Warning: Smartphone text prediction guesses crypto hodler’s seed phrase (2024)

Seed phrases, a random combination of words from the Bitcoin Improvement Protocol (BIP) 39 list of 2,048 words, act as one of the primary layers of security against unauthorized access to a user’s crypto holdings. But what happens when your “smart” phone’s predictive typing remembers and suggests the words next time you try to access your digital wallet?

Andre, a 33-year-old IT professional from Germany, recently posted on the r/CryptoCurrency subreddit after discovering that his mobile phone could predict his entire recovery seed phrase as soon as he typed the first word.

As a fair warning to fellow Redditors and crypto enthusiasts, Andre’s post highlighted the ease with which hackers can use the feature to drain a user’s funds just by being able to type the first word from the BIP 39 list:

“This makes it easy to attack, get your hands on a phone, start any chat app, and start typing any words off the BIP39 list, and see what the phone suggests.”

Speaking to Cointelegraph, Andre — known as u/Divinux on Reddit — shared his shock when he first experienced his phone accurately guessing the 12–24 word seed phrase. “First, I was stunned. The first couple of words could be a coincidence, right?”

As a tech-savvy individual, the German crypto investor was able to reproduce the scenario in which his mobile phone accurately predicted the seed phrases. After realizing the possible impact of this information if it fell into the wrong hands, he said: “I thought I should tell people about it. I’m sure there are others who also have typed seeds into their phone.”

Andre’s experiments confirmed that Google’s Gboard was the least vulnerable, as the software did not predict every word in the correct order. However, Microsoft’s SwiftKey keyboard was able to predict the seed phrase right out of the box. The Samsung keyboard, too, can predict the words if “auto-replace” and “suggest text corrections” have been manually turned on.

Andre’s initial stint with crypto dates back to 2015, when he momentarily lost interest until he realized he could buy goods and services using Bitcoin (BTC) and other cryptocurrencies. His investment strategy involves purchasing and staking BTC and altcoins such as Terra’s LUNA, Algorand’s ALGO and Tezos’ XTZ, and “then dollar-cost averaging out into BTC when/if they moon.” The IT professional also develops his own coins and tokens as a hobby.

A safety measure against possible hacks, according to Andre, is to store significant and long-term holdings in a hardware wallet. To Redditors across the world, he advised: “Not your keys not your coins, do your own research, don’t FOMO, never invest more than you are willing to lose, always double-check the address you are sending to, always send a small amount beforehand and disable your PMs in settings,” concluding:

“Do yourself a solid and prevent that from happening by clearing your predictive type cache.”

Related: STEPN impersonators stealing users’ seed phrases, warn security experts

Blockchain security firm PeckShield recently warned the crypto community about a large number of phishing websites targeting users of the Web3 lifestyle app STEPN.

#PeckShieldAlert #phishing PeckShield has detected a batch of @Stepnofficial phishing sites. They insert a false Metamask browser extension leading to stealing your seed phrase or prompt you to connect your wallets or “Claim” giveaway. @Metamask @Coinbase @WalletConnect @phantom pic.twitter.com/cmWUcprMAN

— PeckShieldAlert (@PeckShieldAlert) April 25, 2022

As Cointelegraph reported, based on PeckShield’s findings, hackers insert a forged MetaMask browser plugin through which they can steal seed phrases from unsuspecting STEPN users.

Access to the seed phrase guarantees complete control over the user’s crypto funds via the STEPN dashboard.

FAQs

Can someone steal your crypto with your seed phrase? ›

There's just one big BUT! Someone else can use your seed phrase and get access to your crypto, as blockchains don't care who enters a seed phrase. Crypto users have come up with many ways to protect a seed phrase. They encrypt it, add an extra word to it, divide it into parts, and store it in different places.

Can someone randomly guess your seed phrase? ›

After all, seed phrases are just strings of words — on paper, that seems like an enormous security risk. Fortunately, seed phrases cannot be “guessed” randomly with current technology. Some of the data in the phrase isn't random, but 12-word phrases have a security of 128 bits.

How do hackers get your seed phrase? ›

If a seed phrase is stored on a computer or any device that can connect to the internet, then it is vulnerable to hackers. Even computers that are disconnected from bluetooth and wifi are prone to various malware that can expose the seed phrase.

What are the chances of guessing a Bitcoin seed phrase? ›

With this number of words, there are 2,048 to the power of 12 (more than a decillion) possible seed phrase combinations, which is such a large number that the odds of someone guessing your phrase are almost zero.

What happens if someone gets my ledger seed phrase? ›

Your 24-word recovery phrase (sometimes called a mnemonic or seed phrase) is the master key to all your crypto accounts. Anyone gaining access to your recovery phrase can very easily clone your accounts on their own device (or software wallet) and spend your funds.

What happens if someone steals your seed phrase? ›

If your seed phrase is lost, you can transfer your assets to a new device. If it's stolen, it could be used to steal your assets (same as if someone hacks your seed phrase when using a hot wallet), which is why we emphasize the need to keep your seed phrase safe & well hidden.

How hard is it to crack a seed phrase? ›

When an attacker knows the unordered words of a 12-word seed, there are only around half a billion possible combinations, which is relatively easy to test with a decent GPU. A 24-word seed, however, has roughly 6.24^24 possible combinations — and that's a lot of zeros.

Can two people have the same seed phrase? ›

The total number of cryptocurrency wallets is insignificant compared to the number of possible seed phrases. Put simply, it's virtually impossible for two people to receive the same seed phrase.

What is the 12-word phrase? ›

A 12-word seed phrase acts as a key to unlock access to a crypto wallet and is also the ultimate recovery tool for wallets on the blockchain.

How do you know if someone has your seed phrase? ›

The only way that someone can know your seed phrase is either because you shared it with them, they somehow gained access to it or they got access to most of the words that make up your seed phrase. A recovery phrase is usually generated from a specific list of 2,048 words.

Should you memorize your seed phrase? ›

While memorization is a powerful security tool, it introduces a single point of failure: you. Once you've committed your seed phrase totally to memory, your bitcoin security is highly centralized. For starters, you're completely reliant on your ability to recall your seed phrase in the eleventh hour.

How do you reveal seed phrases? ›

Navigate down to Settings > Security & Privacy. Scroll down, and click on the button that reads "Reveal Secret Recovery Phrase". Enter your password to reveal your Seed Phrase / Secret Recovery Phrase.

How do you keep crypto seed phrase safe? ›

Crypto Steel.

A highly secure way to back up your seed phrase is by permanently affixing the words to indestructible stainless steel or titanium metal plates. (Steel is more commonly used.)

How many 24 word seed phrases are there? ›

Number of Possible Seed Phrase Combinations

For a 24 word seed phrase, there are about: 1,976,184,989,650,196,401,895,611,477,481,606,960,695,807,738,293,598,959,606,742,767,068,384,079,188,241 possible valid combinations.

What does a crypto seed phrase look like? ›

The phrases contain words drawn from a list of 2,048 English words called the BIP39 standard, which the BitPay Wallet and many other leading crypto wallets utilize, offering 128-bit encryption. Most seed phrases are either 12 or 24 words in length, and each is unique to the wallet that created it.

Can a seed phrase be linked to multiple wallets? ›

All the private keys stored on a crypto wallet can be recovered by entering a seed phrase into a different wallet, as long as they're in the proper sequence.

Can someone steal my crypto from my Ledger? ›

Your Ledger is protecting an encrypted copy of your seed phrase inside of it with military-grade cryptographic hardware, and remember that it's your job to make sure your recovery phrase stays offline, and is never entered into a computer, into a phone, or shared with anyone or any application asking for it.

How does a crypto wallet get hacked? ›

In addition to attacking crypto wallets directly, hackers can use phishing attacks to get personal information from wallet holders. For instance, people who use the popular MetaMask wallet may have received phishing emails asking for personal information in 2022.

Should I take a picture of my seed phrase? ›

This is one of the riskiest forms of seed phrase storage. Never store your seed phrase by simply taking a photo of it, as this makes it accessible to anyone who has access to your phone.

Can someone guess my private key? ›

The cryptography of Bitcoin is extremely strong. You can rest assured that if your Bitcoins are stored on a secure hardware wallet, the chance that they get stolen through a random guess of your private key is close to zero.

How does a seed phrase become a private key? ›

Seed phrases are a standard in the cryptocurrency community and are used across a number of software and hardware wallets (including MyEtherWallet and Ledger Nano S). A single 24 word seed phrase with a password/passphrase, along a particular path (called an HD path) will produce a particular private key.

Is it possible to brute force a seed phrase? ›

Seed phrases, also known as mnemonic phrases, are used to generate private keys and are typically 12-24 words long. The number of possible combinations of words that could be used in a seed phrase is very large, making it computationally infeasible to try every possible combination through brute force.

Is a 12 word seed phrase safe? ›

A 12-word seed phrase provides 128 bits of entropy, which is secure enough for most people. However, a longer phrase, such as a 24-word seed phrase, provides even more security, as it has 256 bits of entropy.

What does BIP39 mean? ›

BIP39 is a design implementation that lays out how cryptocurrency wallets create the set of words (or "mnemonic codes") that make up a mnemonic sentence, and how the wallet turns them into a binary "seed" that is used to create encryption keys, which are then used to execute cryptocurrency transactions.
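The BIP39 encoding step described above, and the reason part of a phrase is a checksum rather than random data (128 bits of entropy behind 12 words, 256 behind 24), as an added example that is not from the original article. It works on wordlist indices (0 to 2047) instead of the words themselves; the function names and the sample entropy are constructed for illustration.

```python
import hashlib

# Valid BIP39 mnemonic lengths (in words) -> entropy bits.
# The checksum is entropy_bits / 32 bits long.
ENTROPY_BITS = {12: 128, 15: 160, 18: 192, 21: 224, 24: 256}


def entropy_to_indices(entropy: bytes) -> list[int]:
    """Encode entropy as 11-bit wordlist indices, appending the checksum."""
    ent_bits = len(entropy) * 8
    if ent_bits not in ENTROPY_BITS.values():
        raise ValueError("entropy must be 128, 160, 192, 224 or 256 bits")
    cs_bits = ent_bits // 32
    # Checksum = leading cs_bits of SHA-256(entropy).
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    combined = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    n_words = (ent_bits + cs_bits) // 11
    return [(combined >> (11 * (n_words - 1 - i))) & 0x7FF
            for i in range(n_words)]


def checksum_ok(indices: list[int]) -> bool:
    """Return True if the index sequence is a well-formed BIP39 mnemonic."""
    ent_bits = ENTROPY_BITS.get(len(indices))
    if ent_bits is None or any(not 0 <= i <= 2047 for i in indices):
        return False
    cs_bits = ent_bits // 32
    combined = 0
    for i in indices:
        combined = (combined << 11) | i
    entropy = (combined >> cs_bits).to_bytes(ent_bits // 8, "big")
    expected = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    return (combined & ((1 << cs_bits) - 1)) == expected


def phrase_space(n_words: int) -> dict:
    """Compare all word sequences with those that carry a correct checksum."""
    ent_bits = ENTROPY_BITS[n_words]
    return {
        "word_combinations": 2048 ** n_words,  # any sequence of list words
        "valid_phrases": 2 ** ent_bits,        # sequences a wallet accepts
        "checksum_bits": ent_bits // 32,
    }


if __name__ == "__main__":
    # Constructed all-zero entropy: a public test pattern, never a real wallet.
    sample = entropy_to_indices(bytes(16))
    print("indices:", sample, "valid:", checksum_ok(sample))
    # Flipping one bit of the last word breaks the checksum.
    tampered = sample[:-1] + [sample[-1] ^ 1]
    print("tampered valid:", checksum_ok(tampered))
    space = phrase_space(12)
    print("share of 12-word sequences that are valid: 1 in",
          space["word_combinations"] // space["valid_phrases"])
```
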

What to do if seed phrase is compromised? ›

I think my seed phrase has been compromised, what should I do? We recommend immediately withdrawing all funds you have received to addresses that you control to mitigate the possibility of theft. This seed phrase enables anyone who is in possession of it to move all received funds to any blockchain address.

What is the 12-word phrase to the private key? ›

Basically, your 12-word phrase is a set of words that allows you to recover and use your private key. And if you can recover your private key, you can access your wallet from anywhere in the world without having to carry anything around. It's a simple, user-friendly security measure which is very powerful.

What is the secret phrase in crypto? ›

Your Secret Recovery Phrase (SRP) is a unique 12-word phrase that is generated when you first set up MetaMask. Your funds are connected to that phrase. If you ever lose your password, your SRP allows you to recover your wallet and your funds.

What happens if you lose your 12-word recovery phrase? ›

If you lost your phrase and don't have the possibility to enter the wallet with your password, then your access to your funds is lost. You have full control over your funds, and with this, you have full responsibility for keeping your 12-word phrase safe.

What are the chances someone gets the same 12-word seed phrase as me in a crypto wallet? ›

A recovery phrase is usually generated from a specific list of 2,048 words. That means that your 12-word seed phrase has an iteration of 2,048 words. Therefore, it's almost impossible that someone could successfully guess your seed phrase.

What are hot wallets? ›

A hot wallet refers to a virtual currency wallet that is accessible online, and it facilitates cryptocurrency transactions between the owner and end-users. A collection of private keys stored on a program connected to the internet is used to store and send different currencies such as Bitcoin.

What is the difference between private keys and seed phrase? ›

While seed phrases provide access to a single crypto address, a private key will grant access to the user's entire wallet on any given blockchain (which can be linked to multiple blockchain accounts). In this sense, private keys could be considered less secure, as more can be accessed with just one line of data.

What is an example of a seed phrase? ›

An example of a seed phrase would be a collection of 12 or 24 words from the BIP39 list of 2048 approved words. These are words such as “bottle, across, and any.”

How many seed phrases are there? ›

Technically speaking, these 24 words are a representation of a string of random digits called a seed, from which all the keys in your wallet are derived. The seed is used to generate your master private key, which generates the rest of your private keys. Private keys are used to generate corresponding public keys.

What is the secret recovery phrase? ›

A recovery phrase (or “seed phrase”) is basically a human-readable form of your wallet's private key—the unique, secret passcode used to authenticate and encrypt your wallet access.

What happens if you lose your crypto recovery phrase? ›

Lost your Recovery phrase? If you lost your Recovery phrase but still remember your PIN code, you can unlock your Ledger device with the PIN code and manage your crypto assets.

What is the 12-word phrase on Coinbase? ›

Also known as a 'Seed Phrase', it is a 12-word secret phrase that gives you access to your digital wallet and allows you to authorize cryptocurrency and NFT transactions from your wallet.

Can I use my recovery phrase on any wallet? ›

Having this phrase means you can restore all of your existing private keys on another wallet, and retrieve your funds on the blockchain. This means you will never be dependent on any one wallet provider – you can access your crypto anywhere, as long as you have that phrase.

How many copies of your seed phrase should you have? ›

Create more than 1 copy of your recovery phrase and keep them all in different (but hidden) places. In case of a natural disaster (fire, flood, etc.), you will still have access to your other copies.

What is the best seed phrase backup? ›

The Best Crypto Seed Phrase Backups of 2022
  • Cryptotag Zeus. This premium seed phrase backup tool is made from titanium and is extremely durable. ...
  • Billfodl Stainless Steel Backup Tool. ...
  • imKey Secret Box Pro. ...
  • XSEED Pro. ...
  • SteelWallet by ShiftCrypto. ...
  • XSEED Plus. ...
  • imKey Secret Box. ...
  • XSEED.

Can seed words repeat? ›

While the combination of the words, in their correct sequence, will be unique to you, the words themselves may repeat. For instance, you might see a word appear twice or even more times in your seed. This is perfectly normal.

Which wallets use 24 word seed? ›

The Trezor One and Ledger Nano S generate new word seeds that are 24 words long. The Trezor Model T generates new word seeds that are 12 words long. However, all Trezor, Ledger and Keepkey hardware wallets can have previous word seeds of 12, 18 or 24 words restored on them.

Can I create my own seed phrase? ›

It is not safe to invent your own seed phrase because humans are bad at generating randomness. The best way is to allow the wallet software to generate a phrase which you write down. As seed phrases use natural language words, they have excellent error correction.

Can someone steal your crypto from your wallet? ›

Because private keys are stored in application and device wallets, hackers can access them and steal your cryptocurrency.

Is it safe to give seed phrase to MetaMask? ›

Never ever share your Secret Recovery Phrase with anyone.

It would give that person the ability to access and transfer all of your funds. The MetaMask team will never ask you for it. If anyone or any website asks you to share it, they're trying to scam you.

Can someone hack MetaMask with seed phrase? ›

Even if the scammer does not use a keylogger to get your password, it is possible for a scammer to get access to the encrypted file where your seed phrase and private key is stored.

Are crypto seed phrases case sensitive? ›

Note that seed phrases are case-sensitive.

Can a crypto scammer be traced? ›

As a digital currency, there is no way to track or identify who is sending or receiving Bitcoin. This is a perfect way for a scammer to receive a lot of money with no way of tracing it back to them.

How do I get my crypto back from a scammer? ›

Five Ways to Try to Get Your Funds Back from a Scammer
  1. Look for the Transaction ID Code. Blockchain technology records all cryptocurrency transactions, even fraudulent ones. ...
  2. Monitor Your Credit Score. ...
  3. Document the Scam. ...
  4. Notify the Crypto Exchange. ...
  5. Report the Scam to Law Enforcement.
Nov 11, 2022

What not to do with MetaMask? ›

Don't share your Secret Recovery Phrase and private keys

Anyone who has your Secret Recovery Phrase or private keys can control your assets, and therefore send tokens out of your accounts. Never share them with anyone, including the MetaMask team or anyone claiming to represent us.

Is it safe to have MetaMask on phone? ›

Avoid using MetaMask on Android

There may be a higher chance of finding a malicious program or application on Android especially since: You download new applications everyday. New applications have different access permissions on your phone. You connect your phone to public WiFi access points frequently.

What is the new warning on MetaMask? ›

Aussie cryptocurrency users are being warned about a new scam that is trying to steal their funds. MailGuard sounded the alert and said it had been blocking fake emails supposedly sent by MetaMask, a crypto wallet that has more than 30 million users worldwide.

Article information

Author: Domingo Moore
