BIP39 vs Electrum Mnemonic seed

[witcher_sense]

So, if an address appears on public, for example, bc1q00msv0lt4hhaks47yy2d26kg269r0r06vnccsp, how do we know that address is not standard generated?

or how to know the address is used BIP39 or electrum seed?

Address contains neither sensitive data nor the information about the approach that was employed to create it in the first place. Addresses are designed to be publicly revealed, otherwise it would be impossible to make transactions on the blockchain. You can't even convert a bitcoin address back to a public key (that is also considered relatively safe to share on the Internet), which makes it an impossible task to extract private keys directly from addresses. However, in the case of insecurely generated bitcoin wallet, an attacker doesn't need to break your address to guess your private key. He already knows that you used an insecure password when created your wallet, otherwise he wouldn't spend time and resources trying to brute force it. The first thing he will do is gather all your personal information available on the Internet such as your name, occupation, pet name, etc and he will use it to guess a custom seed phrase. You will be surprised when you find out how many people use personal information for passwords.

[1714260341]

1714260341

[1714260341]

1714260341

[Sarah Azhari]

So, if an address appears on public, for example, bc1q00msv0lt4hhaks47yy2d26kg269r0r06vnccsp, how do we know that address is not standard generated?

or how to know the address is used BIP39 or electrum seed?

Address contains neither sensitive data nor the information about the approach that was employed to create it in the first place. Addresses are designed to be publicly revealed, otherwise it would be impossible to make transactions on the blockchain. You can't even convert a bitcoin address back to a public key (that is also considered relatively safe to share on the Internet), which makes it an impossible task to extract private keys directly from addresses. However, in the case of insecurely generated bitcoin wallet, an attacker doesn't need to break your address to guess your private key. He already knows that you used an insecure password when created your wallet, otherwise he wouldn't spend time and resources trying to brute force it. The first thing he will do is gather all your personal information available on the Internet such as your name, occupation, pet name, etc and he will use it to guess a custom seed phrase. You will be surprised when you find out how many people use personal information for passwords.

so while we are still anonymous and No one knows who we are, none of the data on the internet, IP, phone number, SSN and etc, we are safe to use a brain wallet with an Air gap device with never connected to the Internet. Because on electrum we can create an address by 1 letter/number when ticking BIP39 Seed.

[Saint-loup]

Electrum is unique, it's different from the BIP39 seed, in electrum I can create an address with a custom seed like " Sarah Azhari" and get the address "bc1quql5me288nquwhjr432wakq949quwszzg4h588", it's different on BIP39 wallet, when I write that custom seed, I received "Sarah not in the wordlist, did you mean arch?"



so, is it dangerous when still keep an address; "bc1quql5me288nquwhjr432wakq949quwszzg4h588"?. because it's not normally seed, or maybe safe if only keep the private key?.

That's not a good behavior from Electrum, I would call that a bug. Because it allows people to use non-BIP39 seeds while thinking they are using true BIP39 ones. It's dangerous for you to use a seed like that, because if Electrum fixes this bug in its next versions, you won't be able to access your funds anymore. You will need to find an older version able to run on your current environment, if you are able to remember it was a bug from a former version at least.

[o_e_l_e_o]

so while we are still anonymous and No one knows who we are, none of the data on the internet, IP, phone number, SSN and etc, we are safe to use a brain wallet with an Air gap device with never connected to the Internet.

Absolutely not.

It is not the manner in which you use a brain wallet which makes it inherently unsafe (although using any wallet in an unsafe manner is a risk), but rather it is the very concept of a brain wallet which is unsafe. Humans are not random. Humans cannot be random. Even if you think you are being random, you aren't. Coming up with your own password, passphrase, seed phrase, whatever, in order to generate a wallet, will absolutely result in a wallet with less entropy than you think or that you want. There is a reason that all good wallets generate seed phrases randomly and all good password managers generate passwords randomly. Anything you come up with yourself will not be secure.

All it takes is someone else to come up with the same string as you did, and all your coins are lost, regardless of if you used an airgapped device or not. Using a string of a single number or word, or even a string of words from a book, movie, song, etc., will almost certainly result in your coins being stolen. There are dozens of bots out there continually watching entire databases of addresses composed of hundreds of thousands of brain wallets, just waiting to steal any coins sent to them.

That's not a good behavior from Electrum, I would call that a bug.

It is not a bug, but rather intended behavior: https://github.com/spesmilo/electrum/issues/6860

[Sarah Azhari]

you won't be able to access your funds anymore. You will need to find an older version able to run on your current environment, if you are able to remember it was a bug from a former version at least.

If it's true, I don't need to find the older version, because I still can access my fund when I keep also the private key beside brain seed.

so while we are still anonymous and No one knows who we are, none of the data on the internet, IP, phone number, SSN and etc, we are safe to use a brain wallet with an Air gap device with never connected to the Internet.

Absolutely not.

It is not the manner in which you use a brain wallet which makes it inherently unsafe (although using any wallet in an unsafe manner is a risk), but rather it is the very concept of a brain wallet which is unsafe. Humans are not random. Humans cannot be random. Even if you think you are being random, you aren't. Coming up with your own password, passphrase, seed phrase, whatever, in order to generate a wallet, will absolutely result in a wallet with less entropy than you think or that you want. There is a reason that all good wallets generate seed phrases randomly and all good password managers generate passwords randomly. Anything you come up with yourself will not be secure.

All it takes is someone else to come up with the same string as you did, and all your coins are lost, regardless of if you used an airgapped device or not. Using a string of a single number or word, or even a string of words from a book, movie, song, etc., will almost certainly result in your coins being stolen. There are dozens of bots out there continually watching entire databases of addresses composed of hundreds of thousands of brain wallets, just waiting to steal any coins sent to them.

Noted it.

I never used the human brain to store my fund.
All of the case above is just an experiment.

[o_e_l_e_o]

If it's true, I don't need to find the older version, because I still can access my fund when I keep also the private key beside brain seed.

Then there is no point in using a brain wallet at all. If you are going to back up your private keys on paper, then backing up the string you used to generate those private keys alongside them provides zero additional redundancy or protection. And so in that case, it is far preferable to use a piece of software like Bitcoin Core to generate a random private key in a cryptographically secure way and back that key up, instead of using a very insecure brain wallet method to generate a key.

All of the case above is just an experiment.

Sure, but generating wallets and private keys is not something which should be experimented with. There are provably secure ways of generating wallets and keys, which all good wallets will use. And if you don't trust any software, then you can flip a coin to generate physical entropy. Anything method or scheme you come up with yourself will almost certainly have huge vulnerabilities.

[Saint-loup]

That's not a good behavior from Electrum, I would call that a bug.

It is not a bug, but rather intended behavior: https://github.com/spesmilo/electrum/issues/6860

I don't agree with that, because here Electrum doesn't say at least that it's not a BIP39 seed. It just says it's a BIP39 seed using a wordlist unknown from them : "BIP 39 (unknown wordlist)".
While only 2 words are used, which can't encode an entropy between 128 and 256bits with 11bits words, in addition to carrying a critically low and dangerous entropy for a seed.

The mnemonic must encode entropy in a multiple of 32 bits. With more entropy security is improved but the sentence length increases. We refer to the initial entropy length as ENT. The allowed size of ENT is 128-256 bits.
[...]
these concatenated bits are split into groups of 11 bits, each encoding a number from 0-2047, serving as an index into a wordlist.

https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki

Moreover BIP39 requires to issue a warning if the checksum is wrong, this message isn't a warning message and doesn't talk about the checksum.

Although using a mnemonic not generated by the algorithm described in "Generating the mnemonic" section is possible, this is not advised and software must compute a checksum for the mnemonic sentence using a wordlist and issue a warning if it is invalid.

https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki

[o_e_l_e_o]

I don't agree with that, because here Electrum doesn't say at least that it's not a BIP39 seed. It just says it's a BIP39 seed using a wordlist unknown from them : "BIP 39 (unknown wordlist)".

One of the flaws with BIP39 is that it requires a known wordlist. Another flaw is that if you do not know the wordlist being used then you do not know whether or not what is being entered is a valid BIP39 seed phrase or whether it has a valid checksum. Electrum only displays "BIP39 (unknown wordlist)" if the user manually checks the "BIP39 seed" box. Electrum is assuming the user knows what kind of seed they are using. Electrum is not able to say "This is not a BIP39 seed" because it could very well be a BIP39 seed using a different wordlist.

This is not the fault of Electrum. It is the fault of BIP39, which Electrum is supporting as best as possible given these flaws.

Moreover BIP39 requires to issue a warning if the checksum is wrong, this message isn't a warning message and doesn't talk about the checksum.

As above. If you enter words from the common English BIP39 word list, then Electrum will indeed show you an invalid checksum warning. But if you enter words not on this wordlist, Electrum (or indeed, any software) is not able to tell you whether or not your checksum is invalid because it does not know the wordlist you are using. This is a flaw in BIP39, not Electrum.

[Saint-loup]

I don't agree with that, because here Electrum doesn't say at least that it's not a BIP39 seed. It just says it's a BIP39 seed using a wordlist unknown from them : "BIP 39 (unknown wordlist)".

One of the flaws with BIP39 is that it requires a known wordlist. Another flaw is that if you do not know the wordlist being used then you do not know whether or not what is being entered is a valid BIP39 seed phrase or whether it has a valid checksum. Electrum only displays "BIP39 (unknown wordlist)" if the user manually checks the "BIP39 seed" box. Electrum is assuming the user knows what kind of seed they are using. Electrum is not able to say "This is not a BIP39 seed" because it could very well be a BIP39 seed using a different wordlist.

This is not the fault of Electrum. It is the fault of BIP39, which Electrum is supporting as best as possible given these flaws.

Moreover BIP39 requires to issue a warning if the checksum is wrong, this message isn't a warning message and doesn't talk about the checksum.

As above. If you enter words from the common English BIP39 word list, then Electrum will indeed show you an invalid checksum warning. But if you enter words not on this wordlist, Electrum (or indeed, any software) is not able to tell you whether or not your checksum is invalid because it does not know the wordlist you are using. This is a flaw in BIP39, not Electrum.

There are certainly flaws in BIP39 but could you tell us how a 2 words seed could have an entropy between 128bits and 256 bits, with words encoding 11 bits each, as BIP39 is requiring? You don't need to know if a wordlist has been used and which one it could be, neither to compute a checksum when it's mathematically not possible to meet the basic requirements of BIP39. Then the software shouldn't say it's a BIP39 seed, but should undeceive the users if they think it is one. In the same way, you should avoid to tell in the Beginners & Help section that a 2 words seed could very well be a BIP39 seed using a different wordlist, because it's very misleading and dangerous, as the entropy would be critically low even if those words belong to 2 different languages.

[o_e_l_e_o]

You don't need to know if a wordlist has been used and which one it could be, neither to compute a checksum when it's mathematically not possible to meet the basic requirements of BIP39. Then the software shouldn't say it's a BIP39 seed, but should undeceive the users if they think it is one.

Feel free to open an issue on GitHub if you think this should be changed. I don't think it should though, for the reasons I've given below.

In the same way, you should avoid to tell in the Beginners & Help section that a 2 words seed could very well be a BIP39 seed using a different wordlist

I never said any such thing. I have been very clear in my replies in this thread that generating your own seed phrase or wallet as OP has suggested is highly insecure.

This part of Electrum which allows you to recover non-standard seed phrase, is exactly that - a recovery tool. At no point does Electrum generate insecure seed phrases, nor even allow you to generate BIP39 seed phrases at all, valid or otherwise. There is no telling what errors or bugs other poorly coded wallets have implemented, and it is not Electrum's responsibility to police them, especially for a seed phrase system it doesn't use and in fact recommends against using. The whole point of Electrum allowing you to proceed with invalid checksums, unknown wordlists, wrong number of words, etc., is to allow people to attempt to recover such invalid seed phrases which other bad wallets have generated, or that they themselves have manually generated badly.

[Saint-loup]

In the same way, you should avoid to tell in the Beginners & Help section that a 2 words seed could very well be a BIP39 seed using a different wordlist

I never said any such thing. I have been very clear in my replies in this thread that generating your own seed phrase or wallet as OP has suggested is highly insecure.

This part of Electrum which allows you to recover non-standard seed phrase, is exactly that - a recovery tool. At no point does Electrum generate insecure seed phrases, nor even allow you to generate BIP39 seed phrases at all, valid or otherwise. There is no telling what errors or bugs other poorly coded wallets have implemented, and it is not Electrum's responsibility to police them, especially for a seed phrase system it doesn't use and in fact recommends against using. The whole point of Electrum allowing you to proceed with invalid checksums, unknown wordlists, wrong number of words, etc., is to allow people to attempt to recover such invalid seed phrases which other bad wallets have generated, or that they themselves have manually generated badly.

You are maybe right, they maybe see this "feature" as a so called "recovery tool" but unfortunately it's not written anywhere in the messages displayed and they are not ashamed to call "BIP39" any random string with any random characters. The warning message below the text box doesn't talk about their lax "recovery" policy, it just talks about their own safety standard and version number system.
After undergoing a long attack that made many victims, they could be more cautious of their users, especially the less educated ones IMO.
It's nice to be able to create a mnemonic seed with a huge entropy with only few words, but without any warnings it could lead to the opposite as in the case above.

Warning: BIP39 seeds can be imported in Electrum, so that users can access funds locked in other wallets. However, we do not generate BIP39 seeds, because they do not meet our safety standard. BIP39 seeds do not include a version number, which compromises compatibility with future software. We do not guarantee that BIP39 imports will always be supported in Electrum.

[BlackBoss_]

There is no way you can tell if a seed is BIP39 or Electrum simply by looking at it, if they are both using the same wordlist. You simply have to try to import the seed phrase and see if it has an valid/invalid BIP39 checksum or a valid/invalid Electrum version number.

Importing can lead to successful import or failed import.

Could you share how do I know what seed word is for checksum and what words in mnemonic seed are not for checksum, please.

I read article and watch video that it's stupid idea to split mnemonic seed to different parts because it is bad if one of parts have word for checksum that is useless for wallet recovery.

Like if I have a full mnemonic seed, how do I know what word is for checksum?

[pooya87]

Could you share how do I know what seed word is for checksum and what words in mnemonic seed are not for checksum, please.

In Electrum mnemonics, there is no specific part that contains the checksum. The whole combination also acts as a checksum (HMACSHA512 hash of the mnemonic should have a certain starting bits).
In BIP39 mnemonics the last world contains the checksum. Depending on the number of words it can be smaller (4 bits for 12 words to 8 bits for 24 words and each word is always 11 bits).

[Saint-loup]

I read article and watch video that it's stupid idea to split mnemonic seed to different parts because it is bad if one of parts have word for checksum that is useless for wallet recovery.

What do you call a word for checksum that is useless for wallet recovery precisely? All words are needed to recover a wallet actually, so you won't get the same master key if you use a seed without its checksum even if the wallet accepts it like Electrum does. All words are used by the PBKDF2 function to generate the seed. So you will need to compute it again if the checksum is missing. In addition, there is no canonical BIP39 seed with words fully used as checksum because binary seeds must have a multiple of 32 bit seize and the longest checksum is 8bits (for a 256bits seed) while words are 11bits long.
https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki

Do you have links of those articles and videos btw? Because they are mistaken if they are telling that.

[o_e_l_e_o]

but unfortunately it's not written anywhere in the messages displayed and they are not ashamed to call "BIP39" any random string with any random characters.

Because without knowing the wordlist, they have no way of knowing if a random string with any random characters is an incorrectly generated BIP39 seed phrase. They only ever call a phrase BIP39 after the user has checked the box indicating that they are entering a BIP39 phrase.

If I say "Here is a BIP39 seed phrase" and then enter some random string, Electrum (or any other software) has absolutely no way of saying "This is not a BIP39 seed phrase". All it can do is take me at my word, and tell me that it doesn't know the specifics of my BIP39 seed phrase, since I could be using any wordlist or any non-standard implementation. Plenty of other software already generates what they call BIP39 seed phrases which do not follow the standard. Iancoleman, for example, lets users generate seed phrases with only 3 words.

[Saint-loup]

but unfortunately it's not written anywhere in the messages displayed and they are not ashamed to call "BIP39" any random string with any random characters.

Because without knowing the wordlist, they have no way of knowing if a random string with any random characters is an incorrectly generated BIP39 seed phrase. They only ever call a phrase BIP39 after the user has checked the box indicating that they are entering a BIP39 phrase.

If I say "Here is a BIP39 seed phrase" and then enter some random string, Electrum (or any other software) has absolutely no way of saying "This is not a BIP39 seed phrase". All it can do is take me at my word, and tell me that it doesn't know the specifics of my BIP39 seed phrase, since I could be using any wordlist or any non-standard implementation. Plenty of other software already generates what they call BIP39 seed phrases which do not follow the standard. Iancoleman, for example, lets users generate seed phrases with only 3 words.

All it can do is to take me at my word ? No if it can't verify it can just say it hasn't been able to verify if it's a BIP39 seed or not, or it can just say nothing about it. Bitcoin is a new technology for most people on Earth, they need to be helped, accompanied and educated, not confused because of ego conflicts between devs. I hope being wrong but I wonder if this mention is here by accident, or because it's a way of showing that BIP39 is/could be crap.

[o_e_l_e_o]

I wouldn't call it an ego conflict, simply conflicting standards. It reminds me of this: https://xkcd.com/927/

I do agree things should be kept as simple as possible, but if someone is already in the situation in which they are trying to recover a non-standard or invalid BIP39 seed phrase using an unknown wordlist, then they have already failed at keeping things as simple as possible. As I mentioned above, this feature in Electrum is a recovery tool for people who have already over-complicated things with such non-standard seed phrases. If you keep things simple by installing Electrum and generating a new seed phrase for your wallet, then you will never interact with this feature at all.

[Saint-loup]

I wouldn't call it an ego conflict, simply conflicting standards. It reminds me of this: https://xkcd.com/927/

I do agree things should be kept as simple as possible, but if someone is already in the situation in which they are trying to recover a non-standard or invalid BIP39 seed phrase using an unknown wordlist, then they have already failed at keeping things as simple as possible. As I mentioned above, this feature in Electrum is a recovery tool for people who have already over-complicated things with such non-standard seed phrases. If you keep things simple by installing Electrum and generating a new seed phrase for your wallet, then you will never interact with this feature at all.

They couldn't fail to keep things as simple as possible, as you say, if softwares like Electrum were not allowing to do this kind of things without displaying serious warnings, in the first place. If someone wants to rob a layman he just needs to advise him to use a first and last name as a seed in Electrum like Sarah Azhari is doing, to lead him to get a very weak seed, easy to hack by him. Bitcoin should be safe to use for everybody.

[ICYNOTE2023]

what do you thing about 12 mnemonic and only remember 7 words?
is there possible to recovery?

[FatFork]

what do you thing about 12 mnemonic and only remember 7 words?
is there possible to recovery?

No. The BIP39 mnemonic dictionary contains 2048 words. This means that there are about 3.6x10^16 possible combinations for your 12-word mnemonic seed, even if you know the right order of those 7 known words. It gets even crazier if you don't know the word order at all. Trying to brute force those 5 missing words? Forget about it! It's flat-out impossible.