Randomly picking 24 words from the BIP39 wordlist

[jiamijiang]

What are the chances of generating a valid seed phrase (or 24 mnemonic words) from the BIP39 wordlist of 2048 words?

I know the last word is a checksum generated from the first 23 words, but there's got to some % chance you correctly guess a valid working seed phrase just from manually randomly picking out 24 words...

[1714130960]

1714130960

[1714130960]

1714130960

[1714130960]

1714130960

[hosseinimr93]

If you pick 24 words randomly, the probability of having a seed phrase which passes the checksum would be 1 in 256. For the last word, 8 out of the 2048 words would produce a valid seed phrase.

I know the last word is a checksum generated from the first 23 words,

The checksum isn't the last word. In a 24 word BIP39 seed phrase, the last 8 bits are the checksum. The first 3 bits of the last word are chosen randomly.

[o_e_l_e_o]

Each word encodes 11 bits of data. As hosseinimr93 has pointed out, for a 24 word seed phrase the checksum is 8 bits. This means the final word has 3 bits which are not checksum, which gives 2³ = 8 possible combinations. For each of these 8 combinations, there will be exactly one correct checksum, meaning there will be 8 valid final words for any given 23 words.

For a 12 word phrase which has 4 bits of checksum, there will be 2⁷ = 128 possible valid final words.

And of course, I have to ask, why are you manually picking words to create a seed phrase? Such a process leaves you with a very insecure seed phrase and liable to have all your coins stolen.

[dkbit98]

What are the chances of generating a valid seed phrase (or 24 mnemonic words) from the BIP39 wordlist of 2048 words?

There are websites that allow you to pick whatever 23 mnemonic words you want from BIP39 wordlist, and then last word is calculated to create everything correctly.
I wouldn't recommend anyone to do this because our brain and thinking is total disaster in term of creating anything random.
One of the websites I saw before is called seedpicker, but do your own research and read the guide before using it:
https://seedpicker.net/calculator/last-word.html

[NeuroticFish]

I wouldn't recommend anyone to do this because our brain and thinking is total disaster in term of creating anything random.

Exactly. One would pick some nice words, one could pick the words alphabetically, one may not know / care that those words can exist multiple times in a seed...

If somebody has issues with the seed generated by his wallet (works he doesn't know nor want for some reason), a better way is to simply generate 1-2 more wallets until the words are good enough. The result is that the seed is still much better than the one the user would have been picking by himself word by word.

[Husires]

Your chances are only about 0.4% but if you do not trust how words are chosen by your wallet software, it is better to use another software.

If you are very skeptical and have no programming skills it is best to use a dice, coin, piece of paper and then extract the results using: https://github.com/taelfrinn/Bip39-diceware

It is much better than relying on the human brain that is based on searching for similar things than generating random words.

[jiamijiang]

Thanks to all for the response.

I was just curious on behalf of those that don't trust wallet software and wanted to be hardcore about it.

[hosseinimr93]

I was just curious on behalf of those that don't trust wallet software and wanted to be hardcore about it.

If a wallet or the tool you use for generating the seed phrase is open-source and the code has been reviewed, there's nothing to worry about.
If you still want to generate the seed phrase yourself for any reason, it would better to generate a random number and convert that to a seed phrase instead of directly going the word list.

[odolvlobo]

Thanks to all for the response.
I was just curious on behalf of those that don't trust wallet software and wanted to be hardcore about it.

It is not easy to generate a bip-39 phrase without software because a SHA-256 hash is required. However, many wallets will allow you to use an invalid phrase, so simply picking 12 (or 24) random words is a viable method, but it is not as safe.

This page describes in simple terms how it is done: https://medium.com/coinmonks/mnemonic-generation-bip39-simply-explained-e9ac18db9477

[larry_vw_1955]

there will be 8 valid final words for any given 23 words.

is that good or bad?

For a 12 word phrase which has 4 bits of checksum, there will be 2⁷ = 128 possible valid final words.

that really doesn't seem ideal. it makes me wonder about this whole checksum thing and if it's really all that important or just a gimmick.

i guess the argument against checksums is if you store your seedphrase correctly there should be no need for error correction and I do tend to agree. can't write down 11 words? then you got bigger problems. such as not caring enough about your money.

[hosseinimr93]

that really doesn't seem ideal. it makes me wonder about this whole checksum thing and if it's really all that important or just a gimmick.

Are you saying it's bad that there would be 128 possibilities for the last word? What's the problem with that?

can't write down 11 words?

I don't see any reason for not writing the 12th word. But if you have written down 11 words and don't have the 12th word for any reason, it can be easily brute-forced and there wouldn't be a big problem.

[Pmalek]

If a wallet or the tool you use for generating the seed phrase is open-source and the code has been reviewed, there's nothing to worry about.

That depends on the quality of the people reviewing the software and all other community members and their abilities to spot vulnerabilities in a piece of code. And also how long it will take them to do it. 1 day, 1 month, 1 year, 10 years.... A vulnerability that gets discovered and patched in a day is totally different from something that's out there publicly for a year, for example.

Here is a good article that mentions a few interesting points:
https://thehackernews.com/2022/11/last-years-open-source-tomorrows.html

Finding open source vulnerabilities is typically done by the maintainers of the open source project, users, auditors, or external security researchers. But despite these great code-archaeologists helping secure our world, the community still struggles to find security flaws.

On average, it takes over 800 days to discover a security flaw in open source projects. For instance, the infamous Log4shell (CVE-2021-44228) vulnerability was undiscovered for a whopping 2649 days.

The analysis shows that 74% of security flaws are actually undiscovered for at least one year! Java and Ruby seem to have the most challenges here, as it takes the community more than 1000 days to find and disclose vulnerabilities.

[o_e_l_e_o]

is that good or bad?

I wouldn't say it is either. It's just how the checksum works.

that really doesn't seem ideal. it makes me wonder about this whole checksum thing and if it's really all that important or just a gimmick.

That's because we are considering it backwards here. There are only 128 possible words if you are picking them manually. Since the last word of a 12 word seed phrase also contains 7 bits of entropy, then when generated properly there is exactly one word which provides the correct checksum for the provided entropy.

And yes, it is important. If you don't have a checksum and import an incorrect seed phrase, then you have no idea you have imported an incorrect seed phrase. You could spend weeks or months trying to brute force a passphrase which doesn't exist, or searching weird and wonderful derivation paths, or who knows what else, trying to hunt down your wallet. With a checksum, you know immediately one of your words is wrong and can immediately narrow down your search significantly. Not to mention that brute forcing an incorrect seed phrase is also quicker with a checksum since you do not have to derive addresses and check them for balance for all the invalid phrases.

[larry_vw_1955]

Are you saying it's bad that there would be 128 possibilities for the last word? What's the problem with that?

if there's only 128 possibilities for the last word then what's the point of having one since it is easily guessed. easily brute forced.

can't write down 11 words?

I don't see any reason for not writing the 12th word. But if you have written down 11 words and don't have the 12th word for any reason, it can be easily brute-forced and there wouldn't be a big problem.

why not just write down your seed words twice in a row on the same piece of paper. double the security. no checksum needed.

And yes, it is important. If you don't have a checksum and import an incorrect seed phrase, then you have no idea you have imported an incorrect seed phrase. You could spend weeks or months trying to brute force a passphrase which doesn't exist, or searching weird and wonderful derivation paths, or who knows what else, trying to hunt down your wallet. With a checksum, you know immediately one of your words is wrong and can immediately narrow down your search significantly. Not to mention that brute forcing an incorrect seed phrase is also quicker with a checksum since you do not have to derive addresses and check them for balance for all the invalid phrases.

I think the checksum idea is a badly implemented one. Sha256 is good for checksums why? I think bech32 has a more robust checksum thing going on but I found it impossible to find a good explanation of that made much sense.

Also the whole concept of a checksum embedded into your seed phrase is questionable since someone could write down a wrong seed phrase and the software could just correct it for them and they would never even know they were entering something wrong. i guess?

also well i could go on but you get the idea.

[odolvlobo]

if there's only 128 possibilities for the last word then what's the point of having one since it is easily guessed. easily brute forced.

First of all. It is not just a missing last word that has 128 possibilities. Every word has 128 possibilities if it is missing, assuming that no others are also wrong or missing.

I think the checksum idea is a badly implemented one. Sha256 is good for checksums why? I think bech32 has a more robust checksum thing going on but I found it impossible to find a good explanation of that made much sense.

Bech32 does have better error detection, but that doesn't make BIP-39's error detection bad and SHA-256 is an appropriate choice for a checksum.

Also the whole concept of a checksum embedded into your seed phrase is questionable since someone could write down a wrong seed phrase and the software could just correct it for them and they would never even know they were entering something wrong. i guess?

Embedding a checksum may not be the best solution, but it is better than nothing. Also, your assumption that the software can correct a seed phrase is wrong. The software does not have enough information and would have to resort to brute force search. And that would only be practical if you know which words are wrong or missing.

[larry_vw_1955]

First of all. It is not just a missing last word that has 128 possibilities. Every word has 128 possibilities if it is missing, assuming that no others are also wrong or missing.

ok.

Bech32 does have better error detection, but that doesn't make BIP-39's error detection bad and SHA-256 is an appropriate choice for a checksum.

why? why is sha-256 an appropriate choice for a checksum? it was not designed for that purpose. all it has the ability to do is detect errors but not correct them right? so how is that appropriate? not being able to correct a certain minimal number of errors. it can do zero in that regard.

Embedding a checksum may not be the best solution, but it is better than nothing. Also, your assumption that the software can correct a seed phrase is wrong. The software does not have enough information and would have to resort to brute force search. And that would only be practical if you know which words are wrong or missing.

which brings us back to the original question of why not just write down your seed phrase two times and ditch the checksum altogether. Because this checksum thing can't fix things if there were too many mistakes made like writing words in the wrong order and leaving a few of them out. You would be SOL. has anyone here ever been in the situation where they needed this checksum or else all their funds were lost?  that seems like such a remote possibility as to not even be worried about happening.

you could even require a valid seed phrase to be 46 words long by just duplicating the original 23 word phrase. then the last 23 words would be your checksum for the first 23 words. and they could detect AND fix errors. 

[hosseinimr93]

Because this checksum thing can't fix things if there were too many mistakes made like writing words in the wrong order and leaving a few of them out.

Your expectations from checksum are too high.
Checksum only helps detect errors. Checksum isn't supposed to eliminate the errors or correct them. You should always double check or triple check your seed phrase after writing it down to make sure there is no error.

[PrimeNumber7]

I was just curious on behalf of those that don't trust wallet software and wanted to be hardcore about it.

In general, I would say that you probably are not going to be better off "manually" selecting your seed. Many who attempt to generate a seed outside of a computer program will adopt a procedure that is not truly random and will generate a seed that is vulnerable to theft.

Further, in order to spend your coin, you will need to use some software that is used to generate and sign a transaction.

[odolvlobo]

Bech32 does have better error detection, but that doesn't make BIP-39's error detection bad and SHA-256 is an appropriate choice for a checksum.

why? why is sha-256 an appropriate choice for a checksum? it was not designed for that purpose. all it has the ability to do is detect errors but not correct them right? so how is that appropriate? not being able to correct a certain minimal number of errors. it can do zero in that regard.

The purpose of a SHA-256 hash is to detect corruption of the data. It is a checksum. If you don't agree, then what is its purpose?

you could even require a valid seed phrase to be 46 words long by just duplicating the original 23 word phrase. then the last 23 words would be your checksum for the first 23 words. and they could detect AND fix errors.  

You are contradicting yourself. Your 46-word phrase would detect an error, but it could not fix it because if the duplicates don't match, you don't know which one is wrong. So, it is no better than the BIP-39 checksum.

[larry_vw_1955]

The purpose of a SHA-256 hash is to detect corruption of the data. It is a checksum. If you don't agree, then what is its purpose?

you could even require a valid seed phrase to be 46 words long by just duplicating the original 23 word phrase. then the last 23 words would be your checksum for the first 23 words. and they could detect AND fix errors.  

You are contradicting yourself. Your 46-word phrase would detect an error, but it could not fix it because if the duplicates don't match, you don't know which one is wrong. So, it is no better than the BIP-39 checksum.

For example, lets say the seed phrase is hotel obvious agent lecture gadget evil jealous keen fragile before damp clarify


Now what I do is write it twice:

hotel obvious agent lecture gadget evil jealous keen fragile before damp clarify
hotel obvious agent lecture gadget evil jealous keen fragile before damp clarify

I then compare them. I see they are the same. no mistakes were made. we know that with 100% certainty. No need for any checksum. The eyes are good enough. Now lets say I was not paying attention and wrote it down like this:

hotel obvious agent lecture gadget evil jealous keen fragile before damp clarify
hotel obvious agent lecture gadget jealous before fragile damp clarify

I made some serious errors but its very easy to compare and fix. Try that with sha256 and see how long it takes you, if you can even fix it at all.