Bitcoin Forum
Author Topic: How long to crack 24 word phrase if you know all 24 words out of order?  (Read 1034 times)
Trader Steve (OP)
December 20, 2021, 03:35:37 PM
Merited by vapourminer (2), Welsh (2), hugeblack (2), BlackHatCoiner (1)
 #1

I am curious to know the actual difficulty/cost/time involved to put a 24 word seed phrase in the correct order if you have the 24 words but not the correct order? I can see that there are 24^24 number of combinations but what does that translate into difficulty/time/cost?
Trader Steve (OP)
December 20, 2021, 04:08:17 PM
 #2

The 128 to 256 bits of entropy and the checksum which will add 4 to 8 more bits (depending on the number of bits of entropy) that result to seed phrase generation are secure and safe and making seed phrase brute force impossible.

Even if you have the 24 words to guess from?
PawGo
December 20, 2021, 04:09:44 PM
Merited by vapourminer (2), pooya87 (2), Welsh (2), ABCbits (2), hugeblack (2), BlackHatCoiner (2), Charles-Tim (1)
 #3

I am curious to know the actual difficulty/cost/time involved to put a 24 word seed phrase in the correct order if you have the 24 words but not the correct order? I can see that there are 24^24 number of combinations but what does that translate into difficulty/time/cost?

It is not 24^24 but 24! (=24*23*22*...*2*1).
Think about it that way:
on first position you may have any of 24 words
on second position any word from 23 left
on third position any word from 22 left...

I have prepared something like that in my program: https://github.com/PawelGorny/lostword
Check worker 'PERMUTATION_CHECK'.
Anyway with 24 words..... it is a lot of work.
suchmoon
December 20, 2021, 04:10:36 PM
Merited by bitmover (3), vapourminer (1), ABCbits (1), Charles-Tim (1)
 #4

The 128 to 256 bits of entropy and the checksum which will add 4 to 8 more bits (depending on the number of bits of entropy) that result to seed phrase generation are secure and safe and making seed phrase brute force impossible.

That's not what the OP is asking.

Even if you have the 24 words to guess from?

Still quite unfeasible:

https://bitcoin.stackexchange.com/questions/92540/bruteforcing-a-seed-with-24-words-of-a-unknown-order
Trader Steve (OP)
December 20, 2021, 04:13:08 PM
 #5

Thank you! Very fascinating!
BitMaxz
December 20, 2021, 04:25:10 PM
 #6

I think it all depends on your hardware speed like on btcrecover.py on cracking password, encrypted key, or seed phrase.

They have a list of hardware performance for both CPU and GPU; you can find it here: https://btcrecover.readthedocs.io/en/latest/GPU_Acceleration/
Based on that chart GPU is much faster than CPU.

PawGo
December 20, 2021, 04:32:22 PM
 #7

Of course, much depends on hardware. But:
1) we talk about the most pessimistic scenario (checking all the possibilities) - if you have luck, you may get the correct result after one second
2) you may increase the instantaneous speed of your calculations, but still you will process only a small fraction of all permutations during your life (or until the Sun dies).
bitmover
December 20, 2021, 04:38:40 PM
 #8


Cryptography is really impressive.

Quote
This depends a little bit if all words are independent. If yes there will be 24! = 620.448.401.733.239.439.360.000 permutations of the words. Assuming that your computer can check 1 billion permutations per second (which is way too optimistic as this would assume that a signature / public key could be computed within one clock cycle, which it can't) this would mean that your computer still would need 620.448.401.733.239 seconds which is 19674289 (19.6 million) years as the absolute minor / lower bound. This estimation however does not take into account technological breakthroughs in computing hardware which could very well happen in that time frame (:

19 million years. I am impressed, because at first when I read the topic I thought it was possible.

I am curious to know the actual difficulty/cost/time involved to put a 24 word seed phrase in the correct order if you have the 24 words but not the correct order? I can see that there are 24^24 number of combinations but what does that translate into difficulty/time/cost?

However, if you know the location of some of those words it would be easier (maybe possible) to brute force it. Because the difficulty increases exponentially

o_e_l_e_o
December 20, 2021, 09:36:10 PM
Merited by Welsh (6), vapourminer (3), ABCbits (2), BlackHatCoiner (2), suchmoon (1), pooya87 (1)
 #9

However, if you know the location of some of those words it would be easier (maybe possible) to brute force it. Because the difficulty increases exponentially
With good hardware, btcrecover will descramble a 12 word BIP39 seed phrase in an hour: https://btcrecover.readthedocs.io/en/latest/Usage_Examples/2020-05-02_Descrambling_a_12_word_seed/Example_Descrambling_a_12_word_seed/. Although not exactly the same due to the checksum, let's assume that if you know 12 out of the 24 words then you could descramble the remaining 12 words in roughly the same amount of time.

If you don't know the position of 13 words instead of 12, then there are 13x as many combinations to try, so that would take roughly 13 hours.
For 14 words, 7 days.
For 15 words, 16 weeks.
For 16 words, 5 years.
For 17 words, 85 years.
For 18 words, 1500 years.

No point calculating beyond that really.
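
Added example, not part of any post in this thread and not code from btcrecover or lostword: it recomputes the figures quoted above from n! (24! at 1 billion checks per second, and the 12-words-per-hour extrapolation) and measures how often a shuffled 12-word mnemonic still passes the BIP39 checksum, the effect the estimate above sets aside. Assumptions: words are represented by their 11-bit wordlist indices, a year is 365 days, the entropy value is constructed, and all function names are illustrative.

```python
import hashlib
import math
import random

SECONDS_PER_YEAR = 365 * 24 * 3600  # assumption: 365-day year, matching the quoted figure


def orderings(n_unplaced: int) -> int:
    """Ways to order n distinct words with unknown positions: n!, not n**n."""
    return math.factorial(n_unplaced)


def years_to_exhaust(n_unplaced: int, checks_per_second: float) -> float:
    """Worst case: every ordering is tried at a fixed rate."""
    return orderings(n_unplaced) / checks_per_second / SECONDS_PER_YEAR


def hours_from_baseline(n_unplaced: int, base_words: int = 12, base_hours: float = 1.0) -> float:
    """Scale the thread's baseline (12 scrambled words in about 1 hour) by n!/12!."""
    return base_hours * orderings(n_unplaced) / orderings(base_words)


def entropy_to_indices(entropy: bytes) -> list:
    """BIP39 layout: entropy plus the first ENT/32 bits of SHA-256(entropy), cut into 11-bit indices."""
    cs_bits = len(entropy) * 8 // 32
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    value = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    n_words = (len(entropy) * 8 + cs_bits) // 11
    return [(value >> (11 * (n_words - 1 - i))) & 0x7FF for i in range(n_words)]


def checksum_ok(indices: list) -> bool:
    """True if this ordering of 11-bit word indices carries a valid BIP39 checksum."""
    cs_bits = 11 * len(indices) // 33
    value = 0
    for idx in indices:
        value = (value << 11) | idx
    entropy = (value >> cs_bits).to_bytes((11 * len(indices) - cs_bits) // 8, "big")
    expected = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    return (value & ((1 << cs_bits) - 1)) == expected


def checksum_pass_rate(indices: list, samples: int = 20000, seed: int = 1) -> float:
    """Fraction of random orderings that pass the checksum (about 2**-4 for 12 words)."""
    rng = random.Random(seed)
    words = list(indices)
    hits = 0
    for _ in range(samples):
        rng.shuffle(words)
        hits += checksum_ok(words)
    return hits / samples


if __name__ == "__main__":
    print(f"24! = {orderings(24):,}")
    print(f"24 words at 1e9 checks/s: {years_to_exhaust(24, 1e9):,.0f} years")
    for n in range(13, 19):
        print(f"{n} unplaced words: {hours_from_baseline(n):,.0f} hours")
    sample = entropy_to_indices(bytes(range(1, 17)))  # constructed entropy, not a real wallet
    print(f"shuffles passing the checksum: {checksum_pass_rate(sample):.4f}")
```

The checksum lets a tool discard most orderings after one SHA-256 instead of a full key derivation, but every ordering still has to be generated and hashed, so the n! growth is unchanged.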
suchmoon
December 20, 2021, 09:47:59 PM
Merited by o_e_l_e_o (4), vapourminer (2), NeuroticFish (2), pooya87 (2), ABCbits (2), BlackHatCoiner (2)
 #10

19 million years. I am impressed, because at first when I read the topic I thought it was possible.

It's also based on a very generous assumption about performance (1 billion permutations per second) so probably a lot more than 19 million years. Extrapolating o_e_l_e_o's example takes us into billions of years.

OTOH perhaps some very resourceful entity (a government, or Jeff Bezos) could potentially use millions of supercomputers and do it e.g. in 1 year... the question is - to what end? It's a very narrow use case, doesn't break Bitcoin protocol, and how many wallets are there that could be hacked this way and would justify the likely cost of $trillions?

At any rate, I wouldn't advise scrambling the words as a safety measure, tempting as it may be due to the above. The focus should be on keeping the seed physically secure and easy for the owner to recover.
pooya87
December 21, 2021, 05:15:41 AM
 #11

With good hardware, btcrecover will descramble a 12 word BIP39 seed phrase in an hour:
To be clear the "good hardware" in this context for this duration means a 48-core cloud computing server not a regular good hardware PC. With a PC with the best CPU you would get a couple of hours, possibly 5 or 6.
That's for BIP39 mnemonic, but for Electrum it should take a lot less by a factor of about 12.

PawGo
December 21, 2021, 08:09:01 AM
Last edit: December 22, 2021, 12:14:49 PM by PawGo
Merited by vapourminer (2), hugeblack (2)
 #12

If you don't know the position of 13 words instead of 12, then there are 13x as many combinations to try, so that would take roughly 13 hours.
For 14 words, 7 days.
For 15 words, 16 weeks.
For 16 words, 5 years.
For 17 words, 85 years.
For 18 words, 1500 years.

To be clear the "good hardware" in this context for this duration means a 48-core cloud computing server not a regular good hardware PC. With a PC with the best CPU you would get a couple of hours, possibly 5 or 6.
That's for BIP39 mnemonic, but for Electrum it should take a lot less by a factor of about 12.

Exactly. That's why I am not a big fan of providing exact data and saying "It will take 7 days". It will take 7 days on one specific computer, while on another it would take 6 days or 8 days. If Google or Amazon would like to use their datacenters and their hardware, maybe it would take 5 minutes.
The point is to understand how difficulty (time estimation) changes when we change length of seed - they say size does not matter, but we clearly see the longer the better
o_e_l_e_o
December 21, 2021, 08:31:56 AM
Last edit: December 22, 2021, 05:33:32 AM by o_e_l_e_o
Merited by vapourminer (2), pooya87 (2), ABCbits (1)
 #13

At any rate, I wouldn't advise scrambling the words as a safety measure, tempting as it may be due to the above. The focus should be on keeping the seed physically secure and easy for the owner to recover.
Yeah, this. If you cannot be sure that the safe location you have chosen to secure your seed phrase will remain safe, then your options are either to find a new location, or use one of the standard procedures for adding additional security to your wallet, such as:

  • Use a multi-sig which requires compromising multiple seed phrases to steal your coins
  • Add one or more additional passphrases to access the majority of your coins
  • Encrypt your seed phrase

In all scenarios, the additional information you need (other seed phrases, passphrases, decryption key) should also be backed up on paper and stored in one or more separate safe locations. Whenever people try to roll their own security by scrambling words, applying some sort of home made cipher, etc., it commonly leads to them forgetting what they've done and losing access to their coins.

The point is to understand how difficulty (time estimation) changes when we change length of seed - they say size does not matter, but we clearly see the longer the better
Well, I wouldn't necessarily agree with that conclusion. There is no good reason to scramble your seed phrase, and I would go as far as saying that you shouldn't be storing in a way which means scrambling is even a possibility. You shouldn't be aiming for a longer seed phrase because it is more difficult to unscramble - you should be focusing on keeping your seed phrase safe.
pooya87
December 22, 2021, 04:01:54 AM
 #14

That's why I am not a big fan of providing exact data and saying "It will take 7 days". It will take 7 days on one specific computer, while on another it would take 6 days or 8 days.
In the context of "whether jumbled n-word seed is safe" you are correct but generally speaking stats like this are very useful but as long as they are reported with full details that includes the word count, derivation path, extra word (passphrase) length, and finally the hardware specs.
That way if you are trying to recover a similar case you could have some idea about how long it could take. Which is why I added the specs used in calculation above.

Kakmakr
January 31, 2022, 03:35:57 PM
 #15

OP, Thanks man... this discussion has blown my mind, because I would have thought it would be much easier, if you know the 24 words. Now, I can re-design my strategy to "hide" my seed words in plain sight. (I have a method to store it in plain sight, but with a template to decipher it)

I do this, so that my family would be able to get to my bitcoins when I am gone. They know the answers to my questions and they have the template, so I can make it easier for them now.

19 million years.... Who would have guessed that.

o_e_l_e_o
January 31, 2022, 04:26:47 PM
Merited by DaveF (2)
 #16

Now, I can re-design my strategy to "hide" my seed words in plain sight.
Are you sure? We've just discussed above that 24 scrambled words essentially means your coins are lost forever. Are you sure you want to go scrambling your words? Are you sure you (or your family) will be able to successfully unscramble them?

We have seen countless examples on this forum of people who have come up with their own custom back up methods, including scrambled words, split up words, home made ciphers, etc. and permanently lost access to their coins because they can't remember what they did or how to reverse it. I always caution against any such home-made scheme. As I said in my previous post in this thread, far better to choose an established standard such as multi-sig or encryption.
DaveF
January 31, 2022, 05:17:25 PM
Merited by vapourminer (1)
 #17

I vaguely remember someone trying to put together a list of books that have all the seed words in them. So in theory you could keep a copy on a shelf with other books and it does not look out of place.
All you would need at that point was a way to distinguish which was #1 and #2 and so on. But this goes back YEARS and people were pointing out ways it could go wrong.

IIRC other than a dictionary they could not find one. I never really followed it as it seemed pointless and convoluted. Have to see if I can dig it up.

As @o_e_l_e_o said, stick with what works. Even if you do want to think a bit outside the box when doing it. https://bitcointalk.org/index.php?topic=5363596.0

-Dave

pooya87
February 01, 2022, 04:12:53 AM
 #18

I vaguely remember someone trying to put together a list of books that have all the seed words in them. So in theory you could keep a copy on a shelf with other books and it does not look out of place.
All you would need at that point was a way to distinguish which was #1 and #2 and so on. But this goes back YEARS and people were pointing out ways it could go wrong.
Reinventing the wheel in cryptography is never a good idea for non experts, instead everyone should stick to the already available options. My favorite is always to encrypt the data (plain text mnemonic) using AES256 which is a very strong encryption algorithm, or at the very least the extension word of BIP39 could be used.

o_e_l_e_o
February 05, 2022, 12:18:20 PM
 #19

My favorite is always to encrypt the data (plain text mnemonic) using AES256 which is a very strong encryption algorithm
The reason I don't like this is that it removes one of the main benefits of a seed phrase, which is that it is human readable, easy to write down accurately, easy to check for mistakes, and easy to error correct should you have a few smudged characters or a lost word or two. You lose all this if you encrypt it, and should probably be using a printer to print it out rather than hand write it which adds another layer of risk.

I'm not saying don't use encryption, but the reasons I've given above are why I prefer to add an additional passphrase or use a multi-sig set up rather than encrypting my seed phrase. Passphrases have the added benefit of plausible deniability, while multi-sig has the added benefit of not needing to use a single device (and therefore a single point of failure) to recover the wallet.

DaveF
February 05, 2022, 01:43:51 PM
 #20

... and should probably be using a printer to print it out rather than hand write it which adds another layer of risk....

And use GOOD waterproof paper stored properly.
https://bitcointalk.org/index.php?topic=5296179.0
Using cheap paper, and putting it in a location that can be subject to "stuff" can lead to loss of funds decades down the road.

If you are doing 'short term' cold storage it's one thing.
Planning to give to the grandkids, when you don't have your own kids yet is another.

Just something to think about.

-Dave


