Given the first 15 words out of 24, can a hacker crack the wallet?

[lyw123]

I am currently using a highly complex method to store a set of 24 mnemonic words. Decoding the mnemonic requires 20 minutes.

I am considering why not use a simpler approach?
For example, writing down 15 words on papers, and storing the remaining 9 words on an encrypted USB drives and online emails. Certainly, both the paper documents and electronic file should be kept with multiple copies.

Question: Given the first 15 words out of 24, can a hacker crack the wallet?

I ask chatGPT, and it say that is secure. However, considering that AI models often give unreliable information, it would be better to seek advice from friends on this website. Thanks!

Adding passphrase is better, and some message is obtained here https://blog.trezor.io/is-your-passphrase-strong-enough-d687f44c63af
The official Trezor website has calculated the security length of a passphrase. It states that a passphrase containing characters from 0-9, a-z, A-Z is considered secure with a length of 10 characters. With 62^10 possible combinations, this is equivalent to approximately 5.41 words, or 2048^5.41.

[1714509772]

1714509772

[1714509772]

1714509772

[1714509772]

1714509772

[1714509772]

1714509772

[Bitcoin Smith]

Question: Given the first 15 words out of 24, can a hacker crack the wallet?

Still unlikely possible to brute force the remaining 9 seed words out 24, but technically the entropy dropped from 256 to 99 bits.

If the seeds are BIP39 then there are 2048 sets of words.

So, to calculate the number of calculations required to brute force a 9-word seed phrase, you would raise 2048 to the power of 9 which is 2048^9 = 5.44 x 10^27 combinations needs to be done, still it will take.

Now if you have a super computer which can do one billion combinations per second

(5.44 x 10^27) ÷ (1,000,000,000) = 5.44 x 10^18 seconds

(5.44 x 10^18 seconds) ÷ (60 seconds/minute * 60 minutes/hour * 24 hours/day * 365 days/year) = 1.72 x 10^10 years

So, it would take approximately 1.72 x 10^10 or 17 billion years to brute force a 9-word seed phrase with 1 billion combinations per second.

[lyw123]

Still unlikely possible to brute force the remaining 9 seed words out 24, but technically the entropy dropped from 256 to 99 bits.

If the seeds are BIP39 then there are 2048 sets of words.

So, to calculate the number of calculations required to brute force a 9-word seed phrase, you would raise 2048 to the power of 9 which is 2048^9 = 5.44 x 10^27 combinations needs to be done, still it will take.

Now if you have a super computer which can do one billion combinations per second

(5.44 x 10^27) ÷ (1,000,000,000) = 5.44 x 10^18 seconds

(5.44 x 10^18 seconds) ÷ (60 seconds/minute * 60 minutes/hour * 24 hours/day * 365 days/year) = 1.72 x 10^10 years

So, it would take approximately 1.72 x 10^10 or 17 billion years to brute force a 9-word seed phrase with 1 billion combinations per second.

The 24th word should not be included (it is a checksum word with only 8 possible choices). This still makes it impossible to crack. If a 30-character passphrase is added (using 0-9, a-z, A-Z), with 15 characters written on paper and the other 15 encrypted in an electronic file, it becomes even more secure.

If the 24-word mnemonic has been used before, then the blockchain will contain BTC transaction records. In that case, a hacker can first crack the remaining 9 words (by checking if the generated wallet has transaction records) and then attempt to crack the passphrase. However, if the 24-word mnemonic has never been used individually, then the hacker would need to crack both the remaining 9 words and the passphrase simultaneously. Is my understanding correct?

[tenant48]

Trying to invent your own Seed storage methods will virtually guarantee that you will lose access to your funds in the future. Write down your 24 words on paper and keep copies in different places. If you want to additionally protect your 24 words with a passphrase, then 30 characters is overkill. Check out the article, which says that a passphrase of 10 - 12 characters is more than enough.

[Bitcoin Smith]

The 24th word should not be included (it is a checksum word with only 8 possible choices).

You can say that only if you found the first 23 words of the recovery seeds and the remaining last word is just one from the potential 8 special words, but the checksum is actually derived from the remaining all the words in the seed that is 23, so I guess it also should be included in the calculation if you successfully want to crack the 24 word seeds.

Which is explained in detail here : https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki

then the hacker would need to crack both the remaining 9 words and the passphrase simultaneously. Is my understanding correct?

Yes, correct. But cracking the 12 or 24 words itself not possible, then the 30 character passphrase just an additional layer of protection and effectively additional entropy.

[lyw123]

Trying to invent your own Seed storage methods will virtually guarantee that you will lose access to your funds in the future. Write down your 24 words on paper and keep copies in different places. If you want to additionally protect your 24 words with a passphrase, then 30 characters is overkill. Check out the article, which says that a passphrase of 10 - 12 characters is more than enough.

Your advice is very insightful. I am simply ignorant, which leads to fear, and fear leads to excessive complexity.

then the hacker would need to crack both the remaining 9 words and the passphrase simultaneously. Is my understanding correct?

Yes, correct. But cracking the 12 or 24 words itself not possible, then the 30 character passphrase just an additional layer of protection and effectively additional entropy.

Thank you for your response. My plan is as follows: Write down 12 words of 24 and an 18-character passphrase (including 0-9, a-z, A-Z) on papers. Additionally, encrypt another 12 words into different electronic files with different keys, to prevent single point of failure. Multiple backups for each part and store them in different locations.

If there are any security risks, please tell me. I appreciate it much. Thank everyone!

[hosseinimr93]

Still unlikely possible to brute force the remaining 9 seed words out 24, but technically the entropy dropped from 256 to 99 bits.

If the last 9 words of a 24 word BIP39 seed phrase are missing, the entropy would decrease to 91 bits, not 99 bits. The last 8 bits are checksum and are a function of the first 256 bits.

So, to calculate the number of calculations required to brute force a 9-word seed phrase, you would raise 2048 to the power of 9 which is 2048^9 = 5.44 x 10^27 combinations needs to be done, still it will take.

The number of possible combinations would be 2⁹¹ which equals to 2.48 * 10²⁷.
If we don't consider the checksum, the entropy would be 2⁹⁹ or 2048⁹ which equals to 6.34 * 10²⁹. You made a mistake in your calculation.

[pooya87]

If there are any security risks, please tell me. I appreciate it much. Thank everyone!

The main problem is the methods you use which can make things complicated and possibly lead to problems when you want to recover your mnemonic from the complicated backup.
For example you said "encrypt the other 12 words", what algorithm are you going to use? AES? Will you use a KDF like BIP38 to derive the password used in AES? Will you use it correctly and will it be reproducible? Will you remember how you did it so that you can recover your mnemonic in the future?
You see when you come up with your own algorithm, unlike BIP38 I mentioned, it won't be standardized so a lot of details about it could be weak, buggy or not-reproducible.

[nc50lc]

I am considering why not use a simpler approach?
For example, writing down 15 words on papers, and storing the remaining 9 words on an encrypted USB drives and online emails. Certainly, both the paper documents and electronic file should be kept with multiple copies.
-snip-
Question: Given the first 15 words out of 24, can a hacker crack the wallet?

Go for the simpler method, but why not 12 words out of 24?
mnemonic with 9 missing words is quite safe, but 12 missing is safer.

It can also provide you potential deniability if you can generate valid first 12 words or 12 last words when used stand-alone.
Creating a 24-word seed phrase with one half part valid has a good chance but getting both two parts as separate valid seed phrase may be low.
You may need a script to generate the latter. (can anyone provide the numbers if the latter if possible?)

For safety/deniability, fund each part with low amount so even if one got hacked, the attacker may think that it's the actual contents of the compromised seed phrase
so he wont be looking for your emails or flash drives for the other part.
On the other hand, Attackers will likely think that it has another part hidden if the seed phrase is only 15-words or invalid.

The main issue here is if you forget that it should be combined.

[lyw123]

The main problem is the methods you use which can make things complicated and possibly lead to problems when you want to recover your mnemonic from the complicated backup.
For example you said "encrypt the other 12 words", what algorithm are you going to use? AES? Will you use a KDF like BIP38 to derive the password used in AES? Will you use it correctly and will it be reproducible? Will you remember how you did it so that you can recover your mnemonic in the future?
You see when you come up with your own algorithm, unlike BIP38 I mentioned, it won't be standardized so a lot of details about it could be weak, buggy or not-reproducible.

My current knowledge is very limited. I plan to directly use WinRAR and 7-Zip for encryption, utilizing the AES256 algorithm. Regarding it must be reproducible, there are a few considerations as follows:

(1) For electronically stored files on the network, use strong passwords (>40 characters) and prepare password explanations. The passwords will primarily come from things or names that I am very familiar with but others are not, such as the names of childhood playmates, and so on! Most these things and names are unknown to my colleagues as well.

(2) I have purchased a few high-level encrypted USB drives, including two fingerprint USB drives. The seller claims that these encrypted USB drives cannot be cracked. Therefore, relatively weak passwords (~20 characters) can be used for the electronic files stored on these drives. If a hacker-level thief were to steal these USB drives, they would not have the ability to crack them immediately. Then I have time to send out the coins.

(3) The last line of defense is hardware wallets. As long as the hardware wallet continues to function properly, it remains secure.

[lyw123]

Go for the simpler method, but why not 12 words out of 24?
mnemonic with 9 missing words is quite safe, but 12 missing is safer.

That is Ok, too.

For safety/deniability, fund each part with low amount so even if one got hacked, the attacker may think that it's the actual contents of the compromised seed phrase
so he wont be looking for your emails or flash drives for the other part.
On the other hand, Attackers will likely think that it has another part hidden if the seed phrase is only 15-words or invalid.

Your consideration is reasonable.
However, another possibility to consider is as follows: For example, I use a 24-word mnemonic (BIP39) and an 18-character passphrase. I handwrite 12 of the words and the passphrase. If I use a wallet that solely relies on these 24 words, it will leave a transaction record on the blockchain. Hackers can potentially crack the handwritten 12 words first by examining the transaction records,  and then proceed to crack the remaining passphrase. If I have never used a wallet exclusively with those 24 words before, the hacker would have to simultaneously crack the handwritten 12 words and the passphrase. Is that correct?

[nc50lc]

However, another possibility to consider is as follows: For example, I use a 24-word mnemonic (BIP39) and an 18-character passphrase. I handwrite 12 of the words and the passphrase. If I use a wallet that solely relies on these 24 words, it will leave a transaction record on the blockchain. Hackers can potentially crack the handwritten 12 words first by examining the transaction records,  and then proceed to crack the remaining passphrase.

I'm not aware of any vulnerability that'll compromise the mnemonic from a transaction record in the blockchain.
Can you link me where this is based? TIA.

The closest I know is if you've compromised one of your private key and its parent's extended public key pair, that parent extended private key can be computed from those.
However, it wont affect the master private key or anything behind it like the mnemonic or seed if it used hardened derivation (default) to derive the compromised extended key.
So the wallet that used the 24-word plus passphrase wont be affected even if the wallet that used the same 24-words without the passphrase is compromised.
But still recommended to send to a new one if that happened no matter how strong the passphrase is.

[LoyceMobile]

I am simply ignorant, which leads to fear, and fear leads to excessive complexity.

I've seen more topics from people who lost access to their funds, than people who had their seed phrase physically compromised. Don't take irrational decisions based on fear.

[lyw123]

However, another possibility to consider is as follows: For example, I use a 24-word mnemonic (BIP39) and an 18-character passphrase. I handwrite 12 of the words and the passphrase. If I use a wallet that solely relies on these 24 words, it will leave a transaction record on the blockchain. Hackers can potentially crack the handwritten 12 words first by examining the transaction records,  and then proceed to crack the remaining passphrase.

I'm not aware of any vulnerability that'll compromise the mnemonic from a transaction record in the blockchain.
Can you link me where this is based? TIA.

The closest I know is if you've compromised one of your private key and its parent's extended public key pair, that parent extended private key can be computed from those.
However, it wont affect the master private key or anything behind it like the mnemonic or seed if it used hardened derivation (default) to derive the compromised extended key.
So the wallet that used the 24-word plus passphrase wont be affected even if the wallet that used the same 24-words without the passphrase is compromised.
But still recommended to send to a new one if that happened no matter how strong the passphrase is.

I'm sorry, I know very little about blockchain. Thank you for your help.

[lyw123]

I am simply ignorant, which leads to fear, and fear leads to excessive complexity.

I've seen more topics from people who lost access to their funds, than people who had their seed phrase physically compromised. Don't take irrational decisions based on fear.

Last year, I didn't even know what a passphrase was. I came up with a complicated method to store my mnemonic phrases, which I improved at least ten times to enhance its reliability, and it took me two months to do so. It was really foolish. The current method seems much simpler. The main issue now is the possibility of being unable to access the encrypted files. I have prepared different solutions to prevent this problem.

[o_e_l_e_o]

You may need a script to generate the latter. (can anyone provide the numbers if the latter if possible?)

Let's see.

You can generate a 12 word seed phrase with a valid checksum and use that as the first 132 bits of entropy for your 24 word seed phrase. Concatenate another 124 bits of entropy, and then calculate the 8 bit checksum to give yourself a valid 24 word seed phrase. Take the last 12 words of this seed phrase. Given 12 words have a 4 bit checksum, then there is a 1/16 chance that this checksum is valid. So it won't take long at all to bruteforce a valid combination.

Here's one I just made in just a few minutes:

Code:

pupil magic fun throw lecture sunset pizza fashion helmet couch auto impact despair height humor impose near plunge clever abstract swing laundry scheme acquire

Both the first 12 words and the last 12 words are valid seed phrases on their own:

Code:

pupil magic fun throw lecture sunset pizza fashion helmet couch auto impact
despair height humor impose near plunge clever abstract swing laundry scheme acquire

As I said to OP in another thread, his back up scheme is not great. He is planning to have some words written down, some words stored electronically, a variety of different encryption techniques, a variety of different passwords (are these being backed up too? Where? Or are you relying on memory? (Which is even worse!)), and more. It is far too complicated, and he runs a significant risk of failing to recover from his back ups and inadvertently locking himself out of his own wallets.

If you want to avoid a single point of failure, then you should use a standardized and tried-and-tested method for doing so, such as multi-sig or passphrases.

[un_rank]

I am currently using a highly complex method to store a set of 24 mnemonic words. Decoding the mnemonic requires 20 minutes.

I am considering why not use a simpler approach?

If you really want to use a simpler approach then simply write down the seedphrase on paper and store that, as a contingency have more than one back up sites.

If you really want to complicate it, then add a passphrase or use a multi sig wallet and store that separately. These are tried and tested methods and they allow you to easily recover it when you need to. Do not over complicate the process.

- Jay -

[nc50lc]

You may need a script to generate the latter. (can anyone provide the numbers if the latter if possible?)

Let's see.

You can generate a 12 word seed phrase with a valid checksum and use that as the first 132 bits of entropy for your 24 word seed phrase. Concatenate another 124 bits of entropy, and then calculate the 8 bit checksum to give yourself a valid 24 word seed phrase. Take the last 12 words of this seed phrase. Given 12 words have a 4 bit checksum, then there is a 1/16 chance that this checksum is valid. So it won't take long at all to bruteforce a valid combination.

Here's one I just made in just a few minutes:

Code:

pupil magic fun throw lecture sunset pizza fashion helmet couch auto impact despair height humor impose near plunge clever abstract swing laundry scheme acquire

Nice, thanks for sparing the time.

So it's faster than I anticipated, I was thinking of generating the whole 24-words from a 256-bit entropy in one go.
Pre-generating the valid first half and filling the rest is one nice trick to minimize the search space for a valid whole (24-words) and last half (12-word) checksum.

[lyw123]

You may need a script to generate the latter. (can anyone provide the numbers if the latter if possible?)

Let's see.

You can generate a 12 word seed phrase with a valid checksum and use that as the first 132 bits of entropy for your 24 word seed phrase. Concatenate another 124 bits of entropy, and then calculate the 8 bit checksum to give yourself a valid 24 word seed phrase. Take the last 12 words of this seed phrase. Given 12 words have a 4 bit checksum, then there is a 1/16 chance that this checksum is valid. So it won't take long at all to bruteforce a valid combination.

Here's one I just made in just a few minutes:

Code:

pupil magic fun throw lecture sunset pizza fashion helmet couch auto impact despair height humor impose near plunge clever abstract swing laundry scheme acquire

Both the first 12 words and the last 12 words are valid seed phrases on their own:

Code:

pupil magic fun throw lecture sunset pizza fashion helmet couch auto impact
despair height humor impose near plunge clever abstract swing laundry scheme acquire

This method is very deceptive. The first 12 words and the last 12 words are all valid wallets. And then store them separately in different places? (different houses, even different cities?) To improve reliability, it is advisable to consider adding this scheme.

As I said to OP in another thread, his back up scheme is not great. He is planning to have some words written down, some words stored electronically, a variety of different encryption techniques, a variety of different passwords (are these being backed up too? Where? Or are you relying on memory? (Which is even worse!)), and more. It is far too complicated, and he runs a significant risk of failing to recover from his back ups and inadvertently locking himself out of his own wallets.

The file is encrypted with WinRAR and 7-Zip. To ensure that encrypted electronic files can be opened, I have done the following works:
(1) For electronically stored files on the network, use strong passwords (>40 characters) and prepare password explanations. The passwords will primarily come from things or names that I am very familiar with but others are not, such as the names of childhood playmates, and so on! Every encrypted file must have a password explanation.  So passwords will only relying on memory and password explanation. I test this method for a long time, and it is very reliable.

(2) I have purchased a few high-level encrypted USB drives, including two fingerprint USB drives. The seller claims that these encrypted USB drives cannot be cracked. Therefore, relatively weak passwords (~20 characters) can be used for the electronic files stored on these drives. Also, every encrypted file must have a password explanation.

(3) The last line of defense is hardware wallets. As long as the hardware wallet continues to function properly, it remains secure.

(4) Check whether the encrypted files can be opened normally once a year. If not, transfer funds through a hardware wallet immediately.

[o_e_l_e_o]

The file is encrypted with WinRAR and 7-Zip. To ensure that encrypted electronic files can be opened, I have done the following works:

Have you personally reviewed the code of 7zip to ensure there are no flaws in its encryption algorithms?
Did you take steps to mitigate against known vulnerabilities such as this one: https://nitter.cz/3lbios/status/1087848040583626753?
Did you make sure to build the app yourself from the source code you reviewed to ensure you haven't downloaded a fake or malicious one?
How to you plan to do any of that for WinRAR given that it isn't even open source?
Did you only encrypt your data on a permanently airgapped device with a clean OS?
Did you make sure to delete all the temporary files it creates in the archiving process, and then write over those sections of your computer's memory with junk data?
Did you make sure to delete the unencrypted text file you would have first stored on your computer before encrypting it, and then write over that section of your computer's memory with junk data?

So passwords will only relying on memory and password explanation. I test this method for a long time, and it is very reliable.

It isn't reliable. Here are 100 million reasons not to rely on your memory: https://bitcointalk.org/index.php?topic=5402270.msg60342177#msg60342177

I have purchased a few high-level encrypted USB drives, including two fingerprint USB drives.

Biometrics, especially fingerprints, can be very easily bypassed, even on high end 3D ultrasonic fingerprint scanners such as those on the latest flagship phones - https://bitcointalk.org/index.php?topic=5281976.msg55391797#msg55391797. It will be trivially easy to fool a basic USB fingerprint scanner.

The seller claims that these encrypted USB drives cannot be cracked.

Do they also have a bridge to sell you? People will say anything to sell their product. How do you plan to verify this claim?

Check whether the encrypted files can be opened normally once a year. If not, transfer funds through a hardware wallet immediately.

Will you only be decrypting them them on a permanently airgapped device? Will you be writing over the sections of the computer's memory which held those unencrypted files after you are done?

There is a reason that everyone here and every good wallet tells you to write down your seed phrase and store it offline. If you want to ignore all that advice and do your own thing then obviously we can't stop you, but you greatly increase the risk of loss.