BIP39 Passphrase Recovery (Or Hidden Wallet Password, 25th word) For Ledger, Trezor, Keepkey, etc


So I made a number of videos that look at ways to recover from an error in
your 24 word seed phrase, but the really good thing about tools like
BTCRecover is that they can also help you recover from an error in your
passphrase. This can happen when you’ve typed in your recovery phrase, it’s
correct, it’s right, but then you notice that your wallet is spitting out a
whole bunch of addresses that don’t seem to quite line up with where your
crypto should be, and there are no transactions or anything like that lining
up with it. You might be thinking to yourself, oh no, because you’d written
down your recovery phrase but you’d relied on the fact that you would remember
your passphrase.

This is actually a really easy mistake to make, and it’s one of the reasons
why both Ledger and Trezor warn users that adding a passphrase to their
recovery phrase is an advanced feature: it’s easy to forget and it’s an easy
mistake to make. Some wallets, like Electrum, don’t even ask you to type in
your passphrase twice, so if you’re in a hurry and working in Electrum it’s
entirely possible you could have a typo in your passphrase, send the funds to
the wrong place, and not realize you’ve made that mistake for months and
months and months. I’m going to make a number of videos on some really easy
ways to make sure that you’re validating your passphrase before you start
loading those up with crypto.

There are some important notes to start. Firstly, you will need a correct
24 word seed for this tool to work in the way that I’m going to demonstrate
here today. You also need to know at least one public address that was used
with your wallet. Basically, what this does is test a whole bunch of
different passphrases, looking for the public address that you’ve listed. So
let’s say, for example, like I have in my other videos, we purchased some
Ethereum on Coinbase and we remember we sent it to this address, so that’s the
address we’re going to use.

Firstly, you need to download the repository for the segwit fork of
BTCRecover. I cover this in another video; the link will be in the description
to both my original video and this repository that I’ll use. You also need to
set up an air-gapped Ubuntu 18.04 environment, which is covered in my previous
video on this, so if you watch it from about the twelve and a bit minutes to
21 minutes you get step-by-step instruction on how to do that. You can run
this stuff directly in Windows if you’re feeling that desperate and the whole
idea of using Linux is too confronting, so that’s something we can do.
Alternatively, if there is enough demand, so say 10 or so people request it in
the comments or someone decides to sponsor it, I can also update and
distribute an amnesic Linux distribution with these crypto tools prepackaged,
so like a live USB you can just boot that’ll have all this stuff baked in.

So once we’ve loaded up our air-gapped
Ubuntu environment, we have two options to use BTCRecover to recover a
passphrase. Firstly, we can use a password list file. In my opinion a password
list is really easy to understand and a really good place to start, so that’s
where we’re going to start.

A password list is good to use if you think you have a pretty good idea as to
what your password was, or maybe you’ve got a few options for passwords you
might have used but you think you maybe made a typo in there somewhere.
Basically, how this works is you create a list of passwords that you think it
was. You will also need to add any likely spelling mistakes that you might
have made, because it won’t go and try to add in extra letters for you. So for
example this password file might have six rows in it. I’ve actually done a
common misspelling of Ethereum in there that I often see online as well. Maybe
you weren’t sure which year it was and you thought maybe it was one of those
two as well. So a file would have these six rows in it.

You can make password files that are quite long, because increasing the size
of your password file will give you a linear increase in computation time.
What that means is, if you double the number of passwords in your password
list file, it will take twice as long, and that’s quite different to the
token file, which we’ll look at later. This is why I suggest that even a long
list of potential passwords might be a better approach than trying to use a
token list: it’s really easy to understand what you’re doing, and it
decreases the chance you’re going to make a mistake and have BTCRecover do
something that says it’s going to take days and weeks when it turns out you
might have made a mistake in the token file.

The other thing that you can use is called a token
list file, and that’s where you might remember parts of your password, or
let’s say blocks of letters and words that make up a large password. This can
work really well if you have a small number of tokens that your passwords
will be made up of, but once your list starts getting longer you might need
more. So for example our token file might include the following lines, because
we remember that we would often use these different characters to make up
passwords. But the issue is that for it just to test all possible combinations
of these, including all types of variations, if we’re working on a password
this long, would require thousands of years.

So to use the token file we need to help it out, and we can give it
instructions so it knows roughly where we think these words should go. We
might remember that our password probably started with one of these three
words, so start with Ethereum or Etherium or Bitcoin. We might remember that
it would have ended with one of these years, and that maybe we had this symbol
somewhere in between. These are the tokens. Doing that significantly
decreases the number of possible password combinations that a token file will
produce, and it makes it quite manageable to recover even some fairly long and
potentially complex passwords, if you, say, have a habit of stringing
different sets of words together.

But this is the point: the documentation for how to do a token file can get
quite complex. It is well documented on BTCRecover, but I won’t spend time
going into the details of how to intricately craft a token file, because that
is just way beyond the level of complexity that I think is helpful to deal
with here, and something like forums, Reddit or the comments section is a
much better place for that.

So
my suggested workflow for this is, firstly, that you create a secure
environment to run the tool. I also suggest that you get the tool working and
test it with one of the scenarios that I’m going to go through here below,
just so that you can make sure you’re getting the syntax right and you can be
confident that you understand how the tool works before putting your own real
information in there. I’d suggest you start with a password list and only move
on to a token list if you don’t have success with that.

The first password list. Okay, so our first example is going to be looking for
what’s basically the first address on the default derivation path. I’ve got
the phrase that we’re using, I’ve got the actual passphrase, you can see there
it’s going to type it with it, and we’re going to be looking for the first
address in the first account on the default derivation path, and that’s this
one right here. We’re going to be using a password file, that’s this one here.
It just has one word in it, one line, that’s it, so our best memory of it was
that it was this. And the command we’re going to use to find that is this one
here.

Basically, I’ve put in a lot of different options here that I think are going
to give you the best chance of finding it first go. We’re going to check for a
typo assuming caps lock was on. Similarly, we’re going to check for a typo
that swaps some letters; maybe we accidentally hit one letter twice; maybe we
accidentally left one out; maybe we had one letter capitalized or not. We’re
allowing for a maximum of three typos, and we’re also going to use this typo
map here, which is for if you accidentally hit a letter next to one of the
ones in the passphrase. We’re looking at the default BIP32 path, and our
wallet type is Ethereum. Our address generation limit is just one, because
we’re only looking at the first address.

So we’ll just run that. It’s asking us to enter the extended public key; we
don’t have that. We have one address, and we want our best guess of the
phrase. Well, we know what the right phrase is, so I’ll put that in there, and
there we go, it’s working. And there we go, so that found it in about 30
seconds, found the password YouTube, so we now know that the correct
passphrase is ‘youtub’,
so we can start using that.

I’ll move on to a second example, and that is a longer password, and we’re
going to have a longer password list too. This is actually going to use a
different passphrase, which means that all of the addresses it generates will
be different for the test. So we’re going to be looking for this address here,
and we think the password was Ethereum2019, so we’ll use this password file
here. I’ve also added in, you know, maybe I misspelled Ethereum when I was
doing it, I wasn’t sure which year it was, and maybe you’ll use one of these
Bitcoin style addresses too, so we’ll just stick all of those variants in
there.

We’re going to use this command here, and the only real difference for this
one is that we’re using a different password file, so that’s this one here.
It’s going to be the same phrase. We don’t have an xpub file. The address
we’re looking for is this one, which is different to the one we used in the
last example. We know our seed, which is this, then we hit go. This one is
going to take a little while longer, so this one’s a good one where it’s time
to go and get yourself a coffee.

All right, so we can see it found it, and there you go. Obviously we’d
misspelt Ethereum, and whoops, it was 2018 not 2019, and no capitalization. So
it found it and took about eleven minutes, but it could have taken an hour if
it had had to go all the way to the end. So that’s great.

Let’s also have a look at what it would look like to do
basically the same recovery but using a token list. This is a more advanced
way of doing it, and this token list here, well, it is a very similar password
list to this. Obviously it would include more, because everything could
potentially have an ‘at’ in it, but it’s just an easy way to chain together
lots of blocks of a password.

This time we’re also going to be using the tenth address. Say we couldn’t
remember what the first address was; we’re going to be using the tenth
address. That’s particularly common for things like Bitcoin that increment the
address every time, but for things like Ethereum that might mean that on, say,
MyEtherWallet you would have scrolled through the first couple of pages of
addresses and then selected the tenth, perhaps using the first nine for
different things, and my video on MyEtherWallet talks about that. It’s also
going to be coming from a different derivation path. If you have Ledger Live
or something like that, it talks about different accounts, and every time you
add an account in Ledger Live it changes the derivation path, and that’s
important because the derivation path is used in this tool. We’re using the
same password for an example too, but yes, we’re looking for a different
address.

This command is the same as what we had before, but you’ll notice this time
we’ve set the address generation limit to 20, because we’re not just after the
first address. We’re also setting the derivation path to this, so
m/44/60/0/1. The other thing that’s important to note is
that increasing the address limit to 20 actually doesn’t take 20 times longer.
Doubling the number of addresses you’re generating from 10 to 20 will actually
increase the processing time by about 20%. So if in doubt, particularly if
you’re using a coin like Bitcoin that gives you a new receiving address every
time you go to receive coins, just set this address limit to be, say, 10, 20
or even 50. It won’t increase the processing time enormously, so it’s a good
thing to do. In this example we’re doing 20, and we’re using the token file
that is this one here, so it’s using this tokens positional dot txt.

So here we go. We don’t have an xpub file in these examples, the address we’re
looking for is this one, and the seed we know is correct is this one here. So
again this is the point where you grab your Bitcoin mug and go and get a
coffee. If you’re wondering where my cute Bitcoin mug came from, it was a gift
from my wife, and you can just get them on Amazon, so if you’d like one of
them there’ll be a link in the description.

So that’s just finished running now, and you’ll notice it’s dark behind me. It
took a bit longer to run, and the reason is that I actually made a typo up
here, in that I put in the wrong derivation path. I’ve fixed my notes and they
will be correct in the description for the video, but I didn’t notice that I’d
had that error until it had been running for two hours. So I fixed it up, ran
it again, and off we go. As you can see, it found the phrase just the same as
with the password list, and it only took about 10 minutes to do it, and a full
run would have taken about three hours. So there we go. I think that’s also
just a really good example that it’s really important that you have things
like your derivation path right, because again it’s very easy to make a typo
that’ll just have this do a full run that might take hours and find nothing.

Hey look, I hope that’s been helpful for helping you to recover
from an error in your passphrase, and as you can see here it’s something that
is definitely doable to recover. At the same time, this should probably also
be a good reminder and a good illustration that a short passphrase in addition
to your 24 word seed is, on its own, not an invincible level of security. So
even though you have a passphrase, you still need to keep your 24 word seed
secure.

Give us a yell if you’ve got any other questions or queries with this example.
So best of luck, thanks for watching, I hope that was helpful. Just hit
subscribe if you’d like to be kept in the loop about future content I make to
help people stay safe in the crypto space and to recover if they get into
trouble, or if there’s a question you’d like some more information about or a
topic you’d like me to cover in the future, just leave a reply.
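
The typo search from the first example, reduced to its core as an added example (not code from the video or from BTCRecover): each candidate passphrase goes through the standard BIP39 seed derivation and is compared with a known target, fewest typos first. Assumptions: the target is a hash of the seed rather than a derived address, the mnemonic is the public all-"abandon" test phrase, and the starting guess "Youtube" is constructed.

```python
import hashlib
import unicodedata

MNEMONIC = "abandon " * 11 + "about"  # constructed sample: public BIP39 test phrase

def bip39_seed(mnemonic, passphrase=""):
    """BIP39 seed: PBKDF2-HMAC-SHA512, 2048 rounds, salt = "mnemonic" + passphrase."""
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048)

def fingerprint(mnemonic, passphrase):
    """Stand-in for the known address: a hash of the seed (assumption of this example)."""
    return hashlib.sha256(bip39_seed(mnemonic, passphrase)).hexdigest()

def one_typo(s):
    """All strings one slip away from s: dropped, doubled, wrong-case or swapped characters."""
    out = set()
    for i, ch in enumerate(s):
        out.add(s[:i] + s[i + 1:])                      # character left out
        out.add(s[:i] + ch + s[i:])                     # character hit twice
        out.add(s[:i] + ch.swapcase() + s[i + 1:])      # wrong capitalisation
        if i + 1 < len(s):
            out.add(s[:i] + s[i + 1] + ch + s[i + 2:])  # neighbours swapped
    out.discard(s)
    return out

def typo_layers(guesses, max_typos):
    """Layer k holds the candidates first reached with exactly k typos."""
    seen = set(guesses)
    layers = [sorted(seen)]
    for _ in range(max_typos):
        nxt = {v for g in layers[-1] for v in one_typo(g)} - seen
        seen |= nxt
        layers.append(sorted(nxt))
    return layers

def recover(mnemonic, target, guesses, max_typos):
    """Try fewest-typo candidates first; return (passphrase or None, candidates tried)."""
    tried = 0
    for layer in typo_layers(guesses, max_typos):
        for cand in layer:
            tried += 1
            if fingerprint(mnemonic, cand) == target:
                return cand, tried
    return None, tried

if __name__ == "__main__":
    target = fingerprint(MNEMONIC, "youtub")  # what the wallet was really created with
    print([len(layer) for layer in typo_layers(["Youtube"], 3)])  # candidates per typo count
    print(recover(MNEMONIC, target, ["Youtube"], max_typos=2))
```

Because a single changed character yields an unrelated seed, the only way to find the right passphrase is to test every candidate, and each extra allowed typo multiplies the number of candidates.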
