Difference between revisions of "Seed phrase"

From Bitcoin Wiki
m (Passphrase-Protected Mnemonic Phrases: edit punctuation)
(renamed to two-factor mnemonic phrase, added comment about wallets sometimes calling it the seed extension)
Line 25: Line 25:
 
Most people write down phrases on paper but they can be stored in many other ways such as [[Brainwallet|memorizing]], engraving on metal, writing in the margins of a book or chiseling into a stone tablet.
 
Most people write down phrases on paper but they can be stored in many other ways such as [[Brainwallet|memorizing]], engraving on metal, writing in the margins of a book or chiseling into a stone tablet.
  
== Passphrase-Protected Mnemonic Phrases ==
+
== Two-Factor Mnemonic Phrases ==
  
Many wallets support for the creation of a passphrase-protected mnemonic seed. This works by the wallet creating a mnemonic phrase and asking the user for a passphrase. Then both the mnemonic phrase and passphrase are required to recover the wallet.
+
Many wallets support for the creation of a two-factor mnemonic seed. This works by the wallet creating a mnemonic phrase and asking the user for a password or extension word. Then both the mnemonic phrase and extra word are required to recover the wallet.
  
The passphrase could be written down alongside the mnemonic phrase, or it could also be memorized to create a two-factor mnemonic phrase where both ''"something you have"'' plus ''"something you know"'' is required to unlock the bitcoins. This feature also provides plausible deniability, because every passphrase generates a valid seed (and thus a deterministic wallet) but only the correct one will make the desired wallet available. Or you could create two wallets which have the same mnemonic phrase but different passphrases, if coerced to give up the passphrase you can reveal the first passphrase only and keep the second a secret.
+
The password could be written down alongside the mnemonic phrase, or it could be memorized to create a two-factor mnemonic phrase where both ''"something you have"'' plus ''"something you know"'' is required to unlock the bitcoins. This feature also provides plausible deniability, because every password generates a valid seed (and thus a deterministic wallet) but only the correct one will make the desired wallet available. Or you could create two wallets which have the same mnemonic phrase but different passwords, if coerced to give up the password you can reveal the first password only and keep the second a secret.
  
The BIP39 standard defines a way of passphrase-protecting a mnemonic seed. A similar scheme is also used in the Electrum standard. If a passphrase is not present, an empty string "" is used instead. In the BIP39 standard the passphrase is made intentionally hard to bruteforce, PBKDF2 is a slow function to calculate and each attempt to guess a passphrase requires a few slow EC point multiplications in order to calculate bitcoin addresses and check whether there are any bitcoins held in them. Needless to say the passphrase should be long one to make it even harder to guess or bruteforce.
+
The BIP39 standard defines a way of passphrase-protecting a mnemonic seed. A similar scheme is also used in the Electrum standard. If a passphrase is not present, an empty string "" is used instead. In the BIP39 standard the passphrase is made intentionally hard to bruteforce, PBKDF2 is a slow function to calculate and each attempt to guess a passphrase requires a few slow EC point multiplications in order to calculate bitcoin addresses and check whether there are any bitcoins held in them. Needless to say the passphrase should be long one to make it even harder to guess or bruteforce. Electrum and some other wallets call the passphrase a ''"seed extension"'' or ''"mnemonic extension"''.
  
 
== Word Lists ==
 
== Word Lists ==
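Review bot: the renamed section now uses three names for the same secret, "password or extension word" in the first rewritten paragraph, "password" in the second and "passphrase" in the third (plus the quoted "seed extension" / "mnemonic extension" at the end); pick one, preferably "passphrase" since the third paragraph says that is what the BIP39 standard defines, and use it throughout. The rewritten first paragraph also carries over the grammatical error "Many wallets support for the creation of" (should be "support the creation of"). And since that paragraph states that both the mnemonic phrase and the extra word are required to recover the wallet, it is worth adding one sentence that a forgotten passphrase cannot be recovered and leaves the funds inaccessible.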

Revision as of 14:19, 22 September 2017

A mnemonic phrase, mnemonic recovery phrase or mnemonic seed is a list of words which stores all the information needed to recover a bitcoin wallet. A wallet will typically generate a mnemonic backup phrase and instruct the user to write it down on paper. If the user's computer breaks or their hard drive becomes corrupted, they can install the same wallet software again and use the paper backup to get their bitcoins back.

Anybody who discovers the phrase can spend the bitcoins. Keeping the seed secret is required for keeping possession of your bitcoins.

Mnemonic phrases are a superior way of backing up and storing bitcoin keys, so all good wallets use them.

Example

An example of a mnemonic phrase is:

   witch collapse practice feed shame open despair creek road again ice least

The order is important.

[Image: an example mnemonic phrase written on paper]

Explanation

A simplified explanation of how mnemonic phrases work is that the wallet software has a wordlist taken from a dictionary, with each word assigned to a number. The mnemonic phrase can be converted back to the number it encodes, which is used as the seed to a deterministic wallet that generates all the key pairs used in the wallet.

The English-language wordlist for the BIP39 standard has 2048 words, so each word encodes 11 bits and a 12-word phrase carries 12 × 11 = 132 bits. Not every one of the 2048^12 = 2^132 combinations is a valid phrase, however: in BIP39 the last 4 bits of a 12-word phrase are a checksum (the leading bits of the SHA-256 hash of the other 128 bits), so only 2^128 phrases are valid and a 12-word phrase has 128 bits of security. A 24-word phrase likewise carries 256 bits of entropy plus an 8-bit checksum.
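The following is an added example, not code from the wiki or from any wallet, that carries out the BIP39 split described above on word-list indices rather than on words (the 2048-word list itself is not embedded; turning an index into a word is a plain table lookup). The function names are my own. It encodes entropy plus checksum into 11-bit indices, decodes and rejects a bad checksum, and counts how many of the 2048 possible last words are valid for a given prefix, which is where the 2^128 figure comes from. The only fixed input is the official all-zero BIP39 test vector, whose phrase is "abandon" eleven times followed by "about" (indices 0 and 3).

```python
import hashlib
import os

# BIP39 word lists have 2048 = 2**11 entries, so every word carries 11 bits.
WORDLIST_SIZE = 2048
BITS_PER_WORD = 11

# Known BIP39 test vector: 16 zero bytes encode as "abandon" x 11 followed by "about",
# i.e. word indices 0 x 11 and 3 (the checksum nibble of SHA-256(16 zero bytes) is 3).
ZERO_ENTROPY_INDICES = [0] * 11 + [3]


def entropy_to_indices(entropy: bytes) -> list[int]:
    """Split entropy + checksum into BIP39 word-list indices.

    BIP39 appends ENT/32 checksum bits (the leading bits of SHA-256 of the
    entropy) and cuts the result into 11-bit groups; 128 bits -> 12 words.
    """
    ent_bits = len(entropy) * 8
    if ent_bits not in (128, 160, 192, 224, 256):
        raise ValueError("entropy must be 16, 20, 24, 28 or 32 bytes")
    cs_bits = ent_bits // 32
    checksum = int.from_bytes(hashlib.sha256(entropy).digest(), "big") >> (256 - cs_bits)
    combined = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    total_bits = ent_bits + cs_bits
    n_words = total_bits // BITS_PER_WORD
    return [(combined >> (total_bits - BITS_PER_WORD * (i + 1))) & (WORDLIST_SIZE - 1)
            for i in range(n_words)]


def indices_to_entropy(indices: list[int]) -> bytes:
    """Recover the entropy from word indices, rejecting a bad checksum."""
    n_words = len(indices)
    if n_words not in (12, 15, 18, 21, 24):
        raise ValueError("phrase must have 12, 15, 18, 21 or 24 words")
    if any(not 0 <= i < WORDLIST_SIZE for i in indices):
        raise ValueError("word index out of range")
    total_bits = n_words * BITS_PER_WORD
    cs_bits = total_bits // 33            # 4 for 12 words, 8 for 24 words
    ent_bits = total_bits - cs_bits
    combined = 0
    for i in indices:
        combined = (combined << BITS_PER_WORD) | i
    entropy = (combined >> cs_bits).to_bytes(ent_bits // 8, "big")
    # Re-encoding must reproduce the same indices, otherwise the checksum bits lied.
    if entropy_to_indices(entropy) != indices:
        raise ValueError("checksum mismatch: not a valid BIP39 phrase")
    return entropy


def is_valid_phrase(indices: list[int]) -> bool:
    """True if the indices form a phrase with a correct checksum."""
    try:
        indices_to_entropy(indices)
        return True
    except ValueError:
        return False


def valid_last_words(prefix: list[int]) -> list[int]:
    """Given the first n-1 word indices, list every last index that passes the checksum."""
    return [last for last in range(WORDLIST_SIZE) if is_valid_phrase(prefix + [last])]


def security_bits(n_words: int) -> int:
    """Entropy bits of a phrase: 11 bits per word minus the checksum bits."""
    total_bits = n_words * BITS_PER_WORD
    return total_bits - total_bits // 33


if __name__ == "__main__":
    assert entropy_to_indices(bytes(16)) == ZERO_ENTROPY_INDICES
    fresh = os.urandom(16)                       # how a wallet should pick its entropy
    assert indices_to_entropy(entropy_to_indices(fresh)) == fresh
    # Only 1 in 16 choices of the 12th word is valid, so 2**132 / 16 = 2**128 phrases.
    print(len(valid_last_words([0] * 11)), "of 2048 last words are valid;",
          security_bits(12), "bits of security for 12 words")
```

Running it prints 128 valid last words and 128 bits of security; the checksum is why a wallet can tell a mistyped phrase from a valid one, and also why nobody should "improve" a phrase by hand.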

It is not safe to invent your own mnemonic phrase, because humans are bad at generating randomness; the best way is to let the wallet software generate the phrase, which you then write down.

Most people write down phrases on paper but they can be stored in many other ways such as memorizing, engraving on metal, writing in the margins of a book or chiseling into a stone tablet.

Two-Factor Mnemonic Phrases

Many wallets support the creation of a two-factor mnemonic seed. This works by the wallet creating a mnemonic phrase and asking the user for a password or extension word (the BIP39 standard calls it a passphrase). Then both the mnemonic phrase and the extra word are required to recover the wallet.

The password could be written down alongside the mnemonic phrase, or it could be memorized to create a two-factor mnemonic phrase where both "something you have" and "something you know" are required to unlock the bitcoins. This feature also provides plausible deniability, because every password generates a valid seed (and thus a deterministic wallet) but only the correct one will make the desired wallet available. You could also create two wallets which have the same mnemonic phrase but different passwords; if coerced to give up the password, you can reveal the first password only and keep the second a secret. The flip side is that the second factor cannot be recovered if it is forgotten: the mnemonic phrase alone then opens only an empty wallet and the bitcoins are lost.

The BIP39 standard defines a way of passphrase-protecting a mnemonic seed, and a similar scheme is used in the Electrum standard. If no passphrase is given, the empty string "" is used instead, so an unprotected phrase is simply the special case of an empty passphrase. In BIP39 the passphrase is made intentionally costly to brute-force: the seed is derived with PBKDF2 (2048 rounds of HMAC-SHA512), and each guess then also requires several slow EC point multiplications to calculate bitcoin addresses and check whether any of them hold bitcoins. That cost only multiplies the work per guess by a constant, though, so a short or dictionary-word passphrase is still easy to guess; the passphrase should be long and random to make brute-forcing infeasible. Electrum and some other wallets call the passphrase a "seed extension" or "mnemonic extension".
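The following is an added example, not code from the wiki or from any wallet, showing the BIP39 passphrase scheme described above: the seed derivation with the "mnemonic" + passphrase salt, the fact that every passphrase (including the empty one) yields a different but fully valid seed, and a dictionary attack by someone who already holds the mnemonic. The function names and the small candidate list are my own; the attack compares against a known seed rather than deriving addresses and checking the blockchain, which only changes the constant cost per guess. The fixed input is the official BIP39 English test vector (all-zero entropy, passphrase "TREZOR").

```python
import hashlib
import unicodedata
from typing import Optional

# BIP39 seed derivation: PBKDF2-HMAC-SHA512, 2048 rounds, 64-byte output,
# salt = "mnemonic" + passphrase, with both strings NFKD-normalised first.
PBKDF2_ROUNDS = 2048
SALT_PREFIX = "mnemonic"

# Official BIP39 English test vector (all-zero entropy, passphrase "TREZOR").
VECTOR_MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
                   "abandon abandon abandon abandon abandon about")
VECTOR_PASSPHRASE = "TREZOR"
VECTOR_SEED_HEX = ("c55257c360c07c72029aebc1b53c05ed0362ada38ead3e3e9efa3708e5349553"
                   "1f09a6987599d18264c1e1c92f2cf141630c7a3c4ab7c81b2f001698e7463b04")

# Constructed mini dictionary for the guessing demo; a real attacker uses millions.
WEAK_CANDIDATES = ["", "password", "123456", "bitcoin", "hunter2", "letmein"]


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 512-bit wallet seed. No passphrase means the empty string,
    so an unprotected phrase is just the special case passphrase == ""."""
    words = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = unicodedata.normalize("NFKD", SALT_PREFIX + passphrase).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", words, salt, PBKDF2_ROUNDS, dklen=64)


def derive_wallets(mnemonic: str, passphrases: list[str]) -> dict[str, bytes]:
    """One mnemonic, many passphrases: every passphrase yields a distinct, fully
    valid seed, which is what makes the decoy-wallet trick possible."""
    return {p: bip39_seed(mnemonic, p) for p in passphrases}


def brute_force_passphrase(mnemonic: str, target_seed: bytes,
                           candidates: list[str]) -> Optional[str]:
    """Dictionary attack by someone who already holds the mnemonic.

    Here a guess is checked against a known seed; a real attacker derives
    addresses (extra EC multiplications) and looks them up on the chain. Either
    way the cost per guess is a constant, so only the size of the search space,
    i.e. the passphrase's entropy, decides whether the attack succeeds."""
    for guess in candidates:
        if bip39_seed(mnemonic, guess) == target_seed:
            return guess
    return None


if __name__ == "__main__":
    assert bip39_seed(VECTOR_MNEMONIC, VECTOR_PASSPHRASE).hex() == VECTOR_SEED_HEX
    wallets = derive_wallets(VECTOR_MNEMONIC, ["", "decoy", "real"])
    print({p: s.hex()[:16] for p, s in wallets.items()})
    weak = bip39_seed(VECTOR_MNEMONIC, "hunter2")
    strong = bip39_seed(VECTOR_MNEMONIC, "correct horse battery staple 7Qx")
    print("weak passphrase recovered:",
          brute_force_passphrase(VECTOR_MNEMONIC, weak, WEAK_CANDIDATES))
    print("strong passphrase recovered:",
          brute_force_passphrase(VECTOR_MNEMONIC, strong, WEAK_CANDIDATES))
```

The empty-passphrase wallet is always there as well, so a phrase that is "protected" only by a password someone else can guess from a list gives no more protection than the bare phrase.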

Word Lists

Generally a mnemonic phrase only works with the same wallet software that created it, because wallets differ in the standard (for example BIP39 or Electrum) they use to turn the words into keys. If storing for a long period of time, it's a good idea to write down the name of the wallet too.

In the BIP39 English word list every word is uniquely identified by its first four letters, which is useful when space to write them is scarce.

See Also