SeedSigner / seedsigner

Use an air-gapped Raspberry Pi Zero to sign for Bitcoin transactions! (and do other cool stuff)
MIT License

Keypad PIN code securing QR codes idea #515

Open Runixcube opened 11 months ago

Runixcube commented 11 months ago

Here’s an idea that I need peer reviewed please. It appears sound to me but I could just be engineering backwards or something. I wouldn’t know without others reviewing it. Thanks.

Original pdf if you’d prefer to read it that way.

Keypad Seed Word security idea.pdf

Keypad Seed Word security idea

It is common for people to save their seed words written in a list of 12, or 24 words all numbered with the order. Either on paper or stamped into steel plates -

people seed say diary like this one enough hidden that more metal twelve spot shadow moon day year where sleep only drive online copy

Or as

1 people      13 twelve
2 seed        14 spot
3 say         15 shadow
4 diary       16 moon
5 like        17 day
6 this        18 year
7 one         19 where
8 enough      20 sleep
9 hidden      21 only
10 that       22 drive
11 more       23 online
12 metal      24 copy

This has known and documented security issues, namely that anyone finding the list can restore the wallet. A passphrase system has been added for security so it poses less of a risk.

The proposal below shows a way of further hiding and securing seed words using a common use method we are all familiar with, namely universal keypads as seen at cash machines, modern phone dialers, calculators etc.

IMG_2441

IMG_2442

What I propose shows that any person finding your keypad word layout would not know what order your seed words are in the number. So you will have another layer of security. First they need the keypad pin code to find the words. Then they need to put the words in order.

You will put 4 of your seed words in six boxes for a total of 24 words. You can also use 12 words but more on that later.

IMG_2446

This fills the keypad numbers up to form a PIN code.

Choose your own.

For this example we will use 204579

You see it now with the list in place. First four seed words are in box 2, next set of four words in the list are in keypad number 0, and so on until all our seed words are in place.

IMG_2451

Our pin 204579 puts the seed words back in order.

However we need to hide our words and so we fill the blank boxes with 4 random bip words so ours are hidden.

IMG_2452

We will fill the blanks to the left and right at the bottom later.

In its simplest form we have now hidden a list of 24 seed words. If only using this basic form it could or may help to fill the two blank spaces to give the illusion of a grid but leaving it as an obvious keypad may encourage an attacker to go with that method of decryption and be harder for them?

Your seed phrase is now in plain sight but unlike the list they are out of order, BUT in a way that should be easily remembered by users, or easier to hide a pin code?

I’m aware some will say if you don’t use a pincode enough you won’t remember it.

Here’s how we placed our seed words. Seed words 1,2,3 and 4 are in box 2, aka PIN number 2 on the keypad.

IMG_2443

So our pin code for this seed is clearly 204579

It is highly unlikely someone could guess our seed/pin anymore than they guess our bank pin (of course no one gets shut out of a paper/steel wallet like a bank cash point) but I’m sure you can agree this is more secure than a list.

Many will no doubt use memorable dates or a phone number they remember, maybe one from childhood that’s no longer used.

So with that in mind, someone discovering your passcode.

Earlier remember when we added in the random bip words to fill the keyboard to further hide our seed?

IMG_2452

There is another step we can take to make it even harder to discover our seed. That is rotation and/or reordering of our 4 seed words in any 1 or combination of boxes.

In this example anyone guessing our pin, maybe you used your birthday or similar. So they guess your pin. Now they believe they have your seed phrase and enter it to open your wallet.

However they find that doesn’t happen. No wallet is unlocked.

In a good situation they believe they have the pin wrong and move onto other variations.

However what they don’t realise is your first and last seed was in reverse.

This is an example, any number of boxes could be changed in a way you easily remember.

IMG_2444

1st and last seed words in reverse order, boxes 2 and 9 of your PIN code

IMG_2453

What if you used an X pattern to alter the order?

See here the 1st seed word is in the top left, 2nd seed word bottom right, 3rd seed top right and 4th seed word bottom left because you chose your x pattern that way.

IMG_2445

You could have left it that way but you didn’t, you did the same with the last digit in your PIN code, so your last 4 seed words are also out of order in an X

IMG_2453

This is more than enough for most people and multitudes safer than a seed word list but there is still more we can do if we want.

By surrounding the keypad like below we make the pin pad invisible and the added benefit is achieved if we rotated and/or reordered certain PIN code entries like above, seed numbers in boxes 2 and 9 were altered.

IMG_2448

You could if all this is peer reviewed and found valid now take a photo or screen shot of the above (without the outline of the keypad of course, that’s only here for clarification) and store it digitally. You’d only need to remember the first seed word and PIN code.

The word gives you the location of the first number of your pin code which we used 2, aka it’s the number on the keypad. You now should be able to see the keypad.

IMG_2450

The rest of your pin is 204579. So should be easy from here to recover your seed.

IMG_2455

This is a way to further secure seed words on paper and or steel plates. Even from the above image it’s tough to know the order of the seed.

Now earlier I spoke about 12 word seeds and how this also works. It works due to you can use a 3 digit pin. Say 097 which gives you 12 words or you could use a 6 digit pin as before but ignore two words in each box,

IMG_2456

The words are still there for all to see but it is you who knows which ones to ignore.

Again you can ignore in any pattern.

IMG_2457

And you can even mix it up like before. Here the first two and last two seed words are read differently. You read the first two in the first and last boxes of your PIN code but last two in all other boxes.

IMG_2458

And of course you can hide it further as before.

IMG_2448

QR code based systems

This idea would also work with QR code based systems. It only requires the qr code to be broken up into separate seeded words and stored as previous. The QR seed signer would scan each QR code to enter the seed.

This is useful because at the moment QR codes aren’t secured. Anyone finding them has access to all seed words. And it’s only a matter of time before computers are powerful enough that that’s all that’s needed.

A Seedsigner generates a seed phrase, splits the seed up into sets of 4 words ie 6 sets of 4 QR codes (seed words) instead of at the moment 1 QR code.

Then a Seedsigner/user can place them in the keypad pattern as per my method outlined above.

And then finally Seedsigner creates dummy QR codes containing random bip words for the other pin pad placement.

Hey presto a secure QR PIN code.

IMG_2460

Same rules apply to use it.

Your PIN code is the order the QR codes are scanned and seed signer adds them all together as you go; SS enters your seed words together. If the order is wrong you ain’t seeing a wallet.

Think of it like this.

If I give you 6 qr codes all lined up. And say scan them in one at a time in order. You do it. A wallet is loaded.

I now mix them up and throw in 4 others (6 if I’m disguising the pin pad; filling in the two blank spots either side of the bottom pin 0)

I say find them now and scan them. You most likely wouldn’t find them.

So to ensure I know which ones are which in future I lay them out/draw them in a pattern. The pattern looks like this

IMG_2442

I remember where I left them.

Example in places 234678

That’s an easy number to remember.

I come back later and know where they are and what order to scan them.

Hence a PIN code.

I hope this has been of interest and welcome feedback if there are flaws and not worth anything, that’s why this is being put out to the community.

Thanks JM

ps…. Clearing out a friend’s belongings you find a scrap of paper. There are no other clues.

IMG_2462

jdlcdl commented 11 months ago

Just some thoughts:

There is a likely non-zero probability that words in a mnemonic are duplicated, so perhaps some thought should be given to duplicates in the grid of "random words" which are NOT part of the mnemonic... for hiding the instances where the scheme suggests that duplicates exist in the same pin-code button box.

This entire scheme, as well as all of the variations are what I like to call "meta secrets". Combined, they're all part of your "secret" and I mean that in the context of "Can you keep a secret?" which is a question we all must ask ourselves... and we must live with the consequences of the reality far into the future as opposed to how sincerely we answer that in the present. Complexity, for the most part, works against us... so does our own ability to remember secrets and meta secrets, and also how we plan to transfer those secrets to our heirs.

This scheme feels much like "border wallets", except that my gut-feeling is that it's slightly less secure (by some factor of four but I'm not sure how that plays out exactly) and maybe even more if the expanded grid does NOT cover all 2048 seed words while also being slightly easier to remember/execute... but the scheme itself is also a secret, especially if few are using it.

A strong bip39 passphrase can be as 'hard' (or even harder) than a mnemonic and is a single additional "secret" that can easily be transferred to an heir, and/or recorded in case we forget. Also, it provides for "decoy" wallets. It has been vetted by many, and even if your heirs only had the following: "My funds are hidden in mnemonic X with passphrase Y and I used standard wallets when I stacked during the 3rd-4th epochs." then they'd have a very good chance of learning that they must keep their secrets, that you're referring to bip39, and that native-segwit derivation was likely used. Assuming they knew nothing more than "don't trust, verify", they'd easily find the help they need to recover your treasure. Personally, during my last breath, I want to be able to relax in peace and enjoy that moment, instead of thinking "oh no! what have I done?".

Besides all that... I really don't have any major issues with this... we all have to weigh our own threat-model and keep our secrets secret.

Thank you for writing this up, for your deep thoughts, for your creativity, and for being here to share your ideas with others.

p.s. A shameless plug to my recent-ish "Can you keep a secret?" thoughts is here... a crowd which you, apparently, are a part of too! ;)

Runixcube commented 11 months ago

Thanks for taking time to read my work and then commenting. 🙏

Yes it would need someone smarter than me to do the math to say how secure it is though it is certainly more secure than seed words on a plate or paper that is common at the moment.

I read the piece you wrote/linked to. Thanks, it was very thought provoking.

Have a nice day

jdlcdl commented 11 months ago

Wondering if you can provide an example, because I'd like to try to break it... but I'm not interested in trying to crack it if it has a bip39 passphrase.

Make a 12 or 24 word mnemonic, record it, and the fingerprint. Make an example of your grid w/ 4 words per cell, in whatever rotations you like... but in a shape where a pincode overlay would cover all your words within the standard 1-9+0 buttons.

I will do my best.

Runixcube commented 11 months ago

Excellent idea. I should have included one in my original write up, I’ll update it (and my first post as I see the software here does all the formatting)

Below is my idea in its most basic form, grid lines are intact and the two bottom areas # & * on a keypad are blank, I could have filled them making 48 words total and taken the lines away but seeing as this is merely a test, proof of concept and you know what it is there’s no point. If you can’t crack the basic one adding 8 more words will make it even harder.

Everyone likes a good mystery, so…

Clearing out someone’s belongings after death you find this piece of paper. No other clues just this.

IMG_2462

jdlcdl commented 11 months ago

I think I'm starting to understand some of the math involved in brute forcing this.

Assuming that:

...brute forcing different pins would require:

In a 12 word mnemonic, the 12th word contains 7 entropy bits (and 4 checksum bits), so out of the 720 attempts, roughly 128/2048 or 6.25% of those will be valid mnemonics and the rest of the brute force attempts can be ruled out.

In a 24 word mnemonic, the 24th word contains 3 entropy bits (and 8 checksum bits), so out of the 115200 attempts, roughly 8/2048 or 0.39% of those will be valid mnemonics and the rest of the brute force attempts can be ruled out.

On my desktop computer, this takes 1m13s for the example provided above, and reveals 50 valid 12word mnemonics and 577 24word mnemonics that are valid, which is "ballpark" for the above estimates. BUT:

Would you consider putting some funds into a UTXO within this wallet on testnet?... or providing an address from that wallet, in a response below, so that we can pretend that it's trivial to scan the blockchain for funds? I will then try to reveal your pin and mnemonic -- and the code used to do so.

Runixcube commented 11 months ago

Thing is if it’s as easy as you’re suggesting the funds will be gone before you find the wallet as others may be watching.

If all you found was the paper could you find the wallet with no further details?

what are my seed words?

and are they

12 or 24?

Runixcube commented 11 months ago

Earlier I looked at the linked page below and also asked them to take a look at this to see what they think.

https://www.whatisbitcoin.com/security/guess-my-seed-phrase

Runixcube commented 11 months ago

I think I should give more details of what I’ve done so we can work this out faster and not waste time as we’d need to explore this anyway and you can do the math easier.

jdlcdl commented 11 months ago

> I think I should give more details of what I’ve done so we can work this out faster and not waste time as we’d need to explore this anyway and you can do the math easier.
>
> There is rotation or reordering. How many I won’t say.
>
> There may or may not be decoy wallet or wallets.

If there are rotations, and an arbitrary amount of them, or if there are ignored words so that maybe it's more than 3 digit pin for 12 or 6 digit pin for 24... then it quickly gets much harder than mine. I cannot know your pin or mnemonic without knowing at least an address to search for, or a pubkey, or a fingerprint. Knowing those gets us the "must search the blockchain" task from trivial-but-resource-and-time-consuming to immediate... but it's hardly so difficult that it could not be done by a determined attacker who knows there is something worth-while to steal.

My computer found many possible pins/mnemonics. I could give you a list and the code...but I'd love to have something to search for just to take the mystery/experiment as far as we can (while it's fresh in my head). I wouldn't share the code without your confirmation that there are no real funds on this... and that you haven't put real funds behind this method and also lost that piece of paper yet. I'll share as soon as we've exhausted the task and you confirm that it's safe to do so.

Btw: 2 more cells makes it harder but only trivially so (12*11*10 instead of 10*9*8). If it were a large sheet of cells and you had to lay a virtual keypad in the right position, and rotations were mandatory, it might get out of reach and into computationally-hard territory, which is the real goal. If it's a good idea, then it's a good idea for many to do... and then it becomes a good idea for attackers to optimize code for cracking real funds in the wild... so no matter what, to avoid "security by obscurity", we have to assume sophisticated attackers.

Runixcube commented 11 months ago

If I’m understanding -

is the public info you need just to speed up the process as the article I linked to above all they shared was the seed words and say finders keepers.

Can’t I just do that as time it takes to disappear is important here as if someone used this method whilst still alive time could be what stops them losing their bitcoin.

jdlcdl commented 11 months ago

I have not figured out the code for 1) rotated words in one or more of the cells nor for 2) scrambled words in one or more of the cells, but I'm thinking about how to implement that currently (so far, I'm mind-boggled) and also just trying to figure out how to estimate the math as I did above.

With the unrotated assumption, I've already found 50 12 word seeds that are valid and 577 24 word seeds. So they're all valid wallets -- without bip39 passphrases, and I'd need a target to shoot for. The fingerprint would whittle it down bigtime, likely I'd land exactly on it for each match, with only 1 in 4-billion chance of error. Else, the very first address on a known derivation path is almost as easy (but does include a few more sha512 hash rounds). With only an address... and if you tell me it's one of the first 10 receive addresses on a standard derivation path... It would be 10x harder but every small non-standard change we make to that target makes it harder.

Since you've mentioned that there are rotations, we can already assume that I have not yet found it... but I should be "capable" to find it once I figure out the implementation of doing so... but also I'm not sure if it will be computationally out of reach since I haven't figured on how to calculate the math of the brute force.

True that not having a target or having the target harder to find could keep funds safe. But we have to assume mistakes by the user and perfection by the attackers. They already have an instantly fast index of all addresses that hold funds on the blockchain (like almost exists in blockchain explorers), and they're only attacking you because they know you have more funds than the attack costs and they already found your backup like above.

Runixcube commented 11 months ago

One other thing I forgot to mention. We need to explore this to see how viable it is.

jdlcdl commented 11 months ago

So are you saying that there are 4 duplicated words in your 12 or 24 word mnemonic?

jdlcdl commented 11 months ago

About exploring this as a backup method. If it is easy to crack without duplicates but impossible to crack with duplicates, then requiring duplicates becomes a rule, not an option, else someone who chooses not to duplicate (which is not even hardly likely in a real mnemonic) won't be protected. Same with rotations, if adding one or more rotations makes it secure and not having any rotations makes it insecure (I'm getting the feeling that this is the case), then it becomes mandatory and not optional, else someone using it who does not rotate (and take the risk that they'll forget what the rotation was) is not protected.

Runixcube commented 11 months ago

No duplicates in the seed phrase. I just gave away that it’s a 12 word seed.

Also I just thought

jdlcdl commented 11 months ago

I'm misunderstanding

> There is at least one double repeating digit/number in the sequence.

If that statement is true, I'm thinking that it means the pin might read like 133, and then there would be 4 duplicated words. What did you mean by "there is at least one double repeating digit in the sequence."?

That said, while it's not likely, it is possible... and it makes the computation a little bit harder.

jdlcdl commented 11 months ago

We're quickly getting into the very realistic/probable realm of meta-secrets that would have to be recorded on the sheet, else they'd be forgotten and funds lost. Even with just some scrambling (because the mnemonic is sliced up in pin-digits), I think it's likely a good idea that the user would write the wallet fingerprint on the sheet... so that they know when they get the right pin... but maybe not.

Runixcube commented 11 months ago

For a 12 word seed I’d just write a pin like this and/or remember it

Example

Means 3rd digit is read bottom two words not top. Then next number 3 is read top as the bottom has already been used.

I agree it could start getting difficult to remember and that’s something to avoid so what is the bare minimum that can be gotten away with?

jdlcdl commented 11 months ago

Originally, my thought that this was like a border wallet, except easier by a factor of 4... because it can be assumed that with each cell of four words, the words are constrained to being adjacent to each other (even if they are rotated or worse, out of order).

But it becomes much harder to crack once it's optional to reorganize the words and even take them out of their boxes. It becomes much harder than 24 scrambled seed words, because it could be any 12 or 24 of the 40 currently, or any 12 or 24 of 48 if you use the other two boxes on the bottom.

As I mentioned earlier. I think I can provide a list that includes your mnemonic IF AND ONLY IF, it was done without rotations, ignoring words, and scrambling. If that is an optional rule that users might employ... then this method seems trivial... but if it's mandatory to rotate/scramble/ignore some... then my gut feeling is that it can become computationally hard to crack... while also being hard to remember for the user.

Runixcube commented 11 months ago

Words are never removed from their box.

For a 12 word seed, 6 digit pin, 2 words in boxes can be ignored as in my original paper

for 12 word seed, 4 digit pin, 1 word in a box can be ignored

whole box of words is used for a 6 digit 24 word seed but words can appear in reverse order etc

Runixcube commented 11 months ago

> I'm misunderstanding
>
> > There is at least one double repeating digit/number in the sequence.
>
> If that statement is true, I'm thinking that it means the pin might read like 133, and then there would be 4 duplicated words. What did you mean by "there is at least one double repeating digit in the sequence."?
>
> That said, while it's not likely, it is possible... and it makes the computation a little bit harder.

Sorry I missed this earlier.

there are no duplicated words in the seed.

The seed is 12 words

a repeating digit means like this example

112345

This would mean the top could be read on the first pass, the bottom words on the next

ie

112345

would be

cheap miracle use daughter glare empower other orchard shoot merit loyal gap

that is without rotation.

Say it was

112345

Now becomes

use daughter cheap miracle glare empower other orchard shoot merit loyal gap

because the bottom was read first on the first digit.

jdlcdl commented 11 months ago

So the 1's being adjacent in the above example, is it correct that the pin code can also be "12345", with no step of having to remember to ignore? and instead having to remember to start at the bottom or start at the top with rotations?

If the 1's can be separated, as in 121345, then I can see it, but this is what I meant by stripping words out of their boxes (ignoring is sort of doing that too).

All of these possible meta-secrets and permutations makes the code-cracking MUCH more difficult... likely into "good enough" as security goes... but I still think it either requires the user to record more info on the paper... or they risk losing funds. And if all of this is optional, then we should assume the user will do what is easiest, and not rotate anything, not ignore anything... since it's within the rules. Our assumptions should be "The user will be sloppy, forgetful, lazy and that attacker is the smartest guru that we'll never even get a chance to meet or become." We should be left with simple to employ for the user... and not enough resources in the universe for the attacker to have a good chance of winning.

btw: I'm still thinking about how to implement the rotating of words efficiently.

jdlcdl commented 11 months ago

I wish I'd paid attention in math classes... (and that if I did I'd remember them still).

My gut feeling is that "arbitrary" rotations/permutations of words in a box means 4*3*2*1=24 for each pin digit, starting with a 12 word seed, this would be 10*24 * 9*24 * 8*24 = 9953280 possible 12 word combos with 622080 of them likely to be valid mnemonics... less hard than scrambling 12 words (already a bad idea). For a 24 word seed it becomes 10*24 * 9*24 * 8*24 * 7*24 * 6*24 * 5*24 = 28894769971200 with 112870195200 of them likely to be valid mnemonics. I'm not convinced that 100s of trillions is quite into big-number territory but I'm sure it's more than I'm willing to run on my scrawny 4core xeon desktop... in python. Still, it should be easier than cracking 24 scrambled words.

I'm not absolutely sure about those numbers there, but it leads me to believe that I should gracefully back-away from pursuing trying to crack your seedphrase given that arbitrary rotations and permutations are a possibility.

Thank you for this challenge, it's been fun, and a useful exercise... but I'd worry about loss of those meta secrets by the user and I wouldn't rule out a determined attacker with resources and reason to challenge this method.
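The counting argument in the comment above can be checked mechanically. The following Python sketch is an added example, not code from this thread or from SeedSigner: it computes candidate counts for the 10- and 12-box layouts with and without arbitrary word order inside a box, and measures how often a random word sequence passes the BIP39 checksum. Function names are illustrative, and words are represented by their 11-bit wordlist indices so no wordlist file is needed.

```python
"""Search-space estimate for the keypad-grid seed backup discussed here."""
import hashlib
import math
import random

WORDS_PER_CELL = 4  # as in the proposal: four words per keypad box


def candidate_count(cells, pin_len, arbitrary_order=False):
    """Number of word sequences an exhaustive search has to consider.

    cells:           boxes on the sheet (10 for digits 0-9, 12 with * and #)
    pin_len:         boxes read, no repeats (3 -> 12 words, 6 -> 24 words)
    arbitrary_order: allow any of the 4! word orders inside every box
    """
    per_cell = math.factorial(WORDS_PER_CELL) if arbitrary_order else 1
    return math.perm(cells, pin_len) * per_cell ** pin_len


def checksum_bits(n_words):
    """BIP39 appends ENT/32 checksum bits: 4 for 12 words, 8 for 24."""
    return n_words * 11 // 33


def expected_valid(cells, pin_len, arbitrary_order=False):
    """Candidates expected to pass the BIP39 checksum purely by chance."""
    n_words = pin_len * WORDS_PER_CELL
    total = candidate_count(cells, pin_len, arbitrary_order)
    return total / 2 ** checksum_bits(n_words)


def is_valid_indices(indices):
    """BIP39 checksum test on a list of 11-bit wordlist indices (0..2047)."""
    total_bits = len(indices) * 11
    cs = checksum_bits(len(indices))
    value = 0
    for idx in indices:
        value = (value << 11) | idx
    entropy = value >> cs                 # leading ENT bits
    checksum = value & ((1 << cs) - 1)    # trailing checksum bits
    digest = hashlib.sha256(entropy.to_bytes((total_bits - cs) // 8, "big")).digest()
    return checksum == digest[0] >> (8 - cs)


def measured_valid_rate(n_words, samples=20000, seed=1):
    """Fraction of constructed random index sequences that pass the checksum."""
    rng = random.Random(seed)
    hits = sum(
        is_valid_indices([rng.randrange(2048) for _ in range(n_words)])
        for _ in range(samples)
    )
    return hits / samples


def summary():
    """One row per layout variant, with the search size expressed in bits."""
    rows = []
    for cells in (10, 12):
        for pin_len in (3, 6):
            for arbitrary in (False, True):
                n_words = pin_len * WORDS_PER_CELL
                total = candidate_count(cells, pin_len, arbitrary)
                rows.append({
                    "cells": cells,
                    "words": n_words,
                    "arbitrary_order": arbitrary,
                    "candidates": total,
                    "search_bits": round(math.log2(total), 1),
                    "mnemonic_entropy_bits": n_words * 11 - checksum_bits(n_words),
                    "expected_valid": expected_valid(cells, pin_len, arbitrary),
                })
    return rows


if __name__ == "__main__":
    for row in summary():
        print(row)
    print("measured 12-word checksum pass rate:", measured_valid_rate(12))
```

Even the largest variant here, 12 boxes with a 6-digit PIN and arbitrary order in every box, comes to about 47 bits of search, against 256 bits of entropy in the 24-word mnemonic itself.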

Runixcube commented 11 months ago

I don’t see the number repeating as ignoring or jumping boxes. I just see a pin pad with a PIN code.

So I’m just inputting a pin. Easy enough to remember or hide elsewhere.

As for the rotation I would use one method and remember that ie first pin is reversed, last pin is reversed.

I also should have paid more attention in maths.

It’s been good fun working through this with you and I do agree that I have started to feel it may be easier to crack than 24 scrambled words but thought the extra words up to 48 might level things out.

I’m still wondering if you have found the seed and/or just the 2 decoy seeds I placed but with the amount you said you’ve discovered from the words you’ve probably got it but you still have to trawl through all that data to find the wallet right. Then if I’d put a passphrase on you’d have that too so I’d have created a bigger headache for you.

Runixcube commented 11 months ago

> So the 1's being adjacent in the above example, is it correct that the pin code can also be "12345", with no step of having to remember to ignore? and instead having to remember to start at the bottom or start at the top with rotations?
>
> If the 1's can be separated, as in 121345, then I can see it, but this is what I meant by stripping words out of their boxes (ignoring is sort of doing that too).
>
> All of these possible meta-secrets and permutations makes the code-cracking MUCH more difficult... likely into "good enough" as security goes... but I still think it either requires the user to record more info on the paper... or they risk losing funds. And if all of this is optional, then we should assume the user will do what is easiest, and not rotate anything, not ignore anything... since it's within the rules. Our assumptions should be "The user will be sloppy, forgetful, lazy and that attacker is the smartest guru that we'll never even get a chance to meet or become." We should be left with simple to employ for the user... and not enough resources in the universe for the attacker to have a good chance of winning.
>
> btw: I'm still thinking about how to implement the rotating of words efficiently.

Pin can be anything that helps you remember where you put your seed. If you haven’t had a go at making your own example maybe have a try. When I was making it I remembered that you said about hash numbers and I went reading. I saw that the last number is a hash so I made a point of including decoy wallets rather than just random bip words in the hope it would throw in even more wallets for an attacker to trawl through thus increasing their time, energy and money.

For a 12 word seed 123456 would just mean the first two words in each box as 6 * 2 = 12

It’s not hard for me to remember a pin and that I should read the first digit backwards and or last or even every other digit.

For a 24 word seed with 6 digit pin say 123456 all words would need to be used per box as 6 * 4 = 24.

Rotation is what saves it as it increases the randomness as does the words being in different boxes but when you run a computer program you’re just putting all the possible seeds together and you’re not even trying to work the pin out.

With not everyone having a computer program to do that calculation it’s safer than a list from a find and enter type attack by someone in the house, disgruntled spouse, child etc. A simple 6 digit pin even without rotation is probably good enough for that situation?

jdlcdl commented 11 months ago

> I’m still wondering if you have found the seed and/or just the 2 decoy seeds I placed.

I only implemented the non-ignoring/non-rotating version. It found 50 12word seeds and 577 24word seeds, but if you did any scrambling then none found would be yours. While I did the math in the previous post, I never implemented code that would exhaust those arbitrary permutations per cell.

If you didn't rotate/scramble any of the cells for the decoy seeds, then I suspect I found them both.

Runixcube commented 11 months ago

In all this I almost forgot. QR codes are never scrambled. This method achieves that. I wonder if you feel it has any value for that application?

jdlcdl commented 11 months ago

Perhaps it can. As you said, any obscurity is safer if found by a normie... and that's the worry which is most likely.

We're talking here in public, so we must respect that "security by obscurity" is NOT a public security solution. If we discuss it, then others will know that we may be using it, and others may follow our lead... so we must be vigilant and for the most part not "home roll" our security solutions.

However, without speaking for others, I believe that security by obscurity is a real thing. The military doesn't share its methods. Bitcoiners don't always share how they secure their secrets, for the most part, they don't speak of their bitcoin at all. If your threat is a normie finding it, and not a sophisticated attacker (which is ok as long as you're ok with it but by all means is not something that I would ever recommend publicly, nor should you, nor should anyone), then things like:

But in public, especially coming from this community, we have to have the highest of standards, and the ones that are most vetted are a simple mnemonic and bip39 passphrase (hard to crack)... or better yet a multisig with mnemonics distributed geographically (hard to crack and expensive because of distance and how many other obstacles might be in the way). And we must always take into account usability for the user... we don't want them clobbering themselves because of our advice/bad-ideas.

Runixcube commented 11 months ago

I thought I’d share this as I believed it could be of use, therefore it was important that it be tested by others. I had contemplated that someone smart would take one look at it and laugh saying it’s a basic math problem and easily solved/cracked.

Just storing seed phrase amongst other words is enough for most people alongside a passphrase. As seedsigner said the other day “words are everywhere”

I do have further ideas on this, a physical object, but I think it might get complicated and then like you say people lose their funds.

Have a nice day and again thanks for your time 😊