Bitcoin Forum

There are a few numbers of crypto wallets today, from Trust wallet to Math wallet and atomic but I want to ask why some wallets have 12 words recovery seed and some have 14 and more?


Also is higher the number the better with security? I read somewhere that if you can get 6 out of 12 recovery seed you may be able to get the rest, is this true? I just want to know how far wallet security can go.

Seed phrase can be 12, 15, 18, 21 or 24 words (less than 12 words is not secure). 12 and 24 words seed phrases are mostly generated on wallet. 12 word seed phrase has 128 bits of entropy which is secure enough just like bitcoin private key. 24 words seed phrases have 256 bits of entropy, but yet having 128 bit of security.

A seed phrase including 14 words isn't standard.

The more words the seed phrase includes, the more difficult it's to brute-force the seed phrase.
But you don't really increase your security if you increase the number of the words from 12. A seed phrase including 12 words provides the same amount of entropy as a private key and that's enough.

Adding to what Charles-Tim said,
   if the phrase contained 12 random words, the phrase would have 132 bits of security, so the actual security of a 12-word BIP39 mnemonic phrase is 128 bits as regards a Bitcoin private key security too. That's why some experts consider using only 12 words.

A bitcoin private key is 256 bits, to make up that bit you would need about 24 words to equal that and that's why some experts also consider to use 24.

So either 12 or 24, they all same bit of security as Bitcoin private key which is 128.




If you read this thread https://bitcointalk.org/index.php?topic=5205380.0, you will get some answers about 12/24 seed phrase security. Even if someone knows the 6 words of your phrase they will only end up importing a different wallet unless they have full access of your whole phrase.

So as you have been already told that the standard practice for wallet using the BIP-39 standard the seed phrases are 12 words or 24 mnemonic entropy and it's secure.The word list contains total 2048 words from which they are derived by the wallets but if you say about extra security then you can use passphrase along with your 12 or 24 word seed phrase but remember to safely store both of them on offline storage as without it you cannot access your funds.

Now if you say that you know only 6 words out of 12 then I would say it's near to impossible brute force and crack the rest of words because there are lot of possible combinations as you are missing 6 words out of it.See this  answer  (https://bitcoin.stackexchange.com/questions/42559/recovering-a-hd-wallet-from-a-partial-seed-phrase) where only one word is missing and we have so many possibilities so you are wrong on this part I would say.

This is why the standard practice is 12 words long with full security and really hard to brute force that will take some years to crack it and the small word can easily be brute forced out of the list of 2048 but still there are lot of combinations to them.

There are many posts on the forum that explain how demanding (or rather expensive and time-consuming) everything that exceeds 4 words is - because @o_e_l_e_o explained it in one of his posts on the example of seed where someone needed about 30 hours for 4 words with note that he did not do it with his computer. Only 5 words would extend that same procedure to even 7 years.


Also from the same thread, one interesting fact when it comes to 12 word seeds.

There are not many possibilities if there's only 1 word missing. Considering the checksum, with only one word missing, there are 128 possibilities on average.
Even if we don't consider the checksum, there are only 2048 possibilities and the seed phrase would be brute-forced in a very very short time.  

There should be an equilibrium between security and ease of use (convenience) so that users feel comfortable playing around with the system. When you add more security to your system, it makes it too heavy and complex, which in itself may lead to unexpected errors and hard-to-find vulnerabilities. In other words, complex systems are not only inconvenient but also very hard to maintain. Twenty-four-word seeds are undoubtedly more resistant to random attempts of brute forcing, but at the same time, it is sometimes a tough task to back them up properly. Moreover, the private keys produced from such lengthy seed phrases can't provide more than 128 bits of security, which makes the whole idea of using very long keys less attractive. Twelve-word seeds are shorter, easier to back up, or even memorize (I don't say you should try to memorize them, but it is good to have such an option). In other words, while short seed phrases are more vulnerable to brute force, they generate private keys of the same length and, at the same time, are more convenient when compared to heavy seeds.

They are just words, I do not think 24 words should be difficult to backup. But in case you have the backups already in different locations, and you want to memorize it, 12 words would easily be memorized than 24 words. But it not a good option to memorize seed phrase, but I understood your point, if provided, it should just be the 4th backup, but not depending on it.

That is true.

About brute force. 12 word seed phrase is secure enough, that is what we should just point to.

Also in a 12 or 24 word seed phrase, if only one word is missing, it would take the same time to brute force it. It would take the same time to brute force the same number of missing words while having more missing words, it become more impossible for brute force.

So if anyone thinks he has 24 word seed phrase and attacker got hold of 22 words from it, the time required to brute force the two missing words would be the same time for 2 missing words in a 12 word seed phrase.

As 12 word seed phrase is secure enough just as we see it from Lucius post, the point of going for 24 word seed phrase that has just 128 bits of security is not necessary. 24 word seed phrase makes brute force more impossible, but no significance in reality if compared with 12 word seed phrases.

If you miss 1 word in a 24 word seed phrase, there would be 8 possibilities for the missing word on average.
If you miss 1 word in a 12 word seed phrase, there would be 128 possibilities for the missing word on average.  
So, finding the missing word in the 12 word seed phrase takes a longer time.

To expand on hosseinimr93's answer above:

The computational expensive part of brute forcing a seed phrase is turning that seed phrase in to the first address in the first account to check if it matches a known address or to check for history. This involves 2048 rounds of HMAC-SHA512 to produce the root seed, followed by another round to produce the master keys and chain code, followed by several more rounds to work down the derivation path m/84'/0'/0'/0/0 or similar, followed then by elliptic curve multiplication to produce a public key, then three SHA256s and one RIPEMD160s and a conversion to Base58 to produce an address, and potentially then looking that address up to check for history.

Conversely, rejecting a seed phrase with an invalid checksum is as simple as performing a single SHA256.

With a 24 word seed phrase with one missing word, on average I can reject 2,040 possibilities with a single SHA256, meaning I have to perform the additional steps outlined above 8 times.
With a 12 word seed phrase with one missing word, on average I can reject 1,920 possibilities with a single SHA256, meaning I have to perform the additional steps outlined above 128 times.

That's just a random suggestion,
For someone to successfully hack or guess it, they would need to not only guess all the words but in the right order. “A 12-word seed phrase has a possible combination of
while a 24-word version has even more combinations,” says TrustWallet, an Ethereum and crypto wallet provider.
So its nearly impossible to guess a word combination which is more than 3, even if the guess words are correct, the chances of arranging them orderly is 0.9%/100. every word you miss takes you to a different new created wallet entirely

It's because most wallet use 12 words seed phrase and 24 words. Actually, I have 24 words seed phrase and it is much harder to know the exact words before your wallet will be compromised because as you can see in the previous post that a 12 word seed phrase have a lot of combination and a wallet seed phrase must be in order to be able to access the wallet. If you are not sure then try something else like creating a dummy wallet then try different words for the last word and see if it can access different wallet so yeah if you don't have all 12 words then you won't be able to access the exact wallet you wanted to access .

Maybe I've misunderstood, but it reads to me like you're saying that a 12-word seed offers equivalent security (~128 bits) to that of the individual addresses generated from it, and that therefore, longer seeds are overkill.

Isn't that reasoning a little shaky? I mean, the seed is used to generate a unique sequence of addresses [1], no? Putting aside the increased hassle of longer seeds, isn't it desirable for it to be harder to recover the sequence than it is to brute-force a single address?

[1] Technically, it's more like a tree than a sequence, but that's not germane.

In Elliptic Curves the key's security is half the key size and since bitcoin key sizes are 256 bit that makes the security 128 bits.
The security of an entropy is equal its length, which means a 128-bit entropy is providing 128 bit of security.

No because security is defined by the weakest link not the strongest. Meaning if the key itself has 128-bit security, it won't matter if it were created randomly or deterministically using a much bigger entropy. The key still provides the same security level.

It is very easy to descramble a 12 word seed phrase in which all the words are known, and this can be done in under an hour on even a modest home computer. A 24 word scrambled seed phrase, however, will be impossible to unscramble.

If an attacker was going to try to brute force your seed phrase, then sure, a longer seed phrase makes it more difficult for them. But as pooya says, the individual keys will always have 128 bits of security, so an attacker whose best attack is simple brute forcing will obviously choose to target this instead.

In the beginners section it's better to explain when you're correcting someone, otherwise it's useless for the main users of the section.
So CMIIW but as far as I understand, it's because we will get 8 bits of checksum for a 24 words mnemonic seed, instead of 4 bits for a 12 words seed, since we need to divide the entropy of the seed (256 bits for a 24 words seed, 128 bits for a 12 words one) by 32 according to BIP39 (https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki)
2^8 = 256
It means only 2048 / 256 = 8 words among the 2048 possible are valid for a 24 words mnemonic seed instead of 2048 / 2^4 = 128 for a 12 words one.

I don't know the statistics but a non-empty address hardly contains more than 5% of total wallet funds on average IMO.

Correct. Although perhaps an easier way of thinking about it is that given there is only ever one checksum which will fit the given entropy, and for a 24 word seed the last word contains 3 bits of entropy (11 bits of data minus 8 bits of checksum), then since 2³ = 8, there are 8 possible words. For a 12 word seed the last word contains 7 bits of entropy (11 bits of data minus 4 bits of checksum), and 2⁷ = 128 possible words.

But now you are assuming additional knowledge, such as that an attacker knows which addresses are derived from the same seed phrase, that there is no passphrase in use, and what the derivation path being used is. Don't forget as well that as I said above (https://bitcointalk.org/index.php?topic=5415329.msg61041261#msg61041261), turning a valid seed phrase in to an address to check for funds is computationally expensive, and so brute forcing x number of seed phrases takes significantly more computing power and time than brute forcing the same number of individual private keys, even more so if for each seed phrase you want to start checking additional derivation paths.

I understand it will cost more ressources and time to attack a seed with the same entropy as a private key, than to attack an address but by doing that the attacker will only get less than 5% of the wallet funds on average at the end. So as long as it costs less than 20x times the cost of an attack on an address, it might be worth it even if the "investment" is higher.

The wallet seed numbers is determine how the wallet been secure from hack, which i have come across in difference wallet with difference phase seed to saved as a back up, if the device used to saved the wallet get corrupt, damage or stolen, it can be able to restore the wallet back to another new device, which was advantage of this seed of a thing, in order words, they are difference numbers of seeds that determine how strong the wallet are, which is 12, 14, 18, 21 or 24 and anything less than 12 words is not secure, which is 12 phase words has 128 bits of entropy, while 24 Phase words has 256 bits of entropy as it already rated in numbers capacity.

A small correction:
Number of words in a seed phrase following BIP39 standards must be divisible by 3.
So, a BIP39 seed phrase can't include 14 words. It must include 3, 6, 9, 12, 15, 18, 21 or 24 words.

Maybe I'm being less clear than I think I am, or the point I'm making is more confusing than I think it is, because I'm not sure why you're explaining that. I mean, my critique of Charles-Tim's quote depends on me already knowing that, doesn't it? My point was that seeds that offer higher security levels than the individual keys they generate are useful because they're protecting multiple keys.

Yep, when you're combining cryptographic primitives, that's exactly right. But, in this case there's a causal relationship that makes things a little more subtle.

If you had, let's say, a 64-bit seed that you deterministically generated 256-bit private keys from, then the security of the latter is confined by the entropy of the former. But that confinement doesn't work the same way in the opposite direction. I'm flipping two things at once here, so keep your wits about you, but in the reverse situation, with a 256-bit seed being used to generate 64-bit private keys (with the top 192 bits set to 0, for example) the smaller 64-bit private keys don't reduce the security of the seed all the way down to their level.

In some sense, the seed "contains" the private keys that it generates, and viewed through that lens, the following example amounts to a very similar thing, even if it looks unrelated at first glance:

Imagine you have a file, listing the locations of secret military bases encoded as 64-bit coordinates (32-bit longitude, 32-bit latitude). Even though this file contains only a sequence of (sensitive) 64-bit values, that shouldn't decide what security level is chosen to protect its contents. It wouldn't make sense to argue that encrypting it with anything more than a 64-bit key is technically unnecessary.

But it doesn't matter how many keys you generate from a seed, they all have the same security. Meaning if you generate 1 key using a 12 word seed it has the same security as the 100th key you generate from the same seed.

The seed will have its 256-bit security (assuming 256 bit were generated and used) but the key will still have only 64 bits of security, not more.

That's a bad example because encryption is different and irrelevant in this context. When encrypting something, the message is not the deciding factor in choosing the algorithm, security level and key size.
But when deriving a key, the key size (or better say security level) itself is a deciding factor in choosing the entropy size.

We're clearly talking past each other. You seem to think that I'm saying that the stronger the seed is, the stronger the generated keys will be. That's obviously wrong and it's not what I'm saying.

What I'm saying is that it doesn't make sense to choose a seed strength based on the security level of private keys. It makes sense to say "128 bits is enough security for my needs, that's why I use 12-word seeds". It doesn't make sense to say "I use 12-word seeds because private keys have 128 bits of security". You see what I'm saying?

The two things have different jobs. The security level of a private key protects a single satoshi balance. The security level of a seed protects every private key in your wallet. The idea that the seed can't make use of more than 128 bits of security is wrong.

No it's not. It's an excellent example that exposes the flawed reasoning I'm talking about perfectly. :P