bestcoin_59 (OP)
January 20, 2025, 08:17:47 PM
Hello Everyone,
First of all sorry if this question has already been asked. I know that we should use a CSPRNG to generate the seed, but was wondering if some wallets (Desktop/Mobile/Hardware) are able to produce more unpredictable random results than others. My feeling is that a computer might be able to gain more entropy than a rudimentary piece of hardware. What is your feeling about it? And how would you do to generate a secure HD wallet?
Regards

mcdouglasx
January 20, 2025, 09:14:32 PM
Hello Everyone,
First of all sorry if this question has already been asked. I know that we should use a CSPRNG to generate the seed, but was wondering if some wallets (Desktop/Mobile/Hardware) are able to produce more unpredictable random results than others. My feeling is that a computer might be able to gain more entropy than a rudimentary piece of hardware. What is your feeling about it? And how would you do to generate a secure HD wallet?
Regards
Although computers may have access to more sources of entropy, they have a security disadvantage because they are more prone to attacks. In contrast, hardware wallets are specifically designed for security and can be more reliable for generating secure private keys.

BitMaxz
Legendary
Offline
Activity: 3626
Merit: 3309
Don't get greedy...
January 20, 2025, 09:58:45 PM
I don't think there's a difference between different devices to generate random seed. If you want to generate a high-quality seed phrase, hardware wallets usually generate them because they generate 24 seed phrases with a passphrase, which is considered safest to generate a seed phrase, but you can also do that on different devices, like a desktop or mobile phone, using the Iancoleman tool and use the "Show entropy details" and put whatever you like to increase the entropy. The details should give you an idea about "time to crack" and don't forget to change the Mnemonic Length to 24 words. Here's the site: https://iancoleman.io/bip39/
Then download the entire page or download it from the source and run it on a device that doesn't have any internet connection (never connect it to the internet) to avoid online attacks.

ranochigo
Legendary
Offline
Activity: 3122
Merit: 4500
January 21, 2025, 12:37:23 AM
No, there are probably no differences across wallets/os/devices.
Most devices use urandom to seed entropy and generate seeds and will thus provide seeds with similar level of security and/or entropy in theory. If implemented well, you should not need to worry about the source of randomness. Certain hardware wallets may use TRNG sources to seed their entropy. This is good to have but is by far redundant; you are also not encouraged to use a JavaScript-based wallet generator. Certain JS-based wallets will seed from insecure sources.

ABCbits
Legendary
Offline
Activity: 3248
Merit: 8748
January 21, 2025, 08:43:24 AM
What is your feeling about it?
CSPRNG from OS and RNG from hardware wallet generally is secure enough. At the very least, I know /dev/urandom uses lots of entropy sources. But if you prefer to use a random source that you can verify, your choice is limited to:
1. Use a coin, dice or similar object to generate entropy by yourself and then enter it into the wallet software you use.
2. Inspect the source code of the wallet to check whether it actually uses the OS CSPRNG properly.

hosemary
Legendary
Offline
Activity: 2772
Merit: 6146
January 21, 2025, 11:23:24 AM
Here's the site: https://iancoleman.io/bip39/
Then download the entire page or download it from the source and run it on a device that doesn't have any internet connection (never connect it to the internet) to avoid online attacks.
I would never recommend anyone to use iancoleman for generating a seed phrase. OP is looking for a secure CSPRNG and a tool which generates the entropy through javascript can't be a good option.

apogio
January 21, 2025, 01:58:46 PM Last edit: January 21, 2025, 06:51:16 PM by apogio
For the most part, the hardware wallets and the reputable computer software wallets generate secure seed phrases using CSPRNG.
I'd go for Electrum all day, every day.
Just make sure to decide if you want a cold storage device (i.e. a fully air-gapped laptop), or a software wallet.
My other option would be to buy a reputable hardware device. I consider Coldcard, Passport and Trezor among the reputable ones. I'd not choose Ledger for privacy reasons. Nothing bad with their security though. Check the posts below.

Synchronice
Legendary
Offline
Activity: 1232
Merit: 1050
January 21, 2025, 06:15:57 PM
Hello Everyone,
First of all sorry if this question has already been asked. I know that we should use a CSPRNG to generate the seed, but was wondering if some wallets (Desktop/Mobile/Hardware) are able to produce more unpredictable random results than others. My feeling is that a computer might be able to gain more entropy than a rudimentary piece of hardware. What is your feeling about it? And how would you do to generate a secure HD wallet?
Regards
You can generate a Bitcoin wallet and then test the randomness of the generated wallet but to be honest, I don't know how to do it. If you are very good at math and statistics, you'll probably know it or will be able to do better research than me (I'm good but not very good). Have a look at this: https://stackoverflow.com/a/32041435
I'd not choose Ledger for privacy reasons. Nothing bad with their security though.
Nothing bad with Ledger's security? Ledger has been claiming since the first day that your seed phrase will never leave the Secure Element chip but recently, as it turned out, this claim was wrong because they implemented Ledger Recover service. Logically, Ledger Recover service should be impossible to exist if seeds never leave the Secure Element.

apogio
January 21, 2025, 06:50:31 PM
Nothing bad with Ledger's security? Ledger has been claiming since the first day that your seed phrase will never leave the Secure Element chip but recently, as it turned out, this claim was wrong because they implemented Ledger Recover service. Logically, Ledger Recover service should be impossible to exist if seeds never leave the Secure Element.
I obviously didn't know this. I don't use them, I will update my post though to avoid confusion. It's a bloody stupid move on their part by the way.

Bitcoin Smith
January 21, 2025, 08:46:57 PM
In theory, a device can have better entropy than hardware which has limited resources; however, the TRNGs are specifically designed for cryptographic purposes, which ensures the randomness of seed generation. But if you're paranoid about their security, then simply use Electrum to generate your seeds on a completely offline device and then flash it once you have generated them, so your seed will not be exposed to the internet; meanwhile you can have the satisfaction of a better-entropy seed using CSPRNG.

ranochigo
Legendary
Offline
Activity: 3122
Merit: 4500
January 22, 2025, 03:43:58 AM
You can generate a Bitcoin wallet and then test the randomness of the generated wallet but to be honest, I don't know how to do it. If you are very good at math and statistics, you'll probably know it or will be able to do better research than me (I'm good but not very good). Have a look at this: https://stackoverflow.com/a/32041435
You cannot do so, because you cannot take a single generated address and test it for how random it is. In fact, any entropy measure cannot definitively tell you how random or unrandom any entropy source is; a perfectly predictable source could pass and be seen as a statistical random source.
In theory, a device can have better entropy than hardware which has limited resources; however, the TRNGs are specifically designed for cryptographic purposes, which ensures the randomness of seed generation. But if you're paranoid about their security, then simply use Electrum to generate your seeds on a completely offline device and then flash it once you have generated them, so your seed will not be exposed to the internet; meanwhile you can have the satisfaction of a better-entropy seed using CSPRNG.
CSPRNG is more than sufficient. True TRNG is probably redundant for most and doesn't improve the security as much. TRNG in general are not specifically designed but are known random processes.

satscraper
Legendary
Offline
Activity: 1106
Merit: 1872
January 22, 2025, 06:55:03 AM Last edit: January 22, 2025, 09:59:37 AM by satscraper
if some wallets (Desktop/Mobile/Hardware) are able to produce more unpredictable random results than others.
The best source of entropy is one which is based on truly random physical processes. One of them is avalanche breakdown, which appears in reverse-biased Zener diodes; read this to learn why it is random. Regarding wallets: products manufactured by Foundation, i.e. Passport, Passport batch 2 and presumably their new Passport 2, use a Zener diode to generate randomness in the course of SEED creation. I have Passport 2 and think that it is one of the best wallets currently available on the market. Thus, if unpredictable random results are your priority when choosing the wallet for your stash, then I would advocate Foundation's products.

bestcoin_59 (OP)
January 26, 2025, 07:44:18 PM
Thanks for your answers. Yes, I'm aware that it is recommended to generate the seed phrase offline. My feeling is that hardware wallets are convenient and safe to use, but I'm not comfortable letting them generate the seed, according to this:
Devices such as Trezor, Ledger, ELLIPAL and most wallets come pre-loaded with private keys, meaning a level of trust is involved. Private keys on the BC Vault are user-generated for ultimate anonymity.
Source: https://coinbureau.com/review/bc-vault-review
https://medium.com/@brandonarvanaghi/analyzing-trezor-firmware-mnemonic-seed-generation-for-bitcoin-and-ethereum-4b03fbaad24d
If true, it is imo scary...
Personally I use an Electrum wallet, but generated the seed with the Python module "secrets" installed and use a live USB in Airplane mode. Indeed, Electrum does not generate BIP39 seeds natively.
https://security.stackexchange.com/questions/242492/is-pythons-secrets-module-using-the-same-code-as-the-random-module
Am I paranoid? Might one day create a vulnerable wallet with a low value on it using a Mersenne Twister number generator and see if someone is able to steal from me.... Could be fun...
Cheers

ranochigo
Legendary
Offline
Activity: 3122
Merit: 4500
January 27, 2025, 07:19:30 AM
My understanding of the library that is being provided by Trezor on their GitHub is that it is for reference and not for production. The actual Trezor that is shipped doesn't have such vulnerabilities.
I'm not sure what's going on with the "pre-loading" of private keys. I'm not aware of any instance, do you have an actual source that is supposed to be neutral?
What does this prove? Electrum does not generate BIP39 seeds, to be accurate. Whatever seeds that are being generated is using the entropy at run time.
Am I paranoid? Might one day create a vulnerable wallet with a low value on it using a Mersenne Twister number generator and see if someone is able to steal from me.... Could be fun...
Paranoid. You should be more wary about wallets that aren't widely audited or used.

ABCbits
Legendary
Offline
Activity: 3248
Merit: 8748
January 27, 2025, 08:53:39 AM
FWIW, Electrum uses os.urandom to generate the seed and other sensitive data. AFAIK both os.urandom and the secrets module use the same CSPRNG, so I don't think what you did improves security.
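
The two entropy sources discussed in this thread (the OS CSPRNG through Python's secrets module, and manual dice rolls), shown as an added example that is not part of any post and not code from any wallet: it turns the entropy into BIP39 word-list indices, checksum included. The function names are hypothetical, condensing dice rolls with SHA-256 is an assumption of this example, and the indices refer to the standard 2048-word BIP39 list, which is not embedded here.

```python
import hashlib
import math
import secrets

VALID_ENT_BITS = (128, 160, 192, 224, 256)  # entropy sizes allowed by BIP39


def os_entropy(bits: int = 256) -> bytes:
    """Draw seed entropy from the OS CSPRNG (secrets is backed by os.urandom)."""
    if bits not in VALID_ENT_BITS:
        raise ValueError("BIP39 entropy must be 128-256 bits in steps of 32")
    return secrets.token_bytes(bits // 8)


def dice_entropy(rolls: str, bits: int = 256) -> bytes:
    """Condense six-sided dice rolls ('1'..'6') into `bits` bits of entropy.

    Assumption of this example: the roll string is hashed with SHA-256 and
    truncated. A fair roll carries log2(6) ~ 2.585 bits, so 256 bits of
    entropy needs at least 100 rolls; shorter input is rejected.
    """
    if bits not in VALID_ENT_BITS:
        raise ValueError("BIP39 entropy must be 128-256 bits in steps of 32")
    if not rolls or set(rolls) - set("123456"):
        raise ValueError("rolls must contain only the digits 1-6")
    needed = math.ceil(bits / math.log2(6))
    if len(rolls) < needed:
        raise ValueError(f"need at least {needed} rolls for {bits} bits")
    return hashlib.sha256(rolls.encode("ascii")).digest()[: bits // 8]


def bip39_indices(entropy: bytes) -> list[int]:
    """Append the BIP39 checksum and split the result into 11-bit indices."""
    ent_bits = len(entropy) * 8
    if ent_bits not in VALID_ENT_BITS:
        raise ValueError("BIP39 entropy must be 128-256 bits in steps of 32")
    cs_bits = ent_bits // 32  # checksum = first ENT/32 bits of SHA-256(entropy)
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    combined = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    n_words = (ent_bits + cs_bits) // 11  # 12 words for 128 bits, 24 for 256
    return [(combined >> (11 * (n_words - 1 - i))) & 0x7FF for i in range(n_words)]


if __name__ == "__main__":
    # Run only on an offline machine: the printed indices are the secret.
    print("from OS CSPRNG:", bip39_indices(os_entropy(256)))
    constructed_rolls = "123456" * 17  # constructed sample, NOT random
    print("from dice     :", bip39_indices(dice_entropy(constructed_rolls)))
```

Each index selects one word from the BIP39 list, so a 256-bit input yields 24 indices and a 128-bit input yields 12.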

Synchronice
Legendary
Offline
Activity: 1232
Merit: 1050
January 27, 2025, 10:00:52 AM Merited by mcdouglasx (1)
Am I paranoid? Might one day create a vulnerable wallet with a low value on it using a Mersenne Twister number generator and see if someone is able to steal from me.... Could be fun...
Cheers
You are paranoid. Also, if you want to have a hardware Bitcoin wallet, I suggest you have a look at ColdCard and The Passport Foundation. In terms of safety and security, these wallets are on another level. This is a very good article from ColdCard for paranoid users: https://coldcard.com/docs/paranoid/
Click on CTRL + F and paste this: Generating seed words with 256 bits of entropy by dice rolls.
What does this prove? Electrum does not generate BIP39 seeds, to be accurate. Whatever seeds that are being generated is using the entropy at run time.
Am I paranoid? Might one day create a vulnerable wallet with a low value on it using a Mersenne Twister number generator and see if someone is able to steal from me.... Could be fun...
Paranoid. You should be more wary about wallets that aren't widely audited or used.
He should worry more about how to store his recovery seed phrases safely. I think people care too much about things that are already fixed and aren't really an issue.

apogio
January 28, 2025, 07:58:59 AM
You are paranoid. Also, if you want to have a hardware Bitcoin wallet, I suggest you have a look at ColdCard and The Passport Foundation.
Suggesting specific brands is good because it will help OP choose a good device. Just to add a general opinion, I'd definitely go for a hardware device that:
1. includes a secure element.
2. is reputable and well established in the space.
3. is not too expensive. I don't think we should pay absurd amounts of money for the device.
Your wallet suggestions definitely cover the first 2, but they look expensive to me. I'd rather focus on doing multisig with 2 reputable but cheaper wallets (but I don't know if there are any).
Disclaimer: I own both a cheap device and an expensive device, but I keep using Electrum on my air-gapped laptop.