Bitcoin Forum
Author Topic: Good idea to salt?  (Read 255 times)
Teubwel (OP)
November 26, 2018, 02:17:39 PM
 #1

Is it generally good practice to salt your Electrum seed with, for example, your e-mail address in the seed extension? Kind of like WarpWallet does?

OmegaStarScream
November 26, 2018, 02:27:31 PM
 #2

As long as your seed is hidden somewhere safe and the extension word is not written, that should be okay, but for better security I don't suggest using info that can easily be obtained, such as birth date, first name, email address, state of residence, etc.

bob123
November 26, 2018, 04:17:23 PM
 #3

A salt should be somewhat random. So definitely not an email address (which is guessable in like 5 to 10 trials).

Anyways, the math behind the seed words is 'sufficient' (more than safe). You don't really need an additional salt for security reasons.

While it doesn't harm you in any way (except maybe for the case where you don't find / forget your salt and can't recover your wallet), it doesn't increase the security of your wallet.

It can add plausible deniability, but security-wise it is not necessary.

HCP
November 26, 2018, 09:48:59 PM
 #4

Quote from: bob123
> While it doesn't harm you in any way (except maybe for the case where you don't find / forget your salt and can't recover your wallet), it doesn't increase the security of your wallet.
>
> It can add plausible deniability, but security-wise it is not necessary.

As bob123 has pointed out, the maths of the seed words is currently more than sufficient to prevent the seed mnemonic from being brute forced in the first place. So, "salting" is not really necessary from that perspective... But in my opinion, it does offer an increase in security... for one particular scenario.

By adding such a "salt", it means that even if your seed mnemonic is compromised (for instance, your home is burgled and the thief takes the physical backup of your seed mnemonic) your wallet is still "secure", as without the necessary seed mnemonic extension they will be unable to access your 'actual' wallet. It's like 2FA for your seed mnemonic :)

Of course, it should go without saying, that the security will only be as good as the passphrase that you use ;)

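
What the seed extension discussed in the post above does mechanically, as an added example that is not part of the original thread and not Electrum's own code: Electrum stretches the seed words with PBKDF2-HMAC-SHA512 (2048 rounds) using the salt "electrum" plus the extension, so every extension leads to a different, equally valid-looking seed. The sample words, the `normalize` helper (a simplified stand-in for the wallet's own text normalization) and `added_bits` are assumptions made for illustration.

```python
import hashlib
import math
import unicodedata

PBKDF2_ROUNDS = 2048  # fixed iteration count of the Electrum seed stretch

# Constructed 12-word sample, not a valid Electrum seed and not a real wallet.
SAMPLE_WORDS = "constructed sample words only not a real wallet seed phrase at all"


def normalize(text):
    """Simplified stand-in (assumption) for the wallet's text normalization:
    NFKD, lowercase, runs of whitespace collapsed to single spaces."""
    return " ".join(unicodedata.normalize("NFKD", text).lower().split())


def stretch(words, extension=""):
    """Return the 64-byte master seed for `words` plus an optional extension."""
    salt = b"electrum" + normalize(extension).encode("utf-8")
    return hashlib.pbkdf2_hmac(
        "sha512", normalize(words).encode("utf-8"), salt, PBKDF2_ROUNDS
    )


def added_bits(candidates):
    """Bits of guessing work the extension adds when someone who holds the
    words can narrow it down to `candidates` equally likely values."""
    return math.log2(candidates)


if __name__ == "__main__":
    plain = stretch(SAMPLE_WORDS)
    salted = stretch(SAMPLE_WORDS, "alice@example.com")
    # No extension is ever "wrong": each one yields a valid but unrelated seed.
    # That gives the deniability mentioned in the thread, and it also means a
    # forgotten extension produces an empty wallet instead of an error.
    print("no extension   :", plain.hex()[:32], "...")
    print("e-mail address :", salted.hex()[:32], "...")
    # Normalization lowercases, so case variants of an address add nothing.
    print(stretch(SAMPLE_WORDS, "Alice@Example.com") == salted)
    # A value guessable in about 10 tries adds about 3.3 bits; 12 random
    # characters from a 62-symbol alphabet add about 71.
    print(round(added_bits(10), 1), round(added_bits(62 ** 12), 1))
```
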
Teubwel (OP)
November 27, 2018, 09:36:46 AM
 #5

The idea was, that an attacker might rainbow-table the N shortest (as in number of characters) seeds. Like WarpWallet, the e-mail salt would mitigate any such broad attack which isn't specifically aimed at a particular person.
bob123
November 27, 2018, 12:31:37 PM
Last edit: November 28, 2018, 02:00:27 PM by bob123
 #6

Quote from: Teubwel
> The idea was, that an attacker might rainbow-table the N shortest (as in number of characters) seeds.

Rainbow tables can't be applied in this case.

There are no 'shortest' seeds. Seeds are randomly chosen.
12 word seeds have an entropy of ~~121~~ 124 bits (last ~~7~~ 4 bits are a checksum) and 24 word seeds have an entropy of ~~253~~ 248 bits (last ~~11~~ 8 bits are a checksum).


Rainbow tables can be used when looking for passwords by having large dictionaries with the initial password and the correct hash being stored together.
In case of finding hashes, you simply search the dictionary for this hash to find the corresponding password.

But since seeds (which are represented by 12-/24- word mnemonic codes) are random, there is no attack surface using rainbow tables.




Edited for correctness

igor72
November 27, 2018, 07:01:41 PM
Merited by Stedsm (3), bob123 (1)
 #7


Quote from: bob123
> 12 word seeds have an entropy of 121 bits (last 7 bits are a checksum) and 24 word seeds have an entropy of 253 bits (last 11 bits are a checksum).

According to BIP39 12 word seeds have an entropy of 128 bits (last 4 bits are a checksum) and 24 word seeds have an entropy of 256 bits (last 8 bits are a checksum).

bob123
November 28, 2018, 02:01:31 PM
 #8


Quote from: igor72
> Quote from: bob123
> > 12 word seeds have an entropy of 121 bits (last 7 bits are a checksum) and 24 word seeds have an entropy of 253 bits (last 11 bits are a checksum).
>
> According to BIP39 12 word seeds have an entropy of 128 bits (last 4 bits are a checksum) and 24 word seeds have an entropy of 256 bits (last 8 bits are a checksum).

You are right, thanks for pointing it out!

Not only have I assumed a 7 (instead of 4) and 11 (instead of 8) bit checksum, I have also made a very embarrassing mistake (256 - 11 = 253) 🙄

HCP
November 29, 2018, 09:54:32 PM
Merited by bob123 (2), Stedsm (1)
 #9

Your math still is not correct...

Quote from: bob123
> There are no 'shortest' seeds. Seeds are randomly chosen.
> 12 word seeds have an entropy of ~~121~~ 124 bits (last ~~7~~ 4 bits are a checksum) and 24 word seeds have an entropy of ~~253~~ 248 bits (last ~~11~~ 8 bits are a checksum).
>
> Edited for correctness

12 word seeds have an entropy of 128 bits... they have 4 bits ADDED as a checksum... making them 132 bits long... 12 words * 11 bits = 132 bits.

The table provided in the BIP39 docs shows it all:
The following table describes the relation between the initial entropy length (ENT), the checksum length (CS) and the length of the generated mnemonic sentence (MS) in words.

CS = ENT / 32
MS = (ENT + CS) / 11

|  ENT  | CS | ENT+CS |  MS  |
+-------+----+--------+------+
|  128  |  4 |   132  |  12  |
|  160  |  5 |   165  |  15  |
|  192  |  6 |   198  |  18  |
|  224  |  7 |   231  |  21  |
|  256  |  8 |   264  |  24  |

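
The ENT/CS/MS relation quoted from BIP39 above, carried through in code as an added example (not part of the original thread and not taken from any wallet's source): the checksum is the first ENT/32 bits of SHA-256 of the entropy, appended before the bits are cut into 11-bit word indices. It stops at indices because the 2048-word list is not reproduced here; the function names and the all-zero entropy are constructed for illustration.

```python
import hashlib

VALID_ENT = (128, 160, 192, 224, 256)  # entropy sizes allowed by BIP39


def bip39_table():
    """Rows of (ENT, CS, ENT+CS, MS) from CS = ENT/32 and MS = (ENT+CS)/11."""
    return [(e, e // 32, e + e // 32, (e + e // 32) // 11) for e in VALID_ENT]


def entropy_to_indices(entropy):
    """Append the checksum to the entropy and cut the result into 11-bit
    wordlist indices (0..2047); a wordlist lookup would turn them into words."""
    ent = len(entropy) * 8
    if ent not in VALID_ENT:
        raise ValueError("entropy must be 128, 160, 192, 224 or 256 bits")
    cs = ent // 32
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs)  # first CS bits
    bits = (int.from_bytes(entropy, "big") << cs) | checksum
    ms = (ent + cs) // 11
    return [(bits >> (11 * (ms - 1 - i))) & 0x7FF for i in range(ms)]


def indices_to_entropy(indices):
    """Inverse: recover the entropy and reject a mnemonic with a bad checksum."""
    total = len(indices) * 11
    cs = total // 33
    if total - cs not in VALID_ENT or any(not 0 <= i < 2048 for i in indices):
        raise ValueError("not a BIP39 mnemonic length or index")
    bits = 0
    for index in indices:
        bits = (bits << 11) | index
    entropy = (bits >> cs).to_bytes((total - cs) // 8, "big")
    if bits & ((1 << cs) - 1) != hashlib.sha256(entropy).digest()[0] >> (8 - cs):
        raise ValueError("checksum mismatch")
    return entropy


if __name__ == "__main__":
    for row in bip39_table():
        print("ENT=%d CS=%d ENT+CS=%d MS=%d" % row)
    # Constructed input: 128 zero bits. Eleven words carry pure entropy; the
    # twelfth carries 7 entropy bits plus the 4 checksum bits.
    print(entropy_to_indices(bytes(16)))
```
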
Abdussamad
November 30, 2018, 11:16:06 AM
 #10

Electrum doesn't use BIP39. The security of the Electrum seed is explained here: http://docs.electrum.org/en/latest/seedphrase.html#security-implications . I honestly don't understand that math.