The Importance of Passphrase in Securing Your Cryptocurrencies (English Version)

You may already know that your 24-word recovery phrase is the backup for all your cryptocurrency assets. It is crucial to store those 24 words securely and never enter them on a smartphone, computer, or any other device that can connect to the internet: anyone who obtains them can move all your cryptocurrencies. There is, however, a way to add a further layer of protection on top of the 24 words: a Passphrase.


The Passphrase is an advanced feature that lets you add a secret of your own choosing on top of your recovery phrase, which is why it is commonly called the 25th word. Unlike the 24 words, which the device generates, you choose the 25th word yourself, and despite the name it does not have to be a single word or come from any word list. On Ledger devices the only hard limit is a maximum of 100 characters. The Passphrase is case-sensitive and can contain numbers and symbols.


Using a Passphrase on top of your regular setup opens a completely new set of accounts. It is as if you had a second, entirely different recovery phrase.


Why would you want to use a Passphrase and have a completely new set of cryptocurrency addresses?


Firstly, since the Passphrase adds an additional layer, someone who has your 24-word recovery phrase still does not have enough information to reach the cryptocurrencies you keep behind it. They would need both your 24 words and the 25th word you created. With only the 24 words they can open only your regular accounts, which is why accounts managed with a Passphrase are often called hidden accounts.


If at this point you are starting to worry and wondering how they could access your regular accounts at all, let me explain.


Someone who holds only the 24 words of your recovery phrase, and not the Passphrase, can open only your regular accounts. They cannot see or move any cryptocurrency held in the "hidden" accounts, because the Passphrase is required to reach those.


The 24 words of your recovery phrase are the input from which the private keys behind your cryptocurrency addresses are derived. When you set a Passphrase, it is mixed into that derivation, so the 25th word is also needed to reproduce the private keys of the hidden accounts. Concretely, BIP39 stretches the words together with the Passphrase into a seed, and every key in the wallet descends from that seed; change the Passphrase by a single character and you get an unrelated seed and an unrelated wallet. So someone who only has your 24 words cannot sign transactions from, or even see, the funds in your hidden accounts.
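The derivation described above, as an added example that is not part of the original article or of Ledger's code. It implements the BIP39 seed stretch (PBKDF2-HMAC-SHA512, 2048 rounds, salt "mnemonic" + passphrase) and the BIP32 master-key step that hardware wallets, Ledger included, use, and shows that the same 24 words open a different wallet for every distinct passphrase, including a change of case or a trailing space. The mnemonics are the all-zero-entropy BIP39 test vectors, not real backups; `wallet_id` is a display helper invented here:

```python
import hashlib
import hmac
import unicodedata
from typing import Tuple

# Constructed inputs for this example only. The 12-word mnemonic and the expected
# seed are BIP39 test vector #1 (all-zero entropy, passphrase "TREZOR"); the
# 24-word mnemonic is the all-zero-entropy 24-word vector. Never paste a real
# recovery phrase into a script on an internet-connected machine.
VECTOR_MNEMONIC = ("abandon " * 11 + "about").strip()
VECTOR_PASSPHRASE = "TREZOR"
VECTOR_SEED_HEX = ("c55257c360c07c72029aebc1b53c05ed0362ada38ead3e3e9efa3708e5349553"
                   "1f09a6987599d18264c1e1c92f2cf141630c7a3c4ab7c81b2f001698e7463b04")
DEMO_24_WORDS = ("abandon " * 23 + "art").strip()


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed derivation: PBKDF2-HMAC-SHA512, 2048 rounds, 64-byte output.

    The mnemonic is the password and "mnemonic" + passphrase is the salt. Both
    strings are NFKD-normalized first, as BIP39 requires, so an accented character
    typed in precomposed or decomposed form yields the same seed. No checksum
    covers the passphrase: every string, including the empty one, is a valid
    passphrase that opens its own wallet.
    """
    words = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048)


def bip32_master_key(seed: bytes) -> Tuple[bytes, bytes]:
    """BIP32 master node from the seed: HMAC-SHA512 keyed with "Bitcoin seed".

    Returns (master private key, chain code). Every account and address in the
    wallet is derived from this pair, so a different seed is a different wallet,
    not a different way of unlocking the same one.
    """
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def wallet_id(mnemonic: str, passphrase: str = "") -> str:
    """Short label for the wallet a (mnemonic, passphrase) pair opens (helper
    invented for this demo). Eight hex characters of SHA-256 over the master
    private key are enough to tell wallets apart and reveal nothing about the key.
    """
    priv, _chain = bip32_master_key(bip39_seed(mnemonic, passphrase))
    return hashlib.sha256(priv).hexdigest()[:8]


if __name__ == "__main__":
    seed = bip39_seed(VECTOR_MNEMONIC, VECTOR_PASSPHRASE)
    print("test vector seed matches:", seed.hex() == VECTOR_SEED_HEX)
    # The same 24 words open a different wallet for every distinct passphrase,
    # including a change of case or a stray trailing space; only the two
    # spellings of "café" agree, because NFKD normalization makes them identical.
    for pp in ["", "Secret", "secret", "Secret ", "caf\u00e9", "cafe\u0301"]:
        print(f"passphrase {pp!r:>12} -> wallet {wallet_id(DEMO_24_WORDS, pp)}")
```

Run it and compare the wallet ids: the empty passphrase is the "regular" wallet, every other string is a separate hidden wallet, and nothing in the output tells you which passphrase was the one you meant to type.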


Using a Passphrase not only adds another layer, it also adds entropy to your backup. The standard 24-word recovery phrase is already extremely random: it encodes 256 bits of entropy (24 words of 11 bits each, of which 8 bits are a checksum), which gives 2^256, or 115,792,089,237,316,195,423,570,985,008,687,907,853,269,984,665,640,564,039,457,584,007,913,129,639,936, possible phrases. However, the words themselves come from a known list, the BIP39 word list, so the strength of the phrase rests entirely on those 256 random bits.


With a 25th word, you push this already enormous number of combinations further, and you introduce a human element: instead of relying only on 24 words generated by a device, you add a secret you thought of yourself. It only helps as much as it is hard to guess, so choose it as carefully as a password. That said, a recovery phrase generated by a Ledger device alone is already very secure; Ledger devices hold the highest certification for the quality of the True Random Number Generator (TRNG) used to create it. Lastly, a Passphrase gives you plausible deniability. Let's see why that might matter.


What is plausible deniability?


Just like with anything of value, there will always be people trying to steal it by any means possible. Unfortunately, in the cryptocurrency world I have seen rare cases where individuals known to hold significant cryptocurrency wealth were targeted for theft and physical threats. The Passphrase can offer limited protection in such events.


With the Passphrase, plausible deniability comes down to letting someone believe they now have access to your whole cryptocurrency fortune. For example, someone could coerce you into handing over your recovery phrase or unlocking your Ledger device. With your regular setup you would only be giving access to your regular accounts, not the hidden ones. If the regular accounts hold a small balance while most of your cryptocurrencies rest in hidden accounts, this can be quite convincing. You could even keep several hidden accounts under different Passphrases, which is useful if the attacker knows the Passphrase feature exists.


Plausible deniability does not provide certainty, but it could give you a chance to save your cryptocurrency fortune in extreme circumstances.


Can I use a Passphrase on my Ledger device?


Yes, you can. Some hardware wallets support a Passphrase but require you to type it on a computer, which exposes the Passphrase to malware on that machine. With Ledger you can enter the Passphrase directly on the device to enable a hidden account, so it never passes through a computer.


In practice, Ledger gives you two ways to set up a Passphrase. The first is to enter it on the device each time you want to use it; Ledger refers to this as the "Set Temporary Passphrase" option. Once the device is powered off, it goes back to your regular accounts at the next unlock.


The other option is to attach a Passphrase of your choice to a second PIN code. You first create the Passphrase directly on the Ledger device, then choose a second PIN for it. From then on, each time you power on the device you can enter either your normal PIN or the secondary PIN: the normal PIN opens your regular accounts and the secondary PIN opens the hidden accounts behind the Passphrase.


Best Practices advised by Ledger:


Using a Passphrase is considered an advanced option for some very simple reasons. First, you must remember your Passphrase exactly. If one or more characters are swapped, or a letter is uppercase instead of lowercase (or vice versa), the device does not report an error: there is no checksum on the Passphrase, so it simply opens a completely different, empty set of accounts.


If you cannot reproduce your Passphrase character for character, you will not be able to access the crypto assets managed with it. For this reason it is important that 1. you type it correctly when you first set it up, and 2. you remember it exactly.


Additionally, not all Passphrases are equally secure. They can be up to 100 characters long, and you decide whether to include uppercase letters, numbers, or symbols. The longer and more complex the phrase, and the more character types you use, the stronger it is. Keep the threat model in mind: an attacker who already holds your 24 words can test candidate Passphrases offline, as fast as their hardware allows, and any guess that reproduces one of your addresses on the blockchain wins. A Passphrase that appears in a password dictionary, or a common word with a digit appended, offers almost no protection in that situation. Treat it like a password and make it as complex as you can, without using common words directly.


For example:


Passphrase1: password → Very insecure: short, with no random characters or uppercase letters, and found in every password dictionary.

Passphrase2: ILikeUakaritech → Somewhat more secure thanks to its length and use of uppercase letters, but it still consists of common words and contains no numbers or symbols.

Passphrase3: H05!xp4e2i6dAnV?esRjfap953nxZprsi495nAASF5n,!f01.?d → Much more secure thanks to its length, its mix of uppercase letters, numbers, and symbols, and the absence of common words.
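To make the dictionary-attack risk concrete, here is an added example (not from the article, and not Ledger's code) of what an attacker who already holds the 24 words can do offline: run candidate passphrases through BIP39 and BIP32 and compare a public identifier of the resulting wallet with one they have observed. It uses the article's own Passphrase1 and Passphrase3, a tiny constructed word list with typical mangling rules, and the all-zero-entropy 24-word BIP39 test mnemonic as the stolen backup. The identifier compared (SHA-256 of the compressed master public key, truncated) and the helper names `mangle` and `guess_passphrase` are simplifications chosen here; a real attacker would compare addresses and use a dictionary of millions of entries:

```python
import hashlib
import hmac
import unicodedata
from typing import Iterable, List, Optional

# secp256k1 domain parameters (field prime, group order, generator).
_P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
_G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
      0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

# Constructed inputs: the all-zero-entropy 24-word BIP39 test mnemonic stands in
# for the stolen 24 words; the passphrases are the article's Passphrase1 and 3.
STOLEN_24_WORDS = ("abandon " * 23 + "art").strip()
WEAK_PASSPHRASE = "password"
STRONG_PASSPHRASE = "H05!xp4e2i6dAnV?esRjfap953nxZprsi495nAASF5n,!f01.?d"
# Tiny stand-in for a real password dictionary (millions of entries in practice).
BASE_WORDS = ["password", "123456", "letmein", "bitcoin", "ledger", "satoshi", "hodl"]


def ec_add(p, q):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    x1, y1 = p
    x2, y2 = q
    if x1 == x2 and (y1 + y2) % _P == 0:
        return None
    if p == q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, _P) % _P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, _P) % _P
    x3 = (lam * lam - x1 - x2) % _P
    return x3, (lam * (x1 - x3) - y1) % _P


def ec_mul(k: int, p):
    """Double-and-add scalar multiplication (not constant-time; fine for an attacker's own search)."""
    r = None
    while k:
        if k & 1:
            r = ec_add(r, p)
        p = ec_add(p, p)
        k >>= 1
    return r


def compressed_pubkey(priv: bytes) -> bytes:
    """33-byte SEC1 compressed public key: 02/03 parity prefix plus the x coordinate."""
    x, y = ec_mul(int.from_bytes(priv, "big"), _G)
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")


def bip39_seed(mnemonic: str, passphrase: str) -> bytes:
    """BIP39: PBKDF2-HMAC-SHA512 with salt "mnemonic" + passphrase, 2048 rounds."""
    words = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048)


def master_privkey(seed: bytes) -> bytes:
    """BIP32 master private key: left half of HMAC-SHA512("Bitcoin seed", seed)."""
    return hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()[:32]


def wallet_fingerprint(mnemonic: str, passphrase: str) -> str:
    """Public identifier of the wallet a passphrase opens (simplification chosen here).

    First 4 bytes of SHA-256 over the compressed master public key. BIP32's own
    fingerprint uses HASH160; SHA-256 alone avoids RIPEMD-160, which some OpenSSL
    builds lack. It plays the role of any public data the attacker has observed,
    such as one of the victim's addresses: it is derived from public keys only.
    """
    pub = compressed_pubkey(master_privkey(bip39_seed(mnemonic, passphrase)))
    return hashlib.sha256(pub).hexdigest()[:8]


def mangle(words: Iterable[str]) -> List[str]:
    """Cheap rule set of the kind cracking tools apply to every dictionary word."""
    out: List[str] = []
    for w in words:
        out += [w, w.capitalize(), w + "1", w + "!", w + "123", w.capitalize() + "1"]
    return out


def guess_passphrase(mnemonic: str, target_fp: str, candidates: Iterable[str]) -> Optional[str]:
    """Offline search: the attacker holds the 24 words and a public fingerprint of the
    hidden wallet; each candidate costs one PBKDF2 run plus one EC multiplication."""
    for cand in candidates:
        if wallet_fingerprint(mnemonic, cand) == target_fp:
            return cand
    return None


if __name__ == "__main__":
    candidates = mangle(BASE_WORDS)
    for label, pp in [("Passphrase1", WEAK_PASSPHRASE), ("Passphrase3", STRONG_PASSPHRASE)]:
        target = wallet_fingerprint(STOLEN_24_WORDS, pp)
        hit = guess_passphrase(STOLEN_24_WORDS, target, candidates)
        print(f"{label}: fingerprint {target}, {len(candidates)} guesses -> {hit!r}")
```

Passphrase1 falls on the first guess; Passphrase3 survives the whole list, and no list is long enough for it. The 2048 PBKDF2 rounds make each guess a little slower but do nothing to rescue a passphrase that is in a dictionary, which is why the strength of the 25th word matters as much as the secrecy of the 24.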


While Passphrase3 is the most secure of the three, it is also the hardest to remember. A practical middle ground is to build the Passphrase from a sentence only you know, keeping the first letter of each word together with its digits and punctuation. The printed example "RdlebdUsl3nnsqmamaP!" was built this way from the original-language wording of the sentence "I really enjoy reading Uakaritech's blog about the 3 new nano S devices that my friend Pedro advised me on!"; applying the same rule to the English sentence gives "IrerUbat3nnSdtmfPamo!". Such an acrostic is still weaker than a random string of the same length, since an attacker who knows the method can narrow the search, but it is far better than a dictionary word.


I want to emphasize that your Passphrase is sensitive information. Treat it with the same care you give your recovery phrase:


  • Never share your Passphrase with anyone.
  • Never enter your Passphrase on a computer, mobile, or other internet-connected device.

More articles by Pedro Enrique C.