 This is something that is being discussed all the time, especially on newbie forums and it really needs to be addressed very, very carefully. Piros asks, A friend had the idea to achieve two out of three protection from my wallet seed by storing the seed in the following way. Location 1. Seedwords 1-8 and 9-16. Location 2. Seedwords 1-8 and 17-24. Location 3. Seedwords 9-16 and 17-24. It sounds a lot like Shamir, meaning Shamir's secret sharing scheme, or SSSS, but easier. One location doesn't reveal the whole seed, but any two of them are enough. Is this safe? Absolutely not. Your friend is wrong. It is absolutely not safe to split your mnemonic phrase into parts ever. Do not ever split your mnemonic phrase into parts and store those parts separately. A mnemonic phrase is for backup. You backup the entire phrase in multiple locations and that is both secure and resilient. If you need security from someone seeing your phrase, you need to physically secure it with devices like storing it on steel, in a sealed, tamper-evident device, and putting it in a locked system like a safe or vault, safe deposit box, etc. If you are even more concerned about someone accessing your seed, add a passphrase, which you also need to backup preferably on steel, somewhere in a secure location as well, a separate secure location. If you are super paranoid and you want to do some kind of scheme like this, you need to use a standard such as SLIP39, which is a mechanism for producing Shamir's secret sharing scheme splits of a mnemonic phrase that can be recombined in a K of N share system. For example, you can do a mnemonic phrase that splits two of three, as you just described, using SLIP39. There is a fundamental difference between Shamir's secret sharing scheme and what you described. We'll go through that difference in a second and you'll see why this is not safe and it's also not that resilient. Shamir's secret sharing scheme uses a polynomial function to guarantee that if you have created a K of N scheme under Shamir, if you have anything less than K, the quorum, it is entirely mathematically equivalent to having zero amount of information about the key, meaning that adding a new share is the same as brute forcing the entire key space. This is really important to realize and we'll see why in just a second. Let's go back to the example you offered. One of your shares has keys 1 through 8 and then 9 through 16 and then 17 through 24. What you're describing here is splitting in three, a 24-word mnemonic phrase that contains 256 bits of entropy. 256 bits of entropy cannot be brute forced. Now let's look at one of these shares. One of these shares is keys 1 through 8 or words 1 through 8 and 9 through 16. That means that that mnemonic phrase backup that you've created, that split of your mnemonic phrase, contains 16 of 24 words. How many words are left out of that mnemonic phrase? Eight. So that means that there are eight words missing. Now, even worse, one of those words is actually a checksum, meaning that one of those words can be guessed much more easily because only the one word that fits perfectly completes the checksum. So you don't even need to check for balance on the mnemonic phrase by going to a blockchain. That's one of the advantages of mnemonic phrases, but it's also one of the weaknesses of the system you've described. No matter how you do it, one of these pieces of paper will have the checksum word or the checksum word will be the one that's missing. In the first example, the checksum word's missing. Effectively, that means that there are seven words which contain key material in the missing share. How hard is it to crack or brute-force seven words? Is it three times easier than brute-forcing all 24 words? I mean, it's only one-third of the words, so theoretically it would be three times easier. No, not even close. This is an exponential. You're talking about brute-forcing 80 bits instead of 256 bits. Brute-forcing 80 bits is not three times easier or takes only one-third of the time of brute-forcing 2 to the 256 bits of entropy. Brute-forcing 80 bits of entropy is 2 to the 196 times easier, if I'm doing the math correct, than brute-forcing 256 bits. In fact, brute-forcing 80 bits in a dictionary where you already have the checksum and you can check if it works quickly is so easy that it can be done potentially with a cluster of machines in the next decade with someone who has enough computing power. So you could do this with A6, you could do this with FPGAs, you could do this with GPUs. Cracking 80-bit keys is considered only marginally secure. So what you did is you just reduced the security of your mnemonic phrase from 256 bits to 80 bits, which is a catastrophic reduction in security. Worse, if you have some mistakes or you lose parts of this, this is not a very resilient system. Not only do you give an attacker the opportunity of getting your mnemonic phrase by simply looking in two places or brute-forcing eight words after they found one of your mnemonic phrases, but you've also created a situation where if you lose two of them, you're done. I think it would be much better if you used an actual Shamir's secret sharing scheme, but as I've said many times before, complexity is not just the enemy of security. In many cases, it's the enemy of usability, meaning that the more complex you make the scheme, the more likely you are to run into trouble recovering your data, and certainly your errors will have tremendous difficulty recovering your data. The scheme you have described is not secure and is also not resilient and is not a good scheme. And the one you described is probably better than some of the others I've seen out there. I have received dozens of emails from people who are desperate for help because they split their phrase up and lost one part of it. And all I can say is, I'm really, really sorry. It's probably lost forever. And the worst thing is that for some of these people who are lucky, it's brute-forcible, but that means that they're going through all of this pain and trying to brute-force it. And they didn't actually achieve better security because a determined and well-equipped attacker could brute-force it just as fast as they can or faster. So they didn't achieve security, but they lost a lot in resilience. This is a terrible idea. Do not do it. Do not do DIY security. Do not do DIY cartography. Use the standards that have been written by experts who are carefully balancing the need for resilience, the need for security, and thinking about the threat model and how to appropriately address all of those risks in a way that is well-documented, interoperable, standards-based, and predictable. And that is a much better way to do this. So don't do it.