Best ways to create a secure seed or mnemonic

16 replies 296 views
Posts: 15 · Reputation: 147
#1Mar 19, 2019, 05:18 AM
Hey everyone, Sorry if this has been asked before. I know we need a CSPRNG for seed generation, but I'm curious if some wallets (whether they’re desktop, mobile, or hardware) can produce more random outcomes than others. I get the feeling that a computer could pull in more entropy compared to a basic hardware device. What do you all think? And what's your approach for creating a secure HD wallet? Cheers
6 Reply Quote Share
sage_moonSenior Member
Posts: 273 · Reputation: 1371
#2Mar 19, 2019, 05:56 AM
Although computers may have access to more sources of entropy, they have a security disadvantage because they are more prone to attacks. In contrast, hardware wallets are specifically designed for security and can be more reliable for generating secure private keys.
2 Reply Quote Share
coin_sigmaLegendary
Posts: 1275 · Reputation: 5553
#3Mar 19, 2019, 09:03 AM
I don't think there's a difference between different devices to generate random seed. If you want to generate a high-quality seed phrase, hardware wallets usually generate them because it generate 24 seed phrases with a passphrase, which is considered safest to generate a seed phrase, but you can also do that on different devices, like a desktop or mobile phone, using the Iancoleman tool and use the "Show entropy details" and put whatever you like to increase the entropy. The details should give you an idea about "time to crack" and don't forget to change the Mnemonic Length to 24 words. Here's the site: https://iancoleman.io/bip39/ Then download the entire page or download it from the source and run it to a device that doesn't have any internet connection (never connect it to the internet) to avoid online attacks.
4 Reply Quote Share
HyperRavenFull Member
Posts: 175 · Reputation: 633
#4Mar 19, 2019, 11:50 AM
No, there are probably no differences across wallets/os/devices. Most devices uses urandom to seed entropy and generate seeds and will thus provide seeds with similar level of security and/or entropy in theory. If implemented well, you should not need to worry about the source of randomness. Certain hardware wallets may use TRNG sources to seed their entropy. This is a good to have but is by far redundant; you are also not encouraged to use Javascript based wallet generator. Certain JS based wallets will seed from insecure sources.
4 Reply Quote Share
hash_bossLegendary
Posts: 1166 · Reputation: 5261
#5Mar 20, 2019, 06:47 PM
CSPRNG from OS and RNG from hardware wallet generally is secure enough. At very least, i know /dev/urandom use lots entropy source. But if you prefer use random source that you can verify, your choice is limited to 1. Use coin, dice or similar object to generate entropy by yourself and then enter it to wallet software you use. 2. Inspect source code of the wallet to check whether it actually use OS CSPRNG properly.
3 Reply Quote Share
w0lf404Hero Member
Posts: 801 · Reputation: 2381
#6Mar 20, 2019, 10:24 PM
I would never recommend anyone to use iancoleman for generating a seed phrase. OP is looking for a secure CSPRNG and a tool which generates the entropy through javascript can't be a good option.
2 Reply Quote Share
alt21Senior Member
Posts: 398 · Reputation: 1732
#7Mar 21, 2019, 04:35 AM
For the most part, the hardware wallets and the reputable computer software wallets generate secure seed phrases using CSPRNG. I 'd go for electrum all day, every day. Just make sure to decide if you want a cold storage device (i.e a fully airgaped laptop), or a software wallet. My other option would be to buy a reputable hardware device. I consider Coldcard, Passport and Trezor among the reputable ones. I 'd not choose Ledger for privacy reasons. Nothing bad with their security though. check the posts below.
3 Reply Quote Share
davealphaSenior Member
Posts: 257 · Reputation: 975
#8Mar 22, 2019, 08:19 PM
You can generate a Bitcoin wallet and then test the randomness of generated wallet but to be honest, I don't know how to do it. If you are very good at math and statistics, you'll probably know it or will be able to do a better research than me (I'm good but not very good). Have a look at this: https://stackoverflow.com/a/32041435 Nothing bad with Ledger's security? Ledger has been claiming since the first day that your seed phrase will never leave the Secure Element chip but recently, as it turned out, this claim was wrong because they implemented Ledger Recover service. Logically, Ledger Recover service should be impossible to exist if seeds never leave the Secure Element.
3 Reply Quote Share
alt21Senior Member
Posts: 398 · Reputation: 1732
#9Mar 23, 2019, 01:48 AM
I obviously didn't know this. I don't use them, I will update my post though to avoid confusion. It's a bloody stupid move on their part by the way.
2 Reply Quote Share
bridge2018Full Member
Posts: 50 · Reputation: 405
#10Mar 23, 2019, 04:55 AM
On theory Device can have better entropy than the hardware which has limited resource however the TRNGs are specifically designed for cryptographic purposes which ensures the randomness of seed generation but if you're paranoid about their security then simply use Electrum to generate your seeds on a complete offline device and then flash it once you generated so your seed will not be exposed to internet meanwhile you can have the satisfaction of better entropy seed using CSPRNG.
4 Reply Quote Share
HyperRavenFull Member
Posts: 175 · Reputation: 633
#11Mar 23, 2019, 08:52 AM
You cannot do so, because you cannot take a single generated address and test it for how random it is. In fact, any entropy measure cannot definitively tell you how random or unrandom any entropy source is; a perfectly predicable source could pass and be seen as a statistical random source. CSPRNG is more than sufficient. True TRNG is probably redundant for most and doesn't improve the security as much. TRNG in general are not specifically designed but are known random processes.
4 Reply Quote Share
silentchainHero Member
Posts: 473 · Reputation: 2317
#12Mar 23, 2019, 11:35 AM
The best source of entropy is that one which is based on truly random physical processes. One of them is avalanche breakdown which is appears in Reverse biased Zener diodes, read this to learn why it is random. Regarding wallets. Products manufactured by Foundation i.e. Passport, Passport batch 2 and presumably their new Passport 2 use Zener diode to generate randomness in the course of SEED  creation. I have Passport 2 and thunk that it is one of the best wallet currently available on market. Thus, if unpredictable random results is your priority at choosing the wallet for your stash then I would advocate Foundation's products.
5 Reply Quote Share
Posts: 15 · Reputation: 147
#13Mar 23, 2019, 02:51 PM
Thanks for your answers. Yes, i'm aware that it is recommended to generate the seed phrase offline. My feeling is that hardware wallets are convenient and safe to use but i'm not comfortable to let them generate the seed, according this: Source: https://coinbureau.com/review/bc-vault-review https://medium.com/@brandonarvanaghi/analyzing-trezor-firmware-mnemonic-seed-generation-for-bitcoin-and-ethereum-4b03fbaad24d If true, it is imo scary... Personally i use an electrum wallet, but generated the seed with the Python module "secrets" installed and use a live USB in Airplane mode. Indeed, electrum does not generate BIP39 seeds natively. https://security.stackexchange.com/questions/242492/is-pythons-secrets-module-using-the-same-code-as-the-random-module Am i paranoid? Might one day create a vulnerable wallet with a low value on it using a Mersenne Twister number generator and see if i someone is able to steal me....Could be fun... Cheers
1 Reply Quote Share
HyperRavenFull Member
Posts: 175 · Reputation: 633
#14Mar 24, 2019, 08:39 AM
My understanding of the library that is being provided by Trezor on their GitHub is for reference and not for production. The actual Trezor that is shipped doesn't have such vulnerabilities. I'm not sure what's going on with the "pre-loading" of private keys. I'm not aware of any instance, do you have an actual source that is supposed to be neutral? What does this prove? Electrum does not generate BIP39 seeds, to be accurate. Whatever seeds that are being generated is using the entropy at run time Paranoid. You should be more wary about wallets that isn't widely audited or used.
0 Reply Quote Share
hash_bossLegendary
Posts: 1166 · Reputation: 5261
#15Mar 24, 2019, 10:48 AM
FWIW, Electrum use os.urandom to generate seed and other sensitive data. AFAIK both os.urandom and secrets module use same CSPRNG, so i don't think what you did improve security.
7 Reply Quote Share
davealphaSenior Member
Posts: 257 · Reputation: 975
#16Mar 24, 2019, 12:56 PM
You are paranoid. Also, if you want to have a hardware Bitcoin wallet, I suggest you to have a look at ColdCard and The Passport Foundation. In terms of safety and security, these wallets are on another level. This is a very good article from ColdCard for paranoid users: https://coldcard.com/docs/paranoid/ Click on CTRL + F and paste this: Generating seed words with 256 bits of entropy by dice rolls. He should worry more about how to store his recovery seed phrases safely. I think people care too much about things that are already fixed and aren't really an issue.
3 Reply Quote Share
alt21Senior Member
Posts: 398 · Reputation: 1732
#17Mar 24, 2019, 05:25 PM
Suggesting specific brands is good because it will help OP choose a good device. Just to add a general opinion, I 'd definitely go for a hardware device that: 1. includes a secure element. 2. is reputable and well established in the space. 3. is not too expensive. I don't think we should pay absurd amounts of money for the device. Your wallet suggestions definitely cover the first 2, but they look expensive to me. I 'd rather focus on doing multisig with 2 reputable but cheaper wallets (but I don't know if there are any). Disclaimer: I own both a cheap device and an expensive device, but I keep using electrum on my air gapped laptop
2 Reply Quote Share

Related topics