@ -716,11 +716,21 @@ image::images/mbc2_0507.png["From mnemonic to seed"]
[TIP]
====
The key-stretching function, with its 2048 rounds of hashing, is a very
effective protection against brute-force attacks against the mnemonic or
the passphrase. It makes it extremely costly (in computation) to try
more than a few thousand passphrase and mnemonic combinations, while the
number of possible derived seeds is vast (2^512^).
The key-stretching function, with its 2048 rounds of hashing, makes it
slightly harder to brute-force attack the recovery code using software.
Special-purpose hardware is not significantly affected. For an attacker
who needs to guess a user's entire recovery code, the length of the code
(128 bits at a minimum) provides more than sufficient security. But for
cases where an attacker might learn a small part of the user's code,
key-stretching adds some security by slowing down how fast an attacker
can check different recovery code combinations. BIP39's parameters were
considered weak by modern standards even when it was first published
almost a decade ago, although that's likely a consequence of being
design for compatibility with hardware signing devices with low-powered
CPUs. Some alternatives to BIP39 use stronger key-stretching
parameters, such as Aezeed's 32,768 rounds of hashing using the more
complex Scrypt algorithm, although they may not be as convenient to run
on hardware signing devices.
====
Tables pass:[<a data-type="xref" href="#mnemonic_128_no_pass"
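Review bot: The replacement TIP text has a typo in "being design for compatibility with hardware signing devices"; it should read "being designed for compatibility". The phrase "almost a decade ago" will go stale once the text is printed, so naming the year BIP39 was published would keep it accurate. The sentence on "Aezeed's 32,768 rounds of hashing using the more complex Scrypt algorithm" is set directly against the "2048 rounds of hashing", so it would help to state whether 32,768 is a round count in the same sense or a different kind of cost parameter, otherwise readers will compare the two numbers as if they were the same unit.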