Bitcoin Forum
May 08, 2024, 08:51:37 PM *
News: Latest Bitcoin Core release: 27.0 [Torrent]
1441  Bitcoin / Bitcoin Discussion / Re: Would these two wallets be equally hard to brute force attack? on: May 28, 2023, 09:25:05 AM
Let's assume that in OP's example both 24 word seed phrases and the additional 24 word passphrase were all generated in the usual manner when generating BIP39 seed phrases and all provide 256 bits of entropy.

In such a case, the two wallets will be exactly as difficult to brute force. When a BIP39 wallet is generated from a seed phrase, your seed phrase and a salt comprised of the word "mnemonic" concatenated with your passphrase are fed into 2048 rounds of HMAC-SHA512. If you do not use a passphrase, your salt is simply the word "mnemonic" on its own. Either way, the process leads to the same 2048 rounds of HMAC-SHA512, and so there is no discernible difference in the time it takes to generate a wallet from a seed phrase with no passphrase when compared to a seed phrase with a passphrase.

So in OP's example, either I am brute forcing a 24 word seed phrase on its own, or I know the seed phrase and I am brute forcing a 24 word seed phrase being used as a passphrase. Either way, the difficulty is the same.

The difference would come when considering the checksum. Seed phrases have checksums. A 24 word seed phrase has an 8 bit checksum, meaning that on average only 1 out of every 256 random selections of 24 words will result in a valid seed phrase. This means that when brute forcing a 24 word seed phrase from scratch, 255 out of every 256 combinations can be discarded by checking the checksum and without having to run through the computationally expensive hashing and key derivation functions. With passphrases there is no such checksum, and so for every passphrase an attacker would need to run through these functions to derive the wallet.

If the attacker knew your passphrase was a valid 24 word seed phrase on its own, then nothing changes. They can still discard 255 out of every 256 possibilities based on an invalid checksum. If, however, your passphrase was simply 24 entirely random words from the BIP39 list which paid no attention to checksums, then brute forcing this would be 256 times more difficult than brute forcing a valid seed phrase. (Not quite exactly 256 times more difficult since calculating the checksum isn't instantaneous, but very close.)

It's worth pointing out that this is entirely academic and both scenarios are completely impossible before the death of the sun.
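A worked example of the derivation and checksum rule discussed in the post above. This is an added example, not code from the original post: it appends the BIP39 checksum to raw entropy, validates a candidate phrase by recomputing that checksum, derives the seed with PBKDF2-HMAC-SHA512 (2048 iterations, salt "mnemonic" + passphrase), and measures how often uniformly random 24-word candidates survive the 8-bit checksum. It works on 11-bit word indices (0..2047) rather than words, because the 2048-word English list is not embedded here; mapping indices to words is assumed to be done with that list.

```python
# Added example, not from the original post: BIP39 checksum and seed derivation.
# Works on 11-bit word indices; the English wordlist is assumed but not embedded.
import hashlib
import random
import unicodedata

# Allowed entropy sizes (bits) and the resulting phrase lengths.
WORDS_PER_BITS = {128: 12, 160: 15, 192: 18, 224: 21, 256: 24}


def entropy_to_indices(entropy: bytes) -> list[int]:
    """Append the checksum (first ENT/32 bits of SHA256(entropy)) and split
    the ENT+CS bits into 11-bit word indices, as BIP39 specifies."""
    ent_bits = len(entropy) * 8
    if ent_bits not in WORDS_PER_BITS:
        raise ValueError("entropy must be 128..256 bits in 32-bit steps")
    cs_bits = ent_bits // 32  # 4 bits for 12 words, 8 bits for 24 words
    checksum = int.from_bytes(hashlib.sha256(entropy).digest(), "big") >> (256 - cs_bits)
    combined = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    n_words = (ent_bits + cs_bits) // 11
    return [(combined >> (11 * (n_words - 1 - i))) & 0x7FF for i in range(n_words)]


def indices_valid(indices: list[int]) -> bool:
    """Recompute the checksum for a candidate phrase (as word indices).
    This is the cheap filter a brute forcer applies before any PBKDF2 work."""
    total_bits = len(indices) * 11
    ent_bits = total_bits * 32 // 33
    cs_bits = total_bits - ent_bits
    if ent_bits not in WORDS_PER_BITS or any(not 0 <= i < 2048 for i in indices):
        return False
    combined = 0
    for i in indices:
        combined = (combined << 11) | i
    entropy = (combined >> cs_bits).to_bytes(ent_bits // 8, "big")
    expected = int.from_bytes(hashlib.sha256(entropy).digest(), "big") >> (256 - cs_bits)
    return (combined & ((1 << cs_bits) - 1)) == expected


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed: PBKDF2 with 2048 iterations of HMAC-SHA512, 64-byte output,
    salt = "mnemonic" + passphrase. The cost is identical with or without a
    passphrase, which is the point made in the post."""
    m = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", m, salt, 2048, dklen=64)


def checksum_pass_rate(n_words: int, trials: int, seed: int = 1) -> float:
    """Fraction of random index tuples that pass the checksum. For 24 words
    (8-bit checksum) this approaches 1/256; for 12 words (4-bit), 1/16."""
    rng = random.Random(seed)
    passed = sum(
        indices_valid([rng.randrange(2048) for _ in range(n_words)]) for _ in range(trials)
    )
    return passed / trials


if __name__ == "__main__":
    print(entropy_to_indices(bytes(32)))  # 23 x index 0, then the checksum word
    print(f"24-word pass rate ~ {checksum_pass_rate(24, 20000):.4f} (1/256 = 0.0039)")
    print(f"12-word pass rate ~ {checksum_pass_rate(12, 20000):.4f} (1/16 = 0.0625)")
```

The first official BIP39 test vector is a quick sanity check: all-zero 128-bit entropy gives indices [0]*11 + [3] ("abandon" x11, "about"), and mnemonic_to_seed of that phrase with passphrase "TREZOR" starts with c55257c3 and ends with e7463b04. Swapping the passphrase for a 24-word string changes only the salt, not the iteration count, which is why the two wallets in the OP's question cost the same per guess.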
1442  Bitcoin / Wallet software / Re: Verifiable builds need attention. Only 3 of 68 Android wallets are verifiable on: May 28, 2023, 08:57:48 AM
So because they point out that a custodial wallet is custodial, that custodial wallet attempted frivolous legal action because they didn't like someone pointing out that they are custodial? Roll Eyes

What incredibly scummy and shady behavior, but unfortunately anyone who is already using a custodial wallet is unlikely to be swayed by said behavior.
1443  Bitcoin / Development & Technical Discussion / Re: Zpub safety on: May 28, 2023, 07:59:00 AM
zpubs or Zpubs are bad ideas. They should not have been created. And there are plenty of misunderstandings out there.
Since zpubs or Zpubs are already for P2WPKH or P2WSH, then what are the alphabets for taproot?
People should always use xpub and descriptor.
I do agree it would have been easier to just stick to xprvs/xpubs and then specify derivation path/script type/etc. separately in order to generate the correct type of addresses, which is exactly what Core is doing with descriptors. It would avoid scenarios like this one where you have to convert Zprvs from Electrum to xprvs in order to import them into Core.

As specified in BIP86, Taproot should use xprvs/xpubs, but there is nothing stopping software using zprvs/zpubs for Taproot. Although given that Taproot addresses can be key path or script path, then the whole Z/z separation for script hash/pubkey hash falls apart.

Would you mind editing your post to fix your misquote?

xpub is for generating the legacy 1 addresses
This is a common misconception. xprvs/xpubs are defined in BIP32, which says nothing about what type of addresses they should be used to generate. They are simply extended keys, and can be used for any address type, which is exactly what Bitcoin Core does. You are obviously right in saying that a lot of software treats xprvs/xpubs as meaning legacy addresses, but this is not strictly correct.

As I've linked to above, BIP86 uses xprvs/xpubs for Taproot, not zprvs/zpubs as you suggest.
1444  Bitcoin / Bitcoin Technical Support / Re: What is difference between sats/byte and sats/vbyte and weight. on: May 27, 2023, 06:59:22 PM
Electrum actually correctly uses sats/vbyte, but labels it as sats/byte.

An issue was opened about this years ago: https://github.com/spesmilo/electrum/issues/6961. Unfortunately the devs haven't got round to fixing it.
1445  Bitcoin / Bitcoin Technical Support / Re: What is difference between sats/byte and sats/vbyte and weight. on: May 27, 2023, 02:37:35 PM
so that it still maintains the same size of 1MB
This is not correct. Blocks can be up to 4 MB of actual disk space, with average sizes around 1.5-2.5 MB. They have a maximum size of 4,000,000 weight units, which is the same as 1 MvB.

So every new block contains a (lazy) legacy transaction with Byte = vByte and a (new) with Segwit transactions containing 4 vByte.
The non-witness parts of segwit transactions are still counted the standard way, with 1 byte taking up 4 weight units. It is only the witness part of the transactions which costs 1 weight unit per byte, not the entire segwit transaction.
1446  Bitcoin / Bitcoin Technical Support / Re: What is difference between sats/byte and sats/vbyte and weight. on: May 27, 2023, 01:03:19 PM
In addition to what has been said above, the simplest solution is that the vast majority of people should ignore sats/byte and only pay attention to sats/vbyte. This is the only number that matters when considering the priority of your transaction.

Block space is measured in either vbytes or weight units. 4 weight units = 1 vbyte. A block's maximum size is 4,000,000 weight units, which is 1 MvB. Miners prioritize transactions paying the higher fee per vbyte, since this allows them to earn the most fees from finding a block. It is your fee in sats/vbyte which determines your transaction's position within the mempool.

Some outdated wallets and block explorers still use sats/byte, despite this figure not being accurate since segwit was activated nearly 6 years ago. I would avoid such services.
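A worked example of the weight and vbyte accounting described in the two posts above (the witness-only discount and the sats/byte versus sats/vbyte distinction). This is an added example, not code from the original posts: it walks a serialized transaction, separates witness bytes (including the segwit marker and flag) from non-witness bytes, and computes weight, vsize and both fee rates. The one-input, one-output transaction it builds is constructed for the demonstration, with placeholder signature and key bytes, and is not a real transaction.

```python
# Added example, not from the original posts: weight / vsize accounting.
# The sample transaction is constructed; its signature and pubkey are placeholders.
import math


def _read_varint(buf: bytes, pos: int) -> tuple[int, int]:
    """Bitcoin CompactSize integer; returns (value, next position)."""
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    size = {0xFD: 2, 0xFE: 4, 0xFF: 8}[first]
    return int.from_bytes(buf[pos + 1:pos + 1 + size], "little"), pos + 1 + size


def tx_sizes(raw: bytes) -> dict:
    """Parse a serialized transaction (legacy or BIP144 segwit layout) and
    report total, base (non-witness) and witness byte counts, weight and vsize.
    Non-witness bytes cost 4 weight units each, witness bytes cost 1."""
    pos = 4  # version
    segwit = raw[pos] == 0x00 and raw[pos + 1] == 0x01  # marker + flag
    if segwit:
        pos += 2
    n_in, pos = _read_varint(raw, pos)
    for _ in range(n_in):
        pos += 36  # previous txid + output index
        script_len, pos = _read_varint(raw, pos)
        pos += script_len + 4  # scriptSig + sequence
    n_out, pos = _read_varint(raw, pos)
    for _ in range(n_out):
        pos += 8  # amount
        script_len, pos = _read_varint(raw, pos)
        pos += script_len
    witness_bytes = 0
    if segwit:
        start = pos
        for _ in range(n_in):
            n_items, pos = _read_varint(raw, pos)
            for _ in range(n_items):
                item_len, pos = _read_varint(raw, pos)
                pos += item_len
        witness_bytes = (pos - start) + 2  # witness stacks plus marker and flag
    pos += 4  # locktime
    if pos != len(raw):
        raise ValueError("trailing bytes or truncated transaction")
    total = len(raw)
    base = total - witness_bytes
    weight = base * 4 + witness_bytes  # identical to 3 * base + total
    return {"total": total, "base": base, "witness": witness_bytes,
            "weight": weight, "vsize": math.ceil(weight / 4)}


def fee_rates(raw: bytes, fee_sats: int) -> dict:
    """sats/byte (raw size, the outdated figure) versus sats/vbyte (what miners sort by)."""
    s = tx_sizes(raw)
    return {"sats_per_byte": fee_sats / s["total"], "sats_per_vbyte": fee_sats / s["vsize"]}


def build_sample_tx(segwit: bool) -> bytes:
    """Constructed 1-in/1-out transaction spending to P2WPKH. With segwit=True the
    input is a P2WPKH spend carrying a 72-byte placeholder signature and a 33-byte
    placeholder pubkey in the witness; with segwit=False there is no witness."""
    version = (2).to_bytes(4, "little")
    txin = bytes(32) + bytes(4) + b"\x00" + b"\xff\xff\xff\xfd"  # empty scriptSig, RBF sequence
    txout = (50_000).to_bytes(8, "little") + b"\x16" + b"\x00\x14" + bytes(20)
    body = version + (b"\x00\x01" if segwit else b"") + b"\x01" + txin + b"\x01" + txout
    if segwit:
        sig, pubkey = b"\x30" + bytes(71), b"\x02" + bytes(32)
        body += b"\x02" + bytes([len(sig)]) + sig + bytes([len(pubkey)]) + pubkey
    return body + bytes(4)  # locktime


if __name__ == "__main__":
    for label, raw in (("segwit", build_sample_tx(True)), ("legacy", build_sample_tx(False))):
        print(label, tx_sizes(raw), fee_rates(raw, 1100))
```

For the constructed segwit transaction the 110 witness bytes count once and the 82 non-witness bytes count four times, giving 438 weight units and 110 vbytes, so a 1100 sat fee is 10 sats/vbyte even though it is only about 5.7 sats per raw byte. A wallet that labels the second number as the first (as the Electrum issue above describes) is reporting the right figure under the wrong name.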
1447  Bitcoin / Electrum / Re: Electrum air gapped device on: May 27, 2023, 11:27:03 AM
What is your opinion regarding Microsoft products (Bing, Outlook, Edge etc). I am specifically interested in knowing whether they invade our privacy the way Google does. I mean a lot is heard about privacy and Google, but I haven't heard quite a lot about MS. At least personally.
Google is easily the worst offender, but Microsoft isn't exactly far behind. Part of the problem is that most people interact with Microsoft via their OS, which can therefore monitor everything that happens on that device. Here's a post I made a few years ago about Windows 10: https://bitcointalk.org/index.php?topic=5190776.msg52685703#msg52685703

By all accounts, Windows 11 is even worse, and I'm sure future OSs from Microsoft will be no different.

Thankfully, it is very easy to avoid Microsoft. Just pick a Linux distro of your choice and you are pretty much done. Since you should already be using privacy respecting browsers, search engines, etc., as I mentioned above to avoid Google, then you will also be avoiding Microsoft.
1448  Other / Politics & Society / Re: Target now being boycotted for their pro-trans childrenswear on: May 27, 2023, 10:44:46 AM
Guns don't kill people, but a T-shirt will make you trans.

Roll Eyes
1449  Bitcoin / Hardware wallets / Re: Ledger Recovery - Send your (encrypted) recovery phrase to 3rd parties entities on: May 27, 2023, 10:35:17 AM
They don't need to. As I pointed out earlier in this thread:

It's not clear yet, but we know they must have the means to decrypt it themselves. You can lose your hardware wallet and your seed phrase, and still recover your wallets on a new device. This means that everything needed to recover your seed phrase (i.e. the shares and their decryption keys) is stored by one or more third parties, since you need to provide absolutely nothing yourself, not even the original device.

If you are able to recover everything to a brand new device, then that means Ledger and their third party buddies are storing everything needed to fully recover your wallet. This means not just the encrypted shards, but the decryption key as well.

To me, this looks very suspicious because you need a communication channel between hardware wallets to transfer a decryption key, which basically means you have to rely on a third-party provider (most likely the entity asking you for documents) to store and send it to you after a successful KYC procedure.
Further, all three of your encrypted shards and their decryption key must first pass from your hardware wallet to your computer, and then all be sent out from your computer to these third parties, and then again in the reverse direction. You are exposing everything needed to steal your coins to the same risks as any other hot wallet.
1450  Bitcoin / Hardware wallets / Re: Ledger Recovery - Send your (encrypted) recovery phrase to 3rd parties entities on: May 27, 2023, 09:06:49 AM
I checked for you, it's done via KYC provider Onfido. Make of that what you will.
For Ledger's shard, yes. But your KYC data will also be stored with the other two third party companies as well, in order for them to release their shard if needed:
Ledger Recover uses your ID and a selfie to verify who you are, via its Identity Verification provider, Onfido. Then, it links your identity to encrypted fragments of your Secret Recovery phrase. The identity providers store this ID data in an encrypted form.

So there will be three companies holding your KYC data, duplicated across an unknown number of servers in an unknown number of locations with unknown security protocols and an unknown number of people with digital or physical access. Just like every other KYC, it will only be a matter of time before your information is leaked/hacked/shared/sold.

They do claim the seed can only be decrypted with the same Ledger that created it, but I imagine with any Ledger there would be a simple workaround for this, such as spoofing the device's log number in order for the encrypted shard to think it's the same one.
It's the exact opposite, in fact. They say that you can use Ledger Recover with a brand new device:

What if I lose my Ledger device that is associated with my Ledger Recover subscription?

Simply get another Ledger device and follow the process to recover access to your wallet.
1451  Bitcoin / Hardware wallets / Re: Trezor hacked (again) on: May 27, 2023, 08:53:49 AM
because according to the agreement with the bank, I am prohibited from trading.
You can always open an account with another bank which has a less draconian view of crypto, or trade with cash. Although as Pmalek rightly points out, any transfers to your bank account come from other individuals, not from Bisq.

The main liquidity in the pair: Monero/Bitcoin, there is no liquidity for other cryptocurrencies.
That's because almost all other cryptocurrencies are trash. I use Bisq mainly for fiat pairs.

Trezor sales soar 900% amid Ledger’s seed recovery controversy
Imagine getting rid of your Ledger because you are worried about a seed extraction vulnerability, and buying another hardware wallet with a proven seed extraction vulnerability which is also happily cooperating with government sponsored blockchain analysis. Roll Eyes
1452  Bitcoin / Bitcoin Technical Support / Re: I created a transaction 2 weeks ago on: May 26, 2023, 01:05:27 PM
So, if majority of node runners significantly increase their limits, for example from 300MB to 3000MB and if they also increase the number of hours a transaction can stay in a mempool, then this means that node runners can also worsen the whole bitcoin transaction drama if they intend to do so.
Yes. If you have made a low fee transaction which is not opted in to RBF, then you have to wait for it to be evicted from mempools before you can replace it. If it is never evicted, you can never replace it (until full RBF becomes widespread enough).

Also, if someone accidentally sends a huge transaction without enabled RBF and won't be able to do CPFP and I'll intentionally decide to worsen his quality of life, then I can succeed by frequently broadcasting his transaction, right? Oh, that's terrible, man.
Also correct, unless he can replace it via full RBF.

The obvious solution is just to enable RBF on all your transactions.
1453  Bitcoin / Hardware wallets / Re: Trezor hacked (again) on: May 26, 2023, 12:45:53 PM
For this hack yes, you need physical access and specialized hardware and specific knowledge, but part of the point of a hardware wallet is that it is supposed to be idiot proof and secure out of the box. Without putting in an extra password and everything else. The fact that they did not issue a more dire warning about their security vulnerabilities in the past just really puts them in my do not use file.
We discussed exactly this over three years ago when this vulnerability was first demonstrated: https://bitcointalk.org/index.php?topic=5222188.msg53803392#msg53803392

Three years on, and nothing has changed. Their website still makes no mention of the vulnerability. Their new documentation and set up guides are still lacking in any and all information. Nowhere in their "First Steps" or "Trezor 101" are passphrases mentioned at all. If you head to the "Security" section to find a page on passphrases, you'll find it still makes no mention whatsoever of the vulnerability and makes frankly dangerous statements such as calling a passphrase "an extra word" and a graphic showing the passphrase "Martha". If your seed phrase is compromised by this attack, a passphrase of a single word will provide no protection whatsoever and will be bruteforced in a matter of minutes.

They've got their priorities straight though - long before you reach that (completely inadequate) page on passphrases, in the "Trezor Basics" section you get a nice page on how to dox yourself via their built-in KYC trading platform Invity, and a nice page on how to invite blockchain analysis companies to spy on you via their partnership with Wasabi. Roll Eyes Roll Eyes Roll Eyes
1454  Economy / Service Discussion / Re: Wallet software on: May 26, 2023, 10:54:19 AM
But some scammers and hackers have high technical knowledge and know how to avoid tracking.
You don't need to have high technical knowledge in order to avoid blockchain analysis and mass surveillance, just pass your coins through a good mixer or coinjoin with JoinMarket or Whirlpool.

And neither do you have to be a scammer, hacker, or doing anything in the least bit suspicious in order to want to protect your privacy. The vast majority of people who use such privacy services are simply ordinary people who do not wish governments, businesses, ad agencies, marketers, and a huge number of other third parties tracking everything that they do. Keeping your financial activities private is just basic security and common sense.

1455  Bitcoin / Hardware wallets / Re: Trezor hacked (again) on: May 26, 2023, 10:45:44 AM
One company is passing off CID phrases to other companies, another wallet maker is partnering with Chainalysis albeit saying that "the coordinator simply refuses them". Companies are affected by regulators.
I wouldn't be surprised if they follow the metamask route and add "We reserve the right to withhold taxes where required."
Businesses simply cannot be trusted. Profits trump everything else, always.

It's been obvious for years that you cannot trust any centralized exchange, and that they will scam you, lock accounts, seize funds, gamble your coins, and go bankrupt. It should now be obvious to everyone that you cannot trust hardware wallet manufacturers either. From unfixable bugs, to support for government mandated KYC via AOPP, to directly funding blockchain analysis and spying on their users, to handing your seed phrases to third parties and making them vulnerable to government subpoenas.

The solution is to run your own node, trade via Bisq, and as you point out use your own airgapped encrypted cold storage which does not rely on third parties being honest.

strong passphrase solves the hacking problem if hackers manage to get to your Seed.
It doesn't solve it, as the attacker will still have your seed phrase. It mitigates against your coins being stolen if and only if you use a long and random passphrase, but we also know that most people use incredibly weak passphrases.
1456  Bitcoin / Bitcoin Discussion / Re: Getting around KYC on: May 26, 2023, 10:14:37 AM
But the closest (I think) to an anonymous transaction could be made with KuCoin or PDAX if you're living in the Philippines. These two aren't big on KYCs and as long as you verify an email and a mobile number, you're basically set to go with whatever transaction you want to do.
Two issues with that approach.

First of all, such non-KYC centralized exchanges can freeze your account and demand KYC from you at any time and without warning. If you don't comply, then they simply seize everything in your account. This has happened plenty of times in the past with a variety of exchanges. Hoping you simply don't get asked for KYC is not a safe move. Secondly, these exchanges absolutely still track everything you do. You might not have completed KYC, but you will almost certainly link your bank account, which is more than enough information for the exchange to identify exactly who you are, gather data on your activities, and share that data with third parties.

A better approach is to use a real DEX such as Bisq, where it is impossible for them to freeze accounts, they cannot ask for KYC whatsoever, and they keep no record of your bank details or other fiat payment method.
1457  Bitcoin / Electrum / Re: 12 word vs 24 word seed on: May 25, 2023, 12:00:59 PM
I guess he'll be out of luck with my extended seed phrase though Smiley
Which would also be the same situation if someone compromised your seed phrase via Ledger Recover.

I do consider this to be different than the ledger attack vector which does not need physical access.
Only if you opt in to it. If you are smart and don't opt in to it, then an attacker would need physical access to your device to opt in to it on your behalf, and then compromise and decrypt your shares. At this point, breaking the Trezor device as demonstrated will probably be easier.

Ledger just went as far as extracting the key from your hardware wallet themselves (by design) using official firmware.
Also true, but again, couldn't Trezor just do the same thing on their device?

The only point I am making is that swapping one flawed hardware device for another flawed hardware device isn't exactly a smart move. Either find an open source hardware wallet which is permanently airgapped and never connects to a computer, or as you say (and my personal preference) use airgapped encrypted cold storage.
1458  Bitcoin / Electrum / Re: 12 word vs 24 word seed on: May 25, 2023, 10:27:17 AM
But according to current data, even the most powerful devices need hundreds of years to guess these words
Millions of years.

Notice that even if someone knows the 12 words but doesn't know the order, they still need 12! possible combinations (12! = 479.001.600) this is for non repeated words.
Yes, but this is an almost trivial amount to brute force, and can be done in under an hour. 24!, on the other hand, is impossible.

Regardless, if the security of your set up relies on someone not being able to descramble your words after they have found them, you are doing a lot of things very wrong. I would never recommend scrambling a seed phrase. The most likely outcome is not some added security, but that you are unable to recover your back up.

Like it has already been said: there are perfectly good ways of using a 24 word seed on a Trezor, or on another trusted hardware wallet without having to resort to a company that has been caught twisting the truth...
Seed phrases can be extracted from Trezor devices, with another exploit being demonstrated in just the last 24 hours (https://www.youtube.com/watch?v=50eiA-75NMY), not to mention Trezor's support of censorship and government blacklists. I would never use either a Ledger or a Trezor device.
1459  Bitcoin / Bitcoin Discussion / Re: Getting around KYC on: May 25, 2023, 10:01:42 AM
But as that's not available here, I am forced to use CEX in order for a safe transaction.
That's fine, and if that is the best option available to you given your risk model, then obviously use that. But saying that face to face trading is worse for privacy than a CEX is just factually incorrect.
1460  Bitcoin / Bitcoin Discussion / Re: Getting around KYC on: May 25, 2023, 08:54:48 AM
In Centralized exchange you can sell to random people and I don't think they can track you like what can be done in physical trades.
If I trade with someone face to face for cash, the most they find out about me is the address I sent the bitcoin from. Since that bitcoin will have been mixed or otherwise anonymized, that tells them exactly nothing about me.

Centralized exchanges, on the other hand, track everything that you do. They know your name, address, phone number, email, occupation, income, SSN, tax details, and so on. They know your bank accounts and credit cards. Every deposit you make is analyzed via blockchain analysis companies. Every withdrawal you make is tracked to see where it goes. They use that information to link all your addresses and wallets together, and see how and when you spend your money. They link all of that to your real identity. They keep track of every trade you've made, every IP address you've used, every device you access their platform with. They use your IP addresses and device fingerprints to track your movements across the internet and other websites. They build an enormous profile on you, and then sell and share that information to a variety of third parties.

The two are not even comparable. To say a physical trade is worse for privacy than a centralized exchange is insanity.