there are 3 ways to — separate access-information
- #1 — multi-sig software, with a set-up :
— single-Signatory → but, requires physical travel
— multiple-Signatories → but, no privacy & potential Signatory collusion
i’ve extensively critiqued this in other articles…
today, i will critique the other popular method ,
which Andreas recommends—
- #2 — separating [ seed-phrase ] — from — [ pass-phase ]
and show that —
- #3 — ‘seed-splitting’ is better
Arguments Against
but 1st, — since a respected community leader,
has actively opposed seed-splitting strategies…
let’s examine —
- Andreas’s arguments against seed-splitting
- Andreas’s recommendations compared to seed-splitting
from Andreas’s last 8 videos on personal storage
from oldest → to newest
above, from 25 July 2017
makes fun of seed-splitting with ridiculous examples —
“Don’t get smart. Don’t get fancy. Don’t say — well, i’ll write 3 of the words here and then, i’ll take the other 3 words — reverse them. Put them in my phonebook. Hide them in my library. Give them to my… Don’t get fancy.”
dismisses the threat of physical attack
“the chances that someone will get a hold of that [your seed-phrase] & know what it is — pretty slim”
recommends storing millions $ dollars in BTC
on a set-up with — a SPoF (single-point-of-failure)
— on a hardware devise, in a safe, with a paper backup
“you can store — i know people who store millions of dollars — i’m not joking”
above, Feb 21, 2018
“if you are trying to store bitcoins, you do not try to build your own scheme. That’s Rule #1. Do not roll your own crypto. You will fail.”
so scary, LOL …
“for the ultimate in cold, cold storage — what you do is generate the seeds on a hardware wallet, preferably with a multi-sig. you test them with a single transaction & then you wipe all of the hardware wallets — so that it only exists as a set of seeds, — backed up in multiply, very secure locations.”
cool ! — CWAP also exists only on paper
above, 10 July 2018
pass-phrases
“if you have a very short pass-phrase and your seed — itself is compromised,…it is possible for someone……to brute force — say an 8 or 10 character pass-phrase……”
“you have to use a pass-phrase that has significant entropy…
“i’d use 8–10 words — that are not from the seed dictionary…”
above, 30 Aug 2018
security by obscurity
“security by obscurity — relying on the fact that people don’t know……is the weakest form of security…”
this sounds like, the strategy of — hiding your big BTC savings, behind a “duress” pass-phrase
please read my article on this important topic—
above, 20 Sept 2018 — one day before the Baltic HoneyBadger 2018 conference
“someone astutely pointed-out that — your pass-phrase effectively is a ‘brain wallet’ and we’ve talked about brain wallets before……’brain wallets’ are not secure…”
well, that’s funny…
“i read this [seed-splitting methods] all the time…”
really?… besides myself — i’ve never seen anyone write about this…
please, give me any links or info… thanks!
“they say — ‘all you have to do is take your 24 words and cut it in half and store 12 words in one place and 12 words in another place — that’s not the standard. and there’s a reason it’s not the standard — because it’s not secure.”
wait, what “Standard”…
now, it gets weird —
“next time you hear that, ask the simple question — ‘How much less effort is it to find one half of a seed ?”
“how hard is it for me to crack the other 12 words?”
spoiler alert ~ it’s 128 bits hard
so, i tweet —
and then, for over 1-minute, Andreas argues ~
24 words are sooooo much more secure than 12 words…
basically, implying that~ 128 bit is not secure…
we’ll hear this misleading argument again, soon…
and we hear again, —
“Don’t roll your own crypto. Don’t try to get smart about trying to implement schemes and systems to split your seeds, etc…”
next, Andreas implies that seed-splitting is opposed to BIP-39…
“BIP-39 is very carefully balanced”
wait, what…// let’s return to BIP-39 in a minute…
more appeal to authority —
“it’s balanced by people who are actual cryptographers and know what they’re doing”
then, another ridiculous example of seed-splitting —
“i cut it into 24 bits. i mixed them up. i encrypted them. i put them on dropbox. i took that dropbox and then erased it from the web. and i can only access it on the archives…”
how to make a strong pass-phrase
“use a passphrase that is strong enough that it’s not easily brute-forceable. 6–8 English words is just about right.
note — it was 8–10, less than 3 months ago…
— not the well-established Standard, it seems…
not English words from the mnemonic list
so, i guess — you need to check the list…
just English words that don’t mean something
because humans are so good at generating randomness…
that are not a phrase
that you won’t be able to find on google
but, you can’t really check by googling…
that are not written in a book
or you saw it in a movie
pick 6–8 random words
but, hold on — because, in 4 months — those numbers will decrease again !
memorize them
write them down
store them in a different location
i’m pretty sure — he’s talking about having more back-ups,
not separating access- info, yet…
so that your family actually has a chance of getting that back…
i guess, — because seed-splitting is soo complex…
and that’s going to be more secure
*** Really !?! — creating your own pass-phrase is more secure than generating 12 seed-words from a hardware devise… i don’t think so !!!
“and you’re not going to get robbed as easily
what…
Just use the Standard as it was designed. ”
BIP-39 outlines technical improvements for wallets, not physical storage strategies… it says nothing about safes & tamper-evident bags…
it does not mention — seed-splitting
about pass-phrases, it only says —
- “A user may decide to protect their mnemonic with a passphrase.”
- “The described method also provides plausible deniability, because every passphrase generates a valid seed (and thus a deterministic wallet) but only the correct one will make the desired wallet available.”
above, 3 Nov 2018
“i’ve been trying to debunk this [seed-splitting] now, probably for 2 years”
again, Andreas dismisses the dangers of physical theft —
“people… who are so worried that someone is going to break into their house, in a cat burglar suit, in the middle of the night, steal their seed and swipe their money.”
here, Andreas gives another example of seed-splitting —
“they take their 24 words and cut them into 4 pieces, they store each of the pieces in 4 locations. and they feel secure……64 bits per piece…”
again, this *misleading* argument —
“if you think 64 bits is one quarter of 256 bits……it’s 10⁵⁰ less secure — that’s 10 with 50 zeros in it — less secure…”
ok, whatever, BUT — 128 bit IS secure…
256 & 128 bit — are Both secure
i like this analogy —
*Consider two stars: Alpha Centauri and Sirius. It takes light 4.4 years to travel from Sun to the former star and 8.6 year to reach the latter. Which one is easier for us to get to? The correct answer is: they are both unreachable. There is no technology available to the humankind now and for the foreseeable future to reach either of them. The same is true about the encryption: no technology exists now that would break either 128-bit or 256-bit encryption.*
again, mocking people who are concerned with physical theft —
“…a risk you really weren’t facing — which is, the mystical cat burglar who figures out — you are a bitcoin ‘fafillionaire’ comes and steals your seed.”
then, dismissing the user’s judgement & concern, further —
“the average user is not good at doing that kind of risk-assessment — at understanding which risks matter and which risks don’t…”
all the Bitcoin Hodlers who have been specifically — targeted and their families, might disagree — this risk does matter !
see Jameson Lopp’s repo — for the list of Attacks —
above, 7 Dec 2018
the 1st time, Andreas recommends —
“remove yourself — so you don’t have access to your crypto-currency.”
great!, finally — avoiding SPoF // single-point-of-failure
multi-sig for cold-storage
then, Andreas recommends using multi-sig
“i think multi-signature is a good solution…”
a single-Signatory set-up, which requires physical travel
and finally, Andreas beautifully articulates the problem —
“the problem is that if you actually control your money fully and you’re walking around with access to enormous amounts of money on a bearer-instrument, that has irreversible transactions — that makes a very appealing target.”
$5 wrench problem
“…you just beat them until they give you the password — this is a problem in cryptography, in digital currencies.”
…“it [the $5 wrench attack] is not an easy problem to solve.”
seems easy to me — just Separate your Access Info
above, 1 Feb 2019
“different audiences, different groups are going to have different risk models, and they’re also going to have different tolerance for technical complexity”
“you have to figure out what is right for you”
lose vs theft
— comparing these risks,
let’s appreciate his advise, because
Andreas IS a security expert…
here, he summarizes it well —
“most people are very worried that someone is going to break-in, identify what the 24 words are, and steal their money — that’s not the biggest risk. the biggest risk is you lose it. you forget where you put it…”
pass-phrases
“a simple 4–6 word, random English word, pass-phrase — is sufficient if you physically protect your seed from disclosure.”
wait, what — “if” ?… the whole point is that if one is compromised — then, the other is un-crackable…
Andreas’s recommended word-length for pass-phrases changed from —
- 8–10 words, in July ‘18
- 6–8 words, in Sept ‘18
- 4–6 words, in Feb ‘19
“Don’t try to improvise. Don’t try to do things like, cut up your seed into groups of words and sprinkling them in different locations. Don’t try to use overly complex pass-phrases…”
Summary
objections
why?…
why have users generate their own pass-phrases?…
- dangerous — users will create weak pass-phrases
- unnecessary — when we are already using a wallet’s RNG to create seed-phrases & private-keys
also, this strategy misses the opportunity to skillfully use pass-phrases for inheritance —
Questions —
what’s a cryptographically-secure pass-phrase —
- How many user-generated “random” words = ~ 128bits ?
4–6, or 6–8, or 8–10, or…
- How many alphanumeric characters = ~ 128bits ?
i use 16-character passwords… what about you ?…
recommendations
if you plan to separate your [seed-phrase], like Andreas recommends — from your [pass-phrase] —
- keep your [seed-phrase] close to you — as it’s the more secure of the two…
- store your potentially-weak, self-generated [pass-phrase] at the other/less-secure location
- Don’t memorize the pass-phrase // → separate your access info
- make a secure pass-phrase // link here
but, why not just split your seeds ?…
the basic propositions of seed-splitting
- 24 words =~ 256 bits →uncrackable
- 12 words=~128 bits →uncrackable
- 6 words=~64 bits → crackable
- if u split a 24-word seed-phrase → into 2 shares of 12-words each — both shares are ~128bits
- all shares are “unrelated” — knowing one share does not provide any critical information about the other share… specifically — it does not make it significantly easier to crack
CWAP — the counter Wrench-Attack protocol —
one of Bitcoin’s 1st seed — splitting protocols,
is based on these simple propositions…
Conclusions
- we need to examine & discuss the “Standards” for basic bitcoin storage strategies — much, much more…
- Andreas’s critiques of seed-splitting are very weak…
- seed-splitting is more secure > than separating [pass-phrase] from [seed-phrase]
- seed-splitting is based on simple & secure prepositions
