Bitcoin Forum
July 18, 2024, 06:47:07 AM *
  Show Posts
6341  Bitcoin / Hardware wallets / Re: [LIST] Bitcoin Seed Backup Tools on: September 13, 2021, 08:05:58 PM
The metal I used so far was 1.5mm stainless steel.
That's probably your issue there. If you take a look at a variety of proprietary stainless steel back up products, the good ones are usually much thicker than this.

Coldbit - https://coldbit.com/product/coldbit-steel/ - 4mm
Cryptoetch - https://cryptoetch.com/ - 5mm
Cryptotag - https://cryptotag.io/ - 6mm

But especially for those, it's nice to have a tamper evident seal, be it a steel wallet that offers this feature or just a paper wallet stored in a ShiftCrypto tamper evident seal, for example.
You can always make your own by screwing a second stainless steel plate on to the one which has your words stamped/etched on it, obviously obscuring the words, and then affixing a tamper evident sticker across the two plates, or drilling holes in at least 2 opposite corners and passing through tamper evident wire seals or something similar.
6342  Bitcoin / Bitcoin Discussion / Re: Passphrase wallet on: September 13, 2021, 07:43:34 PM
Is there any safer options than allowing the wallet to generate it?
Depends on what you mean by "safer". If you mean that you don't trust your wallet to generate truly random entropy, then the method I would suggest would be flipping a coin 128 times. However, you still need to calculate the checksum, so will need to input your entropy in to some software since you cannot do that by hand, and you will still need to turn the resulting 132 bit number in to a seed phrase, which is prone to error if you are doing it manually, and you will still need to import that seed phrase in to some wallet software to generate private keys and addresses.

Yes I understand that it is probably the least odds to generate the same word 12 times in a row but it is possible. I do not know the math it prolly is below 0.000001% chance but for the sake of being accused to be wrong I included it is possible but IRL it is not likely.
As I said above, it's 1 in 340,282,366,920,938,463,463,374,607,431,768,211,456.
Time to be completely pedantic, but actually it's around 1 in 2^121, rather than 1 in 2^128.

We know there are 2048 possible 12 word seed phrases which repeat the same word 12 times. Of these, we know that only 128 will have a valid checksum, since the checksum has 2^4 = 16 possibilities. (Note that this is an average. I've not actually tested every seed phrase to see if we end up with exactly 128 valid ones.) So you have 128 (2^7) possible seed phrases out of 2^128. 2^128/2^7 = 2^121.

Not that any of that matters. They are equally impossible.
6343  Economy / Service Announcements / Re: Bitcoin Dust Address Made Simple on: September 13, 2021, 07:27:28 PM
Which makes me wonder is there a private key to those addresses?
Almost certainly.

could someone get lucky and unlock those bitcoins?
Almost certainly not.

If we take the address 1BURNbitcoinBURNbitcoinBURP3vqZJo as an example, working backwards along the process all we can say is that it is generated from a RIPEMD-160 hash output of 01FB0C820F0995E24AAD95DB98BA96BA28F4AD66. To work out the private key we would first have to reverse RIPEMD-160, then reverse SHA-256, then solve the DLP to get the private key. Alternatively, we would just need to brute force trillions upon trillions upon trillions of private keys until we stumbled on to a collision. Both are so incredibly unlikely as to be safely considered impossible.

I wouldn't install software for this, but if it can be integrated as an Electrum Plugin, it could actually work!
Now there's a nice idea, although the usual caveats with Electrum would apply - if you create a single signed transaction spending all your change outputs and send it via your Electrum server to the central server running this service, then which server you are using can link all your change outputs.
6344  Economy / Service Announcements / Re: Bitcoin Dust Address Made Simple on: September 13, 2021, 12:41:38 PM
-snip-
Your suggestion doesn't really solve the problem though. Either I have dust which is too small to send without combining it with another input, in which case I would still have to do that and compromise my privacy to send to this new service, or my dust is large enough to send on its own, in which case I can just do that but send it to a mixer or instant exchanger or something similar. I don't see the use case for a service where I have to send my dust, as I'm either losing my privacy or losing my coins (or both) to use it.

I've spoken before about Peter Todd's Dust B Gone proposal, which would do exactly as you are describing but without the requirement to first compromise your privacy by sending him your dust. Unfortunately, the demand for such a service would be so small that the anonymity set of people using it would also be too small to be useful.
6345  Other / Beginners & Help / Re: My System for Security/Protection of Hardware Wallets and Valuables on: September 13, 2021, 12:19:36 PM
Hardware wallets are not durable and should not be treated as such. They will fail quickly at mildly deranged temperatures, they are susceptible to water or even excess humidity, impact, crush, they will fail over time, or even might just have a faulty component and will fail randomly at any moment. Putting it in a fireproof box is an incomplete solution to only one of these issues.

Hardware wallets are designed for easily and securely interacting with your private keys, not for durability. If you want durable long term storage, then the answer is to inscribe your seed words on some stainless steel or similar. You can also mitigate all these issues by having at least two back ups (even just simple paper back ups) in two separate physical locations.
6346  Bitcoin / Bitcoin Discussion / Re: How to time-lock your coins with the new Schedule an email (gmail) to send later on: September 13, 2021, 12:02:28 PM
I'm not at all surprised that a lot of people trust Google, not only when it comes to their daily activities, but they would also entrust their crypto assets to them for safekeeping.
Even if you naively believe Google are a completely benevolent company and don't exist for the sole purpose of harvesting your data and making profit from selling that data, do you also believe the same about every single one of their employees? What about every employee of every third party that they farm out their services to, or works for them, or provides their services, or hosts their servers, or repairs their hardware, and so on? There is a huge list of unknown people whom you need to trust when you start storing anything with third parties. It's a very risky position to be in.

It is nonsense to say the least, but I would say "your money, your risk", so let everyone decide what they want to do - some keep their crypto backups in Gmail anyway.
Sure, but that risk needs to be informed. Many people incorrectly believe Google is completely safe and impervious to hacks, leaks, bugs, or vulnerabilities, and so may choose to store their seed phrase in their email or something similar because they wrongly think it is safe. If you are aware of how risky it is and choose to do it anyway, well, that's a different story.
6347  Bitcoin / Bitcoin Discussion / Re: Passphrase wallet on: September 13, 2021, 10:18:02 AM
I am using an extreme example of if a seed was 12 of the same words in a row they will be attempted by amateur people trying to get into wallets.
Sure, but any seed phrase with the same word 12 times in a row will not have been generated randomly but rather chosen manually, and any seed phrase chosen manually will be highly insecure.

I have never tried to manually generate a seed can you pick words which are not in the random list that wallets have or do you pick from the words already there?
You should never manually generate a seed phrase. If you want your seed phrase to be BIP39 compatible, then the words must come from the set wordlist of 2048 words.

I think manually choosing a bigger database of words and then randomly selecting them could be safer. If the wallet seed generation has 100 words to pick from but allows custom words you could use 1000 words and then use a script that randomly chooses from that list which would make it more secure than if you used the wallet generation script.
A pointless task. Your seed phrase with more words or a bigger wordlist might be harder for someone to brute force compared to a standard seed phrase, but no one can brute force a standard seed phrase anyway. The resulting wallet and private keys it generates will not be any more secure.
6348  Bitcoin / Bitcoin Discussion / Re: How to time-lock your coins with the new Schedule an email (gmail) to send later on: September 13, 2021, 10:01:55 AM
I just did this with a vanity address I created, I am regifting myself bitcoin on a special date a few years out
Even after everything discussed in this thread, you still decide to go ahead and do it? Well, here's hoping you only committed a small amount of bitcoin, since if anything happens with Google or your receiving email provider, or they discontinue the service, or even just a minor bug, your coins are lost forever.

If you really wanted to irreversibly lock up some coins, then just sign a timelocked transaction to yourself and delete the relevant private key. Still a stupid thing to do, but far far safer than trusting an unknown number of intermediary third parties.
6349  Bitcoin / Bitcoin Discussion / Re: Passphrase wallet on: September 12, 2021, 08:31:34 PM
The only seeds which are guessed would be ones which have repeated words.
Why do you say this? There is nothing inherently wrong with repeated words in seed phrases, and there is absolutely nothing in the code to prevent words being repeated in seed phrases. Assuming your seed phrase is generated truly randomly, then you have around a 1 in 31 chance of a 12 word seed phrase naturally containing the same word twice, and you have around a 1 in 8 chance for a 24 word seed phrase.

Sure, if your seed phrase contains the same word 4+ times, then it is probably because you have manually picked the words, but any seed phrase with manually chosen words will have very poor security.
6350  Bitcoin / Bitcoin Discussion / Re: How to time-lock your coins with the new Schedule an email (gmail) to send later on: September 12, 2021, 08:20:45 PM
I wonder, is it possible to schedule a transaction to be sent at X date? If that were possible one could only just schedule that all his funds will be moved over to X wallet at Y date. If the person is still alive / not incapacitated it was just a matter of time to cancel the transaction and just schedule another one to another point in time. I don't know if it's possible though ...
There is no way to broadcast a transaction today which will be scheduled to be mined at a future date. I suppose you could set up some software to broadcast a transaction for you at a set date, but then you run the risk of the software not working, or the computer dying, or going offline, or anything else, which you wouldn't be around to fix. The best thing you can do is to sign a transaction today which cannot be mined until a set date, and then share it (or where to find it) with a third party for them to broadcast in the event you can't.

I can make a transaction moving all my coins to your wallet, and say that it cannot be mined before block 800,000. I can then either store it in my safe, knowing that as the inheritor of my estate you'll be able to access it after I die, or I can send you the signed transaction to keep yourself, knowing that it cannot yet be mined. At some point before block 800,000, if I'm still alive, I can either simply open my safe, destroy the transaction, and replace it with a new one which cannot be broadcast until block 900,000, or (if you already have the signed transaction), I can move all my coins to a new address to invalidate the transaction you are holding, and then send you a new one timelocked to block 900,000.
6351  Bitcoin / Bitcoin Discussion / Re: Passphrase wallet on: September 12, 2021, 07:56:21 PM
So I can randomly select 12 words from the 2048 and generate a bitcoin wallet? That's pretty neat
No, you can't.

So far every 12 words I've chosen have not opened a wallet
The final word in every seed phrase contains a checksum. If the checksum is not correct then usually the software you are using will not accept the seed phrase. By randomly picking words, you only have a 1 in 16 chance of selecting a word with the correct checksum for a 12 word seed phrase. This falls to 1 in 256 for a 24 word seed phrase.

But more importantly, selecting words yourself is a terrible way to generate a wallet, will massively decrease your security, and could easily lead to loss of funds. Don't do it.

How come the fees for legacy addresses are so much higher than addresses that start with a 3?
Some addresses which start with a 3 are nested segwit addresses. Segwit moves part of the transaction data (the witness) to a separate section and counts it differently when calculating the weight of the transaction. Since these transactions now have a lower weight, they will pay a lower fee. Addresses which start with bc1 are native segwit addresses and will reduce the fee even further.
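The checksum rule discussed in the Passphrase wallet posts above (the 1 in 16 and 1 in 256 odds here, and the estimate of 128 valid repeated-word phrases in the earlier post) can be checked directly. This is an added example, not code from any poster or wallet; it works on wordlist indices 0..2047 rather than words because the BIP39 wordlist is not embedded, and all function names are illustrative.

```python
import hashlib

VALID_ENT_BITS = (128, 160, 192, 224, 256)  # entropy sizes BIP39 allows


def checksum(entropy: bytes) -> int:
    """First ENT/32 bits of SHA-256(entropy), as an integer."""
    cs_len = len(entropy) * 8 // 32
    return hashlib.sha256(entropy).digest()[0] >> (8 - cs_len)


def entropy_to_indices(entropy: bytes) -> list[int]:
    """Append the checksum and split the result into 11-bit word indices."""
    ent_bits = len(entropy) * 8
    if ent_bits not in VALID_ENT_BITS:
        raise ValueError("entropy must be 128-256 bits in steps of 32")
    cs_len = ent_bits // 32
    value = (int.from_bytes(entropy, "big") << cs_len) | checksum(entropy)
    n_words = (ent_bits + cs_len) // 11
    return [(value >> (11 * (n_words - 1 - i))) & 0x7FF for i in range(n_words)]


def coin_flips_to_indices(flips: str) -> list[int]:
    """Recorded coin flips ('0'/'1') to word indices.

    Refuses anything but exactly 128 or 256 flips, so a half-finished
    entry can never be turned into a phrase with a stale checksum.
    """
    if len(flips) not in (128, 256) or set(flips) - {"0", "1"}:
        raise ValueError("need exactly 128 or 256 flips written as 0/1")
    return entropy_to_indices(int(flips, 2).to_bytes(len(flips) // 8, "big"))


def indices_valid(indices) -> bool:
    """True if the trailing checksum bits match SHA-256 of the entropy bits."""
    n = len(indices)
    if n not in (12, 15, 18, 21, 24) or any(not 0 <= i < 2048 for i in indices):
        return False
    cs_len = n * 11 // 33
    value = 0
    for idx in indices:
        value = (value << 11) | idx
    entropy = (value >> cs_len).to_bytes((n * 11 - cs_len) // 8, "big")
    return (value & ((1 << cs_len) - 1)) == checksum(entropy)


def valid_final_words(first_words) -> list[int]:
    """Every last-word index that completes first_words with a valid checksum."""
    return [w for w in range(2048) if indices_valid(list(first_words) + [w])]


def count_valid_repeats(n_words: int = 12) -> int:
    """How many 'same word n_words times' phrases pass the checksum."""
    return sum(indices_valid([w] * n_words) for w in range(2048))


if __name__ == "__main__":
    flips = "0" * 128  # constructed input; real flips must come from a real coin
    print("indices from flips:", coin_flips_to_indices(flips))
    print("valid last words for 11 fixed words:", len(valid_final_words([0] * 11)))
    print("valid last words for 23 fixed words:", len(valid_final_words([0] * 23)))
    print("valid repeated-word 12-word phrases:", count_valid_repeats(12))
```

For any fixed first 11 (or 23) words the count of valid final words is exact rather than an average, because each choice of the remaining entropy bits has exactly one matching checksum.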
6352  Bitcoin / Wallet software / Re: BITCOIN WALLET on: September 12, 2021, 07:44:10 PM
A solution to this is presented by the https://seedsigner.com/ device, which is fully open source hardware and software, and totally air gapped. You can enter the private key and it calculates a public key for you and it can even sign a transaction to spend those funds.
That's one option, sure. An easier option without having to buy a specific device would be to use a permanently airgapped computer running a clean install of an open source reputable Linux distro of your choice with full disk encryption. Lots of people would recommend Tails for such a purpose, which handily comes bundled with Electrum. If you only want to store your wallet on paper after you have generated an address on Tails, then you can just shut it down once you've backed up your seed phrase on paper. If you want to continue to access your wallet on Tails to use as a cold wallet, then you'll need to enable persistent storage.

6353  Bitcoin / Bitcoin Discussion / Re: How to time-lock your coins with the new Schedule an email (gmail) to send later on: September 12, 2021, 07:10:20 PM
First of all, I will not encourage you to create a paper wallet and store your fund there. I don't have enough faith in it, don't ask me why because I don't know. I am using hardware wallet and open-source noncustodial wallet Electrum, so I have faith in these two.
If paper wallets aren't for you that's totally fine, but some people (myself included) use them, and if used properly they are one of the most secure ways you can store your coins. I don't think the term "paper wallet" still necessarily refers to the classical paper wallet of a single private key printed on a piece of paper. I have a number of wallets I would consider paper wallets as they are only stored on paper and nowhere electronic/digital, but those paper wallets are standard BIP39 seed phrases which I will recover to an airgapped device as and when I want to spend from them.

Here's their main "service" offering as described in their website[2]
What the...? People actually use this? Take literally every piece of information and document about themselves, enough for an attacker to completely empty all their financial accounts and open huge amounts of credit in their name and take over every single account they have ever opened anywhere, and store all that in a single location with a company which were found to be storing passwords in plaintext for more than a decade. Wow.

Even on-chain timelocking is risky because one mistake and your coins will be locked for way longer than you intended.
Well, you would double check the timelocked transaction after signing it. If it turns out you signed it for 1,000,000 years in the future by mistake, then you can just delete it and create another one.

But I always found timelocking in general a very poor practice. You don't know how the future will change. Maybe you or your loved one will get cancer and you will need all the money you can get, but because you bought into the HODL STRONG HANDS NEVER SELL meme you will lock yourself out of the very much needed funds.
Yeah, I would only ever use timelocked transactions to potentially move some funds to someone else I wanted to inherit them in the event of my death/incapacitation. I would still have access to the relevant private keys, so could move the coins to invalidate the timelocked transaction and then generate a new one if needed.
6354  Bitcoin / Development & Technical Discussion / Re: Zpub safety on: September 12, 2021, 02:27:16 PM
I'm a little confused about how we have gotten to the leaking of a private key?
Because the combination of a Zpub plus any one individual private key is enough to derive the Zprv and all the associated individual private keys.

It is 100% impossible to obtain A private key from a Zpub (or any derivation of a master public key).
Correct.

And to my original question...In the case of a multisig wallet if someone stores all of their Zpubs in an unsecure place, the only risk is privacy, correct?  You are just giving someone the ability to create a watching-only wallet, correct?
Mostly correct. There is a hypothetical security risk in the scenario described above where you have accidentally leaked a private key, and there is also the concern that if someone can recreate your watch only wallet and see how much bitcoin you own, that they may target you specifically for further attacks.
6355  Bitcoin / Hardware wallets / Re: [LIST] Bitcoin Seed Backup Tools on: September 12, 2021, 01:40:09 PM
Why not just etch/engrave your words rather than stamping them? You can get an etching pen for 5 bucks on Amazon or a local hardware store, or just go old school and get a scrap sharp piece of similar metal. No issues with bending or deforming the plate, but you just need to make sure your writing is clear and legible.

What metal are you using? Make sure it is both thick enough and not a malleable metal. Stainless steel and titanium are good choices.
6356  Bitcoin / Bitcoin Technical Support / Re: It can be possible generate working QR of a privkey from empty squared sheet? on: September 12, 2021, 11:03:52 AM
Yes. I just haven't decided if I want to dynamically compute it on each click or add a "finalize" button that user has to click which computes the checksum in the end.
I suppose the issue with computing it on each click is if your tool is being used by someone with an incomplete understanding of seed phrases and their checksums. For example, someone who selects 24 words but gets fed up half way through and just copies the first 12 words, not realising the checksum will be invalid. Or maybe someone who enters 132 bits of entropy, your tool computes the checksum and turns it in to a 13th word, and they just copy the first 12. I would have thought a "Compute checksum" button which is greyed out unless the user has entered exactly 128 bits or 256 bits of entropy would be less prone to errors.
6357  Other / Beginners & Help / Re: Question regarding links between oldish bitcoin addresses and segwit ones on: September 12, 2021, 08:11:23 AM
As I understood, a private key starting with 5 gives a legacy address only, and also gives an uncompressed address.
Yes. Uncompressed WIF keys start with 5 and should only generate uncompressed legacy addresses. You can use them to generate other addresses, but these addresses will be non-standard and it will be very difficult to successfully spend any coins sent to such addresses.

Obviously the public key generated by my 5xxx private key gave me a compressed key, probably compressed for ease of use.
You can use uncompressed private keys to generate both uncompressed and compressed public keys. Similarly, you can use compressed private keys to generate both uncompressed and compressed public keys.

Is there a way to find out our uncompressed key and send a transaction, just for science?
You can use the latest version of bitaddress from here: https://github.com/pointbiz/bitaddress.org
Download, verify, and run offline.
Enter your compressed or uncompressed WIF key in the box under "Wallet Details", and it will show you both your compressed and uncompressed private keys, public keys, and addresses.
6358  Bitcoin / Wallet software / Re: How secure are the hardware wallet sold online in the market? on: September 12, 2021, 08:00:05 AM
The presence of a tamper-evident seal provides more value when the person checking for the seal is familiar with the seal, what it should look like unbroken, and what it should look like broken.
Sure, but as you say, almost everyone buying a hardware wallet is going to be unfamiliar with the exact design of the seal being used. Any documents put inside the box showing what the seal should look like or linking to a webpage showing what the seal should look like can also be manipulated by an attacker.

They provide additional value when there is a serial number on the seal that needs to match some kind of log that was received separately.
This is a good idea. Are there any hardware wallet providers which do this? Although it still doesn't stop an attacker who can print their own tamper proof seals from intercepting your package, manipulating your hardware wallet, and then immediately printing and attaching an identical seal.
6359  Bitcoin / Legal / Re: How to leave KYC for good on: September 12, 2021, 07:52:22 AM
Yes well, I gave that example, but the criminal could claim it was in 2017 at the peak or whenever suits him best for tax purposes.
Sure, but you didn't pick up 20 bitcoin for nothing in 2017 like you could back in 2010. If someone claimed they had bought $400,000 worth of bitcoin but had no paper trail, then I agree that would be very suspicious and would likely lead to an IRS audit.

I'm obviously no expert in money laundering, but if you are looking to launder amounts of $50-200 million as is being discussed here, then head overseas. You can buy citizenship in a number of countries for tiny fractions of that sum, countries which have very loose tax laws or very corrupt and bribeable officials. There are tax haven countries and off shore companies which launder huge sums for below 20% in fees or taxes. Hell, most of the big banks around the world are complicit in money laundering, and perfectly legal companies such as Amazon and Starbucks manipulate the system to pay tiny percentages in taxes all the time.
6360  Bitcoin / Development & Technical Discussion / Re: Zpub safety on: September 11, 2021, 07:42:57 PM
Publishing (or leaking) a derived address/privkey pair allows anybody to use the master-zpubs to generate the master-zprivs and with that, any private key that can be derived by the master private keys.
Leaking a single private key would only allow an attacker to use that private key and the corresponding master public key to derive a single master private key. In the case of a multi-sig wallet, funds would still be safe since the attacker would only have one master private key, and not the threshold number of master private keys. For the coins to be at risk, OP would have to leak multiple private keys derived from different master private keys, which is very unlikely if his multi-sig wallets are all stored separately (as they should be) and he takes reasonable security precautions.



Throughout this thread, people are using Zpub and zpub interchangeably. They are not the same thing. zpubs are for P2WPKH addresses, Zpubs are for P2WSH addresses. See here for more info: https://github.com/satoshilabs/slips/blob/master/slip-0132.md
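Why an extended public key plus one derived private key gives up the parent private key, as discussed in the Zpub safety posts above: non-hardened BIP32 derivation is `child = parent + IL mod n`, and `IL` depends only on data in the extended public key. This is an added example, not code from the thread; the parent key and chain code are constructed demo values, the function names are illustrative, and it also shows that a hardened child does not have this property.

```python
import hashlib
import hmac

# secp256k1 domain parameters
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        m = 3 * x1 * x1 * pow(2 * y1 % P, -1, P) % P
    else:
        m = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (m * m - x1 - x2) % P
    return (x3, (m * (x1 - x3) - y1) % P)


def mul(k, pt=G):
    """Double-and-add scalar multiplication (not constant time; demo only)."""
    result = None
    while k:
        if k & 1:
            result = add(result, pt)
        pt = add(pt, pt)
        k >>= 1
    return result


def ser_pub(priv):
    """Compressed public key bytes for a private key."""
    x, y = mul(priv)
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")


def ckd_priv(k_par, c_par, i):
    """BIP32 private child key; i >= 2**31 selects hardened derivation."""
    if i >= 2**31:
        data = b"\x00" + k_par.to_bytes(32, "big") + i.to_bytes(4, "big")
    else:
        data = ser_pub(k_par) + i.to_bytes(4, "big")
    il = hmac.new(c_par, data, hashlib.sha512).digest()[:32]
    return (int.from_bytes(il, "big") + k_par) % N


def parent_from_leak(pub_par, c_par, i, k_child):
    """What a holder of the extended public key (pub_par, c_par) can compute
    from one leaked non-hardened child key: k_par = k_child - IL mod n."""
    il = hmac.new(c_par, pub_par + i.to_bytes(4, "big"), hashlib.sha512).digest()[:32]
    return (k_child - int.from_bytes(il, "big")) % N


# Constructed demo values, not real wallet material.
PARENT_PRIV = int.from_bytes(hashlib.sha256(b"constructed demo parent key").digest(), "big") % N
CHAIN_CODE = hashlib.sha256(b"constructed demo chain code").digest()

if __name__ == "__main__":
    xpub_key = ser_pub(PARENT_PRIV)
    normal = ckd_priv(PARENT_PRIV, CHAIN_CODE, 7)
    hardened = ckd_priv(PARENT_PRIV, CHAIN_CODE, 2**31 + 7)
    print("non-hardened leak recovers parent:",
          parent_from_leak(xpub_key, CHAIN_CODE, 7, normal) == PARENT_PRIV)
    print("hardened leak recovers parent:",
          parent_from_leak(xpub_key, CHAIN_CODE, 2**31 + 7, hardened) == PARENT_PRIV)
```

The hardened case fails because its HMAC input contains the parent private key, which is why accounts are derived hardened and why individual private keys from a wallet whose extended public key is shared should never be exported.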