Bitcoin Forum

The electrum seed is 12 words randomly generated from 2048 words list
the word list is public and everyone know what the words are so for someone to brute force it they dont need to brute force 12 words but simply 12 characters since every word is known
how can it be secure?
i want to store some of my BTC with electrum but i just do not see how a 12 word seed from 2048 public words can be secure it seems like very bad protection

See https://bitcointalk.org/index.php?topic=1606740.msg16154287#msg16154287

But in electrum there are 2048 words that are public so we can consider that each word is 1 alphabet letter so brute forcing a 12 character password from 2048 pool doesn't seem that hard to do?
And after the seed is used is it possible to force it to use user generated password for make any transaction or after someone gets seed they have full access

You didn't read the post, did you? The search space is massive, in fact much more so than a 12 character password. Read the post and look at the math.

Electrum's mnemonic is similar to BIP39 but not the same. AFAIK, Electrum actually uses 13 words. That means that there are 11,150,372,599,265,311,570,767,859,136,324,180,752,990,208 possible combinations. Furthermore, there are 5 languages, so if you don't know the language, there are 55,751,862,996,326,557,853,839,295,681,620,903,764,951,040 possible combinations. Because the seed is random, there is no pattern, so the only way to get the seed is through brute force. Even if you were able to guess 50 Million seeds per second, it would still take 1.3274253094363466155676022781338310420226438095238095... × 10^31 years to go through the search space.

Basically, to sum up the post achow101 is refering to... It's like cracking a 12 character password written in an alphabet containing 2048 letters... But 4 different alphabets can be used.

Mathematically, it's waaaaaaaaaaaay harder than cracking a 12 character password written using a standard 26 character alphabet.

At least, that's how i always understood it.

Just tried Electrum and i can only make english so where are the others

It depends on your computer's language. Default is english, if your computer's language is chinese, japanese, portuguese and spanish, then it will be in one of those languages.

Also, read my edited post for the math.

In case you're intersted, the wordlists themselfs can be found here:
https://github.com/spesmilo/electrum/tree/master/lib/wordlist

I wouldn't recommand using them for a brute force attack tough, as explained above, it would be wasting resources because the probability of finding a used seed is astronomically small...

As some in this thread have been trying to explain to you, most alphabets have a LOT less than 2048 letters.

Humans seem to have a very difficult time wrapping their minds around big numbers.  I'll try to put it in perspective for you as best I can.

Lets try some simple math:

The english alphabet has 26 letters.  That means that you have 26 possibilities for the first character. Each of those 26 possible first characters can match up with another 26 possibilities for the second character, so that's 26 X 26 possibilities for 2 characters.  We can keep doing this for however many characters there are in the "seed":

26 X 26 X 26 X 26 X 26 X 26 X 26 X 26 X 26 X 26 X 26 X 26 = 26¹² = 9.54 X 10¹⁶

That's just a little bit less than 10,000,000,000,000,000 total possibilities for a 12 character seed from a 26 character alphabet.  If you could try 10 billion passwords per second, it would take you about 11.5 DAYS to try all possibilities.  This is why a 12 character seed doesn't "feel" very secure to you.


Now lets try the same with a 2048 character alphabet...

2048 X 2048 X 2048 X 2048 X 2048 X 2048 X 2048 X 2048 X 2048 X 2048 X 2048 X 2048 = 5.44 X 10³⁹
That's a bit more than 5,000,000,000,000,000,000,000,000,000,000,000,000,000 total possibilities for a 12 character seed from a 2048 character alphabet.  If you could try 10 billion passwords per second, it would take you more than 1.7 X 10²² YEARS to try all possibilities.

That's significantly longer than the earth has existed. If you worked for the entire time that the earth has existed so far, and then again, and then again, and so on... You'd have to repeat that entire time more than 3.7 X 10¹² times.

1.7 X 10²² YEARS is significantly longer than the universe has existed.  If you worked for the entire time that the universe has existed, and then again, and then again, and so on...  You'd have to repeat that entire time more than 1,000,000,000,000 times!

As anyone else has said electrum is one of the most secure desktop wallets and the seed is a great way to protect your bitcoins.

Only install it on a clean PC( after a fresh format, or in a PC you are sure you are clean) then copy the seed words in a document with a password.

Add this document to RAR with a strong password and keep it in a few USB sticks. This is the best protection you can have with a desktop wallet like electrum.

If you want extreme protection go for a hardware wallet instead.

Look at it this way. 4 years ago I created a brute force calculator.

A 5 character password from a 95 key keyboard, going through 1,000,000 passwords per seconds would take 2.15 hours to go through all the combinations.

6 characters = 8.51 Days
7 characters = 2.21 Years
8 characters = 210.37 Years
9 characters = 19,985.08 Years
10 characters = 1,898,582.38 Years
11 characters = 180,365,326.06 Years
12 character = 17,134,705,976.11 Years


Now a 5 word password from a list of 2048 words, going though 1,000,000 passwords per seconds  will take 1,142.47 years to go through all the combinations.

6 words = 2,339,769.67 Years
7 words = 4,791,848,282.97 Years
8 words = 9,813,705,283,528.19 Years
9 words = I get an error, because the number of passwords that is generated is over the .Net limit.

Try Wolfram Alpha:  https://www.wolframalpha.com/

9 words = 20,084,711,768,769,320.25 Years
10 words = 41,133,489,702,439,567,873.75 Years
11 words = 84,241,386,910,596,235,005,438.12 Years
12 words = 172,526,360,392,901,089,291,137,276.56 Years

How can a password of 12 characters be secure? It uses letters, numbers and special characters that are all known.

Normal passwords only have about 50 characters to choose from, these seeds use 2048 "letters" as others have explained. You can see the signficant increase in security there. In addition, if the attackers doesn't know you use a seed like this (for a normal password, as for electrum it is obvious), the password is even longers as he would have to guess all random characters including spaces.

Also, I think for each seed, you would have to scan the blockchain to check for outputs belonging to the generated keys, and it's not like blockchain.info is going to let you use their public API 10 billion times per second.

Thanks. I thought of using WA, but I didn't want to input the formula, since I was using the program I created.

What about hardware wallets that like ledger have 24 words, is it double this time to brute force them ? It feels great to have such wonderful wallets in our power and it feels even better to know that behind such wallets, desktop ones like electrum being discussed here has a very active team of developers, same with ledger hardware wallet because they want to make it even better to sell more. I can sleep alright at night now after reading this.

It's not double, it's exponential. There would be 2048^24 possible combinations then.

Why is it that a dictionary of 2048 words are used? While the search space is inconceivably large, what is the advantage in not using random sequences of letters in place of the 2048 words, which would increase the search space dramatically?

Presumably the chance of a brute-force attack finding ANYONE's seed is also too small. But if it did happen by chance, it could be quite damaging to that individual? Because no one presumably uses multiple wallets/seeds, and since 1 seed is controlling all the private keys, what if someone had hundreds of millions of USD in bitcoin, eg? Or would they have multiple seeds/wallets?

It isn't possible to brute force a seed.

Now as to why we use English words it is so that we can write it down easily. The seed is actually a really large random number that gets encoded as English words so we humans can write it down with our meaty hands. You could just as easily represent it as a hexadecimal number or base64 or some other encoding. It just wouldn't be very user friendly.

Based on the above posts, it seems that even half the seed should be secure?


However, this is in conflict with this post https://bitcointalk.org/index.php?topic=1012535.msg10985641#msg10985641, which states that it would be easy to break.

The idea would be to store half the seed in 1 secure location, and the other half in another.

ulhaq you should create a multisig wallet if you want to create split backups.

You seem to be having some difficulty multiplying and dividing.

2048 X 2048 X 2048 X 2048 X 2048 X 2048 = 73786976294838206464

If you could try 10 billion passwords per second, it would take you:
73786976294838206464 / 10000000000 = 7378697629.4838206464 seconds.

There are 60 seconds in a minute, so that's about:
7378697629 / 60 = 122978293.817 minutes

There are 60 minutes in an hour, so that's about:
122978293 / 60 = 2049638.21667 hours

There are 24 hours in a day, so that's about:
2049638 / 24 = 85401.5833333 days

There are about 365.25 days in a year.  Therefore, using the numbers from earlier posts, the result would be only
85401 / 365.25 = just a bit more than 233.8 years.

That's a LOT less than the 2,339,769.67 years that you came up with, and its a small enough number that I'd worry that someone could get lucky, or find a shortcut to a solution.

I didn't come up with that value, it was quoted from above. But I did get a large number, and your 233 years still seems safe. But clearly a multisig wallet is the way to go. Thanks for the input.

Im curious but let say someone got a portion of your seed.  Electrum there are 12 words.  If someone were to get say the first 6 words, then are you still pretty safe?


Now what if someone knows say the first 10 or even 11 words of your seed.  Well if they know the first 11 words of your seed in the exact order, then i assume they could brute force this very quickly right?  But if they have the 10 or 11 words but not in the right order, i assume they could still brute force it but it would take longer?  And thus if they know the first 10 or 11 words, well they obviously know what language it is right?  How many words would you say is to the point where okay your seed is not safe anymore?  Im guessing the first 6, its still safe.  But probably if they got the first 8, then thats the point where its not safe?  The other thing is wouldn't the nano ledger s be more safe then since well its 24 words plus an option to make your own word?  Surely 24 words is safer than 12 words.


The other thing is this.  Aren't there going to hackers that would look at the entire word list say in english.  Then just trial and error putting random 12 words together and then magically eventually getting access to an account?  I mean how many electrum wallets are really out there?  How many in english?  Surely they could eventually hit one right after trial and error?  When i mean trial and error, i mean doing it themselves manually.  But those guys that do that, they use a program to brute force people say?  So brute force is basically a program that would just test every 12 word phrase on electrum click enter, it doesn't work, then try another word etc?  So if someone brute forces electrum, then they look at the computer and its basically like someone manually typing 12 different words over and over again?  And when brute force is done, do they do like 12 words where first 11 words are so and so, then the 12th word they take the next one on the 2000 word list etc?

2048 words in the word list.

12 words in the seed phrase

2048¹² = 5,444,517,870,735,015,415,413,993,718,908,291,383,296 possible combinations

If you try to "brute force" 1 million combinations of 12 words every second, it will take you:
5,444,517,870,735,015,415,413,993,718,908,291 seconds = 172,526,360,392,901,089,291,137,276 years

to try all the possibilities.

The universe has only existed less than 14,000,000,000 years.

That means if you started searching through 1 million addresses every second at the moment of the Big Bang, and continued until today you would have searched through less than  0.00000000000001% of the possible addresses.

At that rate (1 million per second) you'd have to start all over again with additional Big Bangs and search for more than 12,323,311,456,635,791 entire universes worth of time to get through all the possibilities.



If you have the first 11 words in order, and you know which position the 12th word belongs in, then you'll find it in less than 2048 tries (since there are only 2048 words to choose from).

If you have the first 11 words in order, but you don't know where the 12th word belongs in the list, then the number of possibilities is 2048 X 12 = 24,576 possibilities since each of the 2048 words could be in any 1 of 12 possible positions.

There are quantities that are easy to say are "secure" such as 2048¹².  There are also quantities that are easy to say are "insecure" such as 2048¹.  Trying to find an exact line between the two where you can say that +1 = secure and -1 = insecure is impossible.  Instead, choose a number that is obviously secure, and then keep your entire seed a secret!  That way you won't have to guess if the seed is "secure enough".

Hi there.  So you mean if someone has say the first 11 or 10 words of your seed, then that would mean they could brute force it very easily then?  Thus if they know 11 or 10 but even if they are not in order, then that would be pretty easy for them then?


Also another question.  When people say private keys, what does that mean?  Because thats not the same as the seed?  I read in another thread that someone mentioned a bitcoin private key is not the same as the seed.

Yes.
You shouldn't give out any part of your seed at all.

A bitcoin private key is not a mnemonic seed but a mnemonic seed is equivalent to a set of private keys.
A mnemonic seed is a way to encode (represent) a bitcoin private key, and it is deterministic meaning that the same seed will always generate the same private key and thus the same bitcoin addres(es). (Which is why it's called a "seed": it will "grow" into the tree of bitcoin private keys)
It's also a one-way function: you can generate a private key from a seed but you can't generate a seed from a private key.
TL;DR: a mnemonic seed is an easy way to abstract (represent) bitcoin private keys for easy storage even though they're not literally the same they are equivalent because you can produce the private key from the seed.


You seem to have a lot of (basic) questions about bitcoin.
I suggest you read Andreas Antonopolous' book Mastering Bitcoin
It will help you a lot to learn about how bitcoin works.
You can get a soft copy from Amazon or you can read it online for free here:
https://github.com/bitcoinbook/bitcoinbook/blob/develop/book.asciidoc