Brute Force And Seed Phrase Security Questions

[jerry0]

So i know brute force means like you try all the combinations..


1. But its a computer entering each one etc over and over right?  And not like a person doing it manually right?  Now with brute force, is it a program that does it or is it a computer?




Now the electrum seed is 12 words.  The nano ledger is 24 words.  I know other wallets have 12 as well and others have 24 in general




2. If say someone has all the words for each electrum and nano ledger s... is your seed basically compromised even if one doesn't know the order of each one?  I gotta assume electrum could easily be done by manually typing each word and combination right?  But with the nano ledger s, a lot more time but thats probably done in days?  And its a program that will brute force it?  Thus you see on the computer and it would auto type all the words and enter each time... then rinse and repeat?  Or is that not how brute force works?




3. How many words being exposed for electrum and nano ledger s would you consider your seed a bit compromised?  Obviously if you give 1-2 words out for electrum or nano ledger s... that is still very safe right?  But obviously electrum is not as safe because less words.  If someone has your first 6 words of electrum or the last 6 words... how long would it take to brute force that?  What about ledger with 12 words... say someone found one half of your 24 word seed?



4. Order is much less important than the words right?  Like is it better to have exposed 6 words of your 24 word seed as oppose to having say 3 words straight of your 24 word seed?




5.  I always felt the 12 word seed in electrum wasn't safe because I thought hey only 12 words and the word list is only over 2000 words or so.  I thought to myself, well imagine I just go to recovery seed in electrum and just trial and error all the words... surely I would make one hit ... but this is basically impossible right?  Because ppl I assume with brute force program could type the combinations of words for them in electrum?  Thus imagine it type each manually by looking at the word list while it would be doing the same but machine doing it and faster... is that right?  I thought well if it keeps entering words... wouldn't it eventually find a match?  Or is there a period where after you type in say 50 combinations and it doesn't work... it can't enter more words until a certain time period?  Like imagine you try to log into your email account with password and you are wrong three times then it won't let you log in for another hour or so etc... but no issue like that with brute force? 

[1715102732]

1715102732

[1715102732]

1715102732

[1715102732]

1715102732

[1715102732]

1715102732

[jerry0]

Another thing.  But all wallets like nano ledger, electrum, armory, coinomi, use the same word list right?  Well what about wallets like myetherwallet, waves, and other types of wallets?  I can't imagine its all the same word list right?  So theres a separate word list for different wallets?  Then again i know most of those wallets might not even have wallets and use my ether wallet right?  But is there is so many wallets generated... how could someone even attempting say ten thousand different combinations not even generate a hit?



Surely someone has found crypto this way right?  I mean i dont know exactly how many combinations there are... but its not like okay you need to hit exactly one of these combinations... theres so many combinations of seed words.



Also does anyone have a clue how many seeds are generated in total for electrum or nano ledger s?  I thought with so many wallets out there... even if you brute force... how could you not hit one of them... or is my logic incorrect here?  Its not like okay I can try it only few times then it locks and you can't try anymore like when you attempt too many passwords for your email if you are wrong.

[OROBTC]

...

I think we're good on defense vs. Brute Force attacks, even with the 12 seed word wallets.  That works out to some 2048^12 word combinations (a comfortably large number).  

https://github.com/bitcoin/bips/blob/master/bip-0039/english.txt

Yes, the word order is very important!

I would just add here, FYI everyone, that the words can be "re-used" within that seed, that is, I once generated a 12 word seed, and one of the words was used TWICE.



EDIT: I will leave most of your questions for those more advanced than I am in the technical aspects of wallets & seeds.

[nc50lc]

1. But its a computer entering each one etc over and over right?  And not like a person doing it manually right?  Now with brute force, is it a program that does it or is it a computer?

Technically, a person manually typing random seed phrases is also considered "bruteforce".
Wiki: Brute-force.

2. If say someone has all the words for each electrum and nano ledger s... is your seed basically compromised even if one doesn't know the order of each one?

If that happened, it's only a matter of time before 'the one who has the jumbled words' find the correct order.
12-words have about half a billion combinations that a typical computer can do in minutes/hours using BTCRecover (given that he knows one of the wallet's addresses).
24-words can stretch the time a lot longer but getting the correct order once all of the words got compromised is still inevitable.

3. How many words being exposed for electrum and nano ledger s would you consider your seed a bit compromised?  Obviously if you give 1-2 words out for electrum or nano ledger s... that is still very safe right?  But obviously electrum is not as safe because less words.  If someone has your first 6 words of electrum or the last 6 words... how long would it take to brute force that?  What about ledger with 12 words... say someone found one half of your 24 word seed?

12-words is indeed less secure than 24 but that doesn't make it unsecure.
If the attacker if bruteforcing the words than the "entropy", then just base it from the number of possible permutations;
like for example, 6 out of 12 words was compromised: 2048^6 = 73,786,976,294,838,206,464 which still a lot for a regular computer but you can consider it compromised.
For leaked 1 or 2 words, I can tell that it's not enough to be compromised.

4. Order is much less important than the words right?  Like is it better to have exposed 6 words of your 24 word seed as oppose to having say 3 words straight of your 24 word seed?

Hmm, when it comes with exposing only a portion of the seed phrase, the attacker would never know if it's the correct order or straight.
I think, normally, an attacker will try to fill the missing words at the end or start first thus a seed phrase in a random order is much safer IMO.

5.  I always felt the 12 word seed in electrum wasn't safe because I thought hey only 12 words and the word list is only over 2000 words or so.  I thought to myself, well imagine I just go to recovery seed in electrum and just trial and error all the words... surely I would make one hit ... but this is basically impossible right?

As said by the above post, there too many combinations for a 12-word seed to be considered unsecure.
2048^12 is equal to 5,444,517,870,735,015,415,413,993,718,908,291,383,296 combinations.
I doesn't look much (that's why BIP39 wasn't implemented in Bitcoin Core) but the number is still impossible to bruteforce with the current supercomputers.

Surely someone has found crypto this way right?  I mean i dont know exactly how many combinations there are... but its not like okay you need to hit exactly one of these combinations... theres so many combinations of seed words.

So far, there's none, if you can find some article or news about a seed-phrase collision, it's an FUD.

[pooya87]

3. How many words being exposed for electrum and nano ledger s would you consider your seed a bit compromised?  Obviously if you give 1-2 words out for electrum or nano ledger s... that is still very safe right?  But obviously electrum is not as safe because less words.  If someone has your first 6 words of electrum or the last 6 words... how long would it take to brute force that?  What about ledger with 12 words... say someone found one half of your 24 word seed?

12-words is indeed less secure than 24 but that doesn't make it unsecure.
If the attacker if bruteforcing the words than the "entropy", then just base it from the number of possible permutations;
like for example, 6 out of 12 words was compromised: 2048^6 = 73,786,976,294,838,206,464 which still a lot for a regular computer but you can consider it compromised.
For leaked 1 or 2 words, I can tell that it's not enough to be compromised.

keep in mind that while this is theoretically correct, realistically the situation can be very different. if a portion of your seed phrase is leaked it is reasonable to assume the entirety of it could also leak because there is something seriously wrong with your security! so in a situation where you know some number of words of your seed phrase is leaked you must create a new wallet and transfer all your funds to that one.

[bob123]

So i know brute force means like you try all the combinations..
1. But its a computer entering each one etc over and over right?  And not like a person doing it manually right?  Now with brute force, is it a program that does it or is it a computer?

 
Theoretically, both is called bruteforcing.
But if you'd want to try to bruteforce a mnemonic (or a password or whatever), i'd recommend you use a computer for that.

~snip~

Your 12 word mnemonic is secure.
4-5 words can be bruteforced quite easily currently. But you shouldn't think about it, since you shouldn't expose any words of your mnemonic at all.

Better keep it completely secure than to think about how many words you could expose and still be safe.

[o_e_l_e_o]

12-words have about half a billion combinations that a typical computer can do in minutes/hours using BTCRecover (given that he knows one of the wallet's addresses).
24-words can stretch the time a lot longer but getting the correct order once all of the words got compromised is still inevitable.

I think that's a little misleading.

12! is indeed half a billion, and could be brute forced in a few hours, as you say.
However, 24! is over 1 quadrillion times bigger than that.

Even if 12! could be brute forced in a single second, 24! would take over 41 million years.

I still wouldn't feel at all comfortable knowing that all 24 words of my seed phrase had been leaked, and I would still move all my coins to a new wallet as soon as possible, but practically speaking, they would still be safe for all intents and purposes.

4-5 words can be bruteforced quite easily currently.

Again, I don't think that's quite accurate.

This person bruteforced 4 words: https://medium.com/@johncantrell97/how-i-checked-over-1-trillion-mnemonics-in-30-hours-to-win-a-bitcoin-635fe051a752
On his own computer it would have taken him 25 years. By spending $350 renting cloud computing he was able to do it in 30 hours. If you make that 5 words, rather than 4, then it would have cost him $350*2048 = $716,800 and would have taken him 30 hours*2048 = ~7 years.

I think 4 words is the limit of what could be called "easily" brute forced (and even then, it's not that easy). 5 words is potentially possibly, but only with a significant amount of time, money, and resources.

[jerry0]

So i know brute force means like you try all the combinations..
1. But its a computer entering each one etc over and over right?  And not like a person doing it manually right?  Now with brute force, is it a program that does it or is it a computer?

 
Theoretically, both is called bruteforcing.
But if you'd want to try to bruteforce a mnemonic (or a password or whatever), i'd recommend you use a computer for that.

~snip~

Your 12 word mnemonic is secure.
4-5 words can be bruteforced quite easily currently. But you shouldn't think about it, since you shouldn't expose any words of your mnemonic at all.

Better keep it completely secure than to think about how many words you could expose and still be safe.

Well if you do it manually, you are basically typing it yourself which is time consuming... but when a computer does it... can someone explain how that works?  So you would see on the screen... it typing those word combinations and pressing enter each time... then move on to the next word etc?  You can do this with a computer you have or you need to buy special equipment for it?

[jerry0]

I think 4 words is the limit of what could be called "easily" brute forced (and even then, it's not that easy). 5 words is potentially possibly, but only with a significant amount of time, money, and resources.



You mean out of twelve words right?  So how much is limit for the twenty four word seed?



Well my thoughts are with just a twelve word seed... if you keep entering different combinations... why would it be hard to hit just one?  Because its not like okay theres 9999999999999999 combinations and you need to hit exactly one.  I mean theres tons of addresses out there so its like how could you not hit one.. does that make sense with my logic?  I mean with all the possible combination of seeds... does anyone know what percentage of them contain btc?  Like imagine you hit a twelve word phrase but then it shows 0 btc... but you hit the phrase correctly right?  But if you enter wrong seed, it shows error?

[o_e_l_e_o]

but when a computer does it... can someone explain how that works?

It creates a combination, checks that it is valid, and if it is then goes through the process of turning that combination of words in to usually either a master public key which it can compare against one you have entered, or in to an address which it compare against one you have entered or the blockchain for any previous transactions.

So you would see on the screen... it typing those word combinations and pressing enter each time... then move on to the next word etc?

I mean, you could write a program to do this if you wanted, but given that it could likely check tens of thousands combinations a second, then there really is no point.

You mean out of twelve words right?  So how much is limit for the twenty four word seed?

The same. If you are missing 4 words then there are 2048⁴ possible combinations, regardless of how many total words there.

I mean theres tons of addresses out there so its like how could you not hit one

Because there are this many possible valid 12 word seeds:
340,282,366,920,938,463,463,374,607,431,768,211,456

And there only approximately 30 million bitcoin addresses with balance on them. Divide those two numbers and you get a roughly 1 in 11 million trillion trillion chance of finding a collision. (Now, this is not quite accurate since any seed can generate potentially billions of addresses, but you get the idea.)

[jerry0]

but when a computer does it... can someone explain how that works?

It creates a combination, checks that it is valid, and if it is then goes through the process of turning that combination of words in to usually either a master public key which it can compare against one you have entered, or in to an address which it compare against one you have entered or the blockchain for any previous transactions.

So you would see on the screen... it typing those word combinations and pressing enter each time... then move on to the next word etc?

I mean, you could write a program to do this if you wanted, but given that it could likely check tens of thousands combinations a second, then there really is no point.

You mean out of twelve words right?  So how much is limit for the twenty four word seed?

The same. If you are missing 4 words then there are 2048⁴ possible combinations, regardless of how many total words there.

I mean theres tons of addresses out there so its like how could you not hit one

Because there are this many possible valid 12 word seeds:
340,282,366,920,938,463,463,374,607,431,768,211,456

And there only approximately 30 million bitcoin addresses with balance on them. Divide those two numbers and you get a roughly 1 in 11 million trillion trillion chance of finding a collision. (Now, this is not quite accurate since any seed can generate potentially billions of addresses, but you get the idea.)

I had no idea there was this much seeds possible out of just 12 word seeds.  But how do you know there is 30 million bitcoin addresses with balance on them?  Where did you find this information out?


So you telling me on average, one address has around 0.6 btc in each wallet?  That seems way too high don't you think?  Obviously there are wallets with say 1000 btc in it and some with much less etc... but isn't like 95% of bitcoin addresses contain 1 or less btc and its more like 80% contain 0.5 btc or less or something like that?


Well take a look at those combinations.  I do know that a seed that repeat itself.  So you telling me some seeds would include seeds that repeat itself more than twice?  Here is the issue though.  Wouldn't that mean with all those combinations... then say the word is OVER.  I'm not sure if OVER is a word in the word list or not. So wouldn't OVER written 12 or 24 times be a possible seed?  Imagine when someone generates a seed with their nano ledger s or electrum... ley say it was electrum... and the seed was like



Over Over Dog Over Over Over Over Over Over Over Over Over


First off... this is possible for electrum or nano ledger s to generate this seed right?  Because if so, wouldn't you not want this seed since it repeats itself every word except Dog? 


Like if you know about seeds and generate a new seed and a word shows up say 6 times in a 24 word seed... surely you would reject it?  I mean I certainly wouldn't want a seed that repeats itself this many times right?


So with all those combinations of just 12 word seeds, what percentage of them uses the same word once?  Twice?  Three times?  Imagine 6 times?  Surely you wouldn't feel safe with that seed right?

[o_e_l_e_o]

But how do you know there is 30 million bitcoin addresses with balance on them?  Where did you find this information out?

Loyce has generated a list of all addresses with a balance from Blockchair's data dumps. There are 30 million entries. See: List of all Bitcoin addresses with a balance

So you telling me some seeds would include seeds that repeat itself more than twice?

Yes. There is no rule against words being repeated.

then say the word is OVER.  I'm not sure if OVER is a word in the word list or not. So wouldn't OVER written 12 or 24 times be a possible seed?

The word "over" is indeed in the BIP39 list. However, the word over repeated 12 times is not a valid seed phrase, because the final word of each BIP39 phrase contains a checksum within it, and the checksum would be incorrect in this case. However, the phrase

Code:

over over over over over over over over over over over ostrich

Is perfectly valid. Or if you want to go with 24 words, the valid phrase would be:

Code:

over over over over over over over over over over over over over over over over over over over over over over over nothing

First off... this is possible for electrum or nano ledger s to generate this seed right?  Because if so, wouldn't you not want this seed since it repeats itself every word except Dog?

Yes, it is entirely possible to generate this seed phrase. I do agree though, that if my wallet generated a seed phrase with 11 repeating words, I'd probably create another one.

[jerry0]

But how do you know there is 30 million bitcoin addresses with balance on them?  Where did you find this information out?

Loyce has generated a list of all addresses with a balance from Blockchair's data dumps. There are 30 million entries. See: List of all Bitcoin addresses with a balance

So you telling me some seeds would include seeds that repeat itself more than twice?

Yes. There is no rule against words being repeated.

then say the word is OVER.  I'm not sure if OVER is a word in the word list or not. So wouldn't OVER written 12 or 24 times be a possible seed?

The word "over" is indeed in the BIP39 list. However, the word over repeated 12 times is not a valid seed phrase, because the final word of each BIP39 phrase contains a checksum within it, and the checksum would be incorrect in this case. However, the phrase

Code:

over over over over over over over over over over over ostrich

Is perfectly valid. Or if you want to go with 24 words, the valid phrase would be:

Code:

over over over over over over over over over over over over over over over over over over over over over over over nothing

First off... this is possible for electrum or nano ledger s to generate this seed right?  Because if so, wouldn't you not want this seed since it repeats itself every word except Dog?

Yes, it is entirely possible to generate this seed phrase. I do agree though, that if my wallet generated a seed phrase with 11 repeating words, I'd probably create another one.

Okay didn't know there were that much addresses with a balance.

Okay so OVER is a word... again i had no idea it was or not... but you say having OVER written like this


over over over over over over over over over over over ostrich

over over over over over over over over over over over over over over over over over over over over over over over nothing




Is actually valid... that is crazy.  But if it was someone who just created a wallet, wouldn't they probably not think that much of it though... but it looks weird?


I gotta assume ppl who when they got their seed... if it repeated once or twice, they probably get a new seed? 


Well im surprised how someone can't just hit a 12 word seed then... I would thought it wouldn't take that much time to hit even one.  But you sure nobody has found a balance this way though?  I have to assume some do but its only if they got a portion of the seed?  I mean if someone found a bitcoin address this way, wouldn't it be not safe for them to say hey i found a working seed though?

[pooya87]

You mean out of twelve words right?  So how much is limit for the twenty four word seed?

The same. If you are missing 4 words then there are 2048⁴ possible combinations, regardless of how many total words there.

speed-wise recovering a missing word in a 24-word mnemonic should have a slight edge over smaller number of words such as 12 because there is far less number of collisions in 8-bit checksum than there is in 4.

Is actually valid... that is crazy.  But if it was someone who just created a wallet, wouldn't they probably not think that much of it though... but it looks weird?

if someone did create such a mnemonic they should doubt the correctness of the RNG that their wallet is using because this type of distribution in the entropy is highly unlikely if the bits were generated randomly.

Well im surprised how someone can't just hit a 12 word seed then... I would thought it wouldn't take that much time to hit even one.

it could help if you stopped thinking about finding X number of words and think in terms of the entropy size these words represent. a 12-word mnemonic represents 128 bits of entropy and that is why it is not possible to randomly find one with balance in it.

[HCP]

If it makes a difference... your "over over over over over over over over over over over ostrich" 12 word seed mnemonic is actually just an encoding of 132 bits (128 bits entropy + 4 bits checksum):

Code:

100111011111001110111110011101111100111011111001110111110011101111100111011111001110111110011101111100111011111001110111110011100111

Just because something looks "simple" to you when shown as some english words, does not mean that the underlying entropy is low. That's kind of the entire point of seed mnemonics. They're meant to allow humans to easily process (and "store") ridiculously large entropy values while minimising the chances for error.

Would you rather attempt to write down (and verify):

Code:

define stamp mistake episode suit need crop drop submit syrup swing approve

or

Code:

001110011001101010001110001101111010010111111101100100010010011110001100111110100001101111011000000110111001011101110000000001010110

[jerry0]

Okay just to confirm, so if someone were to try to brute force and say the seed they wrote down is incorrect... it would show an error right such as this seed is not correct? 


As oppose to it just opening and showing no balance?


Still... how is it possible that a seed can't be brute forced if there are so many addresses out there and so many wallets?  Example with electrum and nano ledger s, waves, myetherwallet, bitcore and all of those?  But are the word seed list for those other wallets like waves and myetherwallet the same as for electrum/nano ledger s?

[Pmalek]

Still... how is it possible that a seed can't be brute forced if there are so many addresses out there and so many wallets?  Example with electrum and nano ledger s, waves, myetherwallet, bitcore and all of those?  But are the word seed list for those other wallets like waves and myetherwallet the same as for electrum/nano ledger s?

An Electrum seed is not the same as a Ledger Nano S generated seed. Ledger generates BIP39 seeds, Electrum doesn't. They have their own standard, however, Electrum also uses the same wordlist as other BIP39 seeds. Just by looking at a 12-word seed, you wouldn't be able to distinguish a Ledger from an Electrum-generated seed.

Any words that belong to the BIP39 words list will generate a wallet with addresses. You can try it yourself. Open your Electrum > click on standard wallet  > click on I already have a seed > open the options menu and tick the BIP39 options. Now enter any sequence of 12 words and click on next. Electrum will generate a wallet based on your entries. 

[o_e_l_e_o]

Okay just to confirm, so if someone were to try to brute force and say the seed they wrote down is incorrect... it would show an error right such as this seed is not correct?

BIP39 seed phrases have a checksum built in to them. If you have the incorrect words, then with a 12 word seed phrase there is a 1 in 16 chance on average of having a correct checksum by pure luck. With a 24 word seed phrase, there is a 1 in 256 chance on average of having the correct checksum by pure luck. Most wallets would not let you proceed with an invalid checksum, but some like Electrum will simply tell you the checksum is invalid but still allow you to generate a wallet using that seed phrase. Note that a seed phrase with an incorrect checksum will generate a different wallet when compared to the same seed phrase with the correct checksum (or the same seed phrase with a different incorrect checksum).

Still... how is it possible that a seed can't be brute forced if there are so many addresses out there and so many wallets?

Because a 12 word seed phrase encodes 128 bits of entropy. This is the same security as any given bitcoin private key. The reason people can't just randomly guess seed phrases is the same reason people can't just randomly guess private keys - the human race would be extinct before you even searched a tiny fraction of a millionth of a percent of all the possibilities.

[Cazemiro]

But how do you know there is 30 million bitcoin addresses with balance on them?  Where did you find this information out?

Loyce has generated a list of all addresses with a balance from Blockchair's data dumps. There are 30 million entries. See: List of all Bitcoin addresses with a balance

So you telling me some seeds would include seeds that repeat itself more than twice?

Yes. There is no rule against words being repeated.

then say the word is OVER.  I'm not sure if OVER is a word in the word list or not. So wouldn't OVER written 12 or 24 times be a possible seed?

The word "over" is indeed in the BIP39 list. However, the word over repeated 12 times is not a valid seed phrase, because the final word of each BIP39 phrase contains a checksum within it, and the checksum would be incorrect in this case. However, the phrase

Code:

over over over over over over over over over over over ostrich

Is perfectly valid. Or if you want to go with 24 words, the valid phrase would be:

Code:

over over over over over over over over over over over over over over over over over over over over over over over nothing

First off... this is possible for electrum or nano ledger s to generate this seed right?  Because if so, wouldn't you not want this seed since it repeats itself every word except Dog?

Yes, it is entirely possible to generate this seed phrase. I do agree though, that if my wallet generated a seed phrase with 11 repeating words, I'd probably create another one.

Okay didn't know there were that much addresses with a balance.

Okay so OVER is a word... again i had no idea it was or not... but you say having OVER written like this


over over over over over over over over over over over ostrich

over over over over over over over over over over over over over over over over over over over over over over over nothing




Is actually valid... that is crazy.  But if it was someone who just created a wallet, wouldn't they probably not think that much of it though... but it looks weird?


I gotta assume ppl who when they got their seed... if it repeated once or twice, they probably get a new seed? 


Well im surprised how someone can't just hit a 12 word seed then... I would thought it wouldn't take that much time to hit even one.  But you sure nobody has found a balance this way though?  I have to assume some do but its only if they got a portion of the seed?  I mean if someone found a bitcoin address this way, wouldn't it be not safe for them to say hey i found a working seed though?

Only for education purpose, it's possible to create a seed with only one word.

Example:
action action action action action action action action action action action action

And have a lot of similar cases.
 
Using the word action and the site iancoleman, the time to crack is only 65 years, in this case not so secure...
https://iancoleman.io/bip39/

Answering your question, is 100% safe the Mnemonic Code.

[pooya87]

Only for education purpose, it's possible to create a seed with only one word.
Example:
action action action action action action action action action action action action

And have a lot of similar cases.
Using the word action and the site iancoleman, the time to crack is only 65 years, in this case not so secure...

If you manually create a mnemonic like this, then it is no longer a "seed" but a brainwallet and it is not safe at all because there is no randomness in the entropy that was used at all.
The time it takes to crack it is also in seconds not years because all it takes is someone trying all the combinations of 2048 words where all words are the same (check 2048 seed phrases in total).