Bitcoin Forum
Topic: Ledger S Passphrase 25th word
srichar3 (OP)
April 10, 2019, 09:01:45 AM
Merited by o_e_l_e_o (1)
 #1

I was reading that as an extra level of security you can add a 25th word to your passphrase, however when I look at the guide on the Ledger website it offers two options, set temporary passphrase or attach PIN. None of these seem to be adding an additional word to the passphrase from the descriptions. Am I missing something?

I'm new to the Ledger S and I don't want to do something without fully understanding the consequences.

Basically I want to protect my assets should my 24 word passphrase fall into the wrong hands. Both the options above talk about creating a new set of additional accounts which is not really what I'm trying to do.

Thanks

o_e_l_e_o
April 10, 2019, 09:37:12 AM
 #2

I think you might be confusing your 24 word seed phrase with a passphrase. These are not the same thing. While adding a passphrase can give you a total of 25 words, the passphrase is separate to your 24 word seed, and your seed doesn't become 25 words long after the addition of a passphrase.

Your 24 word seed phrase is made up of 24 words from the BIP39 word list, and is given to you upon initialization of your Nano S. You should have written it down and be storing it securely. It will allow you to restore your wallets to another Ledger device or any other compatible wallet should you lose access to your Nano S.

Your passphrase is a single additional word, sentence, or string of characters (up to 100 characters on Ledger devices), which grants you access to a new set of wallets/addresses. You can have as many different passphrases as you like, accessing as many different new sets of addresses as you like, all stored under your main 24 word seed.

The easiest way to do this on the Nano S is via "Set temporary passphrase". Let's say you have your Ledger already initialized, your 24 word seed written down and stored, your PIN set up, and a set of wallets installed. You now want to access a new and unique set of addresses protected by a passphrase. Go to "Settings" - "Security" - "Passphrase" - "Set temporary". Enter a secret passphrase twice, and then your PIN to confirm. You will now have access to a whole new set of unique addresses. To go back to your standard addresses you will need to disconnect and reconnect your Nano S, and you will have to go through the process I described above of entering your secret passphrase twice every time you wish to access your secret addresses. You can have as many different passphrases leading to as many different wallets as you like.
srichar3 (OP)
April 10, 2019, 09:45:59 AM
 #3

Hi thanks for the clarification, my main concern is how to securely store the seed so if I have an issue with the Nano S I can restore my wallets to another device but at the same time stopping anyone else from doing so if they get hold of it. If someone in the know came across my 24 word seed is this all they need to gain control of my wallets or would they still need the PIN I had set on my Nano S? or any other information?

Thanks
o_e_l_e_o
April 10, 2019, 09:52:38 AM
 #4

Quote
If someone in the know came across my 24 word seed is this all they need to gain control of my wallets
This is correct. A 24 word seed is all that is required to restore your keys to another device or software wallet and have complete control over the coins in your main addresses. The Nano S PIN is a local security measure - it protects physical access to your Nano S only.

If you have a passphrase, then the addresses behind that passphrase will still be protected even in the event of someone gaining access to your 24 word seed, provided they do not know your passphrase and it is complicated enough that they can't brute force it.
jerry0
April 10, 2019, 09:29:55 PM
 #5

Did you have to do this when you initialize the nano ledger s, or could you do this anytime afterwards? For example, I set up my nano ledger s a while back and wrote down the 24 word seed.

Can I add a 25th word now? Could I do this without having access to my 24 word seed? My 24 word seed is in another location, not here, so I don't have access to it.

Also, is this called a 25th word or phrase? So let's say your secret phrase is

I like piano

Then you confirm it twice?

So if someone has access to your 24 word seed, they still need to know your secret phrase

I like piano

in order to get access to your wallet? Thus having the 24 word seed is not enough? If that is the case, wouldn't it make sense for everyone to do this, because if the 24 word seed is exposed somehow, then they still need to know the 25th word or phrase?

Could I do this now on my nano ledger s if I do not have the 24 word seed in my location? I do not have access to it at the moment.
o_e_l_e_o
April 10, 2019, 09:53:14 PM
 #6

-snip-
You can add a passphrase at any time. Everything you have said following your first sentence is correct.

You can set up a passphrase without having access to your 24 word seed by following the instructions I outlined above or here: https://support.ledger.com/hc/en-us/articles/115005214529-Advanced-passphrase-security

Having the 24 word seed is not enough to access the wallets protected by the passphrase - you also need to know the passphrase.

The only downside is it is another point of failure - if you forget your passphrase, then all the accounts protected by it will be inaccessible forever.
jerry0
April 10, 2019, 10:01:44 PM
 #7

Hi, thanks for the response. So do most ppl do this with the nano ledger s? Would you recommend it? Here are my thoughts on it.

You write down the 24 word seed on paper and most likely write it in 1 or 2 or maybe 3 pieces right?

But do you write down the passphrase on it?

Because if you do, well anyone that gets physical access to it can get your wallet.

But if you don't, anyone with physical access cannot get your wallet.

The other issue is you have to remember it. But the other issue is if something happens to you, well you need the other person or persons who have access to your 24 word seed, the passphrase. Thus them having the 24 word seed is useless without the passphrase. So what is the best way to handle this situation?

The other thing is this. If that is the case, then could a hacker/thief try to bruteforce the passphrase? Or that's impossible? Because you are manually entering it on it as opposed to like a computer doing the work like trying to bruteforce an email address password? Because they have no idea how many words or letters are used right?

Let's say your passphrase is

I like piano

or

fish1million

I mean unless you put password or 123 or something really foolish, wouldn't that mean the passphrase is going to be very strong? Say they got the 24 word seed and need the 25th passphrase. They are going to have to manually enter that on the nano ledger s right?

So imagine it was a long sentence or a long word. I mean it could be something like zootopia100 or babylikestoeat. I mean isn't that going to be already so tough as long as it's not a really foolish word?
HCP
April 10, 2019, 10:39:00 PM
 #8

Quote
Hi, thanks for the response. So do most ppl do this with the nano ledger s? Would you recommend it? Here are my thoughts on it.
You keep asking "do most ppl do X?"... there is logically no way that anyone can definitively answer these questions... Roll Eyes

Also, you shouldn't necessarily do something, just because "most people do it"... ask the lemmings! Tongue


Quote
You write down the 24 word seed on paper and most likely write it in 1 or 2 or maybe 3 pieces right?
But do you write down the passphrase on it?  
Definitely NOT! That defeats the entire purpose of having the passphrase! Roll Eyes


Quote
Because if you do, well anyone that gets physical access to it can get your wallet.  
But if you don't, anyone with physical access cannot get your wallet.
Exactly!


Quote
The other issue is you have to remember it. But the other issue is if something happens to you, well you need the other person or persons who have access to your 24 word seed, the passphrase. Thus them having the 24 word seed is useless without the passphrase. So what is the best way to handle this situation?
That all depends on your situation and how you want to plan for the future... you can put passphrases in secure locations like safety deposit boxes or stored with trusted lawyers etc that are only able to be opened if you are dead/incapacitated etc. This obviously requires trusting other individuals/institutions...


Quote
The other thing is this. If that is the case, then could a hacker/thief try to bruteforce the passphrase? Or that's impossible? Because you are manually entering it on it as opposed to like a computer doing the work like trying to bruteforce an email address password? Because they have no idea how many words or letters are used right?
Correct... not only is the length and makeup of the passphrase unknown... but ANY passphrase used, will generate a "valid" wallet, that will generate "valid" addresses... so you don't get the instant "invalid password" error like you do when normally testing passwords. An attacker would therefore have to manually check every single wallet they generated (and then generate a set number of addresses for that wallet), and then scan the blockchain looking for these generated addresses to see if they had hit the right passphrase. The time necessary to do this greatly adds to the time required to successfully bruteforce a BIP39 passphrase.


Quote
Say they got the 24 word seed and need the 25th passphrase.  They are going to have to manually enter that on the nano ledger s right?
No. It's a standard BIP39/44 setup... this can definitely be scripted. The "btcrecover" scripts can be modified (relatively trivially) to do exactly this.


Quote
So imagine it was a long sentence or a long word. I mean it could be something like zootopia100 or babylikestoeat. I mean isn't that going to be already so tough as long as it's not a really foolish word?
"Standard" rules for generating a "strong" password apply... absolute minimum of 8 chars, although I'd probably recommend 10+... and a "random" mix of upper/lowercase, numbers and special characters. Use of "actual" words is discouraged.

jerry0
April 10, 2019, 10:57:35 PM
 #9

HCP thanks for answering all that.

I'm only confused with this.

Quote
Quote
Say they got the 24 word seed and need the 25th passphrase. They are going to have to manually enter that on the nano ledger s right?
No. It's a standard BIP39/44 setup... this can definitely be scripted. The "btcrecover" scripts can be modified (relatively trivially) to do exactly this.

Okay so let's say the nano ledger s got stolen. This person wants to get his bitcoin now.

With no ledger nano s, he would have to download electrum and enter the 24 word seed and the 25th phrase and then the btc shows in electrum wallet?

Now let's say this person buys a new ledger nano s to replace the old one that got stolen. He can enter the 24 word phrase on the nano ledger s and then the 25th phrase and now the btc will be restored in ledger live?
HCP
April 11, 2019, 03:42:57 AM
Merited by bones261 (3)
 #10

Quote
I'm only confused with this.
Quote
Quote
Say they got the 24 word seed and need the 25th passphrase. They are going to have to manually enter that on the nano ledger s right?
No. It's a standard BIP39/44 setup... this can definitely be scripted. The "btcrecover" scripts can be modified (relatively trivially) to do exactly this.
Okay so let's say the nano ledger s got stolen. This person wants to get his bitcoin now.
With no ledger nano s, he would have to download electrum and enter the 24 word seed and the 25th phrase and then the btc shows in electrum wallet?
Not necessarily Electrum... They could use ANY wallet capable of accepting BIP39 compatible seed mnemonics that supports BIP39 passphrases.

But to answer your question... Yes, if you put your Ledger 24 word seed mnemonic into a BIP39 compatible wallet... and then type in the BIP39 passphrase, you will see EXACTLY the same wallet/addresses/transactions as you would using the Ledger device and Ledger Live.


Quote
Now let's say this person buys a new ledger nano s to replace the old one that got stolen. He can enter the 24 word phrase on the nano ledger s and then the 25th phrase and now the btc will be restored in ledger live?
Yes, the same wallet/addresses/transactions will then show up in Ledger Live (assuming the user installs the Bitcoin app on the device, and adds the Bitcoin account into Ledger Live)

o_e_l_e_o
April 11, 2019, 11:36:15 AM
 #11

-snip-
The way you have worded this makes me unsure if you understand this important point: Any number of wallets can have the same set of addresses/keys from the same seed +/- passphrase active on them at the same time. If your device is stolen, the best course of action is to use your seed +/- passphrase to restore your addresses/keys on to any compatible wallet of your choice, and then transfer everything out of those addresses to a brand new set of addresses under a brand new seed +/- passphrase. Just because you have access to your coins doesn't exclude anyone else from also having access.
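
The derivation behind the replies above, as an added example that is not part of the thread or any poster's code: BIP39 turns the mnemonic plus passphrase into a seed with PBKDF2-HMAC-SHA512, so the same inputs give the same wallet in any compatible software, and every passphrase, including a mistyped one, opens some wallet without an error. `master_key_id` and `wallets_for` are hypothetical helper names, and the mnemonic is the public 12-word BIP39 test phrase rather than a real 24-word seed.

```python
import hashlib
import hmac
import unicodedata

PBKDF2_ROUNDS = 2048  # iteration count fixed by BIP39


def _nfkd(text: str) -> bytes:
    # BIP39 normalises both mnemonic and passphrase to NFKD before hashing.
    return unicodedata.normalize("NFKD", text).encode("utf-8")


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """64-byte BIP39 seed: PBKDF2-HMAC-SHA512(mnemonic, "mnemonic" + passphrase)."""
    return hashlib.pbkdf2_hmac(
        "sha512", _nfkd(mnemonic), _nfkd("mnemonic" + passphrase),
        PBKDF2_ROUNDS, dklen=64,
    )


def master_key_id(seed: bytes) -> str:
    """Short display label for the BIP32 master key derived from a seed."""
    node = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    master_private_key = node[:32]  # node[32:] is the chain code
    return hashlib.sha256(master_private_key).hexdigest()[:16]


def wallets_for(mnemonic: str, passphrases: list[str]) -> dict[str, str]:
    """Map each passphrase to the wallet it opens; none of them is rejected."""
    return {p: master_key_id(bip39_seed(mnemonic, p)) for p in passphrases}


# Constructed sample input: the public BIP39 test mnemonic, never a real wallet.
TEST_MNEMONIC = "abandon " * 11 + "about"

if __name__ == "__main__":
    # "" is the wallet with no passphrase; the others differ only by
    # letter case or a trailing space, yet each opens an unrelated wallet.
    candidates = ["", "I like piano", "i like piano", "I like piano "]
    for phrase, key_id in wallets_for(TEST_MNEMONIC, candidates).items():
        print(f"{phrase!r:18} -> master key {key_id}")
```

Because a mistyped passphrase opens a different, empty wallet rather than failing, confirm that a restore reproduces a known receiving address before relying on the backup.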