seed-splitting Standards

Andreas’s critiques & basic propositions

Mar 5 · 10 min read

the most secure bitcoin storage —

  • does NOT have a ! // single-point-of-failure

Hodlers avoid SPoF by — ‘separating access-information’

there are 3 ways to — separate access-information

  • software, with a set-up :

single-Signatory → but, requires l

multiple-Signatories → but, no & potential

i’ve extensively critiqued this in other articles…

today, i will critique the other popular method ,

which Andreas recommends—

  • #2 — separating [ seed-phrase ] — [ pass-phase ]

and show that —

  • is better

recently, from the Satoshi Roundtable,

Jameson Lopp wrote —

Arguments Against

but 1st, — since a respected community leader,

Andreas M. Antonopoulos,

has seed-splitting strategies…

let’s examine —

  • Andreas’s arguments seed-splitting
  • Andreas’s recommendations seed-splitting

we Love Andreas !… // fan art

from Andreas’s last 8 videos on personal storage

from oldest → to newest

above, from 25 July 2017

makes fun of seed-splitting with ridiculous examples —

“Don’t get smart. Don’t get fancy. Don’t say — well, i’ll write 3 of the words here and then, i’ll take the other 3 words — reverse them. Put them in my phonebook. Hide them in my library. Give them to my… Don’t get fancy.”

dismisses the threat of physical attack

“the chances that someone will get a hold of that [your seed-phrase] & know what it is — pretty slim”

recommends storing millions $ dollars in BTC

on a set-up with

— on a hardware devise, in a safe, with a paper backup

“you can store — i know people who store millions of dollars — i’m not joking”

above, Feb 21, 2018

“if you are trying to store bitcoins, you do not try to build your own scheme. That’s Rule #1. Do not roll your own crypto. You will fail.”

so scary, LOL …

“for the ultimate in cold, cold storage — what you do is generate the seeds on a hardware wallet, preferably with a multi-sig. you test them with a single transaction & then you wipe all of the hardware wallets — so that it only exists as a set of seeds, — backed up in multiply, very secure locations.”

cool ! — CWAP also exists only on paper

above, 10 July 2018


“if you have a very short pass-phrase and your seed — itself is compromised,…it is possible for someone……to brute force — say an 8 or 10 character pass-phrase……”

“you have to use a pass-phrase that has significant entropy…

“i’d use 8–10 words — that are not from the seed dictionary…”

above, 30 Aug 2018

security by obscurity

“security by obscurity — relying on the fact that people don’t know……is the weakest form of security…”

this sounds like, the strategy of — your big BTC savings, behind a “duress” pass-phrase

above, 20 Sept 2018 — one day before the Baltic HoneyBadger 2018 conference

“someone astutely pointed-out that — your pass-phrase effectively is a ‘brain wallet’ and we’ve talked about brain wallets before……’brain wallets’ are not secure…”

well, that’s funny…

“i read this [seed-splitting methods] all the time…”

really?… besides myself — i’ve never seen anyone write about this…

please, give me any links or info… thanks!

“they say — ‘all you have to do is take your 24 words and cut it in half and store 12 words in one place and 12 words in another place — that’s not the standard. and there’s a reason it’s not the standard — because it’s not secure.”

wait, what “Standard”…

now, it gets weird —

“next time you hear that, ask the simple question — ‘How much less effort is it to find one half of a seed ?”

“how hard is it for me to crack the other 12 words?”

spoiler alert ~ it’s 128 bits hard

so, i tweet —

and then, for over 1-minute, Andreas argues ~

24 words are sooooo much more secure than 12 words…

basically, implying that~ 128 bit is secure…

we’ll hear this argument again, soon…

and we hear again, —

“Don’t roll your own crypto. Don’t try to get smart about trying to implement schemes and systems to split your seeds, etc…”

next, Andreas implies that seed-splitting is opposed to BIP-39…

“BIP-39 is very carefully balanced”

wait, what…// let’s return to BIP-39 in a minute…

more appeal to authority

“it’s balanced by people who are actual cryptographers and know what they’re doing”

then, another ridiculous example of seed-splitting —

“i cut it into 24 bits. i mixed them up. i encrypted them. i put them on dropbox. i took that dropbox and then erased it from the web. and i can only access it on the archives…”

how to make a strong pass-phrase

“use a passphrase that is strong enough that it’s not easily brute-forceable. 6–8 English words is just about right.

note — it was 8–10, less than 3 months ago…

— not the well-established Standard, it seems…

not English words from the mnemonic list

so, i guess — you need to check the list…

just English words that don’t mean something

because humans are so good at generating randomness…

that are not a phrase

that you won’t be able to find on google

but, you can’t really check by googling…

that are not written in a book

or you saw it in a movie

pick 6–8 random words

but, hold on — because, — those numbers will decrease

memorize them

write them down

store them in a different location

i’m pretty sure — he’s talking about having more back-ups,

not separating access- info, yet…

so that your family actually has a chance of getting that back…

i guess, — because seed-splitting is soo complex…

and that’s going to be more secure

*** Really !?! — creating your pass-phrase is more secure than generating 12 seed-words from a hardware devise…

“and you’re not going to get robbed as easily


Just use the Standard as it was designed. ”

ok, so “the Standard” to which Andreas refers is BIP-39…

link here

BIP-39 outlines technical improvements for wallets, physical storage strategies… it says nothing about safes & tamper-evident bags…

it does not mention — seed-splitting

about it only says —

  • “A user may decide to protect their mnemonic with a passphrase.”
  • “The described method also provides plausible deniability, because every passphrase generates a valid seed (and thus a deterministic wallet) but only the correct one will make the desired wallet available.”

above, 3 Nov 2018

“i’ve been trying to debunk this [seed-splitting] now, probably for 2 years”

again, Andreas dismisses the dangers of physical theft —

“people… who are so worried that someone is going to break into their house, in a cat burglar suit, in the middle of the night, steal their seed and swipe their money.”

here, Andreas gives another example of seed-splitting —

“they take their 24 words and cut them into 4 pieces, they store each of the pieces in 4 locations. and they feel secure……64 bits per piece…”

again, this *misleading* argument —

“if you think 64 bits is one quarter of 256 bits……it’s 10⁵⁰ less secure — that’s 10 with 50 zeros in it — less secure…”

ok, whatever, BUT — 128 bit secure…

256 & 128 bit — are Both secure

i like this analogy —

*Consider two stars: Alpha Centauri and Sirius. It takes light 4.4 years to travel from Sun to the former star and 8.6 year to reach the latter. The correct answer is: they are both unreachable. There is no technology available to the humankind now and for the foreseeable future to reach either of them. The same is true about the encryption: *


again, mocking people who are concerned with physical theft —

“…a risk you really weren’t facing — which is, the mystical cat burglar who figures out — you are a bitcoin ‘fafillionaire’ comes and steals your seed.”

then, dismissing the user’s judgement & concern, further

“the average user is not good at doing that kind of risk-assessment — at understanding which risks matter and which risks don’t…”

all the Bitcoin Hodlers who have been and their families, might disagree — this risk does matter !

see Jameson Lopp’s repo — for the list of Attacks —

above, 7 Dec 2018

the 1st time, Andreas recommends —

“remove yourself — so you don’t have access to your crypto-currency.”

great!, — avoiding

multi-sig for cold-storage

then, Andreas recommends using multi-sig

“i think multi-signature is a good solution…”

a single-Signatory set-up, which requires physical travel

and finally, Andreas the problem —

“the problem is that if you actually control your money fully and you’re walking around with access to enormous amounts of money on a bearer-instrument, that has irreversible transactions — that makes a very appealing target.”

$5 wrench problem

“…you just beat them until they give you the password — this is a problem in cryptography, in digital currencies.”

…“it [the $5 wrench attack] is not an easy problem to solve.”

above, 1 Feb 2019

“different audiences, different groups are going to have different risk models, and they’re also going to have different tolerance for technical complexity”

“you have to figure out what is right for you”

lose vs theft

— comparing these risks,

let’s appreciate his advise, because

Andreas IS a security expert…

here, he summarizes it well —

“most people are very worried that someone is going to break-in, identify what the 24 words are, and steal their money — that’s not the biggest risk. the biggest risk is you lose it. you forget where you put it…”


“a simple 4–6 word, random English word, pass-phrase — is sufficient if you physically protect your seed from disclosure.”

wait, what — “if” ?… is that one is compromised — then, the other is un-crackable…

Andreas’s recommended word-length for pass-phrases changed from —

  • 8–10 words, in July ‘18
  • 6–8 words, in Sept ‘18
  • 4–6 words, in Feb ‘19

“Don’t try to improvise. Don’t try to do things like, cut up your seed into groups of words and sprinkling them in different locations. Don’t try to use overly complex pass-phrases…”




why have users generate their own pass-phrases?…

  • — users will create pass-phrases
  • — when we are using a wallet’s RNG to create seed-phrases & private-keys

also, this strategy misses the opportunity to skillfully use for

Questions —

what’s a cryptographically-secure

  • How many user-generated “ = ~ 128bits ?

4–6, or 6–8, or 8–10, or…

  • How many = ~ 128bits ?

i use 16-character passwords… what about you ?…


if you plan to separate your [seed-phrase], like Andreas recommends — from your [pass-phrase] —

  • keep your close to you — as it’s the more secure of the two…
  • store your potentially-weak, self-generated at the other/less-secure location
  • memorize the pass-phrase // → separate your access info

why not just split your seeds ?…

the basic propositions of seed-splitting

  • 24 words =~ 256 bits →crackable
  • 12 words=~128 bits →crackable
  • 6 words=~64 bits →
  • if u split a 24-word seed-phrase → into 2 shares of 12-words each — both shares are ~128bits
  • all shares are ” — knowing one share does provide any information about the other share… specifically — it does not make it easier to crack

CWAP — the counter Wrench-Attack protocol —

is based on these simple propositions…


  • we need to examine & discuss the “” for basic bitcoin storage strategies — much, much more…
  • Andreas’s critiques of seed-splitting are
  • than separating [pass-phrase] from [seed-phrase]
  • seed-splitting is based on

BONUS Question — checksum (CS)

  • does it — increase or decrease — security?…
  • where is it?… is it 1 of the 24 words ?… is it a whole word ?…
CS = ENT / 32
MS = (ENT + CS) / 11

| ENT | CS | ENT+CS | MS |
| 128 | 4 | 132 | 12 |
| 160 | 5 | 165 | 15 |
| 192 | 6 | 198 | 18 |
| 224 | 7 | 231 | 21 |
| 256 | 8 | 264 | 24 |

above, from BIP-39

please critique & collaborate !

i’m keyMonkey — on Twitter

cool links & about me


Written by


— CWAP — “Seed-Splitting” BTC Storage — HODL Safe! —