).
Forcing the users to put caps and numbers and symbols is not sufficient to create Bitcoin level entropy.

This is an example of password people should use (don't use this example)

JhXb3gDtr8sDBhSmN3Pe5qwKMT3D4DgAqrYEZ8Ngqh5hW97cQEmrKuV3D
(57 character, cryptographically secure, totally random, impossible to guess & bruteforce)


It's called precaution, sure i have less than 15 bitcoins now in my posession, which arent worth alot to go through all the hassle to steal it compared to the security i put in, but one day that 1 bitcoin can be worth 1 million dollar, and then its another story.

I`m thinking ahead in the future.

I just remember some idiot had 1000 bitcoins in the blockchain.info account and he got hacked and lost it all.

There is a saying:  "A fool and his money are soon parted.And it's true."

My passphrase is more than 12 words, more than 90 characters, includes punctuation and cannot be found anywhere on the internet and not even on my computer ;)
Oh, and it's not even in english!

You can't compare an alphanumeric string to the set of 12 words automatically generated as a seed: that SURELY is more entropic than any human phrase, but maybe 1 person on 1000 can remember that string. I can remember my fiscal code that is 15 characters, and I could probably learn that string, but I still don't think that's needed.

We are talking about the possibility to let users write their own key phrase.

Btw: I'll be back when my money will be parted ;)

Look:

I loved my little furry Jeenee, got her at the beach in an afternoon of summer 1992. Now Jeenee is no more but my memory for her still lives.

You have a word that was nowhere to be found on internet before (bad spelling from my ex-girlfriend), caps, numbers, punctuation and a total of 140 characters.
What do you think about this?

Just to not let hackers waste time: those sentences have nothing to do with my passphrase :D :D :D

again, yes, 140 characters is good but many aren't that savvy.
If you think you can convince Thomas to change electrum, go ahead and try :)

The problem with this is that it's a grammatically well-formed sentence, not a randomly chosen sequence of items. That probably makes it easier for you to remember, but it's also easier to predict what follows next. For example, after "I loved my little ...", the next word has to be an adjective or a noun (phrase), so a search can exclude (or at least, discount) inflected verbs, prepositions, etc.

(EDIT) And the problem with "original" words is that (a) you have no guarantee that they are original, and (b) they constitute a single point of failure, i.e. if the security of your (otherwise not so secure) passphrase rests on the originality of a single word, and you are wrong about it being original, you're screwed.

Maybe I'm wrong, but I think we are a bit on the paranoic side of the matter now.

You can search a word like Jeenee: if it brings less than N results, you can be sure it will be in the last positions as a tried password term. Or even just passed altogether.
Also, the originality of that phrase doesn't rest on a single word, it's just ONE additional measure of security. The phrase itself is all original, or at least self produced.

Also on your assumption "the next word has to be an adjective or a noun" the paranoic is powerful in you :D
It's not wrong what you say, but it's a very complex programming matter imho.
I could have put Jeenee, which is a name, following in there, no nouns or adjectives or anything. Or I could have separated the adjectives with commas. Or not, no commas. As you can see there's more options that you think. Screw jumping one in your hacking code, in you can let it search up forever.

But I want to consider another factor, that I think many people forget: time.
How many tries can you do in one second?
I mean, you have the best connection out there, and you try and try and try to hack into one Bitcoin account with false credentials with your hacking routine. How many tries can be done PRACTICALLY?
NOT theorethically. PRACTICALLY.
So don't bring up IBM supercomputers, and imagine a common hacker, with common CPU power, that wants to hack a common person address.

I don't think knowing what part of speech might come next is meaningful here.
Not only are there enough words, but there is also plenty of flexibility in
possible sentence structures. 

For example "I would like" could be followed by a noun ("I would like ice cream")
or something else

("I would like to talk to you")
("I would like two scoops of icecream")
("I would like that")
("I would like nothing more than to smash your face lol")

And the farther you go into the sentence, the less prediction you will have
from the beginning, and since you need the entire phrase, this kind of analysis
means nothing in this context.

It's neither "paranoid", nor is the exact POS example I gave, and whether there can be exceptions, important. I just picked it as an example to make the problem more relatable.

To be clear: if your sequence of (dictionary) words is the output of a grammar, it is more predictable than a random sequence of dictionary items. See for example Shannon's classic paper on the entropy of English. (http://pil.phys.uniroma1.it/~labcalc/SC/shannon_51.pdf)

Note that Shannon makes no theoretical assumptions about which grammar underlies English. I'm not an expert in password cracking methods, so I can't give you any hard numbers, but I imagine that an n-gram based method (i.e. the classical SML model) would provide a relevant speed up in the search (under the assumption that the sequence is a grammatically valid sentence of English).

From Shannon's paper: "This method is based on a study of
the predictability of English; how well can the next letter of a text be predicted
when the preceding N letters are known"

We should note that when brute forcing seeds, none of the preceding letters are known.

Branching out in a tree-like fashion quickly yields too combinations to make use of the predictability
methods you speak of. It's like trying to brute force guess all the moves of billions of chess games
played between relatively strong engines.  Yes, only certain moves make sense,
but the combinations still branch out exponentially.

You might find marginally higher security in choosing a pure random sequence, but
I think the overwhelming factor in having a week seed isn't found in grammatical predictability,
but instead in the simple bad decision of using a previously known combination from
a book, movie, etc.

Completely agree on this.
You can try guess my sentence, but you never know if the first 3 words are ok: you will have to go with all the sentences that can be realized anyway. Still huge work.
Also note that my sentence is 140 characters long and INCLUDES PUNCTUATION, thing that the random generated words do not.

But now I throw another dice on the table: HOW LARGE IS THE DICTIONARY USED TO GENERATE THE RANDOM SEED?
Have you thought about a hacker that knows there are maybe 10 or 12 available dictionaries online and uses them to generate his sequence?
Now how QUICK would that be? Or anyway, QUICKER than hacking my sentence, with EXTRA INVENTED WORDS that the commonly used dictionary hasn't, with PUNCTUATION, that the random generated seed doesn't put in for obvious reasons, with CAPS LETTERS, that the random generated seed doesn't put in.

So, is my request so bad after all? I really don't think so.
And as you force the user to learn 12 words, you can force the user to generate a sentence that is SO LONG, contains SUCH CHARACTERS like at least 2 or 3 cap letters, and at least 3 punctuation signs.

I'm still on my position with random seed:
1) very few people will learn the seed by memory.
2) I have very good memory (tested) and IQ over 140, and still I didn't want to waste energy learning that sequence of words.
3) limited dictionary probably easily exploitable by hackers
4) people will write those words down somewhere.
Result: the seed is out of the user's brain.

User defined sentence seed:
1) easier to remember because the user can generate a sentence of his/her will.
2) harder to break: no words from more or less know dictionaries, caps letters, punctuation, invented words.
3) less people will write down the sentence, and even then... it's just a sentence, maybe a sentence on a diary, nobody could spot it if it's well hidden in plain sight.

@jonald_fyookball

> We should note that when brute forcing seeds, none of the preceding letters are known.

You don't need to /know/ any actual element of the password. The speed up comes from knowing - for English - the conditional probabilities of certain lexical items or characters, so you don't have to run an exhaustive search over all combinations over the dictionary, or rather: you can try the more likely combinations first, then the slightly less likely ones, etc.


> It's like trying to brute force guess all the moves of billions of chess games played between relatively strong engines.

Not really. It's closer to having a slightly better algorithm for finding the optimal move in a chess game than the next best alternative algorithm. Which sounds exactly like something you'd want to use if you plan to win at chess.

---

I said it before, I'm not an expert on password cracking algorithms, and I can't say what speedup to expect in exact numbers. But I know enough about (statistical) language models to say that I'm pretty sure it could make quite a difference if implemented right, and if the assumption is correct that you try to find not a random sequence, but something generated by "English", or "close to English".

Now then, let's see what a quick Google search comes up with...

(1)


from: https://www.trustwave.com/Resources/SpiderLabs-Blog/Hashcat-Per-Position-Markov-Chains/

Which describes (from what I can tell) an application to password cracking of Shannon's insight mentioned above.


(2)


from: http://www.wired.co.uk/news/archive/2013-05/28/password-cracking/page/2

That one is not even based on any underlying "English grammar", but it's the same principle: there's a set of conditional probabilities they can work with given that the sequence hasn't been chosen at random.

In a sense, the "grammar" here is the "grammar of previously discovered passwords".

Super slick, by the way, must admit that.


(3)


from: https://www.ma.rhul.ac.uk/static/techrep/2013/MA-2013-07.pdf on page 38

This one's probably the closest to what I had in mind. Password cracking based on Markov Chains that encode some form of "English knowledge" to guide the search. And, who would have thought, it's faster than brute forcing.

---

Sorry if this comes across as rude, but that was the last message on this topic from me.

I've made the point I believe is the one that needs to be mentioned in the context of this discussion, and that this point itself is not matter of discussion, but a mathematical certainty:

Entropy of English or near English phrases is lower than that of randomly generated sequences.

Now, admittedly, whether you think the above is worth making it more difficult for users to remember their password is a different matter. But that's a 'weighing off' decisions then, between usability and (guaranteed) safety.

And all these things considered, I think that Thomas V found an excellent solution: by default, seed generation is random, because on average, humans suck at coming up with randomness.

If however you have shown that you have a modicum of technical knowledge, you can enter your own seed, and then it's your own responsibility to ensure it is good enough.

Think of it like a "You must be this tall to ride" sign at the entrance of a roller coaster, and even placing a pair of walking stilts next to it.

If you're sure you want to roll your own, you can already do so. I don't see any need to ask Thomas to invite everyone to come up with their own seed, because the likely result is that average seed quality would decrease.

---

(EDIT) One thing, to be clear: I agree with you guys that it's hard, if not impossible, for most people to memorize the random seed. That's why you should probably write it down or print it, and find a way to store it away.

Hell, if your funds warrant that level of security, put it into a sealed envelope and place that one into an insured bank vault. The same principles of storing anything physical of great value applies here, only that in our favor (a) you rarely if ever need to get the item (only to recover your keys), and (b) the item is small, so hiding it or renting some safety box is easier than having to do so for a larger object.

You can 3D print a ring and stamp the words inside it, just an idea :D

(screw my claim that I'm not writing again in here :D)

You're probably joking, but I'm not so sure that "on body safekeeping" is necessarily worse than traditional safekeeping by hiding, or placing things into vaults.

Now I wonder if there's any research into this, how "on body" compares to "hiding" compares to "vaulting"...

Hiding is better than vaulting. If a thief breaks into your house he knows exactly where to look for valuables if he finds a vault.

If you carve the private key in a tree branch in your nearest forest, or put a piece of paper in a box, and bury it in your nearby forest, is a better solution.

oda krell, interesting article.

You may be able to argue that you lose a few bits of entropy with a grammatically correct
sentence.  This is why experts really don't recommend that you create your own phrase
to begin with:  Its difficult to accurately measure the entropy.

What if my sentence was written in... italian? (it is, actually)
Should a hacker implement several languages grammar?
I still think we are going a bit too far in the paranoid field here...

What if my sentence is written in... a dialect, of any language?

Also keep in mind there's quite some people that CAN'T write correctly.
Just to stay on the english side: many mistake IT'S with ITS, HIS with HE'S, YOUR with YOU'RE, and much more...

Professional password breakers, use dictionary attacks on the passwords, and they got a dictionary of all words, dialects, new words, of all languages.

Probably they focus on major ones.

If your password is in like Navajo or some really obscure language then it might be harder to break, but even then dont put your address,name, or birthdate in it.

Seems to me like you people want to refuse the reality.

Anyway, after thinking well around all this, I'm definitely sure that a sentence:

- more than 100 characters
- unknown language
- possibly with invented words
- possibly with grammar errors
- with caps letters
- possibly with numbers
- possibly with punctuation.

is more secure than:

- always-english
- common dictionary
- no caps
- no numbers
- no punctuation

randomly generated seed of 12 words.

AND it's much easier to remember, thus giving an actual chance to many users to just hold the sentence in their brain and nowhere else.

Yes but i dont understand why we are forced to only 12 words.

The devs force use to have 12 words, what if i want 30 words?

I just dont understand why are they deciding it for us with the pretense "that they know better".

I want to decide my own password and length of it.

They don't allow it because, hoping that Bitcoin will become common use money, there will be a huge effort by hackers to break into users accounts.
This situation will be associated with the fact that the common user usually sets too weak passwords. This would happen with the seed as well.
But then again: as it's commonly use to force users to put caps and numbers in passwords, other mandatory rules can be added when generating a seed.
And I'm pretty sure I demonstrated that a user generated sentence with the rules I set up is more difficult to break than a random generated seed of 12 words without caps, numbers, punctuation, generated from some much used dictionary library... and there's the additional feature that you can easily remember your sentence.

yep pretty much this.

Its designed to mathematically give you 128+ bits of entropy, and each word in the dictionary is mapped
to numbers, so its random.  There's only 128 bits anyway of security in a spent address.

If you want something different, use brain wallet.

Well, it seems Electrum doesn't like fun.

maybe that word isnt in the electrum dictionary.

Fun is part of the word list:
https://github.com/spesmilo/electrum/blob/master/lib/wordlist/english.txt (https://github.com/spesmilo/electrum/blob/master/lib/wordlist/english.txt)

Are you telling me that... the dictionary used in Electrum is well known and available?

So I'm sorry, but this fixed automatic method to generate the seed is TOTAL AND UTTER BULLSHIT and my proposed method is infinitely better.

Why?
Because if I'm an hacker I can just test all the WORDS, I DON'T NEED TO TEST CHARACTER AFTER CHARACTER!
I know the words! So I only need to swap ENTIRE WORDS instead than CHARACTERS, it's so fuckin stupid!
If the dictionary is 1000 words, then the number of possible combinations in the seed is 1000^12!
That's 1 followed by 36 0. I don't say it's little, but it's surely waaaaaay less than a sentence human generated with some punctuation, numbers and caps.

Basically, this automatic seed generation is 12 "bytes" long: the number of words used in the seed! Only a Byte is 256 combinations, while the dictionary has 1000 combinations (I don't know how many words are in the dictionary).
But SURELY this method has NOTHING with testing characters, any hacker could just test WORDS.

Really, I wonder how nobody can see this.
Shit, I thought the dictionary was internal and encripted in the software, this is incredible, an incredible fallacy.

http://vignette1.wikia.nocookie.net/walkingdead/images/0/0c/Double_facepalm.jpg/revision/latest?cb=20131001135318

ehhh...how to say this politely...You're wrong.

First of all, its 1626 words.  1626^12 = 3.4 * 10^38.
It's the same as 2^128, or 128 bits of security, which is the same for any bitcoin address
that has already spent funds.  ECDSA for Bitcoin is 256 bits which provides 128 bits of
security.  Unspent addresses benefit from additional security because of RIPEMD-160 hash,
increasing it to 160 bits.  However, electrum uses key stretching of an 100,000 round hash
once you know the seed, increasing the security to 144 bits.

You ARE correct that human generated phrases POTENTIALLY could have much higher
levels of security, but it doesn't matter because A) 128 bits is beyond brute forcing
by any form of classical computing (do the math and see how many super computers
and millions of years you need) and B) Bitcoin is limited to 160 bits of security no
matter what.

However, its impossible to measure with certainty the entropy level of a human generated
phrase and potential for error exists that does not exist with computer generated pass phrases.

Great explanation, thank you!
And it's not rude to say that someone is just wrong, we can't know everything :)

However, as the two methods give presumably good enough protection, we are still on the line that a human generated phrase can be remembered more easily than a group of random words.

It wouldn't require too much work at all to allow a user to write his sentence, check that he uses caps, lower letters, punctuation and possibly numbers.
The random words method could be left active as an option.

I agree 100% that its possible to create a good passphrase with a very high probability of it being ultra secure
IF YOU KNOW WHAT YOU'RE DOING.

But since many people do not know what they are doing, Electrum chose to idiot-proof it.

As I wrote: it's easy to put a check in it.
You press enter and there's no punctuation and no caps and the sentence is not long enough and various enough: the program won't accept it.
Easy.

Recently one of my friend's computer got hacked by downloading the exe file which was actually a keylogger and the hacker hacked his electrum seed key and now he is also operating his electrum address and what ever his address are receiving the bitcoins he is just simply withdrawing it.

So how can you help him to recover his old wallet from that hacker, can we change the seed pass phrase key . Please help me to recover that electrum wallet from the hacker as my friend is not have that much knowledge about the software 

I believe that Electrum should be able to allow these seeds. Maybe there should be extensive warnings, but it should be allowed nevertheless.

I have a ledger wallet and Electrum, I want to be able to use both :(

You can "input" custom seed to generate a BIP-32 Hierarchical Deterministic Wallet with this tool:

https://coinb.in
 (https://coinb.in)

I used the wallet restore function and made a new wallet using a hexstring taken from the output of

echo -n "My own string"|sha256sum

in a linux conole. If a truly unique string (perhaps involving personal informtion) is used for "My own string" which can be easily remembered, (e.g. "cyberguy was born on the 29th of February 1976 in the middle of the atlantic") what are the security implications of this. Could this be considered an alternative for a "brain wallet"