12 vs 24 seed word trade-offs?

[flame0562]

Hello everyone,
There is a question that often came to my mind but I never much asked around, so I'm hoping some of you can give me feedback/opinion.
I was wondering what the security trade-offs are between 12 word vs 24 seed words are? I personally like using 12 seed words since you can also memorize them yourself more easily, but I was wondering if the less entropy/randomness of such a seed would be a problem vs the 24 variant?
I see that wallets still offer support for 12 word seed, even some of them let you generate them (making me think they are still very secure to this day).

So in essence my question would be:
Am I doing something horribly wrong by using 12 word seeds and not the 24 word one, not realising risks I could be exposing myself to? (I will add that I do use a password on top of these words as well)

Thanks for your time, hope to get some insights from you all.

[1714158363]

1714158363

[1714158363]

1714158363

[hosseinimr93]

A 12 word seed phrase is enough.
A 12 word BIP39 seed phrase provides 128 bits of entropy. Since a private key provides the same amount of entropy, with increasing the number of words to more than 12, you don't really increase your security.
Keep your 12 word seed phrase safe and don't worry.

[pooya87]

Simple answer is no, because if there were anything wrong with a 12 word mnemonic the popular wallets (like Electrum) wouldn't have created it by default.

But as it was explained since bitcoin private keys have 128-bit security level using a 128-bit entropy is enough.

I personally like using 12 seed words since you can also memorize them yourself more easily,

Memorizing the seed phrase is a pretty bad idea because memory is not the most reliable thing specially in long run. Imagine 10 years from now, you won't be able to quite remember all the words specially since seed phrase is not something you deal with every day. It is just for recovery which is a one time thing.

(I will add that I do use a password on top of these words as well)

You should keep a physical backup of both the seed phrase and the passphrase to make sure you can always regain access to your funds in the future otherwise they could be lost forever.

[LoyceV]

Am I doing something horribly wrong by using 12 word seeds and not the 24 word one, not realising risks I could be exposing myself to?

No

With 24 words, you can create Split mnemonic cards. Example:

Code:

Card 1: weapon diet kick XXXX XXXX still XXXX welcome address hedgehog XXXX travel circle XXXX XXXX XXXX behave slush tree salute age hawk learn XXXX
Card 2: weapon diet XXXX fine drill XXXX work welcome address hedgehog duty travel XXXX ozone game load XXXX XXXX XXXX XXXX XXXX hawk learn amount
Card 3: XXXX XXXX kick fine drill still work XXXX XXXX XXXX duty XXXX circle ozone game load behave slush tree salute age XXXX XXXX amount

According to Ian Coleman's site, it takes a few million years to brute-force the 8 missing words if you have only one card. With 12 words, you'd miss only 4 words and that's much easier to brute-force.

[crwth]

Even with 12 or 24 seed words, it's okay. What's important to take note of is that you need to keep it safe and secure.

Some important things to take note of

• Do not use any service that asks anything remotely near to your seed phrase
• Do not store it digitally

[flame0562]

Simple answer is no, because if there were anything wrong with a 12 word mnemonic the popular wallets (like Electrum) wouldn't have created it by default.

But as it was explained since bitcoin private keys have 128-bit security level using a 128-bit entropy is enough.

I personally like using 12 seed words since you can also memorize them yourself more easily,

Memorizing the seed phrase is a pretty bad idea because memory is not the most reliable thing specially in long run. Imagine 10 years from now, you won't be able to quite remember all the words specially since seed phrase is not something you deal with every day. It is just for recovery which is a one time thing.

(I will add that I do use a password on top of these words as well)

You should keep a physical backup of both the seed phrase and the passphrase to make sure you can always regain access to your funds in the future otherwise they could be lost forever.

Thanks to everyone for the input. When I spoke about the memorizing part, I meant it for the edge-case purpose of crossing a border or just taking your money away with you in your head until you reach a safer place.
Yes, I do have physical copies of it too indeed, our memory is not reliable.

I also had a look online and found this video which has some interesting takes too: https://youtu.be/2hrXeuYOelM
So yeah. Seems like so far doing physical backups of seedwords and passphrases is good enough for the cold storage.

[bitmover]

As far as I have experienced, all multicurrency wallets I have seen use 24 words seed. Ledger and Coinomi are examples.

Bitcoin only wallets usually have only 12 words seed.

So, I guess 24 words may fit better for multicurrency wallets? Something related to derivation I would say. But I am not expert  just sharing my experience.

[n0nce]

As far as I have experienced, all multicurrency wallets I have seen use 24 words seed. Ledger and Coinomi are examples.

Bitcoin only wallets usually have only 12 words seed.

So, I guess 24 words may fit better for multicurrency wallets? Something related to derivation I would say. But I am not expert  just sharing my experience.

That should be a purely coincidental correlation.

https://learnmeabitcoin.com/technical/hd-wallets explains nicely how keys are derived from a seed in hierarchical deterministic (HD) wallets.

I don't have a lot of experience with altcoin wallets, but I use a lot of 24-word Bitcoin-only wallets; pretty sure that most coins work with both types of seed phrases.

[nc50lc]

So, I guess 24 words may fit better for multicurrency wallets? Something related to derivation I would say. But I am not expert  just sharing my experience.

If we're talking about BIP39 seed phrase, there's little to no difference between Bitcoin and Altcoin derivation from the seed.
The sure difference in the derivation path is the "coin" index but the whole process is the same as long as it's a standard implementation of BIP39.

Example: In m/purpose'/coin'/account'/chain/address_index , when getting the "Child extended private key" at the 'coin' level,
Bitcoin will use "0" and "60" for Ethereum so it'll derive a different child extended prvKey per coin, but the algorithm used is the same, so same security.
The difference in security of derivation paths can differ by the use of "hardened derivation" (with ') but that's not defined by the number of words.

[pooya87]

As far as I have experienced, all multicurrency wallets I have seen use 24 words seed. Ledger and Coinomi are examples.

Bitcoin only wallets usually have only 12 words seed.

So, I guess 24 words may fit better for multicurrency wallets? Something related to derivation I would say. But I am not expert  just sharing my experience.

In case of the closed source Coinomi wallet there is a good chance that they chose the bigger 24 version so that the corresponding entropy is 256-bit, in which case when they send it back to their servers it doesn't look suspicious if someone decides to sniff the traffic and the packets it is sending out. It would look like a regular hash after all.

[Pmalek]

I will add that I do use a password on top of these words as well.

You are using an extension to your seed, also called a passphrase. The passphrase should be stored separately from your 12-word seed. In case a thief successfully finds the hiding spot of the recovery phrase, they shouldn't get the second essential element to recover your coins (your passphrase).

The passphrase losses its purpose if its written down on the same piece of paper, for example. It's like having a safe where you store all your valuables, but the combination is glued to the door. 

As far as I have experienced, all multicurrency wallets I have seen use 24 words seed. Ledger and Coinomi are examples.

Bitcoin only wallets usually have only 12 words seed.

Unless I am wrong, the Trezor T generates 12-word seeds by default. Since it supports altcoins, you can consider it a multicurrency wallet as well. You can also make it generate 24-word seeds, but you need a separate software for that. I had to google it because I forgot its name. It's a command line client called trezorctl.   

[o_e_l_e_o]

Am I doing something horribly wrong by using 12 word seeds and not the 24 word one, not realising risks I could be exposing myself to? (I will add that I do use a password on top of these words as well)

The biggest risk you are exposing yourself to here is relying on your memory to back up your seed phrase.

Note that "password" and "passphrase" are commonly used to refer to two different things. Password is generally used to refer to the password you would use to unlock your wallet software, while passphrase is used to refer to the seed extension or additional phrase which is combined with your seed phrase to derive your wallets. If you lose the password to unlock your wallet, you can recover that wallet from your seed phrase and passphrase. If you lose your passphrase (and don't have a back up), then your wallet is lost forever (just as if you had lost your seed phrase).

A 12 word BIP39 seed phrase provides 128 bits of entropy. Since a private key provides the same amount of entropy, with increasing the number of words to more than 12, you don't really increase your security.

Private keys provide 128 bits of security, not 128 bits of entropy. The entropy of a private key will depend on how it was generated.

I'd point out that BIP32 recommends using 256 bits of entropy (i.e. a 24 word seed phrase):

Generate a seed byte sequence S of a chosen length (between 128 and 512 bits; 256 bits is advised) from a (P)RNG.

[m2017]

A 12 word seed phrase is enough.
A 12 word BIP39 seed phrase provides 128 bits of entropy. Since a private key provides the same amount of entropy, with increasing the number of words to more than 12, you don't really increase your security.
Keep your 12 word seed phrase safe and don't worry.

If 12 words is enough for security, then why waste ink writing 24 words? 12 words take up less space on a physical storage medium, be it paper, cardboard or metal. It is easier to store and hide, because it takes up less space. Recording is still half the trouble. More trouble comes when you enter 24 words on a new wallet every time. So it turns out that from the point of view of the user in terms of practicality, 12 words are better.

I have another question: if 12 words are enough, then why were 24 words created? Shouldn't that provide some sort of benefit?

[o_e_l_e_o]

If 12 words is enough for security, then why waste ink writing 24 words?

Because 24 words are more secure than 12.

I have another question: if 12 words are enough, then why were 24 words created?

12 and 24 word seed phrases were created at the same time with the publication of BIP39, which you can see here: https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki#generating-the-mnemonic. But BIP32, which predates BIP39, recommends 256 bits be used as a seed, which equates to a 24 word seed phrase.

[BlackHatCoiner]

If 12 words is enough for security, then why waste ink writing 24 words?

Checksum. With 256 bits of entropy, the closest greater number with divisor=11 is 264, and therefore you have 264 - 256 = 8 bits of checksum. Provided that you've lost some words, brute forcing is easier, because it can skip more expensive processes. With 8 bits of checksum, it means that only 1 in 2⁸ = 256 seed phrases is valid.

With 128 bits of entropy, as in the case with 12-words long phrases, the closest greater number with divisor=11 is 132, and therefore there are 132 - 128 = 4 bits of checksum. This means 1 in 2⁴ = 16 seed phrases is valid. Therefore, brute forcing such phrase would take about 2^8-4 = 16 times more time.

That's one reason. I can't think of anything else for the time they were proposing this. I don't think split mnemonic cards (which is posted by LoyceV above) was taken into consideration at that time.

[m2017]

Thank you o_e_l_e_o and BlackHatCoiner for your clarifications, but as it happens, the more we learn, the more questions we have. I'm sorry, but I have to ask a few more questions.

If 12 words is enough for security, then why waste ink writing 24 words?

Because 24 words are more secure than 12.

OK, but is it possible to express this in conditional percentages? How many percent is 24 words safer than 12 words? To have an idea of the degree of their difference, if we talk about security.


"The mnemonic must encode entropy in a multiple of 32 bits. With more entropy security is improved but the sentence length increases. We refer to the initial entropy length as ENT. The allowed size of ENT is 128-256 bits."
Source link: https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki#generating-the-mnemonic

What will be the consequences of the fact that the length increases? (Underlined in the highlighted text above).
 

If 12 words is enough for security, then why waste ink writing 24 words?

Checksum. With 256 bits of entropy, the closest greater number with divisor=11 is 264, and therefore you have 264 - 256 = 8 bits of checksum. Provided that you've lost some words, brute forcing is easier, because it can skip more expensive processes. With 8 bits of checksum, it means that only 1 in 2⁸ = 256 seed phrases is valid.

With 128 bits of entropy, as in the case with 12-words long phrases, the closest greater number with divisor=11 is 132, and therefore there are 132 - 128 = 4 bits of checksum. This means 1 in 2⁴ = 16 seed phrases is valid. Therefore, brute forcing such phrase would take about 2^8-4 = 16 times more time.

That's one reason. I can't think of anything else for the time they were proposing this. I don't think split mnemonic cards (which is posted by LoyceV above) was taken into consideration at that time.

Let me see, if I understand correctly from the above, then bruteforcing  24-words is easier than 12-words? This is true? But then it contradicts that 24-words is safer. Or am I confusing something?

[hosseinimr93]

OK, but is it possible to express this in conditional percentages? How many percent is 24 words safer than 12 words? To have an idea of the degree of their difference, if we talk about security.

The entropy provided by the 24 word BIP39 seed phrase is 2¹²⁸ times the entropy provided by the 12 word BIP39 seed phrase.

Let me see, if I understand correctly from the above, then bruteforcing  24-words is easier than 12-words? This is true? But then it contradicts that 24-words is safer. Or am I confusing something?

You didn't understand BlackHatCoiner correctly.
If you lose the same number of words in a 12 word seed phrase and a 24 seed phrase, brute-forcing the 24 word seed phrase would be easier.

Let's say you have 23 words of a 24 word seed phrase and 11 words of 12 word seed phrase.
On average, there would be 8 possibilities for the missing word of the 24 word seed phrase and 128 possibilities for the missing word of the 12 word seed phrase.

If you miss the whole seed phrase, the number of possible combinations in the 24 word seed phrase would be much higher.

[o_e_l_e_o]

What will be the consequences of the fact that the length increases? (Underlined in the highlighted text above).

Every additional 3 words brings an addition 32 bits of entropy, meaning there are 2³² more possibilities. 2³² is in the region of 4.3 billion, so there are 4.3 billion more possible 15 word seed phrases than there are 12 word seed phrase. As hosseinimr93 correctly states above, there will be 2¹²⁸ times more valid 24 word seed phrases than 12 word seed phrases. This is approximately 340 billion billion billion billion times.

Let me see, if I understand correctly from the above, then bruteforcing  24-words is easier than 12-words? This is true? But then it contradicts that 24-words is safer. Or am I confusing something?

The more words you have, the easier it is to brute force missing words (provided you are comparing the same number of missing words). Missing 1 word from a 24 word seed phrase is easier to brute force than missing 1 word from a 12 word seed phrase (although both are still trivially easy to do). Once you get beyond 4 words for any seed length then it becomes prohibitively expensive.

[BlackHatCoiner]

OK, but is it possible to express this in conditional percentages? How many percent is 24 words safer than 12 words? To have an idea of the degree of their difference, if we talk about security.

The total valid 24-words long seed phrases are 2²⁵⁶. The total valid 12-words long seed phrases are 2¹²⁸. As said, this means that there are 2¹²⁸ times more 24-words long seed phrases, than 12-words long ones. If someone spent some computational effort to brute force for a specific 12-words long seed phrase with no clues, he ought to spend about 340 undecillion (10³⁶) times the same effort to find a 24-words long seed phrase.

Let me see, if I understand correctly from the above, then bruteforcing  24-wordss is easier than 12-wordss? This is true? But then it contradicts that 24-wordss is safer. Or am I confusing something?

If you've lost 12 words from both, then yeah. Even practically infeasible to succeed, it's still 16 times easier to brute force the 24-words long phrase. However, if you cut one more word from the 24-words long phrase, and you're left with 11 words, you have 13 * 11 = 143 missing bits. Provided that only 1 in 2⁸ phrases is valid, there can be 2¹⁴³ / 2⁸ = 2¹³⁵ valid phrases, which are 2¹³⁵ / 2¹²⁸ = 2⁷ = 128 times more than the valid 12-words long phrases. Cut one more word, and make the total combinations 2¹⁸ = 262,144 more than the total valid 12-words long phrases. You get the idea.