Question about wallet seed in numbers

[KiaKia]

There are a few numbers of crypto wallets today, from Trust wallet to Math wallet and atomic but I want to ask why some wallets have 12 words recovery seed and some have 14 and more?


Also is higher the number the better with security? I read somewhere that if you can get 6 out of 12 recovery seed you may be able to get the rest, is this true? I just want to know how far wallet security can go.

[Charles-Tim]

Seed phrase can be 12, 15, 18, 21 or 24 words (less than 12 words is not secure). 12 and 24 words seed phrases are mostly generated on wallet. 12 word seed phrase has 128 bits of entropy which is secure enough just like bitcoin private key. 24 words seed phrases have 256 bits of entropy, but yet having 128 bit of security.

[hosseinimr93]

but I want to ask why some wallets have 12 words recovery seed and some have 14 and more?

A seed phrase including 14 words isn't standard.

Also is higher the number the better with security?

The more words the seed phrase includes, the more difficult it's to brute-force the seed phrase.
But you don't really increase your security if you increase the number of the words from 12. A seed phrase including 12 words provides the same amount of entropy as a private key and that's enough.

[Detritus]

Adding to what Charles-Tim said,
   if the phrase contained 12 random words, the phrase would have 132 bits of security, so the actual security of a 12-word BIP39 mnemonic phrase is 128 bits as regards a Bitcoin private key security too. That's why some experts consider using only 12 words.

A bitcoin private key is 256 bits, to make up that bit you would need about 24 words to equal that and that's why some experts also consider to use 24.

So either 12 or 24, they all same bit of security as Bitcoin private key which is 128.

Also is higher the number the better with security? I read somewhere that if you can get 6 out of 12 recovery seed you may be able to get the rest, is this true? I just want to know how far wallet security can go.

If you read this thread https://bitcointalk.org/index.php?topic=5205380.0, you will get some answers about 12/24 seed phrase security. Even if someone knows the 6 words of your phrase they will only end up importing a different wallet unless they have full access of your whole phrase.

[aysg76]

There are a few numbers of crypto wallets today, from Trust wallet to Math wallet and atomic but I want to ask why some wallets have 12 words recovery seed and some have 14 and more?


Also is higher the number the better with security? I read somewhere that if you can get 6 out of 12 recovery seed you may be able to get the rest, is this true? I just want to know how far wallet security can go.

So as you have been already told that the standard practice for wallet using the BIP-39 standard the seed phrases are 12 words or 24 mnemonic entropy and it's secure.The word list contains total 2048 words from which they are derived by the wallets but if you say about extra security then you can use passphrase along with your 12 or 24 word seed phrase but remember to safely store both of them on offline storage as without it you cannot access your funds.

Now if you say that you know only 6 words out of 12 then I would say it's near to impossible brute force and crack the rest of words because there are lot of possible combinations as you are missing 6 words out of it.See this answer where only one word is missing and we have so many possibilities so you are wrong on this part I would say.

About brute forcing seed phrase. On a computer, 4 words can be brute forced in some minutes, while 5 words can be brute forced in some hours. 6 words shouldn't take more than 2 or more days. I have not practically tested this before though. As long as an attacker has the remaining words correctly and not scattered or disarranged, brute forcing it is possible.

This is why the standard practice is 12 words long with full security and really hard to brute force that will take some years to crack it and the small word can easily be brute forced out of the list of 2048 but still there are lot of combinations to them.

[Lucius]

Now if you say that you know only 6 words out of 12 then I would say it's near to impossible brute force and crack the rest of words because there are lot of possible combinations as you are missing 6 words out of it.See this answer where only one word is missing and we have so many possibilities so you are wrong on this part I would say.

There are many posts on the forum that explain how demanding (or rather expensive and time-consuming) everything that exceeds 4 words is - because @o_e_l_e_o explained it in one of his posts on the example of seed where someone needed about 30 hours for 4 words with note that he did not do it with his computer. Only 5 words would extend that same procedure to even 7 years.

This person bruteforced 4 words: https://medium.com/@johncantrell97/how-i-checked-over-1-trillion-mnemonics-in-30-hours-to-win-a-bitcoin-635fe051a752
On his own computer it would have taken him 25 years. By spending $350 renting cloud computing he was able to do it in 30 hours. If you make that 5 words, rather than 4, then it would have cost him $350*2048 = $716,800 and would have taken him 30 hours*2048 = ~7 years.

I think 4 words is the limit of what could be called "easily" brute forced (and even then, it's not that easy). 5 words is potentially possibly, but only with a significant amount of time, money, and resources.

Also from the same thread, one interesting fact when it comes to 12 word seeds.

Because there are this many possible valid 12 word seeds:
340,282,366,920,938,463,463,374,607,431,768,211,456

And there only approximately 30 million bitcoin addresses with balance on them. Divide those two numbers and you get a roughly 1 in 11 million trillion trillion chance of finding a collision. (Now, this is not quite accurate since any seed can generate potentially billions of addresses, but you get the idea.)

[hosseinimr93]

See this answer where only one word is missing and we have so many possibilities so you are wrong on this part I would say.

There are not many possibilities if there's only 1 word missing. Considering the checksum, with only one word missing, there are 128 possibilities on average.
Even if we don't consider the checksum, there are only 2048 possibilities and the seed phrase would be brute-forced in a very very short time.  

[witcher_sense]

<…>
Also is higher the number the better with security? I read somewhere that if you can get 6 out of 12 recovery seed you may be able to get the rest, is this true? I just want to know how far wallet security can go.

There should be an equilibrium between security and ease of use (convenience) so that users feel comfortable playing around with the system. When you add more security to your system, it makes it too heavy and complex, which in itself may lead to unexpected errors and hard-to-find vulnerabilities. In other words, complex systems are not only inconvenient but also very hard to maintain. Twenty-four-word seeds are undoubtedly more resistant to random attempts of brute forcing, but at the same time, it is sometimes a tough task to back them up properly. Moreover, the private keys produced from such lengthy seed phrases can't provide more than 128 bits of security, which makes the whole idea of using very long keys less attractive. Twelve-word seeds are shorter, easier to back up, or even memorize (I don't say you should try to memorize them, but it is good to have such an option). In other words, while short seed phrases are more vulnerable to brute force, they generate private keys of the same length and, at the same time, are more convenient when compared to heavy seeds.

[Charles-Tim]

Twenty-four-word seeds are undoubtedly more resistant to random attempts of brute forcing, but at the same time, it is sometimes a tough task to back them up properly.

They are just words, I do not think 24 words should be difficult to backup. But in case you have the backups already in different locations, and you want to memorize it, 12 words would easily be memorized than 24 words. But it not a good option to memorize seed phrase, but I understood your point, if provided, it should just be the 4th backup, but not depending on it.

Moreover, the private keys produced from such lengthy seed phrases can't provide more than 128 bits of security, which makes the whole idea of using very long keys less attractive.

That is true.

About brute force. 12 word seed phrase is secure enough, that is what we should just point to.

Also in a 12 or 24 word seed phrase, if only one word is missing, it would take the same time to brute force it. It would take the same time to brute force the same number of missing words while having more missing words, it become more impossible for brute force.

So if anyone thinks he has 24 word seed phrase and attacker got hold of 22 words from it, the time required to brute force the two missing words would be the same time for 2 missing words in a 12 word seed phrase.

As 12 word seed phrase is secure enough just as we see it from Lucius post, the point of going for 24 word seed phrase that has just 128 bits of security is not necessary. 24 word seed phrase makes brute force more impossible, but no significance in reality if compared with 12 word seed phrases.

[hosseinimr93]

Also in a 12 or 24 word seed phrase, if only one word is missing, it would take the same time to brute force it.

If you miss 1 word in a 24 word seed phrase, there would be 8 possibilities for the missing word on average.
If you miss 1 word in a 12 word seed phrase, there would be 128 possibilities for the missing word on average.  
So, finding the missing word in the 12 word seed phrase takes a longer time.

[o_e_l_e_o]

To expand on hosseinimr93's answer above:

The computational expensive part of brute forcing a seed phrase is turning that seed phrase in to the first address in the first account to check if it matches a known address or to check for history. This involves 2048 rounds of HMAC-SHA512 to produce the root seed, followed by another round to produce the master keys and chain code, followed by several more rounds to work down the derivation path m/84'/0'/0'/0/0 or similar, followed then by elliptic curve multiplication to produce a public key, then three SHA256s and one RIPEMD160s and a conversion to Base58 to produce an address, and potentially then looking that address up to check for history.

Conversely, rejecting a seed phrase with an invalid checksum is as simple as performing a single SHA256.

With a 24 word seed phrase with one missing word, on average I can reject 2,040 possibilities with a single SHA256, meaning I have to perform the additional steps outlined above 8 times.
With a 12 word seed phrase with one missing word, on average I can reject 1,920 possibilities with a single SHA256, meaning I have to perform the additional steps outlined above 128 times.

[Ever-young]

I read somewhere that if you can get 6 out of 12 recovery seed you may be able to get the rest, is this true? I just want to know how far wallet security can go.

That's just a random suggestion,
For someone to successfully hack or guess it, they would need to not only guess all the words but in the right order. “A 12-word seed phrase has a possible combination of

340,282,366,920,938,463,463,374,607,431,768,211,456

while a 24-word version has even more combinations,” says TrustWallet, an Ethereum and crypto wallet provider.
So its nearly impossible to guess a word combination which is more than 3, even if the guess words are correct, the chances of arranging them orderly is 0.9%/100. every word you miss takes you to a different new created wallet entirely

[nakamura12]

It's because most wallet use 12 words seed phrase and 24 words. Actually, I have 24 words seed phrase and it is much harder to know the exact words before your wallet will be compromised because as you can see in the previous post that a 12 word seed phrase have a lot of combination and a wallet seed phrase must be in order to be able to access the wallet. If you are not sure then try something else like creating a dummy wallet then try different words for the last word and see if it can access different wallet so yeah if you don't have all 12 words then you won't be able to access the exact wallet you wanted to access .

[PowerGlove]

12 word seed phrase has 128 bits of entropy which is secure enough just like bitcoin private key. 24 words seed phrases have 256 bits of entropy, but yet having 128 bit of security.

Maybe I've misunderstood, but it reads to me like you're saying that a 12-word seed offers equivalent security (~128 bits) to that of the individual addresses generated from it, and that therefore, longer seeds are overkill.

Isn't that reasoning a little shaky? I mean, the seed is used to generate a unique sequence of addresses [1], no? Putting aside the increased hassle of longer seeds, isn't it desirable for it to be harder to recover the sequence than it is to brute-force a single address?

[1] Technically, it's more like a tree than a sequence, but that's not germane.

[pooya87]

Maybe I've misunderstood, but it reads to me like you're saying that a 12-word seed offers equivalent security (~128 bits) to that of the individual addresses generated from it, and that therefore, longer seeds are overkill.

In Elliptic Curves the key's security is half the key size and since bitcoin key sizes are 256 bit that makes the security 128 bits.
The security of an entropy is equal its length, which means a 128-bit entropy is providing 128 bit of security.

Isn't that reasoning a little shaky? I mean, the seed is used to generate a unique sequence of addresses [1], no? Putting aside the increased hassle of longer seeds, isn't it desirable for it to be harder to recover the sequence than it is to brute-force a single address?

No because security is defined by the weakest link not the strongest. Meaning if the key itself has 128-bit security, it won't matter if it were created randomly or deterministically using a much bigger entropy. The key still provides the same security level.

[o_e_l_e_o]

even if the guess words are correct, the chances of arranging them orderly is 0.9%/100.

It is very easy to descramble a 12 word seed phrase in which all the words are known, and this can be done in under an hour on even a modest home computer. A 24 word scrambled seed phrase, however, will be impossible to unscramble.

Putting aside the increased hassle of longer seeds, isn't it desirable for it to be harder to recover the sequence than it is to brute-force a single address?

If an attacker was going to try to brute force your seed phrase, then sure, a longer seed phrase makes it more difficult for them. But as pooya says, the individual keys will always have 128 bits of security, so an attacker whose best attack is simple brute forcing will obviously choose to target this instead.

[Saint-loup]

Also in a 12 or 24 word seed phrase, if only one word is missing, it would take the same time to brute force it.

If you miss 1 word in a 24 word seed phrase, there would be 8 possibilities for the missing word on average.
If you miss 1 word in a 12 word seed phrase, there would be 128 possibilities for the missing word on average.  
So, finding the missing word in the 12 word seed phrase takes a longer time.

In the beginners section it's better to explain when you're correcting someone, otherwise it's useless for the main users of the section.
So CMIIW but as far as I understand, it's because we will get 8 bits of checksum for a 24 words mnemonic seed, instead of 4 bits for a 12 words seed, since we need to divide the entropy of the seed (256 bits for a 24 words seed, 128 bits for a 12 words one) by 32 according to BIP39
2^8 = 256
It means only 2048 / 256 = 8 words among the 2048 possible are valid for a 24 words mnemonic seed instead of 2048 / 2^4 = 128 for a 12 words one.

If an attacker was going to try to brute force your seed phrase, then sure, a longer seed phrase makes it more difficult for them. But as pooya says, the individual keys will always have 128 bits of security, so an attacker whose best attack is simple brute forcing will obviously choose to target this instead.

I don't know the statistics but a non-empty address hardly contains more than 5% of total wallet funds on average IMO.

[o_e_l_e_o]

It means only 2048 / 256 = 8 words among the 2048 possible are valid for a 24 words mnemonic seed instead of 2048 / 2^4 = 128 for a 12 words one.

Correct. Although perhaps an easier way of thinking about it is that given there is only ever one checksum which will fit the given entropy, and for a 24 word seed the last word contains 3 bits of entropy (11 bits of data minus 8 bits of checksum), then since 2³ = 8, there are 8 possible words. For a 12 word seed the last word contains 7 bits of entropy (11 bits of data minus 4 bits of checksum), and 2⁷ = 128 possible words.

I don't know the statistics but a non-empty address hardly contains more than 5% of total wallet funds on average IMO.

But now you are assuming additional knowledge, such as that an attacker knows which addresses are derived from the same seed phrase, that there is no passphrase in use, and what the derivation path being used is. Don't forget as well that as I said above, turning a valid seed phrase in to an address to check for funds is computationally expensive, and so brute forcing x number of seed phrases takes significantly more computing power and time than brute forcing the same number of individual private keys, even more so if for each seed phrase you want to start checking additional derivation paths.

[Saint-loup]

I don't know the statistics but a non-empty address hardly contains more than 5% of total wallet funds on average IMO.

But now you are assuming additional knowledge, such as that an attacker knows which addresses are derived from the same seed phrase, that there is no passphrase in use, and what the derivation path being used is. Don't forget as well that as I said above, turning a valid seed phrase in to an address to check for funds is computationally expensive, and so brute forcing x number of seed phrases takes significantly more computing power and time than brute forcing the same number of individual private keys, even more so if for each seed phrase you want to start checking additional derivation paths.

I understand it will cost more ressources and time to attack a seed with the same entropy as a private key, than to attack an address but by doing that the attacker will only get less than 5% of the wallet funds on average at the end. So as long as it costs less than 20x times the cost of an attack on an address, it might be worth it even if the "investment" is higher.

[RiverBoy]

The wallet seed numbers is determine how the wallet been secure from hack, which i have come across in difference wallet with difference phase seed to saved as a back up, if the device used to saved the wallet get corrupt, damage or stolen, it can be able to restore the wallet back to another new device, which was advantage of this seed of a thing, in order words, they are difference numbers of seeds that determine how strong the wallet are, which is 12, 14, 18, 21 or 24 and anything less than 12 words is not secure, which is 12 phase words has 128 bits of entropy, while 24 Phase words has 256 bits of entropy as it already rated in numbers capacity.