If I have your seed phrase, brute forcing your passphrase is not difficult, and gets easier every year. All I need is the UTXO set and cheap compute. There is no rate limiting, and the difficulty of testing a phrase is too low.


Discussion

A passphrase can be another twelve words.

If you've lost your seed phrase, what are the chances you haven't also lost your passphrase? And if you know how to protect your passphrase, why didn't you protect your seed phrase?

I'm not doubting that this setup isn't right for most people. But surely you can imagine a scenario where, given the right person and skills, it's beneficial?

I don't. The most generous situation is where someone had "some words" and "some more words", an attacker stole the first set, and not the second. First, why were they able to steal one and not the other, and you are somehow able to recall both? Second, you can do the same thing by using a 24 word seed phrase and storing half in one place and half in another.

In the end, "some words" plus "some more words" is indistinguishable from "some words", so why do we expect them to behave differently?

I don't want to go into my personal circumstances for obvious reasons, but I can confirm that you haven't thought about this from all angles. I'm not looking to argue, though. I agree with your overall sentiment. I'm merely saying, there are some very specific life variables out there that can make certain setups preferable over others. But for most people 12 words is enough.

I don't see what those could be, but I don't want you to expose yourself either.

For context, I've worked on important authorization systems and there are many things that I have considered. Perhaps someone else will point out my shortcomings here.

It *would* be different if someone could brute force your seed phrase. In that case, adding words would definitely improve security. Since brute forcing a seed phrase is currently intractable, we have to assume that the attacker stole it. Presumably they would also steal your passphrase, but if not, it needs to be a pretty long, non obvious passphrase, or it will be trivial to brute force.

Now – is it more likely that your seed will be stolen in a way that makes your passphrase a useful defense, or that you'll someday forget it and lose all your funds?

Don't try to make "your own cryptography".

I'm not sure whether you're arguing for or against what I said, but in my view the passphrase mechanism is actually "your own cryptography" tacked onto the seed phrase mechanism.

it's a password.

you can't brute force a 16 character password. I can't brute force it.

maybe a government can do it fast enough, but if you're at that point you're more fucked than just 'oh fuck someone stole my seed phrase' level of fuck.

and if hardware becomes increasingly close to being able to do it you just make a new wallet.

plus the goal of the passphrase is to give you a layer of security; if someone steals your seed phrase you should know that someone stole it, thus you gain time to change to a new wallet before they can do anything.

if you can't know that someone stole your seed phrase then your setup is just stupid.

That's bcrypt(10). Divide all of those by 1,000 to get a more realistic estimate. This assumes that each character is random, which you are most likely to forget, so really use the number of words / 4, etc.

24 words is a great place to be. This passphrase option isn't making it as hard as you think, and makes it much easier for you to forget your backup.
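The thread's core claim is that once the 12 or 24 words are known, the only thing standing between an attacker and the wallet is the passphrase, and that each candidate passphrase costs a single cheap key derivation with no rate limit. The added example below (mine, not code from anyone in this thread) makes that concrete from a defender's side: it derives a BIP39 seed per the public spec (PBKDF2-HMAC-SHA512, 2048 rounds), measures how many candidate seeds one CPU core derives per second, and turns the entropy of a few passphrase shapes into a worst-case search time at that rate. The mnemonic used is the all-zero-entropy test vector from the BIP39 spec, the candidate passphrases are constructed throwaways, and the "million times this rate" figure is an assumed illustration of a well-funded attacker, not a measurement.

```python
import hashlib
import math
import time
import unicodedata

# BIP39 (public spec): seed = PBKDF2-HMAC-SHA512(mnemonic, "mnemonic" + passphrase, 2048 rounds, 64 bytes).
# Only the passphrase changes between candidates, so testing one candidate costs one such derivation
# (plus address derivation and a UTXO lookup, which add work but are not the bottleneck).
BIP39_ROUNDS = 2048


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 64-byte BIP39 seed from a mnemonic and optional passphrase."""
    mnemonic_bytes = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", mnemonic_bytes, salt, BIP39_ROUNDS, dklen=64)


def measure_derivations_per_second(mnemonic: str, samples: int = 20) -> float:
    """Time how many candidate seeds one CPU core derives per second, using constructed passphrases."""
    start = time.perf_counter()
    for i in range(samples):
        bip39_seed(mnemonic, f"candidate-{i}")  # constructed throwaway candidate
    return samples / (time.perf_counter() - start)


def passphrase_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a passphrase whose every symbol is chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to search the whole space when candidates can be tested without any rate limit."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    # All-zero-entropy test vector mnemonic from the BIP39 spec; the passphrase is the unknown.
    mnemonic = "abandon " * 11 + "about"
    rate = measure_derivations_per_second(mnemonic)
    print(f"one core: ~{rate:,.0f} candidate seeds/sec")
    for label, length, alphabet in [
        ("8 lowercase letters", 8, 26),
        ("16 random printable ASCII characters", 16, 95),
        ("12 more BIP39 words", 12, 2048),
    ]:
        bits = passphrase_bits(length, alphabet)
        print(f"{label}: {bits:.1f} bits, {years_to_exhaust(bits, rate):.3g} years on this core, "
              f"{years_to_exhaust(bits, rate * 1e6):.3g} years at an assumed million times this rate")
```

The entropy figures assume every symbol is chosen uniformly at random; a human-chosen phrase has far fewer effective bits, which is the point the thread makes about short passphrases.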