On Mon, Dec 24, 2018 at 2:48 PM Aymeric Vitte via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:

I don't see very well why it's easier to write n words that you cannot choose rather than a 32B BIP32 hex seed, and I have seen many people completely lost with their wallets because of this

In practice it has quite a few qualities that make it a bit more resilient for physical (written) storage.

If a few letters of a word get rubbed off or otherwise become illegible, it is pretty easy for a native speaker to figure out what the word is supposed to be. Even a non-native speaker could look through the word list and figure out which word fits. Missing characters in a hex string require more advanced brute force searching, which the average user isn't capable of.

Additionally, having the bits grouped into words makes a more serious recovery easier. If you lose one entire word, it can be brute forced in about 5 minutes on a normal pc, even if you don't know which position the missing word is in (I have published a tool that does just this: https://jmacwhyte.github.io/recovery-phrase-recovery). If you are missing two words, you can brute force it in about a week (napkin math).

If you were missing a random chunk of a hex string, I don't know how you'd go about brute forcing that in a timely manner.

As an aside, from a UX standpoint we've seen that the 12 words don't *look* important so people don't take them seriously (and they get lost). A hex string or equivalent would look more password-y, and therefore would most likely be better protected by users.

James