How long to crack 24 word phrase if you know all 24 words out of order?

[pooya87]

The reason I don't like this is that it removes one of the main benefits of a seed phrase, which is that it is human readable, easy to write down accurately, easy to check for mistakes, and easy to error correct should you have a few smudged characters or a lost word or two. You lose all this if encrypt it, and should probably be using a printer to print it out rather than hand write it which adds another layer of risk.

No, you don't lose it. When you encrypt a 128-bit entropy for example, you end up with 128-bit encrypted data if you don't use IV. You can easily convert that to a human readable format, like with already available algorithm such as BIP39.
As an example you can check out BIP38 where we encrypt the 256-bit private key and get 256-bit result which we encode using base58. Just replace the last step with BIP39. You can even use a BIP39 library/tool that takes entropy.

[1714259933]

1714259933

[1714259933]

1714259933

[1714259933]

1714259933

[1714259933]

1714259933

[1714259933]

1714259933

[1714259933]

1714259933

[o_e_l_e_o]

So when you use this, what are you encrypting? The actual words of the seed phrase, or the binary representation?

I would argue that manually converting an encrypted seed phrase in to another set of BIP39 words is overly complicated for the majority of users. Some may well try to do it manually which creates the risk for error, and using a BIP39 tool could have unpredictable results as it tries to "fix" the incorrect checksum at the end or truncates some of the data you enter.

It would be better if there was a standardized way of doing this similar to BIP38. In the meantime I prefer to use methods which are standardized, such as multi-sig or passphrases.

[pooya87]

So when you use this, what are you encrypting? The actual words of the seed phrase, or the binary representation?

The binary, just like BIP38. In fact that is why I used that example above. If I do anything else the length could be arbitrary and encoding becomes slightly more complicated.

I would argue that manually converting an encrypted seed phrase in to another set of BIP39 words is overly complicated for the majority of users. Some may well try to do it manually which creates the risk for error, and using a BIP39 tool could have unpredictable results as it tries to "fix" the incorrect checksum at the end or truncates some of the data you enter.

It would be better if there was a standardized way of doing this similar to BIP38. In the meantime I prefer to use methods which are standardized, such as multi-sig or passphrases.

No arguments there. My method requires some knowledge of programming since there isn't any implementations of it as far as I know but it is pretty simple to do.
I really hope someone comes up with a BIP38 like proposal for mnemonics to standardize it (at least to some extent).

[alwaysmyn]

I also scrambled my 24 seedphrase and added 1 word to make it more difficult  saved it on my emails and other places less secured. I am confident that no one will be able to guess it including me. And that's the reason why I wrote down the sequence like a code and made it into an NFT so it have a record in blockchain and will never be lost. So when the time comes that I want to access my assets, I will just search for my NFT in opensea (contains the code) and then run through my email for my scrambled seed phrase then I'm good to go. Anyone wants to tell me what's the risk?

[o_e_l_e_o]

Anyone wants to tell me what's the risk?

• Your email provider going defunct, blocking your account, deleting your data, suffering a server failure, suffering malware, or any other reason which could result in loss of your scrambled seed phrase back up.
• Forgetting your additional word if it isn't also backed up.
• Not remembering your method, how to find your code, how to interpret your code, etc.
• Making a mistake in how you set up your code, so even if you find it you cannot unscramble your seed phrase.
• Someone who has hacked your email figuring out your scheme and stealing your coins.
• OpenSea is centralized. If OpenSea goes down (as it has in the past) then do you know how to extract the necessary information from the blockchain to access your code?

[Cricktor]

...

As o_e_l_e_o points out, I stopped counting single points of failure, you rely on too many parts that you have no control of. Despite that, have you actually verified that you can recreate your mnemonic words properly?

Keep it simple and you less likely shoot yourself into your foot. There's so much that could go wrong in your scheme...

[Fivestar4everMVP]

When I first read the question op asked,  I was just about to comment and say that it should take maybe 24 hours at most,  but reading the comments really made me amazed,  I am still finding it difficult to believe that it is actually impossible to get a correct order of 24 word seed phrase wrongly arranged,  maybe I personally would have to try this with a new wallet as an experiment for myself.

Anyone wants to tell me what's the risk?

What If your email gets hacked?
What if for some reason, you lost access to your email?
What if opensea goes down in the future?
Or maybe gets hacked?
It is not my prayer for you,  but what If sudden death happens,  how will your family have access to your scrambled 24 word seed phrase,  how will they know how to unscramble it so they can gain access to the funds.?
How will they know theres an NFT you kept on opensea that holds the key to your funds?
(except you are going to show them this things).

[o_e_l_e_o]

maybe I personally would have to try this with a new wallet as an experiment for myself.

Feel free, but you won't get very far.

You can figure out why just by looking at the math without having to run any simulations yourself. You have 24 scrambled words. For the 1st word, you can pick any of the 24. For the second word, there are 23 words left to pick from. For the third word, there are 22 words left to pick from. For the fourth word, 21 words left. And so on. 24*23*22*21*......*3*2*1. Also known as 24!. This gives you the following number:

Code:

620,448,401,733,239,439,360,000

How many possibilities can your computer try in a second? A few million? Let's say a billion to be generous? The number above divided by a billion a second, 60 seconds in a minute, 60 minutes in an hour, 24 hours in a day, 365 days in a year, comes out to just short of 20 million years.

[Pmalek]

<Snip>

You did all those things and yet you managed to create a setup that is much less secure than taking a pen and a piece of paper and writing down 24 words nicely and in correct order. Was it worth it?

It's better to use simple and offline storage options and methods that have been working flawlessly for years. You now rely on several centralized services that have to stay online and operational until it's time for you or a successor to recover those coins.

[goldkingcoiner]

However,  if you know the location  of some of those words it would be easier (maybe possible) to brute force it. Because the difficulty increases exponentially

With good hardware, btcrecover will descramble a 12 word BIP39 seed phrase in an hour: https://btcrecover.readthedocs.io/en/latest/Usage_Examples/2020-05-02_Descrambling_a_12_word_seed/Example_Descrambling_a_12_word_seed/. Although not exactly the same due to the checksum, lets assume that if you know 12 out of the 24 words then you could descramble the remaining 12 words in roughly the same amount of time.

If you don't know the position of 13 words instead of 12, then there are 13x as many combinations to try, so that would take roughly 13 hours.
For 14 words, 7 days.
For 15 words, 16 weeks.
For 16 words, 5 years.
For 17 words, 85 years.
For 18 words, 1500 years.

No point calculating beyond that really.

Not with quantum computers. I assume we won't need to wait 1500 years for the next generation computer to be developed.

Still, at current present technology levels we do not even need to talk about whether or not its possible to crack it because theoretically it is possible but its just technically impossible. Which to humans is almost exactly the same as literally impossible.

Also it bears reminding that by the time we have quantum computers powerful enough to do the entire cracking in minutes or hours or even days, at that point in the future we will have already upgraded the security where even quantum computers cannot crack it.

Its just a simple matter of adding more words.

[o_e_l_e_o]

Not with quantum computers. I assume we won't need to wait 1500 years for the next generation computer to be developed.

Quantum computers are not a magical bullet that can instantly solve any problem. They provide an exponential speed up to attempts to solve the ECDLP, and this is the main way they would be used to attack bitcoin. They provide a much smaller speed up to any hash functions, which is the limiting step in attempting to unscramble a seed phrase, since you must use a SHA256 to calculate the checksum, followed by 2048 rounds of SHA512 to generate the seed number, followed by several more rounds of SHA512 to work down the derivation path and generate the necessary addresses to check for funds. They will be able to speed the process up, sure, but they are unlikely to make unscrambling 18 words any less unfeasible for the average person.

Its just a simple matter of adding more words.

The security of your wallet should never depend on there being enough words in your seed phrase so that an adversary with access to all the words cannot unscramble them, but rather on an adversary never having access to your seed phrase in the first place. I would never scramble the words in a seed phrase to begin with, for the exact reasons highlighted above - if you mess up then wave goodbye to all your coins.

[doomguy]

However,  if you know the location  of some of those words it would be easier (maybe possible) to brute force it. Because the difficulty increases exponentially

With good hardware, btcrecover will descramble a 12 word BIP39 seed phrase in an hour: https://btcrecover.readthedocs.io/en/latest/Usage_Examples/2020-05-02_Descrambling_a_12_word_seed/Example_Descrambling_a_12_word_seed/. Although not exactly the same due to the checksum, lets assume that if you know 12 out of the 24 words then you could descramble the remaining 12 words in roughly the same amount of time.

If you don't know the position of 13 words instead of 12, then there are 13x as many combinations to try, so that would take roughly 13 hours.
For 14 words, 7 days.
For 15 words, 16 weeks.
For 16 words, 5 years.
For 17 words, 85 years.
For 18 words, 1500 years.

No point calculating beyond that really.

Sorry to take back an old post, but i'm really curious about that thing.

when you say "For 18 words, 1500 years", you mean to just generate ALL possible combinations, right??

if my secret/mnemonic phrase is:

"cat15 cat2 cat3 cat4 cat5 cat6 cat18 cat8 cat9 cat10 cat11 cat12 cat1 cat14 cat7 cat13 cat16 cat17"

and my script generate that exact sequence as the 4th result, is it not the same ??
have i found it in some seconds?

and what about the "last" word, you call CHECKSUM, in my case "cat17".
it is not just a word "cat17" ??

[Pmalek]

when you say "For 18 words, 1500 years", you mean to just generate ALL possible combinations, right??

if my secret/mnemonic phrase is:

"cat15 cat2 cat3 cat4 cat5 cat6 cat18 cat8 cat9 cat10 cat11 cat12 cat1 cat14 cat7 cat13 cat16 cat17"

and my script generate that exact sequence as the 4th result, is it not the same ??
have i found it in some seconds?

Yes, in theory you could find the right combination with the first attempt as soon as you begin brute forcing the seed phrase. But the chances of you doing that are so small that it's not worth trying. It could also take thousands of years. Knowing all words (but not the order) significantly makes the task easier.

I am not a mathematician, so someone who knows will drop by to mention how much easier. Not knowing any of your words is an impossible brute forcing task though. But if you are only missing the order and have powerful machines, I think it's double within a few years of brute forcing. This is just my amateurish guess.

[ranochigo]

Sorry to take back an old post, but i'm really curious about that thing.

when you say "For 18 words, 1500 years", you mean to just generate ALL possible combinations, right??

if my secret/mnemonic phrase is:

"cat15 cat2 cat3 cat4 cat5 cat6 cat18 cat8 cat9 cat10 cat11 cat12 cat1 cat14 cat7 cat13 cat16 cat17"

and my script generate that exact sequence as the 4th result, is it not the same ??
have i found it in some seconds?

On average, to crack a key, you should assume that you need to exhaust the search space. If you average out every cracking attempt, then you will find that you should only find them when you're nearing the end of the search space and it should follow an exponential distribution. Hence, it is exceeding rare for you to find the actual key within 4 seconds.

and what about the "last" word, you call CHECKSUM, in my case "cat17".
it is not just a word "cat17" ??

It is a word. But that word has to be selected such that it has a relation to the rest of the words. Hence, if you were to swap cat15 and cat2, any software would recognize it as being invalid.

[o_e_l_e_o]

when you say "For 18 words, 1500 years", you mean to just generate ALL possible combinations, right??

Based on the benchmark provided by btcrecover, that would be to exhaust 50% of the search space, which is the average amount of the space you would need to search to reach the desired combination.

and my script generate that exact sequence as the 4th result, is it not the same ??
have i found it in some seconds?

Yes. But it is equally likely that you find it in the 4th result or that you find it in the 4th last result after searching 99.9999....% of combinations.

and what about the "last" word, you call CHECKSUM, in my case "cat17".
it is not just a word "cat17" ??

That word encodes 11 bits of data. Of those bits of data, some of them represent a checksum. For a 12 word seed phrase, 4 bits are a checksum. For a 24 word seed phrase, it is 8 bits.

On average, to crack a key, you should assume that you need to exhaust the search space. If you average out every cracking attempt, then you will find that you should only find them when you're nearing the end of the search space and it should follow an exponential distribution.

That's not right, On average you need to exhaust half the search space. There is a 50% chance you find it in the first half, and a 50% chance you find it in the second half.

[FatFork]

and my script generate that exact sequence as the 4th result, is it not the same ??
have i found it in some seconds?

Yes, it is possible for your script to find a valid sequence in just a few seconds, but what are the chances of that happening?

[Kryptowerk]

Even if you have the 24 words to guess from?

Still quite unfeasible:

https://bitcoin.stackexchange.com/questions/92540/bruteforcing-a-seed-with-24-words-of-a-unknown-order

That's crazy and tbh "intuitively" I wouldn't have thought it's not possible if you have access to some strong (cloud/super) computing system.
What I really like about this question: it goes to show how INSANELY ASTRONOMICALLY impossible it is, to brute force a 24 word seedphrase if no word is known. If I am not mistaken, we have a wordlist of 2048 words? - That's 2,96^79 combinations, a number 79 digits long!
(nothing new, I know, but still, was fun to remember this)

[doomguy]

Thanks to: Pmalek, ranochigo, o_e_l_e_o  and FatFork

So my thoughts were right. 

[o_e_l_e_o]

That's 2,96^79 combinations, a number 79 digits long!

The number you are looking for there is 2.96*10⁷⁹, rather than 2.96⁷⁹.

That number is not quite right, however. It is the same number as 2048²⁴ or 2²⁶⁴. However, not all 24 word combinations are valid seed phrases due to the checksum. With the checksum being 8 bits long, it means only one out of every 256 seed phrases on average is valid. This means the total number of valid 24 word seed phrases is 2²⁵⁶, which is 1.16*10⁷⁷.

So my thoughts were right. 

It's the same as anything else. My password for this forum might be Y}tz3Wd[^DkxY\2>5p$6. While it is theoretically possible someone could guess that on the first guess, in reality no one would ever be able to brute force that password.

[Kryptowerk]

That's 2,96^79 combinations, a number 79 digits long!

The number you are looking for there is 2.96*10⁷⁹, rather than 2.96⁷⁹.

That number is not quite right, however. It is the same number as 2048²⁴ or 2²⁶⁴. However, not all 24 word combinations are valid seed phrases due to the checksum. With the checksum being 8 bits long, it means only one out of every 256 seed phrases on average is valid. This means the total number of valid 24 word seed phrases is 2²⁵⁶, which is 1.16*10⁷⁷.

Ah yes, rookie mistake, of course it's 2.96 x 10^79. Thanks for the correction!
Your explanation for why it's actually 2^256 is quite clear - however to brute force we would still need to go for the full 2^264 route since we cannot know if a phrase would result in a valid checksum, correct? Or are there any ways to determine in advance which combinations to avoid checking at all?