Who can explain this to me? #asknostr @Jameson Lopp evaluates passphrase backups as "mediocre" and considers SeedXOR the superior alternative. He argues that passphrases are flawed due to their 2-of-2 setup, posing a risk of losing funds if one part is lost. Nevertheless, the same vulnerability exists for SeedXOR (2-of-2, 3-of-3, …). I don't see any downside as long as the passphrase has 256 bits of entropy. Multiple backups are essential for both solutions. Lopp on passphrase backup: "This gives you a security model that's the same as a 2 of 2 multisig setup. Do you know why 2 of 2 multisig isn't popular? Because it has 2 single points of failure - if you lose either part, you're screwed. I've seen quite a few people over the years get locked out of their funds because they forgot or lost the passphrase that accompanied their seed phrase." Lopp on SeedXOR backup: "Seed XOR is, in my opinion, a superior way to achieve the properties that folks try to get with a "25th word passphrase" or via naive seed splitting, while decreasing the complexity and improving plausible deniability. Note that this is essentially an N of N (2-of-2 / 3-of-3 / etc) split backup, so you're going to want multiple sets of XOR'd backups to ensure that losing a single plate doesn't cause catastrophic loss." Source: https://blog.lopp.net/how-to-back-up-a-seed-phrase/
I'm more into m of n ( e.g. 2 of 4) multisig
Passphrase is really just a 25-word seed. If you can look after 24 words but find 25 scary, then I don't know what to say to you.
Thanks for your reply, but that doesn’t answer my question.
I hope someone gives you the answer you're looking for. I don't believe that passphrases are particularly insecure.
Not using a passphrase decreases the complexity and points of failure of the setup, which he values more than outright security, since a complex (secure) setup is useless if you forget or lose access to the details, and is best left to advanced users, or the company he works for - wink. He's writing to the masses, where an XOR'd set of seed words lets you have a simpler setup, easy to restore, and also includes plausible deniability since each of the XOR seed plates is a valid set of words by itself. An attacker has to know it's one of a set to know there's a larger wallet elsewhere. The seed+passphrase setup is similar, in that you can load funds onto the seed-only wallet, and you keep the passphrase safe for the "real" wallet. But an attacker now has your entire seed phrase.
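To make the two setups discussed above concrete, here is an added example (mine, not code from any poster or from Lopp's article). It works on BIP39 word indices (0..2047) instead of the 2048-word list so it runs offline; index 0 is "abandon" and 3 is "about", matching the well-known all-zero-entropy test mnemonic. It shows (a) why every Seed XOR share is a valid mnemonic on its own (each share gets its own checksum), (b) why N-1 shares recover nothing, and (c) that a passphrase is just extra PBKDF2 salt, so any passphrase, right or wrong, yields a different but valid wallet. The split/combine routine follows the Seed XOR convention of XORing the raw entropy bits and recomputing the checksum; the function names and the `secrets`-based share generation are my own choices.

```python
"""Added example: BIP39 entropy <-> word indices, Seed XOR split/combine,
and BIP39 seed derivation with an optional passphrase. Not code from the
thread; word indices stand in for the 2048-word list."""
import hashlib
import secrets
import unicodedata

WORD_BITS = 11        # each BIP39 word encodes 11 bits
PBKDF2_ROUNDS = 2048  # fixed by BIP39


def entropy_to_word_indices(entropy: bytes) -> list[int]:
    """Append the BIP39 checksum (first ENT/32 bits of SHA-256) and cut into 11-bit indices."""
    if len(entropy) not in (16, 20, 24, 28, 32):
        raise ValueError("entropy must be 128..256 bits in 32-bit steps")
    ent_bits = len(entropy) * 8
    cs_bits = ent_bits // 32
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    bits = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    total = ent_bits + cs_bits
    return [(bits >> (total - WORD_BITS * (i + 1))) & 0x7FF
            for i in range(total // WORD_BITS)]


def word_indices_to_entropy(indices: list[int]) -> bytes:
    """Inverse: verify the checksum and return the raw entropy; raise if invalid."""
    total = len(indices) * WORD_BITS
    cs_bits = total // 33
    ent_bits = total - cs_bits
    bits = 0
    for idx in indices:
        bits = (bits << WORD_BITS) | idx
    entropy = (bits >> cs_bits).to_bytes(ent_bits // 8, "big")
    expected = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    if bits & ((1 << cs_bits) - 1) != expected:
        raise ValueError("BIP39 checksum mismatch")
    return entropy


def is_valid_mnemonic(indices: list[int]) -> bool:
    try:
        word_indices_to_entropy(indices)
        return True
    except ValueError:
        return False


def seed_xor_split(entropy: bytes, n: int) -> list[list[int]]:
    """N-of-N split: n-1 shares are fresh random entropy, the last is
    entropy XOR all the others. Each share gets its own checksum, so each
    one is a complete, valid mnemonic (the plausible-deniability property)."""
    if n < 2:
        raise ValueError("need at least two shares")
    randoms = [secrets.token_bytes(len(entropy)) for _ in range(n - 1)]
    acc = int.from_bytes(entropy, "big")
    for r in randoms:
        acc ^= int.from_bytes(r, "big")
    last = acc.to_bytes(len(entropy), "big")
    return [entropy_to_word_indices(s) for s in randoms + [last]]


def seed_xor_combine(shares: list[list[int]]) -> bytes:
    """XOR the decoded entropies. With all N shares this is the original;
    with any subset it is uniformly random, i.e. reveals nothing."""
    ents = [word_indices_to_entropy(s) for s in shares]
    acc = 0
    for e in ents:
        acc ^= int.from_bytes(e, "big")
    return acc.to_bytes(len(ents[0]), "big")


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed: PBKDF2-HMAC-SHA512 over the NFKD mnemonic with salt
    'mnemonic' + passphrase. There is no 'wrong passphrase' error: every
    passphrase derives some valid wallet, which is what the seed-only
    decoy wallet relies on."""
    m = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", m, salt, PBKDF2_ROUNDS, dklen=64)


if __name__ == "__main__":
    real = secrets.token_bytes(32)                 # constructed 256-bit wallet entropy
    shares = seed_xor_split(real, 3)
    print("all 3 shares valid mnemonics:", all(is_valid_mnemonic(s) for s in shares))
    print("3 of 3 recovers entropy:", seed_xor_combine(shares) == real)
    print("2 of 3 recovers entropy:", seed_xor_combine(shares[:2]) == real)
    mnemonic = "abandon " * 11 + "about"          # BIP39 all-zero-entropy mnemonic
    print("seed-only vs passphrase wallets differ:",
          bip39_seed(mnemonic) != bip39_seed(mnemonic, "correct horse"))
```

Note what the combine step does and does not do: losing one plate of a 3-of-3 set leaves you with random bits, which is exactly the N-of-N brittleness both Lopp and the original poster point out, so the spare XOR sets he recommends are the only thing standing between you and loss. The passphrase function shows the other side of the comparison: the same PBKDF2 call with an empty passphrase is the decoy wallet, and nothing in the derivation distinguishes it from the "real" one.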
Thank you for your response. Here are my comments on that: 1) Passphrase and SeedXOR have similar complexity. I understand the point that more complex solutions increase the risk of loss due to complexity. Anyhow, that has nothing to do with my question. 2) Why is a SeedXOR easier to restore? Please explain. In my opinion passphrase is easier to restore and supported by most wallets. Furthermore, the seed phrase of a passphrase-secured wallet has the same deception feature as the seed of a SeedXOR. You can load both with "ready to lose" funds to deceive an attacker. The attacker doesn't know that a bigger wallet exists in both cases. 3) What is the difference in the attacker having the seed phrase of a 256-bit passphrase wallet or a seed phrase of a SeedXOR wallet? Please explain.
Good points. They are pretty similar in effect. I'd argue that plausible deniability is a little better since each XOR part looks like a seed. And that it might also imply more care from the holder when storing than just a (shorter) passphrase. I agree passphrase is easier to understand and to use. And the security is the same IF treated well. But it's a big if.
Yes, both backups are brittle. In my experience, people tend to A) create incredibly complex passphrases, B) not back them up because they created the passphrase in their head. Also, I think folks fool themselves about the utility of duress wallets. In general, I like seedxor more because you KNOW it's getting backed up AND the backups have plausible deniability.
Thanks Lopp, appreciate your feedback. What do you precisely mean by "fooling themselves about the utility of a duress wallet"? Are you suggesting that a sophisticated attacker would be aware of this regardless?
Mainly that duress wallets are speculative. 1. You're speculating about the attacker's knowledge and motivation. For example, there was a physical attack recently in which the victim gave up their wallet pretty quickly, but the attacker kept torturing them for hours in case they were holding out. 2. You're speculating about how you'd act in a high stakes stressful situation.