3 seed words + passphrase

[alexkrypto]

I want to ask what is the dangerous of creating a seed phrase that generate 3 words only + passphrase (strong password 18 characters)? Is it safe? Is it possible to lose the funds this way? If yes, how?

The idea is, people just need to memorise 3 words + passphrase (of their choice) (strong password) rather than worrying that the (seed phrase 12 or 24 words) is stolen or lost. Any reason why this cannot be practical or recommended?

I understand that seed phrase can easily be guessed by a hacker but then he needs to be able to crack the 18 characters (combination of lower, upper case, number, special characters such as * ? >< !@#}|_-&^%$)

[1715408287]

1715408287

[1715408287]

1715408287

[1715408287]

1715408287

[1715408287]

1715408287

[pooya87]

these "words" are actually representing the "entropy" that is used to generate the individual private keys. so unless you can come up with a way to generate the same level of security entropy (at least 128-bits) using 3 words, it won't work.

The idea is, people just need to memorise 3 words + passphrase (of their choice) (strong password) rather than worrying that the (seed phrase 12 or 24 words) is stolen or lost. Any reason why this cannot be practical or recommended?

are you really suggesting that memorizing 3 words + something like

Code:

J\{m^"<Aw2ATdn)V96

is easier than memorizing this:

Code:

legal winner thank year wave sausage worth useful legal winner thank yellow

i'm not convinced!

[alexkrypto]

these "words" are actually representing the "entropy" that is used to generate the individual private keys. so unless you can come up with a way to generate the same level of security entropy (at least 128-bits) using 3 words, it won't work.


You can do it using https://iancoleman.io/bip39/ and i understand you wont achieve 128 bits, this is where the passphrase with strong password is extremely important.

are you really suggesting that memorizing 3 words + something like

Code:

J\{m^"<Aw2ATdn)V96

is easier than memorizing this:

Code:

legal winner thank year wave sausage worth useful legal winner thank yellow

i'm not convinced!

No, i am not suggesting to create your password like this. you can create something like !Went>P@r!$&be$tmem0ryev_r

Something that you can create that reflect to your experience and easy to remember and hard to crack

[pooya87]

Something that you can create that reflect to your experience and easy to remember and hard to crack

then that's another problem. almost always, these two can not be achieved together.
people aren't known to be able to create strong passwords. to be able to remember their passwords they always end up with weak ones that could be guessed in most cases.
and if the password were strong (truly random) then it can't be memorized over long term. they still have to write it down so that they won't forget it (after like in a year), and if they are writing it down then why not use the method that is already tested and is considered safe meaning BIp-39?

[odolvlobo]

"!Went>P@r!$&be$tmem0ryev_r" is a good password, but a 12-word or 24-word random seed is more secure. As @pooya87 stated, a password must be weakened in order to be memorizable. Your idea may work for you, but it cannot be recommended for general use.

[NeuroticFish]

and if the password were strong (truly random) then it can't be memorized over long term. they still have to write it down so that they won't forget it (after like in a year)

Actually everything has to be written down - seed words and password - even if it's something very simple.

I've seen cases when people got a stroke and forgot even to walk and of course even their kids' names (!).
One has to think / plan for long term and what I've said can happen because of a car or motorcycle crash too, so it's not age related.

worrying that the (seed phrase 12 or 24 words) is stolen or lost

You can keep the seed written onto paper buried between many other useful and / or useless papers. Most people will not know what's that and what to use it for.
Or you can write here and there onto the pages of a book your seed words.
I mean that a seed has to be written down and it's not too difficult to hide in plain sight.

[hatshepsut93]

No, i am not suggesting to create your password like this. you can create something like !Went>P@r!$&be$tmem0ryev_r

Something that you can create that reflect to your experience and easy to remember and hard to crack

And how is it easy to remember? If it's some sort of substitution scheme, like replacing O with 0, then it's easy to crack, if it's truly random (which can only be generated by some rng and not human mind), then it's really hard to memorize and you will forget it unless your repeat it multiple times per day every single day.

Compared to that, mnemonic seeds have guaranteed sufficient entropy and they are easy to remember because our brains are good at remembering natural words in sequences.

[Darker45]

and if the password were strong (truly random) then it can't be memorized over long term. they still have to write it down so that they won't forget it (after like in a year)

Actually everything has to be written down - seed words and password - even if it's something very simple.

I've seen cases when people got a stroke and forgot even to walk and of course even their kids' names (!).
One has to think / plan for long term and what I've said can happen because of a car or motorcycle crash too, so it's not age related.

If this, then would your suggestion at the bottom still stand?

worrying that the (seed phrase 12 or 24 words) is stolen or lost

You can keep the seed written onto paper buried between many other useful and / or useless papers. Most people will not know what's that and what to use it for.
Or you can write here and there onto the pages of a book your seed words.
I mean that a seed has to be written down and it's not too difficult to hide in plain sight.

I have to admit that it came to me a number of times how quite hard it is to be your own bank, especially if you have tens of BTC. I have a little amount myself and created a total of three copies of my seed words and I can only remember the hiding place of a single copy. I cannot remember where I kept the other two, must be somewhere in the pages of one of my books or under files of old papers. If this tiny box I'm living in right now will catch fire while I am away-- God forbid-- I will lose everything of it. And I also don't deem it safe to keep a copy in my wallet.

If my memory serves me right, I think even Andreas Antonopoulos himself ironically mentioned in an interview that he's got a copy of his seed words written on a piece of paper and kept in a bank's storage.

[Pumuckel21]

No, i am not suggesting to create your password like this. you can create something like !Went>P@r!$&be$tmem0ryev_r

Something that you can create that reflect to your experience and easy to remember and hard to crack

And how is it easy to remember? If it's some sort of substitution scheme, like replacing O with 0, then it's easy to crack, if it's truly random (which can only be generated by some rng and not human mind), then it's really hard to memorize and you will forget it unless your repeat it multiple times per day every single day.

Compared to that, mnemonic seeds have guaranteed sufficient entropy and they are easy to remember because our brains are good at remembering natural words in sequences.

I am totally with you by this point. So I do think that passphrases are much easier to memorize for the human brain than some kind of random generate password with a combination of numbers and letters.

[NeuroticFish]

I have to admit that it came to me a number of times how quite hard it is to be your own bank, especially if you have tens of BTC.

I am on the same page, I don't have a huge problem yet with my private keys, there's no life changing amount to hide 

I have a little amount myself and created a total of three copies of my seed words and I can only remember the hiding place of a single copy. I cannot remember where I kept the other two, must be somewhere in the pages of one of my books or under files of old papers. If this tiny box I'm living in right now will catch fire while I am away-- God forbid-- I will lose everything of it. And I also don't deem it safe to keep a copy in my wallet.

If my memory serves me right, I think even Andreas Antonopoulos himself ironically mentioned in an interview that he's got a copy of his seed words written on a piece of paper and kept in a bank's storage.

Bank's storage can be a valid place since it may be opened only by you or with your death certificate, afaik.
But back at hiding in plain sight: somebody from the family also needs to know where to look, obviously. Preferably somebody who doesn't know much about computers and bitcoin. (So yes, the suggestion still stands.)

And about catching fire, well.. I see it the same as burglars coming in (so this makes crypto steel useless) : backup at somebody else. And this backup can be made in a way only you can understand it - sealed envelope with a "letter" in a specific format to a password protected USB stick... it's up to one's ingenuity. If Bitcoin gets to 100k-500k a piece I will give it a bigger thought. 

[joniboini]

So I do think that passphrases are much easier to memorize for the human brain than some kind of random generate password with a combination of numbers and letters.

You are not suggested to do that. Make a backup (as secure as possible) and don't rely on memory. There are dozens of stories where people forget what's their password or seed and lost their coins.

[dothebeats]

No, i am not suggesting to create your password like this. you can create something like !Went>P@r!$&be$tmem0ryev_r

Something that you can create that reflect to your experience and easy to remember and hard to crack

Ngl. leet speak paired with symbols and everything is actually a good password maker, but humans aren't really good at creating good passwords that are secure enough to keep them safe from hacks. Also, the 12-word seed IMO is easier to keep/hide in plain sight, and more robust and secure rather than a 3-word, 1-phrase combo that you're suggesting of.

Some people keep their 12-word seed in a rather unconventional yet witty way. Let's use these words for example:

Code:

there wake tomorrow carry cold since lose open practice road shame witch 

"There used to be some sort of blabbering around town. Wake, my child, as he often say to his daughter. Tomorrow, we shall feast with the gods! Carry these cloth round town and try to sell them in the market. Cold feet is attributed to being afraid or nervous of the current situation. Since 1971, the gold standard was no longer in effect. Lose something important and you'll never feel the same again. Open-air stadiums are preferable during viral outbreaks. Practice makes perfect, or so they say. Road trips are fun with your friends and family! Shame that I didn't have the last piece of beef. Witch hunting was a popular activity back in the Victorian era.

I for one tried to do this and left the text somewhere inside a book and used it as my bookmark for sometime. It works, it's secure, and no one will ever get interested on it due to its nonsensical phrases and purely unconnected sentences.

[AakZaki]

I have to admit that it came to me a number of times how quite hard it is to be your own bank, especially if you have tens of BTC. I have a little amount myself and created a total of three copies of my seed words and I can only remember the hiding place of a single copy. I cannot remember where I kept the other two, must be somewhere in the pages of one of my books or under files of old papers. If this tiny box I'm living in right now will catch fire while I am away-- God forbid-- I will lose everything of it. And I also don't deem it safe to keep a copy in my wallet.

If my memory serves me right, I think even Andreas Antonopoulos himself ironically mentioned in an interview that he's got a copy of his seed words written on a piece of paper and kept in a bank's storage.

Having a lot of BTC and being a bank for yourself is very difficult, Must be more vigilant and pay attention to the security and confidentiality of the documents that we keep in a place that has been provided. Divide documents in 3 copies must know each place that will be used as storage, not to forget that it is very dangerous if found by someone else. instead of having to keep several copies in your own place, it is better to save in a safer bank deposit and only you open it or there is another power of attorney to open the document besides you.

[alexkrypto]

Something that you can create that reflect to your experience and easy to remember and hard to crack

then that's another problem. almost always, these two can not be achieved together.
people aren't known to be able to create strong passwords. to be able to remember their passwords they always end up with weak ones that could be guessed in most cases.
and if the password were strong (truly random) then it can't be memorized over long term. they still have to write it down so that they won't forget it (after like in a year), and if they are writing it down then why not use the method that is already tested and is considered safe meaning BIp-39?

They can be achieved. I already gave you an example. I can also give you another example like !Went>P@r!S-Be$tMem0ryEv_r

Go check http://rumkin.com/tools/password/passchk.php

You will see,such password achieve more than 128 bits.


Well, the problem with BIP39 is actually many:

1- losing it
2- confiscating it by government
3- robbed by nagger
4- forgetting where you stored seed phrase
5- not easy to cross board and can be confiscated by airport police officers.
6- extracted by hackers if they get access to your hardware wallet for a few minutes https://blog.kraken.com/post/3662/kraken-identifies-critical-flaw-in-trezor-hardware-wallets/
7- Government seize your hardware wallet and extract your seed phrase. So easy to extract your seed https://donjon.ledger.com/Unfixable-Key-Extraction-Attack-on-Trezor/

I am not referring to Trezor only but also Ledger can have the same issue in the future.

Now, do you understand why seed phrase is extremely dangerous?

[alexkrypto]

No, i am not suggesting to create your password like this. you can create something like !Went>P@r!$&be$tmem0ryev_r

Something that you can create that reflect to your experience and easy to remember and hard to crack

And how is it easy to remember? If it's some sort of substitution scheme, like replacing O with 0, then it's easy to crack, if it's truly random (which can only be generated by some rng and not human mind), then it's really hard to memorize and you will forget it unless your repeat it multiple times per day every single day.

Compared to that, mnemonic seeds have guaranteed sufficient entropy and they are easy to remember because our brains are good at remembering natural words in sequences.

Don't you think it is easy to remember such password !Went>P@r!S-Be$tMem0ryEv_r

Well, you're right and wrong at the same time.

Right if you were referring to a traditional way of accessing "username" & "password" on servers, and the hackers can sense your way of creating password is like this.

But with Crypto, it is a different story. First, the hacker needs:

1- to figure out that the public key on blockchain belongs to YOU.
2- then he needs to figure out whether the public key was created based on BIP39 or legacy way (private key only per each public key).
3- then need to know that your way of creating passwords is like this.

You REALLY think it is easier to remember 12 random words (in order) THAN creating a strong password of your choice???

In terms of guaranteed sufficient entropy, you can your own and test it on http://rumkin.com/tools/password/passchk.php

Test for example, !Went>P@r!S-Be$tMem0ryEv_r

[alexkrypto]

"!Went>P@r!$&be$tmem0ryev_r" is a good password, but a 12-word or 24-word random seed is more secure. As @pooya87 stated, a password must be weakened in order to be memorizable. Your idea may work for you, but it cannot be recommended for general use.

That's not true.

!Went>P@r!S-Be$tMem0ryEv_r     is more secure than 12-word random seed

[ranochigo]

They can be achieved. I already gave you an example. I can also give you another example like !Went>P@r!S-Be$tMem0ryEv_r

Go check http://rumkin.com/tools/password/passchk.php

You can. Depending on your method of generating it, it could take a reasonably long time for you to crack it.

Now, do you understand why seed phrase is extremely dangerous?

I highly doubt anyone wold be able to memorize such a confusing passphrase accurately over long periods of time without confusing which of the letters are changed.

BIP39 is actually very useful in terms of the properties that it has. The range of words allows easy correction of the seeds, there is a built in checksum with the seed, it doesn't have to rely on the user's judgement to make a secure password. I bet if people are actually forced to create their own passphrase this way, I would see loads of people asking how to bruteforce their passphrase because they cannot figure out which symbols they inserted. What you've described is basically brainwallet which has been cracked thoroughly and isn't recommended for use. It could be more secure it being salted and it would take a much longer time to bruteforce.

You can certainly keep a passphrase this way, I wouldn't recommend it but it's definitely quite safe if you choose a secure way to generate your private/public keypair.

[alexkrypto]

[/quote]

Bank's storage can be a valid place since it may be opened only by you or with your death certificate, afaik.

[/quote]

I thought the whole point of Bitcoin is be your own bank. If you have to store your seed in a bank storage, what is the point of having Bitcoin in the first place?

[joniboini]

I for one tried to do this and left the text somewhere inside a book and used it as my bookmark for sometime. It works, it's secure, and no one will ever get interested on it due to its nonsensical phrases and purely unconnected sentences.

That's a nice trick. Did that a few times myself but there's still a risk that you can forget you ever do it if you got a stroke or whatever. I think it's nearly impossible to completely eliminate this risk, so making multiple secure backups (and the way you encode it) is always needed.

Btw stop doing multiple posts in a row, it broke forum rules.

[pawanjain]

these "words" are actually representing the "entropy" that is used to generate the individual private keys. so unless you can come up with a way to generate the same level of security entropy (at least 128-bits) using 3 words, it won't work.


You can do it using https://iancoleman.io/bip39/ and i understand you wont achieve 128 bits, this is where the passphrase with strong password is extremely important.

are you really suggesting that memorizing 3 words + something like

Code:

J\{m^"<Aw2ATdn)V96

is easier than memorizing this:

Code:

legal winner thank year wave sausage worth useful legal winner thank yellow

i'm not convinced!

No, i am not suggesting to create your password like this. you can create something like !Went>P@r!$&be$tmem0ryev_r

Something that you can create that reflect to your experience and easy to remember and hard to crack

To be really honest, even that would be easily guessed since
!c@nwr!t3l!k3th!5f0r3v3r

It is predictable. A nerd wont take longer to crack your seed phrase if he digs up a little.
The current seed phrase though works like a charm since it maintains higher security with the given entropy.