21 word seed got exposed, is it bad ?

[simplyred]

i got 24 word seed for my ledger nano s. And i split it up on two papers.

21 words on one paper and 3 words on the other one.

Lets say my 21 word paper would be exposed. Would it be hard for the persona that has this 21 word seed to crack the wallet ?

thanks

[1715293851]

1715293851

[dimasinteger]

Not sure! but I would still move my wallet to a different one just to feel safe!
but If I were you, I would do 18 or 20 for paper and the rest for my brain

[jackg]

i got 24 word seed for my ledger nano s. And i split it up on two papers.

21 words on one paper and 3 words on the other one.

Lets say my 21 word paper would be exposed. Would it be hard for the persona that has this 21 word seed to crack the wallet ?

thanks

No. It'd be fairly easy (if they could work out what it was of course).

Your best bet would be to go with 12 words and then the other 12 words (if you input them the wrong way, it'll be rejected by the ledger nano anyway.

[simplyred]

Im just thinking, lets say there are 5000 words, then it would take long time to get these 3 right word in the right order, no ?

[HCP]

i got 24 word seed for my ledger nano s. And i split it up on two papers.

21 words on one paper and 3 words on the other one.

Lets say my 21 word paper would be exposed. Would it be hard for the persona that has this 21 word seed to crack the wallet ?

It depends on whether or not the order is known... for instance, if the attacker knew that they had words 1-21 or 4-24 (ie. the first 21 or the last 21 words) and were simply trying to find the missing 3 words... then the number of possible combinations would only be:

2048 * 2048 * 2048 = 8,589,934,592

Which really isn't a lot at all... and a simple script would crack that in minutes.

However, if the attacker had no clue as to the position of the missing words... ie. you'd taken 3 words from position 3, 17 and 23, but there was no indication of position/order of words on the paper (ie. they're not numbered)... then things become a lot more complicated. The number of combinations the attacker would need to test increases by several orders of magnitude and it would require a lot more work. It's possible the time required would extend to hours or days or years. I'm not not sure of the actual math... possibly something like:

(2048 * 24) * (2048 * 24) * (2048 * 24) = 118,747,260,000,000+ combinations (note, I'm very tired, so this math is probably really wrong )

Having said that... if you knew that your 21 words had been compromised, you should immediately generate a new seed and move all coins from the old wallet to the new one and then "burn" the old wallet/seed...

Im just thinking, lets say there are 5000 words, then it would take long time to get these 3 right word in the right order, no ?

There are 2048 words for BIP39 seeds: https://github.com/bitcoin/bips/blob/master/bip-0039/english.txt

[bob123]

Lets say my 21 word paper would be exposed. Would it be hard for the persona that has this 21 word seed to crack the wallet ?

If the position of these words is known, then yes. Definetely crackable. Within a short timeframe.

However, if the attacker had no clue as to the position of the missing words... ie. you'd taken 3 words from position 3, 17 and 23, but there was no indication of position/order of words on the paper (ie. they're not numbered)... then things become a lot more complicated. The number of combinations the attacker would need to test increases by several orders of magnitude and it would require a lot more work. It's possible the time required would extend to hours or days or years. I'm not not sure of the actual math... possibly something like:

(2048 * 24) * (2048 * 24) * (2048 * 24) = 118,747,260,000,000+ combinations (note, I'm very tired, so this math is probably really wrong )

If an attacker had 3 (out of 24) words without knowing any particular spot/order the amount of combinations would be:

Amount of 'iterations' when choosing 3 position out of 24 to guess (24 choose 3) = 2024 (without any order of these 3 words) -> (2024 * 3!) = 12 144 (considering all possible orders)

Now for each of these iteration you need to check 21 positions with 2048 words (2048²¹) = 3,45087317 * 10⁶⁹ combinations.

To sum it up: 12 144 * 3,45087317 * 10⁶⁹ = 4,19074038 × 10⁷³ would be the amount of combination.
Thats just slightly below the 2,96427748 × 10⁷⁹ combinations from the full 24 words. Still considered safe.



Just saw its mentioned the other way around 

With 21 out of 24 words known you have 2024 possibilities to chose the position of the word -> multiplied with 3! ->  12 144 combinations to check.

Now each of those combinations has 2048³ possibilities to get 'filled' -> 2048³ * 12 144 = 104 316 165 685 248 combinations an attacker had to check.


I would say this is definetely possible to crack.
If you aren't sure whether your seed got compromised (or if you are sure it got somehow lost/compromised) you should create a new wallet/seed ASAP.

[cellard]

It's specially bruteforceable because seeds use common words which means brute forcing software has an easy time with that since they use dictionary attacks. If you were using weird words that don't exist including special characters, then 3 of these "words" would be a pain in the ass for bruteforcing software.

If I depended on a seed I would definitely split it in two, but an attacker will easily realize that you are splitting a seed when he finds out random words here and there, and he will just join them, so keep them separated with different passwords if you are storing them digitally.

[Vladv26]

Any information about the wallet could help a hacker to crack your wallet, I doesn't really matter if it is one word or a number. Also you have have now exposed publicly that you phrase is compose out of 24 words so if the hacker finds your ip he could know you made a post on this forum about your wallet and finds out what exactly to look for.

I recommend you to move all your coins to another wallet that is not related at all with your old wallet(email, password, any words). This should be safe enough.

[simplyred]

Any information about the wallet could help a hacker to crack your wallet, I doesn't really matter if it is one word or a number. Also you have have now exposed publicly that you phrase is compose out of 24 words so if the hacker finds your ip he could know you made a post on this forum about your wallet and finds out what exactly to look for.

Its writen on a paper, its a seed that i wrote down on a paper. and it is possible that a person saw it, but i am not that sure. but i have already moved my coins so its ok.

thanks everyone for the answers.

[simplyred]

but the thing is i just cant see how it would be easy to find some 3 word in the exact right order. That would be so many possibilities.

[bob123]

I doesn't really matter if it is one word or a number.

It does matter whether its a word or a number. This determines the searching space and therefore the amount of time you have to invest to crack that wallet.

Also you have have now exposed publicly that you phrase is compose out of 24 words

Most modern wallets use either a 12 or 24 word seed. Thats not an information which is hidden anyway.

so if the hacker finds your ip he could know you made a post on this forum about your wallet and finds out what exactly to look for.

For huge amounts thats true. But the average joe with a few btc shouldn't care too much about such targeted attacks.
It would be way more lucrative to just steal cryptos with malware.

[HCP]

but the thing is i just cant see how it would be easy to find some 3 word in the exact right order. That would be so many possibilities.

Because, as previously explained, the word list is known: https://github.com/bitcoin/bips/blob/master/bip-0039/english.txt

There are only 2048 words in this list... so the total number of combinations is "only": 2048 * 2048 * 2048 = 8,589,934,592 combinations.

While that might look like a large number (and it is, if you're attempting to test them manually), computers are particularly good at doing repetitive things quite fast... a simple python script can generate all of those combinations in a matter of hours (if not minutes)

Additionally, not ALL combinations are actually valid seeds, the last word is a form of "checksum"... so the number of VALID seeds is actually a LOT less than the total number of combinations... for instance, I ran a script I use for finding missing seed words... I stopped it after it had tested a little over 500,000 combinations (in about 3 or 4 minutes)... it had only found 1960 valid combinations.

The real time consuming part is actually converting these seeds to addresses and checking if they have any BTC value (or match a known address)... It would no doubt take days to check all combinations for a match when trying to find the missing 3 words... but it would certainly be doable in a "reasonable" amount of time.

However, if the order/position of the words is not known, the difficulty increases by a significant amount... as the number of combinations that need to be checked increases by orders of magnitude.

[boy130]

Did they see the words in the correct order, and do they have a copy of the words to hand? If so, your wallet is probably screwed. If it was just a visual exposure, where a person saw the words but didn't take the time to memorize them, then I would say you're are almost certainly safe. Just in case though, you should move your coins to another wallet, better to be safe than sorry.

[tokexchain]

i got 24 word seed for my ledger nano s. And i split it up on two papers.

21 words on one paper and 3 words on the other one.

Lets say my 21 word paper would be exposed. Would it be hard for the persona that has this 21 word seed to crack the wallet ?

thanks

Yes is the simple answer, the remaining three words out of the eighteen could be dictionary brute force attacked, it is not a hard task and would be easier and faster than cracking some missing characters in a private key. If you have been exposed, move to a new wallet at once.

[bob123]

the remaining three words out of the eighteen could be dictionary brute force attacked

Its 3 out of 24.

it is not a hard task and would be easier and faster than cracking some missing characters in a private key.

3 words (with a character set of 2048) conforms 8.589.934.592 possibilities.
Where 3 missing characters of a private key (with a char set of 16, assuming hex represantation) conforms to 4.096 possibilities.

So, no it would NOT be easier to crack a few words in a seed than a few chars in a priv key.

[McPhillipX]

Still, I'd consider just not using that address anymore and have peace of mind.

[HCP]

My "old" Core i5-3570K with 8Gigs (and a bunch of stuff running on it ) was able to generate and test approximately 500,000 seeds in around 4 or 5 minutes... Call it 100K combinations/minute... By my calculations, it would take me around 60 days to generate and test all the missing 3 word combinations if testing 24x7... Not exactly an "instant" hack... but certainly doable for a determined hacker.

Also, I'm sure better hardware and a better optimised script/program than my hacked together and unoptimised Python script would probably be able to bring that total time down.

[btccrusher]

I'm giving you option C. Make it in three-piece of paper, keep the middle one in extremely safe place. (Try remembering the middle phase). But it's always better to move your funds after compromising any keys/passes or anything that can be harmful to your finance.

[signalbitbot]

My advice, write down 24 words and encrypt everything with a password (aes++++). Password in the brain.

[cydrix]

i got 24 word seed for my ledger nano s. And i split it up on two papers.

21 words on one paper and 3 words on the other one.

Lets say my 21 word paper would be exposed. Would it be hard for the persona that has this 21 word seed to crack the wallet ?

thanks

Everything could happen in an instant it's your choice isn't it? If you rather leave it be or be paranoid and make sure your money is safe.
My advice relocate all your money in another wallet and make a new one in your ledger wallet just to make safe. I know you will lose money from relocating all your money because of fees but would you rather lose all your money in an instant.

Based on the comments The odds are in your side though you should be calm and pick what's best for you if you think my advice is not worth it then ignore me and pick whatever means necessary.

[imjustagirl]

No, it would not. 3 missing seed words are recoverable, however the attacker would need to at least know some of your wallet addresses in order for it to work 100 %.  The more information an attacker has, the more chances he has to be able to break it. If you are not sure on the best way to back up this information, just input an extra word into your seed (just remember which one it is). Scrambling to find which word is fake and which ones are real, now that's a challenge I hardly think anyone could solve.

[bob123]

No, it would not. 3 missing seed words are recoverable, however the attacker would need to at least know some of your wallet addresses in order for it to work 100 %. 

Actually an attacker woulnd not need to know an address from this wallet.
An attacker could easily just derive the priv-/pub- keypairs from each valid seed (using the most common derivation paths), and then check (e.g. via API) for unspent outputs.
Knowing an address of the wallet does increase the speed of this attack. But its definetely not necessary to perform such an 'attack'.

[posi]

With my understand is good to expose your wallet seed because recovery seeds is like your best friend and it the only thing you need to maintain the safety or recover of your coins.

[jackg]

With my understand is good to expose your wallet seed because recovery seeds is like your best friend and it the only thing you need to maintain the safety or recover of your coins.

What? Exposing your wallet seed is the worst thing you could do with a wallet that you are using as the person it is exposed to will have access to everything in your wallet.

Unless you mean exposing the seed in order to be able to write it down somewhere and not publicly exposing it OP is referring to).

[posi]

With my understand is good to expose your wallet seed because recovery seeds is like your best friend and it the only thing you need to maintain the safety or recover of your coins.

What? Exposing your wallet seed is the worst thing you could do with a wallet that you are using as the person it is exposed to will have access to everything in your wallet.

Unless you mean exposing the seed in order to be able to write it down somewhere and not publicly exposing it OP is referring to).

The OP was actually referring to wallet recovery seed and he asked if 21 out 24 get exposed, is it possible for anyone to crack remain 3 and my own answer is yes because some people totally good in doing the cracking and guessing thing.

[jackg]

With my understand is good to expose your wallet seed because recovery seeds is like your best friend and it the only thing you need to maintain the safety or recover of your coins.

What? Exposing your wallet seed is the worst thing you could do with a wallet that you are using as the person it is exposed to will have access to everything in your wallet.

Unless you mean exposing the seed in order to be able to write it down somewhere and not publicly exposing it OP is referring to).

The OP was actually referring to wallet recovery seed and he asked if 21 out 24 get exposed, is it possible for anyone to crack remain 3 and my own answer is yes because some people totally good in doing the cracking and guessing thing.

If you look at the first few replies, you'd see that I understood this. And HCP and a few other users added calculations to how easy it'd be. Their calculations are an optimistic approach as it'll be much easier possibility wise as there are an even fewer number of sets than were estimated by them.