Bitcoin Forum

I have an electrum wallet that has both a seed phrase and a passphrase, now I mistakenly exposed my seed phrase to someone but I still have my passphrase safe. My question is this, with only the seedphrase compromised, can someone send my bitcoins out of my electrum wallet?

Anyone has the seed phrase needs the passphrase too.
Without the passphrase, your seed phrase will generate completely different addresses.

Although it's not possible to access your fund without the passphrase, I recommend you to create a new wallet and move all your fund to it as soon as possible.
I don't know how complicated your passphrase is. But there's a probability that it can be brute-forced.  

Edit:
As mentioned by jackg in the below post, if by passphrase you mean the password used for encrypting your wallet file or the password asked when sending bitcoin, then the seed phrase is enough for spending your fund.
What I said above is true only if by passphrase you mean the custom words or characters you add to extend your seed phrase.

Tldr just move the funds to a new wallet as soon as possible and you feel up for it - not too tired to make a bad mistake.

Is the passphrase on the wallet or is it actually on the seed mnemonic.

If it's the mnemonic then it should be temporarily fine until you move the funds to a new wallet. If its the passphrase it asks you for before sending funds that you haven't released then the other person might have access to your funds if they have a way to access the seed - if they just saw it then it's unlikely they memorised it.

For the new wallet, would it be wise to add 2fa to the new electrum wallet?

To know more about 2fa enabled on Electrum, read this: TrustedCoin (https://api.trustedcoin.com/#/faq)

There are fee charges while making transactions which you can see in the link above, if you are okay with it, 2fa is another layer of protection which is 2-of-3 multisig. Make sure you backup your 2fa, I will recommend open source ones like Agies and andOTP. Backup your seed phrase, know that your seed phrase is not stored on your Electrum wallet if it is 2fa wallet.

It will be better to use Segwit addresses for low fee, latest version 4.1.4 is Segwit by default.

I do not get this clear, the passphrase I know are just two:

1. The BIP38 passphrase needed to encrypt paper wallet
2. The mnenomic passphrase which is also regarded as extended word.

What do you want to achieve?

If you create a 2FA wallet, you will be asked to enter the 2FA code whenever spending bitcoin.
This will make your fund secure in the case your device is stolen or someone manage to access your wallet file.

Note that even if your wallet is 2FA, your seed phrase is enough for spending your bitcoin. If your seed phrase is compromised, your fund will be stolen.

Also note that, as stated by Charles-Tim, you will have to pay an additional fee to trustedCoin (Electrum 2FA wallet provider).

---

jackg meant the password you use for encrypting the wallet file.
Since OP doesn't seem to have much information about electrum, seed phrase, passphrase, etc, there's a probability that he is confusing password with passphrase .  

Yes I want to secure it with the Google 2FA so that before sending btc I would enter both the passphrase and the 2fa btc my fear now is this, if I lose the 2fa then what? is there a way to recover the 2fa in my electrum account?

In my opinion, I do not think jackg is right, or may I am the person that is wrong. Like I commented also above, the passphrase that I know are:

• The BIP38 passphrase needed to encrypt paper wallet
• The mnenomic passphrase which is also regarded as extended word

I remembered when I was using Coinomi (close source not recommended), I set a password which is always require before broadcasting a transaction, but, this is not called passphrase but password. I have been using Electrum quite awhile now, I make transactions without this type of password needed while electrum also do not support BIP38 passphrase which can be enabled using paper wallet to encrypt the private key. So, it is clear enough that the OP is asking about mnemonic which you perfect answered.

You only needs the 2fa OTP code to make transaction, passphrase is not needed. You passphrase is mnemonic passphrase and only needed along with seed phrase during wallet recovery.

If you lose your seed phrase (and passphrase if included) and 2fa backup, you may lose your funds. Backup your seed phrase (and passphrase if included) which is most important because you can still be able to bypass the 2fa during wallet restoration.

So, by passphrase you meant the password you need when spending the fund. If that's the case, seems that your seed phrase hasn't been extended by any passphrase.
The person who has access to your seed phrase is now able to spend the fund.

Now, let's go back to your question about 2FA.
If you lose 2FA, you can recover your wallet with your seed phrase.

---

You are 100% right.
The problem is that a newbie may confuse password with passphrase.
Just read the last post of OP. He is saying that he enters the passphrase when he wants to send bitcoin.

OP hasn't used any passphrase when creating the wallet.
He has only encrypted the wallet file with a password. Now he is calling that password a passphrase.

@Charles-Tim @hosseinimr93 Ok, so luckily, I was able to transfer my bitcoins to a new electrum wallet that I created with a password and an extended mnemonic seedphrase. My question is this safe enough or would I have to create a new wallet with a password, extended mnemonic seedphrase AND also add 2FA?

@hosseinimr93 As for the passphrase that you mentioned, what do you mean exactly? is this different from the seed phrase and the password?

As long as no one has access to your seed phrase (a series of 12 words) and your passphrase (the words or characters you entered to extend your seed phrase), your fund is secure.


The 12 words electrum gave you is called seed phrase.
The words or characters you added to your seed phrase when creating the wallet is called passphrase.
What you need to enter when opening the wallet or sending bitcoin is called password.

If you don't use any passphrase, the seed phrase is enough for recovering the wallet.
If you use a passphrase, for recovering the wallet, you need both seed phrase and passphrase.

Note that your password is stored locally and is used only for encrypting the wallet file.
Anyone has access to the seed phrase (+passphrase if there's any) doesn't need the password.

What if my system gets compromised and someone has access to the 12 word seed phrase BUT not the pass phrase (extension words), is it still safe? As for 2FA, I feel like I should add that for extra security, is it necessary? My concern for 2FA is if it goes missing, then what?

If your seed phrase has been extended by passphrase, both seed phrase and passphrase will be needed.
Note that if the passphrase is simple, there's a probability that it can be brute-forced.  


Even if your wallet is 2FA, anyone who has access to your seed phrase (+passphrase, if there's any) can steal the fund without any need to 2FA code.


You can disable 2FA using your seed phrase (+ passphrase, if there's any)
You can also keep the secret key in a safe place and recover the 2FA in future.

Both the seed and seed extension (passphrase) are stored in the wallet file so if someone compromises your system and gets past your wallet password they will have everything they need to steal from you. They can get the wallet password by installing a key logger on your system so that when you enter the password it gets recorded and they can use it to decrypt the wallet file.

if your worried about a system compromise then create a 2fa wallet or a multisig wallet. this way if one device is compromised the attacker can't steal from you. they have to compromise multiple devices.

you will have to create a new wallet with a fresh electrum generated seed if you want to use 2fa or multisig. Note that 2fa wallets can be recovered using the seed phrase so that's how you get access to your coins in the event you lose your phone. In the case of 2fa wallets the seed is only displayed during the wallet creation process and is not stored in the wallet file. During normal use you need the services of trusted coin to cosign your 2fa wallet transactions which they will do when you enter the correct OTP code from google authenticator.

You can simplify it down to this... To be able to send bitcoins from, or recover, a "standard" wallet... a person would need:

- A copy of the wallet file + the wallet password, if any.
or
- 12 word seed phrase + the "seed extension words" (aka "passphrase"), if any.


To be able to send bitcoins from, or recover, a "2fa" wallet... a person would need:

- The wallet file + the wallet password, if any + Google Authenticator 2FA code
or
- 12 word seed phrase + the "seed extension words" (aka "passphrase"), if any.


Note that in both instances, as long as someone has the 12 word seed phrase + the "seed extension words"/passphrase (if used), then the wallet can be fully recovered and coins accessed... regardless of any wallet encryption passwords or 2fa.

So, if no seed extension/passphrase is used, then the 12 word seed phrase is all that is required for recovery and full access.


In the case of 2fa wallets, if you lose the 2fa device for whatever reason (ie. phone is wiped/broken/lost etc)... then if you don't have a backup of the 2fa "secret key", then the only guaranteed way to recover is using the 12 word seed (+ seed extension words). Note that while some users have had success in the past contacting TrustedCoin from the email address they originally used to sign up for the 2fa wallet and were able to get their 2fa key reset, this should NOT be counted on as a recovery method, as there is no guarantee that TrustedCoin will do so again in the future.

In any scenario that your system is compromised and the attacker gains access to your 12 word seed phrase, it is safe to assume they can also gain access to your extension words, because you had a serious security flaw in your setup.
2FA in this case may not help you either since the same security flaws may be exploited to gain access to your 2FA also or your seed backup.

But in case that only your seed phrase is compromised and not the extension words, the attacker has to brute force those words and it could be possible depending on the entropy those extra words provided. For example simple known words (like password123) will not provide any security but a random and long passphrase could (like J7}mn3V-xy1x)

My vote on this is that you avoid 2FA requiring third party assistance to move coins.  Not knowing what the future holds I believe its better to maintain 100% self custody of your coins.  Electrum using two computers, with one being cold/air gap is quite secure.  By far the easiest for new users is to simply buy a hardware wallet.  A Trezor one is about 50 dollars and will keep your SEED from ever being discovered by malware of any kind.  Very easy!  Connect the dots simplicity with either Electrum or the Trezor-Suite.  Regardless of which way you choose to go, make sure to employ a "passphrase" of complex length.  By passphrase I mean extended words (they don't have to be words at all just digits, characters, etc....).  Mine are 20+ digits ---- > do it regardless of which hardware wallet you buy.  Don't believe the hype that "our chip" cannot be hacked to get to the SEED.  If you use a STRONG passphrase you could hand them your SEED and still sleep well at night (of course you wouldn't).

I get the sense that the OP has confused his "password" with "passphrase," and I'm not sure that that jackg's warning was understood.  Needless to say the funds need to be moved regardless of whether they're hidden behind a passphrase or not.  The sooner the funds get moved the better.

As for the 2FA, I recommend you avoid it.  The fee they charge (which allow you 20 transaction per fee paid) are more than the cost of quality hardware wallet.

While I'm here I figure I'll take a stab at explaining the difference between "password" and "passphrase" as far as Electrum wallets are conserned:

On the screen shot below is how you create a password to encrypt the wallet file.  The password will be needed to open the file, and send bitcoin.  This is not to be confused with a "passphrase."  The password will NOT protect your funds if the seed phrase has been compromised.
https://i.ibb.co/5Gdx4W3/04.png

To create a bip39 "passphrase," or as it's referred to by Electrum, a "seed extension" you have to create (or enter) it by selecting the "options" button on the seed entry dialogue box:
https://i.ibb.co/TYVNc8P/01.png

https://i.ibb.co/8sF0BSH/02.png

The seed extension, or "passphrase" can be one or more words, a strong random password with letters, numbers, and symbols, or a combination.  This will change the HD wallet's addresses from those that are generated by the seed phrase alone.  If you have set a passphrase and your seed phrase is compromised your funds will be safe, although I wouldn't consider them safe for long.  Consider it as an additional safety measure to help buy you some time in case your seed does get compromised.
https://i.ibb.co/rdq8fr2/03.png

---

ETA:  Remember that the passphrase is as important to secure as the seed phrase.  If a passphrase is set, it will be required to restore the wallet in the future.  Just like the seed phrase, if the passphrase is lost, so are the funds.

But now somebody can brute-force the extended words of the seed phrase. True, the existing bitcoin wallet crackers such as hashcat and btcrecover, do not support this kind of recovery with seed phrase input at this time, but a) the seed phrase can always be sold on the darknet, and b) it could end up with someone who has a custom tool for solving this kind of stuff.

The last thing you want to happen to you is having your seed phrase end up on Google Search. It is NOT safe to continue using it, not even with additional password or 2FA. I recommend moving all your funds out immediately before they get stolen.

Not a big fan of TrustedCoin but that isn't true. You're still maintaining 100% custody of your coins with 2FA since it is a 2-of-3 multisig and you hold 2 of the keys while they hold a single key. They cannot do anything without your approval but you can spend the coins as and when you wish, provided that you have access to your seeds. I'd argue that 2FA provides a marginal increase in security and I agree that an airgap setup would be vastly more secure than 2FA.
Your seed is designed to allow the user to access the coins with the seed only in the case of 2FA.

It depends on the passphrase. If your passphrase is long and random enough, there is very little chance someone would ever be able to be able to bruteforce it. I don't think Electrum limits the length of the passphrase. If it is long enough, then it would be equivalent to be bruteforcing without any prior information.

btcrecover does support brute forcing passphrases if you have the valid seed phrase, for both BIP39 and Electrum wallets. You can also do it with an address database looking for any used addresses if you don't know the master public key or any of the receiving addresses within the passphrased wallet. There are some basic instructions here: https://btcrecover.readthedocs.io/en/latest/TUTORIAL/#bip-39-passphrases-electrum-extra-words. There are also some example commands available here: https://btcrecover.readthedocs.io/en/latest/Usage_Examples/basic_password_recoveries/#bip39-passphrase-protected-wallets-electrum-extra-words

That is correct. Hardware wallets such as Trezor and Ledger both have a character limit on passphrases (50 and 100 characters respectively last I checked), but Electrum sets no limit, so the only limit would be the input limit for HMAC-SHA512 (or, in reality, how long a passphrase your computer can handle before it freezes).

Realistically there is no difference between 50 characters and unlimited in the real world.  If you saw the 40 digit passphrases I use with my Trezors you would have to acknowledge there is no way in hell to brute force them even with the imaginary Quantum machine of tomorrow.

With a 40 character passphrase and Segwit (bc1) mathematics it takes a pretty hefty computer about 30 seconds to generate a new wallet.

Length alone is not the reason why it can not be realistically brute forced. The reason is the entropy that passphrase provides. For example if you use a known or popular phrase such as from a popular poem then you may not actually having any extra security.

For example "the quick brown fox jumps over the lazy dog (https://en.wikipedia.org/wiki/The_quick_brown_fox_jumps_over_the_lazy_dog)" is 43 characters yet it would take a second to brute force this.

There must be something wrong with your computer or the code you used to test this because the length of the passphrase is not going to add any extra time.
The passphrase (used as PBKDF2 salt) is only affecting the first HMACSHA512 and with 52 byte length the HMACSHA512 under the hood performs the same exact operations as for a 12 byte salt length (no passphrase) simply because it is smaller than SHA512 block size which is 128 byte. (Salt is "mnemonic" + passphrase + 4 byte block number).

Yeah, if your seed ends up in google search results, 2FA will do nothing to protect your funds.  A passphrase can be set up with along with a 2FA wallet, and just like above, that would help somewhat.


I don't think Electrum has a limit to the length of an extension, but some hardware wallets do.  Trezor has a limit of about 50 characters, so if you want to add an extension to a Bip39 seed phrase and want it compatible with hardware wallets, that'll be a limiting factor.

You should never use a seed generated through anything other than the HW wallet itself if you're primarily using it on a hardware wallet. That is a non-issue as you probably wouldn't want to expose your seed (and passphrase) to an Electrum instance while using Trezor.

If you are drawing from the full set of 95 ASCII characters, and your password is truly random, then you only need 21 characters to have more entropy than both a BIP39 or Electrum 12 word seed phrase, and 39 characters to have more entropy than a BIP39 24 word seed phrase. The problem is that the majority of people (unlike you, by the sounds of things) don't do this, will limit themselves to letters, maybe numbers, maybe a few symbols, and most passphrases are based around words or phrases, and so the entropy of them are greatly reduced.

Correct me if I'm wrong, please. Perhaps, I am missing something here.

A 12-word seed phrase can produce 2¹²⁸ = 3.40 *10³⁸ bits of entropy.
For producing more entropy using ASCII characters, we need 20 characters, not 21.

20 ASCII characters can produce 95²⁰ = 3.58 * 10³⁹ bits of entropy.

Electrum 12 word seed phrases have 132 bits of entropy, not 128 bits like BIP39 seed phrases. I was using 21 characters as a "catch-all" for both Electrum and BIP39 seed phrases, since we are on the Electrum sub-board. You are also correct, however, and if considering only BIP39 12 word seed phrases, then 20 characters are sufficient.

Thanks for the information. I didn't know this.
But, why 132 bits of entropy? Don't we have any checksum?

Each word generates 11 bits of entropy. Since we have 12 words, we have 11*12=132 bits of entropy. Am I Right?
If there are 132 bits of entropy, any series of 12 words should be a valid seed phrase.

Why isn't the seed phrase shown in the following image valid?

https://i.imgur.com/d4KG3QR.jpg

Electrum seed phrases do not include a checksum in the same way as BIP39 seed phrases. Rather, Electrum generates a 12 word seed phrase, hashes it, and checks if the first 8-12 bits of the hash match the correct version number (01 for legacy, 100 for segwit, 101 for 2FA). If the version number is correct, then the seed phrase is displayed to the user. If the version number is incorrect, then the entropy is increased by 1 and the new seed phrase is hashed and checked as above, until a seed phrase with the correct version number is found.

For this reason, there is no checksum encoded in the words themselves, and so the phrase has 12*11 = 132 bits of entropy, but at the same time, since the hash of the phrase has to meet certain criteria, then not every seed phrase is valid. This is also how Electrum will automatically identify whether one of its own seed phrases is legacy, segwit, or 2FA, and not ask for any derivation paths like it would when restoring BIP39 seed phrases, since each seed phrase already encodes the type of wallet it is used to generate.

You can read more about the process here: https://electrum.readthedocs.io/en/latest/seedphrase.html

That wasn't a recommendation, merely an observation.  Generally I agree with you, however there are ways to safely and securely create a Bip39 seed phrase on an offline machine that can be used with Electrum or a hardware wallet.  Many here have warned about using Ian Coleman's Bip39 tool, siting the concern that a browser doesn't provide enough entropy.  However, the Bip39 tool does provide the option of entering your own entropy, and /dev/urandom can be used create a HEX string with the desired entropy.

Please correct me if I'm wrong, but I don't see that as any less secure than allowing a hardware wallet to generate a seed.

I never really recommend people to generate seeds outside of their hardware wallets. If you're using a hardware wallet, the seeds should be generated within the hardware wallet which is a completely isolated environment with little risks of it getting compromised. Most people are often unable to properly create a truly isolated and sanitized environment and that makes this a pretty bad idea.

If you are thinking of creating your own seed outside of your hardware wallet, then you might be better off not spending a hundred bucks on a hardware wallet and instead just use an air-gapped wallet. Having a seed generated on an offline computer pretty much guarantees that the seed is only as secure as how you've generated the seed in the first place.

I agree with ranochigo. If done perfectly, then yes, a seed generated using /dev/urandom or fair and random coin flips on a clean airgapped and encrypted device is going to be just as secure as a seed phrase generated on a hardware wallet (perhaps even more so if your hardware wallet is not fully open source). The issue is the level of complexity in doing that. Almost everyone can plug in a hardware wallet, follow the easily laid out instructions, and generate a seed phrase securely, whereas even fairly tech savvy people can mess up when trying to create an airgapped device and generate a seed phrase themselves. If you don't trust the seed phrase that the hardware wallet has generated for you, then why are you trusting the hardware wallet at all? If you want to generate your own seed phrase, then you might as well just set up an Electrum cold wallet or similar.

I use both hardware wallets and airgapped and paper wallets with seed phrases I have generated myself, but I spent a long time testing my set up to be sure I was happy with the security of the seed phrases I was generating.