Bitcoin Forum
May 28, 2024, 02:03:46 PM *
News: Latest Bitcoin Core release: 27.0 [Torrent]
 
Author Topic: Can I use a 12 word seed extension and store it separately?  (Read 358 times)
o_e_l_e_o (June 26, 2021, 01:29:23 PM) #21

> But the possibility of making a mistake when using 12 new words is, of course, greater than when using just one or two.
But one or two is not secure.

If you want the same amount of security, then the alternative to using a 12 word seed phrase as your passphrase is using some other string which has approximately 128 bits of entropy. If you draw from the full ASCII set of 95 printable characters, then you need 20 characters. Your passphrase, then, might look something like one of these:

Code:
@&!1Q~h{Wy)m=FG9ZP"f
l~]Oj6%Mn=cd7Xo(`CW`
}ZOr5}Uls?Rbt#A6+s3>

It is going to be far easier to copy down something like that incorrectly or enter it incorrectly than it will be to copy down or enter a 12 word seed phrase incorrectly, even if the seed phrase is far longer.
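The entropy arithmetic behind this post, as an added example (not code from the thread or from any of its posters): it computes how many uniformly random symbols from a given alphabet are needed to reach a target entropy, compares the 95-character printable ASCII set with a lowercase-only alphabet and with the 2048-word BIP39 list, and draws such a passphrase with a CSPRNG. The alphabet constants and function names are this example's own assumptions.

```python
import math
import secrets
import string

# Alphabets (this example's assumptions). The 95 printable ASCII characters are
# 52 letters + 10 digits + 32 punctuation marks + the space.
PRINTABLE_ASCII = string.ascii_letters + string.digits + string.punctuation + " "
LOWERCASE_ONLY = string.ascii_lowercase
BIP39_WORDLIST_SIZE = 2048  # each BIP39 word encodes 11 bits


def bits_per_symbol(alphabet_size: int) -> float:
    """Entropy of one symbol chosen uniformly at random from the alphabet."""
    return math.log2(alphabet_size)


def symbols_needed(target_bits: float, alphabet_size: int) -> int:
    """Smallest passphrase length (in symbols) that reaches target_bits of entropy."""
    return math.ceil(target_bits / bits_per_symbol(alphabet_size))


def passphrase_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a passphrase made of `length` uniformly random symbols."""
    return length * bits_per_symbol(alphabet_size)


def random_passphrase(length: int = 20, alphabet: str = PRINTABLE_ASCII) -> str:
    """Draw each symbol with the CSPRNG in `secrets`, never with random.choice."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_report(target_bits: int = 128) -> dict:
    """Symbol counts needed for target_bits under each alphabet."""
    return {
        "printable_ascii": symbols_needed(target_bits, len(PRINTABLE_ASCII)),
        "lowercase_only": symbols_needed(target_bits, len(LOWERCASE_ONLY)),
        "bip39_words": symbols_needed(target_bits, BIP39_WORDLIST_SIZE),
    }


if __name__ == "__main__":
    for name, n in entropy_report().items():
        print(f"{name}: {n} symbols for 128 bits")
    # A 12-word mnemonic is 12 * 11 = 132 bits of word choices, of which 4 bits
    # are a checksum, so its entropy is 128 bits.
    print("12 BIP39 words carry", passphrase_entropy_bits(12, BIP39_WORDLIST_SIZE),
          "bits of word choices")
    print("sample 20-char passphrase:", random_passphrase())
```

The arithmetic only holds for symbols chosen uniformly at random; a passphrase built from initials, words or a pattern a person can remember is drawn from a much smaller effective alphabet, and `symbols_needed` overstates its strength.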
BlackHatCoiner (June 26, 2021, 02:10:20 PM) #22

> Seed extension phrases are a good idea... but you do need to be aware of the potential pitfalls.
Would you like to explain to me why they're a good idea? For the average user at least, I find it pretty useless and, as you said, it brings potential pitfalls. You're leaving the users to use a password that may be predictable, to... enhance their security? It's already infeasible to brute force.

The only reason that I'd ever use a passphrase is if I had a hardware wallet. It keeps the seed phrase in it, but the password is obviously not kept; it's asked for every time you want to open your wallet.

hosseinimr93 (June 26, 2021, 02:54:16 PM) #23

> Would you like to explain to me why they're a good idea? For the average user at least, I find it pretty useless and, as you said, it brings potential pitfalls.
If you use a passphrase in the right way, they aren't really useless.
A passphrase isn't used for reducing the chance of being successfully brute-forced. As you rightly said, 128 bits of entropy is more than enough.

Let's say I have written my seed phrase on a paper and the paper is stolen. The thief can't steal my funds without the passphrase.
Using a passphrase has its own downsides, but it has advantages too.

o_e_l_e_o (June 26, 2021, 03:11:42 PM) #24
Merited by pooya87 (1), ABCbits (1), Coin-1 (1), hosseinimr93 (1), BlackHatCoiner (1)

> Would you like to explain to me why they're a good idea?
  • It provides an easy way to split your backup into two - one piece of paper with your seed phrase, and one piece of paper with your passphrase, stored in separate locations.
  • It provides plausible deniability, as you can turn over your seed phrase and any coins protected by it, while keeping the coins in the passphrased wallet safe and the very existence of the passphrased wallet secret.
  • You can use multiple passphrases with the same seed phrase to further improve the security I described above. You can even create multiple decoy passphrases, all holding small amounts of coins you can hand over to an attacker.
  • It provides a very easy way to create multiple different wallets, which can improve your privacy by keeping coins received from different places entirely separate with no risk of accidentally combining them in the same transaction. I know this can also be done with derivation paths, but using passphrases provides two advantages over derivation paths - additional security, as described above, and you can use passphrases which remind you which wallet is which. For example, if I use 5 different derivation paths, I might forget which derivation path is for which purpose, but if I use the passphrase 4j!SALARY'5#, then I know immediately what that wallet is for.
HCP (June 26, 2021, 10:57:58 PM) #25

> to... enhance their security? It's already infeasible to brute force.
As o_e_l_e_o has mentioned, it adds another layer to the "physical" security of your seed backup... If someone were to get hold of your 12/24 word seed, they might find a small amount of coins in the "base" account, but would be unable to access anything that was protected by a passphrase (assuming that your passphrase is not co-located with the seed backup... which obviously it should not be).

Additionally, attempting to bruteforce passphrases is actually quite time consuming because of the methods used (i.e. every passphrase generates a "valid" wallet, so you need to go through many "costly" derivations to derive and then check addresses).

And... If you happen to be using a Trezor ONE, it's pretty much required to prevent total loss in the event that the device is physically compromised, i.e. it is stolen or lost.

o_e_l_e_o (June 27, 2021, 06:41:10 AM) #26

> If someone were to get hold of your 12/24 word seed, they might find a small amount of coins in the "base" account, but would be unable to access anything that was protected by a passphrase (assuming that your passphrase is not co-located with the seed backup... which obviously it should not be).
It's more than just preventing access though. More importantly, provided you haven't made any obvious links on the blockchain or revealed the existence of the passphrased wallet in another manner, then an attacker cannot even prove that one or more passphrased wallets even exist. It's like using hidden volumes when encrypting data - it's not only that the attacker can't access the data/wallets, it's that they don't even know there are additional data/wallets there to be accessed in the first place.

This obviously depends on you keeping the existence of your passphrased wallet(s) secret. If an attacker sees 90% of the coins move out of your main wallet to a new address, and then not move from that new address for months or years, then that's a dead giveaway that you still have control of them and have simply moved them to a different wallet for safer keeping.
HCP (June 27, 2021, 10:38:52 PM) #27

> It's more than just preventing access though.
Of course... I was just trying to show an additional benefit to complement the rather exhaustive list that you had already shown.

Granted, they're not necessarily for "everyone"... but I still think they're a good idea and that the benefits outweigh any additional "complexity".

Pmalek (June 28, 2021, 01:01:12 PM) #28

One could protect his passphrase in plain sight. Let's say this is your Electrum seed: https://en.bitcoin.it/w/images/en/6/60/Mnemonic-seed-still-life.jpg
You could use the first, second, or any number of letters to create your passphrase. Naturally, you are relying on your memory not to forget which letters you used.

You would get something like this: WCPFSODCRAIC iorehperogie

I am not sure how reliable sites like https://howsecureismypassword.net/ are (don't enter a real password into it no matter what), but it says it would take 15 octillion years to crack it.

BlackHatCoiner (June 28, 2021, 01:20:50 PM) #29

> I am not sure how reliable sites like https://howsecureismypassword.net/ are (don't enter a real password into it no matter what), but it says it would take 15 octillion years to crack it.
Note that these years probably refer to just hashing preimages until you've found a hash collision or the original password. But if you went through the same procedure including the PBKDF2 rounds and the HMAC-SHA256/512 calculations, it'd take much more time.

> You would get something like this: WCPFSODCRAIC iorehperogie
While it's very long, it could be predicted. I'd advise you to use randomly generated passwords such as "N(s<qzGNHa>Cy>7)". The attacker's only option to steal your money would be brute forcing, besides the $5 wrench attack. You can't predict this, and thus he'd have to go through pure brute forcing, which is meaningless.

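The per-guess cost HCP describes in #25 and the PBKDF2/HMAC rounds BlackHatCoiner mentions in #29 are both visible in the BIP39 seed step itself, and o_e_l_e_o's point in #24 that one seed phrase plus several passphrases gives several independent wallets follows from the same function. The following is an added example, not code from the thread or from any wallet project: it implements the BIP39 seed derivation as the specification defines it (PBKDF2-HMAC-SHA512, 2048 rounds, salt "mnemonic" + passphrase, 64-byte output), checks it against the published all-"abandon" test vector with passphrase "TREZOR", shows that different passphrases give unrelated seeds, and measures the wall-clock cost of one candidate. The mnemonic is the public test vector, not a real wallet; the function names and the "candidate-N" strings are this example's own.

```python
import hashlib
import time
import unicodedata

# Published BIP39 test vector (entropy of 16 zero bytes); a public value, not a real wallet.
TEST_MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
                 "abandon abandon abandon abandon abandon about")
TEST_PASSPHRASE = "TREZOR"
TEST_SEED_PREFIX = "c55257c360c07c72029aebc1b53c05ed"  # first 16 bytes of the vector's seed
BIP39_ROUNDS = 2048  # fixed by the BIP39 specification


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 mnemonic -> 64-byte seed.

    PBKDF2-HMAC-SHA512 with 2048 rounds; password = NFKD(mnemonic),
    salt = "mnemonic" + NFKD(passphrase). An empty passphrase is the
    "base" wallet the thread talks about.
    """
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, BIP39_ROUNDS, dklen=64)


def wallets_from_passphrases(mnemonic: str, passphrases) -> dict:
    """One seed per passphrase; each seed roots an independent BIP32 key tree."""
    return {p: bip39_seed(mnemonic, p).hex() for p in passphrases}


def all_distinct(seeds: dict) -> bool:
    """True when no two passphrases map to the same seed."""
    return len(set(seeds.values())) == len(seeds)


def seconds_per_guess(mnemonic: str, samples: int = 20) -> float:
    """Average wall-clock cost of the PBKDF2 step alone for one candidate
    passphrase. A real check must also derive BIP32 keys and compare
    addresses, so this is a lower bound on the work per guess."""
    start = time.perf_counter()
    for i in range(samples):
        bip39_seed(mnemonic, f"candidate-{i}")  # constructed candidate strings
    return (time.perf_counter() - start) / samples


def guesses_per_second(mnemonic: str) -> float:
    """Single-core throughput ceiling for the PBKDF2 step on this machine."""
    return 1.0 / seconds_per_guess(mnemonic)


if __name__ == "__main__":
    seed = bip39_seed(TEST_MNEMONIC, TEST_PASSPHRASE)
    print("test vector matches:", seed.hex().startswith(TEST_SEED_PREFIX))

    wallets = wallets_from_passphrases(
        TEST_MNEMONIC, ["", "TREZOR", "decoy-1", "4j!SALARY'5#"])
    for p, s in wallets.items():
        print(f"passphrase {p!r:15} -> seed {s[:16]}...")
    print("all wallets distinct:", all_distinct(wallets))

    print(f"~{guesses_per_second(TEST_MNEMONIC):,.0f} PBKDF2 guesses/s on one core")
```

Two things the numbers make concrete: there is no "wrong passphrase" error, since every string yields a well-formed seed, so a guess is only confirmed by deriving keys and finding funded addresses; and the 2048 rounds per guess are the same for the owner and for an attacker, so the defence rests entirely on the passphrase being unpredictable, which is why a patterned passphrase such as an acrostic is weaker than its length suggests.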
o_e_l_e_o (June 28, 2021, 01:36:35 PM) #30

> Definitely the multisig wallet would be better than a single-sig one,
Well, it depends on what aspect of the wallet you are considering when you say "better". Multi-sig is likely going to be more secure than a single sig wallet, even one with a passphrase. However, to back up a multi-sig wallet properly you need to store the other xpubs along with each seed phrase, meaning if someone finds one of your backups they can view the entire contents of your wallet. This is obviously not the case if someone finds one of your backups in a single-sig-with-passphrase set up, as they can neither view your passphrased wallets nor even know that they exist. Multi-sig also provides no plausible deniability.

I suppose you could combine multi-sig with additional passphrases, but at some point, you risk making things so complicated that you would struggle to recover your coins in an emergency.
BlackHatCoiner (June 29, 2021, 08:59:15 AM) #31

> I was considering the aspect of trust in the developer(s)/team(s) that have responsibility for the wallet. Multisig would help to save my funds if the security design pertaining to a particular wallet failed somehow.

If your wallet software failed to properly generate a multi-sig wallet, what makes you think that it won't happen to a single-sig too? I'm not sure that I'm following you.

xenon131 (June 29, 2021, 09:26:58 AM; last edit: March 07, 2024, 08:47:35 PM by xenon131) #32

> I was considering the aspect of trust in the developer(s)/team(s) that have responsibility for the wallet. Multisig would help to save my funds if the security design pertaining to a particular wallet failed somehow.
>
> If your wallet software failed to properly generate a multi-sig wallet, what makes you think that it won't happen to a single-sig too? I'm not sure that I'm following you.

The latter happens.

BlackHatCoiner (June 29, 2021, 09:49:24 AM) #33

> Well, let me consider the hypothetical situation when one of the wallets has a backdoor that gives the adversary a chance to steal my funds.
In this hypothetical scenario, you're the owner of your funds; you don't divide possession of your bitcoins with someone else. If that's true, then you'll need to sign from both public keys. If you choose one wallet software to sign from both, you won't avoid the assumed backdoor. If you sign from different wallets, then the possibilities for funds' loss drop.

However, isn't that a really complicated way to pretend that you're safe? If you have a wallet that contains malicious functions, you shouldn't even consider using it for transactions. Not to mention that you'll lose your privacy, because theoretically the thief could access your master public keys.

xenon131 (June 29, 2021, 10:05:34 AM; last edit: March 07, 2024, 08:46:44 PM by xenon131) #34

> If you have a wallet that contains malicious functions, you shouldn't even consider using it for transactions.

100% correct

o_e_l_e_o (June 29, 2021, 11:10:25 AM) #35

> If your wallet software failed to properly generate a multi-sig wallet, what makes you think that it won't happen to a single-sig too? I'm not sure that I'm following you.
Think about the malicious Electrum version which was stealing coins. If your wallet was multi-sig instead, then it would not have been able to steal the coins. Even if it was multi-sig with two malicious Electrum wallets, it would require you to manually transfer the partially signed malicious transaction between your two devices, which would be highly unlikely to happen unless you really weren't paying attention. Only if it was a variant of the malware which uploaded private keys to a server instead of making a transaction, and you updated both versions of Electrum to this malicious version, would your coins still have been stolen in a multi-sig set up.

Using different hardware and software for all parts of your multi-sig provides even more security against one of your wallets being attacked or malicious.