Board Development & Technical Discussion
Merits 15 from 3 users
Custom parameter for mnemonic seed
by Sanglotslongs on 20/08/2021, 07:08:51 UTC
⭐ Merited by HCP (10) ,o_e_l_e_o (4) ,ETFbitcoin (1)
Hello,

I read this article about a guy who gave away a partial mnemonic seed on Twitter with a 1 BTC reward. Every week he gave one more word, so it became easier to crack.

And here is an article about the bitcoin dev who cracked it:
https://medium.com/@johncantrell97/how-i-checked-over-1-trillion-mnemonics-in-30-hours-to-win-a-bitcoin-635fe051a752

When you read this article, you can see that John Cantrell made some hypotheses:

Quote
This means the derivation path is in the format m / 49' / coin_type’ / account’ / change / address_index.
Figuring out the derivation path was a huge risk for this project. I assumed that Alistair simply generated a new wallet and the only transaction made was to deposit the 1 BTC. With that assumption it means the derivation path for the first address would be m/49'/0'/0'/0/0.

Quote
BIP-39 does this using a Password-Based Key Derivation Function with HMAC-SHA512 as the hash function, the string “mnemonic” as the salt, and the 12-word mnemonic as the password. It also uses 2048 iterations and each iteration requires two SHA512 calculations. This means this step will cost in total ~4096 SHA-512 calculations.

John Cantrell guessed the mnemonic seed because it was quite straightforward, with default parameters. But I can see two possible customizations:

- Custom address_index (but limited to 2B possibilities)
- Custom PBKDF2 iterations (from 2k to 1M)

Is it good security practice to use the custom parameters above? Even if you forget them, you still have your mnemonic seed and will be able to bruteforce the address and the PBKDF2 count. It can make your mnemonic seed more secure if someone steals it from you, giving you time to move funds, etc.
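The mnemonic-to-seed step quoted above (PBKDF2 with HMAC-SHA512, salt "mnemonic", 2048 iterations) is small enough to write out, and doing so makes the trade-off in the question concrete: the iteration count is fixed by BIP-39, so a wallet that uses a custom count produces a seed no standard wallet can recover, whereas the passphrase is the parameter BIP-39 itself appends to the salt for exactly this purpose. The following is an added example, not code from the original post or from John Cantrell's article. It uses only the Python standard library; the mnemonic and the expected seed are the first public BIP-39 test vector (passphrase "TREZOR"), and the `self_check` function is a hypothetical helper that confirms the implementation still matches that vector before anyone trusts it with real parameters.

```python
import hashlib
import unicodedata

# Iteration count fixed by BIP-39; any other value is a non-standard derivation.
BIP39_ITERATIONS = 2048

# Public BIP-39 test vector (entropy 0x00 * 16, passphrase "TREZOR").
TEST_MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
                 "abandon abandon abandon abandon abandon about")
TEST_PASSPHRASE = "TREZOR"
TEST_SEED_HEX = ("c55257c360c07c72029aebc1b53c05ed0362ada38ead3e3e9efa3708e5349553"
                 "1f09a6987599d18264c1e1c92f2cf141630c7a3c4ab7c81b2f001698e7463b04")


def bip39_seed(mnemonic: str, passphrase: str = "",
               iterations: int = BIP39_ITERATIONS) -> bytes:
    """Derive the 64-byte BIP-39 seed from a mnemonic.

    BIP-39 specifies PBKDF2-HMAC-SHA512 with the NFKD-normalised mnemonic as the
    password and the string "mnemonic" + passphrase (also NFKD) as the salt.
    `iterations` is exposed only so the effect of the non-standard count asked
    about in the post can be observed; standard wallets always use 2048.
    """
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, iterations, dklen=64)


def sha512_calls(iterations: int = BIP39_ITERATIONS) -> int:
    """Rough cost of one candidate: each PBKDF2 iteration is two SHA-512 compressions
    inside HMAC, which is where the "~4096 SHA-512 calculations" in the quote comes from."""
    return 2 * iterations


def is_standard_recoverable(mnemonic: str, passphrase: str, iterations: int) -> bool:
    """True only if a wallet using the BIP-39 default count would reach the same seed.

    A custom iteration count changes every byte of the seed, so funds are only
    recoverable with software patched to the same count; a passphrase does not
    have this problem because it is part of the standard."""
    return bip39_seed(mnemonic, passphrase, iterations) == bip39_seed(mnemonic, passphrase)


def self_check() -> bool:
    """Hypothetical helper: verify the implementation against the public test vector."""
    return bip39_seed(TEST_MNEMONIC, TEST_PASSPHRASE).hex() == TEST_SEED_HEX


if __name__ == "__main__":
    print("matches BIP-39 test vector:", self_check())
    print("SHA-512 calls per candidate at 2048 iterations:", sha512_calls())
    print("SHA-512 calls per candidate at 1,000,000 iterations:", sha512_calls(1_000_000))
    print("custom count recoverable by a standard wallet:",
          is_standard_recoverable(TEST_MNEMONIC, TEST_PASSPHRASE, 4096))
    print("passphrase-only change recoverable by a standard wallet:",
          is_standard_recoverable(TEST_MNEMONIC, "another passphrase", BIP39_ITERATIONS))
```

Running `self_check` first is the check worth keeping: an off-by-one in normalisation or salt construction silently produces a valid-looking but wrong seed, which is the same failure mode as forgetting a custom iteration count.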