Bitcoin Q&A: Passphrases and seed storage

Do passphrases protect against leaks or compromises of mnemonic seed words? Why are brain wallets usually insecure? Why should you not “roll your own …


  1. Have you traded with any forex or binary options broker either regulated or unregulated and when it got to the point of making withdrawals of your invested money all transactions got ceased up? Feel free to contact Mr Robert Smith
    He's an expert in trading and had helped a lot of traders including myself recover their lost funds
    Contact him via his telegram @Robertsmith1994

  2. I disagree with Andreas here. If the passphrase is cryptographically strong, i.e. 128 to 256 bits of entropy, then publishing the seed does not compromise the security. A 256 bits of entropy seed plus a 256 bits of entropy passphrase yields you a 512 bits of entropy. Giving up 256 bits (the seed) leaves you with 256 bits (the passphrase) and you're still good. In other words: A published 24-seed + 256 bits passphrase is equal to a 24-seed without a passphrase. Both have 256 bits of entropy.

    Ideally, one would use a 24-word-seed and a differently created 128+ bits passphrase (like a 12+ word diceware passphrase) and of course keep both secure and offline. The advantage is, should it turn out that the RNG of the hardware used was weak, you at least have the entropy of the passphrase, which is enough if it's 128+ bits.

    Also: @8:20
    128 bits of entropy is also unbruteforceable. In practical terms, there's no security difference between 256 and 128 bits of entropy, even less when key stretching is applied. Most wallets use a 12 word seed, which equals "only" 128 bits of entropy, anyway.

    Change my mind.

    PS: But that being said: don't fucking invent your own crypto.

  3. But half a seed representing 128 bits is still more than enough, isn't it?
    You just said, seeds are 12 to 24 words. So half of a 24 word should still be plenty secure?

    It's curious because at Honeybadger 2018 the Trezor dev said the same thing so you are probably correct. But why?

  4. Can you tell me lets say I keep my 24 word key secure and add a word for my passphrase. How secure would that second wallet be? Assuming they don't assume a 25th passphase and they dont have the 24 word seed?

  5. So does this mean that using the 12 word seed with the trezor model-t is significantly less secure than a Trezor one with a 24-word seed? The model-t only allows for generating a 12 word seed (via GUI) so it would seem trezor’s new product is bad purchase unless you have an existing 24-word seed you can input? If I have a ledger nano s should I just generate the seed on there and then input that into the trezor model-t or is that not advisable Incase ledger has an unknown vulnerability which would essentially make it like putting all your eggs in one basket?

Leave a Reply

Your email address will not be published.