Why you should be using a passphrase with a hardware wallet

3 Min Read
646 Words


If you are using a Trezor or Ledger to secure your cryptocurrency, you are already in pretty good shape for protecting your assets.

I personally own both brand of devices and they are good solutions to Be your own bank.

A hardware wallet is a simple secure device that stores a private key that acts as a seed to create unlimited wallets on many different blockchains. This key once entered into the device during installation is never meant to come out of the device again. All transactions are signed by the device and the signed transaction is passed onto the network to confirm ownership.

That being said, there is an ugly secret neither manufacturers want you to know. Your private key can be extracted from the device if someone has physical access. In fact, not only can your seed words be extracted, your pin can as well. Granted this type of attack is difficult to perform, it is certainly possible. About a year ago this was big news in the industry and while existing devices are still vulnerable, all manufacturers recommend using a passphrase to secure your device further.

"According to Trezor’s post, attackers need access to the device, as well as a specialized device to send timed voltage glitches through it. Once cracked, the attacker can brute force the one to nine-digit PIN. The whole process can take as little as 15 minutes.

Trezor and Kraken reiterate the importance of using the optional passphrase feature to protect holdings further. Attackers cannot compromise those Trezor wallets protected by a strong passphrase using the method detailed here."

What makes a passphrase so secure?

When initializing your hardware wallet you enter a 12 or 24 word seed phrase to determine the seed of your HD wallet chain. From there new wallets can be created based on this seed. These 12/24 words are known by the device, they are highly secure single purpose devices that make it extremely difficult to extract these words. There have been proof of concept demonstrations where it is possible to do so. There is no question some time in the future this will become trivial as technology advances.

When you use a passphrase, you add a 13th or 25th word to your seed that is never stored on the device. So even if a bad actor got physical access to your hardware wallet, there would be no way to extract your passphrase. Your device will still work with your seed words, but it would be a completely different set of wallets.

Another benefit of a passphrase

Even if you use the same 12/24 seed words, you can have an unlimited number of passphrases that unlock an unlimited different HD wallet chains. This gives you plausible deniability of other wallets.

If you use your device without a passphrase, it will act as if you are using an empty passphrase. If you enable a passphrase, you can enter it at the time of unlocking your device and will unlock a different set of wallets. If you enter another passphrase, it will open another set of wallets from either of these. So you can have one set of wallets that protect the bulk of your crypto, and a smaller subset on another passphrase if you face a $5 wrench attack.

xkcd 538

Setting up a passphrase varies depending on your device, but once enabled you will have the option to enter a passphrase whenever you unlock the device. If you skip this, it will use the 12/24 words as a seed. If you enter a passphrase, it will use these 12/24 seed words in addition to the passphrase.

Cover image source

Securely chat with me on Keybase

Why you should vote me as witness

Posted Using LeoFinance Beta