# 1 Solid Shots: Who is calling the shots?
Our # 1 Solid Shots is posed as a question.
0x6A92CaE39FB085FB2f69467F93D5a8B32Ee87B9B
Who manages all these 40-character wallet addresses? And further, who ensures that they are unique? In other words, who is calling the shots in Web3?
When you sign up for a service on a web site like Amazon, you are asked to supply two critical pieces of information: a username (or email address) and a password. You choose these and they belong to you. Your username is public (on most web sites); your password is private. Many of you delegate "password thinking" to a password generator such as Chrome's. This is a smart practice because "the unpredictable randomness of a good computer algorithm is far greater than the unpredictable randomness of humans"! That is what makes generated passwords far less susceptible to dictionary attacks.
When you submit this username/password to, say, Amazon's servers, Amazon checks that the username is not already taken by someone else before creating an account for you. If that check fails, you get suggestions on how to fix it and resume. Amazon mediates this transaction, ensuring everyone plays by its rules. You trust Amazon with your password on every subsequent sign-in. You blindly trust Amazon, and the engineers and staff it hires, to keep your private information private indeed.
The Web3 world is also all about accounts that store value, store code, execute code, transact value and so on. The question is: who plays Amazon's role in this world?
In Web3 too we have to think of some password equivalent as a starting point. But that's where the analogy ends. From there on Web3 takes a very different road with very different trade-offs. These roads are new! They were not around when the web was being built!
```clojure
;; ask ethers for a brand-new random wallet and read back its mnemonic
(-> ethers .-Wallet (.createRandom #js {:locale "en"}) .-mnemonic)
;; every time you run this you get a different phrase
;; => {:phrase "civil ranch license real message inherit sudden bridge cage loop rescue play",
;;     :path "m/44'/60'/0'/0/0", :locale "en"}
```
We can use Chrome's password generator to manage passwords for us. Similarly, in Web3, we can use the excellent ethers.js Wallet API to do that job for us. We generate a random 12-word passphrase using the createRandom API: ethers draws 128 bits from the platform's cryptographic random number generator and, following BIP39, encodes them as 12 words from a fixed list of 2048 English words. The resulting passphrase is called a mnemonic. "civil ranch license real.." is not a phrase I would ever have dreamt of. That's why it's the lazy-smart choice to delegate mnemonic creation to computer code.
```clojure
;; rebuild the wallet from the phrase; with no path given, ethers uses m/44'/60'/0'/0/0 (account #0)
(def mnemonicWallet (-> ethers .-Wallet (.fromMnemonic "civil ranch license real message inherit sudden bridge cage loop rescue play")))
(-> mnemonicWallet .-address)
;; => "0x6A92CaE39FB085FB2f69467F93D5a8B32Ee87B9B"
```
Unlike the Amazon example, where a username/password combo operates one unique account, the mnemonic in this example is a seed that deterministically generates numerous accounts or wallets for us. The 0x6A92.. address above is the first of many 20-byte addresses that can be generated from the mnemonic (it takes 40 hex characters to represent 20 bytes). The "m/44'/60'/0'/0/0" you saw next to the phrase is the BIP44 derivation path: 44' is the purpose, 60' is Ethereum's coin type, and the final 0 is the account index. The wallet address is just the one public-facing attribute. Every wallet also has a private key; a public key is computed from it, and the address is the last 20 bytes of the keccak256 hash of that public key. In this example the private key belongs only to the person who conjured up the mnemonic. You need the private key to sign messages and write them to the blockchain; the address alone lets anyone pay you, but never spend.
```clojure
;; the same phrase with the index bumped to 1 and 2 gives accounts #1 and #2
(def path "m/44'/60'/0'/0/1")
(def mnemonicWallet1 (-> ethers .-Wallet (.fromMnemonic "civil ranch license real message inherit sudden bridge cage loop rescue play" path)))
(-> mnemonicWallet1 .-address)
;; => "0xA0A3cf77A8aA9477c64880D1AD50982bCfb326Ea"

(def path "m/44'/60'/0'/0/2")
(def mnemonicWallet2 (-> ethers .-Wallet (.fromMnemonic "civil ranch license real message inherit sudden bridge cage loop rescue play" path)))
(-> mnemonicWallet2 .-address)
;; => "0x5c8431445735a27d1C977D941b9fF0890A8a3245"
```
The above are the second and third wallets originating from the same seed passphrase. From one 12-word mnemonic seed you may generate as many wallets as you wish. As you can tell, the choice of the seed mnemonic is ultra important! You should always let software generate it, as we did here. Picking a vanity seed yourself, perhaps to end up with a "nice looking wallet address" (like vehicle registration plates ending in "786" in Mumbai), leads to extremely painful outcomes. A human-chosen passphrase is predictable and hence weak: attackers run dictionaries of phrases, lyrics and quotations through the very same derivation and sweep whatever sits at the resulting addresses. The more vain you are, the more susceptible you become to such dictionary attacks.
These wallets rely on an open, publicly known one-way function. That is just another way of saying "it's easy to generate addresses given the passphrase; it's computationally infeasible to recover the passphrase (or the private key) given an address". This means you should never divulge your passphrase to anyone. You should certainly not use the "civil ranch.." passphrase from this post, or any passphrase from example code you see on the web or in books; assume such phrases are already being watched. Anyone who happens to know your passphrase can masquerade as you in this world. No questions asked. This is not a design flaw! It is precisely the reason you have the freedom to use your account from any computer that can execute code like the above and carry on your business.
Since all wallets implement the same open standards (BIP39 for turning the phrase into a seed, BIP32/BIP44 for deriving keys from it), it is inaccurate to think that the software of a specific wallet created your account. Take the passphrase you used in MetaMask to a computer running different wallet software, say Trust or Brave, and you get the exact same addresses and wallets back, as long as both use the same derivation path (a wallet that defaults to a different path shows different addresses for the same phrase; the funds are still there, just on another branch of the tree). That's because the algorithm is open and deterministic: for the same input, you get the same output series. Moreover, all this wallet generation can happen in airplane mode! When you create wallet addresses from a passphrase, no network call is made. The wallets exist on the device that generated them, independently of the network or blockchain. That's why you can have accounts without Amazon, MetaMask or Google intermediating or setting the rules for you. In fact, you have wallets independent of even the blockchain: an address is valid before the chain has ever seen it.
No one is there to ensure uniqueness either. Uniqueness is enforced by math and entropy. An address is the last 20 bytes of the keccak256 hash of the public key, so the Web3 world relies on the fact that there are 2^160 possible addresses (and 2^128 possible 12-word seeds behind them). Because the hash has such an enormous output space and randomly generated seeds spread evenly across it, final addresses are unique in practice. Yes, there is a slim chance of collision, i.e. that some passphrase generates the exact address as another passphrase. This is the risk we happily take for not having to trust intermediaries to do the right thing on our behalf. A compromise in the Amazon ecosystem is orders of magnitude more likely than a collision in our wallet-generating algorithm.
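A worked check of that "slim chance", added here and not part of the original post. With $2^{160}$ possible addresses and $k$ honestly generated wallets, the birthday bound for any two of them sharing an address is

$$
P_{\text{collision}} \approx \frac{k^2}{2 \cdot 2^{160}} = \frac{k^2}{2^{161}}
$$

so for $k = 2^{30}$ (about a billion wallets) $P \approx 2^{60} / 2^{161} = 2^{-101}$, and even $k = 2^{40}$ gives $2^{-81}$. An attacker does no better: hitting one specific address is a preimage search of expected cost $2^{160}$ derive-and-hash operations, and hitting any one of $k$ funded addresses costs about $2^{160} / k$. All of this assumes the seed carries its full 128 bits of CSPRNG entropy; a human-chosen phrase collapses the search space to the size of the attacker's dictionary, which is the vanity-seed trap described above.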
Last, and perhaps most importantly, there is no "forgot password" business here in Web3. You lose your passphrase, you permanently lose your access. Simple! Brutal! The value stored in your wallets is locked away for posterity. There is no one you can ask to retrieve it for you. You stand no chance against math and entropy. This trade-off is desirable too, and willingly taken for not having to place trust in intermediaries. If you don't want riches-to-rags stories in your autobiography, you really need to take your secrets seriously: back the phrase up offline, never paste it into a web page or a chat, and take it to your grave!