How long to crack 24 word phrase if you know all 24 words out of order?

[hosseinimr93]

Your explanation for why it's actually 2^256 is quite clear - however to brute force we would still need to go for the full 2^264 route since we cannot know if a phrase would result in a valid checksum, correct?

It's true that you will need to check all the 2^264 combinations to see if they pass the checksum, but take note that you won't need to generate address from all those combinations.
You will need to generate address from 2^256 combinations.

Generating address from the seed phrase is much more expensive than just checking the checksum.

[1714505836]

1714505836

[1714505836]

1714505836

[1714505836]

1714505836

[1714505836]

1714505836

[1714505836]

1714505836

[o_e_l_e_o]

however to brute force we would still need to go for the full 2^264 route since we cannot know if a phrase would result in a valid checksum, correct?

You would still have to calculate the checksum for all 2²⁶⁴ combinations, which simply involves a single SHA256. After checking the checksum you will be able to immediately exclude 255 out of every 256 seed phrases (on average).

For the one seed phrase which does pass the checksum, you must then perform 2048 rounds of HMAC-SHA512 to calculate the root seed number, then various more rounds of HMAC-SHA512 alongside elliptic curve multiplications and additions to work down the derivation path, then three SHA256s, one RIPEMD160, and a Base58 conversion to turn that final public key in to an address to check to see if it matches the one you are looking for.

This is obviously far more resource intensive and time consuming that performing a single SHA256 in order to calculate the checksum.

[doomguy]

It's the same as anything else. My password for this forum might be Y}tz3Wd[^DkxY\2>5p$6. While it is theoretically possible someone could guess that on the first guess, in reality no one would ever be able to brute force that password.

Even if i think (and i know) that You are a Master, here, and you know the subject a lot better than me, i don't think it is really "the same".

Your password for this forum could be even a bit smaller, BUT i don't even know if you are using Uppercase or Numbers or Special, if you are using "real" words or as this case you are using random all togheter

A "secret phrase" is made by Words, and I (we) know the words, and I (we) know there are NO numbers, NO special characters, NO uppercase...
Yes, obviously is very hard to find but i think it is a good way to start the search.

Last thing... i don't think there are "money" inside your password, to push me a bruteforce that 

[o_e_l_e_o]

Your password for this forum could be even a bit smaller, BUT i don't even know if you are using Uppercase or Numbers or Special, if you are using "real" words or as this case you are using random all togheter

A "secret phrase" is made by Words, and I (we) know the words, and I (we) know there are NO numbers, NO special characters, NO uppercase...

So, I very deliberately chose a password with 20 random characters drawn from uppercase, lowercase, numbers, and symbols, for my example.

There are 95 printable ASCII characters. 20 such characters gives 20⁹⁵ combinations, which is 3.58*10³⁹. This is the smallest number of characters needed to produce a password at least as strong as a 12 word seed phrase, which has 2¹²⁸ combinations, which is 3.40*10³⁸.

So even if you don't know if my password is using real words, or dates, or patterns, or numbers, or symbols, or upper or lower case, or whatever, and you have to brute force every possible combination, that password is still roughly as secure as a 12 word seed phrase, even when you know the full word list.

[doomguy]

i generated 93.000.000 unique 24 words addresses on those days, and keep going....
maybe i will find something...

[o_e_l_e_o]

maybe i will find something...

A large electricity bill? Some burnt out hardware?

Given somewhere around 50,000,000 addresses which have ever been used, checking 93,000,000 million in a week means you'll only have to keep going for another trillion trillion trillion trillion years to have a 0.000000000002% of stumbling across one of those addresses! Let's hope that address isn't one of the empty ones!

[Cricktor]

<snip>

I wonder what you expect to achieve. It's your decission based on a wrong moral compass to continue to waste energy and your time.

The beauty of unimaginably large numbers, math in general and cryptography in particular is that it's highly highly unlikely that you will succeed to steal others coins. But keep on doing and the time and effort you waste will probably keep you from doing other stupid things.

[doomguy]

<snip>

I wonder what you expect to achieve. It's your decission based on a wrong moral compass to continue to waste energy and your time.

maybe... maybe no...
the pc fan does not even go fast

i'm about to 200.000.000 unique, keep going...

EDIT
Cricktor and o_e_l_e_o you are absolutly right, but i read it about in a different way

what i mean.... it is RANDOM, i can never ever find a right wallet in 20 years like i can find some good wallets in some weeks


EDIT2
after 500.000.000 unique 24 words ( and also 400.000.000 unique 12 words) addresses tested i found a very very good one!!!

[keychainX]

I am curious to know the actual difficulty/cost/time involved to put a 24 word seed phrase in the correct order if you have the 24 words but not the correct order? I can see that there are 24^24 number of combinations but what does that translate into difficulty/time/cost?

Not possible today.

We have a custom script for 12 word seed which can crack any combination in 30 days using GPUs

13 words would take 2-3 years, 14 words 100+ years.

So 24 words out of question today

You would also need to know the address

/KX

[o_e_l_e_o]

We have a custom script for 12 word seed which can crack any combination in 30 days using GPUs

Your script is very slow, if that's the case. My computer at home can descramble 12 words in around an hour using btcrecover.

You would also need to know the address

Or just use an address database to check for any funded address.

[hellishgoblin234]

How about if I have the wallet address?

Also, if we account that we can use the checksum hack to further reduce the keyspace by 256?

We would have !24 possibilities \ 256 **minus any improvement gained from having the wallet?

Just brainstorming.

[Cricktor]

...

You first have to work through at worst all 24! (equals 620,448,401,733,239,439,360,000) possibilities to arrange the 24 words to decide if your tried arrangements yield a valid checksum. If yes, you can go through the address derivation process to compare if your known address is among a certain derivation path or range of it.

Going through the whole process to derive addresses based on common derivation paths is computationally expensive because you have to go through a 2048 rounds of PBKDF2 to get to the master private key from which you go further on.

But to perform statistically at least half of 620,448,401,733,239,439,360,000 arrangements and computing SHA-256 alone to only validate a correct checksum doesn't look achievable within centuries or more (I'll leave it to your own calculation to estimate a needed timeframe, not to speak of needed amount of energy to perform such a brute-force attack). Doable for half the words, unfeasible for 24 words of unknown arrangement.