
BIP-39 Passphrase (25th Word): Advanced Wallet Security

The BIP-39 passphrase — commonly referred to as the "25th word" — is one of the most powerful yet misunderstood security features available in cryptocurrency wallets. It adds a user-chosen string to the seed derivation process, causing the same mnemonic phrase to produce an entirely different set of keys and addresses. Used correctly, it provides defense-in-depth against seed phrase compromise. Used carelessly, it can result in permanent loss of funds.

This guide covers exactly how the passphrase works, when to use it, the risks it introduces, and how to implement it safely.

How the Passphrase Works

Technical Mechanism

As described in the BIP-39 standard, the seed derivation process uses PBKDF2-HMAC-SHA512:

Seed = PBKDF2(
    password   = mnemonic_words,
    salt       = "mnemonic" + passphrase,
    iterations = 2048,
    key_length = 512 bits
)

When no passphrase is set, the salt is simply the string "mnemonic". When a passphrase is provided, it is concatenated to the salt: "mnemonic" + "YourPassphrase". Because the salt is different, the PBKDF2 output is completely different, producing a completely different master key, and therefore completely different derivation paths, private keys, public keys, and addresses.

Key Properties

Every passphrase is valid. There is no checksum or validation mechanism for the passphrase. Any string — including an empty string, a single character, or a 500-character sentence — produces a valid wallet. Entering the wrong passphrase does not produce an error message; it silently opens a different (typically empty) wallet.

Same mnemonic, different wallets. A 24-word mnemonic with passphrase "alpha" produces a completely different wallet than the same mnemonic with passphrase "bravo". There is no cryptographic relationship between the two wallets that an attacker could detect.

Case and encoding matter. "MyPassphrase" and "mypassphrase" produce different wallets. A passphrase with trailing whitespace is different from one without. The passphrase is normalized with Unicode NFKD and then encoded as UTF-8 before hashing, but beyond that normalization, exact character-for-character matching is required.
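The derivation described above and the three Key Properties, as an added Python example (not code from this guide or from the SafeSeed tool). It checks itself against the published BIP-39 test vector (all-zero entropy mnemonic, passphrase "TREZOR") and then shows that case, trailing whitespace and the empty string each open a different wallet, while NFKD-equivalent spellings open the same one.

```python
import hashlib
import unicodedata


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 64-byte BIP-39 seed: PBKDF2-HMAC-SHA512, 2048 rounds,
    password = NFKD(mnemonic sentence), salt = "mnemonic" + NFKD(passphrase),
    both UTF-8 encoded."""
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, dklen=64)


# Published BIP-39 test vector: the 12-word mnemonic for all-zero entropy with
# passphrase "TREZOR" must yield this seed.
TEST_MNEMONIC = " ".join(["abandon"] * 11 + ["about"])
TEST_SEED_HEX = ("c55257c360c07c72029aebc1b53c05ed0362ada38ead3e3e9efa3708e5349553"
                 "1f09a6987599d18264c1e1c92f2cf141630c7a3c4ab7c81b2f001698e7463b04")


def matches_test_vector() -> bool:
    """Known-answer check; any slip in the salt prefix, round count or
    normalization makes this return False."""
    return bip39_seed(TEST_MNEMONIC, "TREZOR").hex() == TEST_SEED_HEX


def seeds_for(mnemonic: str, passphrases) -> dict:
    """Map each candidate passphrase to the first 8 bytes of its seed (hex).
    Distinct values mean distinct master keys and therefore distinct wallets."""
    return {p: bip39_seed(mnemonic, p).hex()[:16] for p in passphrases}


def same_wallet(mnemonic: str, a: str, b: str) -> bool:
    """True only when two spellings of a passphrase derive the identical seed."""
    return bip39_seed(mnemonic, a) == bip39_seed(mnemonic, b)


if __name__ == "__main__":
    print("test vector ok:", matches_test_vector())
    # Empty string, case variants and a trailing space each give a different wallet ...
    for p, prefix in seeds_for(TEST_MNEMONIC, ["", "alpha", "Alpha", "alpha ", "bravo"]).items():
        print(f"{p!r:10} -> {prefix}...")
    # ... while composed and decomposed forms of the same text collapse under NFKD.
    print("caf\u00e9 == cafe\u0301:", same_wallet(TEST_MNEMONIC, "caf\u00e9", "cafe\u0301"))
```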

Why Use a Passphrase

Protection Against Seed Phrase Theft

If an attacker steals your 24-word seed phrase (from a paper backup, metal plate, or compromised device), they can access all funds in the wallet — unless a passphrase was set. Without the passphrase, they will only see the "base" wallet (the one derived with an empty passphrase). Your actual funds, stored in the passphrase-protected wallet, remain inaccessible.

This transforms your security from single-factor (something you have — the seed phrase) to two-factor (something you have — the seed phrase, plus something you know — the passphrase).

Plausible Deniability

Because every passphrase produces a valid wallet, you can maintain multiple wallets from the same seed phrase:

  • No passphrase — A decoy wallet with a small amount of funds.
  • Passphrase "alpha" — Your main wallet with significant holdings.
  • Passphrase "bravo" — A secondary wallet for additional protection.

If coerced into revealing your seed phrase (the "$5 wrench attack"), you can provide the seed phrase without the passphrase. The attacker sees a real wallet with some funds, has no way to know whether additional passphrase-protected wallets exist, and may be satisfied with what they find.

This is often called a "duress wallet" or "hidden wallet" strategy.

Protection Against Compromised Hardware

If a hardware wallet has a supply chain vulnerability (a backdoor in the random number generator, for example), the attacker might know the seed phrase generated by the device. A user-chosen passphrase that was never entered into or generated by the hardware wallet adds entropy that the attacker does not have.

How to Set Up a Passphrase

Hardware Wallets

Most major hardware wallets support the BIP-39 passphrase:

Ledger:

  1. In Ledger Live, go to Settings.
  2. Enable "Passphrase" under Advanced settings.
  3. There are two modes: "Attached to PIN" (stores a hash on-device for convenience) and "Temporary" (must be entered each time).
  4. Choose your passphrase and confirm it.

Trezor:

  1. In Trezor Suite, enable the passphrase feature.
  2. Each time you connect, Trezor will prompt for the passphrase.
  3. You can enter any passphrase — no confirmation is stored.

Coldcard:

  1. Navigate to Passphrase in the menu.
  2. Enter your passphrase on the device.
  3. Coldcard shows the first address derived — verify it matches expectations.

Software Wallets

Software wallets that support BIP-39 passphrases typically present the option during initial setup or seed import. Look for "Advanced options," "Optional passphrase," or "25th word" in the setup flow.

Choosing a Strong Passphrase

The passphrase should have sufficient entropy to resist brute-force attacks if the seed phrase is compromised:

Passphrase Type           Approximate Entropy   Time to Brute-Force (ASIC)
Common English word       ~10 bits              Seconds
Random 4-word phrase      ~50 bits              Years
Random 6-word phrase      ~75 bits              Millions of years
20+ random characters     ~120+ bits            Heat death of the universe

Recommendations:

  • Use at least 4-6 randomly chosen words or 16+ random characters.
  • Do not use personal information (names, birthdays, common phrases).
  • Do not use a single dictionary word.
  • Consider using a passphrase generator (like diceware) rather than inventing one yourself.

Passphrase Backup Strategies

The passphrase is now part of your recovery secret. If you lose either the seed phrase or the passphrase, you lose access to your funds. This creates a backup challenge: you need to store both, but storing them together defeats the purpose.

Strategy 1: Separate Storage Locations

  • Store the seed phrase in Location A (e.g., a fireproof safe at home).
  • Store the passphrase in Location B (e.g., a safe deposit box at a bank).
  • An attacker needs to compromise both locations.

Strategy 2: Memorization + Physical Backup

  • Memorize the passphrase.
  • Keep an encrypted backup of the passphrase in a separate location from the seed phrase.
  • If you become incapacitated, the encrypted backup ensures your heirs can recover funds.

Strategy 3: Shamir's Secret Sharing for the Passphrase

  • Split the passphrase into shares using Shamir's Secret Sharing.
  • Distribute shares to multiple trusted parties.
  • Requires M-of-N shares to reconstruct.
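An added illustration of Strategy 3, not part of this guide and not SLIP-39 or any wallet vendor's scheme: a compact Shamir split of the passphrase over the prime field 2^521 - 1, assuming Python 3.8 or newer. It is written to make the M-of-N property concrete (any 3 of 5 shares recover the exact bytes, trailing spaces included; fewer do not); an audited tool is the right choice for an actual backup.

```python
import secrets

# Field: the Mersenne prime 2^521 - 1. A passphrase of up to 64 bytes plus a
# one-byte marker is 520 bits, so it always fits below the modulus.
PRIME = 2**521 - 1
MAX_PASSPHRASE_BYTES = 64


def _eval_poly(coeffs, x):
    """Horner evaluation of a polynomial (constant term first) at x, mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_passphrase(passphrase: str, threshold: int, share_count: int):
    """Return share_count (x, y) pairs; any `threshold` of them recover the passphrase."""
    data = passphrase.encode("utf-8")
    if not 1 < threshold <= share_count:
        raise ValueError("need 1 < threshold <= share_count")
    if len(data) > MAX_PASSPHRASE_BYTES:
        raise ValueError("passphrase too long for this field")
    # The 0x01 marker preserves the exact bytes (leading NULs, trailing spaces)
    # and lets recovery detect a wrong or insufficient set of shares.
    secret = int.from_bytes(b"\x01" + data, "big")
    # f(0) is the secret; the other threshold-1 coefficients are uniformly random.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, share_count + 1)]


def recover_passphrase(shares) -> str:
    """Lagrange-interpolate f(0) from distinct shares and decode the passphrase."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share")
    secret = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    raw = secret.to_bytes((secret.bit_length() + 7) // 8, "big")
    if not raw or raw[0] != 0x01 or len(raw) - 1 > MAX_PASSPHRASE_BYTES:
        raise ValueError("shares do not reconstruct a passphrase (too few, or mixed sets)")
    return raw[1:].decode("utf-8")
```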

What NOT to Do

  • Do not store the passphrase alongside the seed phrase. This eliminates the security benefit entirely.
  • Do not rely solely on memorization. Memory is fallible, especially over years or decades.
  • Do not use a passphrase you cannot reliably reproduce. Remember that case, whitespace, and exact characters all matter.
  • Do not store the passphrase in a password manager that also contains the seed phrase.

Risks and Pitfalls

Risk 1: Permanent Fund Loss from Forgotten Passphrase

This is the greatest risk of using a passphrase. Unlike a seed phrase with a checksum, there is no mechanism to verify whether a passphrase is "correct." If you forget it, misremember it by even one character, or introduce a hidden character (trailing space, wrong Unicode normalization), you will open a different, empty wallet, and your funds are permanently inaccessible.

Mitigation: Test your passphrase thoroughly before sending funds. Set up the wallet, verify the first receiving address, send a small amount, restore from seed phrase + passphrase on a different device, and confirm you can access the funds.

Risk 2: Keylogging During Passphrase Entry

The passphrase must be entered into the wallet at some point. On a software wallet, this means typing it on a computer — where keyloggers or screen recorders could capture it. On a hardware wallet with on-device entry (Coldcard, Trezor), the passphrase is entered on the device screen, which is significantly safer.

Mitigation: Enter the passphrase only on a hardware wallet with on-device entry, or on an air-gapped computer.

Risk 3: Inheritance Complications

Using a passphrase adds complexity to inheritance planning. Your heirs need:

  1. The seed phrase.
  2. The passphrase.
  3. Knowledge that a passphrase exists and is required.
  4. Instructions on how to use it.

If any of these are missing, the inheritance fails. See our Seed Phrase guide for inheritance planning strategies that account for passphrases.

Risk 4: False Sense of Security

A weak passphrase (a single common word, a birthday, a pet's name) can be brute-forced if the attacker has the seed phrase. An attacker with the seed phrase and a GPU cluster can test billions of passphrase candidates against the known PBKDF2 function. Use a strong, randomly generated passphrase.

Risk 5: Typos During Setup

If you set up a wallet with a passphrase that has an unnoticed typo, the wallet will work normally — you will receive funds and transact successfully. But the next time you restore from the seed phrase and enter the passphrase without the typo (or with a different typo), you will get a different wallet. Your funds are now trapped behind the typo.

Mitigation: After setup, immediately restore the wallet on a different device using the seed phrase + passphrase to verify the exact same addresses appear.

The "25th Word" Misconception

The term "25th word" is a simplification that can be misleading:

  • The passphrase is not restricted to BIP-39 word list words. It can be any UTF-8 string.
  • The passphrase is not encoded as an additional mnemonic word — it is used as part of the PBKDF2 salt.
  • The passphrase has no checksum, unlike the mnemonic's final (24th) word, which carries the checksum bits.
  • A 12-word mnemonic can also have a passphrase — it would be the "13th word" by this logic, but the term "25th word" is used generically.

The technically correct term is "BIP-39 passphrase" or "mnemonic passphrase."

SafeSeed Tool

Use the SafeSeed Key Derivation Tool to see how different passphrases generate completely different addresses from the same seed phrase. Enter a test mnemonic with and without a passphrase to observe the effect. All computation runs in your browser — no data is transmitted.

Passphrase vs. Wallet PIN vs. Password

These three concepts are often confused:

Feature               BIP-39 Passphrase          Wallet PIN                        Wallet Password
What it protects      Seed derivation            Device access                     Application access
Where stored          Nowhere (you memorize)     On device                         On device/server
Can be changed        No (creates new wallet)    Yes                               Yes
If forgotten          Funds inaccessible         Device reset, restore from seed   Password reset
Brute-force target    PBKDF2 with seed           Device lockout                    Implementation-dependent
Scope                 All wallets from seed      Single device                     Single application

The passphrase is fundamentally different because it changes the derived keys. A PIN or password simply gates access to keys that already exist on a device.

Advanced Use Cases

Multiple Hidden Wallets

Power users can maintain several wallets from a single seed phrase:

  • Empty passphrase: Small amount (decoy)
  • Passphrase A: Main savings
  • Passphrase B: Trading allocation
  • Passphrase C: Emergency reserve

Each wallet is completely independent. There is no on-chain link between them. The risk scales with the number of passphrases you must remember and back up.

Combining with Multi-Signature

For institutional or very high-value storage, combine a BIP-39 passphrase with multi-signature:

  • Each signer's key is derived from a seed phrase + unique passphrase.
  • An attacker needs to obtain multiple seed phrases AND their corresponding passphrases.
  • This provides multiple independent layers of security.

FAQ

What is the BIP-39 passphrase or "25th word"?

The BIP-39 passphrase is an optional user-chosen string that is added to the seed derivation process (PBKDF2 salt). When used, it causes the same mnemonic seed phrase to generate a completely different set of keys and addresses. It is commonly called the "25th word," though it can be any text string, not just a BIP-39 word.

Can I change my passphrase?

Not in the way a password can be changed. Because the passphrase determines which keys are derived, changing the passphrase means opening a different wallet with different addresses. To "change" your passphrase, you must create a new wallet with the new passphrase and transfer all funds from the old passphrase wallet to the new one.

What happens if I forget my passphrase?

Your funds become permanently inaccessible. There is no recovery mechanism, no reset option, and no way to brute-force a strong passphrase. This is why proper backup of the passphrase is essential.

Is the passphrase stored on my hardware wallet?

Some hardware wallets offer an option to associate a passphrase with a secondary PIN (e.g., Ledger's "Attached to PIN" mode). In this case, a hint or hash is stored on the device for convenience. However, the canonical method is "temporary" mode, where the passphrase must be entered each time and nothing is stored on the device.

Does every wallet support the BIP-39 passphrase?

Most BIP-39 compatible wallets support the passphrase feature, but some do not expose it in their user interface. Check your wallet's documentation. Major hardware wallets (Ledger, Trezor, Coldcard) all support it.

Can an attacker know whether I use a passphrase?

No. Because the default (empty passphrase) also produces a valid wallet, there is no way to determine from the seed phrase alone whether additional passphrase-protected wallets exist. Even if an attacker obtains your seed phrase and finds funds in the base wallet, they cannot know whether passphrase-protected wallets exist.

Is the passphrase case-sensitive?

Yes. "MyPassphrase", "mypassphrase", and "MYPASSPHRASE" all produce different wallets. Whitespace also matters — "my pass" and "mypass" are different. Be extremely precise in recording your passphrase.

Can I use the passphrase with a 12-word seed phrase?

Yes. The passphrase feature works with any BIP-39 mnemonic length (12, 15, 18, 21, or 24 words). The PBKDF2 process is the same regardless of mnemonic length.