Recovery seed - I’m sure I’m missing something but can’t find an explanation

I’m sure I must be missing something, but new to wallets and have a question about the recovery seed. I have spent a while researching articles online and nothing has made the following clear.

If all that is needed to recover a wallet is the recovery seed, and if the recovery seeds come from a known list of 2000 words, then what’s to prevent someone (presumably an automated program) from randomly guessing recovery seeds until they find ones that are in use? Or what prevents a Trezor from randomly generating a new recovery seed for a new device (user 2) that’s the same as another one used by someone else (user 1), which would presumably give user 2 access to the crypto of user 1?

Again, this is coming from all the warnings I see about the danger of someone getting my recovery seed, which I keep reading is ALL that’s needed to access the crypto.

I’m sure I’m missing something but nothing I’m reading makes the above clear to me. Any help for the clueless new guy appreciated…

The number of possible combinations; basically, there are too many for any computer to guess your seed.

First, the 256-bit random number is generated in the Trezor device on its Microcontroller by the RNG (Random Number Generator). This number has 256 zeros or ones, so the entropy, or randomness, of this number is 2 ^ 256. This equals approximately 10 ^ 77. For comparison, it is estimated that there are 10 ^ 78 to 10 ^ 82 atoms in the known universe.

A random number of the same length is then generated in the connected computer and sent to the Trezor device. These two numbers are now together hashed by the SHA-256 algorithm - this number, which is again 256-bit, is the basis for the creation of the recovery seed, let’s call it initial entropy.

More here: Recovery seed - Trezor Wiki

I can see the likelihood of my particular recovery seed being randomly guessed is low, but the probability of someone’s recovery seed being randomly guessed doesn’t seem impossibly low, esp. if millions of people are using bitcoin and generating multi millions of recovery seeds and lots of computer power around that could be generating an awful lot of random recovery seeds. Is the only protection here the mathematics of probability?

still not enough…

Watch this video that explains it well:

1 Like

Thanks. I watched the video, which is good and helpful but still doesn’t really answer my question. Regardless of how a recovery seed is generated, if a recovery seed is 12 or 24 words from a list of 2048 words as specified in the wiki, and all someone needs is the list of words to access a wallet, then isn’t the probability here the probability of how one can arrange 12 or 24 items in order from a pool of 2048 items? That’s still a large number of possibilities, but it’s a lot less than the number of atoms in the universe.

This leads me to continue wondering if I’m missing something here. Am I correct that if somebody has the same list of words as my recovery seed in the same order, then they can access my wallet? That’s all they need?

And theoretically, the Recovery seed for the model T, with only 12 words, would be less secure than a 24 word seed.

no, it’s not

Thanks for the replies. I still think you are answering a different question than I’m asking.

I accept that the wallet is generated by an incredible atoms-in-the-universe random probability process.

I accept that the recovery seed is generated by an incredible atoms-in-the-universe probability process.

But once the recovery seed - a list of 12 or 24 (or some number of) words from a list of 2048 words - is generated, then it doesn’t make any difference how random the process was to create it.

Let’s take the example to the extreme - let’s say the recovery seed is 1 word, “sandwich” (and that it’s on the list of 2,048 words). There could be an incredibly random process with 2^1,000,000 possibilities that led to “sandwich”. But now that’s the recovery seed. And what Trezor and everyone is saying is that all I need to recover my wallet is the seed. Which means all anyone needs to access my wallet is the seed. So the probability that someone could access my wallet is NOT 2^1,000,000. It’s the probability of someone guessing ‘sandwich’. It has nothing to do with the randomness that created the wallet or created the seed. It’s 1 / 2048, in this case.

Now I understand that there’s a big difference between guessing 1 out of 2048 and guessing 12 or 24 out of 2048 in order, but do you see what I’m pointing out - it’s got nothing to do with the randomness that created the seed. It’s a different probability scenario entirely.

Unless I’m missing something in my understanding that all someone needs is a recovery seed to access a wallet.

Yes, you are missing the fact that there are this many “combinations”: 115792089237316195423570985008687907853269984665640564039457584007913129639936

That is how many wallets there can be out of 2048 words. Do you really think it is that easy to “guess”? It is not.

You are missing the fact that the private key is the number…

See, that’s where you are wrong. Yes, someone can guess a word. But you need all 24/12 words in the same exact order to access the wallet; one does not matter.

Even if you give a word to them, it is still impossible to get all words in the correct order.

And please, watch this video; your questions are answered there in a simple way.

Something more to read for you:

A private wallet key is simply a number between 1 and 2^256 and to brute force it all you need is to continue guessing until you hit the right number between 1 and 115 quattuorvigintillion.

This would mean that the incredibly random process “collapses” to a “weaker” one that only has 2048 possibilities. So yes, it is meaningless to talk about 2^1000000 if the result is one of 2048 possibilities.

Now, consider a random process that has 2048 possibilities and generates one of the 2048 words.
Take two of those and put them in a sequence. This gives you 2,048 * 2,048 = 4,194,304 possibilities – for every one of the 2,048 choices the first random process can make, the second one can still pick any of the 2,048 options.
So this “two random processes” can be replaced by one random process with 4,194,304 outcomes. Every outcome corresponds to a pair of words, and there are 4,194,304 pairs of words.

If you pick a word from the list, then I have 1 in 2048 chance to guess your word.
If you pick two words, I have 1 in 2048 chance to guess the first one, and 1 in 2048 to guess the second – but 1 in 4,194,304 to guess both at the same time. (I have something like 2 in 2048 chance that I get one word right and the other wrong. But if I want to get both right, that’s 1 in 2048*2048.)

Continue adding words this way, and the randomness grows exponentially, and the chance to guess all the correct words at once drops like a stone.

In the end, you really have a random process with 2^256 options that are expressed as 24 words from the wordlist, and so the chance that you happen upon someone else’s seed is so small it rounds to zero.

What you need to keep in mind is that it’s not possible to guess the words one by one.
Let’s say my seed is inherit reopen soldier favorite latin section siege harbor chaos protect bridge chicken.
If you want to guess the first word, you can try inherit all all all all all all all all all all all. But you have no way to know that you hit the right first word! The seed as a whole is not my seed. Did you get the right first word? Who knows? There is no way to tell.

3 Likes

Thank you, matejcik! With respect to the folks who spent time responding previously, this is the first reply that directly answers my question and acknowledges that the recovery seed guessing probability is different than the wallet-generation probability.

So the probability of guessing a recovery seed is then:
(1 / 2048) ^ (number of recovery seed words)

So a 12 word seed would have a probability of 1 / 2048 ^ 12, assuming a seed word can be used repeatedly.

I also see now that 2048 is itself a power of 2, or 2 ^ 11. So a 12 word seed would have a probability of 2 ^ 132 of being guessed. Still a big number, but not 2 ^ 256. I’m guessing that the ability to more easily memorize a 12-word recovery seed is considered a balancing advantage.

Interestingly, then, a 24 seed phrase has a probability of 2 ^ 264 of being guessed, which is actually more improbable than the 2 ^ 256 of the process that created it.

So thanks - your reply was very helpful.

Two other quick security questions, if you have the time. I’m sure they are covered elsewhere…

  1. The PIN is all that is needed to access a physical device, right? If someone finds a Trezor, all they need is the device PIN to access the wallet?

  2. Does the recovery seed tell you anything about whether there are passphrase wallets within the wallet? You still need the passphrase for accessing a sub-wallet with a passphrase, yes?

Thanks!

1 Like

It isn’t really because the remaining 8 bits are a checksum. I.e., for a given option out of the 2^256, there is exactly one 8-bit value that correctly extends the seed from 256 to 264 bits.

The distinction is only useful in theoretical matters. For practical purposes, both 2^128 and 2^256 are effectively the same as “infinity”.

You’re not supposed to memorize the seed! Humans are notoriously unreliable backup devices. Use a cryptosteel like everyone else.

But yes, given that the practical security of a 128 bit key is the same as that of a 256 bit key, it’s nicer and faster to only have to deal with 12 words.


Standard wallet, yes. They also need to know the passphrase(s) to access any hidden wallets.

The recovery seed cannot contain any information about whether you have any hidden wallets. (Otherwise it would have to change every time you add a hidden wallet. Which you know is not what happens.)

You always need a passphrase to access a hidden wallet.

2 Likes
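The two replies from matejcik above (the “randomness grows exponentially” one and the checksum one) can be checked with a short script. This is an added example, not Trezor’s code and not part of the original thread. It follows the BIP39 construction that the Trezor wiki describes: entropy bits plus a SHA-256 checksum of entropy_bits/32 bits, split into 11-bit word indices. The 2048-entry wordlist itself is not embedded, so seeds are handled as lists of word indices (0..2047); the function and variable names, and the all-zero sample entropy, are constructed for this example.

```python
"""BIP39-style seed arithmetic: how 2^256 bits of entropy become 24 words,
and why the checksum gives no word-by-word feedback to a guesser.

Added example, not Trezor's code. The 2048-word BIP39 list is not embedded,
so a seed is represented as its word indices (0..2047); turning an index into
its English word is a table lookup in the real wordlist.
"""
import hashlib
import random
import secrets

WORDLIST_SIZE = 2048            # BIP39 wordlist length, 2^11
BITS_PER_WORD = 11


def seed_space(num_words):
    """Bit budget of a BIP39 seed with num_words words.

    Returns (entropy_bits, checksum_bits, valid_seed_count, naive_word_tuples).
    BIP39 sets checksum_bits = entropy_bits / 32, so
    num_words * 11 = entropy_bits * 33 / 32.  Only 2^entropy_bits of the
    2048^num_words word tuples pass the checksum.
    """
    total_bits = num_words * BITS_PER_WORD
    entropy_bits = total_bits * 32 // 33
    checksum_bits = total_bits - entropy_bits
    return entropy_bits, checksum_bits, 2 ** entropy_bits, WORDLIST_SIZE ** num_words


def _checksum(entropy):
    """First len(entropy)*8/32 bits of SHA-256(entropy), as (value, bit_count)."""
    cs_bits = len(entropy) * 8 // 32
    digest = int.from_bytes(hashlib.sha256(entropy).digest(), "big")
    return digest >> (256 - cs_bits), cs_bits


def entropy_to_indices(entropy):
    """Encode raw entropy (16 or 32 bytes) as a list of BIP39 word indices."""
    cs_value, cs_bits = _checksum(entropy)
    combined = (int.from_bytes(entropy, "big") << cs_bits) | cs_value
    total_bits = len(entropy) * 8 + cs_bits
    return [(combined >> (total_bits - BITS_PER_WORD * (i + 1))) & (WORDLIST_SIZE - 1)
            for i in range(total_bits // BITS_PER_WORD)]


def indices_to_entropy(indices):
    """Decode word indices back to entropy; None if the checksum does not match.

    The checksum is the only offline validity test a guesser has, and it
    accepts a wrong seed with probability 2^-checksum_bits regardless of how
    many of the words happen to be right.
    """
    entropy_bits, cs_bits, _, _ = seed_space(len(indices))
    combined = 0
    for idx in indices:
        if not 0 <= idx < WORDLIST_SIZE:
            raise ValueError("word index out of range")
        combined = (combined << BITS_PER_WORD) | idx
    entropy = (combined >> cs_bits).to_bytes(entropy_bits // 8, "big")
    expected, _ = _checksum(entropy)
    if combined & ((1 << cs_bits) - 1) != expected:
        return None
    return entropy


def prefix_guess_pass_rate(true_indices, correct_prefix, trials, rng):
    """Fraction of guesses that pass the checksum when the first correct_prefix
    words are right and the remaining words are picked at random."""
    n = len(true_indices)
    passed = 0
    for _ in range(trials):
        tail = [rng.randrange(WORDLIST_SIZE) for _ in range(n - correct_prefix)]
        if indices_to_entropy(true_indices[:correct_prefix] + tail) is not None:
            passed += 1
    return passed / trials


def demo_pass_rates(true_indices, trials=2000, seed=0):
    """Pass rate with 0, half, and all-but-one words correct; all stay near
    2^-checksum_bits, so passing tells the guesser nothing about the prefix."""
    rng = random.Random(seed)           # fixed seed so the demo is repeatable
    n = len(true_indices)
    return {k: prefix_guess_pass_rate(true_indices, k, trials, rng)
            for k in (0, n // 2, n - 1)}


if __name__ == "__main__":
    for n in (12, 24):
        ent, cs, valid, naive = seed_space(n)
        print(f"{n} words: {ent} entropy bits + {cs} checksum bits; "
              f"valid seeds 2^{ent} out of 2^{naive.bit_length() - 1} word tuples")
    words = entropy_to_indices(secrets.token_bytes(32))   # fresh 256-bit entropy
    print("24 word indices:", words)
    for k, rate in demo_pass_rates(words).items():
        print(f"{k:2d} correct leading words -> checksum pass rate {rate:.4f}")
```

Running it prints that a 12-word seed is 128 entropy bits plus a 4-bit checksum and a 24-word seed is 256 plus 8, which is exactly why the thread’s 2^132 and 2^264 figures shrink to 2^128 and 2^256 valid seeds. The pass-rate loop shows the point about not guessing words one by one: whether 0, 12, or 23 of the 24 words are already correct, the checksum accepts a random completion about 1 time in 256, so it leaks nothing about which words were right.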

Firstly I would like to thank Frypto for asking this question and matejcik for answering it, as I have just bought a Trezor and I’ve been wondering about the same thing.
However, even though the 2^256 is a big combination space, I am wondering the following.
If you wanted to brute force it, I assume you could get the algorithm for creating the bitcoin addresses inside Trezor using the seed (it’s not secret), right? And to check if some particular seed is used (i.e. has some Bitcoin on it), you would only need to generate say 20 addresses (gap size) and check on the blockchain (which you can also get locally) whether there is something there. So you could write a brute force script running all the time. I wonder if someone has made a calculation of how long it would take a conventional computer today to try all the combinations and then extrapolate the probability of hitting someone’s seed, let’s say, in a year. Is it still good enough? Will it still be good enough in 10 years?

Will it still be good enough in 10 years?

Let me change that:

Will it still be good enough in 10 billion years?

And the answer is a decisive yes. Watch the video that @forgi posted a little bit up the thread: Recovery seed - I’m sure I’m missing something but can’t find an explanation - #4 by forgi

1 Like