I've seen too many stories like this that end tragically. It's why I don't recommend passphrases: they result in a brittle 2-of-2 key architecture.

Replies (92)

This is why you should always test your seed signer before using it... Make sure that you can send/receive transactions before you actually use it as your storage. IMO, passphrase > multisig > bare 12/24 seeds.
Janis 5 months ago
What do you think of Bitkey?
If you have significant funds, nunchuk offers a robust 2-of-4 collaborative custody solution with inheritance planning. If you want a DIY backup on steel, consider using SEED XOR and/or having multiple hardware signers with the same private key. You can more safely store these at banks or with family since they are protected by a PIN. Use tamper-evident bags for both devices and seed plates. Store the PIN securely in a password manager.
Psilocyberbull 5 months ago
Lopp is just trying to use fear to sell his products imo
I would say it's even worse than that: breaking the passphrase is not difficult for an attacker, and basically impossible for the legitimate owner. The only thing a passphrase can do is help you lose funds.
It depends on the passphrase; it's just a password at the end of the day. But it should be clearer in the UI of wallets that prompt you to "make a passphrase" to "add security": they should explain WTF it actually is. For anyone new that doesn't know, it's a death trap. For someone that knows but can't invest in a better setup (2-of-3 wallet), it is an option that can work for some people. If anyone uses one it has to be strong: 16 characters using letters, numbers, symbols, upper and lower case. At minimum.
In Trezor software they call this a "hidden wallet", and to access it with the device plugged in you enter the 25th word as a passphrase... If you restore a wallet you use the 24 words and think of the 25th as another wallet connected to the existing 24 words. Most wallets will ask you if you have a 25th word; you enter it after the 24 words and you're in. This raises the question of whether over-security can actually make you less secure. Some people who are worried about wrench attacks find this helpful, as they can give up some coin and have the rest hidden behind that word...
If I have your seed phrase, brute forcing your passphrase is not difficult, and gets easier every year. All I need is the UTXO set and cheap compute. There is no rate limiting, and the difficulty of testing a phrase is too low.
If you've lost your seed phrase, what are the chances you haven't also lost your passphrase? And if you know how to protect your passphrase, why didn't you protect your seed phrase?
nepsis 5 months ago
I'm not doubting that this setup isn't right for most people. But surely you can imagine a scenario where, given the right person and skills, it's beneficial?
I don't. The most generous situation is where someone had "some words" and "some more words", an attacker stole the first set, and not the second. First, why were they able to steal one and not the other, and you are somehow able to recall both? Second, you can do the same thing by using a 24 word seed phrase and storing half in one place and half in another. In the end, "some words" plus "some more words" is indistinguishable from "some words", so why do we expect them to behave differently?
nepsis 5 months ago
I don't want to go into my personal circumstances for obvious reasons, but I can confirm that you haven't thought about this from all angles. I'm not looking to argue, though. I agree with your overall sentiment. I'm merely saying, there are some very specific life variables out there that can make certain setups preferable over others. But for most people 12 words is enough.
It *would* be different if someone could brute force your seed phrase. In that case, adding words would definitely improve security. Since brute forcing a seed phrase is currently intractable, we have to assume that the attacker stole it. Presumably they would also steal your passphrase, but if not, it needs to be a pretty long, non-obvious passphrase, or it will be trivial to brute force. Now – is it more likely that your seed will be stolen in a way that makes your passphrase a useful defense, or that you'll someday forget it and lose all your funds?
A mnemonic seed phrase without a passphrase would mean it's game over if an evil maid finds a seed QR or stamped metal backup. I teach noobs to use a passphrase and keep multiple copies, then hide their seed diligently and securely. @Jameson Lopp surely even device PINs need to be stored effectively?
Quoted note from Jameson Lopp: "I've seen too many stories like this that end tragically. It's why I don't recommend passphrases: they result in a brittle 2-of-2 key architecture."
It's so important that wallet developers keep this as an advanced option; it should come with a good explanation and warnings. Even when a user thinks they understand what this is, they probably don't. It should not be a simple "optional" field to fill out when setting up a wallet; it should require some introduction, learning, explanation and warning.
For context, I've worked on important authorization systems and there are many things that I have considered. Perhaps someone else will point out my shortcomings here.
acronym 5 months ago
The same kind of backup shortfall and misunderstanding can occur with multisig also; I don't see how this is an inherent fault with passphrases. ANY setup should be tested before using it for funds.
1. Set up wallet with passphrase
2. Put a small amount in wallet
3. *Wipe wallet and then recover from backup
Doing this is essential and will expose any problems with the setup, backup, and/or user understanding. Back up passphrase and seed on separate steel plates and keep them geographically separated if possible. *Do the wipe and recovery directly from these same steel plates. You know all this, Mr. Lopp.
This makes no sense. A proper passphrase is not hackable; it has legitimate uses, like decoy wallets. It's a useful advanced feature that should be handled carefully.
Judge Hardcase 5 months ago
Passphrase or no passphrase, it seems to me the important take-away should be to do the work to know what the hell you're doing. Everyone should be using some form of Testnet to test-drive the entire bitcoin ecosystem over and over until they get it. (If only some form of Testnet were more normalized across wallet software. Unfortunately, of those that do offer a Testnet experience, too many don't appear to take their implementation of it seriously.)
Agreed. Multi-sig and seed xor are more useful, with better options for backup and inheritance planning. Everyone thinks of theft as a risk, or obviously leaving funds on exchanges, but another very real and likely risk is simply losing access to a wallet, making it too complicated for themselves or their heirs to access. Full responsibility with no safety net is very new to most people in our day. But worth learning.
A decoy wallet... for when someone gets your seed phrase? It's unlikely that someone will make their passphrase long enough to prevent someone from brute forcing it. If you want a decoy seed phrase, why not change a few words and fix the checksum? At least then it's less obviously a decoy... "25 words" + low balance = decoy that you should run a dictionary attack on. 24 words with low balance is a wallet.
It's a password. You can't brute force a 16 character password; I can't brute force it. Maybe a gvmt can do it fast enough, but if you're at that point you're more fucked than just 'oh fuck someone stole my seed phrase' level of fuck. And if hardware becomes increasingly close to being able to do it, you just make a new wallet. Plus the goal of the passphrase is to give you a layer of security: if someone steals your seed phrase you should know that someone stole it, thus you gain time to change to a new wallet before they can do anything. If you can't know that someone stole your seed phrase then your setup is just stupid.
That's bcrypt(10). Divide all of those by 1,000 to get a more realistic estimate. This assumes that each character is random, which you are most likely to forget, so really use the number of words / 4, etc. 24 words is a great place to be. This passphrase option isn't making it as hard as you think, and makes it much easier for you to forget your backup.
I'm not sure whether you're arguing for or against what I said, but in my view the passphrase mechanism is actually "your own cryptography" tacked onto the seed phrase mechanism.
I don’t understand this perspective. Passphrase is so important for self custody. And there are a million techniques to assure you never forget it. It’s way easier to store than a seed phrase and now you don’t get rekt if your seed is discovered.
acronym 5 months ago
Passphrase alone doesn't give you the wallet, you would need to brute force the seed too.
acronym 5 months ago
A passphrase adds entropy to your seed. Two things need to be broken, not just one. (seed and passphrase too)
Yes, but the seed has enough range already. If they didn't know your seed, they're not going to find it.
The upsides are minimal, but that's okay because you might lose all your funds? 🤣 The Bitcoin equivalent of "we lose a little on each transaction but make up for it in volume"
Judge Hardcase 5 months ago
Nah. Use a fake chain. Make the same exact mistakes. Learn and embrace the same exact lessons. All without risking even 100 of today's dollars worth of your family's eventual generational wealth. To the vast majority who are still pre-coiners, this is a way easier sell for them to just get their feet wet.
acronym 5 months ago
You are right, it is always possible to lose a passphrase, but what makes it more losable than a seed?
Thinking that it's a device-specific passphrase and not an essential part of the seed.
acronym 5 months ago
Not sure what you mean... a passphrase is not device specific and is not part of the seed but added to the seed. Any passphrase added to the seed makes a new wallet.
Psilocyberbull 5 months ago
Not if it's actually a strong passphrase lmao. Maybe a weak password.
So someone should not be educated enough to use a strong passphrase, but has the competency to recalculate a checksum? I repeat: it's an advanced feature, and like all advanced features it requires a precise application in relation to goals and circumstances. For sure, every UI that exposes the passphrase possibility must do it carefully, use the correct terms ("25th word" is just wrong) and point the user to a good informative resource.
A many-wallet approach is effective only as long as you back up the seeds in different locations. It's an advanced setup. You have more pieces to take care of, and so the risk of losing something increases. Like all advanced setups, it makes sense in specific circumstances.
You can't just NOT READ the instructions. RTFM. Set it up, test transaction, recover it. This is why you also test to make sure it works before you dump a bunch of money into a wallet...
> It's unlikely that someone will make their passphrase long enough to prevent someone from brute forcing it
Reality check: for the casual user that doesn't have a life-changing amount in Bitcoin, it is more likely that the seed is found by a roommate or some random guy that works on their property, instead of being the target of a determined, informed and well-equipped attacker. So even a moderately simple and highly memorable passphrase can be effective in many situations as an additional security layer.
Sure. But casual users don't use password managers, and if they do, they probably don't have sufficient opsec and backup procedures in place. A memorable (easy to transcribe and store as well) passphrase seems a good starting point.
Kat 5 months ago
What do you recommend?
If a tool wants to support decoy seed phrases, it can recalculate the checksum for you. Breaking the philosophy that a seed phrase is all you need is dangerous, and will be more dangerous as Bitcoin becomes more popular.
jb55 _@jb55.com 5 months ago
If you are using singlesig without a passphrase you are vulnerable to an attack where anyone can sweep your funds if they physically find your seed. I see passphrase as a physical two-factor without going down the full complexity of a 2-of-2 multisig wallet.
I talked about stolen *seeds*. A passphrase can be memorizable, you can always store it securely in a password manager, and offline backups are safer since the format is not easily identifiable, as is the case with seeds.
Make a 24 word seed.
Use the first 12 words as a decoy.
Use the second 12 words as a decoy.
Use the second 12 plus the first 12 as a 24 word decoy.
Now you have three decoys using the vast ecosystem of 12/24 phrase storage tools, and no one ever has to lose funds because wtf is a 25 word seed.
Yeah, this one is handy when you do the learning, but devastating if you just pile in without understanding the tech.
Even with the best UI, storing many seeds (a well-known format, easy to spot) is more complex than having one seed with a customizable additional layer of security. I repeat, for advanced setups, not the casual user.
That's the problem: if you can memorize the passphrase, it's generally easy to brute force. If you can memorize 12 words, just do that. If you want a 24 word seed, store the first twelve, then memorize the second. So far the argument has been that passphrases are great for og Bitcoiners. That's fine, but they can figure out a way to work inside a system that doesn't burn the next billion Bitcoiners.
Splitting a 24-word seed does not create two valid 12-word seeds; the checksum fails. And even if it were the case:
Quoted note from daniele: "Even with the best UI, storing many seeds (a well-known format, easy to spot) is more complex than having one seed with a customizable additional layer of security. I repeat, for advanced setups, not the casual user."
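The BIP39 mechanics argued over in this thread (a split 24-word seed failing its checksum, the "change a few words and fix the checksum" decoy, and the passphrase acting as a second key that is never rejected), as an added example that is not code from any poster here. It works on 11-bit word indices instead of the 2048-word list so it runs offline; mapping indices to words needs the BIP39 wordlist. The "abandon ... about" mnemonic with passphrase "TREZOR" is the first test vector from the BIP39 spec.

```python
import hashlib
import unicodedata


def derive_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed: PBKDF2-HMAC-SHA512(mnemonic, "mnemonic" + passphrase, 2048 rounds).
    Every passphrase is accepted, so a typo silently opens a different, empty wallet."""
    words = unicodedata.normalize("NFKD", mnemonic).encode()
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode()
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048, dklen=64)


def indices_from_entropy(entropy: bytes) -> list:
    """Entropy (16..32 bytes) -> 11-bit word indices; the low bits of the
    last word hold the first len(entropy)/4 bits of SHA256(entropy)."""
    ent = len(entropy) * 8
    bits = bin(int.from_bytes(entropy, "big"))[2:].zfill(ent)
    bits += bin(hashlib.sha256(entropy).digest()[0])[2:].zfill(8)[: ent // 32]
    return [int(bits[i:i + 11], 2) for i in range(0, len(bits), 11)]


def _entropy_of(indices: list) -> bytes:
    """Strip the checksum bits from a 12..24-word index list."""
    total = len(indices) * 11            # 132 bits for 12 words, 264 for 24
    cs = total // 33                     # 4 or 8 checksum bits
    bits = "".join(bin(i)[2:].zfill(11) for i in indices)
    return int(bits[:-cs], 2).to_bytes((total - cs) // 8, "big")


def checksum_ok(indices: list) -> bool:
    """True only if the embedded checksum matches the entropy bits."""
    return indices_from_entropy(_entropy_of(indices)) == indices


def fix_checksum(indices: list) -> list:
    """Keep the entropy bits, rewrite the checksum bits of the last word.
    This is the "change a few words and fix the checksum" decoy from the thread."""
    return indices_from_entropy(_entropy_of(indices))


if __name__ == "__main__":
    # Constructed input: the all-zero-entropy 12-word mnemonic from the BIP39 test vectors.
    mnemonic = " ".join(["abandon"] * 11 + ["about"])
    print(derive_seed(mnemonic).hex() != derive_seed(mnemonic, "TREZOR").hex())
    twenty_four = indices_from_entropy(bytes(32))
    print(checksum_ok(twenty_four), checksum_ok(twenty_four[:12]))  # True False
```

The first half of a 24-word seed fails because its checksum bits belong to the full 256-bit entropy, not to the 128 bits of the half; fix_checksum shows how little work the decoy route takes.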
jb55 _@jb55.com 5 months ago
It's not hard to memorize 24 words + seed phrase; people have no idea how good memory is, although funny enough I can't mention this without a swarm of bitcoiners who say iTs NoT a GoOd iDeA tO mEmOriZE tHiNgs. Like bruh, you do you if you don't want extra backups that can't be confiscated, but I lived through an era where police in Canada confiscated multisig wallets and they lost access to them.
jb55 _@jb55.com 5 months ago
I thought the same until I tried it. It's incredibly easy. You just do a memory palace / story technique. This is a very misunderstood thing about humans.
On the flip side, if your seed has never seen the internet, it’s safe to write it down on a computer… you could even email to your lawyer or whatever.
Totally disagree, 12+1 memorized & seed phrase backed up in steel at least twice + passphrase memorized by all members of the family is the way to go for such a setup, way better than 24 words or multisig, which I doubt I could keep in my head.
Noha 5 months ago
Passphrase + seed words seems like a much safer (and simpler) setup to protect your seed words than multi-sig. This is a case of user error. Nothing to do with passphrases.
The goal of passphrases is to produce a verifiably false passphrase + seed phrase combination. It is not JUST another seed word, it is a way to prevent the owner of the wallet to be protected in case of situations where the owner of the wallet is held hostage unless he reveals the true set of seed words
acronym 5 months ago
The OP was about the pitfalls with added complexity in a setup, passphrases specifically. I am saying it is maybe more correct to educate people on the importance of testing/proving recovery and good backup practices, and to not blame lost funds on something other than common user sloppiness.
I didn't get that from your replies, but you're right, everyone should test restoration.