Passphrase with seed

[XMRseed]

Hello,

i´m fairly new into Bitcoin but have now a hardware wallet with a 24-word seed. Seed is stored securely. Now i´d like to add an additional passphrase to my seed and move my funds from the seed-only account to the seed-passphrase account.

Now to the passphrase: Is six english words with 4 characters chosen from an English dictionary secure enough for the passphrase?
I thought about 4-characters words because i want the passphrase not only to write down but to use a Cryptosteel/Billfodl type of metal device to store it. With those devices i could put six words in a row and leave the other rows empty.
 
Or should i create 6 random words with a BIP39 mnemonic converter offline and use those as a passphrase? Then i would have to engrave them into metal which i think is more complicated than using a Cryptosteel device. Passphrase will be stored in a different place as the 24-word seed.

Thank you in advance for your advice!

[1714823206]

1714823206

[1714823206]

1714823206

[jackg]

I have and would recommend using another seed as the password (the first 4 to 6 words will work just fine).

Is there a reason you only wanted 6 character words from a dictionary? If you use a 5 or 6 character word base you'll include quite a lot more if you go down that route.

[XMRseed]

Is there a reason you only wanted 6 character words from a dictionary? If you use a 5 or 6 character word base you'll include quite a lot more if you go down that route.

My idea was to take six 4-character words from a dictionary "randomly" picked by me so that i can put them in a Cryptosteel/Billfodl in one row.
That would be easier to memorize for me than to create a 6-word-seed and use the first 4 letters of each word. 
If the words are also not from the 2048-word list it would be easier for my heirs to find out that it is a passphrase and not a seed.

Alternatively i could use just four or five seed words as long as they don't have more than 24 characters together and fill the rest of the row of the Cryptosteel with blank tiles. Is a mnemonic code converter used with TOR browser in an offline TAILS Linux system on a USB-stick safe enough?

[jackg]

Ahh yeah I'd suggest the 4 words of 4-6 characters...

If you can verify the download of the iso before it's run then you will be fine running tails on a machine with a generator, unless you can devise a way to use an unbiased dice with the standard list.

[XMRseed]

If you can verify the download of the iso before it's run then you will be fine running tails on a machine with a generator, unless you can devise a way to use an unbiased dice with the standard list.

OK, thank you!
My TAILS system is sometimes online. But i have 2 Ledger devices and will create the seed on the one i don't use.

[jackg]

As long as it shows on the device and not on the screen then you're good!

[HCP]

I'm not really sold on the idea of using dictionary words for a passphrase, tbh. While it's true you are generating a "24 char" passphrase, you're limiting the effective search space to 26^24 (or 52^24, if you use some uppercase as well)... and, in actual fact, because you're using dictionary words... it's more like 150000^6 (there are only around 150,000 four letter words in the english language)! That is a pretty small number... relatively speaking

Compared with using a random mix of lowercase, uppercase, numbers and symbols... in which case the search space would be 86^24

It's the same with using the first 6 words from a generated seed mnemonic... you're really lowering the search space to just 2048^6.

[pooya87]

the passphrase used in BIP-39 is not meant for security (although it could add a tiny bit of security to it). if it were then it should have used a much safer key derivation function with a much higher iteration (basically cost). the purpose of this passphrase is to let you create some sort of hidden set of keys that could be derived from the same mnemonic for plausible deniability.

if you want to secure your mnemonic then encrypt it using AES-256.

[o_e_l_e_o]

if it were then it should have used a much safer key derivation function with a much higher iteration (basically cost).

Maybe it should have, but we are stuck with what we have. If OP is dead set on having a 24 character passphrase, then as HCP has said, 24 random characters will be many orders of magnitude more secure than 6 four letter words.

I'm going to question HCP's maths here though. There are only somewhere in the region of 170,000 words in the entire English language. The internet tells me there are less than 5000 four letter words. 5000^6 is ten times smaller than 2048^7 - in other words, not very secure. You need to either pick more words or use random characters.

in which case the search space would be 86^24

Why 86? I thought passphrases were compatible with the full printable ASCII character set, which is 95 characters.

[XMRseed]

Hello, i know there would be safer passphrases and on the Ledger Nano X you can enter maximum 100 characters but my set up is this:

24-Word-Seed "written" on Cryptosteel and deposited in a secure place and memorized in my head.
Now i want to add a passphrase "written" in Cryptosteel , deposit that in another secure place and also memorize it in my head.
To memorize it it can not be so difficult and to fit it in a Cryptosteel it should have not more than 24 characters.

If the seed would be found, how much time would i have before the passphrase could be brute forced if?

1. I would generate a seed and would take the first five words as the passphrase ( I would create multiple seeds and take the words from the one
that have maximum 24 characters. )

2. I pick myself randomly six 4-character words from the 2048-word-list and use them as my passphrase.

I have heard that you can mess up security exponentially with playing with the features but i also want to be able to retrieve my coins and not lock myself out.

Many thanks for your help!

[HCP]

I have heard that you can mess up security exponentially with playing with the features but i also want to be able to retrieve my coins and not lock myself out.

Yes... and that is what I was alluding too... by "abusing" these functions and using them for things they were not designed for, you can adversely affect the overall security of your setup.

Without getting into the complicated maths, you're effectively reducing your security to that of a "simple brainwallet" by using dictionary words as your passphrase, should your seed become compromised.

I'm going to question HCP's maths here though. There are only somewhere in the region of 170,000 words in the entire English language. The internet tells me there are less than 5000 four letter words. 5000^6 is ten times smaller than 2048^7 - in other words, not very secure. You need to either pick more words or use random characters.

Really? "Wikipedia" seems to think we have ~500,000... https://en.wikipedia.org/wiki/List_of_dictionaries_by_number_of_words
Websters is apparently at ~470,000...

And this website seems to think we have nearly 150,000 "4 letter words": https://www.thefreedictionary.com/4-letter-words.htm

I don't know for sure, but either way... it's not a "big" number (relatively speaking)... so it's still not a "Good Idea"™

Why 86? I thought passphrases were compatible with the full printable ASCII character set, which is 95 characters.

I will admit that this was a completeeducated guess tho... my "napkin" math was 52 chars + 10 numbers + ? symbols... I thought it would be around 20-25 symbols... apparently there are more

[XMRseed]

All right,
i will dig deeper in the matter and find out how to create a good memorizable passphrase, maybe with lower or upper case letters.
I´ll return here for further questions.

[o_e_l_e_o]

Really? "Wikipedia" seems to think we have ~500,000... https://en.wikipedia.org/wiki/List_of_dictionaries_by_number_of_words

The English language Wiktionary contains thousands of entries which are not words. Look for example at its list of "English nouns": https://en.wiktionary.org/wiki/Category:English_nouns. The Oxford English Dictionary has 171,476 entries.

If you assume at least one of the letters has to be either a vowel or "y", there are only 6*26*26*26 = 105,456 possible combinations, so there is no way there are 150,000 four letter words. There are 4994 four letter words in the Linux dictionary file: https://www.quora.com/How-many-4-letter-words-exist-in-English/answer/Nick-Gorbikoff

1. I would generate a seed and would take the first five words as the passphrase

2048^5, which is 3.6*10¹⁶

2. I pick myself randomly six 4-character words from the 2048-word-list and use them as my passphrase.

There are only 442 four character words in BIP39, so this would be 442^6 which is 7.5*10¹⁵

Assuming 5000 four letter words, picking 6 randomly is 1.6*10²²
Picking 24 random single case letters is 9.1*10³³
Picking 24 random lower or upper case letters is 1.5*10⁴¹

So of all the "picking words" options, picking from a full dictionary rather than from BIP39 is a better option, but random characters (even just letters are no numbers or symbols) is better still.

[pooya87]

find out how to create a good memorizable passphrase,

technically if a password is strong you shouldn't be able to memorize it because it would be very random and it is hard to make any association between each character of the password in your head to be able to remember them. keep in mind that you have to remember it after a long time like a couple of years not just for a couple of days.
an example of a strong password (16 char long):

Code:

as:}4S_9s.V:j2rK

[HCP]

The English language Wiktionary contains thousands of entries which are not words. Look for example at its list of "English nouns": https://en.wiktionary.org/wiki/Category:English_nouns. The Oxford English Dictionary has 171,476 entries.

Well there you go then... another reason not to trust anything on Wikipedia

So of all the "picking words" options, picking from a full dictionary rather than from BIP39 is a better option, but random characters (even just letters are no numbers or symbols) is better still.

Bad maths aside... this was kind of the point of my post... using dictionary words is not a great idea for creating (short) passwords. By choosing only "6" words, you are, effectively^[1], creating a 6 character password (albeit with a much larger "alphabet"... ~5000 "chars")...

and I think we'd both agree that that is a "Bad Idea"™



[1] not exactly the same, but in the realm of these large numbers it's fairly simliar...

[XMRseed]

Hello,

so i have decided to do it this way:

I diced six words from the BIP-39 word list with this method:
https://github.com/taelfrinn/Bip39-diceware

I have read that six words are largely sufficient for passphrase security here and that
it would take two milleniums to brute-force it even with the most sophisticated attack:
https://coldbit.com/can-bip-39-passphrase-be-cracked/

24-word-mnemonic and passphrase will be engraved in metal and stored at two separate secure locations.

Could you please give me your short thoughts if this is secure
and if the statements about cracking times on the Coldbit website are accurate?

Thank You!

[nc50lc]

Could you please give me your short thoughts if this is secure

That's secure enough, the passphrase is random, though you could've used a wildcard non-BIP39 word.
A very random seed phase alone is safe against "ClassD attacks" (as the link described), what more that you've added a 6-word passphrase.
(I know, in case the seed phrase leaked :D)

and if the statements about cracking times on the Coldbit website are accurate?

I have read that six words are largely sufficient for passphrase security here and that
it would take two milleniums to brute-force it even with the most sophisticated attack

It's calculated based from the total number of possible combinations against the total power of the attacker.
So they are talking about "bruteforce" attacks and it's accurate in an approximate way.

Here's one of their example (expanded):
6-words from BIP39 word list entropy: 2048^6 = 73,786,976,294,838,206,464
Class D attacker's power 1,000,000,000 H/s
One millennium in seconds: 31,557,600,000

Then do a simple Division:
73,786,976,294,838,206,464 ÷ 1,000,000,000 H/s = 73,786,976,294.838206464
73,786,976,294.838206464 ÷ 31,557,600,000 seconds = 2.3381681843625055918067280148047 millennium

take note that it's based from PBKDF2-HMAC-SHA512 as the article described to check if the passphrase will derived the correct seed,
but it takes more effort than that to check each of the candidate seed's private keys/addresses

[XMRseed]

OK, great, thank you!

[math09183]

Never forget this: https://xkcd.com/936/

BTW "random" passwords like "n*Yb9LEAj$" are simpler to crack than expected 95^numberOfCharacters.

[keychainX]

Hello,

so i have decided to do it this way:

I diced six words from the BIP-39 word list with this method:
https://github.com/taelfrinn/Bip39-diceware

I have read that six words are largely sufficient for passphrase security here and that
it would take two milleniums to brute-force it even with the most sophisticated attack:
https://coldbit.com/can-bip-39-passphrase-be-cracked/

24-word-mnemonic and passphrase will be engraved in metal and stored at two separate secure locations.

Could you please give me your short thoughts if this is secure
and if the statements about cracking times on the Coldbit website are accurate?

Thank You!

Hackers first rule is to check words from rockyou.txt or bip39, to be completely sure use words not in a dictionary, like slang and make them long. Like DangYallFoolsNigga has a smaller chance of being open than using any public wordlist combination. Remember computer power is increasing so you might find your uncrackable password easy to open in a few years.

Coldbit website will probably downgrade the time each month.