The BIP39 Passphrase, and how even the best hardware wallets let us down

Long post alert. Here's the tl;dr: Most hardware wallets leave your coins at risk because they implement the passphrase feature in a way that sounds good in theory but is unsafe in real world use. Below, I've explained why, and offered solutions. But first, an explanation:

I've noticed that almost no one who uses a hardware wallet regularly uses a passphrase with their seed, and the few who do use a very short passphrase that isn't safe.

At first, I assumed this was because people don't understand what a passphrase is (it's NOT a password), but I've come to realize it's probably because most hardware wallets implement the BIP39 passphrase feature so poorly.

What Is A Passphrase?

Your seed words produce a wallet.

Your seed words and a passphrase produce a totally different wallet. With just one seed, you can have as many passphrase wallets as you want. I have three: one for work, one for personal use, and one for testing.

The passphrase is part of BIP39. If you set up a passphrase with one wallet, it will work with any BIP39 compliant wallet, just as your seed words work with any BIP39 compliant wallet. It's brilliant.

Why Use A Passphrase?

A thief doesn't need your hardware wallet or your app to steal your coins. All they need is your seed words, because the seed provides the addresses and keys. But with a passphrase, your wallet is safe even if somebody finds your seed words, because your wallet wasn't made from your seed. It was made from the combination of your seed and passphrase.

Your Seed = A Wallet.
Your Seed+Passphrase = Totally Different Wallet.

If somebody finds your seed words, but you use a passphrase, they won't even know a passphrase wallet exists. And even if they think you might be using a passphrase wallet, it would take years (if not centuries) for them to brute force attack it.

That's safety!

The catch, of course, is that if you lose your passphrase, you'll lose access to your coins, just as you'd lose access to your coins if you lose your seed words. So, you have to write down your passphrase and keep it somewhere secure, somewhere separate from where you store your seed words. Somewhere safe.

What's A Good Passphrase?

A good passphrase is 4 to 8 words long and includes spaces. I'd recommend keeping your passphrase under 50 characters max, because some wallets (like Trezor) only work with passphrases that are 50 characters max (though I won't be surprised if they up it to 100). Other wallets allow a passphrase to be up to 100 characters.

Why use separate words?

It's easy to screw this up:
zingeryummygustojesterquirkysurfing

It's easy to get this right:
zinger yummy gusto jester quirky surfing

And since a passphrase is something you choose, you can create a passphrase you'll remember (but still, write it down and secure it as a backup). Don't pick something obvious that could be on a brute force attack list, like a song title, movie quote, etc. Choose something unique to you that couldn't be guessed by anyone. Or, if you're not creative, pick a few fun words out of a dictionary.

Now, The Bad News:

Most hardware wallets implement the passphrase feature piss poorly.

Most hardware wallets don't save your passphrase on the device, which means you have to enter the passphrase every single time you use it.

The example I used above ("zinger yummy gusto jester quirky surfing") is 40 characters long. Who is going to type a 40 character passphrase on a tiny device every time they use it? Most people aren't even willing to type a long password into a desktop or laptop even though they have a full size keyboard!

Here's three reasons why forcing a user to type a passphrase every time is bad:

1: It discourages using a passphrase at all.

2: If someone does use a passphrase, they're likely to use a short one (which is easily brute forced).

3: The user will need to have access to the passphrase every time they use the wallet, which means the passphrase won't be safely secured. Instead, it'll be somewhere they have instant access to, which means it'll be somewhere easy for anyone else to find.

In other words, hardware wallet makers are unintentionally encouraging users to be less safe, not more.

That's bad.

OK, But What About A $5 Wrench Attack?

One argument I'm seeing a lot of people make against saving a passphrase on the device is the potential for a $5 wrench attack, where an attacker forces you to open the wallet by threatening to beat the hell out of you. That's an absurd argument.

If an attacker is so familiar with crypto that he knows what a hardware wallet is, he'll also know you've got more than one wallet on that thing and he'll force you to enter whatever credentials are required, including a passphrase.

Another argument I see against saving a passphrase on a hardware wallet is plausible deniability. Here's the thing: an attacker threatening to beat you if you don't send him your crypto won't care about your hardware device. He'll demand you show him the balances in your app and send all of it to him. The hardware device doesn't show your balances, thus, plausible deniability isn't about whether or not a passphrase is saved in your hardware device. It's about whether or not your software wallet app shows your balances. If your app shows your balances, your plausible deniability is gone.

The idea behind not saving a passphrase on a hardware wallet is misguided, and it causes users to be less safe, not more.

Here's The Solution:

We need to encourage hardware wallet makers to integrate saved-passphrase login.

One option is to save the passphrase on the device with a unique login PIN, as Ledger does. Another option could be to import the passphrase using a QR code with an airgapped wallet, though even in that case, it would be more secure if the device saved the passphrase.

Using a passphrase needs to be fast and easy, because it should be something the user can do quickly, every single time they use their wallet. The entire point of a hardware wallet is that it locks a user's keys inside it. If your passphrase isn't locked inside of it, your passphrase isn't safe since you have to retrieve it and enter it every time you use your wallet.

How Should A Hardware Wallet Implement A Passphrase Feature?

A hardware wallet should save the passphrase on the device and offer three login options. Yes, three.

1: Open the device to the seed wallet.

2: Open the device to a seed+passphrase wallet.

3: Open the device to a duress/lockdown/wipeout mode.

If a device uses PIN codes, assign each login to a separate PIN (perhaps even assigning 0 0 0 as a duress/wipeout PIN).

If a device has a fingerprint scanner, have the user set up the thumb to log into the main seed wallet, fingers 1, 2 and 3 to log into separate passphrase wallets, and the pinkie finger to open the device to a duress/wipeout mode.

Last, but not least, a good hardware wallet needs some form of micro usb backup, encrypted with a user created password so the user can wipe out the device at any time and fully restore it with all features and settings intact.

Whoa, That's A Lot.

I know this is a long post, but safety matters, and a passphrase increases your safety.

Using a passphrase should be easy. Hardware wallet makers need to start implementing this potentially powerful form of seed security properly instead of making it harder to use due to poor implementation.

Think about how many times we've seen posts about getting hacked, but it turns out that somebody found their seed words & stole their coins. With a passphrase, that wouldn't have happened. If they'd used a passphrase, the thief would have only found an empty wallet. But it isn't realistic to expect people to enter a good passphrase every time they use their wallet, especially if the wallet is the size of a thumb drive.

That's part of the reason people aren't using a passphrase. That's part of the reason they're getting robbed.

I'll say it again: needing to enter the passphrase every time makes the user less safe, not more. Hardware wallets need a passphrase wallet login.