Why seed splitting is bad?

[Hashura]

I am trying to learn more about security practices. I saw another member share this link How to backup a seed phrase so I read it, but it is not beginner friendly.
In that same blog, there is a video about why seed splitting is a bad idea. A lot of members suggest to back up the seed phrase in multiple location, but when you split the phrase, suddenly it is bad? I thought it will make it more secure, so it made me curious. I watched the video but the explanation is full of technical jargon.
I search for seed splitting in the forum and found this discussion A. Antonopoulos’ Take on Seed Splitting and Bruteforcing but again, I don't understand the technical terms.
Can anyone explain why seed splitting is a bad idea, in layman's terms? I am genuinely confused.

[Charles-Tim]

You may split your seed phrase, but it is very possible for an attacker that sees some words of the seed phrase to brute force the whole seed phrase is the reason it is not recommended. The second reason is the single point of failure.

Instead you can read more about passphrase and use it instead. Backup the seed phrase in different locations from the passphrase. Both are needed to recover and to spend your coins. Two or three backups are recommended.

[tbct_mt2]

In that same blog, there is a video about why seed splitting is a bad idea. A lot of members suggest to back up the seed phrase in multiple location, but when you split the phrase, suddenly it is bad? I thought it will make it more secure, so it made me curious.

Making multiple wallet backups and store them at different locations is good because if one wallet backup is lost, or can not be used for wallet recovery, you will still have some other wallet backups to use for wallet recovery.

Splitting wallet mnemonic seed is a bad idea because with only one part of splitted seed, you can not recover your wallet. For example, if you splitted the mnemonic seed to three parts, you need all three parts for your wallet recovery later. Chance of one of three parts is lost actually not zero, therefore you have considerable risk of failing to recover your wallet, and lose your bitcoins.

Bitcoin has good security and it's impossible to brute force a wallet mnemonic seed if you lose one, two parts of your splitted wallet mnemonic seed recovery. You can think it like if people can brute force wallet seed, all bitcoins would have been stolen and Bitcoin has $0 in value already.

[Hashura]

You may split your seed phrase, but it is very possible for an attacker that sees some words of the seed phrase to brute force the whole seed phrase is the reason it is not recommended. The second reason is the single point of failure.

Instead you can read more about passphrase and use it instead. Backup the seed phrase in different locations from the passphrase. Both are needed to recover and to spend your coins. Two or three backups are recommended.

Making multiple wallet backups and store them at different locations is good because if one wallet backup is lost, or can not be used for wallet recovery, you will still have some other wallet backups to use for wallet recovery.

Splitting wallet mnemonic seed is a bad idea because with only one part of splitted seed, you can not recover your wallet. For example, if you splitted the mnemonic seed to three parts, you need all three parts for your wallet recovery later. Chance of one of three parts is lost actually not zero, therefore you have considerable risk of failing to recover your wallet, and lose your bitcoins.

Bitcoin has good security and it's impossible to brute force a wallet mnemonic seed if you lose one, two parts of your splitted wallet mnemonic seed recovery. You can think it like if people can brute force wallet seed, all bitcoins would have been stolen and Bitcoin has $0 in value already.

Ok thanks. So splitting the phrase does not do anything because if someone with technical knowledge sees one part, they can forcibly guess the rest anyway? In that case it is no better than storing the whole seed phrase, and it just makes it harder for the owner to recover the wallet because he needs to collect all parts, with risks of being lost. Did I understand it correctly?

So it is better to have multiple backup of seed phrase and passphrase in different location. I looked into passphrase but it seems like I cannot add it to my already existing Electrum wallet. Does this mean I have to make a new one?

[pooya87]

I search for seed splitting in the forum and found this discussion A. Antonopoulos’ Take on Seed Splitting and Bruteforcing but again, I don't understand the technical terms.
Can anyone explain why seed splitting is a bad idea, in layman's terms? I am genuinely confused.

That is mostly about the algorithm that was used to "split" the mnemonic. Shamir Secret Sharing is for "sharing" a secret not to split it for storage. Not to mention the implemenations of this algorithm may not be as reliable as you'd think. There are some that are flawed and that can introduce more risk in your storage scheme.
On top of that, the way that was explained there would make it easier for an attacker to brute force your seed phrase and find the whole thing to steal your coins.

When there is a better way to add an additional layer of security to your setup, you should use that. That better way is using the extra word also known as passphrase which can add extra entropy on top and if it is a strong phrase it can be impossible to brute force as well. You can store that separately.

[Aanuoluwatofunmi]

When splitting your seed phrase, you may make a mistake by your own self on them and get confused, but this is not even the bad aspect of it, but some smarter people may gain access and uses guesses to match them right and get access to your wallet, if we are indeed of the request for a better storage means for our seeds, wr may learn from this following links.

seeds backup tools
https://bitcointalk.org/index.php?topic=5263482.0

additional security to your seed phrase
https://bitcointalk.org/index.php?topic=5230920.0

[retaur]

Ok thanks. So splitting the phrase does not do anything because if someone with technical knowledge sees one part, they can forcibly guess the rest anyway? In that case it is no better than storing the whole seed phrase, and it just makes it harder for the owner to recover the wallet because he needs to collect all parts, with risks of being lost. Did I understand it correctly?

Yes, it mostly just mskes it harder for the user to recover. You'd then need to find (and potentially trust) or build a program that could reorganise your words in the right order. This would actually not take long for a computer to do (mere seconds) if you have every word (and most nmemomics are only 12 or 24 words long).

Even with a passphrase/extension if you pick something not on the word list or you mark it in some way it'll be obvious to an attacker where that word is meant to be or not obvious enough to you when you come back to it and forget what you've already done.

So it is better to have multiple backup of seed phrase and passphrase in different location. I looked into passphrase but it seems like I cannot add it to my already existing Electrum wallet. Does this mean I have to make a new one?

Yes, but you need to pick locations that are secure and not too many. You need for there to be a decent number of backups, not for there to be so many that someone can accidentally find one.

If you wanted to extend your seed phrase then yes again, you'd also need to make a new wallet (you can use your current nmemomic and just add extra to the end - but make sure you write things down exactly as it won't predict these if they're not in the wordlist). The private keys that are generated from the seed that's generated from the mnemonic change when you add extra words at the end (as the mnemonic changes).

[Hewlet]

Can anyone explain why seed splitting is a bad idea, in layman's terms? I am genuinely confused.

The main issue with splitting of seed phrase is that losing a part of it might lead to a loss of your asset which is the same thing that's possibly going to happen if you you just duplicate your seed phrase into multiple part and store it in an unsafe place. The emphasis basically isn't about splitting your seed phrase but rather, the emphasis should be about securing it in such a manner that a third party never gets access to it.

Your seed phrase is your responsibility to hold and keep safe and secure in anyway possible that's devoid of a third parties reach. As long as you can do that either through writing down your keys into different part and keeping it separately or alternatively splitting a single key and keeping it in a safe place, what matters most is that a third party doesn't lays his hand on it for no reason.

[Razmirraz]

Separating seed phrases in different locations can be a bad idea because if you forget one of the locations where you store some of the seed phrases, you will lose access to your wallet, besides you will also have difficulty accessing your wallet in an emergency because the process may take a long time due to separating the seed phrases. Instead of separating the seed phrase into two parts and storing them in different places, you can try copying several backups of the seed phrase to store them in different places, so that if one of them is lost, you can still access the wallet because you still have the other backup.
However, if you think that separating your seed phrase into two parts is the most effective way to keep your wallet secure, then you must have a solid plan to maintain its security and accessibility.

[nc50lc]

So splitting the phrase does not do anything because if someone with technical knowledge sees one part, they can forcibly guess the rest anyway? In that case it is no better than storing the whole seed phrase, and it just makes it harder for the owner to recover the wallet because he needs to collect all parts, with risks of being lost. Did I understand it correctly?

The answers needs to be separated so that it wont confuse you even further:

Some of the replies are talking about "naive splitting" where it's just a simple split into X number of parts
So one part will make it non-recoverable, but still falls to the argument that it's just a few bits which could be recoverable in the near future.

But the video and the second link is about a n-of-m seed splitting scheme
where losing one part isn't an issue since it's covered by the algorithm suggested by the article - the owner only needs 2 out of the 3 backups.
Rather, it's the possibility of it being bruteforced (in the future) if at least one backup is compromised.

-snip- I don't understand the technical terms.
Can anyone explain why seed splitting is a bad idea, in layman's terms? I am genuinely confused.

Technical terms are the least of your problems since you can just use a search-engine for their definition.
Instead, I'll explain your main concern that bruteforcing the remaining words could be possible in the near future:

First, the "checksum" is part of the last word which is a few bits (let's say numbers) that are reproducible from the rest of the entropy (seed phrase written numbers).
So, when bruteforcing, the attacker don't have to include it when guessing the remaining words.

Then, in BIP39 spec, those 24-words is equivalent to 264bits including an 8-bit checksum.
So if we split that to 3, that'll be 88bits and if we remove the checksum, that's 80bits (as mentioned multiple-times in the video)
Now let's do simple math: that 80 bits is equal to 2^80 combinations so, the attacker has 1 out of 2^80 chance to guess the correct remaining words.
In precise numbers: 1 out of 1,208,925,819,614,629,174,706,176 which looks a lot but not if computers can do quintillions per second.

It's currently not possible but given time, it will be possible with a super computer or even a few GPU.
To give you a comparison, the famous "puzzle transaction" has its 69-bit private key already bruteforced. (70 isn't bruteforced but calculated due to its pubKey being exposed)

[satscraper]

That better way is using the extra word also known as passphrase which can add extra entropy on top

Looks like this is not quite accurate because extraword-passphrase-25^thword' ^{(no matter what you call it)} doesn't increase the entropy generated by source/s wallets use to derive SEED. <passphrase> simply modifies ^{via PBKDF2} the 512-bit long seed used to derive the master private key, replacing the default salt (which is mnemonic) by mnemonic<passphrase>.

So, it is just additional layer of security for user because adding it changes all wallet's keys.

Users who implement it must take care of both SEED and passphrase.

[LoyceV]

Then, in BIP39 spec, those 24-words is equivalent to 264bits including an 8-bit checksum.
So if we split that to 3, that'll be 88bits and if we remove the checksum, that's 80bits (as mentioned multiple-times in the video)
Now let's do simple math: that 80 bits is equal to 2^80 combinations so, the attacker has 1 out of 2^80 chance to guess the correct remaining words.
In precise numbers: 1 out of 1,208,925,819,614,629,174,706,176 which looks a lot but not if computers can do quintillions per second.

It's currently not possible but given time, it will be possible with a super computer or even a few GPU.

Still, this would make me feel pretty secure. I like that it's not a black box, I can understand this:

Code:

Card 1: tooth XXXX XXXX master tackle XXXX idle XXXX fossil XXXX panel blossom caught balcony occur XXXX XXXX celery myth tuna XXXX clump sphere maximum
Card 2: tooth object remove XXXX XXXX shaft XXXX shy fossil pulp panel blossom XXXX XXXX occur sheriff stadium XXXX XXXX tuna candy XXXX sphere maximum
Card 3: XXXX object remove master tackle shaft idle shy XXXX pulp XXXX XXXX caught balcony XXXX sheriff stadium celery myth XXXX candy clump XXXX XXXX

Compared to keeping the full seed phrase at one location, I wouldn't worry about the risk of brute-forcing 8 words any time soon.

[nc50lc]

-snip-
Compared to keeping the full seed phrase at one location, I wouldn't worry about the risk of brute-forcing 8 words any time soon.

Yeah, it's arguable that the suggestion to backup the whole seed phrase isn't any better.
I think they're just pointing the fact that even with the given backup scheme of removing 8 words per backup, the security isn't completely safe.

Plus they can also use a BIP39 Passphrase to counter those arguments.

[Hashura]

The answers needs to be separated so that it wont confuse you even further:

Thank you for this, you explained it in a way that's very clear and easy to understand. +Merit!

It's currently not possible but given time, it will be possible with a super computer or even a few GPU.

Still, this would make me feel pretty secure. I like that  it's not a black box, I can understand this:

Code:

Card 1: tooth XXXX XXXX master tackle XXXX idle XXXX fossil XXXX panel blossom caught balcony occur XXXX XXXX celery myth tuna XXXX clump sphere maximum
Card 2: tooth object remove XXXX XXXX shaft XXXX shy fossil pulp panel blossom XXXX XXXX occur sheriff stadium XXXX XXXX tuna candy XXXX sphere maximum
Card 3: XXXX object remove master tackle shaft idle shy XXXX pulp XXXX XXXX caught balcony XXXX sheriff stadium celery myth XXXX candy clump XXXX XXXX

Compared to keeping the full seed phrase at one location, I wouldn't worry about the risk of brute-forcing 8 words any time soon.

-snip-
Compared to keeping the full seed phrase at one location, I wouldn't worry about the risk of brute-forcing 8 words any time soon.

Yeah, it's arguable that the suggestion to backup the whole seed phrase isn't any better.
I think they're just pointing the fact that even with the given backup scheme of removing 8 words per backup, the security isn't completely safe.

Plus they can also use a BIP39 Passphrase to counter those arguments.

Seems like it's not entirely a bad idea then. There are clearly some pros and cons based on everyone's replies, but I'm kind of leaning more into trying it out. I really appreciate all of the answers regardless.

[ColdLava40]

Losing some words of your seedphrase is same as losing the whole key. This is why it's adviced to not split the words, but store many copies at different locations. I've heard about people trying to brute force the keys if some words are missing, but the probability of recovering your seedphrase is very low.

It's no different from being completely lost. So if you must do this, you have to do it's with care and make sure each words are properly arranged not also to mix them up.

[LoyceV]

I think they're just pointing the fact that even with the given backup scheme of removing 8 words per backup, the security isn't completely safe.

I've never felt 100% happy with any seed storage method. It's always a compromise between the chance of losing access by myself, and the chance of someone else gaining access. There is no perfect solution, which is why I'm glad there are different approaches to choose from.

I'm kind of leaning more into trying it out.

Note that you don't have to limit yourself to just one method.

store many copies at different locations.

How many secure locations do you know where you can safely store your life savings without anyone ever finding it?

[Charles-Tim]

store many copies at different locations.

How many secure locations do you know where you can safely store your life savings without anyone ever finding it?

Almost all locations for me.

Since I have learned more about wallet on this forum, it is highly not convenient for me anymore not to extend the seed phrase with an extra word that is more than 30 characters long.

It can be encrypted on memory cards or disks as you definitely know about this also. I prefer memory cards which has been the one that I have tested before, but the one that I follow is the use of passphrase.


Posted by Charles-Tim

[Dogedegen]

I think they're just pointing the fact that even with the given backup scheme of removing 8 words per backup, the security isn't completely safe.

I've never felt 100% happy with any seed storage method. It's always a compromise between the chance of losing access by myself, and the chance of someone else gaining access. There is no perfect solution, which is why I'm glad there are different approaches to choose from.

I have a simpler method than yours, but you may not like it for some reason. My 24 word seed phrase is simply split into two. The first 12 and last 12 words in different locations and passphrase in third. It would require all three to be compromised so I can ignore anyone finding it. You could say but what if you lose one of these since you have no backups? To solve this I have 2 hardware wallets on which this wallet is. It is extremely unlikely that everything would fail at the same time. The chance is so low that I would accept my universe ordained unlucky life in that case.   The locations have nothing to do with each other so I don't see how anyone could connect they are related at all even if they could find it.

How many secure locations do you know where you can safely store your life savings without anyone ever finding it?

No method is perfect and I think it is not worthwhile to spend too much time trying to perfect it. One should just pick one really good method that covers the important bases and considerations and stick for it until there is a good reason to change it. Frequent changing especially for cold storage that is accessed very rarely is a very bad idea. With rarely I mean once in a few months or even years.

[Crypt0Gore]

I don't like splitting recovery seed because that one word that you split could put you to problem if you are unable to recover it, and the more you split the higher the risk you put yourself into.

You have more words to protect, something that should be on a single steel and keep very well, you should to write the words apart, then your eyes should be looking out for the other locations that you stored the splitter words.

Too much encounter because you want to keep your recovery seed safe, some people even choose cram the words in their brain, as if nothing can ever go wrong with the human brain.

[pawanjain]

I am trying to learn more about security practices. I saw another member share this link How to backup a seed phrase so I read it, but it is not beginner friendly.
In that same blog, there is a video about why seed splitting is a bad idea. A lot of members suggest to back up the seed phrase in multiple location, but when you split the phrase, suddenly it is bad? I thought it will make it more secure, so it made me curious. I watched the video but the explanation is full of technical jargon.
I search for seed splitting in the forum and found this discussion A. Antonopoulos’ Take on Seed Splitting and Bruteforcing but again, I don't understand the technical terms.
Can anyone explain why seed splitting is a bad idea, in layman's terms? I am genuinely confused.

The thing is, people usually consider that splitting the seed and storing it across multiple locations is less convenient.
We need to get all the splits of the seed to access our coins when compared to a single seed with multiple backups, in that case we just need to access one of the backups.
But from security point of view, I consider seed splitting more secure because if a person finds out one of the split then he still won't be able to find out the other part that easily.
If compared to storing a whole seed phrase, if a person gets hold of the hold seed phrase then he will be able to steals our funds easily if its not password protected.
A more secure way would be to split the seed phrase into two or three parts and then have their multiple backups as well and then have them all password protected too.
This will give us a three layer security although might be little inconvenient to find so many locations for the backups.