Bitcoin Forum

Bitcoin => Wallet software => Topic started by: jerry0 on October 21, 2020, 07:54:19 PM



Title: Brute Force And Seed Phrase Security Questions
Post by: jerry0 on October 21, 2020, 07:54:19 PM
So I know brute force means, like, you try all the combinations...


1. But it's a computer entering each one, etc., over and over, right? And not like a person doing it manually, right? Now with brute force, is it a program that does it or is it a computer?




Now the Electrum seed is 12 words. The Nano Ledger is 24 words. I know other wallets have 12 as well and others have 24 in general.




2. If say someone has all the words for each of Electrum and the Nano Ledger S... is your seed basically compromised even if one doesn't know the order of each one? I gotta assume Electrum could easily be done by manually typing each word and combination, right? But with the Nano Ledger S, a lot more time, but that's probably done in days? And it's a program that will brute force it? Thus you see on the computer that it would auto type all the words and enter each time... then rinse and repeat? Or is that not how brute force works?




3. How many words being exposed for Electrum and the Nano Ledger S would you consider your seed a bit compromised? Obviously if you give 1-2 words out for Electrum or the Nano Ledger S... that is still very safe, right? But obviously Electrum is not as safe because of fewer words. If someone has your first 6 words of Electrum or the last 6 words... how long would it take to brute force that? What about Ledger with 12 words... say someone found one half of your 24 word seed?



4. Order is much less important than the words, right? Like is it better to have exposed 6 words of your 24 word seed as opposed to having, say, 3 words straight of your 24 word seed?




5. I always felt the 12 word seed in Electrum wasn't safe because I thought, hey, only 12 words and the word list is only a little over 2000 words or so. I thought to myself, well, imagine I just go to recovery seed in Electrum and just trial and error all the words... surely I would make one hit... but this is basically impossible, right? Because I assume people with a brute force program could type the combinations of words for them in Electrum? Thus imagine it typing each one manually by looking at the word list, while it would be doing the same but with a machine doing it faster... is that right? I thought, well, if it keeps entering words... wouldn't it eventually find a match? Or is there a period where after you type in say 50 combinations and it doesn't work... it can't enter more words until a certain time period? Like imagine you try to log into your email account with a password and you are wrong three times, then it won't let you log in for another hour or so, etc... but no issue like that with brute force?


Title: Re: Brute Force And Seed Phrase Security Questions
Post by: jerry0 on October 21, 2020, 08:03:20 PM
Another thing. But all wallets like Nano Ledger, Electrum, Armory, Coinomi use the same word list, right? Well what about wallets like MyEtherWallet, Waves, and other types of wallets? I can't imagine it's all the same word list, right? So there's a separate word list for different wallets? Then again I know most of those wallets might not even have wallets and use MyEtherWallet, right? But if there are so many wallets generated... how could someone even attempting, say, ten thousand different combinations not even generate a hit?



Surely someone has found crypto this way, right? I mean I don't know exactly how many combinations there are... but it's not like okay you need to hit exactly one of these combinations... there are so many combinations of seed words.



Also does anyone have a clue how many seeds are generated in total for Electrum or the Nano Ledger S? I thought with so many wallets out there... even if you brute force... how could you not hit one of them... or is my logic incorrect here? It's not like okay I can try it only a few times then it locks and you can't try anymore, like when you attempt too many passwords for your email and you are wrong.


Title: Re: Brute Force And Seed Phrase Security Questions
Post by: OROBTC on October 22, 2020, 12:48:38 AM
...

I think we're good on defense vs. Brute Force attacks, even with the 12 seed word wallets.  That works out to some 2048^12 word combinations (a comfortably large number).  

https://github.com/bitcoin/bips/blob/master/bip-0039/english.txt

Yes, the word order is very important!

I would just add here, FYI everyone, that the words can be "re-used" within that seed, that is, I once generated a 12 word seed, and one of the words was used TWICE.



EDIT: I will leave most of your questions for those more advanced than I am in the technical aspects of wallets & seeds.


Title: Re: Brute Force And Seed Phrase Security Questions
Post by: nc50lc on October 22, 2020, 04:28:21 AM
1. But it's a computer entering each one, etc., over and over, right? And not like a person doing it manually, right? Now with brute force, is it a program that does it or is it a computer?
Technically, a person manually typing random seed phrases is also considered "bruteforce".
Wiki: Brute-force (https://en.wikipedia.org/wiki/Brute-force_attack).

Quote from: jerry0
2. If say someone has all the words for each of Electrum and the Nano Ledger S... is your seed basically compromised even if one doesn't know the order of each one?
If that happened, it's only a matter of time before 'the one who has the jumbled words' finds the correct order.
12-words have about half a billion combinations that a typical computer can do in minutes/hours using BTCRecover (given that he knows one of the wallet's addresses).
24-words can stretch the time a lot longer but getting the correct order once all of the words got compromised is still inevitable.

Quote from: jerry0
3. How many words being exposed for Electrum and the Nano Ledger S would you consider your seed a bit compromised? Obviously if you give 1-2 words out for Electrum or the Nano Ledger S... that is still very safe, right? But obviously Electrum is not as safe because of fewer words. If someone has your first 6 words of Electrum or the last 6 words... how long would it take to brute force that? What about Ledger with 12 words... say someone found one half of your 24 word seed?
12 words is indeed less secure than 24, but that doesn't make it insecure.
If the attacker is bruteforcing the words rather than the "entropy", then just base it on the number of possible permutations;
like for example, if 6 out of 12 words were compromised: 2048^6 = 73,786,976,294,838,206,464, which is still a lot for a regular computer, but you can consider it compromised.
For leaked 1 or 2 words, I can tell that it's not enough to be compromised.

Quote from: jerry0
4. Order is much less important than the words, right? Like is it better to have exposed 6 words of your 24 word seed as opposed to having, say, 3 words straight of your 24 word seed?
Hmm, when it comes to exposing only a portion of the seed phrase, the attacker would never know if it's in the correct order or straight.
I think, normally, an attacker will try to fill the missing words at the end or start first, thus a seed phrase in a random order is much safer IMO.

Quote from: jerry0
5. I always felt the 12 word seed in Electrum wasn't safe because I thought, hey, only 12 words and the word list is only a little over 2000 words or so. I thought to myself, well, imagine I just go to recovery seed in Electrum and just trial and error all the words... surely I would make one hit... but this is basically impossible, right?
As said by the above post, there are too many combinations for a 12-word seed to be considered insecure.
2048^12 is equal to 5,444,517,870,735,015,415,413,993,718,908,291,383,296 combinations.
It doesn't look like much (that's why BIP39 wasn't implemented in Bitcoin Core) but the number is still impossible to bruteforce with the current supercomputers.

Surely someone has found crypto this way, right? I mean I don't know exactly how many combinations there are... but it's not like okay you need to hit exactly one of these combinations... there are so many combinations of seed words.
So far, there's none; if you can find some article or news about a seed-phrase collision, it's FUD.


Title: Re: Brute Force And Seed Phrase Security Questions
Post by: pooya87 on October 22, 2020, 04:54:41 AM
Quote from: jerry0
3. How many words being exposed for Electrum and the Nano Ledger S would you consider your seed a bit compromised? Obviously if you give 1-2 words out for Electrum or the Nano Ledger S... that is still very safe, right? But obviously Electrum is not as safe because of fewer words. If someone has your first 6 words of Electrum or the last 6 words... how long would it take to brute force that? What about Ledger with 12 words... say someone found one half of your 24 word seed?
12 words is indeed less secure than 24, but that doesn't make it insecure.
If the attacker is bruteforcing the words rather than the "entropy", then just base it on the number of possible permutations;
like for example, if 6 out of 12 words were compromised: 2048^6 = 73,786,976,294,838,206,464, which is still a lot for a regular computer, but you can consider it compromised.
For leaked 1 or 2 words, I can tell that it's not enough to be compromised.
Keep in mind that while this is theoretically correct, realistically the situation can be very different. If a portion of your seed phrase is leaked, it is reasonable to assume the entirety of it could also leak, because there is something seriously wrong with your security! So in a situation where you know some number of words of your seed phrase are leaked, you must create a new wallet and transfer all your funds to that one.


Title: Re: Brute Force And Seed Phrase Security Questions
Post by: bob123 on October 22, 2020, 12:02:36 PM
So I know brute force means, like, you try all the combinations...
1. But it's a computer entering each one, etc., over and over, right? And not like a person doing it manually, right? Now with brute force, is it a program that does it or is it a computer?

 ;D
Theoretically, both are called bruteforcing.
But if you'd want to try to bruteforce a mnemonic (or a password or whatever), I'd recommend you use a computer for that.



~snip~

Your 12 word mnemonic is secure.
4-5 words can be bruteforced quite easily currently. But you shouldn't think about it, since you shouldn't expose any words of your mnemonic at all.

Better keep it completely secure than to think about how many words you could expose and still be safe.


Title: Re: Brute Force And Seed Phrase Security Questions
Post by: o_e_l_e_o on October 22, 2020, 07:57:43 PM
12-words have about half a billion combinations that a typical computer can do in minutes/hours using BTCRecover (given that he knows one of the wallet's addresses).
24-words can stretch the time a lot longer but getting the correct order once all of the words got compromised is still inevitable.
I think that's a little misleading.

12! is indeed half a billion, and could be brute forced in a few hours, as you say.
However, 24! is over 1 quadrillion times bigger than that.

Even if 12! could be brute forced in a single second, 24! would take over 41 million years.

I still wouldn't feel at all comfortable knowing that all 24 words of my seed phrase had been leaked, and I would still move all my coins to a new wallet as soon as possible, but practically speaking, they would still be safe for all intents and purposes.

4-5 words can be bruteforced quite easily currently.
Again, I don't think that's quite accurate.

This person bruteforced 4 words: https://medium.com/@johncantrell97/how-i-checked-over-1-trillion-mnemonics-in-30-hours-to-win-a-bitcoin-635fe051a752
On his own computer it would have taken him 25 years. By spending $350 renting cloud computing he was able to do it in 30 hours. If you make that 5 words, rather than 4, then it would have cost him $350*2048 = $716,800 and would have taken him 30 hours*2048 = ~7 years.

I think 4 words is the limit of what could be called "easily" brute forced (and even then, it's not that easy). 5 words is potentially possible, but only with a significant amount of time, money, and resources.


Title: Re: Brute Force And Seed Phrase Security Questions
Post by: jerry0 on October 22, 2020, 11:17:35 PM
So I know brute force means, like, you try all the combinations...
1. But it's a computer entering each one, etc., over and over, right? And not like a person doing it manually, right? Now with brute force, is it a program that does it or is it a computer?

 ;D
Theoretically, both are called bruteforcing.
But if you'd want to try to bruteforce a mnemonic (or a password or whatever), I'd recommend you use a computer for that.



~snip~

Your 12 word mnemonic is secure.
4-5 words can be bruteforced quite easily currently. But you shouldn't think about it, since you shouldn't expose any words of your mnemonic at all.

Better keep it completely secure than to think about how many words you could expose and still be safe.



Well if you do it manually, you are basically typing it yourself, which is time consuming... but when a computer does it... can someone explain how that works? So you would see on the screen... it typing those word combinations and pressing enter each time... then moving on to the next word, etc.? You can do this with a computer you have, or do you need to buy special equipment for it?



Title: Re: Brute Force And Seed Phrase Security Questions
Post by: jerry0 on October 22, 2020, 11:21:09 PM


I think 4 words is the limit of what could be called "easily" brute forced (and even then, it's not that easy). 5 words is potentially possible, but only with a significant amount of time, money, and resources.



You mean out of twelve words, right? So how much is the limit for the twenty four word seed?



Well my thoughts are, with just a twelve word seed... if you keep entering different combinations... why would it be hard to hit just one? Because it's not like okay there's 9999999999999999 combinations and you need to hit exactly one. I mean there's tons of addresses out there, so it's like how could you not hit one... does that make sense with my logic? I mean with all the possible combinations of seeds... does anyone know what percentage of them contain BTC? Like imagine you hit a twelve word phrase but then it shows 0 BTC... but you hit the phrase correctly, right? But if you enter a wrong seed, it shows an error?


Title: Re: Brute Force And Seed Phrase Security Questions
Post by: o_e_l_e_o on October 22, 2020, 11:29:41 PM
but when a computer does it... can someone explain how that works?
It creates a combination, checks that it is valid, and if it is then goes through the process of turning that combination of words into usually either a master public key, which it can compare against one you have entered, or into an address, which it can compare against one you have entered or against the blockchain for any previous transactions.

So you would see on the screen... it typing those word combinations and pressing enter each time... then move on to the next word etc?
I mean, you could write a program to do this if you wanted, but given that it could likely check tens of thousands of combinations a second, there really is no point.

You mean out of twelve words, right? So how much is the limit for the twenty four word seed?
The same. If you are missing 4 words then there are 2048^4 possible combinations, regardless of how many total words there are.

I mean there's tons of addresses out there, so it's like how could you not hit one
Because there are this many possible valid 12 word seeds:
340,282,366,920,938,463,463,374,607,431,768,211,456

And there are only approximately 30 million bitcoin addresses with a balance on them. Divide those two numbers and you get a roughly 1 in 11 million trillion trillion chance of finding a collision. (Now, this is not quite accurate since any seed can generate potentially billions of addresses, but you get the idea.)


Title: Re: Brute Force And Seed Phrase Security Questions
Post by: jerry0 on October 23, 2020, 12:14:50 AM
but when a computer does it... can someone explain how that works?
It creates a combination, checks that it is valid, and if it is then goes through the process of turning that combination of words into usually either a master public key, which it can compare against one you have entered, or into an address, which it can compare against one you have entered or against the blockchain for any previous transactions.

So you would see on the screen... it typing those word combinations and pressing enter each time... then move on to the next word etc?
I mean, you could write a program to do this if you wanted, but given that it could likely check tens of thousands of combinations a second, there really is no point.

You mean out of twelve words, right? So how much is the limit for the twenty four word seed?
The same. If you are missing 4 words then there are 2048^4 possible combinations, regardless of how many total words there are.

I mean there's tons of addresses out there, so it's like how could you not hit one
Because there are this many possible valid 12 word seeds:
340,282,366,920,938,463,463,374,607,431,768,211,456

And there are only approximately 30 million bitcoin addresses with a balance on them. Divide those two numbers and you get a roughly 1 in 11 million trillion trillion chance of finding a collision. (Now, this is not quite accurate since any seed can generate potentially billions of addresses, but you get the idea.)



I had no idea there were this many seeds possible out of just 12 word seeds. But how do you know there are 30 million bitcoin addresses with a balance on them? Where did you find this information?


So you're telling me on average one address has around 0.6 BTC in each wallet? That seems way too high, don't you think? Obviously there are wallets with say 1000 BTC in them and some with much less, etc... but isn't it like 95% of bitcoin addresses contain 1 or less BTC, and it's more like 80% contain 0.5 BTC or less, or something like that?


Well take a look at those combinations. I do know that a seed can repeat itself. So you're telling me some seeds would include words that repeat more than twice? Here is the issue though. Wouldn't that mean with all those combinations... then say the word is OVER. I'm not sure if OVER is a word in the word list or not. So wouldn't OVER written 12 or 24 times be a possible seed? Imagine when someone generates a seed with their Nano Ledger S or Electrum... let's say it was Electrum... and the seed was like



Over Over Dog Over Over Over Over Over Over Over Over Over


First off... it is possible for Electrum or the Nano Ledger S to generate this seed, right? Because if so, wouldn't you not want this seed since it repeats itself every word except Dog?


Like if you know about seeds and generate a new seed and a word shows up say 6 times in a 24 word seed... surely you would reject it? I mean I certainly wouldn't want a seed that repeats itself this many times, right?


So with all those combinations of just 12 word seeds, what percentage of them use the same word once? Twice? Three times? Imagine 6 times? Surely you wouldn't feel safe with that seed, right?


Title: Re: Brute Force And Seed Phrase Security Questions
Post by: o_e_l_e_o on October 23, 2020, 12:24:13 AM
But how do you know there are 30 million bitcoin addresses with a balance on them? Where did you find this information?
Loyce has generated a list of all addresses with a balance from Blockchair's data dumps. There are 30 million entries. See: List of all Bitcoin addresses with a balance (https://bitcointalk.org/index.php?topic=5254914.0)

So you're telling me some seeds would include words that repeat more than twice?
Yes. There is no rule against words being repeated.

then say the word is OVER.  I'm not sure if OVER is a word in the word list or not. So wouldn't OVER written 12 or 24 times be a possible seed?
The word "over" is indeed in the BIP39 list. However, the word "over" repeated 12 times is not a valid seed phrase, because the final word of each BIP39 phrase contains a checksum within it, and the checksum would be incorrect in this case. However, the phrase
Code:
over over over over over over over over over over over ostrich
is perfectly valid. Or if you want to go with 24 words, the valid phrase would be:
Code:
over over over over over over over over over over over over over over over over over over over over over over over nothing

First off... it is possible for Electrum or the Nano Ledger S to generate this seed, right? Because if so, wouldn't you not want this seed since it repeats itself every word except Dog?
Yes, it is entirely possible to generate this seed phrase. I do agree though, that if my wallet generated a seed phrase with 11 repeating words, I'd probably create another one.


Title: Re: Brute Force And Seed Phrase Security Questions
Post by: jerry0 on October 23, 2020, 03:46:02 AM
But how do you know there are 30 million bitcoin addresses with a balance on them? Where did you find this information?
Loyce has generated a list of all addresses with a balance from Blockchair's data dumps. There are 30 million entries. See: List of all Bitcoin addresses with a balance (https://bitcointalk.org/index.php?topic=5254914.0)

So you're telling me some seeds would include words that repeat more than twice?
Yes. There is no rule against words being repeated.

then say the word is OVER.  I'm not sure if OVER is a word in the word list or not. So wouldn't OVER written 12 or 24 times be a possible seed?
The word "over" is indeed in the BIP39 list. However, the word "over" repeated 12 times is not a valid seed phrase, because the final word of each BIP39 phrase contains a checksum within it, and the checksum would be incorrect in this case. However, the phrase
Code:
over over over over over over over over over over over ostrich
is perfectly valid. Or if you want to go with 24 words, the valid phrase would be:
Code:
over over over over over over over over over over over over over over over over over over over over over over over nothing

First off... it is possible for Electrum or the Nano Ledger S to generate this seed, right? Because if so, wouldn't you not want this seed since it repeats itself every word except Dog?
Yes, it is entirely possible to generate this seed phrase. I do agree though, that if my wallet generated a seed phrase with 11 repeating words, I'd probably create another one.


Okay, didn't know there were that many addresses with a balance.

Okay so OVER is a word... again I had no idea whether it was or not... but you say having OVER written like this


over over over over over over over over over over over ostrich

over over over over over over over over over over over over over over over over over over over over over over over nothing




is actually valid... that is crazy. But if it was someone who just created a wallet, wouldn't they probably not think that much of it though... but it looks weird?


I gotta assume people, when they got their seed... if it repeated once or twice, they probably got a new seed?


Well I'm surprised how someone can't just hit a 12 word seed then... I would have thought it wouldn't take that much time to hit even one. But are you sure nobody has found a balance this way though? I have to assume some do, but only if they got a portion of the seed? I mean if someone found a bitcoin address this way, wouldn't it be unsafe for them to say hey I found a working seed though?


Title: Re: Brute Force And Seed Phrase Security Questions
Post by: pooya87 on October 23, 2020, 04:51:08 AM
You mean out of twelve words, right? So how much is the limit for the twenty four word seed?
The same. If you are missing 4 words then there are 2048^4 possible combinations, regardless of how many total words there are.
Speed-wise, recovering a missing word in a 24-word mnemonic should have a slight edge over a smaller number of words such as 12, because there are far fewer collisions with an 8-bit checksum than with a 4-bit one. ::)

is actually valid... that is crazy. But if it was someone who just created a wallet, wouldn't they probably not think that much of it though... but it looks weird?
If someone did create such a mnemonic they should doubt the correctness of the RNG that their wallet is using, because this type of distribution in the entropy is highly unlikely if the bits were generated randomly.

Quote
Well I'm surprised how someone can't just hit a 12 word seed then... I would have thought it wouldn't take that much time to hit even one.
It could help if you stopped thinking about finding X number of words and thought in terms of the entropy size these words represent. A 12-word mnemonic represents 128 bits of entropy, and that is why it is not possible to randomly find one with a balance in it.


Title: Re: Brute Force And Seed Phrase Security Questions
Post by: HCP on October 23, 2020, 08:45:59 PM
If it makes a difference... your "over over over over over over over over over over over ostrich" 12 word seed mnemonic is actually just an encoding of 132 bits (128 bits entropy + 4 bits checksum):
Code:
100111011111001110111110011101111100111011111001110111110011101111100111011111001110111110011101111100111011111001110111110011100111

Just because something looks "simple" to you when shown as some English words does not mean that the underlying entropy is low. That's kind of the entire point of seed mnemonics. They're meant to allow humans to easily process (and "store") ridiculously large entropy values while minimising the chances for error.

Would you rather attempt to write down (and verify):
Code:
define stamp mistake episode suit need crop drop submit syrup swing approve

or

Code:
001110011001101010001110001101111010010111111101100100010010011110001100111110100001101111011000000110111001011101110000000001010110

:P


Title: Re: Brute Force And Seed Phrase Security Questions
Post by: jerry0 on March 07, 2021, 08:22:16 PM
Okay just to confirm, so if someone were to try to brute force and say the seed they wrote down is incorrect... it would show an error, right, such as "this seed is not correct"?


As opposed to it just opening and showing no balance?


Still... how is it possible that a seed can't be brute forced if there are so many addresses out there and so many wallets? Example with Electrum and the Nano Ledger S, Waves, MyEtherWallet, Bitcore and all of those? But are the seed word lists for those other wallets like Waves and MyEtherWallet the same as for Electrum/Nano Ledger S?





Title: Re: Brute Force And Seed Phrase Security Questions
Post by: Pmalek on March 09, 2021, 04:08:22 PM
Still... how is it possible that a seed can't be brute forced if there are so many addresses out there and so many wallets? Example with Electrum and the Nano Ledger S, Waves, MyEtherWallet, Bitcore and all of those? But are the seed word lists for those other wallets like Waves and MyEtherWallet the same as for Electrum/Nano Ledger S?
An Electrum seed is not the same as a Ledger Nano S generated seed. Ledger generates BIP39 seeds, Electrum doesn't. They have their own standard, however, Electrum also uses the same wordlist as other BIP39 seeds. Just by looking at a 12-word seed, you wouldn't be able to distinguish a Ledger from an Electrum-generated seed.

Any words that belong to the BIP39 word list will generate a wallet with addresses. You can try it yourself. Open your Electrum > click on Standard wallet > click on I already have a seed > open the options menu and tick the BIP39 option. Now enter any sequence of 12 words and click on Next. Electrum will generate a wallet based on your entries.


Title: Re: Brute Force And Seed Phrase Security Questions
Post by: o_e_l_e_o on March 09, 2021, 05:04:44 PM
Okay just to confirm, so if someone were to try to brute force and say the seed they wrote down is incorrect... it would show an error, right, such as "this seed is not correct"?
BIP39 seed phrases have a checksum built in to them. If you have the incorrect words, then with a 12 word seed phrase there is a 1 in 16 chance on average of having a correct checksum by pure luck. With a 24 word seed phrase, there is a 1 in 256 chance on average of having the correct checksum by pure luck. Most wallets would not let you proceed with an invalid checksum, but some like Electrum will simply tell you the checksum is invalid but still allow you to generate a wallet using that seed phrase. Note that a seed phrase with an incorrect checksum will generate a different wallet when compared to the same seed phrase with the correct checksum (or the same seed phrase with a different incorrect checksum).

Still... how is it possible that a seed can't be brute forced if there are so many addresses out there and so many wallets?
Because a 12 word seed phrase encodes 128 bits of entropy. This is the same security as any given bitcoin private key. The reason people can't just randomly guess seed phrases is the same reason people can't just randomly guess private keys - the human race would be extinct before you even searched a tiny fraction of a millionth of a percent of all the possibilities.


Title: Re: Brute Force And Seed Phrase Security Questions
Post by: Cazemiro on March 09, 2021, 06:49:07 PM
But how do you know there are 30 million bitcoin addresses with a balance on them? Where did you find this information?
Loyce has generated a list of all addresses with a balance from Blockchair's data dumps. There are 30 million entries. See: List of all Bitcoin addresses with a balance (https://bitcointalk.org/index.php?topic=5254914.0)

So you're telling me some seeds would include words that repeat more than twice?
Yes. There is no rule against words being repeated.

then say the word is OVER.  I'm not sure if OVER is a word in the word list or not. So wouldn't OVER written 12 or 24 times be a possible seed?
The word "over" is indeed in the BIP39 list. However, the word "over" repeated 12 times is not a valid seed phrase, because the final word of each BIP39 phrase contains a checksum within it, and the checksum would be incorrect in this case. However, the phrase
Code:
over over over over over over over over over over over ostrich
is perfectly valid. Or if you want to go with 24 words, the valid phrase would be:
Code:
over over over over over over over over over over over over over over over over over over over over over over over nothing

First off... it is possible for Electrum or the Nano Ledger S to generate this seed, right? Because if so, wouldn't you not want this seed since it repeats itself every word except Dog?
Yes, it is entirely possible to generate this seed phrase. I do agree though, that if my wallet generated a seed phrase with 11 repeating words, I'd probably create another one.


Okay, didn't know there were that many addresses with a balance.

Okay so OVER is a word... again I had no idea whether it was or not... but you say having OVER written like this


over over over over over over over over over over over ostrich

over over over over over over over over over over over over over over over over over over over over over over over nothing




is actually valid... that is crazy. But if it was someone who just created a wallet, wouldn't they probably not think that much of it though... but it looks weird?


I gotta assume people, when they got their seed... if it repeated once or twice, they probably got a new seed?


Well I'm surprised how someone can't just hit a 12 word seed then... I would have thought it wouldn't take that much time to hit even one. But are you sure nobody has found a balance this way though? I have to assume some do, but only if they got a portion of the seed? I mean if someone found a bitcoin address this way, wouldn't it be unsafe for them to say hey I found a working seed though?

Only for education purpose, it's possible to create a seed with only one word.

Example:
action action action action action action action action action action action action

And there are a lot of similar cases.
 
Using the word action and the iancoleman site, the time to crack is only 65 years; in this case, not so secure...
https://iancoleman.io/bip39/

Answering your question, the Mnemonic Code is 100% safe.


Title: Re: Brute Force And Seed Phrase Security Questions
Post by: pooya87 on March 10, 2021, 06:41:48 AM
Only for educational purposes, it's possible to create a seed with only one word.
Example:
action action action action action action action action action action action action

And there are a lot of similar cases.
Using the word action and the iancoleman site, the time to crack is only 65 years; in this case, not so secure...
If you manually create a mnemonic like this, then it is no longer a "seed" but a brainwallet and it is not safe at all because there is no randomness in the entropy that was used at all.
The time it takes to crack it is also seconds, not years, because all it takes is someone trying all the combinations of the 2048 words where all words are the same (2048 seed phrases to check in total).


Title: Re: Brute Force And Seed Phrase Security Questions
Post by: Lordhermes on March 11, 2021, 05:54:38 AM
<...>
I have some questions to ask: what actually is a checksum in mnemonic seed phrases, and what's the difference between a seed phrase with a valid checksum and one with an invalid checksum with respect to the wallet's vulnerability to being easily attacked/brute forced?
If you manually create a mnemonic like this, then it is no longer a "seed" but a brainwallet and it is not safe at all because there is no randomness in the entropy that was used at all.
The time it takes to crack it is also seconds, not years, because all it takes is someone trying all the combinations of the 2048 words where all words are the same (2048 seed phrases to check in total).
I'm getting to understand something here: are manually selecting the randomness of a seed and a seed extension (I mean adding an additional word, making it the 13th word) the same thing? Will it be possible to crack/brute force an extended mnemonic seed phrase? If possible, then how long can it take to be done?

My questions might seem to be out of context, correct me if I'm wrong, I'm learning a lot.


Title: Re: Brute Force And Seed Phrase Security Questions
Post by: pooya87 on March 11, 2021, 08:06:27 AM
I'm getting to understand something here: are manually selecting the randomness of a seed and a seed extension (I mean adding an additional word, making it the 13th word) the same thing? Will it be possible to crack/brute force an extended mnemonic seed phrase? If possible, then how long can it take to be done?

My questions might seem to be out of context, correct me if I'm wrong, I'm learning a lot.
No, they are not the same thing. The seed phrase itself (the 12 to 24 words) must be generated completely at random using a strong RNG and never manually. The extra word that extends this can be selected by the user "manually" because it was not meant to provide security but only "plausible deniability". Keep in mind that the extra word does NOT encrypt your seed; it just extends it using a very weak KDF.

Breaking it depends on the phrase that was used as the 13th "word". For example, 123 is easier to brute force than ?Z1y-R?lKT/}. The time it takes depends on the number of characters in that word, the type of them (upper/lower case, numbers, symbols) and whether it is actually random or a known phrase, meaning a poem or a famous quote like "remember remember the fifth of November" is not considered safe even though it is long (39 bytes).


Title: Re: Brute Force And Seed Phrase Security Questions
Post by: o_e_l_e_o on March 11, 2021, 02:39:05 PM
I have some questions to ask: what actually is a checksum in mnemonic seed phrases, and what's the difference between a seed phrase with a valid checksum and one with an invalid checksum with respect to the wallet's vulnerability to being easily attacked/brute forced?
Each word in a seed phrase encodes 11 bits of data. A 12 word seed phrase has 128 bits of entropy. The checksum is calculated using hash functions and then appended to the end of the 128 bits to give 132 bits in total, which then encodes into 12 words (12 words x 11 bits = 132 bits). The last word of the seed phrase, then, includes some entropy and the checksum. For a 24 word phrase, it is 256 bits of entropy and 8 bits of checksum. In terms of how this looks, a seed phrase with the incorrect checksum will have a different last word.

In terms of being attacked by brute force, most attackers are presumably only going to try seed phrases with correct checksums since no wallet will generate a seed phrase with an incorrect checksum by default.

I'm getting to understand something here: are manually selecting the randomness of a seed and a seed extension (I mean adding an additional word, making it the 13th word) the same thing?
There is no such thing as manually selecting randomness. Humans cannot be truly random. Any source of entropy needs to come from something like coin flips or the /dev/urandom function.


Title: Re: Brute Force And Seed Phrase Security Questions
Post by: bob123 on March 12, 2021, 01:56:28 PM
I have some questions to ask: what actually is a checksum in mnemonic seed phrases, and what's the difference between a seed phrase with a valid checksum and one with an invalid checksum with respect to the wallet's vulnerability to being easily attacked/brute forced?

A checksum is used to verify the integrity of data.
In the case of a mnemonic code, the checksum assures that the mnemonic code has been entered correctly (it checks whether it is a valid mnemonic). A checksum is calculated from the data it verifies the integrity from.

In regards to bruteforcing, it practically doesn't really matter.
An attacker has to bruteforce a 128 bit secure (12 word) mnemonic code.


Title: Re: Brute Force And Seed Phrase Security Questions
Post by: jerry0 on March 14, 2021, 02:12:07 AM
I'm still surprised by this.  So how many total combinations are there with this many words, and how many total addresses have coins?  Like, what percentage?


I got to assume someone who brute forces has to eventually hit just one address with coins, right?  I just find this really damn hard to believe.  Surely someone has hit one bitcoin or crypto address and not said anything about this?


Title: Re: Brute Force And Seed Phrase Security Questions
Post by: o_e_l_e_o on March 14, 2021, 09:22:23 AM
So how many total combinations are there with this many words
There are 5.44*10^39 possible 12 word seed phrases, if you don't pay attention to the checksum.
There are 3.40*10^38 possible 12 word seed phrases with a valid checksum.

and how many total addresses have coins?  Like, what percentage?
There are 2^160 unique addresses of each type (P2PKH, P2SH, P2WPKH), and there are approximately 800,000,000 used addresses. Therefore, we have used approximately 0.00000000000000000000000000000000000002% of all addresses.

I got to assume someone who brute forces has to eventually hit just one address with coins, right?
No. The sun will die before we ever hit a private key collision.


Title: Re: Brute Force And Seed Phrase Security Questions
Post by: decodx on March 14, 2021, 09:49:39 AM
I got to assume someone who brute forces has to eventually hit just one address with coins, right?  I just find this really damn hard to believe.  Surely someone has hit one bitcoin or crypto address and not said anything about this?

No, that's incorrect. It is impossible for anyone to generate a private key to a Bitcoin address and find the corresponding public key that has some bitcoin in it. There are simply too many combinations. 2^160 is such a ridiculously large number that it's hard to even imagine it.


Title: Re: Brute Force And Seed Phrase Security Questions
Post by: o_e_l_e_o on March 14, 2021, 12:50:00 PM
Take note you got 3.40*10^38 by dividing 5.44*10^39 by 16, because the length of the checksum for a 12 word seed is 4 bits, where only 1 out of 2^4 has a valid checksum.
I actually got the second number simply because it is 2^128, which is the amount of entropy encoded by a 12 word BIP39 seed phrase. But yeah.

2048^12 is the same as 2^132. Each one of the 12 words in a seed phrase encodes 11 bits of data, giving 132 bits of data altogether. With the last 4 bits being a checksum, that leaves 2^128 bits of entropy. 4 bits has 2^4 = 16 combinations. 2^132 / 2^4 = 2^128.
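An added Python example (not code from any poster in this thread) of the checksum rule o_e_l_e_o describes above and in the earlier reply about 12 and 24 word phrases. It works on 11-bit word indices rather than words, because it does not embed the 2048-word BIP39 list, and shows that for any fixed first 11 words only 128 of the 2048 candidate last words carry a valid checksum, which is the 2^132 / 2^4 = 2^128 count.

```python
import hashlib
import os

WORD_BITS = 11                    # every BIP39 word encodes 11 bits
WORDLIST_SIZE = 1 << WORD_BITS    # 2048 words in the list


def checksum_bits(entropy: bytes) -> int:
    """BIP39 checksum: the first len(entropy)*8/32 bits of SHA-256(entropy)."""
    n_cs = len(entropy) * 8 // 32                  # 4 bits for 16 bytes, 8 bits for 32 bytes
    digest = hashlib.sha256(entropy).digest()
    return int.from_bytes(digest, "big") >> (256 - n_cs)


def entropy_to_indices(entropy: bytes) -> list[int]:
    """Append the checksum to the entropy and cut the bit string into 11-bit word indices."""
    n_cs = len(entropy) * 8 // 32
    bits = (int.from_bytes(entropy, "big") << n_cs) | checksum_bits(entropy)
    n_words = (len(entropy) * 8 + n_cs) // WORD_BITS  # 132 // 11 = 12, 264 // 11 = 24
    return [(bits >> (WORD_BITS * (n_words - 1 - i))) & (WORDLIST_SIZE - 1)
            for i in range(n_words)]


def indices_valid(indices: list[int]) -> bool:
    """Recompute the checksum from the entropy part and compare it with the trailing bits."""
    n_words = len(indices)
    n_cs = n_words // 3                            # 12 words -> 4 bits, 24 words -> 8 bits
    total_bits = n_words * WORD_BITS
    bits = 0
    for idx in indices:
        bits = (bits << WORD_BITS) | idx
    entropy = (bits >> n_cs).to_bytes((total_bits - n_cs) // 8, "big")
    return checksum_bits(entropy) == (bits & ((1 << n_cs) - 1))


def valid_last_words(first_words: list[int]) -> list[int]:
    """All last-word indices that make the phrase checksum-valid, given every other word."""
    return [w for w in range(WORDLIST_SIZE) if indices_valid(first_words + [w])]


if __name__ == "__main__":
    # Index 0 repeated 11 times stands in for "over over ... over": any fixed first 11
    # words leave exactly 128 of 2048 last words valid (7 entropy bits + 4 checksum bits).
    print(len(valid_last_words([0] * 11)))        # 128
    print(indices_valid(entropy_to_indices(os.urandom(16))))   # True for a fresh 12-word phrase
```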


Title: Re: Brute Force And Seed Phrase Security Questions
Post by: avadhuta on March 15, 2021, 03:35:11 PM

Now the electrum seed is 12 words.  The nano ledger is 24 words.  I know other wallets have 12 as well and others have 24 in general

In my wallet (https://bitcointalk.org/index.php?topic=5320048.0) I use a dictionary of 466550 words (https://github.com/dwyl/english-words); 12 of them give 10^56 combinations, this is an unthinkable amount.


Title: Re: Brute Force And Seed Phrase Security Questions
Post by: Dabs on March 16, 2021, 04:16:02 PM
There is this "other" method of brute force, and it's commonly known as the $5 wrench attack. It does not matter how many words you use if you will give it up to save your life or someone else's.

Aside from technical computer security and taking all proper precautions as well as OPSEC (don't go telling the world you have bitcoins or else someone will hunt you), do you also have physical security? Do you lock your doors at night and with what? Can someone kick the front door in? (use 3 inch or longer screws on your door hinges for example.)

If you have 12 or 24 words, don't worry about that part, worry about if someone can break a window and rob you or something.


Title: Re: Brute Force And Seed Phrase Security Questions
Post by: HCP on March 18, 2021, 10:15:04 PM
There is this "other" method of brute force, and it's commonly known as the $5 wrench attack. It does not matter how many words you use if you will give it up to save your life or someone else's.

Aside from technical computer security and taking all proper precautions as well as OPSEC (don't go telling the world you have bitcoins or else someone will hunt you), do you also have physical security? Do you lock your doors at night and with what? Can someone kick the front door in? (use 3 inch or longer screws on your door hinges for example.)

If you have 12 or 24 words, don't worry about that part, worry about if someone can break a window and rob you or something.
Please don't go down this rabbit hole... we'll be back to ridiculous scenarios about co-ordinated attacks on bank vaults and safety deposit boxes and whether we should split our seed across 5 bank vaults or 6... and what happens if a concrete truck drives into one bank and destroys one part of the seed while there is simultaneously a fire at 2 of the others and a flood at the 4th... ::) ::)



Title: Re: Brute Force And Seed Phrase Security Questions
Post by: Dabs on March 19, 2021, 02:39:59 PM
Your own personal security is real and very possible. People have been robbed, kidnapped or tortured for bitcoins. Your scenario about 5 or 6 banks exploding is unlikely.

Banks are known to close down and sometimes they drill out and empty all their safety deposit boxes, so you should keep an eye on them at least once a year or every 6 months. Talk to the bank often.