MIME-Version: 1.0
References: <68330522-7e7c-c3b4-99a9-1c68ddb56f23@gmail.com>
	<f2d73a92-e1c5-9072-e255-fa012a9f9d1b@satoshilabs.com>
	<db184306-7ec0-322e-5637-7889b51f50bf@gmail.com>
In-Reply-To: <db184306-7ec0-322e-5637-7889b51f50bf@gmail.com>
From: James MacWhyte <macwhyte@gmail.com>
Date: Tue, 25 Dec 2018 00:30:26 +0000
Message-ID: <CAH+Axy6dKDOkE6cQYZUusTUxxOSwWchOWxYh6ZkhnOgXuELaYg@mail.gmail.com>
To: vitteaymeric@gmail.com, 
	Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Content-Type: multipart/alternative; boundary="0000000000007dbdb1057dcdd32e"
Subject: Re: [bitcoin-dev] BIP39 seeds
Precedence: list

--0000000000007dbdb1057dcdd32e
Content-Type: text/plain; charset="UTF-8"

On Mon, Dec 24, 2018 at 2:48 PM Aymeric Vitte via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:

>
> I don't see very well why it's easier to write n words that you cannot
> choose rather than a 32B BIP32 hex seed, and I have seen many people
> completely lost with their wallets because of this
>

In practice it has quite a few qualities that make it a bit more resilient
for physical (written) storage.

If a few letters of a word get rubbed off or otherwise become illegible, it
is pretty easy for a native speaker to figure out what the word is supposed
to be. Even a non-native speaker could look through the word list and
figure out which word fits. Missing characters in a hex string require more
advanced brute force searching, which the average user isn't capable of.

Additionally, having the bits grouped into words makes a more serious
recovery easier. If you lose one entire word, it can be brute forced in
about 5 minutes on a normal pc, even if you don't know which position the
missing word is in (I have published a tool that does just this:
https://jmacwhyte.github.io/recovery-phrase-recovery). If you are missing
two words, you can brute force it in about a week (napkin math).

If you were missing a random chunk of a hex string, I don't know how you'd
go about brute forcing that in a timely manner.

As an aside, from a UX standpoint we've seen that the 12 words don't *look*
important so people don't take them seriously (and they get lost). A hex
string or equivalent would look more password-y, and therefore would most
likely be better protected by users.

James

--0000000000007dbdb1057dcdd32e
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div dir=3D"ltr"><div><br></div><br><div class=3D"gmail_qu=
ote"><div dir=3D"ltr">On Mon, Dec 24, 2018 at 2:48 PM Aymeric Vitte via bit=
coin-dev &lt;<a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org">bitco=
in-dev@lists.linuxfoundation.org</a>&gt; wrote:<br></div><blockquote class=
=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rg=
b(204,204,204);padding-left:1ex"><br>I don&#39;t see very well why it&#39;s=
 easier to write n words that you cannot choose rather than a 32B BIP32 hex=
 seed, and I have seen many people completely lost with their wallets becau=
se of this<br></blockquote><div><br></div><div>In practice it has quite a f=
ew qualities that make it a bit more resilient for physical (written) stora=
ge.</div><div><br></div><div>If a few letters of a word get rubbed off or o=
therwise become illegible, it is pretty easy for a native speaker to figure=
 out what the word is supposed to be. Even a non-native speaker could look =
through the word list and figure out which word fits. Missing characters in=
 a hex string require more advanced brute force searching, which the averag=
e user isn&#39;t capable of.</div><div><br></div><div>Additionally, having =
the bits grouped into words makes a more serious recovery easier. If you lo=
se one entire word, it can be brute forced in about 5 minutes on a normal p=
c, even if you don&#39;t know which position the missing word is in (I have=
 published a tool that does just this:=C2=A0<a href=3D"https://jmacwhyte.gi=
thub.io/recovery-phrase-recovery">https://jmacwhyte.github.io/recovery-phra=
se-recovery</a>). If you are missing two words, you can brute force it in a=
bout a week (napkin math).<br><br>If you were missing a random chunk of a h=
ex string, I don&#39;t know how you&#39;d go about brute forcing that in a =
timely manner.</div><div><br></div><div>As an aside, from a UX standpoint w=
e&#39;ve seen that the 12 words don&#39;t *look* important so people don=
9;t take them seriously (and they get lost). A hex string or equivalent wou=
ld look more password-y, and therefore would most likely be better protecte=
d by users.</div><div><br></div><div>James</div></div></div></div>

--0000000000007dbdb1057dcdd32e--