Is it hypothetically possible to access other people's wallets using brute force?

Yes, the mnemonic is the only thing that defines the private key of your wallet. If you somehow get to know someone's mnemonic phrase, you will have full access to their wallet. That's why it's so important to keep the phrase secret.

I should also note that it's possible to generate a private key without using a mnemonic phrase. Commonly used wallets usually do not expose this functionality (because you won't be able to back up your wallet by writing that phrase somewhere), but theoretically, it's possible. It will reduce the possibility of a collision (from 1 in 2048²⁴ ≈ 3⋅10⁷⁹ as you correctly stated, to 1 in 2⁵¹² ≈ 10¹⁵⁴), but won't eliminate it completely. Because wallets are generated independently, there is no real way to prevent collision in the theoretical sense.

You may also find the tool called "vaniton" interesting. Basically, it implements brute force, but instead of trying to find the exact keys (which is not feasible), it just searches for mnemonic phrases that will produce nice-looking addresses (i.e. containing some predefined substrings, for example).

Now, to your questions:

  1. Purely hypothetically – yes, collisions are possible.
  2. Estimating the exact speed is hard because it really depends on the hardware. On my machine, vaniton's benchmark showed a rate of 13.7 addresses per second. Adding more servers would proportionally increase the speed of the brute force attack. Again, if we are talking purely theoretically, there's no limit on the potential speed of the attack (but in reality even using all computing power available on Earth won't help much).
  3. Yes, that's correct.

I would emphasize once more: while these statements are all correct in theory, it's not possible to brute force 3⋅10⁷⁹ phrases in any practical sense (no matter how many servers you use). For example, if you had access to 1 billion servers, each one would still need to check approximately 3⋅10⁷⁰ phrases, which is still an astronomically huge number. Even assuming a rate of 3 million phrases per second (on each server), it would take 10⁶⁴ seconds or about 3⋅10⁵⁶ years (that's a 56-digit number). For comparison, the current age of the Universe is "just" 1.37⋅10⁹ years.


Thanks for such a detailed answer!

Evgeniy Trifonov   one year ago
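The feasibility estimate from the answer above, carried through in code as an added example (not part of the original answer or of vaniton). It goes beyond the answer by also covering a search that would accept a match on any existing wallet and the accidental-collision (birthday) case; the wallet counts are constructed figures, and the function names are this example's own.

```python
import math

WORDLIST_SIZE = 2048                       # words per position (from the answer)
PHRASE_WORDS = 24                          # words per phrase (from the answer)
KEYSPACE = WORDLIST_SIZE ** PHRASE_WORDS   # 2048^24 = 2^264, about 3e79
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def years_to_exhaust(servers, rate_per_server, keyspace=KEYSPACE):
    """Years needed to try every phrase once at the given aggregate rate."""
    return keyspace / (servers * rate_per_server) / SECONDS_PER_YEAR


def hit_probability(attempts, existing_wallets, keyspace=KEYSPACE):
    """Chance that `attempts` random phrases match ANY of `existing_wallets`."""
    p_single = existing_wallets / keyspace
    # 1 - (1 - p)^attempts, via log1p/expm1 so tiny values do not round to 0
    return -math.expm1(attempts * math.log1p(-p_single))


def birthday_collision_probability(wallets, keyspace=KEYSPACE):
    """Chance that two of `wallets` independently generated phrases coincide."""
    # Standard birthday approximation: 1 - exp(-n(n-1) / 2N)
    return -math.expm1(-(wallets * (wallets - 1)) / (2 * keyspace))


if __name__ == "__main__":
    servers, rate = 10**9, 3_000_000       # figures used in the answer
    print(f"full search: {years_to_exhaust(servers, rate):.2e} years")

    # Constructed assumption: 1e9 wallets exist and any match counts as a hit.
    attempts_per_year = servers * rate * SECONDS_PER_YEAR
    print(f"any-wallet hit in 1 year: "
          f"{hit_probability(attempts_per_year, 10**9):.2e}")

    # Constructed assumption: 1e10 wallets generated independently.
    print(f"accidental collision: "
          f"{birthday_collision_probability(10**10):.2e}")
```

Even with the relaxed "any wallet" target, the one-year success probability stays near 10⁻⁴⁸, which is why keeping the phrase secret matters far more than the size of the search space.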