Signum Security

Signum Security

Signum’s Automatically Generated Passphrase

Centralized organizations usually limit the number of login attempts made for the online accounts they provide.  If they did not do so, the short passphrases that they allow would quickly be compromised.  They also do not usually disclose their authentication algorithm publicly.

The open-source nature of the Signum client allows unlimited login attempts.  Programs can test combinations as quickly as billions per second, attempting all possible combinations.  For this reason, the Signum account reservation process automatically generates long, complex passphrases–12 words drawn randomly from a list of 2,048 English words for the Phoenix and BTDEX wallets, and 1,626 English words for the classic wallet.

At first, a passphrase generated by selecting 12 words randomly from a publicly available collection may seem counter-intuitive.  However, upon further analysis, the strength of this system is apparent.

The number of passphrases that can be generated from Signum’s list of 1,626 words (used for Signum’s classic wallet) in 12-word combinations, is as follows:  341,543,870,028,173,427,817,970,975,906,355,941,376.

This is more than 341undecillion, or 341 billion billion billion billion.  In mathematics, this is euphemistically referred to as a “large number.” It is so large that it is difficult to imagine.  Attempting all possible combinations, a process that is known as brute-forcing, would take billions of billions of years on average.

The number of possible combinations for Signum wallets that use 2,048 randomly selected words is much larger.  However, the difference is considered to be immaterial, as can be seen from the analysis that follows:

Attempting to compromise an account protected by one of Signum’s automatically generated passphrases is an exercise in futility.  There is also no way of knowing that other words have not been added to an account’s passphrase.

Number of Words Possible Passphrase Combinations Bits of Entropy
1 1,626 10.66
2 2,643,876 21.33
3 4,298,942,376 32
4 6,990,080,303,376 42.67
5 11,365,870,573,289,400 53.34
6 18,480,905,552,168,500,000 64
7 30,049,952,427,826,000,000,000 74.67
8 48,861,222,647,645,100,000,000,000 85.34
9 79,448,348,025,071,000,000,000,000,000 96
10 129,183,013,888,765,000,000,000,000,000,000 106.67
11 210,051,580,583,132,000,000,000,000,000,000,000 117.34
12 341,543,870,028,173,000,000,000,000,000,000,000,000 128

Your account is safe with the 12-word passphrase generated by Signum software.  It could be made exponentially more complex by adding additional words, letters, or numbers, but it is already more than sufficient.

In 2017, a public experiment demonstrated the security of Signum’s passphrases.  The experiment involved 12 accounts, each containing 1,000 Signum.  The passphrase for each account was automatically generated, but the organizer limited the number of words to 1 for the 1st account, 2 for the 2nd, etc.  The passphrase for the 12th account had 12 words.  A public announcement was made challenging anyone who wished to participate in attempting to crack the passphrases.

After 6 months, only the first 3 accounts had their passphrases discovered. The remaining accounts could not be compromised even after being tested by a highly-optimized password cracking tool that tried combinations at a rate of 160,000 per second.  It would take an estimated 515 days to crack the 4th and more than 2,000 years to crack the 5th.  With each additional word increasing the difficulty by 1,626, cracking the 12th passphrase would not be possible, even though the list of 1626 words is publicly available.


12 words drawn randomly from a list of 1,626 English words. In another word – uncrackable.

Best Practice

Do not enter your passphrase into an online form or disclose it to anyone you cannot trust.

Online Wallets

Always use official wallet software.  Online wallets are not official wallets and are centralized by nature.

Security Implications of Blockchain-Based Cryptocurrency

Signum is a blockchain-based cryptocurrency. A single passphrase (private key) protects each account. If you cannot produce the passphrase for your account, you cannot access the account, and the coins associated with it will have no value. There is no central organization to contact in this circumstance, so care must be taken when creating an account to preserve a record of its passphrase.

Accounts secured by a single passphrase are colloquially known as brain wallets because the passphrase could conceivably be stored only in the account holder’s memory.  For most people, preserving a record of a critical account’s passphrase in this manner is not recommended.

The best way to preserve a record of passphrases is to store it securely in more than one location.  Saving it to a computer hard drive, entering it into a password manager file, or printing it on paper are all good options, but any of these can fail.  It is essential to have a backup.

The same care given to passphrases should also be taken when making transactions.  Signum transactions are not reversible.  If a transfer is made to an account without a known passphrase, there is no way to retrieve it.  When transferring Signum among several accounts, ensure that the passphrase is known for each.

Associating the value of an account with its passphrase is a helpful way to determine the appropriate level of security for protecting the passphrase.  For accounts with higher values, take more extensive security measures.

All passphrases will eventually need to be entered on a local device to sign transactions.  The device should be secure from intrusion and uncompromised by malicious software that could record keystrokes.  It is possible to sign transactions using a device that is not connected to the internet (air-gapped) using Signum’s offline transaction signing feature for enhanced security.

Following are a few best practices:

  • Do not enter your passphrase into any online form.
  • Do not use online wallets for accounts with a significant balance or that will ever hold a significant balance.
  • Do not change the 12-word passphrase generated during account setup (adding to it is not problematic but is unnecessary).  The 12-word passphrase protects against Brute Force and Rainbow Table attacks.
  • Do not use special characters.  ASCII code representations can be used but are entirely unnecessary.  Unicode characters are not always consistent between programs.  Note:  Microsoft Word uses Unicode characters.  Therefore, it is not ideal for composing or storing passphrases that contain special characters.
  • Do not share passphrases with anyone that you cannot trust.
  • Do not store unencrypted passphrases on remote nodes or local workstations.
  • Do not leave a printed passphrase next to a computer.
  • Use special care when connecting to remote nodes.
  • Use accounts with smaller balances for daily operations.  Access accounts with higher balances only when necessary and with particular attention to security.
  • Use discretion when considering password management software.

Signum’s Vision for Security

Signum security entails more than just passphrase and wallet security.  From its inception, Signum has sought to enhance the faster adoption of blockchain technology while guaranteeing maximum security in all aspects of its operation.  It was created in 2014 when attacks on cryptocurrency networks were already commonplace.  To keep the network safe, the development team implemented several strategies.

To prevent collusive node attacks, attacks where 51% of the nodes conspire to harm the network, Byzantine fault-tolerance technology was employed to build dependable protocols.  The focus was on identifying honest nodes by setting an upper boundary for maximum tolerance.

To prevent denial of service attacks (DDOS), all nodes were required to perform proof-of-capacity validation.  Regular vetting identifies and blacklists problematic nodes.

To keep details private and funds free from third-party entities and attacks, the Signum network employs advanced encryption. Even when sending funds on the network, details are not easily revealed.

The nature of threats to cryptocurrency networks changes rapidly.  The development team has adopted a system of progressive improvement that involves constant checks to identify and fix even theoretical gaps.

Anatomy of a Passphrase

Account ID and address are derived from a permanent and immutable cryptographic hash of an account’s passphrase.

Elliptic-curve cryptography (ECC) is used to generate a public key, a private key (for signing transactions), and a so-called agreement key (for message encryption) from an account’s passphrase.  It is not necessary to understand these keys precisely as they are only used programmatically.  It is an account’s passphrase that allows interaction with the blockchain for making transactions.

  • A passphrase can be any string of characters.  Signum uses 12 random selections from a collection of English words.
  • A private key is a cryptographic hash of an account’s passphrase.
  • A public key is a cryptographic hash with the private key as a seed.  It decodes as two interchangeable public addresses; an almost unique number ( account id ) and the more commonly used Reed-Solomon formatted address.
  • Although the public key, numeric account id, and RS address are all derived from the cryptographic hash of an account’s passphrase, the passphrase is not derivable from any of these.

7 + 6 =

Share This