Why doesn't every hardware wallet support two-factor seed phrases?

[NotATether]

Well, if you already type the password, then what is the point of the seed phrase, since you can just decrypt the databases that hold the private key?

And similarly, if you type the seed phrase, you don't need the password anyway and this is already the case when you recover a wallet.

What is probably better, is a way to type two different passwords at different types, where a wallet becomes "half-unlocked" when you type the first password, and fully unlocked when the second one is entered. ECC & hashing stuff don't have an algorithm for this, so you and I will have to look around and research such a process to get more info about how it can be done.

[1715480389]

1715480389

[1715480389]

1715480389

[1715480389]

1715480389

[m2017]

1. Why doesn't every hardware wallet support the use of a seed phase + password?

The question doesn't make sense. Different manufacturers can make different choices.

It seems like a really simple way to add a layer of protection in case the seed phrase you've written down is discovered.

It also adds an additional risk factor: forgetting the password means losing your money.

I see two main reasons for using a password on top of your seed words:

• To ensure the data can't be hacked by someone who gains physical access to your hardware wallet.
• To have plausible deniability in case of a $5 wrench attack.

Probably, here it is necessary to sacrifice one for the benefit of the other. Either you increase the protection with a password, but at the same time increase the risks of losing access, or leave everything as it is, but at the same time increase the chances of hacking your wallet physically. As happens in such cases, there is no universal solution and the choice will have to be made based on personal goals.

When a $5 wrench attacking, the password will not help in any way if life and health are dear to him. Everyone will remember the password, even if they really forgot it. Only the 2nd wallet with a small amount can help here to distract the attacker from the main wallet. I guess, plausible deniability is a weak argument against a $5 wrench attack.


Some models still have support for several seed-phrases at once. It seems that ledger had such a function when you enter different pins, you get access to different wallets.

[o_e_l_e_o]

What if someone uses a paragraph out of a novel?

You could, but there are significant drawbacks to doing so. Are you going to type out the entire paragraph every time you want to recover the wallet? On a hardware wallet which takes 10-20 seconds to input a single character, this could take you a very long time. Or on a computer, are you going to get lazy and just save the paragraph as a text file for easy access in the future? And are you certain that the paragraph is identical? Even an extra space, or an uppercase switched to a lowercase, or a missing comma, etc., is enough to generate a completely different wallet.

So in a sense, I tend to disagree with you that a passphrase needs to be a total secret never seen before by anyone.

If your seed phrase is kept secret, maybe, but if you are sure your seed phrase is always going to be kept secret, then you don't need a passphrase at all. A passphrase should be kept secret and be strong enough to protect you wallet in the event that your seed phrase is compromised.

If you're using a 24 word seed phrase, you can just split it in half and let 12 of them be your "extended passphrase". As long as you hide the two halves in different places, it's accomplishing the same thing. If that's how you think of passphrases.  

That's not accomplishing the same thing at all. Passphrases provide plausible deniability. Half a seed phrase does not.

[LoyceV]

Only the 2nd wallet with a small amount can help here to distract the attacker from the main wallet. I guess, plausible deniability is a weak argument against a $5 wrench attack.

A second wallet is of course part of the "plausible deniability"-plan. Or even a third wallet.

[dkbit98]

If you're using a 24 word seed phrase, you can just split it in half and let 12 of them be your "extended passphrase". As long as you hide the two halves in different places, it's accomplishing the same thing. If that's how you think of passphrases.  

You should never do this with your seed phrase, and certainly not if that is your only copy, this way you are creating single point of failure and recipe for disaster.
I heard many scary stories of people trying to act smart, mixing words, splitting words and losing all bitcoin they had with extra complexity.
If you want to split something up than you should create multisig setup, or use inferior Secret Shamir Sharing scheme, that is still much better than what you suggested.

[larry_vw_1955]

You could, but there are significant drawbacks to doing so. Are you going to type out the entire paragraph every time you want to recover the wallet?

yes.

On a hardware wallet which takes 10-20 seconds to input a single character, this could take you a very long time.

well thats a problem with hardware wallets and their user interface. even a 50 character passphrase would take from 500 to 1000 seconds if your data is accurate  

Or on a computer, are you going to get lazy and just save the paragraph as a text file for easy access in the future?

no, i'm not.

And are you certain that the paragraph is identical?

yep. i am.

Even an extra space, or an uppercase switched to a lowercase, or a missing comma, etc., is enough to generate a completely different wallet.

if you're worried about that being an issue then remove all spaces and use only upper or lowercase exclusively with no special characters like punctuations...

If your seed phrase is kept secret, maybe, but if you are sure your seed phrase is always going to be kept secret, then you don't need a passphrase at all.

well isn't it by definition that the seed phrase must be kept secret? so if you can't do that then how are going to keep a passhprase that protects the seed phrase a secret?  

A passphrase should be kept secret and be strong enough to protect you wallet in the event that your seed phrase is compromised.

I won't argue with that.

That's not accomplishing the same thing at all. Passphrases provide plausible deniability. Half a seed phrase does not.

I didn't think about that but maybe there exists 24 word seed phrases whose first 12 words (and 2nd 12 words) pass checksum so if you need plausible deniability just generate one of those type.

You should never do this with your seed phrase, and certainly not if that is your only copy, this way you are creating single point of failure and recipe for disaster.

what's the difference between that and storing your seedphrase in one place and the passphrase somewhere else? none as far as i can see. to spend funds you need to recover both parts. only have one part, then you are SOL.

[n0nce]

2. Do modern hardware wallets like the Ledger Nano S Plus, Nano X, Trezor, etc. already support applying a password to seed phrases? Is it just a feature that's hidden and not promoted that much?

Yes, I'm 99% sure that all of them support a 25th / 13th word / passphrase. The word is passphrase. Not 'two-factor'.
Before putting your question like that, you should verify if the claim ('not all hardware wallets support it') is even correct, and maybe provide some links and numbers. For instance: '25% of hardware wallets do not have it'.

If you do not know how many support it, that's something else you can ask (but preferred that you do it on your own and post your results instead).

Only the 2nd wallet with a small amount can help here to distract the attacker from the main wallet. I guess, plausible deniability is a weak argument against a $5 wrench attack.

A second wallet is of course part of the "plausible deniability"-plan. Or even a third wallet.

Wallets, all the way down!

[o_e_l_e_o]

well thats a problem with hardware wallets and their user interface. even a 50 character passphrase would take from 500 to 1000 seconds if your data is accurate  

Still preferable to an entire paragraph of text with 1000+ characters.

yep. i am.

No, you aren't. People make mistakes writing down 12 word seed phrases. People will definitely make mistakes copying an entire paragraph.

if you're worried about that being an issue then remove all spaces and use only upper or lowercase exclusively with no special characters like punctuations...

Making it harder to read and more likely that you make an error

well isn't it by definition that the seed phrase must be kept secret? so if you can't do that then how are going to keep a passhprase that protects the seed phrase a secret?  

You are approaching this as if everyone in the world has perfect and unbreakable security at all times. This is simply not how things work. Yes of course you should keep your seed phrase safe and secure, but having a contingency plan is just common sense.

I didn't think about that but maybe there exists 24 word seed phrases whose first 12 words (and 2nd 12 words) pass checksum so if you need plausible deniability just generate one of those type.

Or instead of lowering the entropy of your seed phrase by manually picking one which fulfills this very niche criteria, just use a passphrase. Additionally, your set up only provides one hidden wallet. With passphrases you can have as many hidden wallets as you like.

[dkbit98]

what's the difference between that and storing your seedphrase in one place and the passphrase somewhere else? none as far as i can see. to spend funds you need to recover both parts. only have one part, then you are SOL.

Big and obvious difference is that you can't use half of your words for anything if you lose second half, and your coins are lost forever.
Passphrase is optional, and without passphrase I can still access funds that are stored on my seed words, and I can have multiple passphrases.
Again, if you want to act smarter than security experts who created seed words than go for it, but first listen what Andreas Antonopoulos has to say about this:
https://www.youtube.com/watch?v=p5nSibpfHYE

[larry_vw_1955]

Still preferable to an entire paragraph of text with 1000+ characters.

not necessarily. not everyone needs a hardware wallet. plus if you only transact very occasionally then it's no inconvenience at all really. not much of one. but i didn't say 1000+ characters maybe a hundred or two hundred though would be fine.

No, you aren't. People make mistakes writing down 12 word seed phrases. People will definitely make mistakes copying an entire paragraph.

no, where people go wrong is they forget their passphrase completely or store it somewhere where it gets lost or partially damaged. and they can't go download the novel to look it up. but i could if use my method. but yeah i'm not storing the paragraph of text on any computer. no need to. i would think that most popular novel is readily avaiable for viewing and download on the internet from multiple sources. surprising that more people dont utilize this obvious technique of adding extra security to their seed phrase without having to do extra storage.

Making it harder to read and more likely that you make an error

then you just double check your data entry. very simple.

You are approaching this as if everyone in the world has perfect and unbreakable security at all times. This is simply not how things work. Yes of course you should keep your seed phrase safe and secure, but having a contingency plan is just common sense.

well when i create a seed phrase i am sure it is secret so i don't really need a passphrase for extra security. you even admitted that. now for plausible deniability and being able to use the same seedphrase with multiple different passphrases, it offers more use out of a single seed phrase so that's a different consideration in my opinion. 

Or instead of lowering the entropy of your seed phrase by manually picking one which fulfills this very niche criteria, just use a passphrase. Additionally, your set up only provides one hidden wallet. With passphrases you can have as many hidden wallets as you like.

yeah i mean it would have to meet the checksum on the first 12 words, second 12 words and then all 24 words overall. not sure how many such 24 word seedphrases like that exist. 

[o_e_l_e_o]

but i didn't say 1000+ characters maybe a hundred or two hundred though would be fine.

Sure, but that's a sentence, not a paragraph. A unique sentence of 100 characters is perfectly reasonable as a passphrase.

i would think that most popular novel is readily avaiable for viewing and download on the internet from multiple sources.

A sentence from a popular book is not a particularly good choice of passphrase. Neither are song lyrics, famous quotes, lines from movies, etc. You also need to back up exactly which sentence you used, and in which edition of the book you drew it from.

then you just double check your data entry. very simple.

Again, you are assuming everyone has 100% perfect security at all time. If it was easy as just telling people to just double check and verify things properly, then clipboard malware would never be successful and malicious wallet software would not exist. This is just not how the world works.

well when i create a seed phrase i am sure it is secret so i don't really need a passphrase for extra security.

But you can not be certain it will remain secret for the rest of your life.

yeah i mean it would have to meet the checksum on the first 12 words, second 12 words and then all 24 words overall. not sure how many such 24 word seedphrases like that exist.  

Twelve word seed phrases have a four bit checksum, meaning for any random twelve words there is an average one in sixteen chance that the checksum is valid. Given that you want two valid checksums in this system, then a very rough calculation would be that only one out of every 256 twenty four word seed phrases would meet this criteria.

[Titanium99]

What if someone uses a paragraph out of a novel? They don't have to back anything up. yes, it is theoretically public knowledge but what good does it do anyone since they likely will not have access to the 12 or 24 seed phrase that goes along with it. So in a sense, I tend to disagree with you that a passphrase needs to be a total secret never seen before by anyone...

...If you're using a 24 word seed phrase, you can just split it in half and let 12 of them be your "extended passphrase". As long as you hide the two halves in different places, it's accomplishing the same thing. If that's how you think of passphrases.  

...Which brings us back to the question of why not just split up your 24 word seed into two groups of 12 and use one of those groups as your "extended passphrase". That's a question  

The video from Andreas Antonopoulous that I shared in post #15 explains very clearly why both of these are overly cute solutions that actually reduce your security. It's worth the 14 minutes to watch, IMO: https://www.youtube.com/watch?v=jP7pEgBpaO0

In a nutshell:

- Common phrases, book passages, quotes, etc. are easier to crack than 6 to 8 randomly picked words.

- Making things overly complex by choosing longer passages increases your odds of incorrectly entering data (on creation and/or recovery), forgetting where the passage starts and stops and details on how it was entered, and ultimately losing access to your crypto.

- Splitting your 24 words into two lists may help some, but not as much as you might think. If an attacker finds half of your word list, the other half is much easier to crack. 24 words provides 256 bits of entropy. 12 words gives you 128 bits of entropy (which is still good), but that something like 10^35 less complex to crack, and not 1/2 as difficult to crack as you might think.

- According to Andreas, the best option is to safeguard your words and apply a 6-8 random word passphrase to provide a 2nd layer of protection. Store the seed phrase and pass phrase securely and separately and you've got a good measure of protection that balances solution complexity and security while reducing the risk of permanent loss due to human error. Towards the end of the video, he gives some cautionary examples of how overly complicating the solution can cause you to forever lose access to your crypto.

[larry_vw_1955]

Sure, but that's a sentence, not a paragraph. A unique sentence of 100 characters is perfectly reasonable as a passphrase.

I'm talking about using something like this:

Code:

In my younger and more vulnerable years my father gave
me some advice that I’ve been turning over in my mind ever
since.
“Whenever you feel like criticizing any one,” he told me, “just
remember that all the people in this world haven’t had the ad-
vantages that you’ve had.”

that comes out of the actual book apparently. other copies you might find online do not hypenate the word "advantages". why would they?

A sentence from a popular book is not a particularly good choice of passphrase. Neither are song lyrics, famous quotes, lines from movies, etc. You also need to back up exactly which sentence you used, and in which edition of the book you drew it from.

the only real benefit of them is you're probably not going to lose them. there's always a copy somewhere. how many people come onto bitcointalk who forgot their passphrase or only remember part of it or their dog ate half the piece of paper they wrote it down on? they would give anything to just pickup a copy of the great gatsby and recover their money...

Again, you are assuming everyone has 100% perfect security at all time. If it was easy as just telling people to just double check and verify things properly, then clipboard malware would never be successful and malicious wallet software would not exist. This is just not how the world works.

don't you double check who you're sending your btc too and the address you're giving to someone to send btc to you before you hit the send button? i do. with regard to passphrase entry, if you get it wrong the first time, just enter it again and pay attention a bit more. you have as many tries as you need. unlike with some other things which i wasn't referring to.

But you can not be certain it will remain secret for the rest of your life.

i assume it will remain secret. maybe that is a bad assumption but we have to start from somewhere.

Twelve word seed phrases have a four bit checksum, meaning for any random twelve words there is an average one in sixteen chance that the checksum is valid. Given that you want two valid checksums in this system, then a very rough calculation would be that only one out of every 256 twenty four word seed phrases would meet this criteria.

you have to also add in the 8 bit checksum for the entire 24 words. so that's another factor of 2^8. So 16*16*256=65536. So maybe only 1 in that many would work. that's not a very large reduction in entropy. Basically reducing entropy by 16 bits from 256 to 240. not a huge deal.

The video from Andreas Antonopoulous that I shared in post #15 explains very clearly why both of these are overly cute solutions that actually reduce your security. It's worth the 14 minutes to watch, IMO: https://www.youtube.com/watch?v=jP7pEgBpaO0

I've seen this video before. Andreas is a really smart guy.

- According to Andreas, the best option is to safeguard your words and apply a 6-8 random word passphrase to provide a 2nd layer of protection. Store the seed phrase and pass phrase securely and separately and you've got a good measure of protection that balances solution complexity and security while reducing the risk of permanent loss due to human error. Towards the end of the video, he gives some cautionary examples of how overly complicating the solution can cause you to forever lose access to your crypto.

No one can argue with that. If you want the best security then that's the way to do it  

[o_e_l_e_o]

I'm talking about using something like this:

Honestly, that's a terrible choice of passphrase.

There is too much formatting which is very prone for error. Did you accidentally include a space before the line break? Did you use ' instead of " without realizing? Did different copies of the text use different formatting, different line breaks, no hyphens, etc.? Does your software parse line breaks in the same way as other software, or indeed at all? It is excessively long, too prone to errors, and too cumbersome to enter, especially on a hardware wallet.

the only real benefit of them is you're probably not going to lose them. there's always a copy somewhere. how many people come onto bitcointalk who forgot their passphrase or only remember part of it or their dog ate half the piece of paper they wrote it down on? they would give anything to just pickup a copy of the great gatsby and recover their money...

If you can forget your passphrase, then you can just as easily forget which sentence you used or which word you started/end your passphrase with or which edition of the book you used and so on. Passphrases should be backed up on paper, just as seed phrases are.

don't you double check who you're sending your btc too and the address you're giving to someone to send btc to you before you hit the send button?

Of course I do. But many people don't. Which is why we see people falling victim to clipboard malware on a weekly basis.

with regard to passphrase entry, if you get it wrong the first time, just enter it again and pay attention a bit more. you have as many tries as you need.

Unless you entered it wrong the first time without realizing it, sent coins to that wallet, and cannot discover the identical wrong combination to access your wallet again.

i assume it will remain secret. maybe that is a bad assumption but we have to start from somewhere.

A better assumption is that no back up is ever 100% secure.

you have to also add in the 8 bit checksum for the entire 24 words.

I was assuming you were only generating valid 24 word seed phrases to begin with.

[n0nce]

I'm talking about using something like this:

Honestly, that's a terrible choice of passphrase.

There is too much formatting which is very prone for error. Did you accidentally include a space before the line break? Did you use ' instead of " without realizing? Did different copies of the text use different formatting, different line breaks, no hyphens, etc.? Does your software parse line breaks in the same way as other software, or indeed at all? It is excessively long, too prone to errors, and too cumbersome to enter, especially on a hardware wallet.

Imagine different revisions using different quotation marks..
“ ” " " ‘  ’ ' ' « »

There is also a chance of spaces being replaced with other types of whitespace. I notice that from time to time when copying some code snippets from a website into my editor. It looks like a space on the website, but the editor reveals that it's actually not an ASCII 0x20.

And of course line breaks being in different places and / or types of line breaks; CRLF vs. LF.

[dkbit98]

I'm talking about using something like this

I can only imagine how long you would have to wait to confirm every transaction with this long text...... this is almost impossible to use in real life.
Why don't you simple ask ChatGPT and other AI crap tools to tell you what you should use for passphrase, you can even ask AI to generate 24 seed words for you, I am sure it's safu (not).  

There is also a chance of spaces being replaced with other types of whitespace. I notice that from time to time when copying some code snippets from a website into my editor. It looks like a space on the website, but the editor reveals that it's actually not an ASCII 0x20.

I think that passphrase with spaces is giving much better results compared with same words combined into one.
I tried testing this for different passphrases (for password managers) and I almost always got better entropy results with spaces.
Can anyone explain why this is happening in simple words and does it really matter or not?

[n0nce]

There is also a chance of spaces being replaced with other types of whitespace. I notice that from time to time when copying some code snippets from a website into my editor. It looks like a space on the website, but the editor reveals that it's actually not an ASCII 0x20.

I think that passphrase with spaces is giving much better results compared with same words combined into one.
I tried testing this for different passphrases (for password managers) and I almost always got better entropy results with spaces.
Can anyone explain why this is happening in simple words and does it really matter or not?

Very well possible, but what I'm saying is that if he downloads a different version of the (supposedly) same text, it may have different whitespace characters (impossible to tell with the naked eye) or other little changes that will be hard to spot / recognize and fix.

[larry_vw_1955]

Honestly, that's a terrible choice of passphrase.

Yeah, that hyphen due to the column width was kind of unexpected. Other online versions don't have that hyphen. But the printed book apparently does.

If you can forget your passphrase, then you can just as easily forget which sentence you used or which word you started/end your passphrase with or which edition of the book you used and so on.

those things can be dealt with by owning the book and highlighting the passphrase and then storing the book somewhere safe.

Passphrases should be backed up on paper, just as seed phrases are.

well lets say you decide to string together the hashes of the first 3 blocks of the blockchain.

Code:

00000000839a8e6886ab5951d76f411475428afc90947ee320161bbf18eb6048000000006a625f06636b8bb6ac7b960a8d03705d1ace08b1a19da3fdcc99ddbd0000000082b5015589a3fdf2d4baff403e6f0be035a5d9742c1cae6295464449

as long as i store instructions about how to perform the above operation then i don't really need to write down all of that on paper. whether that is a suitable approach for a bip39 passphrase is a matter of other discussion but i'm not trying to argue that.

Unless you entered it wrong the first time without realizing it, sent coins to that wallet, and cannot discover the identical wrong combination to access your wallet again.

thats one of the serious drawbacks of the bip39 passphrase. there is no checksum for it. so the software has to accept whatever you type in and go with it.

A better assumption is that no back up is ever 100% secure.

you can have the last word on that.  

I was assuming you were only generating valid 24 word seed phrases to begin with.

oh ok. in that case the argument seems to be reasonable however as you said, it is a rough argument and we don't actually know how many such 24 word seed phrases exist, if any. But according to your logic, it would be very quick to find one...

[n0nce]

If you can forget your passphrase, then you can just as easily forget which sentence you used or which word you started/end your passphrase with or which edition of the book you used and so on.

those things can be dealt with by owning the book and highlighting the passphrase and then storing the book somewhere safe.

Then you could also store a seed phrase backup on a piece of paper glued between two pages in any book that you're confident is stored safely..
Or highlight 12/24 words across the book which, read front to back, result in the seed phrase. This has all been discussed over the years, though.

[o_e_l_e_o]

I can only imagine how long you would have to wait to confirm every transaction with this long text...... this is almost impossible to use in real life.

I'm not sure I follow you here. Once you've entered the passphrase, your wallet software will use it along with your seed phrase to derive your master keys for that wallet. A salt of that length will make no noticeable difference to the length of time it takes to derive the master keys, and once the master keys are derived, then everything from that point on is identical. The only difference is how long it will take you to enter the passphrase, which I agree on a hardware wallet will take a significant amount of time selecting one character at a time.

I tried testing this for different passphrases (for password managers) and I almost always got better entropy results with spaces.

What algorithms were being used to assess the entropy? Adding a space might be classed as a "special character", of which there are 33 in ASCII, meaning you go from 26 possibilities for each character (assuming only lower case letters), to up to 59 possibilities for each character, which gives you a falsely elevated entropy result. Different algorithms also make different assumptions about how much knowledge of the password the attacker has.

those things can be dealt with by owning the book and highlighting the passphrase and then storing the book somewhere safe.

Which is no different to just writing down the passphrase on paper, as I've been saying all along.

thats one of the serious drawbacks of the bip39 passphrase. there is no checksum for it. so the software has to accept whatever you type in and go with it.

Agreed. It's a drawback, but also an advantage. The mitigation is to enter your passphrase, note down the first address, reset your wallet, enter your passphrase a second time, and check the first address matches what you wrote down from the first round. Repeat a third time if you like to be extra sure.