The safety of a seed phrase is paramount to the security of cryptocurrency assets stored on self-custodial wallets as it enables users to access the wallet and prove ownership of funds.
Usually consisting of 12 or 24 words, Bitcoin (BTC) seed phrases are believed to be “unhackable” as brute-forcing the whole seed phrase would require an impossible amount of computational power.
While an entire seed phrase cannot be brute-forced, industry analysts and executives say one can still access funds if up to three or four words are missing.
What is a seed phrase, and how is it different from a private key?
A seed phrase is a mnemonic code of 12 to 24 words to recover one’s cryptocurrency wallet. Unlike a private key — usually a string of 256 digits — a seed phrase is a human-readable master key for all private keys, allowing one to restore access to the wallet by just entering 12, 18, or 24 words in the correct order.
The words in someone’s seed phrase are not just random words. Instead, those are derived from a list of 2,048 words, described in the Bitcoin Improvement Proposal 39, also referred to as BIP39, which aimed to create a universal seed phrase process.
As seed phrases only use words from BIP39-set 2,048, one may try to brute-force a seed phrase or at least a few missing words.
“If you are missing words, computers can try ‘brute force’ it, which means trying every possible guess,” said Lucien Bourdain, an analyst at the hardware wallet firm Trezor.
“Please note that the last word of a BIP39 recovery phrase is a ‘checksum.’ It is not one of the random words and can be calculated easily once you have the first 11 words,” Bourdain added.
How many words can be recovered from a private key?
“12 words are known to be unbreakable in the current security community,” said Mikko Ohtamaa, co-founder of algorithmic investment protocol Trading Strategy. But still, there is a way to guess a few words, he told Cointelegraph.
In order to assess whether it’s possible to recover a few words from a seed phrase, Bourdain referred to some rough estimates of computational energy and time required for recovering certain amounts of words.
“As you can see, the time required to guess words grows exponentially with each additional missing word,” Bourdain stressed, adding:
“Beyond four words, it becomes impractical. [...] While recovering 2-3 words might be feasible, the computational power required to brute-force an entire 12 or 24-word seed phrase remains astronomically high.”
Some industry people like The Smart Ape have previously described a few ways to recover up to four words in a seed phrase, using tools like the GitHub project, BTCRecover or ChatGPT. The Smart Ape also claimed that he lost four words from his private key and managed to find them.
As the existing computational technology allows one to recover up to four words, one should be careful when storing a private key.
Related: Are crypto cards still a thing in 2024? Industry weighs in
One should also understand that remembering a few words from a seed phrase while cutting them out from a backup will not be as efficient as having a complete and accurate backup and storing it safely.
“Always double-check your backup and make multiple copies. Metal backup solutions are also available to avoid accidental destruction,” Bourdain stated.
Magazine: Meet the hackers who can help get your crypto life savings back