General security

Please be gentle first post and first time farming.
I am seeing a lot of comments about people loosing XCH by being transfered out of their wallets. I understand using all the 3rd party stuff can send your wallet key out but people also claiming they haven’t used 3rd party apps.
Question is how easy is it to guess a wallet key? When entering mnemonic in Chia GUI it knows if a word is wrong…there are also a finite number of words in each mnemonic slot. Could a brute force check give you the mnemonic for a known wallet?..
Not that I’m in the exclusive club of actually winning any XCH but will not be impressed if I lost it!

It can be brute forced in theory of course - but only with a huge amount of time - like heat death of the universe, or masses of compute - it is slightly easier to attempt to brute force all of the wallets at the same time of course, but still requires an immense amount of compute.

Chia mnemonic is 24 words (from memory), imagine the alphabet of words used only has 1000 different words, that’s still 10^72 combinations, compared to 3.40 × 10^38 128 bit integers, which is a common key length. You can increase the size of the alphabet to rapidly increase the size of the set of all keys.

Personally selected mnemonics (brain wallets) can be a lot weaker, since humans aren’t good random number generators - bitcoin blockchain is constantly being scanned for wallets created using permutations of functions over common phrases and sequences, but a randomly generated wallet should be as secure as an integer key generated at the equivalent length to the size of the alphabet ^ number of words chosen, which gets massive even with a relatively small alphabet.

It is more likely that people who have lost coins have been compromised in some other way.

1 Like

OK that’s put my mind at rest that key cannot be brute forced (also had a poke around github and there are 2048 words in use!).
There was some concern (again new to this) that a RPC call can make Chia show keys…but surely this can only occur if another port has been opened and not via the 8444 port.

When clicking on the key button, the PC user password “should be asked” which is not the case currently.

I’m no expert on this type of security issue, but from what I read here and there, that you can relatively easily recover your private key from the system it’s installed on. So If there is any malware or whatever that gets installed, it’s easy to hack your wallet or GUI.

In general you don’t want to store funds on a computer/wallet that is also running farming/mining software or better yet no network connection at all. If you want to be safe you need a cold wallet

Farm into a cold wallet, see other posts on how to do this.

Do not install software from 3rd parties, no tools, no pooling software, no forks on the same PC.
I know this is terrible hard to do, and Chia has some blame for pushing us towards 3rd party software due to the lack of good build-in reporting / plot management / official pools etc.

Your XCH are valuable, people will try to steal them.