BIP39 brute-force complexity (or how hard it is to break someone's secret words)

Nice old post about the mnemonics brute-forcing complexity:

So if we take in consideration todays total hashrate of the whole bitcoin network ( and assume that the network can check mnemonic combinations with the same speed (which it cannot actually) - the “guessing speed” will be ~35K PH/s or ~3e4 * 1e15 or ~3e19 H/s. Which means that every second the whole network will guess ~30’000’000’000’000’000’000 combinations. That’s A LOT, isn’t it? :slight_smile:

For a standard cardano wallet with 12 mnemonics there are (2048^12)/16 possible valid combinations, or ~3e38 combinations. If we divide the number of all combinations on the number of combinations guessed each second - we will get that the whole bitcoin network will need around 1e19 seconds, to try all possible combinations.

1e19 seconds is ~1.6e17 minutes, or 2.7e15 hours, or 1.15e14 days or 3.17e11 years. There we have it - the whole bitcoin network would need ~317’000’000’000 YEARS in order to try all possible standard 12-word wallets.

Want to do the same for paper-wallets? :slight_smile: Paper wallets have 27 secret words, which gives (2048^27)/512 possible combinations with is ~5e86. Dividing it by hash-power and rounding up gives us ~5.07e59 years, or somewhere around this number of years:

507 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000

P.S. There was a lot of discussion about the security of 9 words that are not printed on the paper-wallet but filled out manually. Well, (2048^9)/512 ~ 1.2e27 which gives us ~1.3 years.

So even if some extra “el33t h4x0r”, or CIA, or aliens would decide to break into your printer just to steal your 18 secret words that are printed on the paper - they would additionally have to rent the WHOLE bitcoin network for more than a year to have a guaranteed chance to get your ADA :slight_smile:

And don’t forget that it’s an IMAGINARY use of a LARGEST computer-power network on the planet, which, of course, impossible in reality. Idk, works for me. As I mentioned before - I am totally ok getting some paper-wallets on a USB stick and going to a public printing-service to get them done on a colored printer and some nice paper. Zero concern about their clerks hacking me later :smiley:

P.P.S Just some interesting stats, but anything under 9 words should already be considered totally insecure, for example:

  1. 3 word key gives (2048^3)/2 or ~4e9 combinations and would be completely iterated by the assumed network in under a second :slight_smile:

  2. 6 word key gives (2048^6)/4 or ~1.8e19 and would also be iterated by the imaginary network in under a second.


an awesome account of the facts.
Can I use it as second part of my currently under-construction storyboard?

1 Like

Not only it would be a pleasure for me, but I would also actively encourage you to do so :slight_smile:

1 Like

I do have a question. I may not understand the correct process. My current understanding is we just enter the mnemonics seed words to generate your wallet. But no password and no other information is needed.

In my head I believe all the math adds up to someone guessing just your account. If there are millions of accounts out there how many guesses of mnemonics words will it take to get a random hit on an account?

So my question is, I know the words are available and known, how hard is it to just keep adding combinations together until you find an account that has those words?

What am I missing?

Again, I know I am missing something. Thanks for any help in understanding.

Just do the math. Oversimplified 3.4*1e38 (possible wallets) versus 1e6 (existing wallets) means the probability is still 3.4*e-32, so probably once in 24 billion years. Assuming one wallet is created in every second and a proper CSRNG is used to generate entropy.

Did you try to read this post?

Thank you for this great response.

1 Like

Yes, I did read the post.

What I see is it is very hard to generate every wallet with all combinations. Also it is very hard to specifically guess my wallet address one time. People win the lottery all the time and that is a random number. Yes there are 12 words that would need to be guessed.

I just don’t know why someone would not write a program to randomly recreate a wallet using 12 random words from the list of 2048 to see what they might find.

The odds of finding a random wallet are higher then finding my specific wallet words.

I see what _ilap is saying with his example, I just don’t understand why people won’t try to make programs that will try to guess a random wallet address. Yes, you are going to ask if I read the post and tried to process this but I can’t get past that in my head. For this reason I have my Cardano divided into 3 different wallet addresses. Not keeping all my eggs in one basket.

Maybe I will be more comfortable putting it all in a paper wallet.


They do. Especially for the Bitcoin. There are “miners” that do run special high power computers that do the only thing - generate random wallets and look for balance. What’s the problem here? It’s an open API.

You may try to make your own as a home-project. There are lots of libraries for all languages that allow to generate addresses for different cryptocurrencies easily. Try it and then report your results to us :slight_smile:

I have about gajillion (actual calculated estimate) times bigger chance to just die suddenly from some weird shite happening inside my organism or by tripping on my own leg and falling down on my way to kitchen. So I don’t have to worry about someone breaking into my wallet by chance - it’s not gonna happen.

Lottery is designed to be won. Cryptocurrency wallets are designed to not be guessed by chance.

1 Like

Well if 1 time in 45,000,000 is “all the time” then yes they do. (UK National Lottery statistic but not atypical I believe.)

Which means, given UK death rates, if you buy a ticket 24 hours before the draw you’re 100 times more likely to die during that time than win.

And the chances of guessing a sequence of 12 words from 2048 are much, much, much worse than winning the lottery.

Humans are not good at dealing with probability, the only way to get a handle on it is to study the numbers. Or just believe what those who do are telling you.


But there’s always a chance, tho :rofl:


On the same topic, btw. There are 340 282 370 000 000 000 000 000 000 000 000 000 000 possible valid 12 word Cardano wallets. Even if every person on the planet would have 1000 wallets each in total there would be used:


Of all possible Cardano Wallets. :slight_smile:

And, again, if we had the whole bitcoin network at our disposal and we could guess ~30’000’000’000’000’000’000 combinations every second that means that we would have about


Chance to get a wallet with a balance every second. Now, I tell you that on the opposite side - you will have the 100% chance to have to pay for the electricity you spend each of those seconds :slightly_smiling_face:

Building on the previous comment. A human lifespan (in a good case) is ~ 2838240000 seconds (90 years). With a ~0.0000000000000000088162076% chance to find an address with a balance every second - in 90 years the network would have ~0.0000000250225131% chance to find a wallet with anything in it.

~0.0000000250225131% in 90 years!.

I have ~ 100% chance to not being alive in 90 years :slight_smile:

~0.00000142857% is the chance of being struck by lightning in any year.
So it’s ~0.00012857142% chance to be struck at least once in 90 years.

And remember - all of this is for standard 12 word wallets. To get the results for a paper wallet - take the same numbers and multiply them by infinity :slight_smile:


Are you saying any passphrase under 9 words is insecure, or just wallet seeds ? A 7 word random passphrase has roughly the same entropy as an 11 character PW using upper, lower and symbols.

No, he meant, if you have more than 18 publicly known mnemonics and less then 9 uknown ones for paperwallet, that’s considered insecure.
Cos, you can break a paperwallet in a year which has the first 18 mnemonics leaked, assuming you have enough money to borrow the hash power of the bitcoin network for a year.

So, I would sleep like a baby anyway, after I print the first 17th mnemonics in any piblic print service.

1 Like

Slightly OT but maybe to be considered: centralized servers usually take care about bruto-force attacks, and limit the based on IP or the username.
All of them isn’t possible with blockchains. That’s why the entropy has to come from a certain length + mnemonics.