Bitcoin Forum
Author Topic: Idea for extremely paranoid people who want to create a bitcoin wallet  (Read 388 times)
o_e_l_e_o
October 23, 2023, 07:06:03 AM
Merited by ABCbits (1)
 #21

I mean, if the words are not included in the BIP39 wordlist, it makes it more secure. Or isn't.
It is neither less secure nor more secure.

The thing to remember is that the words are simply an encoding of (in this case) 132 bits of entropy. The entropy is generated first. It is then encoded into words primarily to make it human readable and easier to back up. You can encode the entropy any way you like - binary, hex, Base58, BIP39 wordlist, any other wordlist, and so on. The entropy doesn't change, only the way it is represented.

it will use the same encryption method to create the seed phrase but it will be more safer than before, or I am missing something here.
It is not encryption, it is simply representing the same data in a different format. But again, the security doesn't change.

And a question of seed phrase and pass phrase, the phrase you created by giving the wordlist of thesaurus, is it seed phrase or pass phrase? I mean in pass phrase we use our own preferred words. Or I am also missing something here.  Grin
In this scenario we are talking about using a custom wordlist to generate a seed phrase. But in general you are right - seed phrases are almost always generated using the fixed BIP39 wordlist, while passphrases are generated using any words, symbols, or strings we want.
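
The point made in post #21, as an added example that is not part of the original post and is not Electrum's or BIP39's actual algorithm (a plain base-N encoding with no checksum or version check): the same 132-bit value is written as hex, as words from a 2048-word list and as words from a 466,000-word list, and decodes back to the identical integer each time. The placeholder wordlists and all function names are constructed for illustration.

```python
import secrets

ENTROPY_BITS = 132  # figure quoted in the thread

def make_wordlist(size):
    """Constructed placeholder words; a real list would hold dictionary words."""
    return [f"w{i:06d}" for i in range(size)]

def words_needed(bits, list_size):
    """Smallest word count whose combinations cover every bits-bit value."""
    count, capacity = 0, 1
    while capacity < (1 << bits):
        capacity *= list_size
        count += 1
    return count

def encode(entropy, wordlist, bits=ENTROPY_BITS):
    """Write the integer in base len(wordlist), one word per digit."""
    words = []
    for _ in range(words_needed(bits, len(wordlist))):
        entropy, digit = divmod(entropy, len(wordlist))
        words.append(wordlist[digit])
    if entropy:
        raise ValueError("entropy does not fit in the stated bit length")
    return words

def decode(words, wordlist):
    """Recover the integer from its words (least significant word first)."""
    index = {word: i for i, word in enumerate(wordlist)}
    value = 0
    for word in reversed(words):
        value = value * len(wordlist) + index[word]
    return value

def representations(entropy):
    """Same entropy as hex, as 2048-list words and as 466,000-list words."""
    small, large = make_wordlist(2048), make_wordlist(466_000)
    return {
        "hex": format(entropy, "033x"),
        "words_2048": encode(entropy, small),
        "words_466k": encode(entropy, large),
        "roundtrip_2048": decode(encode(entropy, small), small),
        "roundtrip_466k": decode(encode(entropy, large), large),
    }

if __name__ == "__main__":
    secret = secrets.randbits(ENTROPY_BITS)
    out = representations(secret)
    print(out["hex"])
    print(len(out["words_2048"]), "words:", " ".join(out["words_2048"]))
    print(len(out["words_466k"]), "words:", " ".join(out["words_466k"]))
```

The larger list shortens the phrase from 12 words to 8, but the integer being protected, and therefore the work needed to guess it, is unchanged.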
ABCbits
October 23, 2023, 08:42:17 AM
Merited by o_e_l_e_o (4)
 #22

Personally i find it's surprising Electrum seems to use all 466K words rather than only first 2048 and even adjust total words accordingly. And lastly i wonder whether different version of Electrum have same behavior when you supply custom words.
Certainly it's been possible at least since Electrum moved away from using their own wordlist and moved to mirroring the BIP39 wordlist.

--snip--

That's interesting info. Personally I still find it weird that Electrum is able to use more than 2048 words, since in the past the word list used by Electrum had fewer than 2048 words[1]. I guess the Electrum developer doesn't bother to add extra checking or assumes people wouldn't use custom words.

I do understand the underlying encoding procedure is same but the words are changed, and what if we remove all the words from BIP39 list and use the remaining ones to create a seed phrase for electrum, it will use the same encryption method to create the seed phrase but it will be more safer than before, or I am missing something here.

There's no encryption involved. And FYI, recovery words/seed/phrase generated by Electrum is based on Electrum Seed Version System[3], not BIP39[2].

[1] https://github.com/spesmilo/electrum/blob/5883aaf8ca2f79bf694d11ac6b63f5defd2a2c38/client/mnemonic.py#L23-L1650
[2] https://electrum.readthedocs.io/en/latest/seedphrase.html
[3] https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki

o_e_l_e_o
October 23, 2023, 09:08:37 AM
 #23

I guess the Electrum developer doesn't bother to add extra checking or assumes people wouldn't use custom words.
I don't think it is simply that they don't bother to check. Rather it is a deliberate decision.

Under "Motivation" on the link you shared to the Electrum seed versioning system, it explains why the Electrum devs did not want to use a system which depended on a fixed wordlist and could instead be used with any wordlist, and more importantly could recover seed phrases without knowing the wordlist used. It uses the same wordlist as BIP39 as default I assume simply because it is well known and does have a number of advantageous features (such as each word having the first 4 characters be unique, excluding similar words, etc.), but they are quite clear they do not want to depend on any fixed wordlist, and therefore allow users to use their own custom wordlist of any length.
apogio
October 23, 2023, 08:11:51 PM
Last edit: October 25, 2023, 07:59:03 AM by apogio
 #24

In fact BIP39 is designed to be a universal standard for wallet creation. It is not mandatory to use it, but it is convenient.

As you said OP, people worry about the wrong things.
They worry about being brute-forced, but they don't worry about losing their backup and they keep only one backup.
They worry about a wallet being compromised, but they don't worry about using airgapped devices.

However, doing this completely misses the point. The above seed phrase has exactly the same entropy as a seed phrase using the default wordlist - 132 bits. Increasing the size of the wordlist does not change the underlying entropy used to generate the seed phrase.

Additionally, following BIP-39 is better than following a non-standard approach. Most of the time, people who try to implement something unique and non-standard end up losing money.


LoyceV
October 25, 2023, 08:01:02 AM
 #25

Additionally, following BIP-39 is better than following a non-standard approach. Most of the time, people who try to implement something unique and non-standard end up losing money.
That's why you should always test your backups before funding any wallet.

Lakai01
October 25, 2023, 10:21:18 AM
 #26

As you said OP, people worry about the wrong things.
They worry about being brute-forced, but they don't worry about losing their backup and they keep only one backup.
[...]
The losses of coins that I get told about in my circle of friends and acquaintances usually have to do with scams, e.g. the YouTube channels with the title "Vitalik is giving away free ETH NOW!!!!" that were quite common until some time ago.
Closely followed by losses due to scams, however, is not so much the fact that there are no backups, but the fact that the backups are simply wrong, e.g. incorrectly written down mnemonic codes or private keys that are intentionally changed and "guaranteed to remember the change".

The latter can hardly be prevented - unless you tell someone about the change - but for the former, i.e. simply wrong backups, there is a quite simple solution:

After the setup (e.g. of a hardware wallet) you write down an address and reset the hardware wallet completely ... and then reinitialize it with the backup you wrote down. If the restore works, you can then send the coins to the respective wallet.




The fact that the backups are then often simply stored in a file folder for all to see is, of course, another issue here.

o_e_l_e_o
October 25, 2023, 11:28:37 AM
Merited by apogio (1)
 #27

The latter can hardly be prevented
The easiest way to prevent such losses is just not to use such a technique in the first place.

Whenever someone comes up with their own system, one of two things happens. They either end up with something which adds absolutely no extra security at all, or they end up locking themselves out of their wallets. A prime example is when people swap words around. They either swap two or three words which is absolutely trivial to brute force and is not secure at all, or they scramble their entire phrase, forget the order, and can't figure out their backup.

There are standardized processes for a reason. Just use them.
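
The numbers behind post #27, as an added example that is not part of the original post: it counts how many word orders a finder of the written-down words would have to consider for each reordering scheme and expresses that as bits of added work next to the 132 bits quoted earlier in the thread. It assumes 12 distinct words and that only the order was changed; function names are constructed for illustration.

```python
import math
from itertools import combinations

SEED_BITS = 132  # entropy figure quoted earlier in the thread

def orderings_within(n_words, max_swaps):
    """Count distinct word orders reachable from the written-down order
    with at most max_swaps pairwise swaps (includes the unchanged order)."""
    start = tuple(range(n_words))
    seen = {start}
    frontier = [start]
    pairs = list(combinations(range(n_words), 2))
    for _ in range(max_swaps):
        next_frontier = []
        for order in frontier:
            for i, j in pairs:
                swapped = list(order)
                swapped[i], swapped[j] = swapped[j], swapped[i]
                candidate = tuple(swapped)
                if candidate not in seen:
                    seen.add(candidate)
                    next_frontier.append(candidate)
        frontier = next_frontier
    return len(seen)

def report(n_words=12):
    """Rows of (scheme, candidate orders, bits of work added)."""
    rows = []
    for swaps in (1, 2, 3):
        count = orderings_within(n_words, swaps)
        rows.append((f"up to {swaps} swap(s)", count, math.log2(count)))
    full = math.factorial(n_words)
    rows.append(("full scramble", full, math.log2(full)))
    return rows

if __name__ == "__main__":
    for scheme, count, bits in report():
        print(f"{scheme:16} {count:>12,} orders  +{bits:4.1f} bits "
              f"(seed itself: {SEED_BITS} bits)")
```

One swap adds about 6 bits and three swaps about 15, while a complete scramble of 12 words still adds under 29 bits and is the case where the owner is most likely to lose the order.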
apogio
October 25, 2023, 11:35:47 AM
 #28

There are standardized processes for a reason. Just use them.

Simple as that.

Additionally, those methods are ultra safe (if used properly). Custom methods are created to be safer, but they significantly decrease safety! 

Lakai01
October 26, 2023, 04:33:08 PM
 #29

The latter can hardly be prevented
The easiest way to prevent such losses is just not to use such a technique in the first place.
[...]
I was in a similar situation back when I created my first wallet (~ 2013), so can definitely understand someone thinking they are adding an extra layer of security when you swap a word. My rationale at the time was as follows:
The then 12 words were kept in such a way that someone could have found them if necessary. I thought at that time if this already happens the person should at least have a hard time accessing my coins.

In addition, cryptography and probabilities are simply difficult to grasp for many people. The fact that a simple exchange of words does not result in a purely statistical increase in security is probably difficult to understand for people with little technical knowledge.



But you're right, of course: The risk of forgetting one's own algorithm and ending up without coins is much greater than that the original threat scenario (in my case, finding the words) occurs at all.
