Although I have no proof of this, I would suspect the following is true: The total number of people in the world who have lost their keys due to complexity of managing 24 words, is a far greater number than the number of people whose accounts were hacked due to only having 12 words.
Similarly, I know a lot more people who have lost Bitcoin due to forgotten wallet passwords than I know have lost Bitcoin due to hacks that could have been prevented by wallet passwords.
I'm not a math major but it seems to me they are equally strong. It is the management of the keys that is more practical with 12 vs 24 words.
When one person drives a car at 190 mph and the other person drives at 195 mph (and the speed limit is 60 mph) They are both "certifiable " :-) When they crash, does it really matter?
I’ve heard all of the following as this topic has come up previously. Unsure if all are accurate:
If the 12 and 24 worlds are both truly random, then it is easier to crack the private key itself than to brute force either the 12 or 24 words. [I believe there are also some caveats here as to if the particular address has been spent from before or not, and what bitcoin address type it is. Someone could clarify that aspect]
If your source of randomness for the 12 or 24 words had some slight bias (but was still fairly random) then the extra 12 words could help a lot. [Also tin foil hat things like the dice that were used were assessed for their deviation from random, sound was analyzed from writing down the 12 words, etc etc.]
The increased risk of loss or a transcription error of 24 words vs 12 words might negate any benefits. Assess which risk is larger for you.
If future changes to bitcoin make it so cracking the private key is harder than brute forcing 12 words, having 24 would have you covered. Or, when that happens, just move your funds to the new address type in the future with a new 24 word seed.
The one benefit of 24 words is that if you get scammed and someone is telling you to enter your seed phrase online, you have a little bit of extra time for your brain to tell you to stop before entering all the words.
A 12 word seed, if you managed to get "true" entropy while generating it would be enough. But I guess, a 24 word seed would "protect" you if your process for generating the seed wasn't random enough. There is a great video 1 from Crypto Guide explaining it.
I’m not a cryptographer but my understanding is your actual bitcoin private key is 128-bits. So using a 24 word phrase that generates a 128-bit key anyway is unnecessary complexity.
its exponentially harder to brute force a 24 word seed phrase than a 12 word seed. pure math nothing else. And if the client looses his phrase it doesnt matter if he picked 12 or 24. he wont remember the phrase by memory anyway (at least 99% if them).
it's possible to brute force a 12 word seed in some days with the right ressources (most likely only avaiable for secret services and such who have quantum computers with at least ~100 qubits). That's not the case for 24 word seed. Such an attack would exceed the average lifetime of a human ;)
you need to improve your understaning of cryptography basics ;) brute forcing the seed phrase means try every possible combination of words. assuming you have 12 word phrase and you KNOW the exact 12 words but not the order its simple 12! (around 500.000.000 possibilities, takes a second to brute force with good gpu) BUT if you dont know any of the 12 words you have to try every possible combination (use the word list) and this differs extremely to a simple sum of 12! :P
the hashes (in binary) have the same structure and lenghts thats correct, but you (better to say hashcat or whatever u are using^^) is deriving them from all the different combinations of possible words. the longer the seed phrase the longer it takes....anyway its pointless to try to brute force a seed phrase from ZK ^^
You really think a single Sig 12 word seed is going to be cracked in a few days with a quantum computer?
So why are all these wallets providing 12 word phrases like electrum, green wallet, wasabi, jam, samourai etc. So you're saying none of these developers are wrong?
first; you did not understand me -> 12! = 479001600 that is the total number os possibilities assuming you have a 12 word seed (and you know all of the words but not the order)
second: if we assume that you have the capabilities (both technical and financial pov) a 12 word seed is a joke for 1000 qubits (or even more assuming perfect syncronization of superstates and the binary compilation and algorithms far beyond basic grover for error correction and so much more) - I know that most likely nobody will understand what I am talking about but anyway...it takes some days and you got the result.
-> what is important to notice: nobody performs such attacks in practice yet, there are endless reasons why it's not a real option to the time of writing. but this will change in the next decades.
The amount of words stem from the amount of bits the initial sequence is comprised of, in other words: More words equal a stronger [more secure] sequence, or root key.
Footnotes