Forgotten your wallet passphrase? How to crack your BIP39 passphrase

This article was inspired by a customer who no longer remembered the exact passphrase of his hardware wallet. Fortunately, he still knew his seed and the public address to which he had sent his coins.

With a little research, I found the tool BTCRecover, which can brute-force wallets. The tool tries all possible combinations of misspellings of the passphrase and checks whether the known address can be derived from each one. In my initial tests the program was surprisingly fast.

BTCRecover not only shows how easy it is to recover your own passphrase, but also how insecure simple passphrases are. If you choose a single word or a name, it is a piece of cake for an attacker to find it, provided they have the necessary information (your seed and one of your addresses).

Requirements:

  • A Linux computer, preferably Ubuntu (Windows instructions can be found here)
  • Minimal experience with the terminal
  • Your seed (12 or 24 words)
  • An approximate memory of your passphrase (the less you remember, the longer it will take)
  • An address of your wallet, as old as possible (ideally the first receiving address)

ATTENTION: We cannot guarantee the security of the software shown here. You act at your own risk. These instructions require you to enter your seed on the computer. You should do this only in an absolute emergency. During the process it is safer to keep your computer offline, or even to use a completely fresh Ubuntu installation. Once you have found your passphrase, you should immediately move your coins to one of your other wallets and reset the hardware wallet.

Download BTCRecover


Download BTCRecover from this link and extract the archive.

Install Python 3

Open a terminal in the BTCRecover folder and install Python 3 together with the Tk bindings (the package pulls in Python 3 itself; BTCRecover's input dialogs need tkinter):

sudo apt install python3-tk

Install Dependencies

First install pip3 (the Ubuntu package is called python3-pip):

sudo apt install python3-pip

Then install the required dependencies with:

pip3 install -r requirements.txt

Test run

Check whether the installation completed without problems:

python3 run-all-tests.py -vv

If the test run completes, the result should be "OK". It is normal for a few tests to be skipped, because we have not set up GPU acceleration yet; an actual failure, on the other hand, usually points to a missing dependency.

Password tokens

At this point we need to think about which parts of the passphrase we remember. For this we create a text file called "tokens.txt" in the BTCRecover directory. For this example I am using a randomly generated wallet, which of course has no coins in it.

In this file we write the passphrase as we remember it on a single line. In our example I think I remember the passphrase "dasisteintest", so I write "dasisteintest" in the text file.

If you remember several possible passphrases, write each one on its own line. With --passwordlist every line is tried as a complete candidate, with the typo variations applied on top.

If you are sure that the passphrase starts with a certain word, you can anchor it with a ^. If I remembered that the passphrase starts with "that", I would write "^that" in the file. Note that anchors, and combining tokens from different lines, are features of BTCRecover's token-list mode, which is selected with --tokenlist instead of --passwordlist; in password-list mode each line is taken literally, so a leading ^ would simply become part of the candidate.

More information about the token list can be found here.

Passphrase bruteforcing

There are many options for this step. To list all of them, run:

python3 btcrecover.py --help

For our use case, we start the bruteforce process with:

python3 btcrecover.py --no-dupchecks --passwordlist tokens.txt --addr-limit 1 --typos-capslock --typos-swap --typos-repeat --typos-delete --typos-case --typos 3 --bip32-path "m/84'/0'/0'/0" --wallet-type bip39

*Customize the derivation path for your wallet. BTCRecover expects the path down to the change branch (the external receiving chain ends in /0) with a hardened account level: a native-SegWit wallet (bc1... addresses) uses m/84'/0'/0'/0, a BIP49 wallet (3... addresses) m/49'/0'/0'/0 and a legacy BIP44 wallet (1... addresses) m/44'/0'/0'/0, which is also the default. --addr-limit is the number of addresses derived per candidate; 1 only covers the very first receiving address, so raise it if your known address is not the first one.

BTCRecover warns you once again that this is sensitive data. Confirm this by clicking OK.

If you still know your XPub, enter it. If you only have one of your addresses, click Cancel first.

Now enter an address from your wallet that is as old as possible.

Next, you need to enter your seed. Make sure that no one is looking over your shoulder and that you are disconnected from the Internet.

The process will start. Depending on how little information you have given the program, the whole run can take quite a long time. For simple typos, however, it should only take a few minutes.

When the run is finished, you get a result: either nothing is found, meaning you gave the program too little or wrong data (the wrong derivation path is a common cause), or the passphrase is found and displayed at the end of the output.

If the process takes a long time because you have little information, you can enable GPU acceleration as described in the BTCRecover documentation.

In our example, BTCRecover shows that I had used "dsaisteintest" as the passphrase instead of "dasisteintest".
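To make clear what BTCRecover is actually doing with those --typos options, here is an added example in plain Python (not BTCRecover's code). It implements the BIP39 seed derivation (PBKDF2-HMAC-SHA512 over the mnemonic with "mnemonic" + passphrase as salt), generates the same kinds of typo variants the command above enables, and searches for the candidate that reproduces a known result. It compares candidates at the level of the 64-byte BIP39 seed instead of a derived address, because BIP32 address derivation needs secp256k1, which the Python standard library does not provide; the mnemonic is the first BIP39 English test vector and the target seeds are constructed from it, so nothing here refers to a real wallet.

```python
import hashlib
import unicodedata

# Constructed inputs for the demo (not the page's wallet): the first BIP39 English
# test vector, so the seed derivation can be checked against a published value.
TEST_MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
                 "abandon abandon abandon abandon abandon about")
TEST_SEED_TREZOR = bytes.fromhex(          # seed for passphrase "TREZOR"
    "c55257c360c07c72029aebc1b53c05ed0362ada38ead3e3e9efa3708e5349553"
    "1f09a6987599d18264c1e1c92f2cf141630c7a3c4ab7c81b2f001698e7463b04"
)


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed: PBKDF2-HMAC-SHA512(mnemonic, "mnemonic" + passphrase, 2048 rounds, 64 bytes).
    Both inputs are NFKD-normalised. Any change to the passphrase yields an unrelated seed,
    which is why a recovery tool must try each candidate and compare the derived result."""
    key = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", key, salt, 2048, dklen=64)


def single_typos(s: str):
    """Yield every string exactly one typo away from s, in the categories the page enables:
    caps lock, adjacent swap, repeated character, deleted character, case change of one character."""
    seen = {s}

    def emit(t):
        if t not in seen:
            seen.add(t)
            yield t

    yield from emit(s.swapcase())                                 # --typos-capslock
    for i in range(len(s) - 1):                                   # --typos-swap
        yield from emit(s[:i] + s[i + 1] + s[i] + s[i + 2:])
    for i in range(len(s)):                                       # --typos-repeat
        yield from emit(s[:i] + s[i] + s[i:])
    for i in range(len(s)):                                       # --typos-delete
        yield from emit(s[:i] + s[i + 1:])
    for i, c in enumerate(s):                                     # --typos-case
        yield from emit(s[:i] + c.swapcase() + s[i + 1:])


def candidates(guess: str, max_typos: int):
    """Breadth-first enumeration of every string within max_typos typos of guess, each yielded
    once. The page's --typos 3 bounds this depth; --no-dupchecks tells BTCRecover to skip its
    own, memory-hungry version of this de-duplication."""
    seen = {guess}
    frontier = [guess]
    yield guess
    for _ in range(max_typos):
        next_frontier = []
        for base in frontier:
            for t in single_typos(base):
                if t not in seen:
                    seen.add(t)
                    next_frontier.append(t)
                    yield t
        frontier = next_frontier


def recover_passphrase(mnemonic: str, target_seed: bytes, guess: str, max_typos: int = 2):
    """Return the first candidate whose BIP39 seed equals target_seed, or None if no candidate
    within max_typos of the guess matches (too little or wrong information, as the page puts it)."""
    for cand in candidates(guess, max_typos):
        if bip39_seed(mnemonic, cand) == target_seed:
            return cand
    return None


if __name__ == "__main__":
    # The page's scenario: the wallet was set up with "dsaisteintest" (a transposition),
    # but the owner remembers "dasisteintest".
    true_seed = bip39_seed(TEST_MNEMONIC, "dsaisteintest")
    print(recover_passphrase(TEST_MNEMONIC, true_seed, "dasisteintest", max_typos=1))
```

The number of candidates grows roughly as (5 x length)^typos, and each one costs 2048 HMAC-SHA512 rounds before any address can even be derived; that is the cost that BTCRecover's GPU acceleration parallelises, and also the reason a single-word passphrase with a known seed offers so little protection.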
