Need an extra layer of security for your Ledger device? Wondering how to protect your Bitcoin and other cryptocurrencies using a secret passphrase on your Ledger Nano? The following guide is for you.
As you know, when you initially set up the Ledger Nano (be it Ledger Nano S or Ledger Nano X), the device generates the 24 word recovery phrase and shows it to you. These 24 words are crucial because they back up the private keys and provide access to your accounts. Put simply, all of your cryptocurrency wallet accounts / addresses and their private keys are derived from this 24 word recovery phrase. It is the only backup of all the assets that you manage using your Ledger.
We hope you’ve stored your recovery phrase in a secure place where nobody can access it. Write down the words and keep them offline. Never take a screenshot and never enter them on a PC or any other device that is connected to the internet.
If someone gets hold of your 24 word recovery phrase they can access your accounts and steal all of your cryptocurrencies. What if the attacker could not access your funds even with a compromised seed? This can be achieved by adding a passphrase, an extra word of your choice, on top of the 24 word recovery phrase. It can be a set of words or just a single word; this is why a passphrase is also sometimes called the 25th word.
Alright! Let’s see how to set up passphrase protection on a Ledger Nano device to increase your wallet security. We’ll show you how to set up a secret passphrase and unlock hidden accounts. After the setup we’ll also show you how to switch between standard and passphrase protected accounts.
Before we get there, let’s first see what standard and passphrase protected accounts are, and understand the difference between a recovery phrase and a passphrase.
What is a passphrase?
A passphrase is an advanced security feature that allows you to add an extra word or phrase to your recovery phrase. It is not a password that protects your existing accounts. Instead it adds an additional word to your already existing 24 word recovery phrase. For this reason it’s also called the 25th word.
Unlike the 24 word recovery phrase, which is generated by your wallet, the 25th word (passphrase) is chosen by you. You add the passphrase on top of your wallet backup, that is the 24-word mnemonic seed, and it opens a brand-new set of accounts for you. You are not limited to one passphrase: you can use and manage multiple passphrases on top of your recovery phrase. Each one creates a completely different set of wallets.
So why unlock a brand new set of accounts? How does a passphrase work and what are the benefits of adding one?
Why consider using a passphrase?
By default, your Ledger wallet is not using a passphrase. It uses just the 24 word recovery phrase to derive the accounts; think of this as using an “empty” passphrase.
A passphrase adds an additional layer of security. When one is used, someone with access to just your 24 word recovery phrase cannot access your cryptocurrencies. In addition to the 24 words they also need the self-created 25th word, the passphrase, to access your wallet. This is why accounts managed with a passphrase are often called hidden accounts.
Accounts that are accessed with a passphrase (hidden accounts) can be managed using Ledger Live just like your standard accounts. If you are only using the 24 words then it is your regular account. If you are using a passphrase along with the recovery phrase then they are passphrase protected hidden accounts.
Let’s now take a look at how passphrases work.
How does a passphrase work?
When you set up Ledger the device generates a long random number and then converts it to 24 words. This is the BIP39 standard, though different wallets handle it differently.
The recovery phrase or mnemonic seed which your wallet generates is human readable and can be either 12 words or 24 words. Ledger, Trezor and other hardware wallets support both 12 and 24 words. But when you initially set up the Ledger the device generates 24 words. All your accounts, addresses and their private keys are derived from this 24 word recovery phrase.
If, in addition to these auto generated 12 or 24 words, you are using your own passphrase, then your wallet accounts, addresses and their private keys are derived from the 24 word recovery phrase + the passphrase.
Here is a simple formula:
If you don’t use a passphrase: Wallet backup (24 word recovery phrase) + “” (empty passphrase) = Normal wallet.
If you use passphrase: Wallet backup + Passphrase = Hidden wallet.
With just one wallet backup you can use multiple passphrases. Each passphrase can be a word or phrase of your own choosing and each passphrase unlocks a new wallet. It’s like having a completely different recovery phrase, as each passphrase generates a completely different seed.
The passphrase can be any combination of words / characters, up to 100 characters. But remember that when a passphrase is used your wallet configuration is completely dependent on it. You need both the 24 word recovery phrase and the passphrase to restore your wallet. If you have the recovery phrase but lose your passphrase then you’ll lose access to the funds that are stored in your passphrase protected accounts. So when you are using a passphrase make sure to back it up.
Benefits of adding passphrase
- A passphrase adds another layer of security to your standard 24 word recovery phrase and provides access to a new set of accounts.
- With passphrase protection your crypto assets are protected even if your 24 word recovery phrase gets compromised, because to access your hidden wallet the attacker needs both your recovery phrase and your secret passphrase.
- By having different passphrases you can unlock a unique set of accounts for different crypto. You don’t have to use or maintain different 24-word recovery phrases for this. Also there is no “wrong” passphrase. You can use as many passphrases as you like, and just changing the 25th word opens a completely different wallet.
- Aside from adding security and unlocking new accounts, passphrases also grant you plausible deniability when under duress.
What is plausible deniability?
It all depends on how you wish to manage your accounts. For example you can use your Ledger to manage both a regular account and passphrase protected hidden accounts simultaneously.
You can use your standard wallet as your day to day wallet, like a checking account where you only hold a small amount of crypto, and use your passphrase protected hidden accounts as your safe wallet to store the majority of your holdings.
If an attacker visits your place and forces you to unlock your Ledger then you can simply display your regular account. The attacker will never know that you have a secret wallet where the majority of your assets are hidden. The attacker simply empties what’s left in your regular wallet thinking that’s all you have.
The passphrase protected hidden wallet remains a secret, and it takes your wallet security to the next level.
Important characteristics of passphrase
A passphrase, also known as the 25th word, can be a word or phrase of your choice, up to 100 characters max.
Passphrases are case sensitive. They support uppercase, lowercase, numbers, and symbols. For example “passphrase” and “PASSPHRASE” are distinguished and count as different passphrases. So if you are using a passphrase then store it securely and ensure it is perfect, character by character.
Any passphrase is valid. This means that if you’ve set a passphrase and later enter an incorrect one, the wallet will not return an error message saying “incorrect passphrase”. Passphrases are different from passwords: each passphrase combined with your 24 word recovery phrase derives a different, empty wallet.
Mistyping a passphrase only generates a new wallet. So when you set it up make sure you get the backup right.
Unlike the recovery phrase, passphrases are not stored on your device. Just like your PIN, you’ll have to enter the passphrase each time to access your passphrase protected wallet.
To restore your hidden wallet you’ll need both the recovery phrase (24 word wallet backup) and the passphrase you used. If you forget or lose your passphrase then you’ll lose access to your funds.
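The formula and the characteristics above can be seen in the BIP39 derivation itself, shown here as an added example (not Ledger’s code and not part of the original guide): the recovery words are stretched with PBKDF2-HMAC-SHA512 and the passphrase is part of the salt, so every passphrase, including a mistyped one, yields a valid but different seed. The mnemonic is the public BIP39 test-vector phrase; fingerprint, backup_warnings and demo are hypothetical helpers, and the 100 and 50 character limits are the ones this guide states.

```python
import hashlib
import unicodedata

# Public BIP39 test-vector mnemonic, used here as a constructed sample.
# It is widely known: never send funds to a wallet derived from it.
SAMPLE_MNEMONIC = "abandon " * 11 + "about"

LEDGER_MAX_CHARS = 100  # limit stated in this guide
TREZOR_MAX_CHARS = 50   # limit stated in this guide


def bip39_seed(mnemonic, passphrase=""):
    """BIP39 seed: PBKDF2-HMAC-SHA512 over the words, salted with
    "mnemonic" + passphrase, 2048 iterations, 64-byte output."""
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac(
        "sha512", words.encode("utf-8"), salt.encode("utf-8"), 2048, dklen=64
    )


def fingerprint(mnemonic, passphrase=""):
    """Short label for comparing wallets in this demo (hypothetical helper)."""
    return hashlib.sha256(bip39_seed(mnemonic, passphrase)).hexdigest()[:8]


def backup_warnings(passphrase):
    """Flag properties of a passphrase that commonly break a later restore."""
    warnings = []
    if passphrase == "":
        warnings.append("empty passphrase opens the standard wallet")
    if passphrase != passphrase.strip():
        warnings.append("leading or trailing space is part of the passphrase")
    if "  " in passphrase:
        warnings.append("consecutive spaces are easy to lose in a written backup")
    if len(passphrase) > LEDGER_MAX_CHARS:
        warnings.append("longer than the 100 characters Ledger accepts")
    elif len(passphrase) > TREZOR_MAX_CHARS:
        warnings.append("longer than the 50 characters Trezor accepts")
    return warnings


def demo():
    """Map each candidate passphrase to the wallet fingerprint it opens."""
    candidates = ["", "passphrase", "PASSPHRASE", "passphrase ", "passphrse"]
    return {repr(p): fingerprint(SAMPLE_MNEMONIC, p) for p in candidates}


if __name__ == "__main__":
    # Every candidate derives a valid seed; nothing reports a "wrong" passphrase.
    for label, fp in demo().items():
        print(f"{label:16} -> wallet {fp}")
    print(backup_warnings("my long sentence with a trailing space "))
```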
Now before we add a passphrase here are a few additional FAQs.
1. I have already set up a Ledger Nano S or Nano X, but did not use the passphrase. Can a passphrase be added to an already set up device?
Sure, you can set up and use a passphrase on an already set up Ledger device. But remember that a passphrase generates a different account than the 24 word wallet. This means you will not lose the money you have in your existing wallet. You are just creating a new set of accounts. So if you have funds in your 24 word standard wallet, then after setting up the passphrase account you can send them to your new wallet address.
2. How to choose the 25th word or passphrase?
It is totally up to you how you choose your passphrase. The passphrase can be up to 100 characters long so you can choose a letter, a word, a sentence, or just gibberish. It also supports spaces, uppercase, lowercase, numbers, and symbols.
But calling the passphrase the “25th word” is quite misleading; remember that a simple word can be easily brute forced. It is called a passphrase, and for high security you should choose a strong one. Also make sure you write it down.
3. How long is a passphrase?
First of all don’t use a single word. To greatly increase security a passphrase should be a sentence or phrase (with or without spaces) that you can easily remember. It should typically be more than 20 characters long and is limited to 100 characters.
There is no recommendation on passphrase length. Just try to find a good balance between security and ease of use for you to set up and back up in the future.
4. Ledger Nano passphrase on Trezor & other wallets?
The passphrase is a security feature that you can find across all BIP39 wallets, and it is also supported by BIP44 wallets, including hardware wallets such as Trezor, Cobo Vault, Safepal etc. So you don’t have to worry about recovery.
Even if Ledger goes out of business or you lose your device, you can use any of these BIP39 wallets to recover both your standard and your secret hidden accounts. All those wallets support BIP39 12 word and 24 word recovery phrases along with a passphrase.
Learn how to import Ledger or Trezor seed on Electrum wallet. Choose BIP39, import the seed, select extend seed and enter your passphrase to access your hidden wallet. You can use Ledger’s passphrase protected wallet on most wallets just fine. But with Trezor there is a limitation. While Ledger supports a passphrase length of up to 100 characters, Trezor only supports a max passphrase length of 50 characters.
5. How to store the passphrase?
Safeguard your passphrase the same way you secured your 24 word recovery phrase. Write it down on a piece of paper and store it in a secure physical location. Never online.
Best practice is to keep the passphrase and the 24 word recovery phrase backup separately. With the two kept in separate locations, an attacker who finds one still does not have both, and both are needed to access your funds.
Passphrase on Ledger Nano S and Nano X
Before you set up and use passphrase protected accounts with your Ledger wallet, do note that it is an advanced feature. Make sure you fully understand it, because many people have locked themselves out by overcomplicating the setup.
We’ll show you in simple terms how to set up and restore Ledger with a passphrase. But if you find it difficult to understand, stick to your regular account and just use the 24 word backup recovery phrase.
Ledger Nano S & Nano X – Passphrase setup
Before you start we suggest you read all of the above to get familiar with how the passphrase functions. We also assume your Ledger device is ready and you have the 24 word recovery phrase backed up in a secure location. To manage both standard and hidden accounts you need the Ledger Live software installed on your PC. We hope you have that ready as well.
Ledger Nano S
- Connect your Ledger Nano S and enter your PIN code to unlock your wallet.
- Navigate to settings and hold both the buttons to open the settings menu. Again press both the buttons on settings and navigate to Settings >> Security >> Passphrase.
- Navigate past the warning and choose set up passphrase.
Ledger Nano X
- Connect your Ledger Nano X device to PC and enter PIN to unlock your wallet.
- Access control center by holding both the buttons.
- Next navigate to Settings >> Security >> Passphrase and choose setup passphrase.
Now you’ll find two options: “Attach to PIN” and “Set as temporary”. From here on it’s the same for both Ledger Nano S and Nano X.
Attach to PIN & Set as Temporary
Upon setting up a passphrase the Ledger device gives you 2 options: 1. Attach to PIN and 2. Set temporary. What is the difference between the “Set Temporary” and “Attach to PIN” configurations?
Attach to PIN: Aside from your regular PIN, which you use to unlock your standard account, you can set up a passphrase and attach it to a secondary PIN code that unlocks the passphrase-protected accounts.
But note that Ledger can only support 2 PINs. One is the primary PIN which you set up during the initial device setup. The other one is the secondary PIN for the passphrase.
If Regular PIN code: 1273 → Normal accounts
And Secondary PIN code: 9135 → Hidden accounts
Connecting Ledger and using PIN code 1273 will unlock your standard wallet. To access the hidden wallet, disconnect, then reconnect Ledger and use the secondary PIN 9135, which will let you access your hidden wallet.
Set temporary: With this setting you’ll have to enter the passphrase each time to access your hidden wallet.
So which setting to use? Set Temporary or Attach to PIN?
Passphrase: Attach to PIN or Set temporary?
Trezor actually supported the passphrase feature before Ledger, and its passphrase implementation is much more straightforward than Ledger’s approach.
On Trezor, Keepkey and other hardware wallets this is how you access your passphrase accounts. Connect the device, unlock it with your PIN, and it straight away asks you to enter the special passphrase. If you continue with no passphrase (blank) then you’ll access your regular wallet. If you use a passphrase then it’ll unlock the secret accounts. You’ll be entering the passphrase on a software interface.
But with Ledger for security reasons there is no keyboard typing involved. Passphrase can only be entered using the hardware interface.
Attach to PIN:
Since passphrases are quite long, entering one manually each time using the hardware interface can get quite complicated. For this reason the Attach passphrase to PIN option was provided, and it gives a more practical user experience.
You have to key in the passphrase on the device on only two occasions: 1. when you create a new passphrase wallet and 2. when you recover your old passphrase protected wallet. Just enter the passphrase and attach it to a PIN. Whenever you use Ledger, unlock it using the secondary PIN to directly access your hidden accounts.
Attaching the passphrase to a PIN is designed only for your convenience, so you can easily access your hidden wallet every time. But do note that Ledger only allows 2 PINs at a time: one primary PIN to unlock standard accounts and the secondary PIN to unlock hidden accounts.
So only one passphrase can be attached to a PIN. The passphrase that you enter will be stored on the device until the device resets or you overwrite it with another passphrase. If you add another passphrase and attach it to a new or existing PIN then you’ll overwrite both the previous passphrase and the secondary PIN code.
Also you might wonder about the security. The secondary PIN which you set up is only saved on your Ledger device. The device remembers it and keeps it safe. If you or someone else enters the wrong PIN three times then the device will factory reset.
Set Temporary, as the name suggests, is only for a single session. Once you disconnect the device the passphrase that you entered will be cleared.
Next time, to access the same account you’ll have to connect the device and unlock it using your PIN. Then navigate to Settings >> Security >> Passphrase >> Set Temporary and manually enter the passphrase. You’ll have to do this for each session.
Whether to use the Attach to PIN option or Set Temporary is completely up to you and how you wish to access your wallet in the future.
If you’ll be accessing your hidden wallet very often then attach it to a PIN. Otherwise just proceed with the set temporary option.
Whichever you use, make sure you have a backup of both the 24 words and the passphrase. Passphrases are case sensitive so remember to back up the *exact* passphrase. If you forget the passphrase you’ll lose your wallet, and if you mistype it you’ll unlock a completely different wallet. So store a physical backup of both the recovery phrase and the passphrase in a secure location. Also note that using the Recovery Check app you can verify your recovery phrase anytime, but not the passphrase.
First we suggest you set a temporary passphrase and verify the receiving address of your BTC or ETH using Ledger Live. Then disconnect Ledger and proceed with the attach to PIN option. Use the same passphrase you used before. After the setup verify the receiving address of your BTC and ETH and make sure it matches. Then you can proceed to use your hidden wallet.
Set temporary passphrase on Ledger Nano S / Nano X
Once you are at Settings >> Security >> Passphrase, choose set temporary from the passphrase menu and select set a passphrase. On Nano X press both the buttons to validate set secret passphrase.
You’ll now find three options: ?0 (includes numbers and symbols including space) | ab (small letters) | AB (for caps)
Navigate around and choose your secret passphrase.
Once done, select the tick symbol and confirm the passphrase. The next screen will display the passphrase you chose. Carefully write it down on a piece of paper.
Double tap to confirm passphrase and confirm with your current PIN. Now enter your primary PIN code to validate your passphrase. The device will process and display passphrase set message.
That’s it! Your device is now managing accounts protected by this passphrase.
Now open Ledger Live. Go to add accounts and choose BTC or ETH. Then open the app on your device and add the Bitcoin or Ethereum account.
After the account is added successfully rename the account as hidden for your own reference. By renaming you can differentiate and identify which one is a regular address and which one is a hidden account. Next click receive and copy the address to a notepad.
That’s it! Now eject your Ledger device. Don’t transfer any funds yet.
Attach to PIN on Ledger Nano S / Nano X
Connect Ledger and unlock using standard PIN. Navigate to Settings >> Security >> Passphrase and this time choose Attach to PIN option.
Now choose passphrase PIN. This is your secondary PIN and it should be different from your standard PIN. Choose secondary PIN code and re-enter PIN to confirm it.
After confirming the PIN, start to enter your passphrase. You can use any passphrase, but since we are testing how it works, use the same passphrase that you used with the temporary passphrase option. This way you can be sure that you got the right passphrase and are accessing the same hidden wallet.
After entering your secret passphrase click confirm passphrase. Your passphrase will be displayed on the next screen. Tap both the buttons to confirm it. Next confirm it with your current PIN, which is the standard PIN that you use to access your regular accounts.
The device will then process and display the passphrase set message.
Note: When the set temporary option is used, Ledger automatically switches over to the passphrase wallet after the passphrase is successfully set. But with the Attach to PIN option it continues to manage your regular accounts after completing the passphrase setup. To unlock the passphrase protected account this time, eject the device, reconnect it and key in your secondary PIN code.
Verify accounts / address
Plug in your Ledger and enter the secondary PIN which you just set. Then go to Ledger >> Accounts and choose the hidden Bitcoin or Ethereum account which you enabled. Next click receive and continue.
If you got the passphrase correct then it’ll display your address. It should match the one that you saved in notepad. If the passphrase is wrong then Ledger Live will display the following error message.
Something went wrong
Please check that your hardware wallet is set up with the recovery phrase or passphrase associated to the selected account.
That’s it! You are now basically managing two wallets on your Ledger Nano: one is your regular wallet and the other is your passphrase protected hidden wallet.
Using this method you can have several hidden accounts from the same wallet, that is with the same 24-word seed. But as we said, do not overcomplicate things, and do not activate this option if you are not sure you understand it.
Also, in Ledger Live you can remove the hidden account that is being displayed. If an attacker opens your Ledger application they should only see your regular account. You can re-add it whenever you wish to transfer funds. Re-adding the account only takes a few seconds.
Restore / Recover passphrase protected accounts
To restore your hidden accounts you need both the 24 word recovery phrase and your passphrase. Follow this guide https://coinguides.org/ledger-restore-recovery-phrase/ to restore Ledger from the recovery phrase. After it is restored, follow the above instructions to set a temporary passphrase or to attach it to a PIN.
We hope you’ve successfully learned to add a passphrase to your Ledger device.
For more such Ledger guides check out this page: https://coinguides.org/tag/ledger-nano/