Why doesn't every hardware wallet support two-factor seed phrases?

[Titanium99]

As I've been trying to get more educated on bitcoin, I came across this wiki link on seed phrases.

https://en.bitcoin.it/wiki/Seed_phrase

Seed phrases, like all backups, can store any amount of bitcoins. It's a concerning idea to possibly have enough money to purchase an entire building with the key just sitting on a sheet of paper without any protection. For this reason many wallets make it possible to encrypt a seed phrase with a password.

The password can be used to create a two-factor seed phrase where both "something you have" plus "something you know" is required to unlock your bitcoins.

This works by having the wallet creating a seed phrase and asking the user for a password. Then both the seed phrase and extra word are required to recover the wallet. Electrum and some other wallets call the passphrase a "seed extension", "extension word" or "13th/25th word". The BIP39 standard defines a way of passphrase-protecting a seed phrase. A similar scheme is also used in the Electrum standard. If a passphrase is not present, an empty string "" is used instead.

Warning! Forgetting this password will result in the bitcoin wallet and any contained money being lost. Do not overestimate your ability to remember passphrases especially when you may not use it very often. Also, the seed phrase password should not be confused with the password used to encrypt your wallet file on disk. This is probably why many wallets call it an extension word instead of a password.

It got me thinking...

1. Why doesn't every hardware wallet support the use of a seed phase + password?  It seems like a really simple way to add a layer of protection in case the seed phrase you've written down is discovered. Right now, written seed phrases are like writing your bank account and log-in credentials on a piece of paper and hoping nobody finds it.

2. Do modern hardware wallets like the Ledger Nano S Plus, Nano X, Trezor, etc. already support applying a password to seed phrases? Is it just a feature that's hidden and not promoted that much?

[1714797527]

1714797527

[1714797527]

1714797527

[1714797527]

1714797527

[LoyceV]

1. Why doesn't every hardware wallet support the use of a seed phase + password?

The question doesn't make sense. Different manufacturers can make different choices.

It seems like a really simple way to add a layer of protection in case the seed phrase you've written down is discovered.

It also adds an additional risk factor: forgetting the password means losing your money.

I see two main reasons for using a password on top of your seed words:

• To ensure the data can't be hacked by someone who gains physical access to your hardware wallet.
• To have plausible deniability in case of a $5 wrench attack.

[Titanium99]

There are definitely tradeoffs to consider. Losing your password is one more vector to lose your coins, but then again having someone find your seed phrase without a password protecting it leads to the same outcome. I've just never hear anyone talk about adding a password to your seed phrase when dealing with hardware wallets.

That said, I did come across this thread that shows it's possible to add a 25th word on the Nano S, for example. Maybe it's just an issue of discoverability/promotion...

https://bitcointalk.org/index.php?topic=5283562.0. 

[o_e_l_e_o]

I've not read that particular wiki page before, but it is very poorly written.

It interchangeably uses the words password and passphrase. Better to define them and then keep them separate. When talking about extra words added to your seed phrase, most people would call that a passphrase, and reserve the word password to mean the password you type in to your wallet software to unlock it.

Also, passphrases do not encrypt your seed phrase in any way. Your seed phrase remains entirely unencrypted and readable in plain text. What they do is change the process by which you derive your root seed number and then the rest of your wallet from that seed phrase.

"Something you know" is just plain bad advice. You should not rely on remembering any passphrases you use. You should back them up on paper separately to your seed phrase.

If a passphrase is not present, PBKDF2 does not use an empty string. It uses the word "mnemonic" in the case of BIP39, or the word "electrum" in the case of Electrum.

But on to your questions:

1 - Most good hardware wallets do.

2 - Yes. Both Ledger and Trezor devices support the use of passphrases.

It is a very good feature and I make use of it on almost all of my wallets.

[Titanium99]

Thank you for your thoughtful reply, o_e_l_e_o.

As I get deeper into this, I'm realizing there's so much bad and/or only partially accurate information out there...I'm going to make an effort to spend more time here learning from this community going forward.

[HeRetiK]

https://en.bitcoin.it/wiki/Seed_phrase

[...]

The password can be used to create a two-factor seed phrase where both "something you have" plus "something you know" is required to unlock your bitcoins.

[...]

These days two-factor is usually referring to the usage of a separate device in addition to a password, with "something you have" being e.g. a mobile phone with an app or a dedicated hardware dongle and "something you know" being the password. The reason I'm pointing this out is because there is (was?) a way to set up two-factor (2FA) wallets with Electrum, but this requires the involvement of a third party which I wouldn't recommend. Just a heads up so you don't mix these things up.

2. Do modern hardware wallets like the Ledger Nano S Plus, Nano X, Trezor, etc. already support applying a password to seed phrases? Is it just a feature that's hidden and not promoted that much?

Trezor used to mainly advertise this feature as a way to hide wallets. They actually still mention it as a security feature on their homepage too. Not sure why Ledger doesn't seem to advertise it as much.

If a passphrase is not present, PBKDF2 does not use an empty string. It uses the word "mnemonic" in the case of BIP39, or the word "electrum" in the case of Electrum.

I just looked this up because I found it interesting. The word "mnemonic" is prepended regardless of whether an additional passphrase is defined, so if you use the passphrase "satoshi" a strictly BIP39 compliant wallet will use the phrase "mnemonicsatoshi".

Code:

@classmethod
    def to_seed(cls, mnemonic: str, passphrase: str = "") -> bytes:
        mnemonic = cls.normalize_string(mnemonic)
        passphrase = cls.normalize_string(passphrase)
        passphrase = "mnemonic" + passphrase
        mnemonic_bytes = mnemonic.encode("utf-8")
        passphrase_bytes = passphrase.encode("utf-8")
        stretched = hashlib.pbkdf2_hmac(
            "sha512", mnemonic_bytes, passphrase_bytes, PBKDF2_ROUNDS
        )
        return stretched[:64]

[larry_vw_1955]

If a passphrase is not present, PBKDF2 does not use an empty string. It uses the word "mnemonic" in the case of BIP39, or the word "electrum" in the case of Electrum.

so everyone really has a password then even if they don't think they do. 

[ranochigo]

The reason I'm pointing this out is because there is (was?) a way to set up two-factor (2FA) wallets with Electrum, but this requires the involvement of a third party which I wouldn't recommend. Just a heads up so you don't mix these things up.

Barring privacy concerns, there isn't much issues with using TrustedCoin as 2FA. But even that is a pretty weak argument; using Electrum alone already means sacrificing a huge part of your privacy. It still does provide some security to your wallet, albeit not as significant as a cold wallet.

Most people associated 2FA with a rotating token which narrows the window for your attackers to act with that window. None of the wallet allows this without the participation of the third-party. Additional passphrase doesn't really work because no one should be required to remember anything related to their seeds, potential risks includes $5 wrench attacks, loss of memory, etc. If you want to secure your seeds properly, consider splitting them up into multiple locations. This would prevent the attacker from being able to get your entire seed without going through multiple barriers.

[o_e_l_e_o]

As I get deeper into this, I'm realizing there's so much bad and/or only partially accurate information out there...I'm going to make an effort to spend more time here learning from this community going forward.

I've certainly found the technical boards on this forum to be one of the best sources for accurate information. Stackexchange is another good resource. Reddit is very hit or miss, and often completely wrong posts are upvoted to the top. Youtube and other platforms used by crypto "influencers" are just a complete mess and should be completely avoided, except for one or two notable exceptions such as Andreas Antonopoulos.

Trezor used to mainly advertise this feature as a way to hide wallets. They actually still mention it as a security feature on their homepage too.

Since the revelation that an attacker with physical access to a Trezor hardware wallet is able to extract the seed phrase, it should be mandatory to use a strong passphrase on every wallet you are using on a Trezor device.

I just looked this up because I found it interesting. The word "mnemonic" is prepended regardless of whether an additional passphrase is defined, so if you use the passphrase "satoshi" a strictly BIP39 compliant wallet will use the phrase "mnemonicsatoshi".

Correct. This is defined in the original BIP39 documentation: https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki#from-mnemonic-to-seed

so everyone really has a password then even if they don't think they do. 

Passphrase, not password, but essentially yes. If you don't enter a passphrase for a BIP39 wallet, the string "mnemonic" is still used as a salt for PBKDF2.

[larry_vw_1955]

so everyone really has a password then even if they don't think they do. 

Passphrase, not password, but essentially yes. If you don't enter a passphrase for a BIP39 wallet, the string "mnemonic" is still used as a salt for PBKDF2.

when something is a single word, it is a password. if it consists of multiple words separated by spaces in between then it becomes a passphrase. so i guess in general it is a passphrase but it could just be a password...

[o_e_l_e_o]

when something is a single word, it is a password. if it consists of multiple words separated by spaces in between then it becomes a passphrase. so i guess in general it is a passphrase but it could just be a password...

BIP39, which defines the standard for using a passphrase in an HD wallet, calls it a passphrase. For the sake of avoidance of confusion it is better to call it a passphrase and not a password, regardless of its actual length or composition, in order to differentiate it from the local passwords you use to unlock your wallets.

Further, calling it a passphrase helps to make it clear that it shouldn't just be a single word. Ideally you want it to be long and complex enough so that if your seed phrase is compromised, the passphrase still provides enough of a barrier against brute force attacks to keep your wallet safe. A single word does not achieve this.

[dkbit98]

Why doesn't every hardware wallet support the use of a seed phase + password?  It seems like a really simple way to add a layer of protection in case the seed phrase you've written down is discovered. Right now, written seed phrases are like writing your bank account and log-in credentials on a piece of paper and hoping nobody finds it.

All hardware wallets I know are supporting passphrase that is acting like salt to seed phrases, and that is not stored anywhere on device.
Password is something different and that is usually stored in device, that means there is a chance for getting extracted and device hacked.
You can also use multisig setup to make seed words much more secure, and some hardwre wallets have new methods of protection.

Do modern hardware wallets like the Ledger Nano S Plus, Nano X, Trezor, etc. already support applying a password to seed phrases? Is it just a feature that's hidden and not promoted that much?

Hardware wallets you mentioned are not that modern like you think, and password in not as secure as you think.
Ledger have pin when you power on device and you can add additional passphrase later that is connected with pin.
Don't mix password with pin and passphrase.

One interesting new concept is used by Cypherock X1 hardware wallet device, they are not storing anything on device, and keys are split in multiple secure cards.

[Welsh]

1 - Most good hardware wallets do.

I'd say, any worth their while have at least an option to have two factor authentication. While, that shouldn't be the determining reason of what a good, and bad hardware wallet is, I'd expect any of them that are at least somewhat security conscious, would have it as an option. Now, depending on how it's implemented that could mean additional risk as pointed out before, and that won't immediately be obvious to all users. So, I'd like to see warning messages on enabling or disabling any security feature on a hardware wallet through their software.

However, that's really only possible with software, since the actual hardware itself is limited usually, and I believe some operate without much software at all these days. Also, just to clarify what I mean by software is traditional software run on a separate computer to the actual hardware wallet itself, obviously the hardware wallet itself will have its own software running, but due to limits in size they usually can't include much documentation or information through that device.

[larry_vw_1955]

Further, calling it a passphrase helps to make it clear that it shouldn't just be a single word. Ideally you want it to be long and complex enough so that if your seed phrase is compromised, the passphrase still provides enough of a barrier against brute force attacks to keep your wallet safe. A single word does not achieve this.

a passphrase should be able to be more than 50 characters though. but if you're using a Trezor then you only have 50 characters to use for it. other hardware wallets probably has their own limitations on the length too so it's not unlimited, you can't just use any string of words you want of any length you want.

imagine you want to import your seed and passphrase into your new trezor but it won't work because your passphrase is too long. even though the BIP has no restriction on the length...

i don't see how 50 characters is sufficient to come up with a good "passphrase". maybe a good "password" but not a passphrase. 

[Titanium99]

I came across a comprehensive Q&A from Andreas Antonopoulos about using optional passphrases. I'm posting it here for reference in case it's of interest:

https://www.youtube.com/watch?v=jP7pEgBpaO0

Andreas provides a clear and approachable explanation of how passphrases work, things to avoid, how long it would take to brute force them, and best practices for using them. He recommends using a passphrase that's comprised of six to eight random words (!) to balance security and complexity.    

Thanks to o_e_l_e_o for introducing me to Andreas' work! It's really accelerating my learning.

[o_e_l_e_o]

i don't see how 50 characters is sufficient to come up with a good "passphrase". maybe a good "password" but not a passphrase. 

You can't really judge the concept based on how one particular hardware wallet implements it. If you want more than 50 characters, then don't use a Trezor.

Having said that, a 12 word seed phrase, which can be encoded in at most 48 characters using the unique first four characters of each word, is more than strong enough to use as a passphrase. And 50 random ASCII characters would be in excess of 328 bits of security.

As I mentioned above, you want your passphrase to be strong enough to protect your coins should your seed phrase be compromised, at least for long enough until you can move them to a new wallet. I would say 80 bits should be a minimum, but ideally aim for 128. Any more than that is unnecessary.

[Welsh]

i don't see how 50 characters is sufficient to come up with a good "passphrase". maybe a good "password" but not a passphrase. 

Even if that's somewhat true, I'm not much of a fan of passphrases in the first place, and believe that every single passphrase should have some sort of password element to it, i.e a randomly generated sequence of characters. Otherwise, you're effectively making it less secure by using a non random set of phrases, especially if well known. I only say this, because of course a passphrase could actually be a good way of doing it, but most humans wouldn't go for a random passphrase, and come up with commonly thought of passphrases, which is obviously problematic.

Although, I do agree generally there shouldn't be any limitations on what characters can be used or the length. While, this isn't for hardware wallets, I've come across websites including banks which limited characters like "*", "(" and "@" which is totally unacceptable in my opinion.

[larry_vw_1955]

If you want more than 50 characters, then don't use a Trezor.

i'm not using one because for one thing they are too expensive and #2 i dont like people putting limitations on something that restricts how i can set my passphrase. it's just annoying you would think that something that costed as much as it did could afford at least a kilobyte for a lengthy passphrase but i guess not  

Having said that, a 12 word seed phrase, which can be encoded in at most 48 characters using the unique first four characters of each word, is more than strong enough to use as a passphrase. And 50 random ASCII characters would be in excess of 328 bits of security.

why would i use the bip39 wordlist to select words to construct my passphrase out of?  

As I mentioned above, you want your passphrase to be strong enough to protect your coins should your seed phrase be compromised, at least for long enough until you can move them to a new wallet. I would say 80 bits should be a minimum, but ideally aim for 128. Any more than that is unnecessary.

well i mean i'm not thinking about how many bits. i'm thinking about how convenient my passphrase is for me to memorize. if i have a 20 word passphrase that i can't forget and it is 120 characters in length then what's the problem with that? maybe that is the simplest thing for me. so it's necessary for me. maybe not for you.

Even if that's somewhat true, I'm not much of a fan of passphrases in the first place, and believe that every single passphrase should have some sort of password element to it, i.e a randomly generated sequence of characters.

but when you do that, you're kind of destroying the ability to memorize your passphrase...so time to get out the old titanium metal plate and start stamping letters... here's an idea though, if you're not against tatoos is you can get your passphrase tatooed on to you. in a private area no less. wonder if anyone ever did that. they won't lose it that way that's for sure.

[o_e_l_e_o]

it's just annoying you would think that something that costed as much as it did could afford at least a kilobyte for a lengthy passphrase but i guess not

Ledger devices allow 100 characters. I'm not sure about other hardware wallets, but Electrum will only be limited by the hardware in your computer. (The actual limit on a passphrase is any message of length 2¹²⁸ - 1 bits, since it is being fed in to HMAC-SHA512. For reference, this works out to anything up to around 40 million billion zettabytes. )

Still, I would caution against using an excessively long passphrase. Something with 128 bits of security is more than enough. The longer you make it, the more risk of you incorrectly entering it, incorrectly backing it up, losing part of it, and so on.

why would i use the bip39 wordlist to select words to construct my passphrase out of?  

I would never manually select words, but if you used a good wallet to generate another seed phrase properly, then you can be certain your passphrase has at least 128 bits of entropy.

but when you do that, you're kind of destroying the ability to memorize your passphrase

You aren't meant to remember your passphrase. You are meant to back it up on paper just as you do with your seed phrase, although entirely separately. Obviously there is no point storing your seed phrase and passphrase back ups together.

[larry_vw_1955]

Still, I would caution against using an excessively long passphrase. Something with 128 bits of security is more than enough. The longer you make it, the more risk of you incorrectly entering it, incorrectly backing it up, losing part of it, and so on.

What if someone uses a paragraph out of a novel? They don't have to back anything up. yes, it is theoretically public knowlege but what good does it do anyone since they likely will not have access to the 12 or 24 seed phrase that goes along with it. So in a sense, I tend to disagree with you that a passphrase needs to be a total secret never seen before by anyone.

I would never manually select words, but if you used a good wallet to generate another seed phrase properly, then you can be certain your passphrase has at least 128 bits of entropy.

If you're using a 24 word seed phrase, you can just split it in half and let 12 of them be your "extended passphrase". As long as you hide the two halves in different places, it's accomplishing the same thing. If that's how you think of passphrases.  

You aren't meant to remember your passphrase. You are meant to back it up on paper just as you do with your seed phrase, although entirely separately. Obviously there is no point storing your seed phrase and passphrase back ups together.

Which brings us back to the question of why not just split up your 24 word seed into two groups of 12 and use one of those groups as your "extended passphrase". That's a question