Why you should be using a passphrase with a hardware wallet

in LeoFinance2 months ago


If you are using a Trezor or Ledger to secure your cryptocurrency, you are already in pretty good shape for protecting your assets.

I personally own both brand of devices and they are good solutions to Be your own bank.

A hardware wallet is a simple secure device that stores a private key that acts as a seed to create unlimited wallets on many different blockchains. This key once entered into the device during installation is never meant to come out of the device again. All transactions are signed by the device and the signed transaction is passed onto the network to confirm ownership.

That being said, there is an ugly secret neither manufacturers want you to know. Your private key can be extracted from the device if someone has physical access. In fact, not only can your seed words be extracted, your pin can as well. Granted this type of attack is difficult to perform, it is certainly possible. About a year ago this was big news in the industry and while existing devices are still vulnerable, all manufacturers recommend using a passphrase to secure your device further.

"According to Trezor’s post, attackers need access to the device, as well as a specialized device to send timed voltage glitches through it. Once cracked, the attacker can brute force the one to nine-digit PIN. The whole process can take as little as 15 minutes.

Trezor and Kraken reiterate the importance of using the optional passphrase feature to protect holdings further. Attackers cannot compromise those Trezor wallets protected by a strong passphrase using the method detailed here."

What makes a passphrase so secure?

When initializing your hardware wallet you enter a 12 or 24 word seed phrase to determine the seed of your HD wallet chain. From there new wallets can be created based on this seed. These 12/24 words are known by the device, they are highly secure single purpose devices that make it extremely difficult to extract these words. There have been proof of concept demonstrations where it is possible to do so. There is no question some time in the future this will become trivial as technology advances.

When you use a passphrase, you add a 13th or 25th word to your seed that is never stored on the device. So even if a bad actor got physical access to your hardware wallet, there would be no way to extract your passphrase. Your device will still work with your seed words, but it would be a completely different set of wallets.

Another benefit of a passphrase

Even if you use the same 12/24 seed words, you can have an unlimited number of passphrases that unlock an unlimited different HD wallet chains. This gives you plausible deniability of other wallets.

If you use your device without a passphrase, it will act as if you are using an empty passphrase. If you enable a passphrase, you can enter it at the time of unlocking your device and will unlock a different set of wallets. If you enter another passphrase, it will open another set of wallets from either of these. So you can have one set of wallets that protect the bulk of your crypto, and a smaller subset on another passphrase if you face a $5 wrench attack.

xkcd 538

Setting up a passphrase varies depending on your device, but once enabled you will have the option to enter a passphrase whenever you unlock the device. If you skip this, it will use the 12/24 words as a seed. If you enter a passphrase, it will use these 12/24 seed words in addition to the passphrase.

Cover image source

Securely chat with me on Keybase

Why you should vote me as witness

Posted Using LeoFinance Beta


This is very important. I have been reading into this topic over the past weeks and prepared myself to do exactly that: using a passphrase. However, assuming that your 12/24 recovery seed is compromised, a single word passphrase would offer only little protection against an attack using Amazon AWS. The attacker could double check each wallet for crypto assets and continue until a sufficiently large wallet has been found. They might even assume that you have a dupe, with just a few assets to trick them.

Trezor itself has written an article about that matter and suggests multiple words, alphanumerics or an entire sentence. Below is a list they posted, calculating the costs to crack the passphrase today and an estimation for the costs in the year 2030.


Is your passphrase strong enough?

I have created a passphrase that is more powerful than a single word. The only downside of that is that it takes longer to enter on the device (and I highly suggest to never enter it on the computer/phone and always use the hardware wallet itself). But it is actually great to do that because it will strengthen your memory more and more each time you do that. I also do the recovery seed backup check directly on the device every day from memory and dial that repetition frequency down over time, when my synapses have created enough myelin (a protein sheath around the synapses, increasing the travel speed of the electric impulses when triggering my mnemonics).

At first I thought it might be impractical but I actually think this is fun and neither the input on the device nor the mere recall of the memory takes much time.

Posted Using LeoFinance Beta

That's impressive. I can barely remember my name some days. lol

Posted Using LeoFinance Beta

Interesting. I didn't know that was an option. Good to know though. Thanks for the info.

I've been using a Trezor and I think it's the safest option to use a hardware wallet.

Posted Using LeoFinance Beta



How this all started with Toruk

Posted Using LeoFinance Beta

Security is massive considering the longer we all do this the more we have to protect.

Posted Using LeoFinance Beta

Very good advice. I didn't know about these either or the fact that you could create whole sets of wallets just by adding different passphrases. Thank you for this. I'll have to revisit my device.

Posted Using LeoFinance Beta

Previous time I have got some ads on Trezor but did not think about the feature of it about security. it's really great and secured I think ok now it's time to you have own Bank at hand

Posted Using LeoFinance Beta

I think I will just secure mine by locking all in ETH liquidity pools, the GAS fee will protect them forever.

Very interesting. I still feel like I have so much to learn about my Ledger Nano X and even then I won't be scratching the surface of all the stuff it can do. I really need to take the time to just sit down with it and explore all of the features. Is this something you can add one you have already set it up?

Posted Using LeoFinance Beta

Are the hardware wallets expensive to buy?

It is (or going to be) mandatory when travelling and going through customs if you don't want to be robbed by governments.
Thanks for sharing.

Posted Using LeoFinance Beta

When it comes to your crypto (and private data!), you can never be too careful. Using a passphrase creates an extra layer of security for your accounts. Even if someone steals your recovery seed, they still wouldn't be able to steal your crypto if you use a passphrase

Posted Using LeoFinance Beta




Posted Using LeoFinance Beta