The use of cryptosteel and other hardware to back up private keys or seeds?

[keithers]

Hey guys I have a question...I wasn't sure which section to post this into.   I had a question about Cryptosteel and other physical hardware products that are used to physically back up private keys and or seeds.

I was looking at the Cryptosteel.  They say on their website that you only need the first four letters of each word from your private seed.   Here is my question...just off the top of my head I can think of various words that have the same starting 4 letter combinations...

For example:

BOUN:
bounce
bouncer
bounces
bounty
bounties

BEGI:
begin
beginner
begins
beginners

SLAM:
slams
slammer
slammers
slamming


Those were just random 4 letter beginnings to words that came to mind when I was writing this thread.   If you are using physical hardware to backup a seed, how would you differentiate the words if you had to restore a wallet from a seed backup only having the first 4 letters of each word especially since the words don't ever make a logical sentence? 

[pooya87]

your examples are bad because you are practically using the same word. but i get your point. and to make sure just take a look at some of the "Seed Word Lists" out there for different seed BIPs and see if what you say is true. you can write a simple script to check the strings too.

here is an example from electrum: https://github.com/spesmilo/electrum/blob/master/lib/wordlist/english.txt
you see there are not 2 words sharing the same first 4 letters

edit:
i was curious too so i wrote this:
just put the seeds in a .txt file called seeds on your desktop and run it. it returns nothing for electrum seeds

Code:

using System;
using System.IO;

namespace SeedCheck
{
    class Program
    {
        static void Main(string[] args)
        {
            string seedPath = Environment.GetFolderPath(Environment.SpecialFolder.Desktop);
            string[] words = File.ReadAllLines(seedPath + @"\seed.txt");

            foreach (var word in words)
            {
                string first4 = (word.Length >= 4) ? word.Substring(0, 4) : word;
                foreach (var w in words)
                {
                    string first4_2 = (w.Length >= 4) ? w.Substring(0, 4) : w;
                    if (first4_2 == first4 && word != w)
                    {
                        Console.WriteLine(w);
                    }
                }
            }

            Console.ReadLine();
        }
    }
}

[keithers]

your examples are bad because you are practically using the same word. but i get your point. and to make sure just take a look at some of the "Seed Word Lists" out there for different seed BIPs and see if what you say is true. you can write a simple script to check the strings too.

here is an example from electrum: https://github.com/spesmilo/electrum/blob/master/lib/wordlist/english.txt
you see there are not 2 words sharing the same first 4 letters

Thanks for your response. Yeah some of my examples are bad but they were the first ones that came to my head when I was posting the thread.   Im embarrassed to say, I don't have the slightest clue how to write a script

I looked at the link you sent, are those all the possible words that could be in a valid seed? I thought that could be any word in the English language, but I didn't know.

I see "begin" on that list, does that mean "beginner" and "beginners" could not be a seed word?  The only reason I'm asking is because every wallet that I have seen automatically generates the seed for you at the start of wallet, you don't manually choose your seed, you know what I mean?

[keithers]

Thanks for checking with that script, even though it goes right over my head

How about:

ORIG:

It could be

Origin
Origins
Original
Originals

I know that is basically two words with 4 variations, but do you see where it could get a little dicey dealing with a 24 word backup?

[pooya87]

Thanks for your response. Yeah some of my examples are bad but they were the first ones that came to my head when I was posting the thread.   Im embarrassed to say, I don't have the slightest clue how to write a script

i was curious myself so i wrote a quick console app in Visual Studio using C# and tested it. you can see it in my edit of my previous comment.

I looked at the link you sent, are those all the possible words that could be in a valid seed? I thought that could be any word in the English language, but I didn't know.

I see "begin" on that list, does that mean "beginner" and "beginners" could not be a seed word?  The only reason I'm asking is because every wallet that I have seen automatically generates the seed for you at the start of wallet, you don't manually choose your seed, you know what I mean?

yes that link are all the possible words for electrum (may be different for other clients though) and no, it can't be any word.
there are fixed number of words (2048 here) to reach the desired entropy and these words should follow certain rules. i am not sure what they are, for that you need to read the relative BIP.
read this for example: https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki#Wordlist the section b) of it actually answers your question

[keithers]

Thanks for your response. Yeah some of my examples are bad but they were the first ones that came to my head when I was posting the thread.   Im embarrassed to say, I don't have the slightest clue how to write a script

i was curious myself so i wrote a quick console app in Visual Studio using C# and tested it. you can see it in my edit of my previous comment.

I looked at the link you sent, are those all the possible words that could be in a valid seed? I thought that could be any word in the English language, but I didn't know.

I see "begin" on that list, does that mean "beginner" and "beginners" could not be a seed word?  The only reason I'm asking is because every wallet that I have seen automatically generates the seed for you at the start of wallet, you don't manually choose your seed, you know what I mean?

yes that link are all the possible words for electrum (may be different for other clients though) and no, it can't be any word.
there are fixed number of words (2048 here) to reach the desired entropy and these words should follow certain rules. i am not sure what they are, for that you need to read the relative BIP.
read this for example: https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki#Wordlist the section b) of it actually answers your question

Thank you, I really appreciate it, I didn't know where to look to find any answers, and I didn't want to be screwed if I accidentally lose or get my paper destroyed somehow.

[mnmnmn]

When you create your wallet, you don't come up with the recovery words yourself.

You use a wallet creation program that generates a long private key, and then also gives you a list of words from which the wallet's private key can be generated. This list of words is chosen from a larger global set of words, but not the whole english language. The global set of words is chosen carefully so that none of them begin with the same 4 letters. Therefore, you only need the first 4 letters of a word to figure out which one it is in the list.

Sidenote: Note that ORDER MATTERS, so you don't just need the list of words, you need to know the correct order.

[keithers]

When you create your wallet, you don't come up with the recovery words yourself.

You use a wallet creation program that generates a long private key, and then also gives you a list of words from which the wallet's private key can be generated. This list of words is chosen from a larger global set of words, but not the whole english language. The global set of words is chosen carefully so that none of them begin with the same 4 letters. Therefore, you only need the first 4 letters of a word to figure out which one it is in the list.

Sidenote: Note that ORDER MATTERS, so you don't just need the list of words, you need to know the correct order.

Yes, I realize that you don't come up with the set of words yourself, that was why I was bringing up a concern that I had until Pooya87 addressed it.   My concern was if you stored the 1st 4 letters of a bunch of words that all had different combinations of words that could stem from those first 4 letters, how would you know (if you didn't remember), which word was actually on your seed.

Pooya87 posted a link to the masterlist, that I did not know was available and then he wrote a script testing this to prove it's accuracy.

Thanks again Pooya87

[keithers]

I also had a hard time figuring out which cryptosteel model that I needed to use, and their website doesn't do that well on the description of each model, so I found this on the internet and I think it would be helpful for anyone who is considering purchasing one.

The prices have obviously gone way up since this review, but at least it has a description of what each model is:


http://imgur.com/a/sxqiJ

[Bramen]

The point OP raises renders Cryptosteel useless, and is actually very dangerous since it gives false sense of security.

If you store only the first four letters of a word, it doesn't matter if the word list doesn't have multiple words starting with the same four letters if you don't remember what the rest of the letters are! When you recover your wallet, you don't get to pick from a list of words, you have to type the entire word in.

For example, if your Cryptosteel has "mate" as a word, you would not know if the word you need to enter into the recovery query is indeed just "mate", or a longer one like "material", "maternal" or "materiel". unless you remember it. But if you remember it, there's no point to Cryptosteel. Such uncertainty would be OK if it was just one word and you could try all iterations, but if you have twenty words which all may have different endings, you're screwed.

I hope I'm missing something. I've looked at Cryptosteel before and love the concept and the dedication to quality, but it sounds like a disaster waiting to happen when you think about it in detail.

[keithers]

The point OP raises renders Cryptosteel useless, and is actually very dangerous since it gives false sense of security.

If you store only the first four letters of a word, it doesn't matter if the word list doesn't have multiple words starting with the same four letters if you don't remember what the rest of the letters are! When you recover your wallet, you don't get to pick from a list of words, you have to type the entire word in.

For example, if your Cryptosteel has "mate" as a word, you would not know if the word you need to enter into the recovery query is indeed just "mate", or a longer one like "material", "maternal" or "materiel". unless you remember it. But if you remember it, there's no point to Cryptosteel. Such uncertainty would be OK if it was just one word and you could try all iterations, but if you have twenty words which all may have different endings, you're screwed.

I hope I'm missing something. I've looked at Cryptosteel before and love the concept and the dedication to quality, but it sounds like a disaster waiting to happen when you think about it in detail.

@ Bramen....this is what I thought exactly, but Pooya above wrote and tested a script to prove that it actually works.   I had the same exact thinking as you, which is why I raised the question, but there are only a certain number of words in the BIP39 wallet seeds.  So all the different variations that you are talking about wouldn't be on that list.  My initial thought was that the words in the seed could be any word from the English language, but that isn't the case

So If "material" is one of the words in the list, "maternal" is not on the BIP39 list of eligible seed words. 

[Bramen]

The point OP raises renders Cryptosteel useless, and is actually very dangerous since it gives false sense of security.

If you store only the first four letters of a word, it doesn't matter if the word list doesn't have multiple words starting with the same four letters if you don't remember what the rest of the letters are! When you recover your wallet, you don't get to pick from a list of words, you have to type the entire word in.

For example, if your Cryptosteel has "mate" as a word, you would not know if the word you need to enter into the recovery query is indeed just "mate", or a longer one like "material", "maternal" or "materiel". unless you remember it. But if you remember it, there's no point to Cryptosteel. Such uncertainty would be OK if it was just one word and you could try all iterations, but if you have twenty words which all may have different endings, you're screwed.

I hope I'm missing something. I've looked at Cryptosteel before and love the concept and the dedication to quality, but it sounds like a disaster waiting to happen when you think about it in detail.

@ Bramen....this is what I thought exactly, but Pooya above wrote and tested a script to prove that it actually works.   I had the same exact thinking as you, which is why I raised the question, but there are only a certain number of words in the BIP39 wallet seeds.  So all the different variations that you are talking about wouldn't be on that list.  My initial thought was that the words in the seed could be any word from the English language, but that isn't the case

So If "material" is one of the words in the list, "maternal" is not on the BIP39 list of eligible seed words.  

Ok, so in my example, if I don't remember which version of "mate" I should use, I can just download the word list and check which version to use as there's only one word on the list which starts with "mate"? That makes sense.

But this means users would need to know that such a word list exists in the first place. As others, I thought the word list was vastly larger than mere 2048 words. How many people using Cryptosteel know of such word lists, and where to find them? In any case, it is quite a big PITA - but probably something you'll do if you have dozens of BTC in your wallet to be recovered

But if I download the word list in ten years, will it be the same as today? Will different versions of software have different word lists? Or do I need to print out the 2048 words storing it with Cryptosteel along with a USB stick of the software, again defeating at least part of the purpose of Cryptosteel (indestructible).

[DannyHamilton]

But if I download the word list in ten years, will it be the same as today? Or do I need to print out the 2048 words storing it with Cryptosteel, again defeating at least part of the purpose of Cryptosteel (indestructible).

If you upgrade to a newer version of the software that has a different wordlist, then it won't matter whether you have the original words, or only the first 4 letters of the original words.  Either way, your words are no longer accurate for the new wordlist.  You'll need to find an old version of the software and figure out how to get it to run on the newer hardware and newer operating system.

[Bramen]

But if I download the word list in ten years, will it be the same as today? Or do I need to print out the 2048 words storing it with Cryptosteel, again defeating at least part of the purpose of Cryptosteel (indestructible).

If you upgrade to a newer version of the software that has a different wordlist, then it won't matter whether you have the original words, or only the first 4 letters of the original words.  Either way, your words are no longer accurate for the new wordlist.  You'll need to find an old version of the software and figure out how to get it to run on the newer hardware and newer operating system.

Very good point, occurred to me as well, so you'd have to store a USB stick with the software.. So looks like Cryptosteel and similar products are at best a novelty, at worst a disaster waiting to happen if used as the backup of last resort.

Ledger, Trezor and Raspberry Pi sound like much better options.

[bitart]

The point OP raises renders Cryptosteel useless, and is actually very dangerous since it gives false sense of security.

If you store only the first four letters of a word, it doesn't matter if the word list doesn't have multiple words starting with the same four letters if you don't remember what the rest of the letters are! When you recover your wallet, you don't get to pick from a list of words, you have to type the entire word in.

For example, if your Cryptosteel has "mate" as a word, you would not know if the word you need to enter into the recovery query is indeed just "mate", or a longer one like "material", "maternal" or "materiel". unless you remember it. But if you remember it, there's no point to Cryptosteel. Such uncertainty would be OK if it was just one word and you could try all iterations, but if you have twenty words which all may have different endings, you're screwed.

I hope I'm missing something. I've looked at Cryptosteel before and love the concept and the dedication to quality, but it sounds like a disaster waiting to happen when you think about it in detail.

@ Bramen....this is what I thought exactly, but Pooya above wrote and tested a script to prove that it actually works.   I had the same exact thinking as you, which is why I raised the question, but there are only a certain number of words in the BIP39 wallet seeds.  So all the different variations that you are talking about wouldn't be on that list.  My initial thought was that the words in the seed could be any word from the English language, but that isn't the case

So If "material" is one of the words in the list, "maternal" is not on the BIP39 list of eligible seed words.  

Ok, so in my example, if I don't remember which version of "mate" I should use, I can just download the word list and check which version to use as there's only one word on the list which starts with "mate"? That makes sense.

But this means users would need to know that such a word list exists in the first place. As others, I thought the word list was vastly larger than mere 2048 words. How many people using Cryptosteel know of such word lists, and where to find them? In any case, it is quite a big PITA - but probably something you'll do if you have dozens of BTC in your wallet to be recovered

But if I download the word list in ten years, will it be the same as today? Will different versions of software have different word lists? Or do I need to print out the 2048 words storing it with Cryptosteel along with a USB stick of the software, again defeating at least part of the purpose of Cryptosteel (indestructible).

So if you use only the first 4 letters to determine a word, you need to know the list of the possible words too.
If you use it for bitcoin, it's fine, because you can search for that 2048 words in the future as well, but what if someone tries to use it for different crypto, which has less popularity, and uses different words...
It seems Cryptosteel works only with bitcoin...
I was thinking about to get the words engraved into a little piece of steel, but if you bring it to someone to have it engraved, and that someone knows that it could be a possible seed word list, your bitcoins are over... So you need to buy a cheap hand engraving tool and get the job done by yourself to be 100% secure, it seems...

[Bramen]

I was thinking about to get the words engraved into a little piece of steel, but if you bring it to someone to have it engraved, and that someone knows that it could be a possible seed word list, your bitcoins are over... So you need to buy a cheap hand engraving tool and get the job done by yourself to be 100% secure, it seems...

If you only give the list of words, but not the order, it would be much harder to guess. Throw in some extra words from the word list and you should be protected against someone trying guess the order with brute force on a home PC (someone want to do the math?).

Making your own is definitely the safest option, and would be a cool project.

But that doesn't help if the word list may change between software versions.

[izzotlas]

simple solutions to recover from scratch without anything else
1st use one cryptosteel with the first four letters of each word of your seed and n cryptosteels for the dictionary.
2nd http://www.dymo.com/en-US/ind-embossing-aluminum-labels-1-2-in
3rd https://www.zamro.de/product/D7367/schlagbuchstabensatz-sh-sh-6mm-27-teilig

[keithers]

But if I download the word list in ten years, will it be the same as today? Or do I need to print out the 2048 words storing it with Cryptosteel, again defeating at least part of the purpose of Cryptosteel (indestructible).

If you upgrade to a newer version of the software that has a different wordlist, then it won't matter whether you have the original words, or only the first 4 letters of the original words.  Either way, your words are no longer accurate for the new wordlist.  You'll need to find an old version of the software and figure out how to get it to run on the newer hardware and newer operating system.

That's a good question...I know no one has a crystal ball, but is the wordlist anticipated to change in the future?  It does seem like you need to print out the 2048 words as well...we would need tombstones and 9 point font for those lol.  Anyone want to start a kickstarter...lol

[keithers]

But if I download the word list in ten years, will it be the same as today? Or do I need to print out the 2048 words storing it with Cryptosteel, again defeating at least part of the purpose of Cryptosteel (indestructible).

If you upgrade to a newer version of the software that has a different wordlist, then it won't matter whether you have the original words, or only the first 4 letters of the original words.  Either way, your words are no longer accurate for the new wordlist.  You'll need to find an old version of the software and figure out how to get it to run on the newer hardware and newer operating system.

Very good point, occurred to me as well, so you'd have to store a USB stick with the software.. So looks like Cryptosteel and similar products are at best a novelty, at worst a disaster waiting to happen if used as the backup of last resort.

Ledger, Trezor and Raspberry Pi sound like much better options.

Trezor and Ledger are a cold storage hardware wallets (obviously)...the cryptosteel Mix was made to work in correlation with Trezor and Ledger as backups for your Trezor and Ledger...not as replacements...

[InfiniteQuant]

Thanks for all the answer in this post since I was dealing with the same questions today .....