Cracking a Crypto Seed Phrase With Missing Words

Remembering and purposefully omitting a few words from a backup seed phrase is not a good idea because one can hack up to four words.

The security of Bitcoin assets kept in self-custodial wallets depends heavily on the seed phrase’s strength, allowing users to access the wallet and demonstrate their ownership of the funds.

Bitcoin BTC$64,914 seed phrases, which typically have 12 or 24 words, are thought to be “unhackable” since it would be impossible to brute-force the entire phrase with the computing power needed.

Industry analysts and executives argue that even though a whole seedphrase cannot be brute-forced, access to cash is still possible if three or four words are absent.

What is the difference between a private key and a seed phrase?

A 12- to 24-word mnemonic sequence known as a “seed phrase” is used to locate a Bitcoin wallet. A seed phrase is a human-readable master key for all private keys, unlike a private key, which is often a string of 256 digits. This means that all it takes to regain access to the wallet is correctly entering 12, 18, or 24 words.

A person’s seed phrase contains more than just random words. Instead, those come from a list of 2,048 words outlined in the Bitcoin Improvement Proposal 39, or BIP39, a proposal that sought to develop a process for creating universal seed phrases.

One can attempt to brute-force a seed phrase or a few missing words since seed phrases only contain terms from BIP39-set 2,048 if not more.

Trezor hardware wallet analyst Lucien Bourdain stated, “If you are missing words, computers can try ‘brute force’ it, which means trying every possible guess.”

“Please be aware that a BIP39 recovery phrase ends with the word “checksum.” According to Bourdain, once you have the first 11 words, it is not a random term and can be calculated.

What number of words can be extracted from a private key?

According to the co-founder of algorithmic investing protocol Trading Strategy, Mikko Ohtamaa, “12 words are known to be unbreakable in the current security community.” Still, he informed Cointelegraph there is a way to guess a few phrases.

Bourdain refers to some approximate estimations of the computing energy and time required for recovering specific amounts of words to determine whether it is possible to recover a few words from a seed phrase.

Bourdain emphasized, “As you can see, the time required to guess words grows exponentially with each additional missing word.”

“Beyond four words, it becomes impractical. […] While recovering 2-3 words might be feasible, the computational power required to brute-force an entire 12 or 24-word seed phrase remains astronomically high.”

Previously, a few methods for recovering up to four words in a seed phrase, such as BTCRecover, ChatGPT, and the GitHub project, have been described by some industry insiders, like The Smart Ape. In addition, the Smart Ape said he misplaced four words from his private key but eventually found them.

Because up to four words can be recovered using current computational technology, one should exercise caution when storing a private key.

It should be understood that having a complete and accurate backup and storing it safely will yield greater efficiency than simply memorizing a few words from a seed phrase and cutting them out of a backup.

Always verify your backup twice, and create additional copies. According to Bourdain, other metal backup options are available to prevent unintentional destruction.