
Topic: Why doesn't every hardware wallet support two-factor seed phrases? (Read 652 times)

sr. member
Activity: 1190
Merit: 469
Heh. No. Of course no attacker will believe that. It's a running joke. Unfortunately I am very careless and lose all my bitcoin in a boating accident at least three times a year. Wink
someone would have a better chance of convincing the government they lost their guns than their crypto in a boating accident. Shocked
legendary
Activity: 2268
Merit: 18775
That is quite a careless habit you've developed
Tell me about it! Every time I move some bitcoin to a cold storage wallet, I lose it within 24 hours. Every damn time!

I tend to store my seeds in the same places I store my firearms, so my bitcoin is just as vulnerable.
Might as well save yourself some time here and just engrave your seed phrases directly on to your firearms. Wink

And I haven't even owned a boat in the last 4 years.
What a coincidence! I also lost my boat in an unfortunate boating accident.
copper member
Activity: 2338
Merit: 4543
Unfortunately I am very careless and lose all my bitcoin in a boating accident at least three times a year. Wink

That is quite a careless habit you've developed, but it seems pretty typical for a red-blooded, freedom-loving American.  I've been losing firearms in unfortunate boating accidents since the early aughts.  I tend to store my seeds in the same places I store my firearms, so my bitcoin is just as vulnerable.  Wink

And I haven't even owned a boat in the last 4 years.   Grin
legendary
Activity: 2268
Merit: 18775
well you got all the bases covered.
I certainly hope so! I do think it is important to examine your security set up from every possible angle to protect against loss, disaster, forgetfulness, theft, etc.

you're joking right?  Huh  just don't expect an attacker to believe that...
Heh. No. Of course no attacker will believe that. It's a running joke. Unfortunately I am very careless and lose all my bitcoin in a boating accident at least three times a year. Wink
sr. member
Activity: 1190
Merit: 469
Of course I also have a number of wallets which are used on a regular basis with frequent transactions, but such wallets are obviously not my main cold storage wallets and do not contain large amounts of funds. These wallets would be the first to go in the case of a $5 wrench attack. If an attacker is unsatisfied with such wallets and keeps going in search of a cold storage wallet, then I can hand over one or more such cold storage wallets which instead of being filled with regular transactions have the transaction pattern I described above - one or two deposits followed by months or years of inactivity. And as Pmalek said, the compromise of any of my wallets provides absolutely zero clues as to the existence of any other wallets.
well you got all the bases covered. i thought i would be able to find some weakness in your strategy something you weren't doing but seems like you have it all done properly. so congrats.

Quote
And actually I just recently lost all my wallets once again in yet another unfortunate boating accident! Wink
you're joking right?  Huh  just don't expect an attacker to believe that...
legendary
Activity: 2268
Merit: 18775
i don't know if a scenario like that is believable that you would only have bitcoin in cold storage but not a wallet that you use everyday.
Of course I also have a number of wallets which are used on a regular basis with frequent transactions, but such wallets are obviously not my main cold storage wallets and do not contain large amounts of funds. These wallets would be the first to go in the case of a $5 wrench attack. If an attacker is unsatisfied with such wallets and keeps going in search of a cold storage wallet, then I can hand over one or more such cold storage wallets which instead of being filled with regular transactions have the transaction pattern I described above - one or two deposits followed by months or years of inactivity. And as Pmalek said, the compromise of any of my wallets provides absolutely zero clues as to the existence of any other wallets.

And actually I just recently lost all my wallets once again in yet another unfortunate boating accident! Wink
legendary
Activity: 2730
Merit: 7065
i don't know if a scenario like that is believable that you would only have bitcoin in cold storage but not a wallet that you use everyday. anyone that has any common sense would know that you have to have some hot wallet and demand to see that too. hopefully you have some decoy hot wallets too.
o_e_l_e_o has already said that you can't connect any of his multiple wallets through transactions coming in or going out. He mixes his coins to break the links. The discovery that wallet #1 belongs to o_e_l_e_o would therefore not lead you to blockchain evidence proving that wallets #2 and #3 are also o_e_l_e_o's. I am sure he has hot wallets and coins he would give you if you attacked him in his home. But if he did everything correctly, you are never going to know the person you are stealing from is o_e_l_e_o, and you can't possibly know how many other wallets he has and where.   
sr. member
Activity: 1190
Merit: 469
I'm not sure about that. I have a handful of wallets purposefully for long term cold storage that simply have one or two deposits in to them, sometimes years ago, and no further activity since then. That's exactly what a main cold storage would look like. It's not going to be a wallet I'm spending from on a regular basis.
i don't know if a scenario like that is believable that you would only have bitcoin in cold storage but not a wallet that you use everyday. anyone that has any common sense would know that you have to have some hot wallet and demand to see that too. hopefully you have some decoy hot wallets too.

hero member
Activity: 924
Merit: 5943
not your keys, not your coins!
otoh, if they see that there was only a single deposit or two made to this wallet you gave them with no other activity they might begin to suspect you did it for that purpose...
I'm not sure about that. I have a handful of wallets purposefully for long term cold storage that simply have one or two deposits in to them, sometimes years ago, and no further activity since then. That's exactly what a main cold storage would look like. It's not going to be a wallet I'm spending from on a regular basis.
You are both right; some people have a 'cold wallet', note down its first receiving address and dollar-cost-average new coins into it every day, week or month, for instance. Or whenever they have extra money (fiat or Bitcoin) to move to their long-term cold storage investment.

Others buy a lump sum once and don't touch it (or save up more BTC into other wallets).

All this ambiguity is great for plausible deniability, because it means even a single deposit into a decoy wallet could represent the whole stash (as long as it is large enough).
legendary
Activity: 2268
Merit: 18775
I have never looked into what derivation paths Electrum scans
You can find them here: https://github.com/spesmilo/electrum/blob/master/electrum/bip39_wallet_formats.json
Scans 14 in total - all the usual ones you would expect, plus a couple of unusual ones from specific wallets.

but I am guessing the software scans a bunch of paths for change addresses as well, does it?
It does now, after I opened an issue about lost change last year: https://github.com/spesmilo/electrum/issues/7804

Or does change automatically get recovered together with the correctly selected coin type and account number?
The way it works is that it scans the first derivation path on the list above for any transactions on either the first 20 receiving addresses or the first 10 change addresses. If it finds some transaction history, then it will recover the entire wallet, and it will also increment the account number by 1 for that specific derivation path and check that wallet too. It will repeat this process until it finds an empty wallet, and then move on to the next derivation path on the list above.
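The discovery procedure described above, written out as an added example; this is a hypothetical reimplementation for illustration, not Electrum's code. The path templates, the `address_at` stand-in for real BIP32 derivation and the sample chain are all constructed here.

```python
import hashlib
from typing import Callable, Dict, List, Tuple

# Gap limits as described in the post: the scan only looks at the first
# 20 receiving addresses (chain 0) and the first 10 change addresses (chain 1).
RECEIVE_GAP = 20
CHANGE_GAP = 10

# Assumed path templates (a real scanner has a longer list); "{account}" is
# the hardened account index that gets incremented after each hit.
PATH_TEMPLATES = [
    "m/84'/0'/{account}'",
    "m/49'/0'/{account}'",
    "m/44'/0'/{account}'",
]


def address_at(template: str, account: int, chain: int, index: int) -> str:
    """Stand-in for BIP32 derivation: a deterministic fake address string.

    Real code would derive the key at <template>/<chain>/<index> from the seed
    and encode it; here we only need something unique per path element.
    """
    full_path = f"{template.format(account=account)}/{chain}/{index}"
    return "fake1" + hashlib.sha256(full_path.encode()).hexdigest()[:32]


def account_has_history(lookup: Callable[[str], int], template: str, account: int) -> bool:
    """True if any address within the gap limits on either chain has transactions."""
    for chain, gap in ((0, RECEIVE_GAP), (1, CHANGE_GAP)):
        for index in range(gap):
            if lookup(address_at(template, account, chain, index)) > 0:
                return True
    return False


def discover_wallets(lookup: Callable[[str], int],
                     templates: List[str] = PATH_TEMPLATES) -> List[Tuple[str, int]]:
    """For each path template: scan account 0, and keep incrementing the account
    while history is found; stop at the first empty account and move to the next path."""
    found: List[Tuple[str, int]] = []
    for template in templates:
        account = 0
        while account_has_history(lookup, template, account):
            found.append((template, account))
            account += 1
    return found


# Constructed sample chain state: address -> number of transactions seen.
SAMPLE_CHAIN: Dict[str, int] = {
    address_at(PATH_TEMPLATES[0], 0, 1, 5): 2,   # account 0: only a change address was used
    address_at(PATH_TEMPLATES[0], 1, 0, 19): 1,  # account 1: last receive address inside the gap
    address_at(PATH_TEMPLATES[2], 0, 0, 25): 3,  # BIP44 account 0, index 25: beyond the gap,
                                                 # so this scan cannot see it (the caveat to know)
}


def sample_lookup(address: str) -> int:
    return SAMPLE_CHAIN.get(address, 0)


if __name__ == "__main__":
    for template, account in discover_wallets(sample_lookup):
        print("history found on", template.format(account=account))
```

The third sample entry shows the failure mode of any gap-limit scan: funds sitting past the first 20 receiving addresses of an otherwise empty account are simply not found, which is why the gap limit must be raised when recovering a wallet that handed out many unused addresses.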
legendary
Activity: 2730
Merit: 7065
And then you've got software like Electrum, which will scan a bunch of commonly used derivation paths for you if you forget.
I have never looked into what derivation paths Electrum scans, but I am guessing the software scans a bunch of paths for change addresses as well, does it? Or does change automatically get recovered together with the correctly selected coin type and account number? Some non-standard wallets probably customize this as well that Electrum may or may not know about.
legendary
Activity: 2268
Merit: 18775
hopefully the decoy coins amount to enough cash that they don't become wise to what you're doing.  you certainly don't want to be cheap there. it needs to be enough so that they actually believe you don't have a secondary stash somewhere that is bigger. because if they believe that then you got a whole other problem, convincing them that your net worth is that small. oh and here's a free tip: don't have any two-way transactions between your decoy and main wallet since when the robbers get home and see that your decoy coins are related to a bigger wallet, they might possibly pay you another visit.
Correct on all counts. I actually said just this in another thread just a few days ago: https://bitcointalksearch.org/topic/m.61679886. Your decoy wallets need to plausibly be your entire stash, and there must be no links (physical, electronic, or blockchain) between your decoy wallets and your main hidden stash.

otoh, if they see that there was only a single deposit or two made to this wallet you gave them with no other activity they might begin to suspect you did it for that purpose...
I'm not sure about that. I have a handful of wallets purposefully for long term cold storage that simply have one or two deposits in to them, sometimes years ago, and no further activity since then. That's exactly what a main cold storage would look like. It's not going to be a wallet I'm spending from on a regular basis.
sr. member
Activity: 1190
Merit: 469

This is not a good idea,
i know it's not a good idea i think the point i was trying to make though is by splitting up the passphrase into two parts, it makes it even harder for someone to discover it. so more security right? well, not so fast. there's also the issue of making things more complex for the owner of the wallet. the more complexity equals more possibility for problems to occur.

Quote
People who are trying to make stuff too complex usually end up losing access to stuff they are trying to hide.
 
exactly. that's why i'm not even a huge fan of the additional passphrase but i do understand it has merits. Cheesy
legendary
Activity: 2212
Merit: 7064
notice i was referring to splitting up the passphrase not the seed phrase. two different things. splitting up the passphrase would still provide - could still provide - plausible deniability. you would just need to remember which part came first.
This is not a good idea, and remember that this is not ultimate protection for your assets, that can be brute force attacked, and keeping anything in your brain/memory is a highly unreliable thing.
Please don't come up with these "revolutionary" splitting techniques for anything, because many security experts say that this is a recipe for disaster.
People who are trying to make stuff too complex usually end up losing access to stuff they are trying to hide.
 
sr. member
Activity: 1190
Merit: 469
That's a fair point. But if you check your derivation path, and it is the standard and very common m/84'/0'/0' for example, then I wouldn't feel the need to back that up as well, knowing how ubiquitous such a derivation path is and how easy it will be to recover from it in the future, even if I forget.
i could agree with that.  Cheesy

Quote
Having said that, splitting up a passphrase certainly can provide plausible deniability, especially if you then put some decoy coins on the wallets which were generated from both halves of your passphrase being used individually.
hopefully the decoy coins amount to enough cash that they don't become wise to what you're doing.  you certainly don't want to be cheap there. it needs to be enough so that they actually believe you don't have a secondary stash somewhere that is bigger. because if they believe that then you got a whole other problem, convincing them that your net worth is that small. oh and here's a free tip: don't have any two-way transactions between your decoy and main wallet since when the robbers get home and see that your decoy coins are related to a bigger wallet, they might possibly pay you another visit.  Shocked

otoh, if they see that there was only a single deposit or two made to this wallet you gave them with no other activity they might begin to suspect you did it for that purpose...
legendary
Activity: 2268
Merit: 18775
ok but if you never actually check what the derivation path is then how do you know it's not something unexpected? you really don't. that's why i'm always going to see if the expected derivation path is actually the path the funds are on. that's a very important check to do instead of just assuming "oh this is wallet xyz everyone says it uses such and such path so i don't need to check anything".
That's a fair point. But if you check your derivation path, and it is the standard and very common m/84'/0'/0' for example, then I wouldn't feel the need to back that up as well, knowing how ubiquitous such a derivation path is and how easy it will be to recover from it in the future, even if I forget.

notice i was referring to splitting up the passphrase not the seed phrase. two different things. splitting up the passphrase would still provide - could still provide - plausible deniability. you would just need to remember which part came first.
Ahh apologies, I misread. I'm still not a fan of splitting up an individual component of a back up, and much prefer that if you want to set a threshold of multiple back ups to recover your wallet then to use multiple components, such as seed phrase plus passphrase, or multi-sig. Having said that, splitting up a passphrase certainly can provide plausible deniability, especially if you then put some decoy coins on the wallets which were generated from both halves of your passphrase being used individually.
sr. member
Activity: 1190
Merit: 469
I don't think you can reach conclusions about bitcoin based on what some random altcoin is doing. Any worthless altcoin can decide to use completely moronic derivation paths if they want, as can any random piece of terrible wallet software. If you stick to reputable software using known processes, then the derivation paths are largely standardized.
ok but if you never actually check what the derivation path is then how do you know it's not something unexpected? you really don't. that's why i'm always going to see if the expected derivation path is actually the path the funds are on. that's a very important check to do instead of just assuming "oh this is wallet xyz everyone says it uses such and such path so i don't need to check anything".

why not split your passphrase into 2 parts and store one somewhere and the other part somewhere else? that's even more secure right?
Quote
As discussed above, it does not provide any plausible deniability which is one of the main benefits of a passphrase. And talking of human error, there are countless examples of people who have tried to be smart and split up their seed phrase and ended up making a mistake and locking themselves out of their wallet.
notice i was referring to splitting up the passphrase not the seed phrase. two different things. splitting up the passphrase would still provide - could still provide - plausible deniability. you would just need to remember which part came first.

Quote from: Welsh
In most cases, a simple physical backup of a seed phrase or private key is secure enough. As long as it's secured physically. That eliminates online attacks, and realistically you're only at the mercy of your local population.
this is a reasonable point of view. i think the local population is an important concept. that's really who you're most concerned with when you hide a seed phrase. they are the only ones that could possibly discover it thus i don't see the need for a passphrase. that just adds to the risk of something going wrong and you losing one or both. but to each their own. not saying passphrases are bad but i don't think they are for newbies.
staff
Activity: 3332
Merit: 4117
As discussed above, it does not provide any plausible deniability which is one of the main benefits of a passphrase. And talking of human error, there are countless examples of people who have tried to be smart and split up their seed phrase and ended up making a mistake and locking themselves out of their wallet.
I feel like a broken record, because I've said I feel like a broken record before about a similar discussion, but it's the common theme of security vs convenience, and actually convenience is partly security. You make something too complex, and you'll likely forget it or potentially mess up during the creation of it or when verifying it.

In most cases, a simple physical backup of a seed phrase or private key is secure enough. As long as it's secured physically. That eliminates online attacks, and realistically you're only at the mercy of your local population. Depending on how you secure it, it'll be more or less likely to get compromised. However, let's be honest, there are some pretty simple ways of doing it, which would basically eliminate any common thief that happens to wander into your house.
legendary
Activity: 2268
Merit: 18775
maybe it is for you but i have experience where the derivation path was m/44'/60'/0'/0 but no one knew that. i spent a long time researching and googling it before i came across it. that's an ethereum wallet but the point still stands.
I don't think you can reach conclusions about bitcoin based on what some random altcoin is doing. Any worthless altcoin can decide to use completely moronic derivation paths if they want, as can any random piece of terrible wallet software. If you stick to reputable software using known processes, then the derivation paths are largely standardized.

why not split your passphrase into 2 parts and store one somewhere and the other part somewhere else? that's even more secure right?
As discussed above, it does not provide any plausible deniability which is one of the main benefits of a passphrase. And talking of human error, there are countless examples of people who have tried to be smart and split up their seed phrase and ended up making a mistake and locking themselves out of their wallet.

When there are standardized methods of doing something, which are tried and tested and provably more secure, then coming up with your own ad hoc system is almost always a recipe for disaster.
sr. member
Activity: 1190
Merit: 469
If you stick to the standard BIP44/49/84 derivation paths, then this step is unnecessary in my opinion. Those paths are so ingrained in the wider bitcoin ecosystem that even if you forget them you will have no problem recovering from them in the future.
maybe it is for you but i have experience where the derivation path was m/44'/60'/0'/0 but no one knew that. i spent a long time researching and googling it before i came across it. that's an ethereum wallet but the point still stands. from that experience i learned about the importance of storing the derivation path because one little change like if you turned m/44'/60'/0'/0 to m/44'/60'/0/0 who would know how to fix that? no one would. you would just be making wild guesses. kind of like a brute force search.
Quote
I'm not denying that, but it is still a mistake to think you are immune to human error.
well yeah i mean i'm not immune to making errors. i need to test things that i'm doing to make sure they are functioning the way they were intended to. i'm just not convinced on the security aspect of an additional passphrase. that's all. why not split your passphrase into 2 parts and store one somewhere and the other part somewhere else? that's even more secure right?
legendary
Activity: 2268
Merit: 18775
but some other important details like the derivation path and what software wallet it uses. i think those things are important. you cannot recover a seed phrase without knowing the derivation path unless you know the software you used.
If you stick to the standard BIP44/49/84 derivation paths, then this step is unnecessary in my opinion. Those paths are so ingrained in the wider bitcoin ecosystem that even if you forget them you will have no problem recovering from them in the future. Hell, I would bet the majority of users don't even know what derivation path they use, because if they import their seed phrase in to some other piece of software it will almost certainly find their coins on these standard paths. And then you've got software like Electrum, which will scan a bunch of commonly used derivation paths for you if you forget.

It would only be if I were using a non-standard and custom derivation path for some specific reason that I would also back it up.

organizations have attack surfaces that are vastly different than people like you and me.
I'm not denying that, but it is still a mistake to think you are immune to human error.
sr. member
Activity: 1190
Merit: 469
i felt like no matter where i put it, since it is so big it would be easy for someone else to find it too.
A slip of paper is too big?
well i wrote it down on a piece of 8.5 by 11 inch paper not only the seed phrase but some other important details like the derivation path and what software wallet it uses. i think those things are important. you cannot recover a seed phrase without knowing the derivation path unless you know the software you used...so when all was said and done i had used up about half of the sheet of paper. maybe i write big.

Quote
So you do agree that back ups are not immune to being found by an attacker. Wink
backups that i write on a piece of paper i already admitted i don't think those can be easily hidden. and they stick out like a sore thumb if someone happens to catch a glance of it.

Quote
I would suggest that multi-national tech giants like Google and Apple through to US government agencies including the FBI and the Pentagon all have serious security protocols in place, and yet all of these entities have suffered hacks or compromises.
organizations have different attack surfaces than individuals. they have more weaknesses when it comes to protecting sensitive information. the more people that know or have access to the information or could get access to it through someone they do know just multiplies the risk factor. a rogue employee that became unreliable and acted improperly: you can have all the security in the world but if you put too much trust into one person then you can be doomed. show me a case where the US government had a 5 of 7 bitcoin wallet and they were able to brute force it because 3 of the 7 people became untrustworthy. organizations have attack surfaces that are vastly different than people like you and me.
legendary
Activity: 2268
Merit: 18775
i felt like no matter where i put it, since it is so big it would be easy for someone else to find it too.
A slip of paper is too big?

but i don't want a passphrase. that's just another thing that someone could find and maybe i forget where i put it or something.
So you do agree that back ups are not immune to being found by an attacker. Wink

tell me an example of someone that had a serious security protocol in place who "tripped up". that's the person i'm interested in hearing about because ultimately they had to have done something wrong.
I would suggest that multi-national tech giants like Google and Apple through to US government agencies including the FBI and the Pentagon all have serious security protocols in place, and yet all of these entities have suffered hacks or compromises. Maybe there was some human error involved, but that doesn't mean you are immune to making a mistake either. All the more reason to use a system which mitigates human error. Accidentally reveal your seed phrase? Thankfully you've not lost everything because you are using an additional passphrase.
sr. member
Activity: 1190
Merit: 469
Once again, you are coming up with fantastical scenarios which are in no way based on reality. It's easy to come up with theoretically immune systems, but I am not aware of a single person who has microscopically engraved their seed phrase on to some object, and I'm guessing you aren't either. People don't do this. People write down their seed phrase on a piece of paper, and store it somewhere with varying amounts of security. Even stored somewhere very secure, it will not be immune to discovery, so an additional passphrase provides useful additional security.

i wrote down my seedphrase on a piece of paper recently but it didn't make me feel too good. i felt like no matter where i put it, since it is so big it would be easy for someone else to find it too. but i don't want a passphrase. that's just another thing that someone could find and maybe i forget where i put it or something. without both of them i would be screwed too. so if someone found one of them and not the other then they might not be able to get my money but neither would i!
Quote
Yes, you should be hiding your back up somewhere very secure, and yes, you can make it very unlikely to be accidentally discovered, but this assumes universally good security practices throughout the entire community (which will never happen), and even then, there is not a 0% chance of compromise. Even one of the bitcoin devs recently lost hundreds of bitcoin through poor security practices. If a bitcoin dev can trip up, then the average user can definitely trip up too.
tell me an example of someone that had a serious security protocol in place who "tripped up". that's the person i'm interested in hearing about because ultimately they had to have done something wrong. i'll let you know when i make my microscopic seed phrase backup.  Grin
legendary
Activity: 2268
Merit: 18775
that's why i say it is pretty much immune to that issue.
Once again, you are coming up with fantastical scenarios which are in no way based on reality. It's easy to come up with theoretically immune systems, but I am not aware of a single person who has microscopically engraved their seed phrase on to some object, and I'm guessing you aren't either. People don't do this. People write down their seed phrase on a piece of paper, and store it somewhere with varying amounts of security. Even stored somewhere very secure, it will not be immune to discovery, so an additional passphrase provides useful additional security.

Yes, you should be hiding your back up somewhere very secure, and yes, you can make it very unlikely to be accidentally discovered, but this assumes universally good security practices throughout the entire community (which will never happen), and even then, there is not a 0% chance of compromise. Even one of the bitcoin devs recently lost hundreds of bitcoin through poor security practices. If a bitcoin dev can trip up, then the average user can definitely trip up too.
sr. member
Activity: 1190
Merit: 469
i was referring to unintended discovery not to the loss risk.
And there is no back up which is immune to unintended discovery either.
well if you're going to be stamping your seed phrase onto a honking piece of metal then yeah, i mean anyone could possibly stumble upon it no matter how well you hide it. most people don't have the capability to do it but if you could reduce it to a microscopic size then it does become immune to unintended discovery. that's just the way it is. i suppose you think you could prove me wrong if i hid a microscopic seed phrase somewhere in my house and then give you as long as you want to search through the entire house. do you really think you're going to find it even then? i think not. that's why i say it is pretty much immune to that issue.

Quote
So if you want to mitigate this risk, then you need a system where the discovery of said back up does not result in immediate compromise of your wallets.
i mean if you're writing your seed phrase down on a big 8.5x11 sheet of paper so that anyone can easily read it then yeah, i mean, that could be discovered quite easily most likely. there's nowhere you can hide that to make it immune to unintended discovery most likely. some people might disagree with even that though...

Quote
Strongly disagree. You should be considering every realistic avenue in which your coins can be stolen, not just the most likely one.
it's not realistic to think that a microscopic item can be discovered accidentally or even if someone was specifically searching for it. it's too small. you could be looking right at it and not even know what it was. but i know you would say you would lug around a huge magnifying glass that you inspected every single inch of the entire house. good luck. i doubt you would be successful even given unlimited time and resources...
legendary
Activity: 2268
Merit: 18775
i was referring to unintended discovery not to the loss risk.
And there is no back up which is immune to unintended discovery either. So if you want to mitigate this risk, then you need a system where the discovery of said back up does not result in immediate compromise of your wallets.

if the risk is lower than other risks such as the risk of loss then it makes little sense to worry about the risk of unintended discovery.
Strongly disagree. You should be considering every realistic avenue in which your coins can be stolen, not just the most likely one.
sr. member
Activity: 1190
Merit: 469
but if someone knows how to store their seedphrase properly then it is really not at risk of being discovered by anyone.
Then you would be the first person in the world to have a perfect security set up with no risk of compromise. There is no such thing as 100% safe.
there are 2 types of risk when storing a seedphrase on some physical medium as a backup. one is the risk of unintended discovery and the second is the risk of loss. a perfect backup would be immune to both of those. i was referring to unintended discovery not to the loss risk.
  
Quote
To quote Gene Spafford:

Quote from: Gene Spafford
The only system which is truly secure is one which is switched off and unplugged, locked in a titanium lined safe, buried in a concrete bunker, and is surrounded by nerve gas and very highly paid armed guards. Even then, I wouldn't stake my life on it.
maybe it is safe from loss but not from unintended discovery. and because of that, it might become unsafe from loss if a powerful enough adversary decided to try and attack it.

Quote
Maybe your seed phrase back up is "safe enough", but getting complacent and assuming there is no risk of it being discovered is a recipe for disaster. And since there is always a risk of it being discovered, then there is little to lose by mitigating that risk by using an additional passphrase.
if the risk is lower than other risks such as the risk of loss then it makes little sense to worry about the risk of unintended discovery.
legendary
Activity: 2268
Merit: 18775
but if someone knows how to store their seedphrase properly then it is really not at risk of being discovered by anyone.
Then you would be the first person in the world to have a perfect security set up with no risk of compromise. There is no such thing as 100% safe. To quote Gene Spafford:

Quote from: Gene Spafford
The only system which is truly secure is one which is switched off and unplugged, locked in a titanium lined safe, buried in a concrete bunker, and is surrounded by nerve gas and very highly paid armed guards. Even then, I wouldn't stake my life on it.

Maybe your seed phrase back up is "safe enough", but getting complacent and assuming there is no risk of it being discovered is a recipe for disaster. And since there is always a risk of it being discovered, then there is little to lose by mitigating that risk by using an additional passphrase.
sr. member
Activity: 1190
Merit: 469
Quote from:  o_e_l_e_o
But the chances of your seed phrase being compromised and your coins being stolen are exponentially higher than the chances of both your seed phrase and your passphrase being compromised.

the only additional benefit/security i can see from adding on a passphrase is the plausible deniability that MIGHT protect someone if armed bandits held them hostage and demanded their bitcoin. but if someone knows how to store their seedphrase properly then it is really not at risk of being discovered by anyone.

Quote
That's the beauty of passphrases. There is no "right" wallet. Your hardware and software has absolutely no idea which wallet is the right wallet, and any string is a valid passphrase. This means it is harder to attack, and it gives you plausible deniability. This is a feature, not a bug.
it is nice that you can have one seedphrase and re-use it as many times as you like by just changing the "passphrase".

Quote from: n0nce
Every single possible passphrase will create a new, valid wallet. Those will at first all be unfunded, of course, so you can 'find' your wallet again either by noticing there is a balance on it (after having sent some funds to it)
yeah if it has a balance on it then that makes things much easier to detect if something went wrong on the passphrase entry step.
hero member
Activity: 924
Merit: 5943
not your keys, not your coins!
i don't use passphrases so maybe i'm not so knowledgeable on how many times you have to enter it. but maybe just once when you originally set it up? that being the case maybe what you said is feasible mitigation. i just don't like having to rely on some external data such as an address to tell me i have the right wallet.  Shocked
Every single possible passphrase will create a new, valid wallet. Those will at first all be unfunded, of course, so you can 'find' your wallet again either by noticing there is a balance on it (after having sent some funds to it) or - as Leo said - writing down an address and verifying that when you enter the passphrase for the second & third time, you get the same address again.
legendary
Activity: 2268
Merit: 18775
i guess but anytime you ever have to enter your passphrase, it seems like (as you mentioned) you would have to do some type of additional verification that you have the right wallet. that seems like a real pain.
Not every time - just the first time. Once you've confirmed that you have definitely entered the correct passphrase the first time, by performing the process twice (or three times) and checking you reach the same set of addresses each time, then presumably you are going to fund the wallet. Every future time you enter the passphrase, you'll know that you entered it correctly because you will reach your wallet containing your coins.

the chances of something going wrong are higher than me not using a passphrase and someone figuring out my seed phrase.
But the chances of your seed phrase being compromised and your coins being stolen are exponentially higher than the chances of both your seed phrase and your passphrase being compromised.

i just don't like having to rely on some external data such as an address to tell me i have the right wallet.  Shocked
That's the beauty of passphrases. There is no "right" wallet. Your hardware and software has absolutely no idea which wallet is the right wallet, and any string is a valid passphrase. This means it is harder to attack, and it gives you plausible deniability. This is a feature, not a bug.
sr. member
Activity: 1190
Merit: 469
Agreed. It's a drawback, but also an advantage. The mitigation is to enter your passphrase, note down the first address, reset your wallet, enter your passphrase a second time, and check the first address matches what you wrote down from the first round. Repeat a third time if you like to be extra sure.


i guess but anytime you ever have to enter your passphrase, it seems like (as you mentioned) you would have to do some type of additional verification that you have the right wallet. that seems like a real pain. the chances of something going wrong are higher than me not using a passphrase and someone figuring out my seed phrase. i think we could agree on that.

i don't use passphrases so maybe i'm not so knowledgeable on how many times you have to enter it. but maybe just once when you originally set it up? that being the case maybe what you said is feasible mitigation. i just don't like having to rely on some external data such as an address to tell me i have the right wallet.  Shocked
legendary
Activity: 2268
Merit: 18775
I can only imagine how long you would have to wait to confirm every transaction with this long text...... this is almost impossible to use in real life.
I'm not sure I follow you here. Once you've entered the passphrase, your wallet software will use it along with your seed phrase to derive your master keys for that wallet. A salt of that length will make no noticeable difference to the length of time it takes to derive the master keys, and once the master keys are derived, then everything from that point on is identical. The only difference is how long it will take you to enter the passphrase, which I agree on a hardware wallet will take a significant amount of time selecting one character at a time.

I tried testing this for different passphrases (for password managers) and I almost always got better entropy results with spaces.
What algorithms were being used to assess the entropy? Adding a space might be classed as a "special character", of which there are 33 in ASCII, meaning you go from 26 possibilities for each character (assuming only lower case letters), to up to 59 possibilities for each character, which gives you a falsely elevated entropy result. Different algorithms also make different assumptions about how much knowledge of the password the attacker has.

those things can be dealt with by owning the book and highlighting the passphrase and then storing the book somewhere safe.
Which is no different to just writing down the passphrase on paper, as I've been saying all along.

thats one of the serious drawbacks of the bip39 passphrase. there is no checksum for it. so the software has to accept whatever you type in and go with it.
Agreed. It's a drawback, but also an advantage. The mitigation is to enter your passphrase, note down the first address, reset your wallet, enter your passphrase a second time, and check the first address matches what you wrote down from the first round. Repeat a third time if you like to be extra sure.
hero member
Activity: 924
Merit: 5943
not your keys, not your coins!
Quote
If you can forget your passphrase, then you can just as easily forget which sentence you used or which word you started/end your passphrase with or which edition of the book you used and so on.
those things can be dealt with by owning the book and highlighting the passphrase and then storing the book somewhere safe.
Then you could also store a seed phrase backup on a piece of paper glued between two pages in any book that you're confident is stored safely.. Grin
Or highlight 12/24 words across the book which, read front to back, result in the seed phrase. This has all been discussed over the years, though.
sr. member
Activity: 1190
Merit: 469
Honestly, that's a terrible choice of passphrase.

Yeah, that hyphen due to the column width was kind of unexpected. Other online versions don't have that hyphen. But the printed book apparently does.

Quote
If you can forget your passphrase, then you can just as easily forget which sentence you used or which word you started/end your passphrase with or which edition of the book you used and so on.
those things can be dealt with by owning the book and highlighting the passphrase and then storing the book somewhere safe.

Quote
Passphrases should be backed up on paper, just as seed phrases are.
well lets say you decide to string together the hashes of the first 3 blocks of the blockchain.

Code:
00000000839a8e6886ab5951d76f411475428afc90947ee320161bbf18eb6048000000006a625f06636b8bb6ac7b960a8d03705d1ace08b1a19da3fdcc99ddbd0000000082b5015589a3fdf2d4baff403e6f0be035a5d9742c1cae6295464449

as long as i store instructions about how to perform the above operation then i don't really need to write down all of that on paper. whether that is a suitable approach for a bip39 passphrase is a matter of other discussion but i'm not trying to argue that.

Quote
Unless you entered it wrong the first time without realizing it, sent coins to that wallet, and cannot discover the identical wrong combination to access your wallet again.
thats one of the serious drawbacks of the bip39 passphrase. there is no checksum for it. so the software has to accept whatever you type in and go with it.
Quote
A better assumption is that no back up is ever 100% secure.
you can have the last word on that.  Grin

Quote
I was assuming you were only generating valid 24 word seed phrases to begin with.
oh ok. in that case the argument seems to be reasonable however as you said, it is a rough argument and we don't actually know how many such 24 word seed phrases exist, if any. But according to your logic, it would be very quick to find one...
hero member
Activity: 924
Merit: 5943
not your keys, not your coins!
There is also a chance of spaces being replaced with other types of whitespace. I notice that from time to time when copying some code snippets from a website into my editor. It looks like a space on the website, but the editor reveals that it's actually not an ASCII 0x20.
I think that passphrase with spaces is giving much better results compared with same words combined into one.
I tried testing this for different passphrases (for password managers) and I almost always got better entropy results with spaces.
Can anyone explain why this is happening in simple words and does it really matter or not?
Very well possible, but what I'm saying is that if he downloads a different version of the (supposedly) same text, it may have different whitespace characters (impossible to tell with the naked eye) or other little changes that will be hard to spot / recognize and fix.
legendary
Activity: 2212
Merit: 7064
I'm talking about using something like this
I can only imagine how long you would have to wait to confirm every transaction with this long text...... this is almost impossible to use in real life.
Why don't you simply ask ChatGPT and other AI crap tools to tell you what you should use for passphrase, you can even ask AI to generate 24 seed words for you, I am sure it's safu (not).  Tongue

There is also a chance of spaces being replaced with other types of whitespace. I notice that from time to time when copying some code snippets from a website into my editor. It looks like a space on the website, but the editor reveals that it's actually not an ASCII 0x20.
I think that passphrase with spaces is giving much better results compared with same words combined into one.
I tried testing this for different passphrases (for password managers) and I almost always got better entropy results with spaces.
Can anyone explain why this is happening in simple words and does it really matter or not?
hero member
Activity: 924
Merit: 5943
not your keys, not your coins!
I'm talking about using something like this:
Honestly, that's a terrible choice of passphrase.

There is too much formatting which is very prone to error. Did you accidentally include a space before the line break? Did you use ' instead of " without realizing? Did different copies of the text use different formatting, different line breaks, no hyphens, etc.? Does your software parse line breaks in the same way as other software, or indeed at all? It is excessively long, too prone to errors, and too cumbersome to enter, especially on a hardware wallet.
Imagine different revisions using different quotation marks.. Grin
“ ” " " ‘  ’ ' ' « »

There is also a chance of spaces being replaced with other types of whitespace. I notice that from time to time when copying some code snippets from a website into my editor. It looks like a space on the website, but the editor reveals that it's actually not an ASCII 0x20.

And of course line breaks being in different places and / or types of line breaks; CRLF vs. LF.
legendary
Activity: 2268
Merit: 18775
I'm talking about using something like this:
Honestly, that's a terrible choice of passphrase.

There is too much formatting which is very prone to error. Did you accidentally include a space before the line break? Did you use ' instead of " without realizing? Did different copies of the text use different formatting, different line breaks, no hyphens, etc.? Does your software parse line breaks in the same way as other software, or indeed at all? It is excessively long, too prone to errors, and too cumbersome to enter, especially on a hardware wallet.

the only real benefit of them is you're probably not going to lose them. there's always a copy somewhere. how many people come onto bitcointalk who forgot their passphrase or only remember part of it or their dog ate half the piece of paper they wrote it down on? they would give anything to just pick up a copy of the great gatsby and recover their money...
If you can forget your passphrase, then you can just as easily forget which sentence you used or which word you started/end your passphrase with or which edition of the book you used and so on. Passphrases should be backed up on paper, just as seed phrases are.

don't you double check who you're sending your btc to and the address you're giving to someone to send btc to you before you hit the send button?
Of course I do. But many people don't. Which is why we see people falling victim to clipboard malware on a weekly basis.

with regard to passphrase entry, if you get it wrong the first time, just enter it again and pay attention a bit more. you have as many tries as you need.
Unless you entered it wrong the first time without realizing it, sent coins to that wallet, and cannot discover the identical wrong combination to access your wallet again.

i assume it will remain secret. maybe that is a bad assumption but we have to start from somewhere.
A better assumption is that no back up is ever 100% secure.

you have to also add in the 8 bit checksum for the entire 24 words.
I was assuming you were only generating valid 24 word seed phrases to begin with.
sr. member
Activity: 1190
Merit: 469
Sure, but that's a sentence, not a paragraph. A unique sentence of 100 characters is perfectly reasonable as a passphrase.

I'm talking about using something like this:

Code:
In my younger and more vulnerable years my father gave
me some advice that I’ve been turning over in my mind ever
since.
“Whenever you feel like criticizing any one,” he told me, “just
remember that all the people in this world haven’t had the ad-
vantages that you’ve had.”
that comes out of the actual book apparently. other copies you might find online do not hyphenate the word "advantages". why would they?


Quote
A sentence from a popular book is not a particularly good choice of passphrase. Neither are song lyrics, famous quotes, lines from movies, etc. You also need to back up exactly which sentence you used, and in which edition of the book you drew it from.
the only real benefit of them is you're probably not going to lose them. there's always a copy somewhere. how many people come onto bitcointalk who forgot their passphrase or only remember part of it or their dog ate half the piece of paper they wrote it down on? they would give anything to just pick up a copy of the great gatsby and recover their money...

Quote
Again, you are assuming everyone has 100% perfect security at all time. If it was as easy as just telling people to just double check and verify things properly, then clipboard malware would never be successful and malicious wallet software would not exist. This is just not how the world works.
don't you double check who you're sending your btc to and the address you're giving to someone to send btc to you before you hit the send button? i do. with regard to passphrase entry, if you get it wrong the first time, just enter it again and pay attention a bit more. you have as many tries as you need. unlike with some other things which i wasn't referring to.



Quote
But you can not be certain it will remain secret for the rest of your life.
i assume it will remain secret. maybe that is a bad assumption but we have to start from somewhere.

Quote
Twelve word seed phrases have a four bit checksum, meaning for any random twelve words there is an average one in sixteen chance that the checksum is valid. Given that you want two valid checksums in this system, then a very rough calculation would be that only one out of every 256 twenty four word seed phrases would meet this criteria.
you have to also add in the 8 bit checksum for the entire 24 words. so that's another factor of 2^8. So 16*16*256=65536. So maybe only 1 in that many would work. that's not a very large reduction in entropy. Basically reducing entropy by 16 bits from 256 to 240. not a huge deal.


Quote from: Titanium99
The video from Andreas Antonopoulos that I shared in post #15 explains very clearly why both of these are overly cute solutions that actually reduce your security. It's worth the 14 minutes to watch, IMO: https://www.youtube.com/watch?v=jP7pEgBpaO0
I've seen this video before. Andreas is a really smart guy.

Quote
- According to Andreas, the best option is to safeguard your words and apply a 6-8 random word passphrase to provide a 2nd layer of protection. Store the seed phrase and pass phrase securely and separately and you've got a good measure of protection that balances solution complexity and security while reducing the risk of permanent loss due to human error. Towards the end of the video, he gives some cautionary examples of how overly complicating the solution can cause you to forever lose access to your crypto.
No one can argue with that. If you want the best security then that's the way to do it  Cheesy
newbie
Activity: 11
Merit: 20

What if someone uses a paragraph out of a novel? They don't have to back anything up. yes, it is theoretically public knowledge but what good does it do anyone since they likely will not have access to the 12 or 24 seed phrase that goes along with it. So in a sense, I tend to disagree with you that a passphrase needs to be a total secret never seen before by anyone...

...If you're using a 24 word seed phrase, you can just split it in half and let 12 of them be your "extended passphrase". As long as you hide the two halves in different places, it's accomplishing the same thing. If that's how you think of passphrases.  Shocked

...Which brings us back to the question of why not just split up your 24 word seed into two groups of 12 and use one of those groups as your "extended passphrase". That's a question  Grin

The video from Andreas Antonopoulos that I shared in post #15 explains very clearly why both of these are overly cute solutions that actually reduce your security. It's worth the 14 minutes to watch, IMO: https://www.youtube.com/watch?v=jP7pEgBpaO0

In a nutshell:

- Common phrases, book passages, quotes, etc. are easier to crack than 6 to 8 randomly picked words.

- Making things overly complex by choosing longer passages increases your odds of incorrectly entering data (on creation and/or recovery), forgetting where the passage starts and stops and details on how it was entered, and ultimately losing access to your crypto.

- Splitting your 24 words into two lists may help some, but not as much as you might think. If an attacker finds half of your word list, the other half is much easier to crack. 24 words provides 256 bits of entropy. 12 words gives you 128 bits of entropy (which is still good), but that is something like 10^35 less complex to crack, and not 1/2 as difficult to crack as you might think.

- According to Andreas, the best option is to safeguard your words and apply a 6-8 random word passphrase to provide a 2nd layer of protection. Store the seed phrase and pass phrase securely and separately and you've got a good measure of protection that balances solution complexity and security while reducing the risk of permanent loss due to human error. Towards the end of the video, he gives some cautionary examples of how overly complicating the solution can cause you to forever lose access to your crypto.
legendary
Activity: 2268
Merit: 18775
but i didn't say 1000+ characters maybe a hundred or two hundred though would be fine.
Sure, but that's a sentence, not a paragraph. A unique sentence of 100 characters is perfectly reasonable as a passphrase.

i would think that most popular novel is readily available for viewing and download on the internet from multiple sources.
A sentence from a popular book is not a particularly good choice of passphrase. Neither are song lyrics, famous quotes, lines from movies, etc. You also need to back up exactly which sentence you used, and in which edition of the book you drew it from.

then you just double check your data entry. very simple.
Again, you are assuming everyone has 100% perfect security at all time. If it was as easy as just telling people to just double check and verify things properly, then clipboard malware would never be successful and malicious wallet software would not exist. This is just not how the world works.

well when i create a seed phrase i am sure it is secret so i don't really need a passphrase for extra security.
But you can not be certain it will remain secret for the rest of your life.

yeah i mean it would have to meet the checksum on the first 12 words, second 12 words and then all 24 words overall. not sure how many such 24 word seedphrases like that exist.  Shocked
Twelve word seed phrases have a four bit checksum, meaning for any random twelve words there is an average one in sixteen chance that the checksum is valid. Given that you want two valid checksums in this system, then a very rough calculation would be that only one out of every 256 twenty four word seed phrases would meet this criteria.
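The checksum arithmetic in this exchange (a 4-bit checksum on each 12-word half, an 8-bit checksum on the full 24 words, hence roughly 1 in 256 of valid 24-word phrases having two valid halves, and 1 in 65536 of all 24-word combinations, a 16-bit entropy cost, in the later reply) can be checked by computation rather than estimated. The following is an added example, not code from anyone in this thread: it works on 11-bit word indices so it needs no wordlist, implements the BIP39 checksum rule (first ENT/32 bits of SHA256 over the entropy), and runs a Monte Carlo over random valid 24-word phrases to measure how often both halves also validate. Function names and the fixed RNG seed are mine; the all-zero entropy vectors used in the self-check are the public BIP39 reference vectors.

```python
import hashlib
import random

WORD_BITS = 11  # each BIP39 word encodes 11 bits of the 2048-word list


def _bits(data: bytes) -> str:
    """Big-endian bit string of a byte sequence."""
    return "".join(f"{b:08b}" for b in data)


def checksum_bits(entropy: bytes) -> str:
    """BIP39 checksum: the first ENT/32 bits of SHA256(entropy)."""
    return _bits(hashlib.sha256(entropy).digest())[: len(entropy) * 8 // 32]


def entropy_to_indices(entropy: bytes) -> list:
    """Entropy (16..32 bytes) -> list of 11-bit word indices into the BIP39 list.

    Word index 0 is 'abandon'; the reference vectors give index 3 ('about')
    for 16 zero bytes and index 102 ('art') for 32 zero bytes as the last word.
    """
    if len(entropy) not in (16, 20, 24, 28, 32):
        raise ValueError("entropy must be 128..256 bits in 32-bit steps")
    full = _bits(entropy) + checksum_bits(entropy)
    return [int(full[i:i + WORD_BITS], 2) for i in range(0, len(full), WORD_BITS)]


def indices_valid(indices: list) -> bool:
    """True iff the word-index sequence carries a correct BIP39 checksum.

    12 words: 132 bits = 128 entropy + 4 checksum; 24 words: 264 = 256 + 8.
    This is exactly the check a wallet performs on a typed seed phrase and
    the check that does not exist for a passphrase.
    """
    if len(indices) not in (12, 15, 18, 21, 24):
        return False
    full = "".join(f"{i:011b}" for i in indices)
    cs_len = len(full) // 33
    ent_bits = full[:-cs_len]
    entropy = int(ent_bits, 2).to_bytes(len(ent_bits) // 8, "big")
    return full[-cs_len:] == checksum_bits(entropy)


def halves_valid(indices24: list) -> bool:
    """Do both 12-word halves of a 24-word phrase pass the 12-word checksum?"""
    return indices_valid(indices24[:12]) and indices_valid(indices24[12:])


def fraction_halves_valid(n_samples: int, seed: int = 0) -> float:
    """Monte Carlo: share of random *valid* 24-word phrases whose halves both validate.

    Each half has an independent 1-in-16 chance, so the expected share is
    about 1/256 ~ 0.0039. Combined with the 8-bit checksum on the whole
    phrase, 1 in 2^16 of all 24-word combinations qualify, i.e. choosing only
    such phrases costs 16 bits of entropy (256 -> 240). The RNG seed is fixed
    only so the run is reproducible; it is not a wallet seed.
    """
    rng = random.Random(seed)
    hits = 0
    for _ in range(n_samples):
        entropy = rng.getrandbits(256).to_bytes(32, "big")
        if halves_valid(entropy_to_indices(entropy)):
            hits += 1
    return hits / n_samples


if __name__ == "__main__":
    share = fraction_halves_valid(20000, seed=1)
    print(f"valid 24-word phrases with two valid halves: {share:.4f} (1/256 = {1/256:.4f})")
```

The Monte Carlo figure lands close to 1/256, confirming the estimate above; the all-zero reference vectors in the self-check confirm that the checksum rule itself is implemented as BIP39 specifies.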
sr. member
Activity: 1190
Merit: 469
Still preferable to an entire paragraph of text with 1000+ characters.
not necessarily. not everyone needs a hardware wallet. plus if you only transact very occasionally then it's no inconvenience at all really. not much of one. but i didn't say 1000+ characters maybe a hundred or two hundred though would be fine.

Quote
No, you aren't. People make mistakes writing down 12 word seed phrases. People will definitely make mistakes copying an entire paragraph.
no, where people go wrong is they forget their passphrase completely or store it somewhere where it gets lost or partially damaged. and they can't go download the novel to look it up. but i could if i use my method. but yeah i'm not storing the paragraph of text on any computer. no need to. i would think that most popular novel is readily available for viewing and download on the internet from multiple sources. surprising that more people don't utilize this obvious technique of adding extra security to their seed phrase without having to do extra storage.

Quote
Making it harder to read and more likely that you make an error
then you just double check your data entry. very simple.

Quote
You are approaching this as if everyone in the world has perfect and unbreakable security at all times. This is simply not how things work. Yes of course you should keep your seed phrase safe and secure, but having a contingency plan is just common sense.
well when i create a seed phrase i am sure it is secret so i don't really need a passphrase for extra security. you even admitted that. now for plausible deniability and being able to use the same seedphrase with multiple different passphrases, it offers more use out of a single seed phrase so that's a different consideration in my opinion. 

Quote
Or instead of lowering the entropy of your seed phrase by manually picking one which fulfills this very niche criteria, just use a passphrase. Additionally, your set up only provides one hidden wallet. With passphrases you can have as many hidden wallets as you like.
yeah i mean it would have to meet the checksum on the first 12 words, second 12 words and then all 24 words overall. not sure how many such 24 word seedphrases like that exist.  Shocked
legendary
Activity: 2212
Merit: 7064
what's the difference between that and storing your seedphrase in one place and the passphrase somewhere else? none as far as i can see. to spend funds you need to recover both parts. only have one part, then you are SOL.
Big and obvious difference is that you can't use half of your words for anything if you lose second half, and your coins are lost forever.
Passphrase is optional, and without passphrase I can still access funds that are stored on my seed words, and I can have multiple passphrases.
Again, if you want to act smarter than security experts who created seed words then go for it, but first listen to what Andreas Antonopoulos has to say about this:
https://www.youtube.com/watch?v=p5nSibpfHYE
legendary
Activity: 2268
Merit: 18775
well thats a problem with hardware wallets and their user interface. even a 50 character passphrase would take from 500 to 1000 seconds if your data is accurate  Shocked
Still preferable to an entire paragraph of text with 1000+ characters.

yep. i am.
No, you aren't. People make mistakes writing down 12 word seed phrases. People will definitely make mistakes copying an entire paragraph.

if you're worried about that being an issue then remove all spaces and use only upper or lowercase exclusively with no special characters like punctuations...
Making it harder to read and more likely that you make an error

well isn't it by definition that the seed phrase must be kept secret? so if you can't do that then how are you going to keep a passphrase that protects the seed phrase a secret?  Roll Eyes
You are approaching this as if everyone in the world has perfect and unbreakable security at all times. This is simply not how things work. Yes of course you should keep your seed phrase safe and secure, but having a contingency plan is just common sense.

I didn't think about that but maybe there exists 24 word seed phrases whose first 12 words (and 2nd 12 words) pass checksum so if you need plausible deniability just generate one of those type.
Or instead of lowering the entropy of your seed phrase by manually picking one which fulfills this very niche criteria, just use a passphrase. Additionally, your set up only provides one hidden wallet. With passphrases you can have as many hidden wallets as you like.
hero member
Activity: 924
Merit: 5943
not your keys, not your coins!
2. Do modern hardware wallets like the Ledger Nano S Plus, Nano X, Trezor, etc. already support applying a password to seed phrases? Is it just a feature that's hidden and not promoted that much?
Yes, I'm 99% sure that all of them support a 25th / 13th word / passphrase. The word is passphrase. Not 'two-factor'.
Before putting your question like that, you should verify if the claim ('not all hardware wallets support it') is even correct, and maybe provide some links and numbers. For instance: '25% of hardware wallets do not have it'.

If you do not know how many support it, that's something else you can ask (but preferred that you do it on your own and post your results instead).

Only the 2nd wallet with a small amount can help here to distract the attacker from the main wallet. I guess, plausible deniability is a weak argument against a $5 wrench attack.
A second wallet is of course part of the "plausible deniability"-plan. Or even a third wallet.
Wallets, all the way down! Grin

sr. member
Activity: 1190
Merit: 469

You could, but there are significant drawbacks to doing so. Are you going to type out the entire paragraph every time you want to recover the wallet?
yes.
That's not accomplishing the same thing at all. Passphrases provide plausible deniability. Half a seed phrase does not.
I didn't think about that but maybe there exists 24 word seed phrases whose first 12 words (and 2nd 12 words) pass checksum so if you need plausible deniability just generate one of those type.

Quote from: dkbit98
You should never do this with your seed phrase, and certainly not if that is your only copy, this way you are creating single point of failure and recipe for disaster.
what's the difference between that and storing your seedphrase in one place and the passphrase somewhere else? none as far as i can see. to spend funds you need to recover both parts. only have one part, then you are SOL.
legendary
Activity: 2212
Merit: 7064
If you're using a 24 word seed phrase, you can just split it in half and let 12 of them be your "extended passphrase". As long as you hide the two halves in different places, it's accomplishing the same thing. If that's how you think of passphrases.  Shocked
You should never do this with your seed phrase, and certainly not if that is your only copy, this way you are creating single point of failure and recipe for disaster.
I heard many scary stories of people trying to act smart, mixing words, splitting words and losing all bitcoin they had with extra complexity.
If you want to split something up then you should create multisig setup, or use inferior Secret Shamir Sharing scheme, that is still much better than what you suggested.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
Only the 2nd wallet with a small amount can help here to distract the attacker from the main wallet. I guess, plausible deniability is a weak argument against a $5 wrench attack.
A second wallet is of course part of the "plausible deniability"-plan. Or even a third wallet.
legendary
Activity: 2268
Merit: 18775
What if someone uses a paragraph out of a novel?
You could, but there are significant drawbacks to doing so. Are you going to type out the entire paragraph every time you want to recover the wallet? On a hardware wallet which takes 10-20 seconds to input a single character, this could take you a very long time. Or on a computer, are you going to get lazy and just save the paragraph as a text file for easy access in the future? And are you certain that the paragraph is identical? Even an extra space, or an uppercase switched to a lowercase, or a missing comma, etc., is enough to generate a completely different wallet.

So in a sense, I tend to disagree with you that a passphrase needs to be a total secret never seen before by anyone.
If your seed phrase is kept secret, maybe, but if you are sure your seed phrase is always going to be kept secret, then you don't need a passphrase at all. A passphrase should be kept secret and be strong enough to protect your wallet in the event that your seed phrase is compromised.

If you're using a 24 word seed phrase, you can just split it in half and let 12 of them be your "extended passphrase". As long as you hide the two halves in different places, it's accomplishing the same thing. If that's how you think of passphrases.  Shocked
That's not accomplishing the same thing at all. Passphrases provide plausible deniability. Half a seed phrase does not.
legendary
Activity: 1792
Merit: 1296
1. Why doesn't every hardware wallet support the use of a seed phrase + password?
The question doesn't make sense. Different manufacturers can make different choices.

Quote
It seems like a really simple way to add a layer of protection in case the seed phrase you've written down is discovered.
It also adds an additional risk factor: forgetting the password means losing your money.

I see two main reasons for using a password on top of your seed words:
  • To ensure the data can't be hacked by someone who gains physical access to your hardware wallet.
  • To have plausible deniability in case of a $5 wrench attack.
Probably, here it is necessary to sacrifice one for the benefit of the other. Either you increase the protection with a password, but at the same time increase the risks of losing access, or leave everything as it is, but at the same time increase the chances of hacking your wallet physically. As happens in such cases, there is no universal solution and the choice will have to be made based on personal goals.

When a $5 wrench attack is happening, the password will not help in any way if life and health are dear to the victim. Everyone will remember the password, even if they really forgot it. Only the 2nd wallet with a small amount can help here to distract the attacker from the main wallet. I guess plausible deniability is a weak argument against a $5 wrench attack.


Some models still have support for several seed phrases at once. It seems that Ledger had such a function: when you enter different PINs, you get access to different wallets.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
Well, if you already type the password, then what is the point of the seed phrase, since you can just decrypt the databases that hold the private key?

And similarly, if you type the seed phrase, you don't need the password anyway and this is already the case when you recover a wallet.

What is probably better is a way to type two different passwords at different times, where a wallet becomes "half-unlocked" when you type the first password, and fully unlocked when the second one is entered. ECC & hashing stuff don't have an algorithm for this, so you and I will have to look around and research such a process to get more info about how it can be done.
sr. member
Activity: 1190
Merit: 469
Still, I would caution against using an excessively long passphrase. Something with 128 bits of security is more than enough. The longer you make it, the more risk of you incorrectly entering it, incorrectly backing it up, losing part of it, and so on.
What if someone uses a paragraph out of a novel? They don't have to back anything up. Yes, it is theoretically public knowledge, but what good does it do anyone since they likely will not have access to the 12 or 24 word seed phrase that goes along with it. So in a sense, I tend to disagree with you that a passphrase needs to be a total secret never seen before by anyone.


Quote
I would never manually select words, but if you used a good wallet to generate another seed phrase properly, then you can be certain your passphrase has at least 128 bits of entropy.
If you're using a 24 word seed phrase, you can just split it in half and let 12 of them be your "extended passphrase". As long as you hide the two halves in different places, it's accomplishing the same thing. If that's how you think of passphrases.  Shocked

Quote
You aren't meant to remember your passphrase. You are meant to back it up on paper just as you do with your seed phrase, although entirely separately. Obviously there is no point storing your seed phrase and passphrase backups together.
Which brings us back to the question of why not just split up your 24 word seed into two groups of 12 and use one of those groups as your "extended passphrase". That's a question  Grin
legendary
Activity: 2268
Merit: 18775
it's just annoying you would think that something that costed as much as it did could afford at least a kilobyte for a lengthy passphrase but i guess not
Ledger devices allow 100 characters. I'm not sure about other hardware wallets, but Electrum will only be limited by the hardware in your computer. (The actual limit on a passphrase is any message of length 2^128 - 1 bits, since it is being fed into HMAC-SHA512. For reference, this works out to anything up to around 40 million billion zettabytes. Cheesy)

Still, I would caution against using an excessively long passphrase. Something with 128 bits of security is more than enough. The longer you make it, the more risk of you incorrectly entering it, incorrectly backing it up, losing part of it, and so on.

why would i use the bip39 wordlist to select words to construct my passphrase out of?  Shocked
I would never manually select words, but if you used a good wallet to generate another seed phrase properly, then you can be certain your passphrase has at least 128 bits of entropy.

but when you do that, you're kind of destroying the ability to memorize your passphrase
You aren't meant to remember your passphrase. You are meant to back it up on paper just as you do with your seed phrase, although entirely separately. Obviously there is no point storing your seed phrase and passphrase backups together.
sr. member
Activity: 1190
Merit: 469
If you want more than 50 characters, then don't use a Trezor.

i'm not using one because for one thing they are too expensive and #2 i don't like people putting limitations on something that restricts how i can set my passphrase. it's just annoying; you would think that something that cost as much as it did could afford at least a kilobyte for a lengthy passphrase but i guess not

Quote
Having said that, a 12 word seed phrase, which can be encoded in at most 48 characters using the unique first four characters of each word, is more than strong enough to use as a passphrase. And 50 random ASCII characters would be in excess of 328 bits of security.
why would i use the bip39 wordlist to select words to construct my passphrase out of?  Shocked

Quote
As I mentioned above, you want your passphrase to be strong enough to protect your coins should your seed phrase be compromised, at least for long enough until you can move them to a new wallet. I would say 80 bits should be a minimum, but ideally aim for 128. Any more than that is unnecessary.
well i mean i'm not thinking about how many bits. i'm thinking about how convenient my passphrase is for me to memorize. if i have a 20 word passphrase that i can't forget and it is 120 characters in length then what's the problem with that? maybe that is the simplest thing for me. so it's necessary for me. maybe not for you.

Quote from: Welsh
Even if that's somewhat true, I'm not much of a fan of passphrases in the first place, and believe that every single passphrase should have some sort of password element to it, i.e a randomly generated sequence of characters.
but when you do that, you're kind of destroying the ability to memorize your passphrase...so time to get out the old titanium metal plate and start stamping letters... Shocked here's an idea though: if you're not against tattoos, you can get your passphrase tattooed onto you. in a private area no less. wonder if anyone ever did that. they won't lose it that way, that's for sure.
staff
Activity: 3332
Merit: 4117
i don't see how 50 characters is sufficient to come up with a good "passphrase". maybe a good "password" but not a passphrase.  Shocked
Even if that's somewhat true, I'm not much of a fan of passphrases in the first place, and believe that every single passphrase should have some sort of password element to it, i.e. a randomly generated sequence of characters. Otherwise, you're effectively making it less secure by using a non-random set of phrases, especially if well known. I only say this because of course a passphrase could actually be a good way of doing it, but most humans wouldn't go for a random passphrase, and come up with commonly thought of passphrases, which is obviously problematic.

Although, I do agree generally there shouldn't be any limitations on what characters can be used or the length. While this isn't for hardware wallets, I've come across websites including banks which limited characters like "*", "(" and "@", which is totally unacceptable in my opinion.
legendary
Activity: 2268
Merit: 18775
i don't see how 50 characters is sufficient to come up with a good "passphrase". maybe a good "password" but not a passphrase. 
You can't really judge the concept based on how one particular hardware wallet implements it. If you want more than 50 characters, then don't use a Trezor.

Having said that, a 12 word seed phrase, which can be encoded in at most 48 characters using the unique first four characters of each word, is more than strong enough to use as a passphrase. And 50 random ASCII characters would be in excess of 328 bits of security.

As I mentioned above, you want your passphrase to be strong enough to protect your coins should your seed phrase be compromised, at least for long enough until you can move them to a new wallet. I would say 80 bits should be a minimum, but ideally aim for 128. Any more than that is unnecessary.
newbie
Activity: 11
Merit: 20
I came across a comprehensive Q&A from Andreas Antonopoulos about using optional passphrases. I'm posting it here for reference in case it's of interest:

https://www.youtube.com/watch?v=jP7pEgBpaO0

Andreas provides a clear and approachable explanation of how passphrases work, things to avoid, how long it would take to brute force them, and best practices for using them. He recommends using a passphrase that's comprised of six to eight random words (!) to balance security and complexity.    

Thanks to o_e_l_e_o for introducing me to Andreas' work! It's really accelerating my learning.
sr. member
Activity: 1190
Merit: 469
Further, calling it a passphrase helps to make it clear that it shouldn't just be a single word. Ideally you want it to be long and complex enough so that if your seed phrase is compromised, the passphrase still provides enough of a barrier against brute force attacks to keep your wallet safe. A single word does not achieve this.

a passphrase should be able to be more than 50 characters though. but if you're using a Trezor then you only have 50 characters to use for it. other hardware wallets probably have their own limitations on the length too so it's not unlimited, you can't just use any string of words you want of any length you want.

imagine you want to import your seed and passphrase into your new trezor but it won't work because your passphrase is too long. even though the BIP has no restriction on the length...

i don't see how 50 characters is sufficient to come up with a good "passphrase". maybe a good "password" but not a passphrase.  Shocked

staff
Activity: 3332
Merit: 4117
1 - Most good hardware wallets do.
I'd say any worth their while have at least an option to have two factor authentication. While that shouldn't be the determining reason of what a good and bad hardware wallet is, I'd expect any of them that are at least somewhat security conscious would have it as an option. Now, depending on how it's implemented that could mean additional risk as pointed out before, and that won't immediately be obvious to all users. So, I'd like to see warning messages on enabling or disabling any security feature on a hardware wallet through their software.

However, that's really only possible with software, since the actual hardware itself is limited usually, and I believe some operate without much software at all these days. Also, just to clarify what I mean by software is traditional software run on a separate computer to the actual hardware wallet itself, obviously the hardware wallet itself will have its own software running, but due to limits in size they usually can't include much documentation or information through that device.
legendary
Activity: 2212
Merit: 7064
Why doesn't every hardware wallet support the use of a seed phrase + password?  It seems like a really simple way to add a layer of protection in case the seed phrase you've written down is discovered. Right now, written seed phrases are like writing your bank account and log-in credentials on a piece of paper and hoping nobody finds it.
All hardware wallets I know of support a passphrase that acts like a salt to the seed phrase, and it is not stored anywhere on the device.
A password is something different, and it is usually stored on the device, which means there is a chance of it getting extracted and the device hacked.
You can also use a multisig setup to make seed words much more secure, and some hardware wallets have new methods of protection.

Do modern hardware wallets like the Ledger Nano S Plus, Nano X, Trezor, etc. already support applying a password to seed phrases? Is it just a feature that's hidden and not promoted that much?
The hardware wallets you mentioned are not as modern as you think, and a password is not as secure as you think.
Ledger has a PIN when you power on the device, and you can add an additional passphrase later that is connected with the PIN.
Don't mix up password with PIN and passphrase.

One interesting new concept is used by the Cypherock X1 hardware wallet device: it does not store anything on the device, and the keys are split across multiple secure cards.
legendary
Activity: 2268
Merit: 18775
when something is a single word, it is a password. if it consists of multiple words separated by spaces in between then it becomes a passphrase. so i guess in general it is a passphrase but it could just be a password...
BIP39, which defines the standard for using a passphrase in an HD wallet, calls it a passphrase. For the sake of avoidance of confusion it is better to call it a passphrase and not a password, regardless of its actual length or composition, in order to differentiate it from the local passwords you use to unlock your wallets.

Further, calling it a passphrase helps to make it clear that it shouldn't just be a single word. Ideally you want it to be long and complex enough so that if your seed phrase is compromised, the passphrase still provides enough of a barrier against brute force attacks to keep your wallet safe. A single word does not achieve this.
sr. member
Activity: 1190
Merit: 469

so everyone really has a password then even if they don't think they do.  Shocked
Passphrase, not password, but essentially yes. If you don't enter a passphrase for a BIP39 wallet, the string "mnemonic" is still used as a salt for PBKDF2.
when something is a single word, it is a password. if it consists of multiple words separated by spaces in between then it becomes a passphrase. so i guess in general it is a passphrase but it could just be a password...
legendary
Activity: 2268
Merit: 18775
As I get deeper into this, I'm realizing there's so much bad and/or only partially accurate information out there...I'm going to make an effort to spend more time here learning from this community going forward.
I've certainly found the technical boards on this forum to be one of the best sources for accurate information. Stackexchange is another good resource. Reddit is very hit or miss, and often completely wrong posts are upvoted to the top. YouTube and other platforms used by crypto "influencers" are just a complete mess and should be completely avoided, except for one or two notable exceptions such as Andreas Antonopoulos.

Trezor used to mainly advertise this feature as a way to hide wallets. They actually still mention it as a security feature on their homepage too.
Since the revelation that an attacker with physical access to a Trezor hardware wallet is able to extract the seed phrase, it should be mandatory to use a strong passphrase on every wallet you are using on a Trezor device.

I just looked this up because I found it interesting. The word "mnemonic" is prepended regardless of whether an additional passphrase is defined, so if you use the passphrase "satoshi" a strictly BIP39 compliant wallet will use the phrase "mnemonicsatoshi".
Correct. This is defined in the original BIP39 documentation: https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki#from-mnemonic-to-seed

so everyone really has a password then even if they don't think they do.  Shocked
Passphrase, not password, but essentially yes. If you don't enter a passphrase for a BIP39 wallet, the string "mnemonic" is still used as a salt for PBKDF2.
legendary
Activity: 3038
Merit: 4418
Crypto Swap Exchange
The reason I'm pointing this out is because there is (was?) a way to set up two-factor (2FA) wallets with Electrum, but this requires the involvement of a third party which I wouldn't recommend. Just a heads up so you don't mix these things up.
Barring privacy concerns, there aren't many issues with using TrustedCoin as 2FA. But even that is a pretty weak argument; using Electrum alone already means sacrificing a huge part of your privacy. It still does provide some security to your wallet, albeit not as significant as a cold wallet.

Most people associate 2FA with a rotating token, which narrows the window within which your attackers can act. None of the wallets allow this without the participation of a third party. An additional passphrase doesn't really work because no one should be required to remember anything related to their seeds; potential risks include $5 wrench attacks, loss of memory, etc. If you want to secure your seeds properly, consider splitting them up into multiple locations. This would prevent the attacker from being able to get your entire seed without going through multiple barriers.
sr. member
Activity: 1190
Merit: 469

If a passphrase is not present, PBKDF2 does not use an empty string. It uses the word "mnemonic" in the case of BIP39, or the word "electrum" in the case of Electrum.

so everyone really has a password then even if they don't think they do.  Shocked
legendary
Activity: 3150
Merit: 2185
Playgram - The Telegram Casino
https://en.bitcoin.it/wiki/Seed_phrase

[...]

The password can be used to create a two-factor seed phrase where both "something you have" plus "something you know" is required to unlock your bitcoins.

[...]

These days two-factor is usually referring to the usage of a separate device in addition to a password, with "something you have" being e.g. a mobile phone with an app or a dedicated hardware dongle and "something you know" being the password. The reason I'm pointing this out is because there is (was?) a way to set up two-factor (2FA) wallets with Electrum, but this requires the involvement of a third party which I wouldn't recommend. Just a heads up so you don't mix these things up.


2. Do modern hardware wallets like the Ledger Nano S Plus, Nano X, Trezor, etc. already support applying a password to seed phrases? Is it just a feature that's hidden and not promoted that much?

Trezor used to mainly advertise this feature as a way to hide wallets. They actually still mention it as a security feature on their homepage too. Not sure why Ledger doesn't seem to advertise it as much.


If a passphrase is not present, PBKDF2 does not use an empty string. It uses the word "mnemonic" in the case of BIP39, or the word "electrum" in the case of Electrum.

I just looked this up because I found it interesting. The word "mnemonic" is prepended regardless of whether an additional passphrase is defined, so if you use the passphrase "satoshi" a strictly BIP39 compliant wallet will use the phrase "mnemonicsatoshi".

Code:
import hashlib
import unicodedata

PBKDF2_ROUNDS = 2048  # iteration count fixed by BIP39


# Class wrapper, imports and normalize_string added here so the quoted
# to_seed method runs stand-alone; the method body is unchanged.
class Mnemonic:
    @classmethod
    def normalize_string(cls, txt: str) -> str:
        # BIP39 requires NFKD normalisation of both mnemonic and passphrase
        return unicodedata.normalize("NFKD", txt)

    @classmethod
    def to_seed(cls, mnemonic: str, passphrase: str = "") -> bytes:
        mnemonic = cls.normalize_string(mnemonic)
        passphrase = cls.normalize_string(passphrase)
        passphrase = "mnemonic" + passphrase  # fixed salt prefix, even with no passphrase
        mnemonic_bytes = mnemonic.encode("utf-8")
        passphrase_bytes = passphrase.encode("utf-8")
        stretched = hashlib.pbkdf2_hmac(
            "sha512", mnemonic_bytes, passphrase_bytes, PBKDF2_ROUNDS
        )
        return stretched[:64]
newbie
Activity: 11
Merit: 20
Thank you for your thoughtful reply, o_e_l_e_o.

As I get deeper into this, I'm realizing there's so much bad and/or only partially accurate information out there...I'm going to make an effort to spend more time here learning from this community going forward.
legendary
Activity: 2268
Merit: 18775
I've not read that particular wiki page before, but it is very poorly written.

It interchangeably uses the words password and passphrase. Better to define them and then keep them separate. When talking about extra words added to your seed phrase, most people would call that a passphrase, and reserve the word password to mean the password you type in to your wallet software to unlock it.

Also, passphrases do not encrypt your seed phrase in any way. Your seed phrase remains entirely unencrypted and readable in plain text. What they do is change the process by which you derive your root seed number and then the rest of your wallet from that seed phrase.

"Something you know" is just plain bad advice. You should not rely on remembering any passphrases you use. You should back them up on paper separately to your seed phrase.

If a passphrase is not present, PBKDF2 does not use an empty string. It uses the word "mnemonic" in the case of BIP39, or the word "electrum" in the case of Electrum.

But on to your questions:

1 - Most good hardware wallets do.

2 - Yes. Both Ledger and Trezor devices support the use of passphrases.

It is a very good feature and I make use of it on almost all of my wallets.
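To make the "mnemonic" + passphrase salt construction concrete (the python-mnemonic snippet quoted above and the point that no passphrase still means the salt "mnemonic"), here is an added Python example that is not the page's or the library's own code. It derives BIP39 root seeds, checks the result against the published BIP39 test vector, and shows that a trailing space or a case change in the passphrase yields an unrelated seed; the passphrase "satoshi" and the variant labels are constructed for the demonstration.

```python
import hashlib
import unicodedata

# PBKDF2 parameters fixed by BIP39; they match the quoted python-mnemonic snippet.
PBKDF2_ROUNDS = 2048
BIP39_SALT_PREFIX = "mnemonic"


def salt_for(passphrase: str) -> str:
    """The PBKDF2 salt BIP39 actually uses: "mnemonic" + NFKD(passphrase).

    No passphrase gives "mnemonic"; "satoshi" gives "mnemonicsatoshi". (Electrum
    uses the prefix "electrum" plus its own extra normalisation, not reproduced here.)
    """
    return BIP39_SALT_PREFIX + unicodedata.normalize("NFKD", passphrase)


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 512-bit BIP39 root seed from a mnemonic and optional passphrase."""
    mnemonic_nfkd = unicodedata.normalize("NFKD", mnemonic)
    return hashlib.pbkdf2_hmac(
        "sha512",
        mnemonic_nfkd.encode("utf-8"),
        salt_for(passphrase).encode("utf-8"),
        PBKDF2_ROUNDS,
    )


# Published BIP39 test vector: all-zero entropy, passphrase "TREZOR".
VECTOR_MNEMONIC = "abandon " * 11 + "about"
VECTOR_PASSPHRASE = "TREZOR"
VECTOR_SEED_HEX = (
    "c55257c360c07c72029aebc1b53c05ed0362ada38ead3e3e9efa3708e5349553"
    "1f09a6987599d18264c1e1c92f2cf141630c7a3c4ab7c81b2f001698e7463b04"
)


def matches_published_vector() -> bool:
    """True if this implementation reproduces the published vector."""
    return bip39_seed(VECTOR_MNEMONIC, VECTOR_PASSPHRASE).hex() == VECTOR_SEED_HEX


def empty_passphrase_uses_fixed_salt(mnemonic: str) -> bool:
    """'Everyone has a passphrase': no passphrase means the literal salt b"mnemonic"."""
    # ASCII mnemonic assumed here, so NFKD normalisation is a no-op.
    direct = hashlib.pbkdf2_hmac("sha512", mnemonic.encode(), b"mnemonic", PBKDF2_ROUNDS)
    return direct == bip39_seed(mnemonic, "")


def seed_for_variants(mnemonic: str, passphrase: str) -> dict:
    """Seeds for a passphrase and for near-misses a user might type by mistake.

    Assumes a non-empty passphrase containing letters (constructed demo input).
    Every entry is a completely different wallet, including the no-passphrase one.
    """
    variants = {
        "no_passphrase": "",
        "exact": passphrase,
        "trailing_space": passphrase + " ",
        "case_changed": passphrase.swapcase(),
        "last_char_dropped": passphrase[:-1],
    }
    return {label: bip39_seed(mnemonic, p).hex() for label, p in variants.items()}


def all_distinct(seeds: dict) -> bool:
    return len(set(seeds.values())) == len(seeds)


def differing_bits(seed_a_hex: str, seed_b_hex: str) -> int:
    """Bits that differ between two 512-bit seeds; about 256 means unrelated outputs."""
    return bin(int(seed_a_hex, 16) ^ int(seed_b_hex, 16)).count("1")


if __name__ == "__main__":
    print("published vector reproduced:", matches_published_vector())
    demo = seed_for_variants(VECTOR_MNEMONIC, "satoshi")  # constructed passphrase
    for label, seed in demo.items():
        print(f"{label:>17}: {seed[:32]}...")
    print("bits differing (exact vs trailing space):",
          differing_bits(demo["exact"], demo["trailing_space"]))
```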
newbie
Activity: 11
Merit: 20
There are definitely tradeoffs to consider. Losing your password is one more vector to lose your coins, but then again having someone find your seed phrase without a password protecting it leads to the same outcome. I've just never heard anyone talk about adding a password to your seed phrase when dealing with hardware wallets.

That said, I did come across this thread that shows it's possible to add a 25th word on the Nano S, for example. Maybe it's just an issue of discoverability/promotion...

https://bitcointalksearch.org/topic/--5283562
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
1. Why doesn't every hardware wallet support the use of a seed phrase + password?
The question doesn't make sense. Different manufacturers can make different choices.

Quote
It seems like a really simple way to add a layer of protection in case the seed phrase you've written down is discovered.
It also adds an additional risk factor: forgetting the password means losing your money.

I see two main reasons for using a password on top of your seed words:
  • To ensure the data can't be hacked by someone who gains physical access to your hardware wallet.
  • To have plausible deniability in case of a $5 wrench attack.
newbie
Activity: 11
Merit: 20
As I've been trying to get more educated on bitcoin, I came across this wiki link on seed phrases.

https://en.bitcoin.it/wiki/Seed_phrase

Seed phrases, like all backups, can store any amount of bitcoins. It's a concerning idea to possibly have enough money to purchase an entire building with the key just sitting on a sheet of paper without any protection. For this reason many wallets make it possible to encrypt a seed phrase with a password.

The password can be used to create a two-factor seed phrase where both "something you have" plus "something you know" is required to unlock your bitcoins.

This works by having the wallet creating a seed phrase and asking the user for a password. Then both the seed phrase and extra word are required to recover the wallet. Electrum and some other wallets call the passphrase a "seed extension", "extension word" or "13th/25th word". The BIP39 standard defines a way of passphrase-protecting a seed phrase. A similar scheme is also used in the Electrum standard. If a passphrase is not present, an empty string "" is used instead.

Warning! Forgetting this password will result in the bitcoin wallet and any contained money being lost. Do not overestimate your ability to remember passphrases especially when you may not use it very often. Also, the seed phrase password should not be confused with the password used to encrypt your wallet file on disk. This is probably why many wallets call it an extension word instead of a password.


It got me thinking...

1. Why doesn't every hardware wallet support the use of a seed phrase + password?  It seems like a really simple way to add a layer of protection in case the seed phrase you've written down is discovered. Right now, written seed phrases are like writing your bank account and log-in credentials on a piece of paper and hoping nobody finds it.

2. Do modern hardware wallets like the Ledger Nano S Plus, Nano X, Trezor, etc. already support applying a password to seed phrases? Is it just a feature that's hidden and not promoted that much?