View All R&D Articles

Can Someone Steal My Crypto with Just a Seed Phrase?

December 28, 2022

As leaders in cryptocurrency recovery, Datarecovery.com often receives questions about the security features of various wallets. While we don’t recommend a specific wallet — or a specific cryptocurrency — we’re happy to address some common misconceptions about the technology. 

Recently, we received this question from a client:

If someone gets a hold of my seed phrase, but I have a really good password, is it likely that my wallet can be broken into?

The short answer: Yes. If someone has your cryptocurrency wallet’s seed phrase, they have access to your funds. They don’t need your wallet password to take everything out of the wallet.

The strength of your password doesn’t matter — the seed phrase can be used to generate a new private key, which gives them full access to your wallet (and all of your funds). 

What is a seed phrase, and how is it different from a wallet password?

Crypto wallets are software used to store private keys. Private keys allow people to send and receive cryptocurrencies like bitcoin and ether. The bitcoin private key is a 256-bit number — it’s not the same as the password — but the password unlocks the wallet and allows access to the full private key.

Since you probably won’t remember 256-bit private keys, you’ll need a password to access your crypto wallet. That password should be strong — at least 8 characters, with a mix of numerals and special characters. Without a strong password, a malicious actor could potentially guess your password using a brute force attack.

A seed phrase is different: It’s a mnemonic code randomly generated during the creation of an address. The seed phrase is not dependent on your wallet file (commonly referred to as a wallet.dat file, though different wallets use different file extensions). 

Most cryptocurrencies use a 12-word BIP39 seed phrase. Here’s an example of a typical seed phrase:

tuna motion accuse wheel gap during talent into vacuum crowd language ranch start scan include

When a seed phrase is randomly generated, it’s incredibly secure.  

Related: What Info Do You Need to Access a Lost Bitcoin Wallet?

What if someone guesses my 12-word seed phrase?

If you’ve got a lot of crypto (or even a small amount, depending on the crypto in question), you might have reasonable concerns about seed phrases. After all, seed phrases are just strings of words — on paper, that seems like an enormous security risk.

Fortunately, seed phrases cannot be “guessed” randomly with current technology. Some of the data in the phrase isn’t random, but 12-word phrases have a security of 128 bits.

Brute-force attacks cannot currently guess seed phrases, and even more specialized attacks are limited by the sheer size of the seed phrase — it would take an attacker thousands of years to guess the phrase, unless they had access to several of the words from the phrase.

The BIP39 word list is pre-defined and must be in the correct order. We’ve developed some tools to identify the full seed phrase when three or fewer words are missing or out of order.

In other words, if part of your seed phrase has been revealed, your funds are no longer safe. Move the funds to a different address to a new seed phrase; ideally, you should keep several wallets to limit your risk.

Is cryptocurrency wallet recovery possible?

If you’ve lost both your password and your address seed phrase, wallet recovery is extremely unlikely. However, if you have a portion of your seed phrase or password, our engineers may be able to use proprietary techniques to restore access to the wallet file.

Datarecovery.com provides free evaluations, and our cryptocurrency recovery services feature a no data, no charge guarantee. If we’re unable to recover your assets, you don’t pay for the attempt. 

With fast turnaround times and industry leading technology, we offer a secure way to restore lost Bitcoin while maintaining your privacy. Get started by calling 1-800-237-4200 or click here to submit a case online.