virasog (OP)
Legendary
Offline
Activity: 2982
Merit: 1159
|
|
April 03, 2024, 06:55:08 AM |
|
One of my friends is very sensitive about losing seed phrases. He does not have a hardware wallet and is storing his Bitcoin on an Electrum wallet on cold storage (that never connects to the internet). However, the thing is that he does not want to keep the seed phrases on a piece of paper (physically) as he thinks that it can be stolen or even lost and he may lose all of his bitcoins. So what he is doing now is that he has created a new wallet with seed extension. He has created four or five different wallets (to divide his funds in different wallets), each of them with the same seed extension, the words which he memorizes and can never forget. Now he keeps the original Electrum seeds on a piece of paper as well as storing them online on his Gmail. He is of the point of view that now he is 100% secure as he cannot lose the seed phrase as it is stored both physically and electronically. Secondly, if someone hacks his seed phrases either physically or online, that is of no use because he has seed extensions to the seed phrases which only he knows about. Given these conditions, is he doing it the right and secure way?
|
|
|
|
Charles-Tim
Legendary
Offline
Activity: 1540
Merit: 4851
|
|
April 03, 2024, 07:01:03 AM |
|
He minimizes the seed phrase. People should not believe in memorizing. It can fail. But you also posted that he has the seed phrase on his Gmail. If a strong passphrase is not used and a hacker sees the seed phrase, there is a possibility to brute force the passphrase. Online backups like Gmail and others are not safe. I would prefer to just have everything offline, like two or three backups in different locations.
|
|
|
|
promise444c5
Full Member
Online
Activity: 280
Merit: 139
Keep Promises !
|
|
April 03, 2024, 07:17:29 AM |
|
You mentioned that he's using cold storage. I don't know how he's managing it if it's just a standard wallet instead of using it on an airgapped device. Well, the phone might be used as an airgapped device, but may I ask how he makes his transactions, or has he not made any transaction (not just buying); has he spent any input? Then, if he is using cold storage, storing his phrases on Gmail, which is a form of hot storage, disputes the entire usefulness of the cold storage. Apart from phishing attacks, his phone could get lost and his Gmail data could get exposed if it falls into the wrong hands. I would suggest he also have a USB drive that will only be used for the storage and used whenever he needs the seed.
|
|
|
|
SilverCryptoBullet
Member
Offline
Activity: 82
Merit: 38
|
|
April 03, 2024, 07:43:23 AM |
|
However, the thing is that he does not want to keep the seed phrases on a piece of paper (physically) as he thinks that it can be stolen or theft or even lost and he may lose all of his bitcoins.
If he can lose a piece of paper (physically), he can lose his hardware wallet if he has it.
So what is doing now that he has created a new wallet with seed extension. He has created four or five different wallets (to divide his funds in different wallets), each of them with the same seed extension, the words which he memorizes and can never forget.
Using the same word or words for the seed extension is good, but memorizing it is not good.
Now he keeps the original electrum seeds on a piece of paper as well as he is storing it online on his Gmail.
Storing it on a piece of paper is good. Storing it on his Gmail is not good. His Gmail can be hacked or Google can see the seed phrase.
He is of the point of view that now he is 100% secure as he cannot lose the seed phrase as it is stored both physically and electronically.
He can lose both, physically with the piece of paper and electronically with his Gmail.
Secondly, if someone hacks his seed phrases both physically or online, that is of no use because he has seed extensions to the seed phrases which only he knows about.
He can lose the words for the seed extension when his brain has a problem and his memory is gone.
Given these conditions, is he doing it the right and secure way?
Not secure. Gmail. Memorize. Two big risks.
How to back up a seed phrase
|
|
|
|
m2017
Legendary
Offline
Activity: 1806
Merit: 1305
keep walking, Johnnie
|
|
April 03, 2024, 08:17:05 AM |
|
Now he keeps the original electrum seeds on a piece of paper as well as he is storing it online on his Gmail.
It turns out that he eventually moved away from his concept of memorizing seed phrases and still decided to write it down?
He is of the point of view that now he is 100% secure as he cannot lose the seed phrase as it is stored both physically and electronically.
Combining these 2 storage methods (online and offline) on the one hand provides advantages (online - access from anywhere in the world, offline - there is nothing more reliable than this method if natural disasters don't occur nearby), but on the other hand, they increase the risk of data leakage (especially online). I don't think that storing (by any means) seed phrases can be 100% safe.
Secondly, if someone hacks his seed phrases both physically or online, that is of no use because he has seed extensions to the seed phrases which only he knows about.
I would divide the seed phrase into several parts and store it online in different services (which also increases the risk of loss), and also, I would not post part (for example, 4 words) of the seed phrase anywhere online.
Given these conditions, is he doing it the right and secure way?
If it helps him keep the seed phrase safe, then it's probably the right way.
|
|
|
|
Zaguru12
|
|
April 03, 2024, 09:06:46 AM |
|
So what is doing now that he has created a new wallet with seed extension. He has created four or five different wallets (to divide his funds in different wallets), each of them with the same seed extension, the words which he memorizes and can never forget.
It’s tricky when he says he can’t forget the memorized word. It could be a common word he uses, and that’s risky, because the same way he is scared about losing the physical storage, maybe due to people surrounding him, the common words carry the same risk. He can actually do something like a decoy and leave some dust amounts on the seed phrase without passphrase, such that when someone restores the wallet they think it’s the right wallet and not a passphrase behind it.
You mentioned that he's using a cold storage, I don't know how he's managing it if it's just a standard wallet instead of using it on an airgapped device , well the phone might be used as an airgapped device but may I ask how he make his transaction or he hasn't made any transaction (not just buying), has he spent any input.
If you’re thinking of how he spends, then it is simple: he can just make use of a QR code from the airgapped device and also could save the transaction and move it out to the other device. Using a phone as airgapped can be tricky because the device might have touched the internet before and could already have hidden malware on it before being used as airgapped. And what do you mean by standard wallet? It can also be used as a cold wallet too.
|
|
|
|
promise444c5
Full Member
Online
Activity: 280
Merit: 139
Keep Promises !
|
|
April 03, 2024, 09:52:28 AM |
|
If you’re thinking of how he spend then it is simple he can just make use of QR code from the airgapped device and also could save the transaction and move it out to the other device. Using a phone as airgapped can be tricky because the device might have touched the internet before and could already have an hidden malware on it before been use as airgapped. And what do you mean by standard wallet? It can also be used as a cold wallet too.
To be sure, you need to ask him if he's using a view-only wallet; that's how we can know if he's truly using it as cold storage, because he didn't make mention of using any other device apart from the one he is using as cold storage.
|
|
|
|
satscraper
|
|
April 03, 2024, 10:00:33 AM Last edit: April 04, 2024, 03:01:49 PM by satscraper |
|
Given these conditions, is he doing it the right and secure way?
I would not store SEED online using Gmail. I would store its pgp encrypted version directly in blockchain. To do this I would create OP_RETURN zero value output transaction containing the relevant message in HEX format.
|
|
|
|
Yamane_Keto
|
|
April 03, 2024, 10:58:01 AM Last edit: April 03, 2024, 12:32:14 PM by Yamane_Keto |
|
By storing the seed in Google, we cannot assume that this wallet is cold storage.
Your friend reduced the entropy from 128 bit key strength, which is considered safe, to about 10 non-random characters, which a person can remember.
Let us take the entropy of such a passphrase we've got
26 small chars + 25 big chars + 10 digits + 3 special chars = 64 possibilities.
(64^10)/2 = 5.76460752 * 10^17 (entropy would be greatly reduced if social attack was used and the word was easy to guess.)
While electrum entropy (2^128)/2 = 1.70141183 * 10^38
In short, Seed Extension word that can be remembered will not be secure enough if the hacker gains access to the wallet seed.
// I modified the wording to avoid misunderstanding the phrase.
|
|
|
|
Z-tight
|
|
April 03, 2024, 11:23:36 AM |
|
Secondly, if someone hacks his seed phrases both physically or online, that is of no use because he has seed extensions to the seed phrases which only he knows about.
Since you said your friend memorized the passphrase and 'can never forget it', then I am certain it is a weak passphrase, and so if an attacker gets hold of the seed phrase, they would be able to brute force the passphrase and steal the funds. Your friend is doing so many things wrong and only creating a false sense of security; all they need is an offline wallet and to either add a strong passphrase or set up a multisig wallet as extra layers of security. They must also back up their seed phrase and passphrase on paper, but in different locations.
In short, Don’t Use any Seed Extension words to replace your electrum wallet seed words.
A passphrase does not replace the seed phrase, it is only an extra layer of security and it is very recommended, because an attacker would need seed phrase + passphrase to be able to steal the funds. However, only people who know exactly what they are doing should set it up.
|
|
|
|
|
satscraper
|
|
April 03, 2024, 11:23:43 AM |
|
In short, Don’t Use any Seed Extension words to replace your electrum wallet seed words.
I think you got him wrong. Seed Extension doesn't replace Electrum's SEED, it just extends the given SEED to add security in the case when that SEED is caught by someone else’s hands. Read on Seed Extension. Adding SEED extension to SEED phrase is a good practice.
|
|
|
|
Hatchy
Sr. Member
Offline
Activity: 406
Merit: 473
The Alliance Of Bitcointalk Translators - ENG>PID
|
|
April 03, 2024, 11:47:02 AM |
|
I would suggest him also having a usb drive that will only be used for the storage and used whenever he needs the seed .
Did you even get to understand what OP had said? His friend doesn't have a hardware wallet and, from what OP said, he stores his Bitcoin using an airgapped device. Using phones as an airgapped device is not actually recommendable, as not all phones can function without the Internet. Some mobile devices on start need the Internet to set up and as such, you can't call it an airgapped device anymore. Though OP's friend might have a good idea, it would still be better to store his seed phrase offline and in safe locations. A passphrase adds an extra layer of security to your seed by creating a hidden wallet using your seed phrase, so if an attacker gets hold of your seed, they might not be able to access your real wallet where your funds are stored. Whatever method OP's friend chooses for his seed, he should make sure to minimize the risk of exposing it online, as it's no longer safe.
I would suggest him also having a usb drive that will only be used for the storage and used whenever he needs the seed .
Again, a USB drive still isn't recommended, as most of these drives can be corrupted and lead to damaging of stored data. After a drive is corrupted, you might be forced to format the drive to access it, but then your stored data will no longer be there. Store your funds offline in safe locations and avoid anything that would lead to loss of funds.
|
|
|
|
promise444c5
Full Member
Online
Activity: 280
Merit: 139
Keep Promises !
|
|
April 03, 2024, 12:01:11 PM |
|
Given these conditions, is he doing it the right and secure way?
I would not store SEED online using Gmail. I would store its pgp encrypted version directly in blockchain. To do this I would create OP_RETURN zero value output transaction containing the relevant message in HEX format.
Hmm, interesting, but how do we store the private key of the PGP encryption? I think we should also talk about that.
|
|
|
|
Yamane_Keto
|
|
April 03, 2024, 12:25:27 PM |
|
A passphrase does not replace the seed phrase, it is only an extra layer of security and it is very recommended, because an attacker would need seed phrase + passphrase to be able to steal the funds. However, only people who know exactly what they are doing should set it up.
I think you got him wrong Seed Extension doesn't replace Electrum's SEED, it just extends the given SEED to add the security at the case when that SEED is caught by someone else’s hands.
My answer was to this part, he assumed that if the wallet seed was hacked, the passphrase would make his wallet safe, so he was not careful about its security and kept it in a gmail account, and we all know how easy it is to hack these accounts. So I explained to him in terms of entropy how relying on passphrase is not safe.
Secondly, if someone hacks his seed phrases both physically or online, that is of no use because he has seed extensions to the seed phrases which only he knows about.
|
|
|
|
satscraper
|
|
April 03, 2024, 12:40:15 PM |
|
Given these conditions, is he doing it the right and secure way?
I would not store SEED online using Gmail. I would store its pgp encrypted version directly in blockchain. To do this I would create OP_RETURN zero value output transaction containing the relevant message in HEX format.
Hmm interesting but how do we store the private key of the pgp encryption I think we should also talk about that
https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP
https://developers.yubico.com/PGP/
|
|
|
|
LoyceV
Legendary
Online
Activity: 3304
Merit: 16618
Thick-Skinned Gang Leader and Golden Feather 2021
|
|
April 03, 2024, 01:02:02 PM |
|
storing his Bitcoin on an Electrum wallet on cold storage (that never connects to the internet). ~ Now he keeps the original electrum seeds on a piece of paper as well as he is storing it online on his Gmail.
That's not cold storage, that's flaming-hot storage!
Since you said your friend memorized the passphrase and 'can never forget it', then i am certain it is a weak passphrase,
Even better: he memorized 5 passphrases.
if someone hacks his seed phrases both physically or online, that is of no use because he has seed extensions to the seed phrases which only he knows about.
A seed phrase has 2 functions: provide a strong random number, and avoid mistakes writing it down. OP's friend basically replaced the first function by his own passphrases, and I doubt they have the same strength. But the second function is completely gone: one mistake and he loses access. Creating your own "system" for Bitcoin storage is, in general, a bad idea.
|
|
|
|
Zaguru12
|
|
April 03, 2024, 03:56:37 PM |
|
To be sure you need to ask him if he's using a view only wallet that's how we can know if he's truly using it as cold storage because he didn't made mention of using any other device apart from the one he's is using as cold storage
He must surely have a hot wallet which he can use to track bitcoin transactions and also to broadcast a transaction; if not, that’s nowhere near a cold wallet.
Since you said your friend memorized the passphrase and 'can never forget it', then i am certain it is a weak passphrase,
Even better: he memorized 5 passphrases.
According to OP he uses only one passphrase for the 5 wallets' seed phrases, which to me defeats the purpose of splitting wallets. Because it is even easier for an attacker to break through: once they get hold of the five seed phrases, which are already exposed online, the attacker needs to brute force just one of them to get a passphrase that will work for all the remaining.
|
|
|
|
khaled0111
Legendary
Offline
Activity: 2520
Merit: 2853
Top Crypto Casino
|
|
April 03, 2024, 10:48:59 PM |
|
Extending different wallet seeds with the same passphrase is the same as using the same password for different accounts. It's not safe. Also, Gmail is an email service meant to be used to send/receive emails, not to store your sensitive data. I'm talking from personal experience. I used Yahoo in the past to store my wallets' seeds but after a few months of inactivity those mails were deleted, so I lost access to my wallets.
|
|
|
|
dkbit98
Legendary
Offline
Activity: 2226
Merit: 7138
|
|
April 04, 2024, 06:03:25 PM |
|
Given these conditions, is he doing it the right and secure way?
His setup is not cold storage, and I have seen many people making the same mistakes that are a disaster waiting to happen. Storing seed words on g00gle drive can never be considered safe, this is the computer of someone else, and I am not exactly sure how and why he would use gmail at all. There are alternative ways he can use if he doesn't want to keep anything on paper (maybe encrypted Satochip Seedkeeper cards), and I would not trust the human brain to remember anything long term.
|
|
|
|
Pmalek
Legendary
Offline
Activity: 2758
Merit: 7135
|
|
April 07, 2024, 12:48:59 PM |
|
You mentioned that he's using a cold storage, I don't know how he's managing it if it's just a standard wallet instead of using it on an airgapped device...
He is using it on an airgapped device (hopefully). Electrum can be used either as a hot or a cold wallet.
To be sure you need to ask him if he's using a view only wallet that's how we can know if he's truly using it as cold storage because he didn't made mention of using any other device apart from the one he's is using as cold storage
A watch-only wallet has no private keys and can't sign transactions. The cold wallet needs private keys, otherwise there is no use for it. The online wallet is the one without private keys, created by importing (master) public keys that belong to the cold wallet.
Even better: he memorized 5 passphrases.
No, it's the same passphrase across all of his wallets. Not that it matters. Memorizing seeds and passphrases is a bad idea. A knock to the head, the normal aging process, and a bunch of other things can make you forget what's important.
So what is doing now that he has created a new wallet with seed extension. He has created four or five different wallets (to divide his funds in different wallets), each of them with the same seed extension, the words which he memorizes and can never forget.
|
|
|
|
|
promise444c5
Full Member
Online
Activity: 280
Merit: 139
Keep Promises !
|
|
April 07, 2024, 07:02:24 PM |
|
A watch-only wallet has no private keys and can't sign transactions. The cold wallet needs private keys, otherwise there is no use for it. The online wallet is the one without private keys, created by importing (master) public keys that belong to the cold wallet.
Yes! I made mention of the watch-only wallet because if he truly uses a cold wallet then he must have the watch-only wallet to view his balance and make transactions, which require signing from the cold wallet since it's our main storage with the private keys, just as you've said above in your comment. Sometimes people think they are using a cold wallet because they only connect to the Internet when they want to make a transaction... and that really sucks. Let's just admit he's using it on an airgapped device...
|
|
|
|
Pmalek
Legendary
Offline
Activity: 2758
Merit: 7135
|
|
April 08, 2024, 03:47:42 PM |
|
Sometimes people think they are using a cold wallet because they only connect to Internet when they want to make a transaction... and that really sucks
I have heard that many times. A computer that you disconnect from the Internet doesn't become a cold wallet just like that. It's like saying I am a virgin because I only have sex on Saturday. It doesn't work like that. There are also people who refer to mobile phones as cold wallets with a claim that they keep their phones in airplane mode and turn their WiFi off. When they want to make a transaction, they turn everything on. This is very far from the truth.
|
|
|
|
|
promise444c5
Full Member
Online
Activity: 280
Merit: 139
Keep Promises !
|
|
April 08, 2024, 06:31:09 PM Last edit: April 08, 2024, 06:43:21 PM by promise444c5 |
|
~
Exactly my point proven!! The example was hilarious though; she needs to convince any listener without using any word related to s*x. I had to laugh while reading it. The same goes for anyone claiming that too: he has to convince us without using any word related to the internet. Why in the first place did I point it out?? I was also a victim of this same thought before joining the forum and I even went to the extent of showing it in one of my replies; there I got corrected on the perfect procedures to set up a cold wallet on an airgapped device. Now, seeing this brings a flashback and I have to raise it for others to learn too.
|
|
|
|
Cricktor
|
|
May 02, 2024, 03:58:40 PM |
|
I'd like to hear an explanation regarding status of cold wallet in the context of here presented backup scheme.
This is what I understood from this case.
Someone has mnemonic recovery words that he fears to lose or have stolen, therefore he creates at least one distinct wallet with those mnemonic recovery words which are extended by an (optional) mnemonic passphrase (the 13th or 25th additional passphrase supplementing the commonly 12 or 24 mnemonic recovery words). Of course, this optional mnemonic passphrase should not be easy to guess and should be complex enough so that brute-forcing it isn't feasible (it should not be any information already available online, no song title, no known dictionary words sequence and so on).
These seed words extended by the supplementary mnemonic passphrase generate a wallet with completely different private keys than a wallet with the seed words (mnemonic recovery words) alone.
Now let's assume this user treats the air-gapped cold part of his wallet with the private keys as indeed cold, i.e. never touching an online network and internet. An online watch-only hot part of the wallet facilitates broadcasting signed transactions (signing PSBTs with the cold offline part).
When the mnemonic recovery words are saved in GMail, definitely a "hot" environment and not a safe storage if you only have your recovery words not supplemented by an additional mnemonic passphrase, you still can't recreate the wallet without the additional mnemonic passphrase.
I don't consider it a good and safe storage if you only try to memorize the additional mnemonic passphrase because this will fail you sooner or later (I had my own bad experience with this even with hints written for a complex supplementary mnemonic passphrase once; no coins were lost when I realized I can't recover the wallet anymore, I moved funds out of it).
Can you explain to me why everybody here says the cold wallet is actually a hot wallet when only the mnemonic recovery words are backed up in a hot environment but the recovery words definitely aren't sufficient alone to recover the wallet? The private keys are kept cold, they don't touch the internet, what touches the internet isn't in any way sufficient to recover the private keys. How is this a hot wallet as you all claim?
I ask because I want to understand it as it clashes with my understanding of cold vs. hot wallet.
We don't need to discuss if the entropy of the additional mnemonic passphrase is sufficient or comparable to e.g. the entropy of 12 recovery words. If I choose to secure a possible disclosure of my mnemonic recovery words with such a supplementary mnemonic passphrase, then of course the entropy of this mnemonic passphrase needs to be large enough so that brute-forcing is unfeasible. We know that it's computationally expensive to brute-force an additional mnemonic passphrase as you have always to go through 2048 rounds of PBKDF2 and further key derivation for each candidate.
|
|
|
|
|
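An added example, not part of any post in this thread: it puts the keyspace arithmetic from Yamane_Keto's post next to the 2048-round PBKDF2 stretching Cricktor mentions, to show how much of the wallet's protection rests on the extension once the seed words have leaked, and how long a randomly chosen extension would have to be to match a 128-bit seed. The `b"electrum"` salt prefix, the simplified normalisation, the constructed word strings, the hypothetical guess rate and every function name are assumptions of this sketch, not Electrum's own code.

```python
import hashlib
import math
import time
import unicodedata

PBKDF2_ROUNDS = 2048  # round count quoted in the thread

# Constructed word strings standing in for five leaked seed backups (not real seeds).
CONSTRUCTED_MNEMONICS = [f"sample backup {n} " + "word " * 9 for n in range(1, 6)]
SHARED_EXTENSION = "constructed-extension"  # one memorised secret reused five times


def _norm(text: str) -> str:
    """Simplified normalisation (NFKD, collapsed whitespace); real wallets do more."""
    return " ".join(unicodedata.normalize("NFKD", text).split())


def stretch(mnemonic: str, extension: str = "") -> bytes:
    """Seed words plus optional extension -> 64-byte seed (PBKDF2-HMAC-SHA512).

    The b"electrum" salt prefix is an assumption of this sketch.
    """
    salt = b"electrum" + _norm(extension).encode("utf-8")
    return hashlib.pbkdf2_hmac(
        "sha512", _norm(mnemonic).encode("utf-8"), salt, PBKDF2_ROUNDS
    )


def wallet_seeds(extension: str) -> list:
    """Stretch every sample backup with the same extension."""
    return [stretch(m, extension) for m in CONSTRUCTED_MNEMONICS]


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Upper bound on entropy, reached only if every symbol is chosen at random."""
    return length * math.log2(alphabet_size)


def min_length(alphabet_size: int, target_bits: int = 128) -> int:
    """Shortest random extension whose keyspace reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def years_to_search(bits: float, guesses_per_second: float) -> float:
    """Expected time to cover half the keyspace (the /2 used in the post)."""
    return 2 ** (bits - 1) / guesses_per_second / (365.25 * 24 * 3600)


def local_stretch_rate(samples: int = 20) -> float:
    """Stretch operations per second on this machine, single-threaded."""
    start = time.perf_counter()
    for i in range(samples):
        stretch(CONSTRUCTED_MNEMONICS[0], f"probe-{i}")
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    plain, hidden = wallet_seeds(""), wallet_seeds(SHARED_EXTENSION)
    print("extension changes every wallet:", all(p != h for p, h in zip(plain, hidden)))
    print("distinct hidden wallets:", len(set(hidden)), "behind 1 shared secret")

    bits = keyspace_bits(64, 10)  # the 10-character, 64-symbol case from the post
    print(f"10 chars from 64 symbols: at most {bits:.0f} bits (seed: 128)")
    print("random chars needed for 128 bits:", min_length(64))
    print("random 2048-list words needed for 128 bits:", min_length(2048))

    rate = local_stretch_rate()
    print(f"this machine: {rate:,.0f} stretches/s on one thread")
    # 1e9/s is a hypothetical rate chosen only to show how the estimate scales.
    for label, r in (("measured rate", rate), ("hypothetical 1e9/s", 1e9)):
        print(f"{label}: {years_to_search(bits, r):,.0f} years for {bits:.0f} bits")
```

The 60-bit figure is a ceiling: a phrase chosen so that it "can never be forgotten" is not drawn uniformly from that keyspace, so its real entropy is lower.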