iancoleman / bip39

A web tool for converting BIP39 mnemonic codes
https://iancoleman.io/bip39/
MIT License

Added Split Phrase Card Output #279

Closed mctrivia closed 4 years ago

mctrivia commented 5 years ago

Seed phrases are a great way to backup, but if someone finds where you wrote them down you could lose everything. My suggestion is to store the seed phrase on 3 cards where 2 of the 3 cards are needed to recover. This way if one is lost you can still recover, and if a 3rd party finds 1 there are still 10n/3 bits of missing data for them to guess (n is the number of words in the seed). With a 24 word seed phrase this makes 80 bits missing, which is still years to brute force.

cernekee commented 5 years ago

Seed phrases are a great way to backup but if someone finds where you wrote them down you could lose everything.

I had the same concern. My proposed solution was to use Shamir's Secret Sharing Scheme: https://bitcoin.stackexchange.com/a/80589

I'd like to perform the conversions using this "bip39" project (which only needs a web browser) instead of App::BIP39Utils because the latter requires compiling a bunch of other dependencies. In order to convert between the 24-word mnemonic and the raw hex entropy value, something like this is needed: https://github.com/iancoleman/bip39/pull/271

So currently I'm maintaining this change in my local branch...

mctrivia commented 5 years ago

Yeah, I thought about doing a more complicated system, but this is likely to be used by my kids after I die, and this is super easy for anyone and still secure.

cernekee commented 5 years ago

Using SSSS is pretty easy -- worst part is that it requires a separate tool. You just convert to hex, split, then convert each share back to mnemonics. And you don't lose any security at all, because one share is useless on its own.

I thought about integrating it into the bip39 page but the UI would probably be clunky. It didn't seem like a good fit for how the tool currently works. Maybe a button that opens a new import/export window would help.

mctrivia commented 5 years ago

Yes, but I wanted to keep it as simple as possible and still be secure. This way each card is also useless for the foreseeable future when using 24 word seeds. 80 bits is a lot to brute force. Did a quick test and using 1 computer could try 2000 combinations per second. That's 19,167,393,131,891 years to brute force. Could chop 7 digits off with an ASIC probably. May be doable in a lifetime with several shipping crates full of custom ASICs.

iancoleman commented 5 years ago

Thanks for this. I appreciate the consideration and effort that went into this. It's an elegant implementation, especially the UX is seamless.

One consideration is some wallets use 12 word seeds (e.g. Mycelium with 500K installs). This greatly reduces the number of guesses needed. (I usually base my worst-case estimates on zxcvbn, which uses 10B guesses per second, see this zxcvbn demo.) The default strength for the tool is 15. Most hardware wallets use 24 words, but I'm cautious about the security of users that don't use 24 word mnemonics.

The question is, should this feature be included (with the addition of a warning when the user enters a weak mnemonic) or should it be kept as a separate tool (e.g. shamir39, ssss via command line, manual splitting, external web tool)...? I think it's good to keep the feature here but I need some time to think through the security a bit more and get more feedback.

Thanks again for putting the thought and time into this feature.

mctrivia commented 5 years ago

Will add a warning showing the estimated crack time based on 10 billion per second. 18 words takes more than 3 years. Probably shouldn't be done with less.

mctrivia commented 5 years ago

Not sure if there is a way to merge pull requests, but #280 shows the time it takes to hack. 18 words and up is probably realistically safe (10 billion is a lot when you also have to calculate the derivation path and check if the address was ever used on a coin they may have). 24 words for sure is safe.

iancoleman commented 4 years ago

I personally would not use this feature so merging it comes with some internal conflict, but it's been shown to be secure and people would / will find it useful so let's merge it. Thanks for the effort and commentary in this PR, I appreciate it.

joostjager commented 4 years ago

Does picking the words to blank out randomly add any security over splitting into three groups (1-8, 9-16, 17-24) and making cards with two of those groups on each? Which two groups are on a card could be encoded more compactly, but maybe this explicit format leaves less room for misinterpretation?
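The deterministic 2-of-3 card split described in this comment, together with the missing-entropy and crack-time estimate used earlier in the thread, as an added example that is not part of the PR or the bip39 project's code. It assumes 11 bits per word (the 2048-word BIP39 list) and that the n/3 checksum bits of an n-word mnemonic let a guesser prune candidates, which is what makes a single card leave 10n/3 unknown bits; the 12-word mnemonic is constructed and not a valid checksummed phrase.

```python
import math

WORD_BITS = 11                       # 2048-word BIP39 list
ZXCVBN_RATE = 10_000_000_000         # 10B guesses/s worst case from the thread
SECONDS_PER_YEAR = 365 * 24 * 3600


def split_into_cards(words):
    """Split an n-word mnemonic into 3 cards, each holding 2 of 3 word groups
    (A+B, B+C, A+C). Cards store (position -> word) so blanks are explicit."""
    n = len(words)
    if n % 3:
        raise ValueError("word count must be a multiple of 3")
    g = n // 3
    groups = [range(0, g), range(g, 2 * g), range(2 * g, n)]
    cards = []
    for a, b in ((0, 1), (1, 2), (0, 2)):
        cards.append({i: words[i] for i in list(groups[a]) + list(groups[b])})
    return cards


def recover(card_x, card_y, n):
    """Any two cards cover all n positions; one card alone raises."""
    merged = {**card_x, **card_y}
    if len(merged) != n:
        raise ValueError("cards do not cover all %d positions" % n)
    return [merged[i] for i in range(n)]


def missing_bits(n):
    """A single card omits n/3 words: 11 bits each, minus the n/3 checksum
    bits a guesser can use to reject candidates, i.e. 10n/3 bits."""
    return WORD_BITS * (n // 3) - n // 3


def brute_force_years(n, rate=ZXCVBN_RATE):
    """Years to enumerate every candidate for the missing words at `rate`."""
    return 2 ** missing_bits(n) / rate / SECONDS_PER_YEAR


if __name__ == "__main__":
    # constructed sample; real phrases come from the tool, never from code
    phrase = ("abandon ability able about above absent absorb abstract "
              "absurd abuse access accident").split()
    cards = split_into_cards(phrase)
    assert recover(cards[0], cards[2], len(phrase)) == phrase
    for n in (12, 15, 18, 24):
        print(n, "words: %d missing bits, %.3g years at 10B/s"
              % (missing_bits(n), brute_force_years(n)))
```

The 24-word, 2000-guesses-per-second figure quoted earlier in the thread falls out of `brute_force_years(24, 2000)`.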

mctrivia commented 4 years ago

You are correct. The random was written for psychological reasons. I have made this in pdf form also that is just as secure in the manner you describe.


iancoleman commented 4 years ago

@mctrivia, I'm considering some changes and am hoping for your comments

Any thoughts?

mctrivia commented 4 years ago

I think the warning is not needed for 24 word phrases. But if you want to hide it by default that's fine. It's just an extra feature that is really only a good idea with long phrases.