Bitcoin Q&A: Passphrases and seed storage


Ron asks about hardware wallet security. “Let’s say I use a securely protected,
very long and strong passphrase… with my BIP-39 compliant twenty-four
word mnemonic in my hardware wallet.” “Is it unsafe to publicly publish (on Facebook or Twitter)
the twenty-four word seed, treating my passphrase as… the thing that protects my assets
in my hardware wallet?” Ron, the short answer is, it is absolutely unsafe.
Long answer, let’s look at why it is unsafe. The BIP-39 standard works [by generating the
mnemonic, and converting it into a binary seed]. [The mnemonic] can range from twelve to twenty-four
words, but most wallets use twenty-four words [now]. Those twenty-four words actually encode [entropy
in a multiple of 32 bits], which is used to produce… [one root, the master extended key]
for your hierarchical deterministic wallet. Basically, let’s say your master key. It is
produced from these twenty-four words. In the process of producing that, your BIP-39 compliant
wallet will operate a password stretching algorithm, [the PBKDF2 function], which has only a few rounds. By default, if you don’t use a passphrase,
it uses the [string] “mnemonic” as the salt. Think about it this way: we have the twenty-four words
and throw in another value, which we call the salt, just a string of the word “mnemonic,” and then
we mix it up, [or “iterate”], two thousand times… through this [key-stretching] algorithm
to produce another value, [the derived key]. The reason for that function, the [PBKDF2]
key-stretching algorithm, [which stands for…] Password-Based Key Derivation Function 2, is to ensure
that it is difficult to brute-force the passphrase. If you are using a passphrase on your
BIP-39 compliant wallet, in order to check… if that ends up as a bitcoin address with money in it,
or to verify it against the known address, you must go through those rounds of hashing. That takes time, though it doesn’t take
a lot of time on a powerful computer. [For example], on this laptop, it would
probably take less than a millisecond. On a much less powerful device, like a USB
hardware wallet such as the Ledger or Trezor, which don’t have enough processing capacity,
it will actually take a few seconds. You will notice that when you enter your passphrase
on your hardware wallet, it will [display] a progress bar. It takes maybe two three seconds. In order to make
[the wallet] suitable for a small hardware device, [the developers] had to limit the
number of rounds of stretching. Unfortunately, that [makes it weaker by default]. You can implement a stretching algorithm in a laptop
that is a thousand times faster than a Trezor. On a GPU, it is maybe a hundred thousand times faster.
On an FPGA, maybe ten million times faster. And if you used an ASIC, you could probably do it
two hundred million times faster than on a Trezor. This would make it possible to try an
enormous number of [possible] passphrases. But if the attacker needs your twenty-four word seed and
your passphrase, that is a good security mechanism. If somebody finds your mnemonic seed lying around-
By the way, you shouldn’t have it lying around. But if they do find it because it is
not sufficiently physically secured, then brute-forcing the passphrase will require
either a lot of infrastructure or a lot of time. [The attacker] will need to have specialized computers,
GPUs, FPGAs, ASICs, etc. or it will take a long time. By ‘a long time,’ I mean a relatively complex passphrase
will keep you safe for several weeks to a month. A very strong, complex passphrase
will keep you safe for months, unless the [attacker] is willing to spend a million
dollars on hardware to break that passphrase. There are these trade-offs, right? At the bottom
end of these trade-offs is a small hardware wallet… which can’t do this faster than about
one or two seconds when you [enter] it in. You don’t want it to delay any more than that because
then the hardware wallet becomes difficult to use. That is the trade-off there. Someone astutely pointed out that your
passphrase is [kind of like] a brain wallet. We have talked about brain wallets before. Brain wallets [involve] making up a phrase, hashing it
many times, producing a bitcoin [private key], [derive a public key from that private key,
and then create a bitcoin address to use]. Brain wallets are not secure because, absent a second
factor, you can pre-compute a very long list of… of common strings that people will use [to
generate their private keys for their brain wallet]. Quotes or phrases from Star Trek and other movies or
TV shows, slogans from various cultural movements, poems, stories, whatever. You can pre-compute [a list of these] and [people
will tend to] produce the same brain wallets. There is no other factor [involved]. All you need to do is wait for someone to
use [one of those common words or phrases], and put money in one of the bitcoin addresses. You could just track a trillion Bitcoin addresses,
which would be a simple database [setup]. If someone is dumb enough to put some money in
[one of those poorly generated addresses], you just take it. We have seen that happen again and again. People use brain wallets and within
an hour, someone has taken the money, because the brain wallet they chose wasn’t secure. Now, get this: brain wallets may be
more secure than what you just proposed, because I believe the number of rounds
used for most brain wallets is 16,000. But you can re-configure it and make your
brain wallet use a hundred thousand rounds. That will be far more [rounds] than
what a little hardware wallet can do. Brain wallets can be made secure with more rounds, but they can never be made as secure as a true two-
factor system, where one factor is the mnemonic… and the other factor is the passphrase. The attacker needs both [to take your money]. Since the mnemonic itself is [between 128 and 256
bits of entropy length], you are not brute-forcing that. You would need to have all [the words],
or a significant chunk of [the words]… to have any meaningful way of brute-forcing
the rest of it, and the passphrase. So you can attack BIP-39 in certain ways,
but it costs a lot of money and takes a lot of time. To summarize all of that: the most important rule
in cryptography is, don’t roll your own crypto. Don’t try to do “smart” things, because
[most of the time] you will make mistakes. You will not understand the impact on
the complexity of solving the problem. Let me give you a classic example of this
that I read all the time. People will say: “All you need to do is cut your twenty-four words in half,
and store [each of the halves] in different places.” That is not the standard. It is not the
standard because that is not secure. Next time you hear that, ask the simple question:
how much [more] effort is it to find one half of a seed? If you split your seed in two, and I manage to
[find] one of these [six or] twelve-word halves, how hard is it for me to crack the other twelve words? Is it half as difficult [as having] twenty-four words?
It is not. It is 10^35 times less difficult, approximately. Why? Because what you cut in half is not
the base, it is the exponent of the complexity. You took something that had 256 bits and [split] it
into 128 bits, which is not half [as hard to crack]. It is [between] 10^30 to 10^40,
[much] less complex than 256 bits. Don’t roll your own crypto. Don’t try to get smart about
implementing schemes and systems to split your seed. You are far more likely to lose your money because you
simply forgot the scheme (because it wasn’t standard). If something happens to you, your heirs or
your family [will have more trouble accessing it]. Or because you forgot a password,
which we have seen again and again. Then you can’t [or don’t know how to] brute-force it. Or you go to another extreme, your scheme
is not really as complex as you think it is, and someone can brute-force it easily, so
you have effectively implemented a brain wallet. Your money will be stolen. The BIP-39 standard is very carefully
balanced to achieve the best ratio… of security and ease of use, security and resilience,
security and recoverability for small hardware devices. It is balanced by people who are actual
cryptographers and know what they’re doing. When you try to change the way you use it, you will
tip that balance [in ways you don’t fully understand], either too much towards security- “I took my BIP-39 seed, cut it into
twenty-four pieces, mixed them up, encrypted them, put them on Dropbox, then erased it
from the web, and I can only access it on the archive.” Your money will be gone. You made [a scheme that was] too complex,
buried your money in the desert without a map. Or you went [too far towards ease-of-use] and end up
with [a storage scheme] that is too easy to break, because you didn’t realize that you were [making]
a big change and not a small change in the complexity. Don’t roll your own crypto unless
you are an experienced cryptographer. I’ll tell you, I won’t do it. I don’t consider myself to be
experienced enough in cryptography to roll my own. I use the standards that are well-tested, mature,
and peer-reviewed by very good cryptographers. [The standards] work well. Write your seed down.
Use a pen / pencil and paper. Write it down. Store it in a physically secure location like
a locked drawer or bank safe deposit box. [Maybe] etch [the seed words] on steel.
Keep multiple copies of that seed. Use a passphrase that is strong enough
to not be easily brute-forceable. Six to eight [random] words is just about right,
though not English words from the mnemonic list. Random words that don’t mean something
to you, not a phrase you will find on Google, not something written in a book
or seen in a [popular] movie. Pick six to eight random words. Memorize them.
Write them down. Store them in a different location. [Write instructions somewhere] so your family actually
has a chance to [access them] if something happens. That will be more secure. You will not be robbed
as easily. Use the standard as it was designed. Anthony had a quick follow-up there: “Passphrase,
does that mean the password on the hardware wallet?” There are two things on the hardware wallet:
the PIN, which is just to protect the physical device… and has nothing to do with the seed. If someone takes your physical hardware wallet,
they can’t simply unlock it [without the PIN]. The PIN is designed [with a time delay mechanism]. If you make a mistake, it takes twice as long to try
again and quickly escalates [after a few attempts]… to the point where you can only try one PIN a week,
then every two weeks, then once a month, etc. The PIN has nothing to do with the
security of the [storage of the] keys. The passphrase, however, an optional component
of the BIP-39 standard, is an additional security factor. That is separate from the PIN. In first-generation
hardware wallets, you would type it [on your keyboard]; in second generation hardware wallets, you click
directly on the screen of the hardware wallet… so that it is not entered on an online system. [The passphrase] is mixed in
with your mnemonic phrase. It affects the security of your keys,
and protects your seed [against disclosure].
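
The seed derivation discussed in the transcript above, as an added example (not part of the original talk and not any wallet's own code): BIP-39 runs PBKDF2-HMAC-SHA512 for 2048 iterations over the mnemonic, with the salt "mnemonic" followed by the passphrase, and the script measures that cost on the local machine to estimate how long passphrases of different strengths hold up. The word-list sizes (10,000 and 7,776) are assumptions chosen for illustration, and the ASIC-class rate simply scales the measured rate by the ratio of the speeds quoted in the talk.

```python
import hashlib
import math
import time
import unicodedata

PBKDF2_ROUNDS = 2048  # iteration count fixed by the BIP-39 specification
SECONDS_PER_YEAR = 365.25 * 24 * 3600
# Public BIP-39 test-vector mnemonic; sample input only, never use it for funds.
SAMPLE_MNEMONIC = "abandon " * 11 + "about"


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Mnemonic sentence + optional passphrase -> 64-byte binary seed."""
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, PBKDF2_ROUNDS, dklen=64)


def derivations_per_second(samples: int = 50) -> float:
    """Measure how many seed derivations this host completes per second."""
    start = time.perf_counter()
    for i in range(samples):
        bip39_seed(SAMPLE_MNEMONIC, f"timing-probe-{i}")
    return samples / (time.perf_counter() - start)


def random_words_entropy(words: int, list_size: int) -> float:
    """Entropy in bits of `words` picked uniformly at random from a list."""
    return words * math.log2(list_size)


def years_to_exhaust(entropy_bits: float, rate_per_second: float) -> float:
    """Worst-case years to try every passphrase of the given entropy."""
    return 2 ** entropy_bits / rate_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    print("no passphrase :", bip39_seed(SAMPLE_MNEMONIC).hex()[:32], "...")
    print("with 'TREZOR' :", bip39_seed(SAMPLE_MNEMONIC, "TREZOR").hex()[:32], "...")
    host = derivations_per_second()
    asic = host * 200_000  # ratio of the talk's ASIC and laptop figures (estimate)
    print(f"this host: {host:,.0f} derivations/s")
    for label, bits in [("1 common word (list of 10,000)", random_words_entropy(1, 10_000)),
                        ("6 random words (list of 7,776)", random_words_entropy(6, 7776)),
                        ("8 random words (list of 7,776)", random_words_entropy(8, 7776))]:
        print(f"{label}: {bits:5.1f} bits | host {years_to_exhaust(bits, host):.3g} y"
              f" | ASIC-class {years_to_exhaust(bits, asic):.3g} y")
```

The same mnemonic yields an unrelated seed for every passphrase, so the protection left after a mnemonic leaks is exactly the entropy of the passphrase divided by the rate at which derivations can be run.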

42 thoughts on “Bitcoin Q&A: Passphrases and seed storage”

  1. My question would be if BIP39 is a standard isn't it subjected to the standardized attack vector. So a hacker only needs to break BIP39 and has the ability to attack all wallets in existence.

  2. We need clones of Andreas to replace a lot of the other so called crypto "experts" You are a much needed voice in this space, Thank you Andreas.

  3. It's ok, Andreas, I devised my own infallible scheme! I'll post my passphrase, and my mnemonic seed online, but I'll post each one with different account. The seed with jondoe07, and the passphrase with jondoe08. Then no one will be the wiser! 👌 👌 👌

  4. Hi Andreas, would it be safe to mix 6 random words (that you have memorized) into your 24 seed words, and then make it public (so you will never lose it)?

  5. Aaaaand once again my brain expanded a little because I listened to you. Thank you for remaining a class act in a sector that seems to grow more phonies everyday.

  6. So does this mean that using the 12 word seed with the trezor model-t is significantly less secure than a Trezor one with a 24-word seed? The model-t only allows for generating a 12 word seed (via GUI) so it would seem trezor’s new product is bad purchase unless you have an existing 24-word seed you can input? If I have a ledger nano s should I just generate the seed on there and then input that into the trezor model-t or is that not advisable in case ledger has an unknown vulnerability which would essentially make it like putting all your eggs in one basket?

  7. I used Shamir's Secret Sharing to cut my seed into a 3 of 5 that is distributed in different locations. What is your opinion on that?

  8. Hi Andreas! Can you please cover the current bug report:
    https://bitcoincore.org/en/2018/09/20/notice/

    It's hard to understand what this actually means today.
    Does this bug mean that today some malicious miner that didn't update can print new bitcoin?

    Secondly, if someone does create additional bitcoin than is supposed to be made… is there a way to tell that it's in the system?

  9. Can you tell me let's say I keep my 24 word key secure and add a word for my passphrase. How secure would that second wallet be? Assuming they don't assume a 25th passphrase and they don't have the 24 word seed?

  10. But half a seed representing 128 bits is still more than enough, isn't it?
    You just said, seeds are 12 to 24 words. So half of a 24 word should still be plenty secure?

    It's curious because at Honeybadger 2018 the Trezor dev said the same thing so you are probably correct. But why?

  11. I disagree with Andreas here. If the passphrase is cryptographically strong, i.e. 128 to 256 bits of entropy, then publishing the seed does not compromise the security. A 256 bits of entropy seed plus a 256 bits of entropy passphrase yields you a 512 bits of entropy. Giving up 256 bits (the seed) leaves you with 256 bits (the passphrase) and you're still good. In other words: A published 24-seed + 256 bits passphrase is equal to a 24-seed without a passphrase. Both have 256 bits of entropy.

    Ideally, one would use a 24-word-seed and a differently created 128+ bits passphrase (like a 12+ word diceware passphrase) and of course keep both secure and offline. The advantage is, should it turn out that the RNG of the hardware used was weak, you at least have the entropy of the passphrase, which is enough if it's 128+ bits.

    Also: @8:20
    128 bits of entropy is also unbruteforceable. In practical terms, there's no security difference between 256 and 128 bits of entropy, even less when key stretching is applied. Most wallets use a 12 word seed, which equals "only" 128 bits of entropy, anyway.

    Change my mind.

    PS: But that being said: don't fucking invent your own crypto.

  12. bcrypt was designed to be slow such that a hacker must wait a long time to decrypt and thus makes a hack even much less profitable over billions of iterations.
