12-word seed vs 24-word seed? This seems pretty interesting

[Z-tight]

If you read the article, its written that guy won a prize of 30$ for breaking this 12-word seed. From this prize money one can see the difficulty level of this task.

$30 is dust, which does not prove any difficulty. If you read this thread from the beginning, you will understand that it is not a difficult task to crack and arrange a scrambled 12-word seed phrase when given the actual 12 words, it is an impossible task when you don't have the words at all; so the message is just don't give out your seed phrase, it does not matter if it is in the wright or wrong order, if you give it out many people can quickly crack and arrange it correctly.

[1714497310]

1714497310

[Aikidoka]

If you read the article, its written that guy won a prize of 30$ for breaking this 12-word seed. From this prize money one can see the difficulty level of this task.

$30 is dust, which does not prove any difficulty. If you read this thread from the beginning, you will understand that it is not a difficult task to crack and arrange a scrambled 12-word seed phrase when given the actual 12 words, it is an impossible task when you don't have the words at all; so the message is just don't give out your seed phrase, it does not matter if it is in the wright or wrong order, if you give it out many people can quickly crack and arrange it correctly.

The moral of the story is to never put any of the words from your seed phrase at any risk online (whether scrambled or not= you will get hacked and lose your funds).
 
If you write it down on a piece of paper and have one or two backups in different and secure places, you can avoid the risk of getting hacked online and the only way you'll lose your funds if someone physically get access to those papers where you stored your seed phrase.

[jeraldskie11]

If you write it down on a piece of paper and have one or two backups in different and secure places, you can avoid the risk of getting hacked online and the only way you'll lose your funds if someone physically get access to those papers where you stored your seed phrase.

There is no point in saving or writing down your seed phrase on a piece of paper in out of order because it will just make it difficult to unlock your wallet. In my opinion, the significance of this experiment is that a seed phrase of 12 words is more vulnerable than a seed phrase of 24 words. But, as I previously stated, I believe this experiment is pointless because no one will keep their seed phrase out of order.

Considering this thing, exposing your Bitcoin address with a large amount of Bitcoin within can be hacked which is why Bitcoin mixer was created, how much more if you show your scrambled seed phrase.

[Z-tight]

exposing your Bitcoin address with a large amount of Bitcoin within can be hacked which is why Bitcoin mixer was created,

Exposing your BTC address that has a large amount of BTC can make you a target, but it does not mean you'll be hacked, you'll be hacked if you have very bad operational security, and that's whether you expose an address connected to your identity or not. If you use a hardware wallet or an air-gapped computer to store your funds, and then you also have great opsec, you won't be hacked even if you expose an address belonging to you or connected to your identity, but never expose yourself in that way because a $5 wrench attack can happen to you .

[NotATether]

So you're saying if I post my 12 seed words online, someone can steal my Bitcoins? What's next, if I post the details for my bank but scramble my PIN, someone can steal my euros too?

To be fair, even the android phone in your pocket can go through all possible combinations of your PIN and unscramble it, if the hackers can't just social engineer the bank into logging you in in the first place. 

What's your source of crypto news? I know it won't be one as it shouldn't be but usually, what website(s) do you visit? Your opinion on this task matters because you are a highly valued, knowledgeable member

I tend not to care whatsoever about what these sites class as "news". If you look at the landing page of CoinTelegraph, CoinIdol, etc. on any given day, the top stories are about price speculation, a whole bunch of shitcoins I don't care about, a whole bunch of centralized exchanges or platforms I don't care about, various celebrities or influences I don't care about, clickbait trash like the article being discussed here, and so on. The amount of actual news on these sites is somewhere between zero and none.

What I do care about is bitcoin's development and new advances, and for that I read the bitcoin-dev mailing list, the lightning-dev mailing list, and any relevant discussions on GitHub. I would also recommend the newsletter from https://bitcoinops.org/.

Exactly. I guess trash talk is more marketable and gets more clicks than informative discourse, so that's probably why most sites do what they do.

On the other hand, times are not exactly rosy for digital media empires these days (Buzzfeed trouble, and VICE about to go bust).

[LoyceV]

To be fair, even the android phone in your pocket can go through all possible combinations of your PIN and unscramble it, if the hackers can't just social engineer the bank into logging you in in the first place.  

Good luck with that, I don't do banking on my phone (for this exact reason). It's weird to see banks now just cover increasing amounts of losses because they're pushing "convenience" instead of security. And that's another reason why I like Bitcoin: at least I can choose my own security. If "your" money from your bank account is gone, you have to prove you didn't do it. If your Bitcoins are gone, at least you know it's your own fault.

Update (I don't want to go further off-topic in a new post):

Major banking theft via online is very hard to get reimbursement from your bank.

Here, bank fraud is often covered. Banks prefer to pay the damages to keep their customers (and just raise their annual fees).

[philipma1957]

To be fair, even the android phone in your pocket can go through all possible combinations of your PIN and unscramble it, if the hackers can't just social engineer the bank into logging you in in the first place.  

Good luck with that, I don't do banking on my phone (for this exact reason). It's weird to see banks now just cover increasing amounts of losses because they're pushing "convenience" instead of security. And that's another reason why I like Bitcoin: at least I can choose my own security. If "your" money from your bank account is gone, you have to prove you didn't do it. If your Bitcoins are gone, at least you know it's your own fault.

Major banking theft via online is very hard to get reimbursement from your bank.

edit finishing my point: a major cc theft is protected and fairly easy to fix.



The reason is ⅔ of cc users pay huge interest so banks encourage cc use.

[Lucius]

Spammy, trash "news" site posts clickbait!? I'm shocked!

Well, I would say that Cointelegraph is not the best website out there, nor the most reliable one but I wouldn't call it spammy trash news website. What's your source of crypto news? I know it won't be one as it shouldn't be but usually, what website(s) do you visit? Your opinion on this task matters because you are a highly valued, knowledgeable member

I also don't have a good opinion of that news source because they used to pay people to spam links on this forum, and I've honestly avoided them ever since. There are certainly many better sources out there, although everyone probably has their favorite when it comes to cryptocurrency news. One of the better sources that deals with slightly more serious topics (although that's just my subjective assessment) -> BM

[Wind_FURY]

There are people who think that its okay to not completely hide your seeds if you remember the way they are ordered but this small experiment makes it pretty clear that one should be more cautious.

No one should consider scrambling their seeds as a way of keeping it away from Intruders, you can forget the actual order and can lose your bitcoins, especially if it's a 24 word seed phrase.

The essence of back ups is the safety of the location which should be as covert as possible to evade detection. If one location does not prove enough then one should consider using more than one location with a multi sig wallet and storing them differently. One getting compromised does not result in loss of funds.

An additional seedphrase which you can store separately is also a good alternative to scrambling the seed phrase.

For BIP-39 compliant wallets, adding a "25th word", which is actually a secret passphrase, in your seed would increase the security of your wallet exceedingly. Make it alpha-numeric, and with symbols included. Plus if a hacker gets your seed words, he/she would have access to a different wallet/address space than the wallet with the added "25th word", with the address space where your Bitcoin is HODLed.

[Wronsk]

it's a shame that electrum doesn't offer 24 word seeds by default, I know it's possible by entering commands in the console but I'm afraid of compromising security, or doing something stupid, it's a bit off topic but do you know if they have an update planned?

[paid2]

it's a shame that electrum doesn't offer 24 word seeds by default, I know it's possible by entering commands in the console but I'm afraid of compromising security, or doing something stupid, it's a bit off topic but do you know if they have an update planned?

I am not aware about a potential update from Electrum's dev team

But on linux you can just go with the following command :

Code:

electrum --offline make_seed --nbits=256

I don't see any security risk regarding to this one, if you trust your computer and OS, and do it offline ; everything should be fine

[Zoomic]

What's your source of crypto news? I know it won't be one as it shouldn't be but usually, what website(s) do you visit? Your opinion on this task matters because you are a highly valued, knowledgeable member

I tend not to care whatsoever about what these sites class as "news". If you look at the landing page of CoinTelegraph, CoinIdol, etc. on any given day, the top stories are about price speculation, a whole bunch of shitcoins I don't care about, a whole bunch of centralized exchanges or platforms I don't care about, various celebrities or influences I don't care about, clickbait trash like the article being discussed here, and so on. The amount of actual news on these sites is somewhere between zero and none.

What I do care about is bitcoin's development and new advances, and for that I read the bitcoin-dev mailing list, the lightning-dev mailing list, and any relevant discussions on GitHub. I would also recommend the newsletter from https://bitcoinops.org/.

o_e_l_e_o

You have programmed your mind for bitcoin and privacy, every other shits doesn't matter to you and that is the best to do. There are alot of distractions .

Op, people only experiment and scramble seed phrase with zero or few Sats. No one experiments with seed bearing 10's to 100's of BTC. So, it is just a fantazied and dramatically executed idea to have a blog post.

[hZti]

In my opinion it does not matter if you use 12 word or 24 word seed phrases. IF your seed words get leaked you have an issue no matter what amount of words you have used.

It's weird to see banks now just cover increasing amounts of losses because they're pushing "convenience" instead of security.

Thats just basic economics and the result of the business calculations of the bank. Even if it is weird that they intentionally weaken their security it is just that every business will require to spend money in order to then earn money. So this stolen money is simply a "weird" business expense for the banks. The will then calculate their fees exactly so they will have like 5% or something return on that business expense.

[Wrathofcoins]

I have to say also the 25 minutes who take maybe are a wrong calculation, because what if he was "lucky" to find the order on 25 minute, but you need to make more and more tries to find out the average time, not only one disorded seed.

Asides of that like a few guys says above, this its not related to BTC or cryptocoins, its all about basic maths and calcus, we know from a long time ago what time or how much tries do you need to solve that.

And obviusly a 24 words can be more safe in that case, but also, we can still go up, why not 36/48/72 etc. No sense

Its like a send a photo of one key of my house to a locksmith, well yes he can make a "fast" copy, and open my house......

[o_e_l_e_o]

I have to say also the 25 minutes who take maybe are a wrong calculation, because what if he was "lucky" to find the order on 25 minute, but you need to make more and more tries to find out the average time, not only one disorded seed.

It's actually pretty accurate.

On my home hardware attempting to descramble a seed phrase from 12 known words, I can test around 115k possibilities a second. 12! / 115,000 = 70 minutes. Given that on average you need to attempt 50% of the possibilities to find the correct one, the average for me to descramble a seed phrase is 35 minutes.

But yes, your other points are correct. It is a pointless scenario because the security of your coins should never rest on an attacker having access to your seed phrase but being unable to descramble it.

[Synchronice]

it's a shame that electrum doesn't offer 24 word seeds by default, I know it's possible by entering commands in the console but I'm afraid of compromising security, or doing something stupid, it's a bit off topic but do you know if they have an update planned?

To be honest, if you don't reveal your seed in an ordered way, then you can absolutely feel very secure by 12-word seed alone. You don't actually need 24-word seed.

In my opinion it does not matter if you use 12 word or 24 word seed phrases. IF your seed words get leaked you have an issue no matter what amount of words you have used.

If seed phrase gets leaked in an unordered way, then it can be a problem in case of 12-word seed but not for a 24-word seed. This is proven in that article.

I have to say also the 25 minutes who take maybe are a wrong calculation, because what if he was "lucky" to find the order on 25 minute, but you need to make more and more tries to find out the average time, not only one disorded seed.

Okay, create a wallet with 12-word seed, post phrases in unordered way and I'll honestly tell you how long it takes for me to crack that. Others can join the experiment too, or if you trust, I'll do this experiment myself, put phrases in list randomizer on random.org (if you have better idea, message me) and post the result.

[NotATether]

Now that I'm programming seed phrase generation, at the end of the day, the number of words doesn't really matter, because it's all hashed down via HMAC-512 into a 256-bit master private key (the other 256 bits on the right are the chain code, but that's not really relevant here), so if anyone can crack ECC used in private keys, it's game over for seed phrases unless another keypair-generating method is introduced earlier.