A question that seems to be often raised is “is the automatically generated 12 words passphrase secure?” This is explained by the fact that a user only needs the private key to log into a Burst account. This post should help you understand the almost-impossible-to-crack nature of the 12 words passphrase.
Six months ago a little game was launched, called “The Canary – Burst Early Warning System“. It was a call for everybody to try to crack 12 different accounts, each one set up using the auto generated passphrase and containing 1000 Burst. The first account had a passphrase of 1 word, each account had one more word until the last one composed of 12 words.
What can we take away from this game 6 months after its launch?
The 3 first accounts have been cracked. The 9 remaining accounts are still sitting with 1000 burstcoins in each, resisting a very optimized cracking tool testing 160,000 combinations per second. It would take an estimated time of 515 days to crack the 4th account with the 4 words passphrase, according to Sergey Blagodarenko. And every word added makes it exponentially harder, even though the list of 1626 words used by the Burst wallet is publicly available.
In fact, to put in perspective how many passwords can be generated by a list of 1626 words in a 12 word combination, the number would be 341,543,870,028,173,427,817,970,975,906,355,941,376 or 341 undecillion. That can be broken down into 341 billion billion billion billion. This is called a “large number” in mathematics, difficult to imagine because of how astronomically large it is. Brute forcing a 12 words passphrase will, on average, take longer than the universe has existed – billions of billions of years. 5 Words is over 2,000 years, each additional word make it 1,626 time harder.
In conclusion, your wallet is safe with a 12 words auto generated passphrase. You should be much more worried about viruses and keyloggers. I personally recommend keeping your burstcoins safe by only storing the passphrase on paper and only using a local wallet to manage your funds. If you are really paranoid, adding caps, numbers or symbols makes the account exponentially harder to crack (virtually impossible). In its mobile wallet, the PoC Consortium even added new words to the list.
Also published on Medium.