In Bitcoin, where fortunes reside in strings of code, security should always be your number one priority. When you decide to store your wealth in Bitcoin, your first task is to eliminate third-party risk, which involves generating a set of private keys only you can access; once you have those keys, you can generate public addresses to receive Bitcoin.
Self-custody is one of Bitcoin’s killer features, and it can feel daunting to take personal responsibility. Still, this feeling shouldn’t discourage you from avoiding a possible loss of funds with a custodian. Considering that all your other assets, such as stocks, bonds, and ETFs, all have a custodian managing them for you, leaving your Bitcoin with another one, regulated or unregulated, makes very little sense.
Bitcoin is one of the cheapest assets to self-custody; it can be as simple as spinning up software on your computer or something more robust like an air-gapped signing device. Depending on your resources, you may choose from a range of setup options, and once you have those mythical 12, 18 or 24 words set up to hold your Bitcoin fortune, it’s in your hands to keep it safe from in-person attacks.Â
Keeping your keys safe
Having a set of private keys, you command absolute ownership; it is an empowering feeling at first; instead of trusting a company and their promises, you have the backing of the Bitcoin blockchain securing your funds, which you can verify at any time using the software you can run yourself.
For those benefits, you have made a trade-off; you are now the single point of failure.
- If you ever lose those keys
- If those private keys are damaged in a fire or flood.
- If you leak your keys online
- If you are a victim of a home invasion or mugging and your keys are stolen, that money is gone for good.
All that stands between you and losing your Bitcoin fortune is your ability to secure that set of words.
- Creating copies of it is one way to avoid losing it, but it gives anyone more chances to find your keys if you’re using a single-signature wallet.
- Creating a robust steel copy is one way of protecting your keys from damage.
- Using an air-gapped wallet is one way to keep your keys from touching an online device and internet connection.
But what can I do if someone bashed down my door with a wrench, threatening you to hand over your stash? Handing over 12, 18 or 24 words is easy, so keeping your Bitcoin ownership as private as possible is essential. However, if you’ve made yourself known as a Bitcoin holder, you might need to employ tactics like a Duress Wallet or Passphrase.
While private keys and seed phrases act as gatekeepers, safeguarding your precious satoshis, there’s an often-overlooked guardian angel: the Bitcoin passphrase. But what exactly is this enigmatic term, and how does it bolster your digital defences?
Beyond the Seed Phrase: Unveiling the Passphrase’s Power
Imagine your seed phrase as the master key to your Bitcoin stash, but it’s one that anyone can use should they grab a hold of. This carefully chosen sequence of words opens the portal to your funds.
Offline seed phrases are great for securing funds against online attackers but not too helpful if someone is standing right in front of you, ready to turn your kneecaps into mashed potatoes.
Even the sturdiest locks benefit from additional fortifications, and this is where the passphrase makes its debut: a secret layer of encryption that acts like a secondary vault within your existing one.
It is an additional word or words that can be tied to your seed phrase, so even if your entire seed is lost or leaked, your fund’s security remains intact.
How Passphrases workÂ
When setting up a Bitcoin wallet with passphrase functionality, you’ll be prompted to craft a unique phrase distinct from your seed phrase. This chosen phrase gets mathematically intertwined with your seed phrase, generating a new set of private keys and, consequently, a hidden wallet. It’s like adding a combination lock to your existing vault, accessible only with the correct Passphrase.
Passphrases are tied to your seedphrase and should not be confused with Pins, which some signing devices offer as a layer of protection to login to the device.
The Passphrase and recovery seed belong together, meaning one must be used with the other to generate a receiving address, send Bitcoin, or recover your wallet to a new device. If you’ve generated a Passphrase-enabled wallet, you will always have to use the Passphrase for the lifetime of use of those private keys.
What are the benefits of a Passphrase?
Adding this extra layer of complexity might seem scary, but the advantages are worth your weight in sats, especially for those who live in a hostile environment.
Fort Knox security
Even if your seed phrase is compromised, your hidden wallet remains untouched without the Passphrase. It’s like having a decoy wallet to mislead potential thieves.
Compartmentalising your Bitcoin
Having a Passphrase also allows you to separate your wallet threat; while you can keep your seed phrase at home, your Passphrase could be somewhere else or simply in your head.
Plausible deniability
In hypothetical situations involving duress, revealing your seed phrase might be enough to satisfy criminals pressed for time; the thief might feel they got what they came for and leave you in peace, only later to discover that they left empty-handed.
Considerations when setting up a Passphrase
Every security measure comes with a trade-off, and Passphrases are no different. Setting a passphrase burdens you with the risk that you could fail to back it up correctly or that your backup could fail. While passphrases offer unparalleled security, they demand a mindful approach:
Passphrases can protect you against unwanted withdrawals from your wallet, but there are pitfalls involved in this method. When you generate a seed phrase, you either intrust the software entropy or add your own entropy to generate the words and order them randomly.
But with a Passphrase, you choose your own keyword:
- It can be any memorable word / phrase / sentence up to 50 bytes (about 50 ASCII characters)
- It is case sensitive i.e. “My Passphrase” is not the same as “my passphrase.”
- Spaces are valid characters – every character matters.
- An empty passphrase is the same as ‘seed-only’ access to your Standard wallet.
- Just because you can add another layer doesn’t mean you should be lazy or complacent. Short one or 2-word passphrases from the BIP39 list or the dictionary are next to useless and can be brute-forced by even modest attackers, so look for longer words or words relative to you, and not assigned by the BIP39 list.
- Longer passphrases are exponentially more secure, but remember, you need to enter this into your signing device every time you want to manage or spend from that wallet, making your day-to-day wallet management more tedious.Â
- Losing your Passphrase is akin to losing your vault key. Your funds become inaccessible, potentially lost forever. Please treat it with the same reverence as your seed phrase.
- Never store your Passphrase online or in the cloud. Please write it down on physical paper and keep it in a secure, fireproof location, separate from your seed phrase.
Beyond the Basics: Diving Deeper into Passphrase Nuances
- BIP39 Standard: Passphrase implementation follows the BIP39 standard, ensuring compatibility across various wallets.
- Hidden Wallet Derivation Paths:Â Different wallets might use slightly different algorithms to derive hidden wallets from passphrases. Understanding your wallet’s specific method can be helpful.
- Multisig Wallets and Passphrases: Combining passphrases with multi-signature wallets can add further layers of security and control.
- Colour code your Passphrase: If you would like to give yourself and criminals the runaround, you could encode your Passphrase with something like BIP39 Colors, making it even harder to guess.
Passphrases are an optional layer for additional safety.
As the landscape of Bitcoin merges with traditional finance, and as the wealth stored in the Bitcoin network grows, more people will find out about it, including criminals. This increase in wealth makes Bitcoiners an attractive target; breaking into a home and stealing a few electronics, jewellery and cash might not be worth it, but if thieves know they can quickly make out with a seed plate holding a few Bitcoin, it might encourage them to take more risk.
While you might have been protected in the past with a simple seed phrase setup, those security options that have previously protected you might need to be more robust going forward.
Prioritising security is not just wise; it’s essential, but you must be willing to accept the trade-offs before adding additional security. If you are not ready for the complexity of Passphrases or feel an alternative security option like multi-sig works for you, go ahead.
But if you are going to remain a single-sig user and you live in an area where home invasions, kidnappings and muggings are common, you might want to start to get comfortable with Passphrase protection. Integrating a Bitcoin passphrase into your security arsenal adds an invaluable layer of protection, safeguarding your sats against potential threats that none of us want to consider since we don’t want to think about the worst-case scenarios and do not plan for them accordingly.