Difference between revisions of "Seed phrase"

From Bitcoin Wiki
Jump to: navigation, search
(moved discussion of decoy wallets to another section, based on reddit comments i saw, its best to emphasize the 2fa aspect)
m (Storing Seed Phrases for the Long Term: Add extra citation about pencils)
(8 intermediate revisions by 3 users not shown)
Line 1: Line 1:
A '''mnemonic phrase''', '''mnemonic recovery phrase''' or '''mnemonic seed''' is a list of words which [[Storing bitcoins|store]] all the information needed to recover a Bitcoin wallet. Wallet software will typically generate a mnemonic backup phrase and instruct the user to write it down on paper. If the user's computer breaks or their hard drive becomes corrupted, they can download the same wallet software again and use the paper backup to get their bitcoins back.
+
A '''seed phrase''', '''seed recovery phrase''' or '''backup seed phrase''' is a list of words which [[Storing bitcoins|store]] all the information needed to recover a Bitcoin wallet. Wallet software will typically generate a seed phrase and instruct the user to write it down on paper. If the user's computer breaks or their hard drive becomes corrupted, they can download the same wallet software again and use the paper backup to get their bitcoins back.
  
 
Anybody else who discovers the phrase can steal the bitcoins, so it must be kept safe like jewels or cash. For example, it must not be typed into any website.
 
Anybody else who discovers the phrase can steal the bitcoins, so it must be kept safe like jewels or cash. For example, it must not be typed into any website.
  
Mnemonic phrases are an excellent way of backing up and [[storing bitcoins]] and so they are used by almost all well-regarded wallets.<ref>[https://bitcoin.org/en/choose-your-wallet Bitcoin.org: Choose your wallet]</ref>
+
Seed phrases are an excellent way of backing up and [[storing bitcoins]] and so they are used by almost all well-regarded wallets.<ref>[https://bitcoin.org/en/choose-your-wallet Bitcoin.org: Choose your wallet]</ref>
  
 
== Example ==
 
== Example ==
  
An example of a mnemonic phrase is:
+
An example of a seed phrase is:
  
 
     witch collapse practice feed shame open despair creek road again ice least
 
     witch collapse practice feed shame open despair creek road again ice least
Line 13: Line 13:
 
The word order is important.
 
The word order is important.
  
[[File:Mnemonic-seed-still-life.jpg|300px|thumb|none|alt=An example mnemonic phrase written on paper|Example mnemonic phrase on paper.]]
+
[[File:Mnemonic-seed-still-life.jpg|300px|thumb|none|alt=An example seed phrase written on paper|Example seed phrase on paper.]]
  
 
== Explanation ==
 
== Explanation ==
  
A simplified explanation of how mnemonic phrases work is that the wallet software has a wordlist taken from a dictionary, with each word assigned to a number. The mnemonic phrase can be converted to a number which is used as the seed to a [[Deterministic wallet|deterministic wallet]] that generates all the [[Private key|key pairs]] used in the wallet.
+
A simplified explanation of how seed phrases work is that the wallet software has a list of words taken from a dictionary, with each word assigned to a number. The seed phrase can be converted to a number which is used as the seed integer to a [[Deterministic wallet|deterministic wallet]] that generates all the [[Private key|key pairs]] used in the wallet.
  
The English-language wordlist for the BIP39 standard has 2048 words, so if the phrase contained only 12 random words, the number of possible combinations would be 2048^12 = 2^132 and the phrase would have 132 bits of security.  However, some of the data in a BIP39 phrase is not random,<ref>[https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki#Generating_the_mnemonic BIP39: Generating the mnemonic]</ref> so the actual security of a 12-word BIP39 mnemonic phrase is only 128 bits.  This is approximately the same strength as all Bitcoin private keys, so most experts consider it to be sufficiently secure.<ref>[https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki#Security BIP32: Security]</ref>
+
The English-language wordlist for the BIP39 standard has 2048 words, so if the phrase contained only 12 random words, the number of possible combinations would be 2048^12 = 2^132 and the phrase would have 132 bits of security.  However, some of the data in a BIP39 phrase is not random,<ref>[https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki#Generating_the_mnemonic BIP39: Generating the mnemonic]</ref> so the actual security of a 12-word BIP39 seed phrase is only 128 bits.  This is approximately the same strength as all Bitcoin private keys, so most experts consider it to be sufficiently secure.<ref>[https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki#Security BIP32: Security]</ref>
  
It is not safe to invent your own mnemonic phrase because humans are bad at generating randomness.  The best way is to allow the wallet software to generate the phrase which you write down.
+
It is not safe to invent your own seed phrase because humans are bad at generating randomness.  The best way is to allow the wallet software to generate a phrase which you write down.
  
== Two-Factor Mnemonic Phrases ==
+
== Two-Factor Seed Phrases ==
  
Mnemonic phrases, like all backups, can store any amount of bitcoins. It's a weird idea to possibly have enough money to purchase the entire building just sitting on a sheet of paper without any protection. For this reason many wallets make it possible to encrypt a mnemonic phrase with a password.
+
Seed phrases, like all backups, can store any amount of bitcoins. It's a concerning idea to possibly have enough money to purchase the entire building just sitting on a sheet of paper without any protection. For this reason many wallets make it possible to encrypt a seed phrase with a password.
  
The password can be used to create a two-factor mnemonic phrase where both ''"something you have"'' plus ''"something you know"'' is required to unlock the bitcoins.
+
The password can be used to create a two-factor seed phrase where both ''"something you have"'' plus ''"something you know"'' is required to unlock the bitcoins.
  
This works by the wallet creating a mnemonic phrase and asking the user for a password. Then both the mnemonic phrase and extra word are required to recover the wallet. Electrum and some other wallets call the passphrase a '''"seed extension"''', '''"mnemonic extension"''' or '''"13th/25th word"'''. The BIP39 standard defines a way of passphrase-protecting a mnemonic seed. A similar scheme is also used in the Electrum standard. If a passphrase is not present, an empty string "" is used instead.
+
This works by the wallet creating a seed phrase and asking the user for a password. Then both the seed phrase and extra word are required to recover the wallet. Electrum and some other wallets call the passphrase a '''"seed extension"''', '''"extension word"''' or '''"13th/25th word"'''. The BIP39 standard defines a way of passphrase-protecting a seed phrase. A similar scheme is also used in the Electrum standard. If a passphrase is not present, an empty string "" is used instead.
  
 
'''Warning''': Forgetting this password will result in the bitcoin wallet and any contained money being lost. Do not overestimate your ability to remember passphrases especially when you may not use it very often.
 
'''Warning''': Forgetting this password will result in the bitcoin wallet and any contained money being lost. Do not overestimate your ability to remember passphrases especially when you may not use it very often.
  
'''Warning''': The mnemonic phrase password should not be confused with the password used to encrypt the wallet file on disk. This is probably why many wallets call it an extension word instead of a password.
+
'''Warning''': The seed phrase password should not be confused with the password used to encrypt the wallet file on disk. This is probably why many wallets call it an extension word instead of a password.
  
=== Decoy wallets ===
+
== Storing Seed Phrases for the Long Term ==  
 
 
This feature also provides plausible deniability, because every password generates a valid seed (and thus a deterministic wallet) but only the correct one will make the desired wallet available. You could create a ''decoy wallet'' which has the same mnemonic phrase but a different password, and if physically coerced then reveal only the first password and keep the second a secret.
 
 
 
On the other hand, the entity coercing you may already know about the concept of decoy wallets. They could continue beating you until you give up two or three passphrases.
 
 
 
For a longer discussion of this problem see [[Storing bitcoins#The 5 dollar wrench attack]]
 
 
 
== Storing Mnemonic Phrases for the Long Term ==  
 
  
 
Most people write down phrases on paper but they can be stored in many other ways such as [[Brainwallet|memorizing]], engraving on metal, writing in the margins of a book, chiseling into a stone tablet or any other creative and inventive way.
 
Most people write down phrases on paper but they can be stored in many other ways such as [[Brainwallet|memorizing]], engraving on metal, writing in the margins of a book, chiseling into a stone tablet or any other creative and inventive way.
  
For storing on paper writing with pencil is much better than pen<ref>[https://www.quora.com/If-I-write-with-a-pencil-on-my-notebook-will-the-writing-last-for-a-long-time-say-50-years-or-will-it-just-fade-away-gradually Writing in a notebook with pencil]</ref>. Paper should be acid-free or archival paper, and stored in the dark avoiding extremes of heat and moisture<ref>[https://www.loc.gov/preservation/care/deterioratebrochure.html Essential facts about preservation of Paper]</ref>.<ref>[https://www.quora.com/How-do-I-maintain-a-paper-notebook-that-can-remain-for-years How do I maintain a paper notebook that can remain for years?]</ref><ref>[http://copar.org/bulletin14.htm CoPAR: Creating records that will last]</ref>
+
For storing on paper writing with pencil is much better than pen<ref>[http://www.joethorn.net/blog/2011/12/07/pencil-does-not-fade Pencil Does Not Fade]</ref><ref>[https://www.quora.com/How-do-I-maintain-a-paper-notebook-that-can-remain-for-years How do I maintain a paper notebook that can remain for years?]</ref>. Paper should be acid-free or archival paper, and stored in the dark avoiding extremes of heat and moisture<ref>[https://www.loc.gov/preservation/care/deterioratebrochure.html Essential facts about preservation of Paper]</ref><ref>[https://www.quora.com/If-I-write-with-a-pencil-on-my-notebook-will-the-writing-last-for-a-long-time-say-50-years-or-will-it-just-fade-away-gradually Writing in a notebook with pencil]</ref><ref>[http://copar.org/bulletin14.htm CoPAR: Creating records that will last]</ref>.
  
 
Some people get the idea to split up their phrases. Storing 6 words in one location and the other 6 words in another location. This is a bad idea and should not be done, because if one set of 6 words is discovered then it becomes easier to bruteforce the rest of the phrase. Storing bitcoins in multiple locations like this should be done via [[multisignature]] wallets instead.
 
Some people get the idea to split up their phrases. Storing 6 words in one location and the other 6 words in another location. This is a bad idea and should not be done, because if one set of 6 words is discovered then it becomes easier to bruteforce the rest of the phrase. Storing bitcoins in multiple locations like this should be done via [[multisignature]] wallets instead.
  
 
Another bad idea is to add random decoy words that are somehow meaningful to you, and later remove them to be left only with the 12 word phrase. The phrase words come from a known dictionary (see next section), so anybody can use that dictionary to weed out the decoy words.
 
Another bad idea is to add random decoy words that are somehow meaningful to you, and later remove them to be left only with the 12 word phrase. The phrase words come from a known dictionary (see next section), so anybody can use that dictionary to weed out the decoy words.
 +
 +
It could be a good idea to write some words of explanation on the same paper as the seed phrase. If storing for the long term you may forget what a phrase is how it should be treated. A sample explanation that can be adapted is:
 +
 +
<blockquote>These twelve words have control over BITCOINS. Keep this paper safe and secret, like cash or jewelry. The bitcoin information on this paper is encrypted with a passphrase. It is part of a multisignature wallet and was made by Electrum bitcoin wallet software on 1/1/2012.</blockquote>
  
 
== Word Lists ==
 
== Word Lists ==
  
Generally a mnemonic phrase only works with the same wallet software that created it. If storing for a long period of time it's a good idea to write the name of the wallet too.
+
Generally a seed phrase only works with the same wallet software that created it. If storing for a long period of time it's a good idea to write the name of the wallet too.
  
 
The BIP39 English word list has each word being uniquely identified by the first four letters, which can be useful when space to write them is scarce.
 
The BIP39 English word list has each word being uniquely identified by the first four letters, which can be useful when space to write them is scarce.
  
 
* [https://github.com/bitcoin/bips/blob/master/bip-0039/bip-0039-wordlists.md BIP39 wordlists]
 
* [https://github.com/bitcoin/bips/blob/master/bip-0039/bip-0039-wordlists.md BIP39 wordlists]
* [https://github.com/spesmilo/electrum/blob/master/lib/old_mnemonic.py Electrum old-style wordlist]
+
* [https://github.com/spesmilo/electrum/blob/1.9.8/lib/mnemonic.py Electrum old-style wordlist]
* [https://github.com/spesmilo/electrum/tree/master/lib/wordlist Electrum new-style wordlist]
+
* [https://github.com/spesmilo/electrum/blob/master/electrum/wordlist/english.txt Electrum new-style wordlist]
 +
 
 +
== Alternative name "Mnemonic Phrase" ==
 +
 
 +
Seed phrases are sometimes called "mnemonic phrases" especially in older literature. This is a bad name because the word mnemonic implies that the phrase should be memorized. It is less misleading to call them seed phrases.
 +
 
 +
== The power of backups ==
 +
 
 +
An especially interesting aspect in the power of paper backups is allowing your money to be two places at once. At the London Inside Bitcoin conference the keynote speaker showed 25 paper backups they were carrying -- all password-protected. With that one can carry $100,000 which can instantly be moved to a phone or transferred yet with total security. If it's stolen then there is no risk because it is backed up elsewhere. That is powerful.<ref>https://www.reddit.com/r/Bitcoin/comments/2hmnru/poll_do_you_use_paper_wallets_why_why_not_what/</ref>
  
 
== See Also ==
 
== See Also ==
Line 69: Line 73:
 
* [[Storing bitcoins]]
 
* [[Storing bitcoins]]
 
* [[Brainwallet]]
 
* [[Brainwallet]]
 +
* [https://github.com/6102bitcoin/FAQ/blob/master/seed.md FAQ regarding bitcoin seeds]
  
 
==References==
 
==References==

Revision as of 17:03, 2 June 2019

A seed phrase, seed recovery phrase or backup seed phrase is a list of words which store all the information needed to recover a Bitcoin wallet. Wallet software will typically generate a seed phrase and instruct the user to write it down on paper. If the user's computer breaks or their hard drive becomes corrupted, they can download the same wallet software again and use the paper backup to get their bitcoins back.

Anybody else who discovers the phrase can steal the bitcoins, so it must be kept safe like jewels or cash. For example, it must not be typed into any website.

Seed phrases are an excellent way of backing up and storing bitcoins and so they are used by almost all well-regarded wallets.[1]

Example

An example of a seed phrase is:

   witch collapse practice feed shame open despair creek road again ice least

The word order is important.

An example seed phrase written on paper
Example seed phrase on paper.

Explanation

A simplified explanation of how seed phrases work is that the wallet software has a list of words taken from a dictionary, with each word assigned to a number. The seed phrase can be converted to a number which is used as the seed integer to a deterministic wallet that generates all the key pairs used in the wallet.

The English-language wordlist for the BIP39 standard has 2048 words, so if the phrase contained only 12 random words, the number of possible combinations would be 2048^12 = 2^132 and the phrase would have 132 bits of security. However, some of the data in a BIP39 phrase is not random,[2] so the actual security of a 12-word BIP39 seed phrase is only 128 bits. This is approximately the same strength as all Bitcoin private keys, so most experts consider it to be sufficiently secure.[3]

It is not safe to invent your own seed phrase because humans are bad at generating randomness. The best way is to allow the wallet software to generate a phrase which you write down.

Two-Factor Seed Phrases

Seed phrases, like all backups, can store any amount of bitcoins. It's a concerning idea to possibly have enough money to purchase the entire building just sitting on a sheet of paper without any protection. For this reason many wallets make it possible to encrypt a seed phrase with a password.

The password can be used to create a two-factor seed phrase where both "something you have" plus "something you know" is required to unlock the bitcoins.

This works by the wallet creating a seed phrase and asking the user for a password. Then both the seed phrase and extra word are required to recover the wallet. Electrum and some other wallets call the passphrase a "seed extension", "extension word" or "13th/25th word". The BIP39 standard defines a way of passphrase-protecting a seed phrase. A similar scheme is also used in the Electrum standard. If a passphrase is not present, an empty string "" is used instead.

Warning: Forgetting this password will result in the bitcoin wallet and any contained money being lost. Do not overestimate your ability to remember passphrases especially when you may not use it very often.

Warning: The seed phrase password should not be confused with the password used to encrypt the wallet file on disk. This is probably why many wallets call it an extension word instead of a password.

Storing Seed Phrases for the Long Term

Most people write down phrases on paper but they can be stored in many other ways such as memorizing, engraving on metal, writing in the margins of a book, chiseling into a stone tablet or any other creative and inventive way.

For storing on paper writing with pencil is much better than pen[4][5]. Paper should be acid-free or archival paper, and stored in the dark avoiding extremes of heat and moisture[6][7][8].

Some people get the idea to split up their phrases. Storing 6 words in one location and the other 6 words in another location. This is a bad idea and should not be done, because if one set of 6 words is discovered then it becomes easier to bruteforce the rest of the phrase. Storing bitcoins in multiple locations like this should be done via multisignature wallets instead.

Another bad idea is to add random decoy words that are somehow meaningful to you, and later remove them to be left only with the 12 word phrase. The phrase words come from a known dictionary (see next section), so anybody can use that dictionary to weed out the decoy words.

It could be a good idea to write some words of explanation on the same paper as the seed phrase. If storing for the long term you may forget what a phrase is how it should be treated. A sample explanation that can be adapted is:

These twelve words have control over BITCOINS. Keep this paper safe and secret, like cash or jewelry. The bitcoin information on this paper is encrypted with a passphrase. It is part of a multisignature wallet and was made by Electrum bitcoin wallet software on 1/1/2012.

Word Lists

Generally a seed phrase only works with the same wallet software that created it. If storing for a long period of time it's a good idea to write the name of the wallet too.

The BIP39 English word list has each word being uniquely identified by the first four letters, which can be useful when space to write them is scarce.

Alternative name "Mnemonic Phrase"

Seed phrases are sometimes called "mnemonic phrases" especially in older literature. This is a bad name because the word mnemonic implies that the phrase should be memorized. It is less misleading to call them seed phrases.

The power of backups

An especially interesting aspect in the power of paper backups is allowing your money to be two places at once. At the London Inside Bitcoin conference the keynote speaker showed 25 paper backups they were carrying -- all password-protected. With that one can carry $100,000 which can instantly be moved to a phone or transferred yet with total security. If it's stolen then there is no risk because it is backed up elsewhere. That is powerful.[9]

See Also

References