<![CDATA[Cipher Recover Blog | Bitcoin Recovery]]>https://cipherrecover.com/blog/https://cipherrecover.com/blog/favicon.pngCipher Recover Blog | Bitcoin Recoveryhttps://cipherrecover.com/blog/Ghost 5.96Sun, 13 Apr 2025 17:36:14 GMT60<![CDATA[User story: Never generate keys while drunk]]>

]]>
https://cipherrecover.com/blog/never-generate-keys-while-drunk/621cf088f9be0503c80da230Mon, 28 Feb 2022 18:44:16 GMT

David and Hanna got married in late 2017. A friend of theirs thought it would be really cool to gift them something useful instead of the usual wedding gifts: Bitcoin! They were right.

Against their friend's better judgement, he decided to generate the paper wallet at the actual wedding event, after all the guests had left, and he brought a laptop for this exact purpose. After everyone left and they were all drunk, they decided that it was time to proceed, generate the paper wallet and later fund it with their wedding gift.

The process they had in mind was to generate a paper wallet and divide the private key into 3 parts: one for the friend who gifted them the coins, one for David's father and one for David and his wife. They used an obscure paper wallet generator website and opted to generate a private key in the Minikey format.

A Minikey is a format that is usually 30 characters long, starts with a capital 'S' and is rarely used in this day and age. To generate a valid minikey, you concatenate 29 base58 characters to the 'S' prefix and then check that the result passes validation: add a '?' at the end as the 31st character, hash the string with SHA256 and make sure the first two characters of the SHA256 output are '00'.
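The validation rule above, written out as an added example (not code from the original post or from the recovery tool it describes). The 28-character prefix is constructed and is not a real key; the block also shows that the '?' check only filters out roughly 255 of every 256 candidates, so it catches typos but cannot confirm that a key is the right one.

```python
import hashlib
from itertools import product

# Base58 alphabet used by Bitcoin (no 0, O, I or l).
BASE58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def is_well_formed(minikey: str) -> bool:
    """30 characters, leading 'S', every character in the base58 alphabet."""
    return (
        len(minikey) == 30
        and minikey.startswith("S")
        and all(ch in BASE58 for ch in minikey)
    )


def is_valid_minikey(minikey: str) -> bool:
    """Typo check: SHA256(minikey + '?') must begin with the byte 0x00."""
    if not is_well_formed(minikey):
        return False
    digest = hashlib.sha256((minikey + "?").encode("ascii")).digest()
    return digest[0] == 0x00


def private_key_hex(minikey: str) -> str:
    """The 256-bit private key is SHA256 of the minikey itself (no '?')."""
    if not is_valid_minikey(minikey):
        raise ValueError("not a valid minikey")
    return hashlib.sha256(minikey.encode("ascii")).hexdigest()


# Constructed 28-character prefix (not a real key); only 2 characters vary.
SAMPLE_PREFIX = "S" + "abcdefghijkmnopqrstuvwxyz12"


def valid_completions(prefix: str = SAMPLE_PREFIX) -> list:
    """Every 30-character completion of `prefix` that passes the typo check."""
    missing = 30 - len(prefix)
    return [
        prefix + "".join(tail)
        for tail in product(BASE58, repeat=missing)
        if is_valid_minikey(prefix + "".join(tail))
    ]


if __name__ == "__main__":
    hits = valid_completions()
    print(f"{len(hits)} of {58 ** 2} completions pass the check (about 1 in 256)")
    print("first passing candidate:", hits[0])
    print("its private key (hex):  ", private_key_hex(hits[0]))
```

Because many wrong strings still pass the check, a written-down minikey should be confirmed against the printed address before any funds are sent to it.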

Each party had to write down a third of the Minikey and, as a precaution, each of them was to also write down the first 2 characters of the next part. The image below demonstrates the exact scheme they chose to divide this key:

Once Bitcoin hit the last all-time high, David decided to cash out, only to find out that he had accidentally written down 12 characters of the Bitcoin address that was shown on the same page at the time, instead of his actual share of the private key.

Luckily, David's father was holding the first two characters of David's share, leaving 8 unknown characters for us to recover. Since minikeys are in base58, that meant we had to loop through 58^8, or 128,063,081,718,016, options.

We coded a Rust program that does the following:

  1. Generate an index-based 8-character base58 candidate, so we can loop through and make sure we go over each and every possible combination.
  2. Concatenate the first two shares with the candidate we just generated and validate it by adding the '?' suffix, hashing it with SHA256 and confirming that the output starts with '00'.
  3. Get the properly formatted private key from our valid candidate.
  4. Derive a Bitcoin address using the generated private key.
  5. Compare the derived Bitcoin address with our known Bitcoin address. If we get a match, print it out and exit.

We were able to generate about 4 billion candidates per second, which meant that it would take only about 8 hours to go through all possible combinations. Sure enough, after about 6 hours we arrived at the correct and complete minikey that allowed us to recover David's coins.

]]>
<![CDATA[How to safely store your Bitcoin seed phrase]]>

]]>
https://cipherrecover.com/blog/how-to-safely-store-your-bitcoin-seed-phrase/6098137a08e2c6ed9b36121aWed, 19 May 2021 20:51:37 GMT

What is a seed phrase

Your seed phrase is a universal backup of your coins. Keeping it safe is a crucial part of managing and securing your funds in case your wallet is inaccessible.

BIP39 describes the process of generating a mnemonic sentence that is later used to generate a master private key, by randomly selecting between 12 and 24 numbers in the range of 0–2047. Each number represents an index to a word in a preset word list of 2048 words from the English dictionary (other languages are supported as well). These index numbers are then used to generate a master private key, and the user is eventually presented with the mnemonic sentence, or seed phrase. As long as the user backs up this list of words in the correct order, they will always be able to recover their funds, as all private keys are generated from the master private key. A cool feature that is often missed when reviewing the mechanics of a BIP39 seed phrase is that every word in the dictionary can be uniquely identified by its first 4 characters. This makes it easier to type seed words into hardware wallets, where you sometimes need to use a small touch pad, and also makes it harder to misspell longer words.

If a list of 12 words from a known 2048-word dictionary sounds like a small set to randomly select such an important key from, then that’s because humans are really bad at imagining just how big, big numbers are.

If I gave someone the first 6 words of my seed phrase in the correct order, they would still need to go over a key space of 2048⁶ combinations, which is 73,786,976,294,838,206,464 options. Even if we could compute 100 billion guesses per second, it would still take us over 23 years to go over the entire key space and cover all possible combinations. And that’s for a single seed phrase for which we had the first 6 words in the correct order.

The security of your coins is as strong as the weakest link. A highly secure hardware device like a Coldcard/Trezor/Ledger is (almost) useless if your seed is stored in your email inbox, or as a photo on your mobile device.

When deciding how to protect your seed phrase, you will have to find the right balance between too much and too little security. Having a very complex security scheme can often leave users locked out of their wallets and their funds, while taking no security precautions will often lead to theft.

Should I set a password for my seed?

You probably should. As confusing as it sounds, setting a password for your seed is not the same as setting a password for your wallet. Setting a password for your wallet means that the particular software installed on your phone or computer will require the user to input the selected password whenever your wallet software is used. Even if your wallet software is password protected, anyone with access to your seed phrase can still access your funds, regardless of whether they know the password for your wallet software.

Setting a password for your seed is like adding a custom 13th (or 25th) word, and saving this password in a different location from where you keep your seed phrase is effectively like setting up 2FA for your seed.

Setting a password for your seed will increase the level of security in 3 ways:

  1. Mitigate hardware wallet security vulnerabilities - Hardware wallets do not store your seed password on the device, in contrast to your seed phrase itself. There are known vulnerabilities in some hardware wallets that allow the extraction of the seed phrase.
  2. Diversification of the way you store your seed - If you use a password, you can store the seed phrase in one place and your password in another without jeopardising your security. One part is useless without the other.
  3. Plausible deniability - Your seed phrase is valid with or without a password set, however, setting a password for your seed will generate different public/private keys and therefore different Bitcoin addresses. Saving just a small portion of your wealth on Bitcoin addresses generated by your passwordless seed phrase will allow you to possibly fend off any $5 wrench attacks and also to make sure that your seed was not exposed (as long as the Bitcoin is there, it's most likely not been exposed).
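How the seed password enters the key derivation, as an added example (not from the original post): the BIP39 seed function mixes the password into the PBKDF2 salt, and the BIP32 master key is computed from that seed. The mnemonic is the public all-zero-entropy BIP39 test phrase and must never hold funds; `wallet_tag` is a hypothetical helper that only makes the difference between wallets visible.

```python
import hashlib
import hmac
import unicodedata

# Public BIP39 test mnemonic (all-zero entropy). Never use it for real funds.
SAMPLE_MNEMONIC = "abandon " * 11 + "about"


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39: PBKDF2-HMAC-SHA512, 2048 rounds, salt = 'mnemonic' + passphrase."""
    norm = lambda s: unicodedata.normalize("NFKD", s).encode("utf-8")
    return hashlib.pbkdf2_hmac(
        "sha512", norm(mnemonic), b"mnemonic" + norm(passphrase), 2048, dklen=64
    )


def bip32_master(seed: bytes):
    """BIP32: HMAC-SHA512 keyed with 'Bitcoin seed' -> (master key, chain code)."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def wallet_tag(mnemonic: str, passphrase: str = "") -> str:
    """Hypothetical helper: short hash of the master key, to compare wallets."""
    master_key, _chain_code = bip32_master(bip39_seed(mnemonic, passphrase))
    return hashlib.sha256(master_key).hexdigest()[:16]


if __name__ == "__main__":
    # Same 12 words, three passwords: three unrelated wallets, and no error
    # is ever raised for a "wrong" password.
    for password in ("", "correct horse", "correct h0rse"):
        print(f"{password!r:18} -> wallet {wallet_tag(SAMPLE_MNEMONIC, password)}")
```

Every password yields a valid, empty-looking wallet, so a typo made when setting or restoring the password is silent; restore from the backup once and confirm the first receiving address before funding the wallet.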

Should I split my seed phrase?

Maybe. It adds complexity but offers some benefits. There are 3 common ways of splitting your seed into multiple shares:

  1. Seed XOR - Originally developed by Coinkite, Seed XOR is open source software that allows you to split your seed into 2 shares (each share is a valid BIP39 seed phrase). Combining the 2 shares with the software will result in the original seed phrase.
  2. Shamir Secret Sharing Scheme - Using this method will allow you to define any number of shares to split the seed into and any number of required shares to recover it. For example, you could generate 5 shares and require any 3 shares for recovery. This provides some protection from data loss; however, SSSS has some pitfalls which you must consider.
  3. Word split - When using a 24 word seed, you could split your seed phrase into 3 shares, where any 2 shares can recover the complete seed phrase. The 1st share holds the words in positions 1–16, the 2nd share holds 9–24, and the 3rd share holds 1–8 and 17–24. Anyone who gets hold of just one share will need to recover 8 missing words, which is practically impossible. You should not use this method with a 12 word seed phrase, since each share will hold 8 words, leaving just 4 words for an attacker to recover, a task that can be, and has been, done in the past.
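The word-split layout from item 3, as an added example (not from the original post), generalised to any word count divisible by 3 so the 24-word and 12-word cases can be compared. The words are constructed placeholders rather than BIP39 words, and the second figure returned by `exposure_bits` is an approximation that subtracts the BIP39 checksum bits (4 for 12 words, 8 for 24).

```python
def split_2_of_3(words):
    """Split into 3 shares of {position: word}; any 2 shares cover every position."""
    n = len(words)
    if n == 0 or n % 3:
        raise ValueError("word count must be a positive multiple of 3")
    third = n // 3
    first = range(0, third)
    middle = range(third, 2 * third)
    last = range(2 * third, n)
    layout = [(first, middle), (middle, last), (first, last)]
    return [
        {i + 1: words[i] for part in parts for i in part}  # 1-based positions
        for parts in layout
    ]


def combine(shares, total):
    """Merge shares; return (phrase with None for gaps, missing positions)."""
    merged = {}
    for share in shares:
        for pos, word in share.items():
            if merged.setdefault(pos, word) != word:
                raise ValueError(f"shares disagree at position {pos}")
    missing = [p for p in range(1, total + 1) if p not in merged]
    return [merged.get(p) for p in range(1, total + 1)], missing


def exposure_bits(total_words, missing_words):
    """(raw bits to guess, approx. bits left after the BIP39 checksum filter)."""
    raw_bits = 11 * missing_words      # 2048 = 2**11 choices per missing word
    checksum_bits = total_words // 3   # BIP39: 4 bits for 12 words, 8 for 24
    return raw_bits, raw_bits - checksum_bits


def single_share_exposure(total_words):
    """What is left to guess for someone who finds only the first share."""
    words = [f"word{i:02d}" for i in range(1, total_words + 1)]  # placeholders
    first_share = split_2_of_3(words)[0]
    _phrase, missing = combine([first_share], total_words)
    return len(missing), exposure_bits(total_words, len(missing))


if __name__ == "__main__":
    for n in (24, 12):
        missing, (raw, valid) = single_share_exposure(n)
        print(f"{n}-word seed, one share found: {missing} words missing, "
              f"2^{raw} guesses, about 2^{valid} pass the checksum")
```

For 24 words a single share leaves 2^88 combinations; for 12 words it leaves 2^44, which is the gap behind the warning in item 3.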

How should I store my seed phrase?

Whether you chose to set a password for your seed phrase, split it or XOR it, you still need to store it in a way that will allow you to successfully recover and restore it 10, 20 or even 50 years from now. Storing your seed phrase on any digital media is risky, especially on devices that are connected to the internet.

Regardless of the method you choose to store your seed phrase, you should always make several copies and store them in a safe location that only you have access to. You should also always separate your seed phrase from your password if you chose to set one up.

  1. Pen and paper - Make sure to allocate at least 15 minutes for this task, do it in a quiet room and pay close attention to what you're doing. You don't want to end up with a bunch of words you can't really read. Laminate to avoid any water damage.
  2. DIY Metal storage - Safu.Ninja describes the process of punching your seed phrase on metal wafers, which is a cheap and more robust way of storing your seed than using a piece of paper. You do have to consider the type of metal you choose to use for the wafers, as ideally you'd want this solution to be protected from any corrosion, high temperatures and physical damage.
  3. Other metal based storage - There are many options for devices that were specifically designed to safely store seed phrases for long periods of time. Honourable mentions are HODLR.swiss, Seedplate and Blockplate. They have all been battle tested extensively by Jameson Lopp.

Things you probably should not do

  1. Store your seed phrase in any digital device that has internet access.
  2. Mix up the order of the words in an attempt to increase the level of security.
  3. Obfuscate your real seed words by placing them alongside other decoy words.
  4. Memorize your seed.

Stack your sats wisely.

]]>
<![CDATA[User story: Hidden in plain sight]]>

]]>
https://cipherrecover.com/blog/the-importance-of-setting-a-passphrase-for-your-seed/6089969ced59ac789e662312Sun, 09 May 2021 20:35:24 GMT

Over the course of our operation, we've seen a lot of people who found various creative ways to obfuscate their seed phrases. A few days ago we received an email from Dan regarding an Electrum seed phrase he had hidden within a bunch of other decoy words back in 2017, using some sort of pattern that he was positive he would remember. He used this method because he believed that it would increase the security of his seed phrase and that this would allow him to store it online in his email account. We could not disagree more.

The list is about 600 words long, 350 of which are in the Electrum (and BIP39) English word list. Electrum seeds follow a different generation process; you can read more about it here. After exchanging some emails with Dan, we gathered that:

  1. He had used a pattern, most likely a constant space between each word in the list.
  2. He did not mix up the order of the words - If the first seed word was written in index 36, the second word could only be in index 37 or above.
  3. He remembered that he started entering the real seed words after about 250 decoy words.

What we had to do in order to crack this one open was to create a small tool that:

  1. Loops through the provided word list, starting with spacing = 1 and increasing the spacing variable every time. Each iteration checks whether a valid Electrum seed is produced for the given spacing.
  2. Gathers the valid seeds and uses common derivation paths to generate the first few Bitcoin addresses.
  3. Checks for any activity on those Bitcoin addresses.

Since Dan didn't have any information regarding the receiving addresses that were used, and since we wanted to make sure we were not missing anything, for every valid Electrum seed we generated several addresses for common derivation paths and had to check whether there was any activity on those addresses. If we had had prior information regarding an address that was used to receive funds for the lost seed, we could have skipped this compute-intensive task and simply compared the generated addresses for each derivation path to the known address, greatly reducing the time it took to check each valid seed phrase.

After a short period of time, we managed to find the lost seed and recover Dan's coins which we then transferred to a fresh BTC address only he owns.

Need help recovering your seed phrase?

We at Cipher Recover have special software and hardware to help recover partial seed phrases for all wallet types. Contact us for more details.

]]>
<![CDATA[User story: Haste makes waste]]>

]]>
https://cipherrecover.com/blog/user-story-ledger-partial-seed-recovery/6086f09a5901b9103bb433bcMon, 26 Apr 2021 19:18:57 GMT

Bitcoin seed phrases or mnemonics are a combination of 12 to 24 words selected randomly from a known dictionary by your wallet software or hardware device. When a user is presented with their seed phrase, they are instructed to carefully write it down on a piece of paper and store it somewhere safe. Unfortunately, sometimes users neglect to follow these instructions and end up quickly writing their seed phrases on random pieces of paper that are then crumpled and stained in various ways.

Recently we were contacted by Sam, who had his Ledger broken into pieces in an unfortunate turn of events. Sam had recently gone through a divorce and some of the ETH stored on the Ledger device belonged to his father-in-law, who wanted to cash out. Sam remembered that he had followed the instructions and written down his 24 word seed phrase, but when he pulled out the piece of paper and tried to restore the seed to a newly bought Ledger device, he soon found that he couldn't read some of the words he had written down.

Highlighted are the unknown words as the rest are legible enough for us to read. Initially, we thought that we could probably solve this manually as we've been working on so many partial seed cases that we were confident that we could recognize most of these words, but we were wrong, very wrong.

1. Crouch
3. Blind
6. Battery
7. Oven
13. No idea, but it looked like it ends with 'ral'

Looking at these words carefully, we were pretty sure about 1, 3 and 7, but 6 can't be right. For us it read 'batery' so our brains immediately assumed Sam forgot to write the extra 't', but Battery is not a part of the BIP39 wordlist that is used by Ledger.

We decided to give up on the manual recovery route and make some adjustments to our already existing tools that handle partial seed recoveries. If we treated these words as completely lost, it would make this case nearly impossible to resolve since 5 missing words means going through A LOT (2048^5) of possible seed phrases.

Our seed recovery tool was modified to accept either complete words, for those we could definitely recognize, or partial words, where we could include the recognizable letters and let the tool run through the BIP39 wordlist for any matching words that produced a valid seed phrase.

Finding valid seed phrases is only one part of the process. We still need to use some common derivation paths to generate ETH addresses and check for any balances or transactions on those addresses. Even though there is a standard for derivation paths, some wallets (and in some cases only for some coin types) choose non-standard derivation paths.

To better understand derivation paths, imagine that each seed phrase represents an entrance key to a tall apartment building with hundreds of floors and thousands of doors. Your precious coins are behind one of the doors but to be absolutely sure if they're there or not you must check all doors or know exactly where they are. Although automated, this is a lengthy process that we would like to avoid, so we can look at some of the common doors the coins are usually behind. If we come up short, we can always check all doors.

Running our modified tool found over 7 billion valid seed phrases matching the relevant information we could gather from the piece of paper. After going through almost half of these seed phrases, we were able to find the correct and complete phrase that had the missing ETH. To our disbelief, these were the missing words.

1. Crouch
2. Bread
6. Betray
7. Oven
13. Moral

We securely recovered Sam's funds and transferred the coins to a fresh Ethereum address that he created for us.

]]>
<![CDATA[Turn your old laptop into a secure cold storage Bitcoin wallet]]>

]]>
https://cipherrecover.com/blog/turn-your-old-laptop-into-a-secure-cold-storage-bitcoin-wallet/608579875901b9103bb4325eFri, 23 Apr 2021 08:10:00 GMT

Consider your Bitcoin security score as a number on a scale of 1-10, with 1 being the least secure option and 10 being the most secure. Trezor, Ledger, Bitbox02, Coldcard and other physical hardware wallets are closer to the 10 mark, hot wallets such as Exodus, Jaxx and other closed-source web/mobile apps are closer to the 5 mark, and leaving your coins on an exchange is probably at the 1 or 2 mark.

With that in mind, we suggest that anyone with a considerable amount of money invested in Bitcoin purchase a physical hardware wallet, as it gives you the best of both worlds: security and ease of use. But what if we wanted to get a similar security score using an old laptop? In the following article we will detail exactly how to accomplish just that.

Requirements:

  1. A laptop, anything from the last decade should do.
  2. An Ubuntu 20.04 LTS Boot USB Drive (Instructions)
  3. An additional free USB stick of any size

Following these instructions should get you up and running with your fresh Ubuntu 20.04 LTS installation.

Permanently Disable Networking

To make sure none of your wired/wireless network interfaces are loaded on boot, go to the Network settings screen and make sure everything is set to OFF.

Download Electrum wallet

Electrum is a great open source Bitcoin wallet that can also work completely offline. Download the latest version to your home PC or any other internet capable machine. Make sure to also download the Signature file and save both files to the additional USB stick mentioned in requirement no. 3.

Once both files are on the USB stick, plug it into your new and secure Ubuntu laptop and copy both files over to your Ubuntu Desktop.

Verify the integrity of your Electrum wallet

It's always important to make sure that the file you actually downloaded is the file published on the official website. To do that, let's first import Electrum's public key:

gpg --keyserver keys.gnupg.net --recv-keys 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6

Then, we can verify that what we've downloaded corresponds with the file produced by the Electrum developers:

gpg --verify ~/Desktop/electrum-4.1.2-x86_64.AppImage.asc ~/Desktop/electrum-4.1.2-x86_64.AppImage

A valid output looks like this:

gpg: Signature made Thu 08 Apr 2021 16:47:31 IDT
gpg:                using RSA key 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
gpg: Good signature from "Thomas Voegtlin (https://electrum.org) " [unknown]
gpg:                 aka "ThomasV " [unknown]
gpg:                 aka "Thomas Voegtlin " [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE  D950 2BD5 824B 7F94 70E6
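A scripted version of reading that output, as an added example (not from the original article): instead of looking for the words "Good signature", it parses GnuPG's machine-readable `--status-fd` lines and requires a valid signature whose primary key fingerprint equals the one imported above. The status lines embedded below are constructed samples, and the all-`A` fingerprint is a placeholder for "some other key".

```python
import subprocess

PINNED_FPR = "6694D8DE7BE8EE5631BED9502BD5824B7F9470E6"  # fingerprint from this page

# Any of these means a signature was checked and must not be trusted.
FATAL = {"BADSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

# Constructed status output for three cases (timestamps and algorithm ids are samples).
GOOD_STATUS = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 2BD5824B7F9470E6 Thomas Voegtlin (https://electrum.org)
[GNUPG:] VALIDSIG 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6 2021-04-08 1617889651 0 4 0 1 8 00 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
[GNUPG:] TRUST_UNDEFINED 0 pgp"""
OTHER_FPR = "A" * 40  # placeholder fingerprint of an unrelated key
OTHER_KEY_STATUS = f"""[GNUPG:] NEWSIG
[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Someone Else
[GNUPG:] VALIDSIG {OTHER_FPR} 2021-04-08 1617889651 0 4 0 1 8 00 {OTHER_FPR}"""
BAD_STATUS = """[GNUPG:] NEWSIG
[GNUPG:] BADSIG 2BD5824B7F9470E6 Thomas Voegtlin (https://electrum.org)"""


def normalize_fpr(fpr: str) -> str:
    """Accept '6694 D8DE ...' as printed by gpg as well as the compact form."""
    return "".join(fpr.split()).upper()


def signature_ok(status_text: str, pinned_fpr: str = PINNED_FPR) -> bool:
    """True only if a valid signature from the pinned primary key is present."""
    pinned = normalize_fpr(pinned_fpr)
    signers = set()
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()[1:]
        if not fields:
            continue
        keyword, args = fields[0], fields[1:]
        if keyword in FATAL:
            return False
        if keyword == "VALIDSIG" and args:
            # 10th field: primary key fingerprint; 1st: signing (sub)key fingerprint.
            signers.add((args[9] if len(args) >= 10 else args[0]).upper())
    return pinned in signers


def verify_file(signature_path: str, file_path: str) -> bool:
    """Run gpg and evaluate its status lines (needs gpg and the imported key)."""
    result = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", signature_path, file_path],
        capture_output=True, text=True,
    )
    return result.returncode == 0 and signature_ok(result.stdout)


if __name__ == "__main__":
    for name, text in [("good", GOOD_STATUS), ("other key", OTHER_KEY_STATUS),
                       ("bad", BAD_STATUS)]:
        print(f"{name:10} -> {'accept' if signature_ok(text) else 'reject'}")
```

The "other key" case is the one a visual check misses: gpg prints "Good signature" for any key in the keyring, so the fingerprint comparison is what ties the download to the Electrum developers' key.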

Once we have verified the Electrum file, we can change its permissions so that we can execute it, by running:

chmod +x ~/Desktop/electrum-4.1.2-x86_64.AppImage

Now you can go to your Ubuntu Desktop and double click the file to run Electrum and go through the wizard to create your wallet.

Exporting your master public key

Your xPub/zPub is your master public key, allowing you to generate public Bitcoin addresses and create transactions that are later signed on your laptop. Even though your master public key does not expose your private keys and cannot lead to any online theft, you should not share it with anyone or copy it to any device that you do not have full control over: it poses a privacy risk, since whoever holds the master public key can view and link any transactions you've executed.

To export your master public key, go to Wallet -> Information.

The prefix for Legacy accounts starts with xpub while the prefix for Segwit accounts starts with zpub as shown in the image above.

Copy your master public key and save it to your USB stick as a text file.

Importing your master public key

On your home PC or any internet capable machine, install Electrum as you did before on your laptop and plug in your USB stick that contains the text file with your master public key.

After launching your Electrum wallet, opt in to use 'Standard wallet' and then choose 'Use a master key' and paste in your xPub/zPub. Now that you've completed the wizard, you have a 'Watch only' version of your wallet on your home PC.

Receive and send coins from your offline wallet

Now that we have an offline laptop with Electrum installed (holding our private keys) and another instance of Electrum installed on our home PC (holding our public keys) we can use this setup to send and receive Bitcoin.

Sending Bitcoin is a bit of a lengthy process, as you need to jump back and forth between your home PC and offline laptop. This is where physical cold wallets such as Trezor really simplify everyday usage without reducing your security level.

To receive Bitcoin you can simply use the 'Request' tab on your home PC and get a fresh Bitcoin address. Any Bitcoin sent will be displayed in your watch only wallet while the private keys for that wallet are only stored in your disconnected laptop.

To send Bitcoin, you will need to:

  1. On your home PC, create an unsigned transaction
  2. Save it as a text file to your USB stick
  3. Plug the USB stick to your offline laptop
  4. Load and sign the transaction on your offline laptop
  5. Save the signed transaction to your USB stick
  6. Plug the USB stick to your home PC
  7. Load and broadcast the transaction to the Bitcoin network

Create an unsigned transaction

On your home PC's Electrum, go to the Send tab and fill in the address and amount in the relevant fields, click Pay, configure the fee and click Send. Then click the export button, select to save to file and navigate to your USB stick.

Load and sign the transaction on your offline laptop

Next, plug your USB stick into your offline laptop and launch Electrum. Go to Tools -> Load transaction -> From file. Navigate to your USB stick and select the .psbt file saved in the previous step. You should be able to see that the 'Sign' button is now enabled; click it to sign the transaction. Next, as you did in the previous step, export the signed transaction to a file and save it to your USB stick.

At this point, you've created a transaction using your master public key, transferred it to your offline laptop and signed it, and you are now ready to broadcast it to the Bitcoin network.

Load and broadcast the transaction to the Bitcoin network

This is the final step, plug the USB stick back to your home PC and in your Electrum wallet go to Tools -> Load transaction -> From file. This time, load the .txn file which is the signed transaction.

Clicking the Broadcast button will complete the process and broadcast the transaction to the Bitcoin network.

]]>
<![CDATA[How to recover your lost or locked Blockchain wallet]]>

]]>
https://cipherrecover.com/blog/how-to-recover-your-lost-blockchain-wallet/60853d175901b9103bb43246Tue, 20 Apr 2021 09:57:00 GMT

Blockchain.com is by far the most common and one of the first ever Bitcoin wallets holding over 70 million customer wallets according to latest statistics. In the past, creating your wallet was a cumbersome task, most wallets required the user to download the entire blockchain database, a process that took a couple of days. Users who wanted fast access to a web wallet could simply use Blockchain.com and get access to their own private wallet in a matter of minutes. This and the intuitive UI offered by Blockchain.com made it a good choice for the average user.

Need help recovering your password?

We at Cipher Recover have special software and hardware to help recover your lost Blockchain password. We've helped many recover their first and second Blockchain passwords and we can help you too.

Blockchain.com's security model

Normally, a locally installed wallet allows you to back up your encrypted wallet file and as long as you keep record of your password and have access to the encrypted file, you can decrypt it and access your coins.

With Blockchain.com, instead of having an encrypted wallet file, the user is instructed to select a password and is given a Wallet ID in the form of a GUID (e.g. 00f4fcc0-b3ed-441d-b05f-e4fa2b98f896). All private information, including the private key, is then encrypted using the password that was selected by the user and uploaded to Blockchain.com's servers for storage. As long as you have your Wallet ID and your password, you should be able to access your funds.

Recovering your lost Wallet ID

If you've lost record of your Wallet ID, you can find it using the following methods:

Searching your email Inbox for any emails from Blockchain.com

Each and every email you ever received from Blockchain.com contains your Wallet ID at the bottom of it.

Online Wallet ID reminder utility

Blockchain.com has an online utility that will send you a reminder email for all Wallet IDs linked to a given email address

Recovering your 2FA device

If you've set up 2FA on your Blockchain.com account, disabling it is an easy process but requires their staff to manually approve your request, which takes up to 2 weeks. Use this page to initiate the process.

Recovering your Blockchain.com password

If you've forgotten your account password, you can try to recover it. Blockchain.com cannot access or recover the password for you, as they do not store it but rather encrypt all sensitive information with the password you selected when you created your wallet.

Manual recovery

The basic approach to recovering your password is to create an Excel sheet with all relevant and optional passwords that you might have used, then, expanding each option to multiple other options. For example, if you usually use the password Password123 then you may want to include Password1234 and Password111. After listing all options, you can copy and paste each option and try to decrypt your wallet via Blockchain.com's website. Don't worry - You can try as many times as you want since the decryption process happens in-browser and does not communicate anything back to their servers until you hit the correct password.

Recovering with BTCRecover

A more advanced approach is to use Brute Force or Dictionary attacks on your wallet. This will allow you to automate a part of the process in case you could not find the correct password manually. BTCRecover is open source software developed by gurnec (and currently maintained by 3rditeration) that can help you scale your cracking attempts.

Using BTCRecover requires some technical knowledge and has basically two ways to recover your password:

  1. Using a dictionary attack - Requires you to create a long list of possible passwords in a text file and feed it to BTCRecover
  2. Using a token file - Allows you to create structures of passwords that you might have used and attempt any password that matches the pattern you provided.

First, install BTCRecover by following these instructions, then use the download-blockchain-wallet.py script to download your encrypted wallet to your local machine.

Using a dictionary attack

Once you have your wallet locally, you can start creating your dictionary. This is a simple process where you create a new text file and input every password you can think of that you may have used when creating your Blockchain.com account.

The final step is to run BTCRecover, providing it with the required parameters.
Note: wallet.aes.json is the file downloaded via the download-blockchain-wallet.py script and my-passwords.txt is your dictionary.

python3 btcrecover.py --wallet wallet.aes.json --passwordlist my-passwords.txt

Using a token list

Token lists can be really simple or really complex, depending on how you want to use them. To fully understand how token lists work, you can read this instruction page. To get back to our Password123 example, let's say we're not sure if we've capitalized the P or if we used 123/1234/111/123456 or any other combination of numbers. A good token to represent all of the possible options is the following:

%[Pp]assword%1,6d

The above will generate passwords with an upper case and lower case P and will append any digits in the length of 1 to 6. Relevant candidates for the above token are:

Password123
Password111
password91874
password000000

To run your token list attack, simply use the following command:

python3 btcrecover.py --wallet wallet.aes.json --tokenlist my-tokens.txt

]]>