Let's say I use a securely protected, very long and strong passphrase with my BIP39-compliant twenty-four word mnemonic in my hardware wallet. Is it unsafe to publicly publish on Facebook or Twitter the twenty-four word seed, treating my passphrase as the thing that protects my assets in my hardware wallet? Ron, the short answer is, it is absolutely unsafe. Long answer, let's look at why it is unsafe.
The BIP39 standard works like this: the mnemonic can range from twelve to twenty-four words, but most wallets use twenty-four words. Those twenty-four words actually encode a value, which is used to produce the master key for your hierarchical deterministic wallet. Basically, your master key is produced from these twenty-four words.
In the process of producing that, your BIP39-compliant wallet will operate a password stretching algorithm, PBKDF2, which has only a few rounds. By default, if you don't use a passphrase, it uses the word mnemonic as the salt. Think about it this way: we have the twenty-four words and throw in another value, which we call the salt, just the string "mnemonic", and then we mix it up two thousand times through this algorithm to produce another value. The reason for that function, the key-stretching algorithm, Password-Based Key Derivation Function 2 (PBKDF2), is to ensure that it is difficult to brute-force the passphrase. If you are using a passphrase on your BIP39-compliant wallet, in order to check if that ends up as a bitcoin address with money in it, or to verify it against the known address, you must go through those rounds of hashing.
That takes time, though it doesn't take a lot of time on a powerful computer. On this laptop, it would probably take less than a millisecond. On a much less powerful device, like a USB hardware wallet such as the Ledger or Trezor, which don't have enough processing capacity, it will actually take a few seconds. You will notice that when you enter your passphrase on your hardware wallet, it will show a progress bar. It takes maybe two or three seconds.
In order to make it suitable for a small hardware device, they had to limit the number of rounds of stretching. Unfortunately, that has a downside: you can implement a stretching algorithm on a laptop that is a thousand times faster than a Trezor. On a GPU, it is maybe a hundred thousand times faster.
On an FPGA, maybe ten million times faster. And if you used an ASIC, you could probably do it two hundred million times faster than on a Trezor. This would make it possible to try an enormous number of passphrases. But if the attacker needs your twenty-four word seed and your passphrase, that is a good security mechanism.
If somebody finds your mnemonic seed lying around (by the way, you shouldn't have it lying around), but if they do find it because it is not sufficiently physically secured, then brute-forcing the passphrase will require either a lot of infrastructure or a lot of time. They will need to have specialized computers, GPUs, FPGAs, ASICs, etc., or it will take a long time. By a long time, I mean a relatively complex passphrase will keep you safe for several weeks to a month.
A very strong, complex passphrase will keep you safe for months, unless the attacker is willing to spend a million dollars on hardware to break that passphrase. There are these trade-offs, right? At the bottom end of these trade-offs is a small hardware wallet, which can't do this faster than about one or two seconds when you type it in.
You don't want it to delay any more than that because then the hardware wallet becomes difficult to use. That is the trade-off there. Someone astutely pointed out that your passphrase is a brain wallet.
We have talked about brain wallets before. Brain wallets involve making up a phrase, hashing it many times, and producing a bitcoin address. Brain wallets are not secure because, absent a second factor, you can precompute a very long list of common strings that people will use: quotes or phrases from Star Trek and other movies or TV shows, slogans from various cultural movements, poems, stories, whatever. You can precompute them and produce the same brain wallets. There is no other factor. All you need to do is wait for someone to use one and put money in one of the bitcoin addresses.
You could just track a trillion Bitcoin addresses, which would be a simple database. If someone is dumb enough to put some money in, you just take it. We have seen that happen again and again. People use brain wallets and within an hour, someone has taken the money, because the brain wallet they chose wasn't secure. Now, get this: brain wallets may be more secure than what you just proposed, because I believe the number of rounds used for most brain wallets is 16,000. But you can reconfigure it and make your brain wallet use a hundred thousand rounds.
That will be far more than what a little hardware wallet can do. Brain wallets can be made secure with more rounds, but they can never be made as secure as a true two-factor system, where one factor is the mnemonic and the other factor is the passphrase. The attacker needs both. Since the mnemonic itself is random, you are not brute-forcing that. You would need to have all, or a significant chunk, of the mnemonic to have any meaningful way of brute-forcing the rest of it, and the passphrase.
So you can attack BIP39 in certain ways, but it costs a lot of money and takes a lot of time.
To summarize all of that: the most important rule in cryptography is, don't roll your own crypto. Don't try to do smart things, because you will make mistakes. You will not understand the impact on the complexity of solving the problem.
Let me give you a classic example of this that I read all the time. People will say: "All you need to do is cut your twenty-four words in half and store them in different places." That is not the standard.
It is not the standard because that is not secure. Next time you hear that, ask the simple question: how much effort is it to find one half of a seed? If you split your seed in two, and I manage to find one of these twelve-word halves, how hard is it for me to crack the other twelve words? Is it half as difficult as twenty-four words?
It is not. It is approximately 10^35 times less difficult. Why? Because what you cut in half is not the base, it is the exponent of the complexity. You took something that had 256 bits and cut it into 128 bits, which is not half as complex. It is 10^30 to 10^40 times less complex than 256 bits.
Don't roll your own crypto. Don't try to get smart about implementing schemes and systems to split your seed. You are far more likely to lose your money because you simply forgot the scheme, because it wasn't standard.
If something happens to you, your heirs or your family will not be able to recover it. Or because you forgot a password, which we have seen again and again; then you can't brute-force it. Or you go to the other extreme: your scheme is not really as complex as you think it is, and someone can brute-force it easily, so you have effectively implemented a brain wallet. Your money will be stolen.
The BIP39 standard is very carefully balanced to achieve the best ratio of security and ease of use, security and resilience, security and recoverability for small hardware devices. It is balanced by people who are actual cryptographers and know what they're doing. When you try to change the way you use it, you will tip that balance, either too much towards security: "I took my BIP39 seed, cut it into twenty-four pieces, mixed them up, encrypted them, put them on Dropbox, then erased it from the web, and I can only access it on the archive." Your money will be gone. You made it too complex; you buried your money in the desert without a map.
Or you went the other way and end up with something that is too easy to break, because you didn't realize that you were making a big change and not a small change in the complexity. Don't roll your own crypto unless you are an experienced cryptographer. I'll tell you, I won't do it. I don't consider myself to be experienced enough in cryptography to roll my own. I use the standards that are well-tested, mature, and peer-reviewed by very good cryptographers. They work well.
Write your seed down. Use a pen or pencil and paper. Write it down. Store it in a physically secure location like a locked drawer or bank safe deposit box, or etch it on steel.
Keep multiple copies of that seed. Use a passphrase that is strong enough to not be easily brute-forceable. Six to eight words is just about right, though not English words from the mnemonic list.
Random words that don't mean something to you, not a phrase you will find on Google, not something written in a book or seen in a movie. Pick six to eight random words. Memorize them. Write them down.
Store them in a different location, so your family actually has a chance to recover them if something happens. That will be more secure. You will not be robbed as easily.
Use the standard as it was designed. Anthony had a quick follow-up there: "Passphrase, does that mean the password on the hardware wallet?" There are two things on the hardware wallet: the PIN, which is just to protect the physical device and has nothing to do with the seed. If someone takes your physical hardware wallet, they can't simply unlock it. The PIN is designed so that if you make a mistake, it takes twice as long to try again, and that quickly escalates to the point where you can only try one PIN a week, then every two weeks, then once a month, etc. The PIN has nothing to do with the security of the keys.
The passphrase, however, an optional component of the BIP39 standard, is an additional security factor. That is separate from the PIN. In first-generation hardware wallets, you would type it in on the computer; in second-generation hardware wallets, you click directly on the screen of the hardware wallet, so that it is not entered on an online system. It is mixed in with your mnemonic phrase. It affects the security of your keys, and protects your seed.
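As an added example (not from the talk or any wallet vendor), here is the derivation the answer describes in Python, plus the exponent arithmetic behind the split-seed argument. It uses the standard's exact parameters (PBKDF2-HMAC-SHA512 with 2048 rounds, which the talk rounds to "two thousand"); the test mnemonic and the candidate passphrases are constructed sample values, and the timing function is a rough laptop-side measurement of how many passphrase candidates one core can check per second.

```python
import hashlib
import time
import unicodedata

# BIP39 seed derivation as the talk describes it: PBKDF2, with the mnemonic as the
# password and "mnemonic" + passphrase as the salt. The standard fixes 2048 rounds
# and HMAC-SHA512 as the PRF (the talk does not name the PRF; it is the standard's).
PBKDF2_ROUNDS = 2048


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Return the 64-byte seed. With no passphrase the salt is just "mnemonic"."""
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, PBKDF2_ROUNDS, dklen=64)


def entropy_bits(word_count: int) -> int:
    """Entropy a BIP39 mnemonic encodes: 11 bits per word minus one checksum bit per 3 words."""
    if word_count % 3 or not 12 <= word_count <= 24:
        raise ValueError("BIP39 mnemonics have 12, 15, 18, 21 or 24 words")
    return word_count * 11 - word_count // 3


def split_weakening_factor() -> int:
    """How much easier guessing gets when an attacker already holds 12 of 24 words.

    The talk's point: halving the words halves the exponent, 2^256 -> 2^128, so the
    remaining half is 2^128 (about 3.4e38) times cheaper to search than the whole.
    """
    return 2 ** (entropy_bits(24) - entropy_bits(12))


def derivations_per_second(samples: int = 50) -> float:
    """Measure passphrase candidates checked per second; every guess costs all 2048 rounds."""
    mnemonic = "abandon " * 11 + "about"  # constructed: the standard all-zero-entropy mnemonic
    start = time.perf_counter()
    for i in range(samples):
        bip39_seed(mnemonic, f"candidate-{i}")  # constructed candidate passphrases
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    m = "abandon " * 11 + "about"
    print("no passphrase:", bip39_seed(m).hex()[:32], "...")
    print("passphrase   :", bip39_seed(m, "TREZOR").hex()[:32], "...")
    print("split weakening factor: 2^%d" % (split_weakening_factor().bit_length() - 1))
    print("this machine: ~%.0f passphrase checks per second" % derivations_per_second())
```

The two seeds printed share no structure, which is the two-factor property the talk relies on; compare the measured rate against the one-to-two-second derivation on a hardware wallet to see the speed gap the talk quantifies.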