What exactly happens when you change bitcoin core passphrase

[ghost-blade]

Hey guys,

I recently come across some posts asking about whether you bitcoins are safe after you changed your passphrase of the bitcoin core software, given that someone may have access to your old wallet.dat and passphrase.

Well the answer is yes, your bitcoins are completely safe if you do the following:

1) Request a new address after you changed the passphrase

2) Send all your balances to this new address.

The reasons are simple. your old wallet.dat and passphrase will give thieves your private keys to your account, which can help them hack all your balances in your old addresses. But since you changed your passphrase, your new address pool will be related to your new .dat and passphrase, which is irrelevant to the old address pool. That's why people who have access to your old wallet.dat and passphrase will never be able to steal your coins.

For those interested in how bitcoin core handle this, refer to wallet.cpp, line 454, where the Encrypt method actually create a new key pool for users and render the old addresses useless.

[1713566532]

1713566532

[1713566532]

1713566532

[jackg]

Aren't the new wallets hd?
Meaning you'd also need a new wallet.dat while youre at it.

HD stands for hierarchical deterministic wallets and it's how addresses are generated and recovered from after a backup.



This is true for non HD wallets though.

[KingZee]

Hey guys,

I recently come across some posts asking about whether you bitcoins are safe after you changed your passphrase of the bitcoin core software, given that someone may have access to your old wallet.dat and passphrase.

Well the answer is yes, your bitcoins are completely safe if you do the following:

1) Request a new address after you changed the passphrase

2) Send all your balances to this new address.

The reasons are simple. your old wallet.dat and passphrase will give thieves your private keys to your account, which can help them hack all your balances in your old addresses. But since you changed your passphrase, your new address pool will be related to your new .dat and passphrase, which is irrelevant to the old address pool. That's why people who have access to your old wallet.dat and passphrase will never be able to steal your coins.

For those interested in how bitcoin core handle this, refer to wallet.cpp, line 454, where the Encrypt method actually create a new key pool for users and render the old addresses useless.

Are you sure about this? Isn't the passphrase just a layer of security on top of the seed/mnemonic? Unless changing the passphrase changes the seed, all your wallet addresses can still easily be generated through the default bitcore derivation path.

[AdolfinWolf]

Are you sure about this? Isn't the passphrase just a layer of security on top of the seed/mnemonic? Unless changing the passphrase changes the seed, all your wallet addresses can still easily be generated through the default bitcore derivation path.

I'm pretty sure that this is indeed the case.

It marks all of the keys in the keypool as used (non-HD wallets) or generates a new master key (HD wallets). Individual addresses could still have a balance that could be stolen from the old backup, though.

That a change of password generates a new master private key and thus a set of private keys that can't be generated in/from the old wallet(backup).

EDIT; see answers below. This is only the case if your wallet was never encrypted in the first place..?

[jackg]

@adolfin, I guess that means you can only really use the receive tab and nothing else. As the addresses will show up in the address tab and make everything quite confusing. Surely making a new wallet is a better approach. It also makes syncing a bit faster.

[Pmalek]

achow101 talked about this in a thread back in 2017. This is how he explained it:

The wallet.dat contains your private keys. When you change your password, the private keys you have already used stay in the wallet so that you can spend your Bitcoin. However the look-ahead keypool is refreshed so that any new addresses you request after the password change are not in the old wallet with the old private keys. This means that if you don't spend your Bitcoin after you change your password, anyone with a copy of the original wallet with the old password can still steal your Bitcoin if they have the old password.

Note also the reply by OmegaStarScream who says to make a new wallet file and not just generate a new address.

You didn't mention the wallet used here, some of them generate different addresses and still keep the private keys in one wallet.dat file. Again, If you think that someone have access to your old wallet.dat file + he might be able to get the password you should make a new wallet file (and not a new address only) with a new password and send everything there instead of just changing the password.

Simple steps to follow (whatever wallet you are using):

1. Install Mycelium in your android.
2. Run your wallet (from PC) and send all funds to your Mycelium.
3. Remove the old wallet and create a new one
4. Send from Mycelium to your new generated wallet on PC.

[Thirdspace]

That a change of password generates a new master private key and thus a set of private keys that can't be generated in/from the old wallet(backup).

While Core allows the user to export its HD key, the wallet still has to be backed-up relatively frequently whenever the password is changed. It does seem more of a hassle to manage the wallet.dat.

That is untrue. The seed does not change when the password is changed. It is only changed when the wallet is first encrypted.

isn't a "master private key" the same as a "wallet seed"?
but what AdolfinWolf said is the opposite of achow101's statement above
so perhaps the password changing thing works effectively only on a non-HD wallet

achow101 talked about this in a thread back in 2017. This is how he explained it:

The wallet.dat contains your private keys. When you change your password, the private keys you have already used stay in the wallet so that you can spend your Bitcoin. However the look-ahead keypool is refreshed so that any new addresses you request after the password change are not in the old wallet with the old private keys. This means that if you don't spend your Bitcoin after you change your password, anyone with a copy of the original wallet with the old password can still steal your Bitcoin if they have the old password.

I'm not quite sure but I think achow101 was referring to non-HD wallet in his post that you quoted

[Abdussamad]

It marks all of the keys in the keypool as used (non-HD wallets) or generates a new master key (HD wallets). Individual addresses could still have a balance that could be stolen from the old backup, though.

That a change of password generates a new master private key and thus a set of private keys that can't be generated in/from the old wallet(backup).

It doesn't though: https://bitcoin.stackexchange.com/a/12438/5273

When you set a password for the very first time it changes the master private key and adds new keypairs derived from the new key to the keypool. Old keypairs derived from the old xprv are not deleted though. IDK whether it continues to use those or not.

[jackg]

@thirdspace, no.

Firstly bitcoin core has no seed.

In your context, a seed is  mnomic phrase it’s the representation of  any,bee, a master private key is the seed plus a derivation path. In terms of wallets like electrum, bitcoin seeds represent a 128 bit number, something has to be added to make them closer to the 256 bit master private key they need to become.

[achow101]

The reasons are simple. your old wallet.dat and passphrase will give thieves your private keys to your account, which can help them hack all your balances in your old addresses. But since you changed your passphrase, your new address pool will be related to your new .dat and passphrase, which is irrelevant to the old address pool. That's why people who have access to your old wallet.dat and passphrase will never be able to steal your coins.

This is completely wrong. If you think your wallet has been stolen and the passphrase is known, move your coins to a completely new wallet immediately. The HD seed is not regenerated when the passphrase is changed. Any new address that you use will be generated from the same seed in the compromised wallet.

For those interested in how bitcoin core handle this, refer to wallet.cpp, line 454, where the Encrypt method actually create a new key pool for users and render the old addresses useless.

Encrypt generates a new seed, but encrypt is not what is done when the passphrase is changed. Instead ChangeWalletPassphrase is used which does not do anything to the keypool or to the HD seed.

achow101 talked about this in a thread back in 2017. This is how he explained it:

The wallet.dat contains your private keys. When you change your password, the private keys you have already used stay in the wallet so that you can spend your Bitcoin. However the look-ahead keypool is refreshed so that any new addresses you request after the password change are not in the old wallet with the old private keys. This means that if you don't spend your Bitcoin after you change your password, anyone with a copy of the original wallet with the old password can still steal your Bitcoin if they have the old password.

This applies to non-HD wallets.

isn't a "master private key" the same as a "wallet seed"?

Firstly bitcoin core has no seed.

In your context, a seed is  mnomic phrase it’s the representation of  any,bee, a master private key is the seed plus a derivation path. In terms of wallets like electrum, bitcoin seeds represent a 128 bit number, something has to be added to make them closer to the 256 bit master private key they need to become.

No (as answer to both the question and as a statement that the provided answer is wrong).

There are three things typically involved in modern HD wallets. There is a mnemonic, a HD seed, and the master private key. The mnemonic us a set of human readable words which can be transformed into a large number, typically by hashing. The HD seed is a large number (between 128 and 512 bits) which serves as initial entropy for the master private key. The master private key is the hash of the seed using HMAC-SHA512. So mnemonics become HD seeds, and HD seeds become the master private key. A wallet can omit the mnemonic and just have a seed and master private key. It can also omit both the mnemonic and the seed and just have the master private key.

What Bitcoin Core has is a seed. It only stores the seed and generates the master private key when necessary. When an unencrypted wallet is encrypted, a new seed will be generated. When the password for an encrypted wallet is changed, nothing changes except for the password. Not even the encryption keys change, only the password changes, which then changes how the encryption key is encrypted. So the same encryption keys are still used to encrypt the same private keys and HD seed. No new seed is generated and the keypool is not regenerated.

[ghost-blade]

The reasons are simple. your old wallet.dat and passphrase will give thieves your private keys to your account, which can help them hack all your balances in your old addresses. But since you changed your passphrase, your new address pool will be related to your new .dat and passphrase, which is irrelevant to the old address pool. That's why people who have access to your old wallet.dat and passphrase will never be able to steal your coins.

This is completely wrong. If you think your wallet has been stolen and the passphrase is known, move your coins to a completely new wallet immediately. The HD seed is not regenerated when the passphrase is changed. Any new address that you use will be generated from the same seed in the compromised wallet.

For those interested in how bitcoin core handle this, refer to wallet.cpp, line 454, where the Encrypt method actually create a new key pool for users and render the old addresses useless.

Encrypt generates a new seed, but encrypt is not what is done when the passphrase is changed. Instead ChangeWalletPassphrase is used which does not do anything to the keypool or to the HD seed.

achow101 talked about this in a thread back in 2017. This is how he explained it:

The wallet.dat contains your private keys. When you change your password, the private keys you have already used stay in the wallet so that you can spend your Bitcoin. However the look-ahead keypool is refreshed so that any new addresses you request after the password change are not in the old wallet with the old private keys. This means that if you don't spend your Bitcoin after you change your password, anyone with a copy of the original wallet with the old password can still steal your Bitcoin if they have the old password.

This applies to non-HD wallets.

isn't a "master private key" the same as a "wallet seed"?

Firstly bitcoin core has no seed.

In your context, a seed is  mnomic phrase it’s the representation of  any,bee, a master private key is the seed plus a derivation path. In terms of wallets like electrum, bitcoin seeds represent a 128 bit number, something has to be added to make them closer to the 256 bit master private key they need to become.

No (as answer to both the question and as a statement that the provided answer is wrong).

There are three things typically involved in modern HD wallets. There is a mnemonic, a HD seed, and the master private key. The mnemonic us a set of human readable words which can be transformed into a large number, typically by hashing. The HD seed is a large number (between 128 and 512 bits) which serves as initial entropy for the master private key. The master private key is the hash of the seed using HMAC-SHA512. So mnemonics become HD seeds, and HD seeds become the master private key. A wallet can omit the mnemonic and just have a seed and master private key. It can also omit both the mnemonic and the seed and just have the master private key.

What Bitcoin Core has is a seed. It only stores the seed and generates the master private key when necessary. When an unencrypted wallet is encrypted, a new seed will be generated. When the password for an encrypted wallet is changed, nothing changes except for the password. Not even the encryption keys change, only the password changes, which then changes how the encryption key is encrypted. So the same encryption keys are still used to encrypt the same private keys and HD seed. No new seed is generated and the keypool is not regenerated.

The one who is completely wrong is you. Encrypt will use newkeypool() which will completely abandon your old addresses. Also the changepassphrase is what uses the Encrypt method and of course everyone know it is the changepassphrase that is being called when you change passphrase.

[achow101]

The one who is completely wrong is you.

This is a strange hill to die on... the code is not wrong.

Encrypt will use newkeypool() which will completely abandon your old addresses.

My point is that ChangeWalletPassphrase() does not use the Encrypt() function. It is already widely known that setting a passphrase (i.e. calling Encrypt()) will generate a new HD seed and a new keypool. That's not what is being discussed.

Also the changepassphrase is what uses the Encrypt method and of course everyone know it is the changepassphrase that is being called when you change passphrase.

Are we looking at the same code? ChangeWalletPassphrase() does not and, AFAIK, has never, called the Encrypt() function which generates a new seed and keypool. In fact, that function isn't even named Encrypt(), it's EncryptWallet(). EncryptWallet() does call NewKeyPool() and GenerateNewSeed(). But ChangeWalletPassphrase() calls crypter.Encrypt() which only encrypts a provided key. It does not do anything else to the wallet. Perhaps you are confusing that function (CCrypter::Encrypt) for the wallet's EncryptWallet() function (CWallet::EncryptWallet()). They are two different things that have different purposes.

[AdolfinWolf]

It marks all of the keys in the keypool as used (non-HD wallets) or generates a new master key (HD wallets). Individual addresses could still have a balance that could be stolen from the old backup, though.

That a change of password generates a new master private key and thus a set of private keys that can't be generated in/from the old wallet(backup).

It doesn't though: https://bitcoin.stackexchange.com/a/12438/5273

When you set a password for the very first time it changes the master private key and adds new keypairs derived from the new key to the keypool. Old keypairs derived from the old xprv are not deleted though. IDK whether it continues to use those or not.

I stand corrected.