[ESHOP launched] Trezor: Bitcoin hardware wallet

[jackbox]

Is it possible to use Electrum+Trezor if the Trezor device was set up through https://mytrezor.com? Wallet schould be the same as on mytrezor.com.

Yes, exactly the same. Just set up as new wallet, not restore. It will get the master public key from the Trezor and you are good to go. I use mine with Electrum 2 and it was setup on myTrezor website.

[Erdogan]

Question: How many different passphrases does Trezor support?

over 9000

no, wait

all of them!

How hard are the passphrases to crack compared to bip38? I know there is some type of key lengthening....

I'm mostly curious how hard short passwords are to crack if you have the seed.

That'd be interesting to know, yes.

I know one thing: on each bruteforce attempt you have to query the utxo set to see if there are funds, because there's no other way to know wether or not you have found the correct passphrase. In fact you also have to check wether there address has been used in the past (and now has 0 balance so it's not in the utxo set any more) and/or query a couple more addresses in case the first one was left untouched. That alone should slow things down quite a bit.

The passphrase has to be entered via the pc, and there is no concealment from a rogue pc pin-cod style.

[cypherdoc]

So you can have infinite and separated set of addresses at your own disposal based on the passphrase while having one single private key in the form of the seed? That's neat. Thank you.

That's not quite right. There's one mnemonic, that's the 24 word string. Combined with any (or no) passphrase, the mnemonic gets turned into the seed, and then the root private key. Each passphrase you use with the same mnemonic will generate a different root private key.

what's the correct way to visualize this?  a tree with the root privkey at the top and a new branch extending downwards for each passphrase in a hierarchical tree?

[cypherdoc]

why do we trust the Electrum server more than mytrezor.com server when it comes to tracking addresses used?

[Lincoln6Echo]

Is it possible to use Electrum+Trezor if the Trezor device was set up through https://mytrezor.com? Wallet schould be the same as on mytrezor.com.

Yes, exactly the same. Just set up as new wallet, not restore. It will get the master public key from the Trezor and you are good to go. I use mine with Electrum 2 and it was setup on myTrezor website.

So to use the existing wallet from trezor.com I have to choose:

What do you want to do:
-create new wallet

wallet type:
- Hardware wallet

right? Is there something else to consider?

[klondike_bar]

So you can have infinite and separated set of addresses at your own disposal based on the passphrase while having one single private key in the form of the seed? That's neat. Thank you.

That's not quite right. There's one mnemonic, that's the 24 word string. Combined with any (or no) passphrase, the mnemonic gets turned into the seed, and then the root private key. Each passphrase you use with the same mnemonic will generate a different root private key.

what's the correct way to visualize this?  a tree with the root privkey at the top and a new branch extending downwards for each passphrase in a hierarchical tree?

picture it like bitcoin mining almost. The 24-word seed is like the list of transactions. The password (25th word of the seed) is like a nonce - any value will work, and can create millions of possibilities.

[jackbox]

Is it possible to use Electrum+Trezor if the Trezor device was set up through https://mytrezor.com? Wallet schould be the same as on mytrezor.com.

Yes, exactly the same. Just set up as new wallet, not restore. It will get the master public key from the Trezor and you are good to go. I use mine with Electrum 2 and it was setup on myTrezor website.

So to use the existing wallet from trezor.com I have to choose:

What do you want to do:
-create new wallet

wallet type:
- Hardware wallet

right? Is there something else to consider?

Yes, if there is a selection button click Trezor and it will query the Trezor for the public master key and that will be save under the wallet name you previously gave it when you said new wallet. If you start Electrum without the Trezor connected it will say error, watch only mode. If you want to send just plug in the Trezor before starting the send transaction and it will ask for your PIN (if you have one) and then sign the transaction. Easy and works well.

[molecular]

Question: How many different passphrases does Trezor support?

over 9000

no, wait

all of them!

How hard are the passphrases to crack compared to bip38? I know there is some type of key lengthening....

I'm mostly curious how hard short passwords are to crack if you have the seed.

That'd be interesting to know, yes.

I know one thing: on each bruteforce attempt you have to query the utxo set to see if there are funds, because there's no other way to know wether or not you have found the correct passphrase. In fact you also have to check wether there address has been used in the past (and now has 0 balance so it's not in the utxo set any more) and/or query a couple more addresses in case the first one was left untouched. That alone should slow things down quite a bit.

The passphrase has to be entered via the pc, and there is no concealment from a rogue pc pin-cod style.

That's a different attack.

The question was how long would it take (in relation to passphrase length) to bruteforce the passphrase if someone finds your paper seed backup.

[jackbox]

Question: How many different passphrases does Trezor support?

over 9000

no, wait

all of them!

How hard are the passphrases to crack compared to bip38? I know there is some type of key lengthening....

I'm mostly curious how hard short passwords are to crack if you have the seed.

That'd be interesting to know, yes.

I know one thing: on each bruteforce attempt you have to query the utxo set to see if there are funds, because there's no other way to know wether or not you have found the correct passphrase. In fact you also have to check wether there address has been used in the past (and now has 0 balance so it's not in the utxo set any more) and/or query a couple more addresses in case the first one was left untouched. That alone should slow things down quite a bit.

The passphrase has to be entered via the pc, and there is no concealment from a rogue pc pin-cod style.

That's a different attack.

The question was how long would it take (in relation to passphrase length) to bruteforce the passphrase if someone finds your paper seed backup.

That would depend on the length and complexity of the password and if anything about it was known to the attacker. With a strong password it could take thousands of years. Once quantum computers are mainstream it could possibly be brute forced within minutes but by then Bitcoin protocol would have changed to a quantum alogorithm.

[cypherdoc]

So you can have infinite and separated set of addresses at your own disposal based on the passphrase while having one single private key in the form of the seed? That's neat. Thank you.

That's not quite right. There's one mnemonic, that's the 24 word string. Combined with any (or no) passphrase, the mnemonic gets turned into the seed, and then the root private key. Each passphrase you use with the same mnemonic will generate a different root private key.

what's the correct way to visualize this?  a tree with the root privkey at the top and a new branch extending downwards for each passphrase in a hierarchical tree?

picture it like bitcoin mining almost. The 24-word seed is like the list of transactions. The password (25th word of the seed) is like a nonce - any value will work, and can create millions of possibilities.

isn't each passphrase generated set of addresses a separate branch of the HD tree?  however, it sounds like no further sub-branches can be built under each branch?

[jackbox]

So you can have infinite and separated set of addresses at your own disposal based on the passphrase while having one single private key in the form of the seed? That's neat. Thank you.

That's not quite right. There's one mnemonic, that's the 24 word string. Combined with any (or no) passphrase, the mnemonic gets turned into the seed, and then the root private key. Each passphrase you use with the same mnemonic will generate a different root private key.

what's the correct way to visualize this?  a tree with the root privkey at the top and a new branch extending downwards for each passphrase in a hierarchical tree?

picture it like bitcoin mining almost. The 24-word seed is like the list of transactions. The password (25th word of the seed) is like a nonce - any value will work, and can create millions of possibilities.

isn't each passphrase generated set of addresses a separate branch of the HD tree?  however, it sounds like no further sub-branches can be built under each branch?

Each password with any given seed will generate a completely new master public and private keys. Think of it as a completely new tree.

[molecular]

Question: How many different passphrases does Trezor support?

over 9000

no, wait

all of them!

How hard are the passphrases to crack compared to bip38? I know there is some type of key lengthening....

I'm mostly curious how hard short passwords are to crack if you have the seed.

That'd be interesting to know, yes.

I know one thing: on each bruteforce attempt you have to query the utxo set to see if there are funds, because there's no other way to know wether or not you have found the correct passphrase. In fact you also have to check wether there address has been used in the past (and now has 0 balance so it's not in the utxo set any more) and/or query a couple more addresses in case the first one was left untouched. That alone should slow things down quite a bit.

The passphrase has to be entered via the pc, and there is no concealment from a rogue pc pin-cod style.

That's a different attack.

The question was how long would it take (in relation to passphrase length) to bruteforce the passphrase if someone finds your paper seed backup.

That would depend on the length and complexity of the password and if anything about it was known to the attacker. With a strong password it could take thousands of years. Once quantum computers are mainstream it could possibly be brute forced within minutes but by then Bitcoin protocol would have changed to a quantum alogorithm.

Let me rephrase the question then: how long would it take on commodity hardware worth 10,000$ to guess an 8-letter (uppercase, lowercase plus 10 special characters) with known seed words?

[windpath]

Let me rephrase the question then: how long would it take on commodity hardware worth 10,000$ to guess an 8-letter (uppercase, lowercase plus 10 special characters) with known seed words?

Assuming:
 
Test 2 billion keys per second, which a single high-performance computer might approximately manage.

94 Possible characters:

numbers (10 different ones: 0-9)
letters (52 different ones: A-Z and a-z)
special characters (32 different ones)

Fixed 8 char password (TREZOR pass is not fixed length)

= 94 ^8 possible combinations or 60,956,894,000,000,000,000,000

about 35 days, given our assumptions...

Major caveat: Every time you generate a possible solution you have to test it and check the balances for the given seed + the 8 letter pass phrase, if your doing this on a TREZOR it would take.. well, tens of thousands of years. If you wrote a special program that had the seed pre loaded and just tested the passwords and retrieved the balance for say the first 10 addresses from the master private key it would take hundreds if not thousands of years...

Edit: TL:DR; It really comes down to how many keys you can test (i.e. check for balance) a second, and the answer is not nearly as many as you could generate. It's simply not feasible.

[tl121]

why do we trust the Electrum server more than mytrezor.com server when it comes to tracking addresses used?

You don't have to.  You can run your own Electrum server on your premises.

https://github.com/spesmilo/electrum-server/blob/master/HOWTO.md

[chmod755]

My Trezor still works great - I'm using it with GreenBits now, however the cable that comes with the Trezor stopped working after just a few days.

[molecular]

If you find masterpub key (which can be done if you monitor the good things before getting hands on seed) you just need to match key, and not test balance.

Good point, but: if you can monitor the trezor you can probably also monitor the keyboard, so no need to bruteforce.

[keithers]

what is up with the mytrezor page having captchas now?  Is that normal?   Today is the first time I have seen that...

[kkurtmann]

what is up with the mytrezor page having captchas now?  Is that normal?   Today is the first time I have seen that...

no captcha for me on mytezor.com.

slush pool site has had captchas for a long time though.

[jackbox]

what is up with the mytrezor page having captchas now?  Is that normal?   Today is the first time I have seen that...

I never encounted a captcha on the mytrezor.com site.

[stick]

what is up with the mytrezor page having captchas now?  Is that normal?   Today is the first time I have seen that...

Captchas come from Cloudflare. Your request might come from an IP range that is somehow suspicious (e.g. the might have been a DDoS attack in the past ...)