I would say it's even worse than that: breaking the passphrase is not difficult to an attacker, and basically impossible to the legitimate owner. The only thing a passphrase can do is help you lose funds

Discussion

It depends on the passphrase; it's just a password at the end of it.

But it should be clearer in the UI: wallets that prompt you to "make a passphrase" to "add security" should explain WTF it actually is.

For anyone new who doesn't know, it's a death trap.

For someone who knows but can't invest in a better setup (3-2 wallet), it fills an option that can work for some people.

If anyone uses one it has to be strong: 16 characters using letters, numbers, symbols, upper and lower case. At minimum.

If I have your seed phrase, brute forcing your passphrase is not difficult, and gets easier every year. All I need is the UTXO set and cheap compute. There is no rate limiting, and the difficulty of testing a phrase is too low.
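Added worked example (editor's illustration, not code from any participant in the thread): the BIP39 seed derivation the comments above are arguing about, together with a toy offline guessing loop of the kind the previous comment describes. It uses only the Python standard library. The mnemonic and expected seed are the first published BIP39 English test vector; the victim's passphrase, the candidate word list and the mangling rules are constructed for the demo; and the "look the derived address up in the UTXO set" step is replaced by a stand-in fingerprint of the seed, because real BIP32/secp256k1 address derivation is not shown here.

```python
"""BIP39 passphrase: seed derivation and a toy offline brute force against a known mnemonic.

Added example (editor's illustration, not code from any thread participant).
Standard library only. The UTXO-set address lookup is modelled by a stand-in
fingerprint of the seed; real BIP32/secp256k1 derivation is out of scope here.
"""
import hashlib
import time
import unicodedata

PBKDF2_ROUNDS = 2048   # fixed by BIP39
SEED_LEN = 64          # bytes

# First BIP39 English test vector (entropy 0x00 * 16, passphrase "TREZOR").
VECTOR_MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
                   "abandon abandon abandon abandon abandon about")
VECTOR_SEED_HEX = ("c55257c360c07c72029aebc1b53c05ed0362ada38ead3e3e9efa3708e5349553"
                   "1f09a6987599d18264c1e1c92f2cf141630c7a3c4ab7c81b2f001698e7463b04")


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed = PBKDF2-HMAC-SHA512(mnemonic, "mnemonic" + passphrase, 2048 rounds).

    Nothing here verifies the passphrase: every passphrase (including "") is
    accepted and yields a different 64-byte seed, i.e. a different wallet.
    """
    m = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", m, salt, PBKDF2_ROUNDS, dklen=SEED_LEN)


def wallet_fingerprint(seed: bytes) -> str:
    """Stand-in for "derive the first receive address and check it against the UTXO set".

    A real attacker runs BIP32 derivation and compares addresses; any cheap
    deterministic function of the seed models the cost structure the same way.
    """
    return hashlib.sha256(seed).hexdigest()[:16]


def candidate_passphrases(base_words, suffixes):
    """Minimal mangling rules: each word, plain and Capitalized, with every suffix."""
    for word in base_words:
        for variant in (word, word.capitalize()):
            for suffix in suffixes:
                yield variant + suffix


def crack_passphrase(mnemonic: str, target_fp: str, candidates):
    """Offline guessing: no rate limit, one PBKDF2 call per guess. Returns (hit, guesses)."""
    guesses = 0
    for cand in candidates:
        guesses += 1
        if wallet_fingerprint(bip39_seed(mnemonic, cand)) == target_fp:
            return cand, guesses
    return None, guesses


def guesses_per_second(mnemonic: str, n: int = 200) -> float:
    """Single-core rate on this host; dedicated GPU rigs are far faster."""
    start = time.perf_counter()
    for i in range(n):
        bip39_seed(mnemonic, str(i))
    return n / (time.perf_counter() - start)


def demo():
    # Constructed scenario: the attacker holds the mnemonic and knows which
    # address (here: fingerprint) is funded; the victim chose "Bitcoin2024!".
    victim_passphrase = "Bitcoin2024!"
    target = wallet_fingerprint(bip39_seed(VECTOR_MNEMONIC, victim_passphrase))
    cands = candidate_passphrases(
        ["bitcoin", "satoshi", "hodl", "password"],
        ["", "1", "123", "2024", "!", "2024!"],
    )
    return crack_passphrase(VECTOR_MNEMONIC, target, cands)


if __name__ == "__main__":
    assert bip39_seed(VECTOR_MNEMONIC, "TREZOR").hex() == VECTOR_SEED_HEX
    hit, n = demo()
    print(f"recovered passphrase {hit!r} after {n} guesses")
    print(f"~{guesses_per_second(VECTOR_MNEMONIC):.0f} guesses/s single-threaded on this host")
```

The only work factor standing between a stolen mnemonic and the funded wallet is 2048 rounds of HMAC-SHA512 per guess, which is why a passphrase drawn from a few dictionary words and the usual suffixes falls in a handful of guesses here; the rate printed by `guesses_per_second` is what a single CPU core manages before any GPU or parallelism is applied.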

A passphrase can be another twelve words.

If you've lost your seed phrase, what are the chances you haven't also lost your passphrase? And if you know how to protect your passphrase, why didn't you protect your seed phrase?

I'm not doubting that this setup isn't right for most people. But surely you can imagine a scenario where, given the right person and skills, it's beneficial?

I don't. The most generous situation is where someone had "some words" and "some more words", an attacker stole the first set, and not the second. First, why were they able to steal one and not the other, and you are somehow able to recall both? Second, you can do the same thing by using a 24 word seed phrase and storing half in one place and half in another.

In the end, "some words" plus "some more words" is indistinguishable from "some words", so why do we expect them to behave differently?

I don't want to go into my personal circumstances for obvious reasons, but I can confirm that you haven't thought about this from all angles. I'm not looking to argue, though. I agree with your overall sentiment. I'm merely saying, there are some very specific life variables out there that can make certain setups preferable over others. But for most people 12 words is enough.

I don't see what those could be, but I don't want you to expose yourself either.

For context, I've worked on important authorization systems and there are many things that I have considered. Perhaps someone else will point out my shortcomings here.

It *would* be different if someone could brute force your seed phrase. In that case, adding words would definitely improve security. Since brute forcing a seed phrase is currently intractable, we have to assume that the attacker stole it. Presumably they would also steal your passphrase, but if not, it needs to be a pretty long, non-obvious passphrase, or it will be trivial to brute force.

Now – is it more likely that your seed will be stolen in a way that makes your passphrase a useful defense, or that you'll someday forget it and lose all your funds?

Don't try to make "your own cryptography".

I'm not sure whether you're arguing for or against what I said, but in my view the passphrase mechanism is actually "your own cryptography" tacked onto the seed phrase mechanism.

It's a password.

You can't brute force a 16-character password. I can't brute force it.

Maybe a government can do it fast enough, but if you're at that point you're more fucked than just 'oh fuck, someone stole my seed phrase' level of fucked.

And if hardware becomes increasingly close to being able to do it, you just make a new wallet.

Plus the goal of the passphrase is to give you a layer of security: if someone steals your seed phrase you should know that someone stole it, thus you gain time to change to a new wallet before they can do anything.

If you can't know that someone stole your seed phrase, then your setup is just stupid.

That's bcrypt(10). Divide all of those by 1,000 to get a more realistic estimate. This assumes that each character is random, which you are most likely to forget, so really use the number of words / 4, etc.

24 words is a great place to be. This passphrase option isn't making it as hard as you think, and makes it much easier for you to forget your backup.

This makes no sense.

A proper passphrase is not hackable, it has legitimate uses, like decoy wallets; it's a useful advanced feature that should be handled carefully.

A decoy wallet... for when someone gets your seed phrase? It's unlikely that someone will make their passphrase long enough to prevent someone from brute forcing it. If you want a decoy seed phrase, why not change a few words and fix the checksum? At least then it's less obviously a decoy... "25 words" + low balance = decoy that you should run a dictionary attack on. 24 words with low balance is a wallet.

Obviously you have make it long enough! 😅

So someone is uneducated enough to use a weak passphrase, but has the competency to recalculate a checksum?

I repeat: it's an advanced feature, and like all advanced features it requires a precise application in relation to goals and circumstances.

For sure, every UI that exposes the passphrase possibility must do it carefully, use the correct terms ("25th word" is just wrong) and point the user to a good informative resource.

If a tool wants to support decoy seed phrases, it can recalculate the checksum for you. Breaking the philosophy that a seed phrase is all you need is dangerous, and will be more dangerous as Bitcoin becomes more popular.
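Added worked example (editor's illustration, not code from any participant or from any wallet): the checksum recalculation that the two comments above refer to, i.e. what a tool has to do after a few words of a BIP39 phrase are changed. It works on the 11-bit word indices so it needs no wordlist; mapping indices to words requires the published 2048-word BIP39 English list, which is not embedded here and must be supplied by the caller. The tampered phrase in `demo` is constructed from the all-"abandon" 12-word test vector.

```python
"""BIP39 checksum: validate a word-index list and repair the checksum word.

Added example (editor's illustration, not a participant's code or a wallet's
own implementation). Works on 11-bit word indices, so no wordlist is needed;
`fix_checksum_words` takes the caller-supplied BIP39 English wordlist.
"""
import hashlib


def _split(indices):
    """Return (bitstring, entropy_bit_count, checksum_bit_count) for a 12..24-word phrase."""
    if len(indices) not in (12, 15, 18, 21, 24):
        raise ValueError("mnemonic must have 12, 15, 18, 21 or 24 words")
    bits = "".join(format(i, "011b") for i in indices)   # 11 bits per word
    ent_len = len(bits) * 32 // 33                         # 128..256 entropy bits
    return bits, ent_len, len(bits) - ent_len             # checksum = ENT/32 bits


def _checksum_bits(entropy_bits: str, cs_len: int) -> str:
    """Checksum is the first ENT/32 bits of SHA-256(entropy)."""
    entropy = int(entropy_bits, 2).to_bytes(len(entropy_bits) // 8, "big")
    return format(hashlib.sha256(entropy).digest()[0], "08b")[:cs_len]


def valid_checksum(indices) -> bool:
    bits, ent_len, cs_len = _split(indices)
    return bits[ent_len:] == _checksum_bits(bits[:ent_len], cs_len)


def fix_checksum(indices):
    """Keep every entropy bit, recompute the checksum, return the repaired index list.

    Only the low cs_len bits of the last word carry the checksum, so only the
    final word can change; the words you swapped in stay exactly as chosen.
    """
    bits, ent_len, cs_len = _split(indices)
    fixed = bits[:ent_len] + _checksum_bits(bits[:ent_len], cs_len)
    return [int(fixed[i:i + 11], 2) for i in range(0, len(fixed), 11)]


def fix_checksum_words(words, wordlist):
    """Same repair on words; `wordlist` is the caller-supplied 2048-word BIP39 list."""
    return [wordlist[i] for i in fix_checksum([wordlist.index(w) for w in words])]


def demo():
    # Constructed decoy: start from the all-zero-entropy 12-word vector
    # ("abandon" x 11 + "about", indices 0 x 11 + 3) and swap word 7 for index 1234.
    original = [0] * 11 + [3]
    tampered = original[:]
    tampered[6] = 1234
    return valid_checksum(original), valid_checksum(tampered), fix_checksum(tampered)


if __name__ == "__main__":
    ok_before, ok_after_swap, repaired = demo()
    print("original valid:", ok_before)
    print("after swapping a word, still valid:", ok_after_swap)
    print("repaired indices:", repaired, "valid:", valid_checksum(repaired))
```

A wallet that recalculates the checksum changes at most the last word, which is why the first 11 (or 23) words of a decoy built this way are entirely the user's choice; `valid_checksum` is the same test every BIP39 wallet applies on import, so it can be used to check any candidate phrase before it is written down.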

Even with the best UI, storing many seeds (a well-known format, easy to spot) is more complex than having one seed with a customizable additional layer of security. I repeat, for advanced setups, not the casual user.

There's always hex or base64.

Easy 😅

And you completely lose the resilience benefits of seeds.

> It's unlikely that someone will make their passphrase long enough to prevent someone from brute forcing it

Reality check: for the casual user that doesn't have a life-changing amount in Bitcoin, it is more likely that the seed is found by a roommate or some random guy who works on their property than that they are the target of a determined, informed and well-equipped attacker.

So even a moderately simple and highly memorable passphrase can be effective in many situations as an additional security layer.

You can even store it in a password manager or on your computer.

Sure. But casual users don't use password managers, and if they do, they probably don't have sufficient opsec and backup procedures in place.

A memorable (easy to transcribe and store as well) passphrase seems a good starting point.

Make a 24 word seed

Use the first 12 words as a decoy

Use the second 12 words as a decoy

Use the second 12 plus the first 12 as a 24 word decoy

Now you have three decoys using the vast ecosystem of 12/24 phrase storage tools, and no one ever has to lose funds because wtf is a 25 word seed.

You're more likely to lose your phrase than to have it stolen.

I talked about stolen *seeds*.

A passphrase can be memorizable, you can always store it securely in a password manager, and offline backups are safer since the format is not easily identifiable, as is the case with seeds.

That's the problem: if you can memorize the passphrase, it's generally easy to brute force. If you can memorize 12 words, just do that. If you want a 24 word seed, store the first twelve, then memorize the second.

So far the argument has been that passphrases are great for OG Bitcoiners. That's fine, but they can figure out a way to work inside a system that doesn't burn the next billion Bitcoiners.

It's not hard to memorize 24 words + seed phrase; people have no idea how good memory is.

Although funnily enough, I can't mention this without a swarm of Bitcoiners who say iTs NoT a GoOd iDeA tO mEmOriZE tHiNgs.

Like bruh, you do you if you don't want extra backups that can't be confiscated, but I lived through an era where police in Canada confiscated multisig wallets and they lost access to them.

C'mon, it's very hard to memorize 30+ random words. There are better ways to accomplish your goal.

I thought the same until I tried it. It's incredibly easy. You just do a memory palace / story technique.

This is a very misunderstood thing about humans.

A passphrase adds entropy to your seed. Two things need to be broken, not just one (seed and passphrase too).

Yes, but the seed has enough range already. If they didn't know your seed, they're not going to find it.

Right... but I think the point is a passphrase will not weaken it.

The upsides are minimal, but that's okay because you might lose all your funds? 🤣

The Bitcoin equivalent of "we lose a little on each transaction but make up for it in volume".

You are right, it is always possible to lose a passphrase, but what makes it more losable than a seed?

Thinking that it's a device-specific passphrase and not an essential part of the seed.

Not sure what you mean... a passphrase is not device-specific and is not part of the seed but added to the seed. Any passphrase added to the seed makes a new wallet.

Re-read the original post: the Bitcoin mantra is that you only need your 12/24 words.

The OP was about the pitfalls with added complexity in a setup, passphrases specifically.

I am saying it is maybe more correct to educate people on the importance of testing/proving recovery and good backup practices, and to not blame lost funds on something other than common user sloppiness.

I didn't get that from your replies, but you're right, everyone should test restoration.