Bitcoin Forum
Author Topic: 12 word vs 24 word seeds  (Read 463 times)
cellard (OP)
December 01, 2018, 04:07:35 PM
 #1

Does anyone have the exact numbers of how much protection you get using a 24 word seed vs using the conventional default standard that shows up automatically when you create a wallet in Electrum?

It's still not clear to me that you can trust this type of wallet, that could be bruteforced and then all of your keys are compromised forever as long as you keep creating them on that wallet. It still seems safer to use a wallet.dat file. I want to see the math.
NeuroticFish
December 01, 2018, 04:14:26 PM
 #2

Does anyone have the exact numbers of how much protection you get using a 24 word seed vs using the conventional default standard that shows up automatically when you create a wallet in Electrum?

It's still not clear to me that you can trust this type of wallet, that could be bruteforced and then all of your keys are compromised forever as long as you keep creating them on that wallet. It still seems safer to use a wallet.dat file. I want to see the math.

From what I know, they are safe enough against brute force, some numbers should be on reddit. They say that for 12-word Electrum seed it would be needed about 1012 years.
And from this point I think that 24 words is just extra hassle. Maybe it would even help more to add your favorite word as custom word, but I am no specialist.

cellard (OP)
December 01, 2018, 04:20:18 PM
 #3

Does anyone have the exact numbers of how much protection you get using a 24 word seed vs using the conventional default standard that shows up automatically when you create a wallet in Electrum?

It's still not clear to me that you can trust this type of wallet, that could be bruteforced and then all of your keys are compromised forever as long as you keep creating them on that wallet. It still seems safer to use a wallet.dat file. I want to see the math.

From what I know, they are safe enough against brute force, some numbers should be on reddit. They say that for 12-word Electrum seed it would be needed about 1012 years.
And from this point I think that 24 words is just extra hassle. Maybe it would even help more to add your favorite word as custom word, but I am no specialist.


What about key derivation. What are the chances that one could derive a seed by taking control of a public master key and something else? I've heard some concerns along the lines about key derivation which is why I just would avoid seed-based wallets altogether and would focus on the classic wallet.dat format but I haven't studied the details, I have just heard conflicting opinions.

As far as 24 being too much of a hassle.. well I doubt you can trust your memory to memorize 12 words for the long term, so would need to type the seed somewhere, so if you are going to type 12 words you might as well type 24.
NeuroticFish
December 01, 2018, 04:25:15 PM
 #4

What about key derivation. What are the chances that one could derive a seed by taking control of a public master key and something else? I've heard some concerns along the lines about key derivation which is why I just would avoid seed-based wallets altogether and would focus on the classic wallet.dat format but I haven't studied the details, I have just heard conflicting opinions.

I will leave this for smarter people than me ;)

As far as 24 being too much of a hassle.. well I doubt you can trust your memory to memorize 12 words for the long term, so would need to type the seed somewhere, so if you are going to type 12 words you might as well type 24.

It depends on the way of storing the seed. The fact that many would just write the seed as it is somewhere (paper, file, whatever) it doesn't mean it's the best method. Some may memorize it like some sort of poetry, some may save it by making certain signs in a book or text (I've read that somewhere a few years ago, not making it up). The methods can vary and more words may indeed make it more hassle (while adding a favorite word would not need to even save it!)

jackg
December 01, 2018, 04:59:33 PM
 #5

As a side point to this, is a 24 word seed harder to brute force than a private key? What about a 12 word seed? Or my 11 word seed are they harder than a private key brute force or easier?

If you want security, get two twelve-word seeds and use them in the same wallet for a multisig. It's slightly more secure that way, if you have another device though, use that.
HCP
December 01, 2018, 08:07:02 PM
 #6

Does anyone have the exact numbers of how much protection you get using a 24 word seed vs using the conventional default standard that shows up automatically when you create a wallet in Electrum?

It's still not clear to me that you can trust this type of wallet, that could be bruteforced and then all of your keys are compromised forever as long as you keep creating them on that wallet. It still seems safer to use a wallet.dat file. I want to see the math.
You realise that the wallet.dat system used by Bitcoin Core works pretty much the same way as an Electrum wallet when creating the wallet right? Both types of wallet start by doing the exact same thing... that is, they generate a very large random number ("entropy")... this is used as the "seed". The seed is then used to create a "master private key" (aka "xprv"), from which all the child keys are then derived.

The only difference is that with the Bitcoin Core wallet.dat system, you don't get to see the seed in any form, it is hidden within the wallet file... all your backups are done by making backup copies of the wallet.dat file itself.

The BIP39 "seed mnemonic" (aka 12/24 words) is really just a "backup mechanism"... you don't pick 12 words, and generate the wallet seed from that... you generate the wallet seed (the "entropy"), then convert that to 12 words to make it easier and less error prone for users to write it down safely.

As for the difference between 12 and 24 words... for a BIP39 wallet (not Electrum)... a 12 word seed has 128 bits of Entropy (+4 bit checksum)... a 24 word seed has 256 bits of Entropy (+8 bit checksum):
The following table describes the relation between the initial entropy length (ENT), the checksum length (CS) and the length of the generated mnemonic sentence (MS) in words.

CS = ENT / 32
MS = (ENT + CS) / 11

|  ENT  | CS | ENT+CS |  MS  |
+-------+----+--------+------+
|  128  |  4 |   132  |  12  |
|  160  |  5 |   165  |  15  |
|  192  |  6 |   198  |  18  |
|  224  |  7 |   231  |  21  |
|  256  |  8 |   264  |  24  |

There have been MULTIPLE threads on the math involved in bruteforcing BIP39 seeds... start here: https://www.google.com/search?q=bip39+brute+force


As for the Electrum math... you can read it in the Electrum docs here: http://docs.electrum.org/en/latest/seedphrase.html#security-implications

Apparently a 12 word Electrum seed has ~135 bits of entropy. So, theoretically, it is slightly stronger than a standard 12 word BIP39 seed.

pooya87
December 02, 2018, 04:38:36 AM
Merited by NeuroticFish (1), HCP (1)
 #7

long story short when you use the minimum number of seed words (12 words) you are generating a master "key" which has the same strength as when you generate 1 private "key" and that strength is 128. so using more words and gaining more strength is not really making a difference. if you consider 12 words weak then you are considering bitcoin private keys weak.
(secp256k1 curve is a 256 bit curve with 128 bit strength. read SEC 2: Recommended Elliptic Curve Domain Parameters; Table 1)

What about key derivation. What are the chances that one could derive a seed by taking control of a public master key and something else?
as far as i know if you are not using hardened key (which most wallets are using them) it is possible to find the master private key by having master public key and 1 private key.

bob123
December 02, 2018, 01:13:22 PM
 #8

What about key derivation. What are the chances that one could derive a seed by taking control of a public master key and something else? I've heard some concerns along the lines about key derivation which is why I just would avoid seed-based wallets altogether and would focus on the classic wallet.dat format but I haven't studied the details, I have just heard conflicting opinions.

If a malicious actor knows the master public key (xpub) and one derived private key (child private key), he is able to derive all private keys (in the same derivation path (if using hardened); without hardened i believe he will be able to derive ALL private keys).

That's the only risk associated with using HD wallets.

Lucius
December 02, 2018, 01:52:11 PM
 #9

Does anyone have the exact numbers of how much protection you get using a 24 word seed vs using the conventional default standard that shows up automatically when you create a wallet in Electrum?

It's still not clear to me that you can trust this type of wallet, that could be bruteforced and then all of your keys are compromised forever as long as you keep creating them on that wallet. It still seems safer to use a wallet.dat file. I want to see the math.

Actually there is no problem with 12 word or 24 word seed (at least for now), therefore every assumption related to the concern that this is not safe has no real strongholds. The real problem is the way in which people keep that seed as backup, and therein lies the real danger.

For me my 24 words hardware wallet seed is something I consider pretty safe, although there are people who even consider HW as an unsafe way of storing cryptocurrency. Fortunately I'm not so paranoid, security is available to all of us - but it should be understood and applied.

Master1781
December 02, 2018, 04:38:05 PM
 #10

On a side note, you can increase the original 12 word seed with the "extend the seed with custom words" option. So you can add 12 more words or symbols, numbers, etc, by yourself, and the Electrum wallet would have the same entropy (or more) than a 24-word seed.
Abdussamad
December 03, 2018, 12:20:03 PM
Merited by HCP (1)
 #11

the difference is impossible to even more impossible. the default 12 word seed has 135 bits of entropy.

having said that you can generate a custom size seed with the make_seed command line option. this is available on linux and maybe macosx (windows wrapper doesn't allow interaction on the CLI):

Code:
electrum make_seed --nbits=256

The above will give you a 24 word seed.
Effingham Hoofnagle
December 14, 2018, 03:17:52 PM
Merited by o_e_l_e_o (1)
 #12

Does anyone have the exact numbers of how much protection you get using a 24 word seed vs using the conventional default standard that shows up automatically when you create a wallet in Electrum?

It's still not clear to me that you can trust this type of wallet, that could be bruteforced and then all of your keys are compromised forever as long as you keep creating them on that wallet. It still seems safer to use a wallet.dat file. I want to see the math.

Here's the basics. Using the 2048 word BIP39 list, each word represents 11 bits of entropy (2**11 = 2048). So a 12 word phrase has 132 bits of entropy, and therefore a 24 word phrase has 264 bits of entropy.

Looking at a 12 word phrase, that means there are 2**132 possible combinations = 5.444 x 10**39 possibilities.
A 24 word phrase has 2**256 possibilities, or 1.158 x 10**77

If you want to go the distance on this analysis, you can do the math as to how long either would take, assuming some # of guesses/second.

Either should give you comfort.

If you want to consider phrases other than 12 or 24 words, as long as you're using the BIP39 list just remember: #bits of entropy = #words * 11
and number of possible phrases = 2**(#bits of entropy)
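
The BIP39 relations from the table in post #6 and the per-word arithmetic in post #12, as an added example (not code from the thread, Electrum or any wallet): it builds the 11-bit word indices from entropy plus checksum, checks candidate phrases, and counts how many bits a brute-force search actually has to cover, since the CS bits are computed from the ENT bits. Function names are hypothetical, the 1e12 guesses per second rate is an assumption, and word indices stand in for the 2048-entry word list.

```python
import hashlib

def entropy_to_indices(entropy: bytes) -> list[int]:
    """Append CS = ENT/32 checksum bits, then cut ENT+CS into 11-bit word indices."""
    ent = len(entropy) * 8
    if ent not in (128, 160, 192, 224, 256):
        raise ValueError("ENT must be 128, 160, 192, 224 or 256 bits")
    cs = ent // 32
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs)
    bits = (int.from_bytes(entropy, "big") << cs) | checksum
    ms = (ent + cs) // 11
    return [(bits >> (11 * (ms - 1 - i))) & 0x7FF for i in range(ms)]

def is_valid(indices: list[int]) -> bool:
    """A candidate phrase is valid only if its checksum bits match its entropy."""
    if len(indices) not in (12, 15, 18, 21, 24):
        return False
    cs = len(indices) * 11 // 33          # ENT + CS = 33 * CS
    bits = 0
    for idx in indices:
        bits = (bits << 11) | idx
    entropy = (bits >> cs).to_bytes((len(indices) * 11 - cs) // 8, "big")
    return entropy_to_indices(entropy) == list(indices)

def valid_last_words(prefix: list[int]) -> int:
    """How many of the 2048 words complete `prefix` into a valid phrase."""
    return sum(is_valid(prefix + [w]) for w in range(2048))

def search_space_bits(words: int) -> int:
    """Bits an attacker has to guess: ENT, since CS is computed from ENT."""
    return words * 11 - words * 11 // 33

def expected_years(words: int, guesses_per_second: float) -> float:
    """Average brute-force time (half the space) at an assumed guess rate."""
    return 2 ** (search_space_bits(words) - 1) / guesses_per_second / 31_557_600

if __name__ == "__main__":
    print(entropy_to_indices(bytes(16)))   # constructed input: all-zero entropy
    for words in (12, 24):
        print(words, search_space_bits(words), valid_last_words([0] * (words - 1)),
              f"{expected_years(words, 1e12):.2e} years at an assumed 1e12 guesses/s")
```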