Given the first 15 words out of 24, can a hacker crack the wallet?

[lyw123]

The file is encrypted with WinRAR and 7-Zip. To ensure that encrypted electronic files can be opened, I have done the following works:

Have you personally reviewed the code of 7zip to ensure there are no flaws in its encryption algorithms?
Did you take steps to mitigate against known vulnerabilities such as this one: https://nitter.cz/3lbios/status/1087848040583626753?
Did you make sure to build the app yourself from the source code you reviewed to ensure you haven't downloaded a fake or malicious one?
How to you plan to do any of that for WinRAR given that it isn't even open source?
Did you only encrypt your data on a permanently airgapped device with a clean OS?
Did you make sure to delete all the temporary files it creates in the archiving process, and then write over those sections of your computer's memory with junk data?
Did you make sure to delete the unencrypted text file you would have first stored on your computer before encrypting it, and then write over that section of your computer's memory with junk data?

I know nearly nothing about 7-zip and winrar. Even if the electronic file is leaked, hackers only know part of the wallet data.
The encryption of all files is done on offline computers. The file is temporarily stored on a USB flash drive, and the data on the USB flash drive will be cleared using the software DiskGenius. The encrypted data is then transmitted to the network through this USB flash drive.

I have purchased a few high-level encrypted USB drives, including two fingerprint USB drives.

Biometrics, especially fingerprints, can be very easily bypassed, even on high end 3D ultrasonic fingerprint scanners such as those on the latest flagship phones - https://bitcointalk.org/index.php?topic=5281976.msg55391797#msg55391797. It will be trivially easy to fool a basic USB fingerprint scanner.

Even if the thief takes the U disk and breaks it, he still needs to crack the password of Winrar or 7-Zip, and get the handwritten portion.

There is a reason that everyone here and every good wallet tells you to write down your seed phrase and store it offline. If you want to ignore all that advice and do your own thing then obviously we can't stop you, but you greatly increase the risk of loss.

Thank your suggestion. I will store a portion of the unencrypted wallet data on USB drives, but the remaining handwritten portion is not stored at my home.

[Greg Tonoski]

Thank your suggestion. I will store a portion of the unencrypted wallet data on USB drives, but the remaining handwritten portion is not stored at my home.

I would recommend encrypting "seed phrase" into two complementary encryption keys using standard XOR operation. You would preserve the security strentgh and be able to recover without remembering unique, non-standard scheme. BIP39-XOR, SeedXOR, SeedTool tools (available in GitHub) demonstrate the concept.

[ABCbits]

The file is encrypted with WinRAR and 7-Zip.

Both WinRAR and 7-Zip use AES-256 which usually considered secure (although as @o_e_l_e_o said, it comes down how they implement it). Anyway, if you plan to store the encrtypted data for really long time, you need to consider possibility AES-256 deemed obsolete or no longer secure enough in distant future.

(2) I have purchased a few high-level encrypted USB drives, including two fingerprint USB drives. The seller claims that these encrypted USB drives cannot be cracked. Therefore, relatively weak passwords (~20 characters) can be used for the electronic files stored on these drives. Also, every encrypted file must have a password explanation.

I doubt security of such USB drive, especially since usually biometric usually only used as authentication (not encryption). And there's also possibility serious theft would just open the USB drive and take NAND/flash drive.

[lyw123]

(2) I have purchased a few high-level encrypted USB drives, including two fingerprint USB drives. The seller claims that these encrypted USB drives cannot be cracked. Therefore, relatively weak passwords (~20 characters) can be used for the electronic files stored on these drives. Also, every encrypted file must have a password explanation.

I doubt security of such USB drive, especially since usually biometric usually only used as authentication (not encryption). And there's also possibility serious theft would just open the USB drive and take NAND/flash drive.

[/quote]
Storing partial unencrypted wallet data on a fingerprint-encrypted USB drive or writing it directly on paper doesn't make much difference. These fingerprint-encrypted USB drives are specifically designed for protecting corporate trade secrets, and I don't think they can be easily cracked.

[pooya87]

Storing partial unencrypted wallet data on a fingerprint-encrypted USB drive or writing it directly on paper doesn't make much difference. These fingerprint-encrypted USB drives are specifically designed for protecting corporate trade secrets, and I don't think they can be easily cracked.

Digital storage has other shortcomings that just being hacked/cracked. For example hardware problems that is where the USB disk is harmed either physically or due to electrical issues or other things and the data on it becomes inaccessible. Or we have the data decay/degradation by passage of time.

[Cricktor]

Considering OP's lack of knowledge in crypto safety, he will likely handle his mnemonic recovery words stuff on a potentially unsafe device or (even worse) on his daily computer. o_e_l_e_o already pointed this out that any handling of mnemonic recovery words on a computer should be done on a safe and permanently offline (or agnostic disposable) device.

I find overly complex encryption schemes, self invented worst of it, a quite sure road to loss and desaster later, unless you perfectly document everything. How do you protect your documentation then? Never rely on your memory alone, it will fail you in some future (I speak from own experience).

As others have pointed out: go for proven schemes (mnemonic words and separate mnemonic passphrase; stored safely in redundant safe and secret locations // multi-sig stored safely in redundant locations // use hardware wallet(s)). Mnemonic recovery words and (if used) a mnemonic passphrase should only be backed up on physical non-digital media (paper and for protection against paper harming conditions or events: stamped in stainless steel or titanium).

If OP needs some inspiration: you may have a look into free PDF book at https://www.smartcustody.com. But understanding crypto and Bitcoin in particular is also important to judge what is appropriate or what is silly. Work through everything on https://learnmeabitcoin.com, you won't regret it.

[Synchronice]

I am currently using a highly complex method to store a set of 24 mnemonic words. Decoding the mnemonic requires 20 minutes.

I am considering why not use a simpler approach?
For example, writing down 15 words on papers, and storing the remaining 9 words on an encrypted USB drives and online emails. Certainly, both the paper documents and electronic file should be kept with multiple copies.

Question: Given the first 15 words out of 24, can a hacker crack the wallet?

I ask chatGPT, and it say that is secure. However, considering that AI models often give unreliable information, it would be better to seek advice from friends on this website. Thanks!

Adding passphrase is better, and some message is obtained here https://blog.trezor.io/is-your-passphrase-strong-enough-d687f44c63af
The official Trezor website has calculated the security length of a passphrase. It states that a passphrase containing characters from 0-9, a-z, A-Z is considered secure with a length of 10 characters. With 62^10 possible combinations, this is equivalent to approximately 5.41 words, or 2048^5.41.

Keep in mind that increased security comes with increased responsibilities. There have been complains about losing seed phrase but there hasn't been a case when wallet was cracked by someone via bruteforcing (unless seed owner made a huge mistake). For sure, you have to save it securely but don't save it in a way that you'll lose access on it.
Also, if you are so afraid of your wallet getting cracked, then keep in mind that even if it's possible to crack your wallet in a year, you still have a timeframe that allows you to create a new wallet and transfer coins from old wallet to new one. Even if you know that you lost some part of your seeds and attacker will crack it in a day, you still have time to create a new one and transfer from old to new wallet.

Also, keep in mind that if you use 24 words seed phrase, even if you reveal words in unordered way, hacker still won't be able to crack your wallet, but will be able to crack if you use 12 words seed phrase and reveal all of them.

Storing partial unencrypted wallet data on a fingerprint-encrypted USB drive or writing it directly on paper doesn't make much difference. These fingerprint-encrypted USB drives are specifically designed for protecting corporate trade secrets, and I don't think they can be easily cracked.

Digital storage has other shortcomings that just being hacked/cracked. For example hardware problems that is where the USB disk is harmed either physically or due to electrical issues or other things and the data on it becomes inaccessible. Or we have the data decay/degradation by passage of time.

He can probably buy some waterproof, fireproof, extreme conditions proof safe and store his USB there. Btw instead of storing something on USB disk, if I were him, I would buy Coldcard or Passport wallet.

[NotATether]

Question: Given the first 15 words out of 24, can a hacker crack the wallet?

No.

I am considering why not use a simpler approach?
For example, writing down 15 words on papers, and storing the remaining 9 words on an encrypted USB drives and online emails. Certainly, both the paper documents and electronic file should be kept with multiple copies.

You're taking a big risk in not only storing the words on a single USB drive, but also storing it on the internet. At least use two USB drives in case you lose one.

And email is the last place you'd want to store any sensitive information in because the protocol is so ancient, that everyone can get their dirty hands on it without even opening your account.

[lyw123]

Storing partial unencrypted wallet data on a fingerprint-encrypted USB drive or writing it directly on paper doesn't make much difference. These fingerprint-encrypted USB drives are specifically designed for protecting corporate trade secrets, and I don't think they can be easily cracked.

Digital storage has other shortcomings that just being hacked/cracked. For example hardware problems that is where the USB disk is harmed either physically or due to electrical issues or other things and the data on it becomes inaccessible. Or we have the data decay/degradation by passage of time.

The most terrible thing is that all U disks are broken at the same time. I currently have 3 encrypted USB drives and plan to buy one more. In addition, I have added another preventive measure.

Also, keep in mind that if you use 24 words seed phrase, even if you reveal words in unordered way, hacker still won't be able to crack your wallet, but will be able to crack if you use 12 words seed phrase and reveal all of them.

I own 4 trezor one. There are two ways to recover the seed phrase of Trezor One on Trezor Suite, one is standard and the other is advanced.
When restoring with the standard mode, the words are entered directly in a unordered way, via the computer. If someone saw all the unordered words, he should try 24*23*22*...3*2*1 times to crack the wallet.
If 12 out of 24 words have been exposed, he should try 12*11*10*...3*2*1 times, then this recovery method is obviously not secure. If I enter in advanced mode, will there be no problem?
Of course, a safer way is to write down the 24-word password and encrypt only the passphrase.

As others have pointed out: go for proven schemes (mnemonic words and separate mnemonic passphrase; stored safely in redundant safe and secret locations // multi-sig stored safely in redundant locations // use hardware wallet(s)). Mnemonic recovery words and (if used) a mnemonic passphrase should only be backed up on physical non-digital media (paper and for protection against paper harming conditions or events: stamped in stainless steel or titanium).

        I divided the seed phrase and passphrase into two parts, one handwritten and the other stored on USB drives. If the files in the fingerprint U disks are not encrypted, then I do not need to remember any passwords to recover the wallet data. If I have three fingerprint-encrypted USB drives, and check whether they work properly every year. Then the probability will be very very low that they all are unusable at the same time. Your method: seed phrase and separate passphrase were backed up on physical non-digital media. There are no much difference between yours and mine?

        Handwriting all the seed phrase and passphrase on papers is also risky. First of all, I have to divide them into two parts, and each part must have multiple backups. If all two parts are hidden in my home, once they are found by thieves, I am died. What should I do? Doesn't it hurt my head? The encrypted fingerprint U disks are specially made for corporate secrets, with AES256 hardware encryption. How can thieves or ordinary hackers crack it? Top hackers may be able to, but they don't care about my altcoins. The main problems for encrypted USB drives are: 1) they may all fail simultaneously. 2) All were stolen by thieves. 3) In the distant future, AES256 encryption will no longer be unbreakable.

        As for storing the wallet file encrypted  (only winrar)  with a strong password on the email, there are two purposes: 1) Once all USB drives and hardware wallets fail, or they all were stolen by thieves. 2) If my house catches fire, all files, USB flash drives, and hardware wallets may be burned. This is the final recovery plan.
        
        If the thief knows that you have a lot of Bitcoin, he may steal all related things in your home, including hardware wallets, handwritten papers, anything. Can your solution deal with such extreme situations?

[moderator's note: consecutive posts merged]

[Synchronice]

Also, keep in mind that if you use 24 words seed phrase, even if you reveal words in unordered way, hacker still won't be able to crack your wallet, but will be able to crack if you use 12 words seed phrase and reveal all of them.

I own 4 trezor one. There are two ways to recover the seed phrase of Trezor One on Trezor Suite, one is standard and the other is advanced.
When restoring with the standard mode, the words are entered directly in a unordered way. If 12 out of 24 words have been exposed, then this recovery method is obviously not secure. If I enter in advanced mode, will there be no problem? Of course, a safer way is to write down the 24-word password and encrypt only the passphrase.

I don't own trezor but I'll explain what I mean.
Let's say that your wallet's seed phrases are: good, absent, ability, hair, icon, jealous, hammer, ignore, jaguar, machine, napkin, observe. Let's say that you have to enter these words in an ordered way, i.e. at first you have to enter good, then ability, then hair, then icon and so on. If you leak these words in an unordered way, in case of 12 words seed phrase, hacker will be able to crack your wallet in half an hour with good rtx GPU but if you have 24 words seed phrase, if you leak even 24 words in an unordered way, hacker won't be able to crack it because it will take him probably million years to crack it. That's all I wanted to say.

[o_e_l_e_o]

If all two parts are hidden in my home, once they are found by thieves, I am died. What should I do?

Hide them better and also have off site back ups.

You can hide a piece of paper in hundreds of places in your home a thief would never find it. Under a floorboard. Inside a door. Inside some piece of furniture or equipment. Inside some fitting or socket.

And having your only back ups in the same place as your wallets themselves (i.e. at home) is incredibly risky as a single event can still wipe you out. Everyone should have at least one off site back up.

How can thieves or ordinary hackers crack it?

I already showed you a link where someone cracked a fingerprint reader on a $1000 smartphone in 3 minutes. The fingerprint reader on a $20 USB drive will be trivial by comparison.

Can your solution deal with such extreme situations?

Yes. Unless the thief has a month to systematically disassemble and dismantle my entire house, they won't find the back ups I have hidden at home. And even if they did, they wouldn't be able to access my wallets since the other necessary information is backed up off site.

[lyw123]

How can thieves or ordinary hackers crack it?

I already showed you a link where someone cracked a fingerprint reader on a $1000 smartphone in 3 minutes. The fingerprint reader on a $20 USB drive will be trivial by comparison.

Thank you very much, o_ e_ l_ e_ o！
I saw that video, and knew that the fingerprint U disks were not unbreakable.
So the handwritten documents (corresponding to the unencrypted files of USB drives), will not be stored at my home (off site backups).