Difference between revisions of "Seed phrase"

From Bitcoin Wiki
Jump to: navigation, search
(Storing Seed Phrases for the Long Term: Moving some content here from Storing bitcoins, some organization)
m (Paper and pencil backup: grammar)
 
(21 intermediate revisions by 7 users not shown)
Line 1: Line 1:
A '''seed phrase''', '''seed recovery phrase''' or '''backup seed phrase''' is a list of words which [[Storing bitcoins|store]] all the information needed to recover a Bitcoin wallet. Wallet software will typically generate a seed phrase and instruct the user to write it down on paper. If the user's computer breaks or their hard drive becomes corrupted, they can download the same wallet software again and use the paper backup to get their bitcoins back.
+
{{sample}}
 +
 
 +
A '''seed phrase''', '''seed recovery phrase''' or '''backup seed phrase''' is a list of words which [[Storing bitcoins|store]] all the information needed to recover Bitcoin funds [[Transaction|on-chain]]. Wallet software will typically generate a seed phrase and instruct the user to write it down on paper. If the user's computer breaks or their hard drive becomes corrupted, they can download the same wallet software again and use the paper backup to get their bitcoins back.
  
 
Anybody else who discovers the phrase can steal the bitcoins, so it must be kept safe like jewels or cash. For example, it must not be typed into any website.
 
Anybody else who discovers the phrase can steal the bitcoins, so it must be kept safe like jewels or cash. For example, it must not be typed into any website.
  
Seed phrases are an excellent way of backing up and [[storing bitcoins]] and so they are used by almost all well-regarded wallets.<ref>[https://bitcoin.org/en/choose-your-wallet Bitcoin.org: Choose your wallet]</ref>
+
Seed phrases are an excellent way of backing up and [[storing bitcoins]], so they are used by almost all well-regarded wallets.<ref>[https://bitcoin.org/en/choose-your-wallet Bitcoin.org: Choose your wallet]</ref>
 +
 
 +
Seed phrases can only back up funds on the [[block chain]]. They cannot store funds involved in [[off-chain transactions]] such as [[Lightning Network]] or [[Blinded bearer certificates]]. Although these technologies are in their infancy as of 2019 so its possible in future seed phrases could be used to backup them.
 +
 
 +
== BIP39 and its flaws ==
 +
 
 +
[[BIP_0039|BIP39]] is the most common standard used for seed phrases. One notable example is [[Electrum|Electrum wallet]], which is using its own standard, and for good reasons. BIP39 has some flaws, known in the technical community but not known much wider. They are described [https://electrum.readthedocs.io/en/latest/seedphrase.html#motivation here on this electrum doc page]. Most seriously, BIP39 flaws mean it is not true to say that backing up a BIP39 seed phrase and name of wallet software is the only thing a user needs to do to keep their money safe. BIP39 works this way because its designers wanted their hardware wallet to also support [[altcoin]]s. [https://walletsrecovery.org/ walletsrecovery.org] is an attempt at helping with this issue, but ideally there will be a better solution in the future.
 +
 
  
 
== Example ==
 
== Example ==
  
An example of a seed phrase is:
+
An example of a non-BIP39 seed phrase is:
  
     witch collapse practice feed shame open despair creek road again ice least
+
     hotel obvious agent lecture gadget evil jealous keen fragile before damp clarify
  
 
The word order is important.
 
The word order is important.
  
[[File:Mnemonic-seed-still-life.jpg|300px|thumb|none|alt=An example seed phrase written on paper|Example seed phrase on paper.]]
+
[[File:Seed phrase.jpg|300px|thumb|none|alt=An example seed phrase written on paper|Example seed phrase on paper.]]
  
 
== Explanation ==
 
== Explanation ==
Line 25: Line 34:
 
As seed phrases use natural language words, they have excellent error correction. Words written in bad handwriting can often still be read. If one or two letters are missing or unreadable the word can often still be deduced. The [[#Word_Lists|word list]] that the seed phrase words are drawn from is carefully chosen so that the first four letters of each word are enough to uniquely identify it. This compares well with writing down a raw [[private key]] where a single letter being unreadable or incorrect can make the private key useless (depending on the serialization format).
 
As seed phrases use natural language words, they have excellent error correction. Words written in bad handwriting can often still be read. If one or two letters are missing or unreadable the word can often still be deduced. The [[#Word_Lists|word list]] that the seed phrase words are drawn from is carefully chosen so that the first four letters of each word are enough to uniquely identify it. This compares well with writing down a raw [[private key]] where a single letter being unreadable or incorrect can make the private key useless (depending on the serialization format).
  
== Two-Factor Seed Phrases ==
+
== Two-factor seed phrases ==
  
 
Seed phrases, like all backups, can store any amount of bitcoins. It's a concerning idea to possibly have enough money to purchase the entire building just sitting on a sheet of paper without any protection. For this reason many wallets make it possible to encrypt a seed phrase with a password.
 
Seed phrases, like all backups, can store any amount of bitcoins. It's a concerning idea to possibly have enough money to purchase the entire building just sitting on a sheet of paper without any protection. For this reason many wallets make it possible to encrypt a seed phrase with a password.
Line 37: Line 46:
 
'''Warning''': The seed phrase password should not be confused with the password used to encrypt the wallet file on disk. This is probably why many wallets call it an extension word instead of a password.
 
'''Warning''': The seed phrase password should not be confused with the password used to encrypt the wallet file on disk. This is probably why many wallets call it an extension word instead of a password.
  
== Storing Seed Phrases for the Long Term ==  
+
== Storing seed phrases for the long term ==  
 +
 
 +
Most people write down phrases on paper but they can be stored in many other ways such as [[Brainwallet|memorizing]], engraving or stamping on metal, writing in the margins of a book, chiselling into a stone tablet or any other creative and inventive way.
  
In the past many people have accidentally lost bitcoins because of failed backups, mistyped letters, forgotten hard drives, or corrupted SSD devices. It's also important to protect the seed from theft. It is best not to get creative with your security, and instead use tried and true methods.
+
In the past many people have accidentally lost bitcoins because of failed backups, mistyped letters, forgotten hard drives, or corrupted SSD devices. It's also important to protect the seed from accidental loss.
  
 
It could be a good idea to write some words of explanation on the same paper as the seed phrase. If storing for the long term you may forget what a phrase is how it should be treated. A sample explanation that can be adapted is:
 
It could be a good idea to write some words of explanation on the same paper as the seed phrase. If storing for the long term you may forget what a phrase is how it should be treated. A sample explanation that can be adapted is:
  
<blockquote>These twelve words have control over BITCOINS. Keep this paper safe and secret, like cash or jewelry. The bitcoin information on this paper is encrypted with a passphrase. It is part of a multisignature wallet and was made by Electrum bitcoin wallet software on 1/1/2019.</blockquote>
+
<blockquote>These twelve words have control over BITCOINS. Keep this paper safe and secret like cash or jewellery. The bitcoin information on this paper is encrypted with a passphrase. It is part of a multi-signature wallet and was made by Electrum bitcoin wallet software on 2019-01-01.</blockquote>
  
==== Paper and Pencil Backup ====
+
==== Paper and pencil backup ====
  
Through bitter experience it has been found that one of the most practical storage mediums is '''pencil and paper'''. The private keys of a bitcoin wallet are encoded into [[seed phrase|random words from a dictionary]] which can be written down. If your hard drive crashes, you can find the paper with the [[seed phrase]] and restore the entire wallet. As [[seed phrase]]s use natural language words, they have good error correction. Words written in bad handwriting can often still be read. If one or two letters are missing the word can often still be deduced. The [[Seed_phrase#Word_Lists|word list]] that the seed phrase words are drawn from is carefully chosen so that the first four letters of each word are enough to uniquely identify it.
+
Through bitter experience it has been found that one of the most practical storage media is '''pencil and paper'''. The private keys of a bitcoin wallet are encoded into [[seed phrase|random words from a dictionary]] which can be written down. If your hard drive crashes, you can find the paper with the [[seed phrase]] and restore the entire wallet. As [[seed phrase]]s use natural language words, they have good error correction. Words written in bad handwriting can often still be read. If one or two letters are missing the word can often still be deduced. The [[Seed_phrase#Word_Lists|word list]] that the seed phrase words are drawn from is carefully chosen so that the first four letters of each word are enough to uniquely identify it.
  
For storing on paper writing with pencil is much better than pen
+
For storing on paper writing with pencil is much better than pen.<ref>[http://www.joethorn.net/blog/2011/12/07/pencil-does-not-fade Pencil Does Not Fade]
<ref>[http://www.joethorn.net/blog/2011/12/07/pencil-does-not-fade Pencil Does Not Fade]
 
 
</ref><ref>[https://www.quora.com/How-do-I-maintain-a-paper-notebook-that-can-remain-for-years How do I maintain a paper notebook that can remain for years?]
 
</ref><ref>[https://www.quora.com/How-do-I-maintain-a-paper-notebook-that-can-remain-for-years How do I maintain a paper notebook that can remain for years?]
</ref>.
+
</ref>
Paper should be acid-free or archival paper, and stored in the dark avoiding extremes of heat and moisture
+
Paper should be acid-free or archival paper, and stored in the dark avoiding extremes of heat and moisture.<ref>[https://www.loc.gov/preservation/care/deterioratebrochure.html Essential facts about preservation of Paper]
<ref>[https://www.loc.gov/preservation/care/deterioratebrochure.html Essential facts about preservation of Paper]
 
 
</ref><ref>[https://www.quora.com/If-I-write-with-a-pencil-on-my-notebook-will-the-writing-last-for-a-long-time-say-50-years-or-will-it-just-fade-away-gradually Writing in a notebook with pencil]
 
</ref><ref>[https://www.quora.com/If-I-write-with-a-pencil-on-my-notebook-will-the-writing-last-for-a-long-time-say-50-years-or-will-it-just-fade-away-gradually Writing in a notebook with pencil]
</ref><ref>[http://copar.org/bulletin14.htm CoPAR: Creating records that will last]</ref>.
+
</ref><ref>[http://copar.org/bulletin14.htm CoPAR: Creating records that will last]</ref>
  
==== Stamped Metal Backup ====
+
==== Metal backup ====
  
Even better than paper, there are a number of more [https://blog.lopp.net/metal-bitcoin-seed-storage-stress-test--part-ii-/ durable seed storage methods], like stamped metal plates. These are far more durable and can last a lot longer than paper. One of these methods is certainly recommended for anyone storing a significant amount of bitcoin.  
+
Seed phrases can also be [https://blog.lopp.net/metal-bitcoin-seed-storage-stress-test--part-ii-/ stamped or engraved into metal] which is significantly more durable than paper. Metal backups are recommended if the threat model involves fire, water, extremes of temperature or physical stress.
  
 
==== Methods that are not recommended ====
 
==== Methods that are not recommended ====
  
Some methods that are not recommended are: memorizing ([[Brainwallets]]), storing in a file on a computer (including online), or storing online.
+
Some methods that are not recommended are: storing in a file on a computer (including online), or storing online.
 +
 
 +
Some people get the idea to split up their phrases, like storing 6 words in one location and the other 6 words in another location. This is a bad idea and should not be done, because if one set of 6 words is discovered then it becomes far easier to brute-force the rest of the phrase. Storing bitcoins in multiple locations like this should be done with [[multi-signature]] wallets instead.
 +
 
 +
The [[Shamir Secret Sharing]] algorithm is sometimes promoted as a way to divide control of bitcoins, but in practice there are many pitfalls and trade-offs that make it not worth it.<ref>[https://blog.keys.casa/shamirs-secret-sharing-security-shortcomings/ Shamir's Secret Sharing Shortcomings] by Jameson Lopp, Casa blog, 2020</ref> <!-- See the main article: [[Shamir Secret Snakeoil]] (the other one redirects here, no need to have 2 wikilinks with different captions going to the same article -->
  
Some people get the idea to split up their phrases, like storing 6 words in one location and the other 6 words in another location. This is a bad idea and should not be done, because if one set of 6 words is discovered then it becomes far easier to bruteforce the rest of the phrase. Storing bitcoins in multiple locations like this should be done via [[multisignature]] wallets instead. Note that [[Shamir's secret sharing]] algorithm is also theoretically a secure way to store a seed in parts, but that it is currently difficult to find good-quality tools for doing it and there are many pitfalls in implementing it. Also, multi-signature wallets are better in a lot of ways, and most of the benefits Sharmir's algorithm has over multisig at the moment will disappear once technologies like [[Schnorr|Schnorr signatures]] are released.
+
Another bad idea is to add random decoy words that are somehow meaningful to you and later remove them to be left with only the 12-word phrase. The phrase words come from a known dictionary (see next section), so anybody can use that dictionary to weed out the decoy words.
  
Another bad idea is to add random decoy words that are somehow meaningful to you, and later remove them to be left only with the 12 word phrase. The phrase words come from a known dictionary (see next section), so anybody can use that dictionary to weed out the decoy words.
+
It's possible but risky to memorize ([[Brainwallet]]s) seed phrases. This should probably only be done in situations that really need it, such as crossing a hostile border where one expects to be searched.
  
== Word Lists ==
+
== Word lists ==
  
Generally a seed phrase only works with the same wallet software that created it. If storing for a long period of time it's a good idea to write the name of the wallet too.
+
Generally, a seed phrase only works with the same wallet software that created it. If storing for a long period of time it's a good idea to write the name of the wallet too.
  
 
The BIP39 English word list has each word being uniquely identified by the first four letters, which can be useful when space to write them is scarce.
 
The BIP39 English word list has each word being uniquely identified by the first four letters, which can be useful when space to write them is scarce.
Line 80: Line 93:
 
* [https://github.com/spesmilo/electrum/blob/master/electrum/wordlist/english.txt Electrum new-style wordlist]
 
* [https://github.com/spesmilo/electrum/blob/master/electrum/wordlist/english.txt Electrum new-style wordlist]
  
== Alternative name "Mnemonic Phrase" ==
+
== Alternative name "mnemonic phrase" ==
  
Seed phrases are sometimes called "mnemonic phrases" especially in older literature. This is a bad name because the word mnemonic implies that the phrase should be memorized. It is less misleading to call them seed phrases.
+
Seed phrases are sometimes called ''mnemonic phrases'', especially in older literature. This is a bad name because the word "mnemonic" implies that the phrase should be memorized. It is less misleading to call them seed phrases.
  
 
== The power of backups ==
 
== The power of backups ==
  
An especially interesting aspect in the power of paper backups is allowing your money to be two places at once. At the London Inside Bitcoin conference the keynote speaker showed 25 paper backups they were carrying -- all password-protected. With that one can carry $100,000 which can instantly be moved to a phone or transferred yet with total security. If it's stolen then there is no risk because it is backed up elsewhere. That is powerful.<ref>https://www.reddit.com/r/Bitcoin/comments/2hmnru/poll_do_you_use_paper_wallets_why_why_not_what/</ref>
+
An especially interesting aspect in the power of paper backups is allowing your money to be two places at once. At the London Inside Bitcoin conference, the keynote speaker showed 25 paper backups they were carrying&mdash;all password-protected. With that, one can carry $100,000 which can instantly be moved to a phone or transferred yet with total security. If it's stolen, then there is no risk because it is backed up elsewhere. That is powerful.<ref>https://www.reddit.com/r/Bitcoin/comments/2hmnru/poll_do_you_use_paper_wallets_why_why_not_what/</ref>
  
== See Also ==
+
== See also ==
  
* [https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki BIP39 mnemonic phrase standard]
+
* [https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki BIP39 seed phrase standard]
 
* [[Deterministic wallet]]
 
* [[Deterministic wallet]]
 
* [[Storing bitcoins]]
 
* [[Storing bitcoins]]
 
* [[Brainwallet]]
 
* [[Brainwallet]]
* [https://github.com/6102bitcoin/FAQ/blob/master/seed.md FAQ regarding bitcoin seeds]
+
* [https://github.com/6102bitcoin/6102bitcoin/blob/main/content/faq-bitcoin-seed.md FAQ regarding bitcoin seeds]
 +
* [https://web.archive.org/web/20210214135049/https://www.hodlalert.com/2020/12/21/generating-cryptographically-secure-random-numbers-with-coins-and-a-cup/ Generating Bitcoin Seed Phrases With Coins and A Cup]
  
 
==References==
 
==References==

Latest revision as of 17:28, 27 July 2023

This page contains sample addresses and/or private keys. Do not send bitcoins to or import any sample keys; you will lose your money.

A seed phrase, seed recovery phrase or backup seed phrase is a list of words which store all the information needed to recover Bitcoin funds on-chain. Wallet software will typically generate a seed phrase and instruct the user to write it down on paper. If the user's computer breaks or their hard drive becomes corrupted, they can download the same wallet software again and use the paper backup to get their bitcoins back.

Anybody else who discovers the phrase can steal the bitcoins, so it must be kept safe like jewels or cash. For example, it must not be typed into any website.

Seed phrases are an excellent way of backing up and storing bitcoins, so they are used by almost all well-regarded wallets.[1]

Seed phrases can only back up funds on the block chain. They cannot store funds involved in off-chain transactions such as Lightning Network or Blinded bearer certificates. Although these technologies are in their infancy as of 2019 so its possible in future seed phrases could be used to backup them.

BIP39 and its flaws

BIP39 is the most common standard used for seed phrases. One notable example is Electrum wallet, which is using its own standard, and for good reasons. BIP39 has some flaws, known in the technical community but not known much wider. They are described here on this electrum doc page. Most seriously, BIP39 flaws mean it is not true to say that backing up a BIP39 seed phrase and name of wallet software is the only thing a user needs to do to keep their money safe. BIP39 works this way because its designers wanted their hardware wallet to also support altcoins. walletsrecovery.org is an attempt at helping with this issue, but ideally there will be a better solution in the future.


Example

An example of a non-BIP39 seed phrase is:

   hotel obvious agent lecture gadget evil jealous keen fragile before damp clarify

The word order is important.

An example seed phrase written on paper
Example seed phrase on paper.

Explanation

A simplified explanation of how seed phrases work is that the wallet software has a list of words taken from a dictionary, with each word assigned to a number. The seed phrase can be converted to a number which is used as the seed integer to a deterministic wallet that generates all the key pairs used in the wallet.

The English-language wordlist for the BIP39 standard has 2048 words, so if the phrase contained only 12 random words, the number of possible combinations would be 2048^12 = 2^132 and the phrase would have 132 bits of security. However, some of the data in a BIP39 phrase is not random,[2] so the actual security of a 12-word BIP39 seed phrase is only 128 bits. This is approximately the same strength as all Bitcoin private keys, so most experts consider it to be sufficiently secure.[3]

It is not safe to invent your own seed phrase because humans are bad at generating randomness. The best way is to allow the wallet software to generate a phrase which you write down.

As seed phrases use natural language words, they have excellent error correction. Words written in bad handwriting can often still be read. If one or two letters are missing or unreadable the word can often still be deduced. The word list that the seed phrase words are drawn from is carefully chosen so that the first four letters of each word are enough to uniquely identify it. This compares well with writing down a raw private key where a single letter being unreadable or incorrect can make the private key useless (depending on the serialization format).

Two-factor seed phrases

Seed phrases, like all backups, can store any amount of bitcoins. It's a concerning idea to possibly have enough money to purchase the entire building just sitting on a sheet of paper without any protection. For this reason many wallets make it possible to encrypt a seed phrase with a password.

The password can be used to create a two-factor seed phrase where both "something you have" plus "something you know" is required to unlock the bitcoins.

This works by the wallet creating a seed phrase and asking the user for a password. Then both the seed phrase and extra word are required to recover the wallet. Electrum and some other wallets call the passphrase a "seed extension", "extension word" or "13th/25th word". The BIP39 standard defines a way of passphrase-protecting a seed phrase. A similar scheme is also used in the Electrum standard. If a passphrase is not present, an empty string "" is used instead.

Warning: Forgetting this password will result in the bitcoin wallet and any contained money being lost. Do not overestimate your ability to remember passphrases especially when you may not use it very often.

Warning: The seed phrase password should not be confused with the password used to encrypt the wallet file on disk. This is probably why many wallets call it an extension word instead of a password.

Storing seed phrases for the long term

Most people write down phrases on paper but they can be stored in many other ways such as memorizing, engraving or stamping on metal, writing in the margins of a book, chiselling into a stone tablet or any other creative and inventive way.

In the past many people have accidentally lost bitcoins because of failed backups, mistyped letters, forgotten hard drives, or corrupted SSD devices. It's also important to protect the seed from accidental loss.

It could be a good idea to write some words of explanation on the same paper as the seed phrase. If storing for the long term you may forget what a phrase is how it should be treated. A sample explanation that can be adapted is:

These twelve words have control over BITCOINS. Keep this paper safe and secret like cash or jewellery. The bitcoin information on this paper is encrypted with a passphrase. It is part of a multi-signature wallet and was made by Electrum bitcoin wallet software on 2019-01-01.

Paper and pencil backup

Through bitter experience it has been found that one of the most practical storage media is pencil and paper. The private keys of a bitcoin wallet are encoded into random words from a dictionary which can be written down. If your hard drive crashes, you can find the paper with the seed phrase and restore the entire wallet. As seed phrases use natural language words, they have good error correction. Words written in bad handwriting can often still be read. If one or two letters are missing the word can often still be deduced. The word list that the seed phrase words are drawn from is carefully chosen so that the first four letters of each word are enough to uniquely identify it.

For storing on paper writing with pencil is much better than pen.[4][5] Paper should be acid-free or archival paper, and stored in the dark avoiding extremes of heat and moisture.[6][7][8]

Metal backup

Seed phrases can also be stamped or engraved into metal which is significantly more durable than paper. Metal backups are recommended if the threat model involves fire, water, extremes of temperature or physical stress.

Methods that are not recommended

Some methods that are not recommended are: storing in a file on a computer (including online), or storing online.

Some people get the idea to split up their phrases, like storing 6 words in one location and the other 6 words in another location. This is a bad idea and should not be done, because if one set of 6 words is discovered then it becomes far easier to brute-force the rest of the phrase. Storing bitcoins in multiple locations like this should be done with multi-signature wallets instead.

The Shamir Secret Sharing algorithm is sometimes promoted as a way to divide control of bitcoins, but in practice there are many pitfalls and trade-offs that make it not worth it.[9]

Another bad idea is to add random decoy words that are somehow meaningful to you and later remove them to be left with only the 12-word phrase. The phrase words come from a known dictionary (see next section), so anybody can use that dictionary to weed out the decoy words.

It's possible but risky to memorize (Brainwallets) seed phrases. This should probably only be done in situations that really need it, such as crossing a hostile border where one expects to be searched.

Word lists

Generally, a seed phrase only works with the same wallet software that created it. If storing for a long period of time it's a good idea to write the name of the wallet too.

The BIP39 English word list has each word being uniquely identified by the first four letters, which can be useful when space to write them is scarce.

Alternative name "mnemonic phrase"

Seed phrases are sometimes called mnemonic phrases, especially in older literature. This is a bad name because the word "mnemonic" implies that the phrase should be memorized. It is less misleading to call them seed phrases.

The power of backups

An especially interesting aspect in the power of paper backups is allowing your money to be two places at once. At the London Inside Bitcoin conference, the keynote speaker showed 25 paper backups they were carrying—all password-protected. With that, one can carry $100,000 which can instantly be moved to a phone or transferred yet with total security. If it's stolen, then there is no risk because it is backed up elsewhere. That is powerful.[10]

See also

References