I'm having trouble following the logic of this... How is it better for you if someone finds your entire seed phrase than if they only find 2/3 of it? If they have it all they don't have to crack anything?

I originally agreed with this video, but after revisiting the topic I see the "never split the phrase, no exceptions" as a dogmatic and flawed perspective, which doesn't take into account all threat models. A threat model in favor of a 2 of 3 recovery scheme: you don't have any 100% secure locations, but you have locations that are secure most of the time and can know and act relatively quickly when one of them gets breached: Examples of these locations are homes, apartments, bank safe deposit boxes, and pretty much every safe location because you inherently need to trust people and the environment when it comes to physical items. As other comments have pointed out, someone finding one of your backups is not as bad as someone finding your whole seed phrase, and so each copy of your seed phrase in different locations reduces your security. Also, a tamper evident device has a much better place with part of a split phrase than it does a full phrase, because one will tell you that you need to move your funds asap, while the other will tell you that your funds are gone. And if you are able to move your funds because of a breach faster than the missing words can be cracked, then 80 bits of security is a fine buffer (which my math below says it does). Then Andreas mentions the "super paranoid" method would be using a passphrase, and have that in another secure location (the passphrase would need to be 12 characters long to have higher than 80 bits of security (or 40 characters to match the 256 bits of security), so it won't be easy to remember). However, this is basically a 2 of 2 recovery scheme, so his whole spiel about losing 2 parts that he mentions later is even worse in this method. Unless you aren't confident that you could always access any 2 of 3 locations, splitting would be better. A threat model in favor of phrase splitting over SSS: You don't have access to an airgapped/secure computer, and don't want to be dependent on the few hardware wallets that support SLIP39: Recovering funds with SSS is much more complex compare to putting two phrase parts together. As Andreas said, complexity is the enemy of security and usability. In this case, you'll need to use some software on a computer to reconstruct the phrase from the shamir secrets, and malware stealing keys is generally a bigger threat than having a vault looted (SSS decreasing security). SLIP39 is not widely adopted, and having flexibility in what tools (especially hardware wallets) you can use to recover funds is important (SSS/SLIP39 decreasing usability). Currently, Trezor and some other hardware wallets support SLIP39, but Ledger and many others do not. Also, I would equally want to get a new wallet if I found out one part was breached, whether I was using phrase splitting or SSS, because practically speaking, the attacker just needs one more part. Some math: I would only apply this to 2/3 split for 24 word seed phrases, not sure other threshold/share combinations, and definitely not for 12 word seed phrases. Based on iancoleman's bip39 tool, it would take 3830854 years to crack. My own calculations using 1 trillion guesses per second and either 2048^7 possibilities or 2^80 possibilities, it still would take thousands of years. And I don't see a future where 80 bits is hard to crack for retail but easy to crack for an unsophisticated attacker, which would be the threat model for most people. In security, the only rule that applies to all is that there is no one size fits all.

If you are assuming that a bad actor got 1 of your 3 seed splits, wouldn't they just have the whole 24 words in your senario?

Don't use a quite sensible idea of splitting your keys in a 2/3 multishard method and securing in safe places. Instead keep your full seed phrase on one sheet and store it in a BANK. Jesus Christ.

If you lose 2 of 3, you're screwed. But if you don't seed split, you just need to lose 1 of them. Maybe I'm not understanding this one.

While I don't necessarily agree that the scheme posed in the question is the best idea (storing 2/3rds of the words in plain text in 3 separate locations), I am convinced that it is a far, far superior idea to the one that aantonop proposed, which is to store the entire 24 words in a single location and physically guard it.

This video is stupid AF. It's trying to argue that physically distributing your seed is worse than having it whole in one place alone. He arguments it by saying that finding one 1 of 3 set make it easier to bruteforce your way into the seed..... vs finding the whole seed which would give you the seed without moving a finger 🤦

Good luck cracking 80 bits in the time it takes me to find out one of my shard has been compromised.

This is the only thing I have ever had the knowledge to disagree on with Andreas. The point is that you can lose one and still be fine and a bad actor would need to find 2. With 8 words missing, even if one is the checksum, it would take a while to crack (enough time to transfer funds). SLIP is too complicated for most retail users. He read the question wrong at one point as well. 3:33. Each has 16 words not 8. So you can lose 1 key and be fine

My neighbor's wife accessed my seed last night. What should I do now??

If you have all 24 seed words stored in one location and that secure location is compromised, then you have 0 (zero) bits of security. I'd rather have 80 bits than no bits of security. What am I missing here!?

@aantonop any update on this? I think there is a major flaw in your logic (as others have pointed out already), happy to be proven wrong. You were so focused on how much easier it is to brute force 80 bits of entropy vs 256 but that you completely ignored the fact that in the alternative scenario where he hadn't split it up, whoever found 1 copy would have the full seed already and not need to brute force anything, assuming 1 out of 3 locations compromised in both scenarios, all other things being equal etc. Surely an attacker having to brute force "only" 80 bits of entropy is better than them having the entire seed? Looking forward to hearing from you. Cheers

I just totally disagree. The biggest risk for your seed is entering it into a normal general purpose computer (your PC). You never know what malware is there, even if you are very professional. That is why you use a hardware wallet. So for your backup you need a mechanism which does not need a computer to create or to restore. The 2 out of 3 scheme allows this SLIP39 does not! Further assuming you use 2 out of 3 with your 24 word seed. Why do you do this and how do you do this. You do this to have a backup and because you have no total control on the locations you store them in. Still you decided to do so to cover risk of lost by catastrophe like fire. Of cause for every day use you have your hardware wallet. You secure your backup as good as possible with a seal so you detect if someone has opened and read the (part) seed words and you lock them as good as possible. You choose locations which are distant and independent of each other. That is required for catastrophe protection, but this means you will not notice a lost backup part at once. But you will notice at some time and then you will move your coins at once to another seed. It is totally unimportant if it is possible to crack this in a cluster somewhere in future requiring still a lot of time. You will (have to) be faster in detecting lost backup and moving your coins. You will not be fast enough if someone gets access to a full backup (all seed words). Now to the numbers: BIP39 uses 1/32 of encoded data as checksum. There are 2048 different words, each word encode 11 bits. The Checksum for 24 word seed is 8 bits, which is quite less than a word. This means if you brute force attack a part backup, you will find every 256 tries a result with a valid checksum. But this does not mean you found the seed. 8 words are 2^88 or 88 bits to crack. Even if you assume you do spare the 8 checksum bits, this is still 80 bits to crack including accessing the blockchain because an attacker will find 2^72 (2^80/2^8) wrong seeds! So my result: 2 out of 3 is an easy to use and sufficient secure method for seed backup of a hardware wallet! A backup which weights and covers all risks (lost and disclosure) very well!

Terrible idea to put your unseizable coins in a bank. It's insane that you would rely on that.

Splitting seed words would buy you time to move your coins to another wallet when one of your seed storage devices is stolen.

"Don't split your keys because attackers can brute force it with partial slices." also "Don't split your keys because if you lose one slice you won't be able to brute force it with partial slices." Hummm... something seems amiss here.

All it takes is the bank manager to look up the ledger leak list and see if anyone on it is a box holder at his bank. Opens the box (justified by saying "customer was suspicious") takes a pic of your seed, so no way to prove he tampered with it. You're done. Even if you have paraphrase if can be brute forced.

Just a Thank You from me. Please keep em coming...

Fun fact trezor one (which was MADE by the ppl who made the SLIPs) default recovery also goes down to 80 bits

I think this is some sort of crypto urban legend. How in earth could be NOT storing complete phrase in one place less secure that doing so? If the place is compromised it's gone. That's 1bit security. Shamir secret sharing is obviously superior, but in the end of 2022, I'm not aware of any other wallet than Trezor T, that supports it. And using some other tool to create Shamir backup from your seedphrase? Seriously? Maybe on some shady website? :)

I keep mine in metal safes in 2 countries (one is fireproof) and also inside fireproof LiPo battery sleaves; besides having 2 of 3 Ledgers with me in a (different country than the safes)

The math on this as follows. Brute forcing 8 words (not including the check sum word) is 2^88. 4:18 . IF the last word (checksum) is included it would be 2^80 as he said. It is not quick nor cheap to brute for this. 6:19 He is saying it could be done in the next decade with a cluster.

I think this logic is very much flawed tbh. Yes you reduce the security to only 80 bits instead of 256 if one location is compromised. However, assuming there is less than 100 million $ hidden behind your keys, it seems unlikely to me that it would be worth the effort to brute force those 7/8 words. It seems much more likely to me that someone will break into your vault and steal your entire seed and take your coins... Especially is you store the entire seed in multiple locations, to me you are increasing liability instead of decreasing it. In aantonop his proposal all you have to do is threaten one person to give you access to the safe and it's game over. If you store it in a bank which should be 'safe' the bank can still fk you. In the proposal of the questioner you would have to do that in two different locations realistically speaking which is much less feasible from a practical standpoint, especially if we're talking 2 different continents.

I dont get this guy. Kind of BS, if you ask me. He's saying "yes, store a backup of your seed phrase because that is safe" but at the same time "dont split your seed phrase because that makes it unsafe"? WHAT?!?! You dont add vulnerability by splitting it. If youre going to store it anywhere in a safe and responsible manner, then yes, by all means, store it split. Store each part in a safe and responsible way, and you have increased your security, not diminished it. Youre not wrong that it isnt a shamir scheme and that if the partial phrase is uncovered, some information about the seed is revealed. Im not disputing that. Im disputing the assertion that having 2/3 of a phrase is less safe than having all of it, which is what your spiel at the beginning claimed. Clearly having 2/3 is less safe than having none of it, obviously, but you are assuming that any of it will be accessible by a bad actor simply because the user decided to make a split. It think its non-sequitur. This guy is responding to a fundamentally different question than the one asked. The question asked was "is splitting the seed safe" and his answer is "you should store your phrase in a safe". Cant both be true? Youre not answering the question; youre distracting from it.

Don't split your seed. Use a passphrase, memorize, and back up (steel / paper). Keep multiple copies of your seed (steel / paper) at your home. Keep your passphrase back ups off site, e.g. relative. Your seed is 100% safe from a thief finding it - you need both the seed and passphrase to restore your wallet

I disagree with andreas, its better to split the seed world in two locations coz lets say you put one half in a safe deposit box and other in a secret location etc , the chances of an attack in both the places is incredibly rare ( even siezure from bad govts ) however its not super difficult to pass this knowledge to your heirs! if you ensure its placed few more places

You proved mathematics is important & common sense sucks

If you guess how many silver coins I hold in my hand, I'l give you both of them.

What are your thoughts on seedless multisig (ala Casa)? Do you see improving security and UX so anyone can adequately secure without metal plates and treasure maps? I think the risk of loss by over securing(lost seed/passphrase) is greater than loss of funds in most scenarios?

That's cryptography 101.

Why is Bitcoin not even a bit like a Coin??

Is it safer splitting 12 words and 12 words and storing separately vs the example you gave of 16/8?

If you have a 24-word phrase which is the standard with ledgers nowadays and split it in half, that is pretty secure. Dont spread the pieces all across the world though. Put one piece in the attic and one in the basement for example. Hide your ledgers well. Have at least one clone and hide the clone in a bank box. In case your place burns down, you have the ledger and can withdraw the funds to make a new seed phrase on a new device. You can dig down some crypto steel in a sturdy box in your back yard with your full seed phrase. The likelihood of anyone finding it is close to zero and it would likely survive a natural disaster. Keep in mind that you will die some day and that you might want someone to be able to recover your assets. Maybe dont go as far as trusting any single person with all your info but what you can do is to give them some sort of instruction. Write the instructions in your will or leave them in a bank box. Make sure it is something they will understand but that doesnt necessarily make any sense to any outsiders.

Trust the Banks?

How is shamir different than XOR? Which to choose?

isnt a loteasier to get brute forced if we let the full mnemonic phrase in one place, like a 2.94e79 times easier than 256 bits entropy mnemphrase if someone finds it out in just one place?????

The new remix of the song at the end made me think someone was tapping on my window.

Lots of disagreement here. I think the thought is if you hide your key in one place.. ( full Key ) opposed to hiding the 3 partial keys in three places, its more likely ( better chances) that a person would be able to find 2 of the three keys hiding places rather than just one assuming that the hiding place was equal secure.

1) What if you use an encyption/file splitting program that for example splits a seed into two encrypted files (that are useless on their own)? Only when they are combined and decrypted together can they produce the entire seed. Could be doing this offline. You could supplement this to a billfodl or cryptosteel type device. We dont want to be opening tamperproof seeds everytime we need to look at it. I suspect most people would still yeild to pen and paper for quick access. 2) What if you are working with a team and dont want any one ( or 2) people to have access to the entire seed? I suspect an admin role would be required to use the entire seed, while other members have no access once wallets are set up.

Andreas - would your objections be assuaged by splitting the phrase into two batches of twelve words each? Wouldn't having access to only twelve words still leave twelve unknown words - which is sufficient for protecting many wallets on their own? (Echoing the point from Jeffrey Meland earlier in the comments)

Safe deposit box!!! Noooooo! Worst place ever.

What about 12 and 12? im still not convinced 12 and 12 is a bad idea

Skip to 1:00 for the short answer.

You’re more likely to lose the seed than to have it stolen. That’s the reality. Physical barriers are better than cryptography. Keep it simple, don’t tell people about your money. Be kind.

Thank God ! You Answered Just One Question Today ... I Had Time to digest This Time....

What about this solution for the seed: Location A and C (1-12) Location B and D (13-24). As long only one location ist compromised, no problem. If A and B or C and B or A and D or C and D are compromised to the same time, no problem. Only problem is if A and C or B and C, or at least 3 locations to be compromised. In my opinion it sounds pretty save as it es unlikely that 2 locations are compromised to the same time. In addition memorize all of your words, quite easy with linking 3-5 words by embedding them in a story and repeat everyday for 2 weeks. Then later test your memory once a week. For me personally, it's the only way to feel safe and independent, as i know i can leave country immediately without looking for the seed.

The general public mass adopters will not pursue this extreme geek-level of detail. What is a simple yet still secure suggestion? Thank you.

How were you able to calculate the brute force cracking difficulty? How many years do you think it will be until a 256 "bit" code is brute force-able?

Would you recommend 24 words over 12 words? Or is 12 words OK?

Hi aantonop may I ask what is the best wallet keeping USDT. I sold some btc recently and waiting to buy back when btc break down on price. But in the main time I just want to keep my USDT in a personal wallet than in the exchange. Thank you

Storing keys in an encrypted pendrive with good backed up password a good plan?

Thanks!

For all the comments misinterpreting this video, he didn’t say someone finding part of the key is worse than someone finding the whole key. He said that someone finding part of the key built as the question states is worse than someone finding one part of a SSSS

Eyebrows!!!

Shamir onde Trezor T is a good option??

Ok I'm imagining someone breaking into my home. If the burglar finds 24 words he will immediately go to the local store and transfer all my crypto in a matter of 1 hour. If he finds 12 words he will need to study brute forcing or find a friend who knows about how to brute forcing. In this time I will notece the break in and transfer my founds. I don't get it.

This is the 1st video of his I've seen and I won't watch anymore because of this one

This decentralized world is sending us back to banks

disagree.It's a good idea for most people. 7 words need 2 Millenium to be hacked.

i think u missed the point. its not about the nsa trying to crack it - its aboutensuring me mum cant get me crypto braz.

this is what ChatGPT says about brute forcing 7 words. can you explain why AI says one thing and you say another? "Assuming the 7-word phrase is randomly generated from a list of 2048 words (which is the standard for BIP39 mnemonics), there are 2048^7 possible combinations, or about 1.4 x 10^21 combinations."

Bro, you misinterpreted the question.

Can you make a video explaining how to make bitcoin account

So this is a good idea?????? LOL

wrong

Nice mug

I believe Andreas IS Satoshi himself

if you wanna add a bit of splitting security to your backup a good way would be to use SSSS 2 of 2. put 1 away in high security like normal and keep the 2nd in like dropbox and whatever where it's not very secure but you're sure you'll never lose it.

Haha wow

What about jumbling up the words based on a number you keep in your brain? Forgetting the number or dying aside, is this MORE secure?

I have a proposal to save the seeds, distribute them in 3 different places geographically written on paper in key places. But I do not write one of the words in any of the 3 written in case someone casually found it. The missing word is stored only in brain memory. What do you think of this mechanism?

Satoshi has spoken...

Mathematik he know... but emphatic he dont have

you need salt