Bitcoin Forum

This is because, if electrum software was hacked or if people somehow figure out how electrum was randomizing its seeds, you would maybe be safer if you had some extra custom words.


If you agree, how many extra custom words should you add to your seed?

Yes, the extra word will change the seed produced from your seed phrase.

For the number of words... I think something considered as a "strong password" is the best option.
You don't necessarily have to use actual words since it's not actually extra words but a "passphrase" (not your wallet's password),
so a single 13th 'word' like Au%73t61BH!w6g4d82Edqwdqj#jhd633t is good enough.

You don't need to figure out anything, Electrum is 100% open source. All it takes is to look at the code to see what RNG it is using and how.

The bigger concern is keeping a backup of that extra word(s). The more random and long they are the more you increase the chance of mistake. But considering that brute forcing the extra word is rather expensive it doesn't need to be too long. Not to mention that the actual security is provide by the entropy used in the seed phrase not the extra word.

No electrum would still have access to your private keys so you would not be safe just because you extended the seed.

If the Electrum dev team decided to implant a malicious code into their wallet, I doubt that the Bip39 passphrase would secure your funds.  The most practical way to scam people would be to extract their master private key, not the seed phrase, or simply implant a script that sends all the funds in the wallet to the scammer's address.

The Bip39 passphrase is not completely without a use-case for desktop wallets; i.e. it can be used to create a new wallet without creating a completely new seed phrase.

I wouldn't use any custom words to replace standard electrum words.
There is a good reason why someone made system like this, as a balance of security and usability, so making more complications and inventing wheel again is not needed and can result is losing of funds.
However, it's not a bad idea to use one more passphrases, for example that would be a good idea if you have two kids and you want them to have your Bitcoin inheritance.
Give them each same seed words, and each of them should have a different passphrase, so they can split inheritance.

You are correct, replacing words in the seed phrase is not recommended.  In fact, it's very likely that would break the checksum of the seed phrase (whether electrum or bip39.)  But, I think the OP is referring to the seed extension (Bip39 passphrase,) not the seed itself.

We got contradicting replies in this thread probably because of OP's obscure use of the word "hack".

But I think the first part "if electrum software was hacked" should be based from the other concern,
which is the seed phrase-generation being compromised (e.g. reproducible or made from weak entropy) which will made it possible to reproduce Electrum seed phrases.

I though so because OP's earlier topic is about Electrum cold storage setup (link (https://bitcointalk.org/index.php?topic=5413199.0)) and as we know it, his seed phrase and wallet are created/stored air-gap.
That should made "his Electrum wallet being hacked" the least of his concern, but "the software being hacked" with compromised entropy/seed phrase generation.

Technically you would change the word-list first and then create your seed phrase not after it. Electrum works with different word-lists with custom number of words instead of the fixed 2048 ones. That means as long as you also keep the word-list you can recreate your wallet (and its checksum will be correct).

P.S. as you pointed out, I also don't think this is what OP had in mind though.

custom word list isn't required to restore the wallet from seed. you only need it to create the seed.

for example you can restore from the seed below that is created using this wordlist (https://bitcoinelectrum.com/english-alpha-numeric.txt):

If Electrum was hacked, whether through phishing or through a random number generator flaw, then extra words will not save your bacon, since they will also be keylogged and phoned home.

How can this be possible? Please correct me if am wrong but if the random number generator is flawed isn't all the attacker can do is to regenerate the twelve words of the seed? How can he know the passphrase you set manually (not generated by the flawed rng)?
Actually, this particular case shows how important the custom word is to secure your coins.
If the wallet is fake or have some malicious code (ie. keylogged) then that's a different matter.

No, you are right. If the attack which is happening is limited to only a malicious RNG spitting out predetermined entropy and therefore a predetermined seed phrase, but you use a long, complex, and random passphrase, then your coins will still be safe.

However, this depends on the wallet file actually using the long, complex, and random passphrase that you enter properly. If someone has released malicious software which is generating predetermined seed phrases, then chances are they have also taken steps to mean that if you do use a passphrase they can still steal your coins. This might mean that any passphrase you enter is simply ignored, or maybe that the wallet only uses the very first character of any passphrase you enter, so it still generates a fresh wallet but one that is trivially easy to brute force.

Andreas Antonopoulos talked about a passphrase of 6-8 random English words as a secure way of extending the seed in one of his videos. So even with standard dictionary words, it's strong enough if there are plenty of words.