Did you know that you can create hidden wallets in your Trezor? A passphrase enables hidden wallets and is the ultimate protection for your Trezor wallet. Learn how to protect your hardware wallet accounts using a passphrase.
Both Trezor devices (Model One and Model T) give you the option to create a passphrase, and they allow a passphrase length of up to 50 characters. If you haven’t set a passphrase yet on your Trezor device or don’t know what it is, the following guide is for you.
But wait! Why would I want to use the passphrase feature? Isn’t my Trezor device secure enough? Sure, it is. Your standard wallet that is accessible without a passphrase is secure enough. But the passphrase is an advanced feature that provides extra security and also allows you to create hidden wallets.
Passphrases basically serve two functions: 1. They act as two-factor protection for your recovery seed, and 2. With a hidden wallet, they give you the ultimate protection against physical attacks that involve access to your device or the recovery seed.
Just a few posts ago, we made a guide explaining how to set up a passphrase on Ledger. The same article also explains how passphrases and hidden wallets work. Similar to that guide, let’s see how to set up passphrase protection on a Trezor wallet to increase security.
Enabling passphrase protection, or setting up the 25th word, on a Trezor hardware wallet is simple. Just enable the passphrase setting; after activating it you’ll be prompted to enter the passphrase whenever you access the device. You can have as many passphrase-generated wallets as you want.
Now before we see how to use passphrase on Trezor to create hidden wallets let’s first understand the basics.
Recovery Seed, PIN & Passphrase?
To better understand how to secure your cryptocurrencies you need to know the basic security features used by your hardware wallet.
There are three important elements: the 12 or 24 word recovery seed, the PIN and the passphrase. Among them the recovery seed is the most critical element of your wallet. To keep the device safe from unauthorized access you can use a strong PIN. To encrypt your recovery seed words and to protect them from physical attack you can use a passphrase.
The recovery seed, or mnemonic seed, is a unique sequence of 12 or 24 words that is securely generated inside your Trezor when you first set up the device. This is a BIP39 implementation, which is pretty much the industry standard.
The 12 or 24 word recovery seed which is securely generated by your Trezor is very important. It is your only primary backup. You need to ensure that these words are kept secret and safe.
If your device gets broken or is lost, you can use your recovery seed to restore your wallet. You don’t need a Trezor device specifically for this. You can use pretty much any wallet that supports the same BIP39 standard, and there are many that do. Check out the list of BIP39 wallets to know more.
The 12 or 24 word recovery seed is your master key that creates a unique set of private keys. The private keys are what is used to sign transactions. The public keys, which generate addresses, are also derived from your recovery seed.
So if you lose the recovery seed you’ll not be able to sign transactions and you’ll lose access to your wallet completely. Also, if someone gets to know your seed words they can fully access your wallet and steal your funds. This is why you need to keep your recovery phrase in a safe and secure physical location.
Just like how you use PIN for your credit card, the hardware wallet PIN protects your device from being used by unauthorized individuals.
When you set up the Trezor device initially it generates the mnemonic seed. After you write it down and secure it, the next step is to set up a PIN for your device.
The PIN is a number combination composed of the digits 1 to 9, and it can be up to 10 digits long. We recommend using a PIN that is more than 5 digits long and known only to you. Don’t use PINs that are easily guessable.
Trezor uses a malware-proof PIN entry method so you can safely enter the PIN even on a computer that is infected with a virus or malware key-loggers. Only a PIN matrix with dots is shown on your computer screen. The PIN layout and the placement of numbers are displayed on your Trezor device. The PIN layout is randomly shuffled whenever you plug in your Trezor. You need to enter your PIN each time to access your device.
The PIN protects your Trezor device from being used by people around you. Make sure the PIN is safe and nobody else knows it. However, if you forget your PIN, no problem! You can always use your recovery phrase and restore your wallet completely.
The numeric PIN that you set is device-specific. It protects your Trezor device from being used by others. Whereas passphrase is wallet / seed specific. It protects your recovery seed/wallet from being used.
The passphrase is an advanced feature that is completely optional. Once you enable and use a passphrase, you’ll be asked to enter it along with your numeric PIN whenever you connect your Trezor device.
Unlike the 12 or 24 word recovery seed which is randomly generated by your device, the passphrase is chosen by you. Using passphrase creates a new hidden wallet which generates a new set of accounts and is forever tied to your backup recovery seed. Trezor combines your own input (passphrase) with the already existing recovery seed and computes a new wallet.
A passphrase can be a word, a set of letters or even a sentence, and Trezor supports passphrases up to 50 characters long. Think of the passphrase as a way to extend your 24 word recovery seed. For this reason it is also often called the “25th seed word”.
When you use a passphrase (the 25th word), all your wallet accounts, addresses, key pairs and other secrets are derived from the passphrase too. Without the passphrase you’ll not be able to access your hidden wallet. Just as you backed up your recovery seed, you also need to back up your passphrase.
But unlike the recovery seed, which is remembered by your device, the passphrase is never saved locally or remembered by the device. You need to enter it every time to access your passphrase-protected hidden wallet.
Also note that passphrases are case sensitive and there is no such thing as an incorrect passphrase. Each passphrase generates a different wallet.
By default you are accessing your Trezor wallet with an “empty” passphrase (an empty string “” is used). It’s the original seed-only wallet and the standard account. Connect your Trezor, enter the PIN and proceed without entering a passphrase to access the seed-only wallet.
Simply put, your standard account is accessible without a passphrase, whereas the hidden accounts you created are only accessible when you use the right passphrase. The standard and hidden wallets have completely different sets of accounts. You can switch between the accounts and you can also transfer coins between your standard and hidden wallet anytime. The transaction happens on-chain.
Passphrase security benefits
The passphrase is a standard implementation used across the industry. Most hardware wallets such as Ledger, Trezor and KeepKey support it.
It’s an advanced feature used to protect your wallet accounts against unauthorized access.
Unlike the PIN, which is changeable and is stored on the chip, the passphrase is not stored anywhere. The PIN protects your physical device from being accessed, whereas the passphrase protects your recovery seed from being used. Passphrases act like a “second-factor” authorization for your recovery phrase.
So if someone gets hold of your recovery phrase they’ll not be able to access your hidden accounts. They’ll need both the recovery phrase and the passphrase to access them. Even if a hacker hacks your Trezor device they’ll only be able to extract the seed and not the passphrase, as it is not stored anywhere. This greatly enhances your device security.
The ability to create new secret hidden wallets gives you plausible deniability. There is no limit on passphrases: by using different passphrases you can create any number of hidden wallets in combination with your recovery seed. For added security you can consider creating a spoof account or “decoy wallet” and leaving some pocket change in it.
Passphrases also let you segregate funds, which helps in organizing your accounts. For example, you can use your unprotected seed-only wallet for smaller everyday transactions and a passphrase-protected account to store your low-value coins. Then keep a moderate chunk of coins on another one and your life savings on a completely different passphrase account. This way you are also protecting the majority of your wealth during a physical attack.
Tip: Keep a physical backup of your passphrase separate from the recovery phrase. Do not store both in the same location. You can also consider a memorable passphrase and set up reminders every few months to remind you of your passphrase.
Here are some of the key features of passphrase that you need to know before you set one.
Trezor passphrase – key aspects
1. On top of your 24 word recovery seed you can create and manage as many hidden wallets as you wish. There is no limit on the number of passphrase-protected wallets that you can create.
2. Passphrases are not stored on your Trezor device and they cannot be recovered. Like the PIN, you have to manually enter the passphrase each time to access your hidden wallet.
3. There is no such thing as an incorrect passphrase, so there will be no error message to indicate that you mistyped it. Entering the wrong passphrase will still create a new secure wallet, and every incorrect passphrase leads you to an empty wallet.
4. A passphrase can be a single character, a word, a set of characters or a sentence. While most wallets support up to 100 characters, Trezor only supports a passphrase length of up to 50 characters (50 bytes long / 50 ASCII characters).
5. Passphrases are case-sensitive. Lowercase and uppercase characters are distinguished and counted as different, and spaces are also counted as valid characters. So make sure the passphrase that you’ve backed up is correct and is exactly as you created it in the first place.
6. To recover your passphrase-protected hidden wallets you need both the recovery phrase and the passphrase. Neither can be used without the other. Make sure you have a backup of both the recovery phrase and the passphrase in a safe and secure location.
How to setup passphrase on Trezor – Model One & Model T
With a passphrase you are basically creating hidden wallets without generating a new recovery phrase or using a secondary hardware wallet.
The passphrase feature is available on both Trezor Model One and Trezor Model T. To set up a passphrase on your Trezor device, all you need to do is enable the passphrase feature in the device settings and enter your preferred passphrase whenever you plug in the device.
Now before you set one we want you to fully understand the risks. Remember that passphrases are case sensitive and spaces also count as characters.
For example, “Passphrase”, “pass phrase”, “passphrase” and “pass-phrase” are 4 different passphrases, and each of them will generate a completely different, unique set of wallets. If you are using a passphrase, the only way to access your hidden accounts is by entering every character exactly as before. If you forget or lose your passphrase then you’ll lose access to your wallet.
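The derivation behind these four spellings, as an added illustration that is not from the original article or from Trezor's code: BIP39 stretches the recovery words plus the passphrase into a 64-byte seed with PBKDF2-HMAC-SHA512, so every spelling yields a valid but different wallet and nothing can report a typo. The mnemonic is the public all-"abandon" test phrase, `backup_warnings` and `wallet_fingerprints` are hypothetical helper names, and the 50-byte limit is the one this article states.

```python
import hashlib
import unicodedata

# Constructed sample: the public BIP39 test mnemonic. Never send funds to it.
SAMPLE_MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
                   "abandon abandon abandon abandon abandon about")
TREZOR_MAX_BYTES = 50  # limit as stated in this article


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed: PBKDF2-HMAC-SHA512 over the words, salted with
    "mnemonic" + passphrase, 2048 rounds, 64 bytes out."""
    words = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048, dklen=64)


def backup_warnings(passphrase: str) -> list:
    """Reasons a passphrase will not fit the device or is easy to mistype later."""
    issues = []
    if len(passphrase.encode("utf-8")) > TREZOR_MAX_BYTES:
        issues.append("longer than 50 bytes")
    if not passphrase.isascii():
        issues.append("non-ASCII characters")
    if passphrase != passphrase.strip():
        issues.append("leading or trailing space")
    return issues


def wallet_fingerprints(mnemonic: str, passphrases) -> dict:
    """Map each passphrase to the first 8 bytes (hex) of the seed it derives."""
    return {p: bip39_seed(mnemonic, p)[:8].hex() for p in passphrases}


if __name__ == "__main__":
    # "" is the standard (seed-only) wallet; the rest are the article's spellings.
    spellings = ["", "Passphrase", "pass phrase", "passphrase", "pass-phrase"]
    for p, fp in wallet_fingerprints(SAMPLE_MNEMONIC, spellings).items():
        print(f"{p!r:14} -> seed {fp}...  warnings: {backup_warnings(p)}")
```

Running the same check against your written backup before funding a hidden wallet catches a stray space or an over-long phrase while it is still cheap to fix.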
We recommend using this feature only when you fully understand how it works and feel confident using it. Be cautious, because it may turn against you when used carelessly.
Alright! Let’s set up the passphrase.
Enabling passphrase protection
The procedure for enabling passphrase protection is the same for both Trezor Model T and Trezor Model One.
We assume you have Trezor Suite installed on your PC. Always verify the Trezor Suite signatures when you are downloading it for the first time. We are also assuming that your Trezor device is ready and you have the mnemonic seed phrase backed up in a secure location. You can add passphrase protection on top of your default wallet anytime.
By default, passphrase protection is disabled on your Trezor device. You can enable it in the settings anytime.
First open Trezor Suite, then plug in your Trezor device and unlock it. Next, in Trezor Suite, click on the gear wheel icon at the top right corner to open the settings menu. Now navigate to settings >> device. Scroll down and under security settings you’ll find the passphrase feature. Toggle on the passphrase feature to enable passphrase protection on your device.
Enable passphrase protection and confirm passphrase encryption on your device. Once done, disconnect and then reconnect Trezor.
Now, after entering the device PIN, you’ll see the option to choose the wallet. Select standard wallet to access your original “seed only” wallet.
To use a passphrase, choose hidden wallet and enter your preferred passphrase into the dialogue, which will generate a new hidden wallet for you.
Tip: Make sure that you’ve set the correct keyboard layout. Check caps lock, and when typing the passphrase click on “show passphrase” on the interface so that you can see exactly what you’re typing. Write down the passphrase you type on a piece of paper and back it up safely.
After entering the passphrase, follow the on-screen instructions on your Trezor screen. It’ll grant you access to the hidden wallet, and your device also displays the passphrase which you’ve entered. Make sure to verify it and back it up exactly as it is on the screen.
Verify and click confirm to access the hidden wallet. That’s it. From now on you can use your passphrase to access your hidden wallet.
Besides Trezor Suite, you can also use alternatives such as Electrum to access your hidden wallets. Learn how to access standard and hidden accounts of Trezor on Electrum wallet.
How to setup a strong enough passphrase?
There are various approaches to creating a good passphrase for your wallet. You need to find a good balance between ease of use, security and memorability. You can use something that is quick to type but not so easy to remember. Or you can use a sentence that takes longer to enter but is easy to remember.
You can also refer to the BIP39 word list and make up a sequence of random words for your passphrase. Besides English you can also use Japanese, Korean, Spanish, Chinese (Simplified), Chinese (Traditional), French, Italian, Czech and Portuguese.
Check out the bip-0039-wordlists on GitHub: https://github.com/bitcoin/bips/blob/master/bip-0039/bip-0039-wordlists.md
Also, for ideas on how to choose a strong passphrase we suggest you read this Trezor post: https://blog.trezor.io/is-your-passphrase-strong-enough-d687f44c63af
Recovering a passphrase-protected account
As we said, Trezor is not the only wallet to support this feature. It is the standardized recovery implementation that is used by almost every wallet.
If your Trezor hardware wallet is lost or damaged, you can use a spare hardware wallet. Even if Trezor disappears and no longer provides support in the future, you can use other compatible wallets to recover your existing accounts.
All you need to do is import the recovery seed. After you load the seed, enable the passphrase feature in your device settings. Then enter the same passphrase that you were using previously to access the hidden wallet.
That’s it! Your passphrase protected hidden wallet is fully recovered.
Remember, the recovery seed of your wallet is the same for both your standard and your hidden accounts. To recover the standard wallet you only need the 24 word recovery phrase, whereas to recover your hidden wallet you need both the 24 word recovery phrase and the passphrase you’ve chosen.
Okay, but what if I already have money in my wallet? Can I still use a passphrase? Sure, the passphrase creates a new hidden wallet for you on top of your current wallet. You can access both your standard (seed-only) and hidden wallet anytime, and you can also transfer funds between the accounts you manage.
We hope we’ve cleared up everything regarding the passphrase. Now you know how to set up a passphrase on Trezor and effectively manage your hidden accounts.
If you have any questions, ping us in the comments section. We’ll help you out.