Electrum: Urgent question on seed phrase and pass phrase

[o_e_l_e_o]

True, the existing bitcoin wallet crackers such as hashcat and btcrecover, do not support this kind of recovery with seed phrase input at this time,

btcrecover does support brute forcing passphrases if you have the valid seed phrase, for both BIP39 and Electrum wallets. You can also do it with an address database looking for any used addresses if you don't know the master public key or any of the receiving addresses within the passphrased wallet. There are some basic instructions here: https://btcrecover.readthedocs.io/en/latest/TUTORIAL/#bip-39-passphrases-electrum-extra-words. There are also some example commands available here: https://btcrecover.readthedocs.io/en/latest/Usage_Examples/basic_password_recoveries/#bip39-passphrase-protected-wallets-electrum-extra-words

I don't think Electrum limits the length of the passphrase.

That is correct. Hardware wallets such as Trezor and Ledger both have a character limit on passphrases (50 and 100 characters respectively last I checked), but Electrum sets no limit, so the only limit would be the input limit for HMAC-SHA512 (or, in reality, how long a passphrase your computer can handle before it freezes).

[1715056167]

1715056167

[1715056167]

1715056167

[Coin-Keeper]

Oeleo said:

That is correct. Hardware wallets such as Trezor and Ledger both have a character limit on passphrases (50 and 100 characters respectively last I checked), but Electrum sets no limit, so the only limit would be the input limit for HMAC-SHA512 (or, in reality, how long a passphrase your computer can handle before it freezes).

Realistically there is no difference between 50 characters and unlimited in the real world.  If you saw the 40 digit passphrases I use with my Trezors you would have to acknowledge there is no way in hell to brute force them even with the imaginary Quantum machine of tomorrow.

With a 40 character passphrase and Segwit (bc1) mathematics it takes a pretty hefty computer about 30 seconds to generate a new wallet.

[pooya87]

Realistically there is no difference between 50 characters and unlimited in the real world.  If you saw the 40 digit passphrases I use with my Trezors you would have to acknowledge there is no way in hell to brute force them even with the imaginary Quantum machine of tomorrow.

Length alone is not the reason why it can not be realistically brute forced. The reason is the entropy that passphrase provides. For example if you use a known or popular phrase such as from a popular poem then you may not actually having any extra security.

For example "the quick brown fox jumps over the lazy dog" is 43 characters yet it would take a second to brute force this.

With a 40 character passphrase and Segwit (bc1) mathematics it takes a pretty hefty computer about 30 seconds to generate a new wallet.

There must be something wrong with your computer or the code you used to test this because the length of the passphrase is not going to add any extra time.
The passphrase (used as PBKDF2 salt) is only affecting the first HMACSHA512 and with 52 byte length the HMACSHA512 under the hood performs the same exact operations as for a 12 byte salt length (no passphrase) simply because it is smaller than SHA512 block size which is 128 byte. (Salt is "mnemonic" + passphrase + 4 byte block number).

[DireWolfM14]

Your seed is designed to allow the user to access the coins with the seed only in the case of 2FA.

Yeah, if your seed ends up in google search results, 2FA will do nothing to protect your funds.  A passphrase can be set up with along with a 2FA wallet, and just like above, that would help somewhat.

If your passphrase is long and random enough, there is very little chance someone would ever be able to be able to bruteforce it. I don't think Electrum limits the length of the passphrase. If it is long enough, then it would be equivalent to be bruteforcing without any prior information.

I don't think Electrum has a limit to the length of an extension, but some hardware wallets do.  Trezor has a limit of about 50 characters, so if you want to add an extension to a Bip39 seed phrase and want it compatible with hardware wallets, that'll be a limiting factor.

[ranochigo]

I don't think Electrum has a limit to the length of an extension, but some hardware wallets do.  Trezor has a limit of about 50 characters, so if you want to add an extension to a Bip39 seed phrase and want it compatible with hardware wallets, that'll be a limiting factor.

You should never use a seed generated through anything other than the HW wallet itself if you're primarily using it on a hardware wallet. That is a non-issue as you probably wouldn't want to expose your seed (and passphrase) to an Electrum instance while using Trezor.

[o_e_l_e_o]

Realistically there is no difference between 50 characters and unlimited in the real world.

If you are drawing from the full set of 95 ASCII characters, and your password is truly random, then you only need 21 characters to have more entropy than both a BIP39 or Electrum 12 word seed phrase, and 39 characters to have more entropy than a BIP39 24 word seed phrase. The problem is that the majority of people (unlike you, by the sounds of things) don't do this, will limit themselves to letters, maybe numbers, maybe a few symbols, and most passphrases are based around words or phrases, and so the entropy of them are greatly reduced.

[hosseinimr93]

If you are drawing from the full set of 95 ASCII characters, and your password is truly random, then you only need 21 characters to have more entropy than both a BIP39 or Electrum 12 word seed phrase,

Correct me if I'm wrong, please. Perhaps, I am missing something here.

A 12-word seed phrase can produce 2¹²⁸ = 3.40 *10³⁸ bits of entropy.
For producing more entropy using ASCII characters, we need 20 characters, not 21.

20 ASCII characters can produce 95²⁰ = 3.58 * 10³⁹ bits of entropy.

[o_e_l_e_o]

-snip-

Electrum 12 word seed phrases have 132 bits of entropy, not 128 bits like BIP39 seed phrases. I was using 21 characters as a "catch-all" for both Electrum and BIP39 seed phrases, since we are on the Electrum sub-board. You are also correct, however, and if considering only BIP39 12 word seed phrases, then 20 characters are sufficient.

then you only need 21 characters to have more entropy than both a BIP39 or Electrum 12 word seed phrase, and 39 characters to have more entropy than a BIP39 24 word seed phrase.

[hosseinimr93]

Electrum 12 word seed phrases have 132 bits of entropy, not 128 bits like BIP39 seed phrases.

Thanks for the information. I didn't know this.
But, why 132 bits of entropy? Don't we have any checksum?

Each word generates 11 bits of entropy. Since we have 12 words, we have 11*12=132 bits of entropy. Am I Right?
If there are 132 bits of entropy, any series of 12 words should be a valid seed phrase.

Why isn't the seed phrase shown in the following image valid?

[o_e_l_e_o]

But, why 132 bits of entropy? Don't we have any checksum?

Electrum seed phrases do not include a checksum in the same way as BIP39 seed phrases. Rather, Electrum generates a 12 word seed phrase, hashes it, and checks if the first 8-12 bits of the hash match the correct version number (01 for legacy, 100 for segwit, 101 for 2FA). If the version number is correct, then the seed phrase is displayed to the user. If the version number is incorrect, then the entropy is increased by 1 and the new seed phrase is hashed and checked as above, until a seed phrase with the correct version number is found.

For this reason, there is no checksum encoded in the words themselves, and so the phrase has 12*11 = 132 bits of entropy, but at the same time, since the hash of the phrase has to meet certain criteria, then not every seed phrase is valid. This is also how Electrum will automatically identify whether one of its own seed phrases is legacy, segwit, or 2FA, and not ask for any derivation paths like it would when restoring BIP39 seed phrases, since each seed phrase already encodes the type of wallet it is used to generate.

You can read more about the process here: https://electrum.readthedocs.io/en/latest/seedphrase.html

[DireWolfM14]

I don't think Electrum has a limit to the length of an extension, but some hardware wallets do.  Trezor has a limit of about 50 characters, so if you want to add an extension to a Bip39 seed phrase and want it compatible with hardware wallets, that'll be a limiting factor.

You should never use a seed generated through anything other than the HW wallet itself if you're primarily using it on a hardware wallet. That is a non-issue as you probably wouldn't want to expose your seed (and passphrase) to an Electrum instance while using Trezor.

That wasn't a recommendation, merely an observation.  Generally I agree with you, however there are ways to safely and securely create a Bip39 seed phrase on an offline machine that can be used with Electrum or a hardware wallet.  Many here have warned about using Ian Coleman's Bip39 tool, siting the concern that a browser doesn't provide enough entropy.  However, the Bip39 tool does provide the option of entering your own entropy, and /dev/urandom can be used create a HEX string with the desired entropy.

Please correct me if I'm wrong, but I don't see that as any less secure than allowing a hardware wallet to generate a seed.

[ranochigo]

That wasn't a recommendation, merely an observation.  Generally I agree with you, however there are ways to safely and securely create a Bip39 seed phrase on an offline machine that can be used with Electrum or a hardware wallet.  Many here have warned about using Ian Coleman's Bip39 tool, siting the concern that a browser doesn't provide enough entropy.  However, the Bip39 tool does provide the option of entering your own entropy, and /dev/urandom can be used create a HEX string with the desired entropy.

Please correct me if I'm wrong, but I don't see that as any less secure than allowing a hardware wallet to generate a seed.

I never really recommend people to generate seeds outside of their hardware wallets. If you're using a hardware wallet, the seeds should be generated within the hardware wallet which is a completely isolated environment with little risks of it getting compromised. Most people are often unable to properly create a truly isolated and sanitized environment and that makes this a pretty bad idea.

If you are thinking of creating your own seed outside of your hardware wallet, then you might be better off not spending a hundred bucks on a hardware wallet and instead just use an air-gapped wallet. Having a seed generated on an offline computer pretty much guarantees that the seed is only as secure as how you've generated the seed in the first place.

[o_e_l_e_o]

Please correct me if I'm wrong, but I don't see that as any less secure than allowing a hardware wallet to generate a seed.

I agree with ranochigo. If done perfectly, then yes, a seed generated using /dev/urandom or fair and random coin flips on a clean airgapped and encrypted device is going to be just as secure as a seed phrase generated on a hardware wallet (perhaps even more so if your hardware wallet is not fully open source). The issue is the level of complexity in doing that. Almost everyone can plug in a hardware wallet, follow the easily laid out instructions, and generate a seed phrase securely, whereas even fairly tech savvy people can mess up when trying to create an airgapped device and generate a seed phrase themselves. If you don't trust the seed phrase that the hardware wallet has generated for you, then why are you trusting the hardware wallet at all? If you want to generate your own seed phrase, then you might as well just set up an Electrum cold wallet or similar.

I use both hardware wallets and airgapped and paper wallets with seed phrases I have generated myself, but I spent a long time testing my set up to be sure I was happy with the security of the seed phrases I was generating.