Does using multiple hardware wallets (w/o seed) make sense?

[dkbit98]

I’m thinking of using multiple hardware wallets (e.g., 3 devices)

This is overkill for most people.

1. Is using 3 hardware wallets (with seeds only on the devices) a safer option than seed + passphrase? Are there long-term risks with relying on multiple wallets (e.g., hardware failure, tech obsolescence)?

Safer for what exactly? Nuclear war?? 
Multiple devices are only needed for multisig setup, and that is complicated and not needed for most people.
Only if you are high profile or crypto billionaire than using multisig setup with multiple devices could be a good idea.

2. How likely is it for an attacker to guess a passphrase made up of 4 words from the BIP-39 list? It seems like 4 words (2048 options per word) could be brute-forced in just a few days on powerful systems — how risky is this in practice?

Attacker is not going to guess anything if you are near devices, you are going to tell him passphrase sooner or later.
I would not use words from BIP-39 list for passphrase.

3. What’s your take on passphrases in general? How long or complex should they be to make brute-forcing impractical?

Don't use simple 1234 or overly complicated passphrase, and make sure to back it up, don't keep it only in your head.

[FinneysTrueVision]

Anybody who holds a meaningful amount of crypto has probably gotten paranoid about the possibility of their seed being leaked. Depending on your threat model, you might not be comfortable with leaving a piece of paper with your seed phrase lying around. Investing in a personal safe and keeping your seed there and the passphrase in a separate, secure location is going to be good enough for 99.9% of people.

Using multiple hardware wallets is less practical because they can stop working and need firmware updates on a regular basis. They also have most of the same risks as a paper backup of getting stolen, lost, or destroyed. I wouldn’t recommend this solution, but only you know what will work best for your specific needs.

[satscraper]

~

The safest setup involving three hardware wallets would be the multisig wallet with  2‑of‑3 quorum. Such setup becomes even stronger if at least one of your hardware wallets is BIP85 compliant. In that case, you can choose its SEED as the parent SEED to deterministically derive child seeds and use two of those child seeds for your other hardware wallets. Note that the child seeds are independent in the sense that they cannot be linked to each other.

[Cricktor]

I see an additional problem with having no analog mnemonic recovery words backup. IIRC most hardware wallets won't show you the recovery words (what you call "seed") again after a wallet has been setup. So there's usually no way to retrieve the mnemonic recovery words again when you don't have an analog backup of them.

This could be problematic in the future. As others I wouldn't skip having redundant analog backups of mnemonic recovery words!

Yes, it's unlikely that three hardware wallets stop to work all at the same time, but if one stops to work, you are left with only two. If another stops to work, you're left with the last one. Without the recovery words, you can't add a new device. See the issue?
(Some devices have cheap screens that fade with time... The device is working but if you can't see what's on the screen anymore it becomes useless and defunct.)

Then there's the question: are the three devices in one place (geographic single point of failure; e.g. loss by fire) or do you intend to distribute them to different locations?


Regarding 2.
One BIP39 word represents only 11 bits of entropy if it's known to the attacker that your mnemonic passphrase is only composed of BIP39 words. Question is: does an attacker get to know this? I'd say this is unlikely, but an attacker could try and 44 bits of entropy isn't very strong.

Regarding 3.
Any unique extending mnemonic passphrase creates a different and unique HD wallet. The smallest error gives you an empty wallet. And if you use a mnemonic passphrase you should document it separately from the mnemonic recovery words.

Do not try to only memorize it, this is a recipe for later desaster and I can almost certainly guarantee you, it will lead you to trouble and loss. (I have first hand experience with a mnemonic passphrase where I foolishly only documented some good hints, even when it was constructed by something I was familiar with, but apparently I made some tweaks which I forgot after not so much time and I couldn't reconstruct the mnemonic passphrase easily anymore. It wasn't a drama because it only was a Testnet wallet but anyway it opened my eyes to properly document everything!)

I would aim for more than ~120 bits of entropy for the additional BIP39 mnemonic passphrase. It's also a question of how easy does your hardware wallet make it to use an additional BIP39 mnemonic passphrase. I don't deny that security comes with additional cost and/or pain factors. It shouldn't be pain in the arse.

I use an extending BIP39 mnemonic passphrase for multiple reasons (list below might not be exhaustive):

• the mnemonic recovery words alone only reveal a "canary" sacrificial wallet where I could detect that my redundantly distributed mnemonic recovery word backups got compromised if little funds there got moved away
  (Pay attention to not easily link your main stash with such sacrificial funds!)
• with any unique mnemonic passphrase I can create a new unique wallet and still only need one set of redundant backups for my mnemonic recovery words because those don't need to change; I use paper and stamped metal washers backups
  (I don't need that many wallets, but it's just quite convenient this way)
• of course every additional BIP39 mnemonic passphrase needs a separate redundant analog backup which is not where the mnemonic recovery words are stored, too; I don't make it too complicated: one backup at home, another somewhere else (unlikely they get both destroyed at the same time)
  (You can append a numerical counter to your mnemonic passphrase to generate an arbitrary number of unique wallets and still only need one good redundant backup of the part before the enumeration counter. That way the amount of redundant backups is significantly reduced while still allowing a lot of unique wallets if you need them)

Last post edit: typo removal

[Pmalek]

I wouldn't recommend it. A real self-custodial set up should include multiple copies of your seed, stored in different locations if possible. I would never rely only on digital/virtual backups, with the keys held on the hardware wallets exclusively. The seed is the most important part. It's universal and can be imported everywhere where that universal standard is supported. If your hardware wallet(s) fail, your crypto is gone. It's that simple.

You can make your passphrase as complex as you want. A passphrase of 6-8 English words, from the BIP-39 list or any dictionary words, is very safe against brute forcing with today's technology. We can only speculate and try to guess what will be possible in the future.

I would recommend sticking to the basics and not trying to invent a new and seemingly better backup system. The consensus is that physical seed backups is the right thing.

[BobbysTransactions]

I have read the news and this loss has nothing to do with keeping things simple. It was a stupid mistake that should never have happened, and can only happen when a bunch of amateurs are dealing with crypto. How could you expose a seed phrase to the public during a press release, lol.

I suspect that the press release "leak" was more likely a cover story to hide corruption and internal theft by the police.