Author Topic: Electrum: Urgent question on seed phrase and pass phrase  (Read 296 times)
bmeyersbtc (OP)
July 16, 2021, 06:54:05 PM
#1

I have an Electrum wallet that has both a seed phrase and a passphrase. Now I mistakenly exposed my seed phrase to someone, but I still have my passphrase safe. My question is this: with only the seed phrase compromised, can someone send my bitcoins out of my Electrum wallet?

hosseinimr93
July 16, 2021, 07:01:59 PM
Last edit: July 16, 2021, 07:23:53 PM by hosseinimr93
#2

Anyone who has the seed phrase needs the passphrase too.
Without the passphrase, your seed phrase will generate completely different addresses.

Although it's not possible to access your funds without the passphrase, I recommend that you create a new wallet and move all your funds to it as soon as possible.
I don't know how complicated your passphrase is. But there's a probability that it can be brute-forced.

Edit:
As mentioned by jackg in the post below, if by passphrase you mean the password used for encrypting your wallet file or the password asked for when sending bitcoin, then the seed phrase is enough for spending your funds.
What I said above is true only if by passphrase you mean the custom words or characters you add to extend your seed phrase.

jackg
July 16, 2021, 07:05:21 PM
Merited by pooya87 (2), hosseinimr93 (1)
#3

TL;DR: just move the funds to a new wallet as soon as possible and when you feel up for it - not too tired to make a bad mistake.

Is the passphrase on the wallet or is it actually on the seed mnemonic?

If it's the mnemonic then it should be temporarily fine until you move the funds to a new wallet. If it's the passphrase it asks you for before sending funds that you haven't released then the other person might have access to your funds if they have a way to access the seed - if they just saw it then it's unlikely they memorised it.

bmeyersbtc (OP)
July 16, 2021, 07:26:53 PM
#4

> TL;DR: just move the funds to a new wallet as soon as possible and when you feel up for it - not too tired to make a bad mistake.
>
> Is the passphrase on the wallet or is it actually on the seed mnemonic?
>
> If it's the mnemonic then it should be temporarily fine until you move the funds to a new wallet. If it's the passphrase it asks you for before sending funds that you haven't released then the other person might have access to your funds if they have a way to access the seed - if they just saw it then it's unlikely they memorised it.

> Anyone who has the seed phrase needs the passphrase too.
> Without the passphrase, your seed phrase will generate completely different addresses.
>
> Although it's not possible to access your funds without the passphrase, I recommend that you create a new wallet and move all your funds to it as soon as possible.
> I don't know how complicated your passphrase is. But there's a probability that it can be brute-forced.
>
> Edit:
> As mentioned by jackg in the post below, if by passphrase you mean the password used for encrypting your wallet file or the password asked for when sending bitcoin, then the seed phrase is enough for spending your funds.
> What I said above is true only if by passphrase you mean the custom words or characters you add to extend your seed phrase.

For the new wallet, would it be wise to add 2fa to the new electrum wallet?

Charles-Tim
July 16, 2021, 07:34:32 PM
#5

> For the new wallet, would it be wise to add 2fa to the new electrum wallet?

To know more about 2fa enabled on Electrum, read this: TrustedCoin

There are fee charges while making transactions, which you can see in the link above. If you are okay with it, 2fa is another layer of protection, which is 2-of-3 multisig. Make sure you back up your 2fa; I will recommend open source ones like Aegis and andOTP. Back up your seed phrase, and know that your seed phrase is not stored in your Electrum wallet if it is a 2fa wallet.

It will be better to use Segwit addresses for low fees; the latest version, 4.1.4, is Segwit by default.

> If it's the mnemonic then it should be temporarily fine until you move the funds to a new wallet. If it's the passphrase it asks you for before sending funds that you haven't released then the other person might have access to your funds if they have a way to access the seed - if they just saw it then it's unlikely they memorised it.

I do not get this clearly; the passphrases I know are just two:

1. The BIP38 passphrase needed to encrypt a paper wallet
2. The mnemonic passphrase, which is also regarded as an extended word.


hosseinimr93
July 16, 2021, 07:37:33 PM
Last edit: July 16, 2021, 07:47:53 PM by hosseinimr93
#6

> For the new wallet, would it be wise to add 2fa to the new electrum wallet?

What do you want to achieve?

If you create a 2FA wallet, you will be asked to enter the 2FA code whenever spending bitcoin.
This will keep your funds secure in case your device is stolen or someone manages to access your wallet file.

Note that even if your wallet is 2FA, your seed phrase is enough for spending your bitcoin. If your seed phrase is compromised, your funds will be stolen.

Also note that, as stated by Charles-Tim, you will have to pay an additional fee to TrustedCoin (Electrum 2FA wallet provider).


> I do not get this clearly; the passphrases I know are just two:
>
> 1. The BIP38 passphrase needed to encrypt a paper wallet
> 2. The mnemonic passphrase, which is also regarded as an extended word.

jackg meant the password you use for encrypting the wallet file.
Since OP doesn't seem to have much information about Electrum, seed phrase, passphrase, etc., there's a probability that he is confusing password with passphrase.

bmeyersbtc (OP)
July 16, 2021, 07:43:20 PM
#7

> > For the new wallet, would it be wise to add 2fa to the new electrum wallet?
>
> What do you want to achieve?
>
> If you create a 2FA wallet, you will be asked to enter the 2FA code whenever spending bitcoin.
> This will keep your funds secure in case your device is stolen or someone manages to access your wallet file.
>
> Note that even if your wallet is 2FA, your seed phrase is enough for spending your bitcoin. If your seed phrase is compromised, your funds will be stolen.
>
> Also note that, as stated by Charles-Tim, you will have to pay an additional fee to TrustedCoin (Electrum 2FA wallet provider).

Yes, I want to secure it with the Google 2FA so that before sending btc I would enter both the passphrase and the 2fa, but my fear now is this: if I lose the 2fa then what? Is there a way to recover the 2fa in my electrum account?

Charles-Tim
July 16, 2021, 07:52:44 PM
#8

In my opinion, I do not think jackg is right, or maybe I am the person that is wrong. As I also commented above, the passphrases that I know are:

  • The BIP38 passphrase needed to encrypt a paper wallet
  • The mnemonic passphrase, which is also regarded as an extended word

I remember when I was using Coinomi (closed source, not recommended), I set a password which is always required before broadcasting a transaction, but this is not called a passphrase but a password. I have been using Electrum quite a while now; I make transactions without this type of password needed, while Electrum also does not support the BIP38 passphrase, which can be enabled using a paper wallet to encrypt the private key. So, it is clear enough that the OP is asking about the mnemonic, which you perfectly answered.

> Yes, I want to secure it with the Google 2FA so that before sending btc I would enter both the passphrase and the 2fa, but my fear now is this: if I lose the 2fa then what? Is there a way to recover the 2fa in my electrum account?

You only need the 2fa OTP code to make a transaction; the passphrase is not needed. Your passphrase is the mnemonic passphrase and is only needed along with the seed phrase during wallet recovery.

If you lose your seed phrase (and passphrase if included) and 2fa backup, you may lose your funds. Back up your seed phrase (and passphrase if included), which is most important because you will still be able to bypass the 2fa during wallet restoration.

hosseinimr93
July 16, 2021, 07:53:47 PM
Last edit: July 16, 2021, 08:45:44 PM by hosseinimr93
#9

> Yes, I want to secure it with the Google 2FA so that before sending btc I would enter both the passphrase and the 2fa, but my fear now is this: if I lose the 2fa then what? Is there a way to recover the 2fa in my electrum account?

So, by passphrase you meant the password you need when spending the funds. If that's the case, it seems that your seed phrase hasn't been extended by any passphrase.
The person who has access to your seed phrase is now able to spend the funds.

Now, let's go back to your question about 2FA.
If you lose 2FA, you can recover your wallet with your seed phrase.


> In my opinion, I do not think jackg is right, or maybe I am the person that is wrong. As I also commented above, the passphrases that I know are:
>
>   • The BIP38 passphrase needed to encrypt a paper wallet
>   • The mnemonic passphrase, which is also regarded as an extended word

You are 100% right.
The problem is that a newbie may confuse password with passphrase.
Just read the last post of OP. He is saying that he enters the passphrase when he wants to send bitcoin.

OP hasn't used any passphrase when creating the wallet.
He has only encrypted the wallet file with a password. Now he is calling that password a passphrase.

bmeyersbtc (OP)
July 16, 2021, 08:50:49 PM
#10

> So, by passphrase you meant the password you need when spending the funds. If that's the case, it seems that your seed phrase hasn't been extended by any passphrase.
> The person who has access to your seed phrase is now able to spend the funds.
>
> Now, let's go back to your question about 2FA.
> If you lose 2FA, you can recover your wallet with your seed phrase.
>
> > In my opinion, I do not think jackg is right, or maybe I am the person that is wrong. As I also commented above, the passphrases that I know are:
> >
> >   • The BIP38 passphrase needed to encrypt a paper wallet
> >   • The mnemonic passphrase, which is also regarded as an extended word
>
> You are 100% right.
> The problem is that a newbie may confuse password with passphrase.
> Just read the last post of OP. He is saying that he enters the passphrase when he wants to send bitcoin.
>
> OP hasn't used any passphrase when creating the wallet.
> He has only encrypted the wallet file with a password. Now he is calling that password a passphrase.

@Charles-Tim @hosseinimr93 Ok, so luckily, I was able to transfer my bitcoins to a new electrum wallet that I created with a password and an extended mnemonic seedphrase. My question: is this safe enough or would I have to create a new wallet with a password, extended mnemonic seedphrase AND also add 2FA?

@hosseinimr93 As for the passphrase that you mentioned, what do you mean exactly? Is this different from the seed phrase and the password?

hosseinimr93
July 16, 2021, 09:05:25 PM
#11

> I was able to transfer my bitcoins to a new electrum wallet that I created with a password and an extended mnemonic seedphrase. My question: is this safe enough or would I have to create a new wallet with a password, extended mnemonic seedphrase AND also add 2FA?

As long as no one has access to your seed phrase (a series of 12 words) and your passphrase (the words or characters you entered to extend your seed phrase), your funds are secure.


> @hosseinimr93 As for the passphrase that you mentioned, what do you mean exactly? Is this different from the seed phrase and the password?

The 12 words Electrum gave you are called the seed phrase.
The words or characters you added to your seed phrase when creating the wallet are called the passphrase.
What you need to enter when opening the wallet or sending bitcoin is called the password.

If you don't use any passphrase, the seed phrase is enough for recovering the wallet.
If you use a passphrase, for recovering the wallet, you need both seed phrase and passphrase.

Note that your password is stored locally and is used only for encrypting the wallet file.
Anyone who has access to the seed phrase (+passphrase if there's any) doesn't need the password.

bmeyersbtc (OP)
July 16, 2021, 09:50:15 PM
#12

> > I was able to transfer my bitcoins to a new electrum wallet that I created with a password and an extended mnemonic seedphrase. My question: is this safe enough or would I have to create a new wallet with a password, extended mnemonic seedphrase AND also add 2FA?
>
> As long as no one has access to your seed phrase (a series of 12 words) and your passphrase (the words or characters you entered to extend your seed phrase), your funds are secure.
>
> > @hosseinimr93 As for the passphrase that you mentioned, what do you mean exactly? Is this different from the seed phrase and the password?
>
> The 12 words Electrum gave you are called the seed phrase.
> The words or characters you added to your seed phrase when creating the wallet are called the passphrase.
> What you need to enter when opening the wallet or sending bitcoin is called the password.
>
> If you don't use any passphrase, the seed phrase is enough for recovering the wallet.
> If you use a passphrase, for recovering the wallet, you need both seed phrase and passphrase.
>
> Note that your password is stored locally and is used only for encrypting the wallet file.
> Anyone who has access to the seed phrase (+passphrase if there's any) doesn't need the password.

What if my system gets compromised and someone has access to the 12 word seed phrase BUT not the pass phrase (extension words), is it still safe? As for 2FA, I feel like I should add that for extra security, is it necessary? My concern for 2FA is if it goes missing, then what?

hosseinimr93
July 16, 2021, 10:09:12 PM
Last edit: July 16, 2021, 10:21:40 PM by hosseinimr93
#13

> What if my system gets compromised and someone has access to the 12 word seed phrase BUT not the pass phrase (extension words), is it still safe?

If your seed phrase has been extended by a passphrase, both seed phrase and passphrase will be needed.
Note that if the passphrase is simple, there's a probability that it can be brute-forced.


> As for 2FA, I feel like I should add that for extra security, is it necessary?

Even if your wallet is 2FA, anyone who has access to your seed phrase (+passphrase, if there's any) can steal the funds without any need for the 2FA code.


> My concern for 2FA is if it goes missing, then what?

You can disable 2FA using your seed phrase (+ passphrase, if there's any).
You can also keep the secret key in a safe place and recover the 2FA in the future.

Abdussamad
July 16, 2021, 11:55:40 PM
Merited by pooya87 (2)
#14

> > > I was able to transfer my bitcoins to a new electrum wallet that I created with a password and an extended mnemonic seedphrase. My question: is this safe enough or would I have to create a new wallet with a password, extended mnemonic seedphrase AND also add 2FA?
> >
> > As long as no one has access to your seed phrase (a series of 12 words) and your passphrase (the words or characters you entered to extend your seed phrase), your funds are secure.
> >
> > > @hosseinimr93 As for the passphrase that you mentioned, what do you mean exactly? Is this different from the seed phrase and the password?
> >
> > The 12 words Electrum gave you are called the seed phrase.
> > The words or characters you added to your seed phrase when creating the wallet are called the passphrase.
> > What you need to enter when opening the wallet or sending bitcoin is called the password.
> >
> > If you don't use any passphrase, the seed phrase is enough for recovering the wallet.
> > If you use a passphrase, for recovering the wallet, you need both seed phrase and passphrase.
> >
> > Note that your password is stored locally and is used only for encrypting the wallet file.
> > Anyone who has access to the seed phrase (+passphrase if there's any) doesn't need the password.
>
> What if my system gets compromised and someone has access to the 12 word seed phrase BUT not the pass phrase (extension words), is it still safe?

Both the seed and seed extension (passphrase) are stored in the wallet file, so if someone compromises your system and gets past your wallet password they will have everything they need to steal from you. They can get the wallet password by installing a key logger on your system so that when you enter the password it gets recorded and they can use it to decrypt the wallet file.

If you're worried about a system compromise then create a 2fa wallet or a multisig wallet. This way if one device is compromised the attacker can't steal from you. They have to compromise multiple devices.

You will have to create a new wallet with a fresh Electrum-generated seed if you want to use 2fa or multisig. Note that 2fa wallets can be recovered using the seed phrase, so that's how you get access to your coins in the event you lose your phone. In the case of 2fa wallets the seed is only displayed during the wallet creation process and is not stored in the wallet file. During normal use you need the services of TrustedCoin to cosign your 2fa wallet transactions, which they will do when you enter the correct OTP code from Google Authenticator.

HCP
July 17, 2021, 12:03:48 AM
#15

You can simplify it down to this... To be able to send bitcoins from, or recover, a "standard" wallet... a person would need:

- A copy of the wallet file + the wallet password, if any.
or
- 12 word seed phrase + the "seed extension words" (aka "passphrase"), if any.


To be able to send bitcoins from, or recover, a "2fa" wallet... a person would need:

- The wallet file + the wallet password, if any + Google Authenticator 2FA code
or
- 12 word seed phrase + the "seed extension words" (aka "passphrase"), if any.


Note that in both instances, as long as someone has the 12 word seed phrase + the "seed extension words"/passphrase (if used), then the wallet can be fully recovered and coins accessed... regardless of any wallet encryption passwords or 2fa.

So, if no seed extension/passphrase is used, then the 12 word seed phrase is all that is required for recovery and full access.


In the case of 2fa wallets, if you lose the 2fa device for whatever reason (ie. phone is wiped/broken/lost etc)... then if you don't have a backup of the 2fa "secret key", then the only guaranteed way to recover is using the 12 word seed (+ seed extension words). Note that while some users have had success in the past contacting TrustedCoin from the email address they originally used to sign up for the 2fa wallet and were able to get their 2fa key reset, this should NOT be counted on as a recovery method, as there is no guarantee that TrustedCoin will do so again in the future.

pooya87
July 17, 2021, 03:04:50 AM
#16

> What if my system gets compromised and someone has access to the 12 word seed phrase BUT not the pass phrase (extension words), is it still safe? As for 2FA, I feel like I should add that for extra security, is it necessary? My concern for 2FA is if it goes missing, then what?

In any scenario that your system is compromised and the attacker gains access to your 12 word seed phrase, it is safe to assume they can also gain access to your extension words, because you had a serious security flaw in your setup.
2FA in this case may not help you either since the same security flaws may be exploited to gain access to your 2FA also or your seed backup.

But in case that only your seed phrase is compromised and not the extension words, the attacker has to brute force those words and it could be possible depending on the entropy those extra words provided. For example simple known words (like password123) will not provide any security but a random and long passphrase could (like J7}mn3V-xy1x)

Coin-Keeper
July 17, 2021, 06:07:58 PM
#17

My vote on this is that you avoid 2FA requiring third party assistance to move coins. Not knowing what the future holds I believe it's better to maintain 100% self custody of your coins. Electrum using two computers, with one being cold/air gap is quite secure. By far the easiest for new users is to simply buy a hardware wallet. A Trezor One is about 50 dollars and will keep your SEED from ever being discovered by malware of any kind. Very easy! Connect the dots simplicity with either Electrum or the Trezor-Suite. Regardless of which way you choose to go, make sure to employ a "passphrase" of complex length. By passphrase I mean extended words (they don't have to be words at all, just digits, characters, etc.). Mine are 20+ digits ----> do it regardless of which hardware wallet you buy. Don't believe the hype that "our chip" cannot be hacked to get to the SEED. If you use a STRONG passphrase you could hand them your SEED and still sleep well at night (of course you wouldn't).

DireWolfM14
July 17, 2021, 10:14:11 PM
Merited by Abdussamad (2), hosseinimr93 (1)
#18

I get the sense that the OP has confused his "password" with "passphrase," and I'm not sure that jackg's warning was understood. Needless to say the funds need to be moved regardless of whether they're hidden behind a passphrase or not. The sooner the funds get moved the better.

As for the 2FA, I recommend you avoid it. The fees they charge (which allow you 20 transactions per fee paid) are more than the cost of a quality hardware wallet.

While I'm here I figure I'll take a stab at explaining the difference between "password" and "passphrase" as far as Electrum wallets are concerned:

The screenshot below shows how you create a password to encrypt the wallet file. The password will be needed to open the file, and send bitcoin. This is not to be confused with a "passphrase." The password will NOT protect your funds if the seed phrase has been compromised.


To create a bip39 "passphrase," or as it's referred to by Electrum, a "seed extension" you have to create (or enter) it by selecting the "options" button on the seed entry dialogue box:




The seed extension, or "passphrase" can be one or more words, a strong random password with letters, numbers, and symbols, or a combination.  This will change the HD wallet's addresses from those that are generated by the seed phrase alone.  If you have set a passphrase and your seed phrase is compromised your funds will be safe, although I wouldn't consider them safe for long.  Consider it as an additional safety measure to help buy you some time in case your seed does get compromised.



ETA:  Remember that the passphrase is as important to secure as the seed phrase.  If a passphrase is set, it will be required to restore the wallet in the future.  Just like the seed phrase, if the passphrase is lost, so are the funds.
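
Added example (not from any poster in this thread and not Electrum's own code): a Python sketch of the seed stretching behind the password/passphrase distinction explained in post #18 and the passphrase-strength remark in post #16. The sample phrase, the function names and the simplified text normalization are assumptions of this sketch.

```python
import hashlib
import math
import string
import unicodedata

PBKDF2_ROUNDS = 2048  # iteration count shared by Electrum and BIP39 seed stretching

# Constructed sample phrase for illustration only; it is not a valid wallet seed.
SAMPLE_PHRASE = "alpha bravo charlie delta echo foxtrot golf hotel india juliet kilo lima"


def _collapse(text: str) -> str:
    """NFKD-normalize and collapse whitespace (simplified normalization, an assumption)."""
    return " ".join(unicodedata.normalize("NFKD", text).split())


def electrum_seed(seed_phrase: str, extension: str = "") -> bytes:
    """Electrum-style stretching: the salt is b"electrum" + the seed extension.

    The wallet-file password is deliberately not a parameter: it only encrypts
    the file on disk and takes no part in deriving keys from the phrase.
    """
    phrase = _collapse(seed_phrase).lower().encode("utf-8")
    salt = b"electrum" + _collapse(extension).lower().encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", phrase, salt, PBKDF2_ROUNDS)


def bip39_seed(seed_phrase: str, passphrase: str = "") -> bytes:
    """BIP39 stretching: same PBKDF2, but the salt is b"mnemonic" + passphrase."""
    phrase = _collapse(seed_phrase).encode("utf-8")
    salt = b"mnemonic" + unicodedata.normalize("NFKD", passphrase).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", phrase, salt, PBKDF2_ROUNDS)


def random_keyspace_bits(passphrase: str) -> float:
    """Upper bound, in bits, on the search space of a passphrase.

    Only meaningful when the string was generated at random. A common choice
    such as "password123" sits in ordinary wordlists, so its real protection
    is far below the number returned here.
    """
    pools = (string.ascii_lowercase, string.ascii_uppercase,
             string.digits, string.punctuation)
    alphabet = sum(len(pool) for pool in pools if any(ch in pool for ch in passphrase))
    return len(passphrase) * math.log2(alphabet) if alphabet else 0.0


def compare(seed_phrase: str, extension: str) -> dict:
    """Show whether the same words with and without an extension give one wallet."""
    bare = electrum_seed(seed_phrase)
    extended = electrum_seed(seed_phrase, extension)
    return {
        "seed_without_extension": bare.hex()[:16],
        "seed_with_extension": extended.hex()[:16],
        "same_wallet": bare == extended,
        "extension_bits_if_random": round(random_keyspace_bits(extension), 1),
    }


if __name__ == "__main__":
    # The two passphrase examples quoted in post #16 of this thread.
    for ext in ("password123", "J7}mn3V-xy1x"):
        print(repr(ext), compare(SAMPLE_PHRASE, ext))
```

Every address in the wallet descends from the 64-byte value returned here, so a different extension yields an unrelated wallet, while the wallet-file password changes nothing about what the exposed words can recover.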

NotATether
July 18, 2021, 12:06:19 AM
#19

> Anyone who has the seed phrase needs the passphrase too.
> Without the passphrase, your seed phrase will generate completely different addresses.

But now somebody can brute-force the extended words of the seed phrase. True, the existing bitcoin wallet crackers, such as hashcat and btcrecover, do not support this kind of recovery with seed phrase input at this time, but a) the seed phrase can always be sold on the darknet, and b) it could end up with someone who has a custom tool for solving this kind of stuff.

The last thing you want to happen to you is having your seed phrase end up on Google Search. It is NOT safe to continue using it, not even with an additional password or 2FA. I recommend moving all your funds out immediately before they get stolen.

ranochigo
July 18, 2021, 03:25:14 AM
 #20

> My vote on this is that you avoid 2FA requiring third party assistance to move coins.  Not knowing what the future holds I believe it's better to maintain 100% self custody of your coins.

Not a big fan of TrustedCoin but that isn't true. You're still maintaining 100% custody of your coins with 2FA since it is a 2-of-3 multisig and you hold 2 of the keys while they hold a single key. They cannot do anything without your approval but you can spend the coins as and when you wish, provided that you have access to your seeds. I'd argue that 2FA provides a marginal increase in security and I agree that an airgap setup would be vastly more secure than 2FA.

Quote from: NotATether
> But now somebody can brute-force the extended words of the seed phrase. True, the existing bitcoin wallet crackers, such as hashcat and btcrecover, do not support this kind of recovery with seed phrase input at this time, but a) the seed phrase can always be sold on the darknet, and b) it could end up with someone who has a custom tool for solving this kind of stuff.
>
> The last thing you want to happen to you is having your seed phrase end up on Google Search. It is NOT safe to continue using it, not even with an additional password or 2FA. I recommend moving all your funds out immediately before they get stolen.

Your seed is designed to allow the user to access the coins with the seed only in the case of 2FA.

It depends on the passphrase. If your passphrase is long and random enough, there is very little chance someone would ever be able to bruteforce it. I don't think Electrum limits the length of the passphrase. If it is long enough, then it would be equivalent to bruteforcing without any prior information.

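How the passphrase (seed extension) discussed in the posts above enters key derivation, as an added example that is not part of any post and not Electrum's own code: the seed phrase and passphrase are stretched together with PBKDF2-HMAC-SHA512 (2048 rounds), so any change to the passphrase yields an unrelated seed and therefore unrelated addresses. The function names are hypothetical, text normalization is simplified, word-list and checksum validation is skipped, and the mnemonic is the public BIP39 test vector.

```python
import hashlib
import math
import unicodedata

PBKDF2_ROUNDS = 2048  # iteration count used for both BIP39 and Electrum seeds


def derive_seed(mnemonic: str, passphrase: str = "", scheme: str = "bip39") -> bytes:
    """Stretch seed phrase + passphrase into the 64-byte seed all keys come from."""
    # Simplified normalization (assumption): NFKD, single spaces between words.
    # Electrum's own normalization does more; checksum/version checks are skipped.
    words = " ".join(unicodedata.normalize("NFKD", mnemonic).split())
    prefix = {"bip39": "mnemonic", "electrum": "electrum"}[scheme]
    salt = prefix + unicodedata.normalize("NFKD", passphrase)
    return hashlib.pbkdf2_hmac(
        "sha512", words.encode("utf-8"), salt.encode("utf-8"), PBKDF2_ROUNDS
    )


def min_random_length(target_bits: int, alphabet_size: int) -> int:
    """Uniformly random characters needed to reach target_bits of entropy."""
    return math.ceil(target_bits / math.log2(alphabet_size))


# Public BIP39 test-vector mnemonic (never use it for real funds).
TEST_MNEMONIC = "abandon " * 11 + "about"

if __name__ == "__main__":
    for scheme in ("bip39", "electrum"):
        for pw in ("", "TREZOR", "trezor"):
            seed = derive_seed(TEST_MNEMONIC, pw, scheme)
            print(f"{scheme:8} passphrase={pw!r:9} seed={seed.hex()[:16]}...")
    # A 12-word BIP39 phrase carries 128 bits of entropy. A passphrase with at
    # least that much randomness leaves someone who holds the phrase no better
    # off than someone who holds nothing.
    for name, size in (("lowercase letters", 26), ("printable ASCII", 94)):
        print(f"{name}: {min_random_length(128, size)} random characters")
```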