The 25th Word (Passphrase)

11 min read · Guide 6 of 7

How an optional BIP39 passphrase creates an additional layer of security on top of your seed phrase — enabling hidden wallets, plausible deniability, and protection against physical seed compromise.

What Is the 25th Word?

The "25th word" is an optional passphrase that you can add on top of your standard 12- or 24-word seed phrase. It is defined in the BIP39 specification and supported by most modern wallets.

Unlike the seed words themselves (which come from a fixed list of 2,048 words), the passphrase is freeform: any string of letters, numbers, symbols, spaces, or Unicode characters. BIP39 itself imposes no limit on length or content, but individual wallets do. Hardware devices in particular cap the length (commonly somewhere between 50 and 100 characters) and may restrict which characters their on-device keyboard can enter, so check the limits of every wallet you might one day need to restore on.

Think of it this way: the seed phrase is the key to your vault, and the passphrase is the combination on the vault's secondary lock. Even if someone finds the key, they still cannot open the vault without the combination.

The critical property of the passphrase is that every different passphrase generates a completely different wallet. Your 24 words with no passphrase leads to wallet A. The same 24 words with passphrase "apple" leads to an entirely separate wallet B. Passphrase "Apple" (capital A) leads to yet another wallet C. Each is independent, with its own keys and addresses.

How Does It Work?

When your wallet converts your seed words into cryptographic keys, it uses a process called PBKDF2 key stretching. The passphrase is incorporated directly into this process as part of the salt:

  1. You enter your 12 or 24 seed words
  2. You enter your passphrase (or leave it blank for no passphrase)
  3. The wallet combines them: seed words as the password, and "mnemonic" + passphrase as the salt
  4. This combination is run through 2,048 rounds of PBKDF2-HMAC-SHA512
  5. The result is a unique 512-bit master seed — from which all keys are derived

Because the passphrase changes the salt, even a single character difference produces a completely different master seed and therefore a completely different set of keys and addresses.

[Diagram: 1. Seed Phrase (12–24 words) + 2. Passphrase (your secret text) → 3. PBKDF2 (2,048 iterations) → 4. Unique Seed (512-bit master seed)]

Key Point The passphrase is case-sensitive and whitespace-sensitive. "MyPassphrase", "mypassphrase", and "MyPassphrase " (trailing space) all produce different wallets. Be extremely precise when setting and entering your passphrase.

Hidden Wallets and Plausible Deniability

One of the most powerful features of the passphrase is the ability to create hidden wallets that provide plausible deniability under duress.

How It Works in Practice

You set up your wallet with a seed phrase and two different passphrases:

  • No passphrase (or a simple passphrase) — leads to a "decoy" wallet with a small, believable balance
  • Your real passphrase — leads to your primary wallet with the majority of your holdings

If someone forces you to reveal your seed phrase (physical coercion, legal compulsion, etc.), you hand over the seed words. They access the decoy wallet and see a balance that looks legitimate. From the seed words alone there is no way to prove that additional passphrase-protected wallets exist; the mnemonic carries no indication of whether a passphrase was ever used. Deniability rests on the mnemonic alone, though: a wallet setting that shows a hidden account, a passphrase saved on a device, a recorded fingerprint, or on-chain transfers between the decoy and the hidden wallet can each reveal that a hidden wallet exists.

Since every passphrase (including an empty one) produces a valid wallet, there is no technical indicator that reveals whether you are using a passphrase or how many passphrase-wallets you have. This is cryptographic plausible deniability.

Important To make the decoy wallet convincing, it should contain a reasonable balance and show normal transaction activity. An empty decoy wallet is not plausible and may escalate the threat.

Risks and Responsibilities

The passphrase is a powerful tool, but it adds complexity and risk that you must manage carefully.

If You Lose the Passphrase

Unlike a website password, there is no recovery mechanism for a forgotten passphrase. If you forget it, you lose access to every asset stored in that passphrase-derived wallet permanently. Your seed phrase alone will only recover the base wallet (no passphrase).

Storage Guidelines

  • Store the passphrase separately from the seed phrase — if they are stored together, the passphrase provides no additional security
  • Use a durable medium for the passphrase — just like the seed, it should survive fire, water, and time
  • Consider storing in a different geographic location from the seed backup
  • Do not make the passphrase so complex that you cannot reliably reproduce it — the risk of losing access through a forgotten or mistyped passphrase is real and must be weighed against the risk of theft

Critical Balance A passphrase protects you from theft but exposes you to loss from forgetfulness. You must balance these risks: a memorable but high-entropy passphrase (a Diceware phrase, for example) that you also record on a physical backup stored separately from the seed. Passphrases that are long strings of arbitrary symbols increase the risk of permanent self-lockout without adding protection you need.

Who Should Use a Passphrase?

  • Yes — users with significant holdings who have a mature backup and recovery practice
  • Yes — users who face physical security threats and need plausible deniability
  • Maybe not — beginners who are still learning seed phrase management basics
  • Maybe not — users who lack a reliable system for storing an additional secret separately

Cryptographic Mechanism

The BIP39 passphrase is integrated into the key derivation process at the PBKDF2 layer. Understanding the exact mechanism reveals why it is so effective:

PBKDF2 Seed Derivation
  seed = PBKDF2(
      PRF:        HMAC-SHA512,
      Password:   mnemonic_sentence,         // space-joined words, NFKD-normalized
      Salt:       "mnemonic" + passphrase,   // literal "mnemonic" prefix + NFKD-normalized user passphrase
      Iterations: 2048,
      dkLen:      64 bytes                   // 512-bit output
  )

Key Properties

  • No validation — any passphrase produces a valid seed. There is no checksum or error detection for the passphrase itself. A typo does not produce an error — it produces a different (empty) wallet.
  • Deterministic — the same mnemonic + passphrase always produces the same seed, on any device, with any compatible software.
  • Salt-based — the passphrase enters the derivation as part of the salt rather than the password. For brute-force cost this distinction is cosmetic (PBKDF2 does the same work either way), but it does mean an attacker cannot precompute candidate passphrases in advance: every guess has to be run against the victim's specific mnemonic, so a table built for one seed phrase is useless against any other.
  • NFKD normalization — per BIP39, both the mnemonic and the passphrase are Unicode NFKD-normalized before processing. This ensures consistent behavior across platforms for non-ASCII characters.
No Typo Protection Unlike the mnemonic words (which have a checksum), the passphrase has zero error detection. If you enter "MyPassphras" instead of "MyPassphrase", you will get a valid but completely different (and empty) wallet with no warning. This is by design — it enables plausible deniability — but it means you must be absolutely precise.
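The derivation described in this section and in "How Does It Work?" above, as an added Python example (standard library only; this is not code from the page). It reproduces the published BIP39 test vector for the all-"abandon" mnemonic with passphrase "TREZOR", then derives seeds for passphrase variants that look alike on screen to show which ones the NFKD step actually equates. The mnemonic is the public test vector and the variant strings are constructed for the demo; never run this with a real seed phrase.

```python
"""BIP39 seed derivation with a passphrase, and what NFKD normalization does and
does not equate. Added example, Python standard library only. Inputs: the public
BIP39 test-vector mnemonic and constructed passphrase variants."""
import hashlib
import unicodedata

# Public BIP39 test vector (all-zero entropy). Never use a published mnemonic for funds.
TEST_MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
                 "abandon abandon abandon abandon abandon about")
# Seed published in the BIP39 test vectors for this mnemonic with passphrase "TREZOR".
TEST_SEED_TREZOR = ("c55257c360c07c72029aebc1b53c05ed0362ada38ead3e3e9efa3708e5349553"
                    "1f09a6987599d18264c1e1c92f2cf141630c7a3c4ab7c81b2f001698e7463b04")


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """seed = PBKDF2-HMAC-SHA512(NFKD(mnemonic), "mnemonic" + NFKD(passphrase), 2048, 64)."""
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, dklen=64)


def seed_variants(mnemonic: str, base: str) -> dict:
    """Derive the seed for look-alike passphrase variants. Returns {label: seed_hex} so the
    caller can see which variants collide (same wallet) and which do not."""
    variants = {
        "exact": base,
        "lowercase": base.lower(),
        "trailing space": base + " ",
        # NFKD decomposes U+00E9 (é) into "e" + U+0301, so both spellings give one seed.
        "composed e-acute": base + "\u00e9",
        "decomposed e-acute": base + "e\u0301",
        # Compatibility decomposition folds the U+FB01 "fi" ligature into the letters f, i.
        "fi ligature": base + "\ufb01",
        "f i letters": base + "fi",
        # A Cyrillic 'а' (U+0430) stays distinct from Latin 'a': NFKD is no confusable filter.
        "cyrillic a": base.replace("a", "\u0430", 1),
    }
    return {label: bip39_seed(mnemonic, p).hex() for label, p in variants.items()}


if __name__ == "__main__":
    assert bip39_seed(TEST_MNEMONIC, "TREZOR").hex() == TEST_SEED_TREZOR
    seeds = seed_variants(TEST_MNEMONIC, "MyPassphrase")
    for label, hexseed in seeds.items():
        same = "same wallet" if hexseed == seeds["exact"] else "DIFFERENT wallet"
        print(f"{label:20} {hexseed[:16]}...  {same}")
```

Two lessons fall out of the variant table: a wallet that skips the NFKD step will disagree with one that performs it on any non-ASCII passphrase, which is why cross-wallet restore tests matter before funding, and visually identical characters from different scripts remain different passphrases, so a passphrase should be verified by fingerprint, not by eye.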

Passphrase Entropy Analysis

The security benefit of a passphrase depends on its entropy. A weak passphrase can be brute-forced by an attacker who already has the seed phrase.

Attack Scenario

If an attacker obtains your 24 seed words but not your passphrase, they must brute-force the passphrase to access your funds. The cost of this attack depends on:

  1. The entropy of the passphrase (search space)
  2. The cost of each guess (PBKDF2 with 2,048 iterations of HMAC-SHA512, followed by BIP32 derivation and address checking)

Passphrase Entropy Guidelines

  • 4-character PIN — ~13 bits of entropy. Crackable in seconds. Not recommended.
  • Common English word — ~11 bits. Dictionary attack trivial.
  • 3-word Diceware passphrase — ~39 bits. Resistant to casual attackers but vulnerable to determined, well-funded adversaries.
  • 5-word Diceware passphrase — ~65 bits. Provides strong protection even against well-resourced attackers.
  • 8+ random alphanumeric characters — ~48 bits. Adequate for most threat models.

PBKDF2 Brute-Force Cost

The 2,048 PBKDF2 iterations provide only a modest computational barrier. As a rough estimate, a modern GPU can test on the order of 100,000-500,000 passphrases per second (PBKDF2 plus the BIP32 derivation and address comparison for each guess); faster hardware only shifts the figures below by a constant factor. With a cluster of 10 GPUs at 500,000 guesses per second each (5 million guesses per second in total):

  Passphrase entropy    Time to exhaust the search space
  20 bits               ~0.2 seconds
  30 bits               ~3.5 minutes
  40 bits               ~2.5 days
  50 bits               ~7 years
  60 bits               ~7,300 years
  80 bits               ~7.7 billion years

On average the correct passphrase turns up after half the space has been searched, so the expected time to crack is half of the figure shown.
Recommendation Aim for at least 50 bits of passphrase entropy for meaningful protection; the table above shows that 40 bits falls in days to a small GPU cluster. A 4-5 word Diceware passphrase or a 10+ character random alphanumeric string achieves this comfortably. Avoid common phrases, dictionary words, song lyrics, dates, or predictable patterns: these are the first candidates any cracker tries.

Implementation Across Wallet Software

While the BIP39 passphrase is a standard, its implementation varies across wallet software and hardware devices:

Hardware Wallets

  • Ledger — supports passphrase entry via the device itself (temporary or attached to a PIN). Temporary passphrases must be re-entered each session. PIN-attached passphrases create a persistent second "hidden" account.
  • Trezor — passphrase can be entered on the host computer or on the device itself (touchscreen on the Model T and Safe 5; button entry on the Safe 3). Host entry is exposed to keyloggers; on-device entry is preferred.
  • Coldcard — supports on-device passphrase entry with the option to save an encrypted version on the device. Also supports multiple passphrase slots.
  • Keystone — passphrase entered via the device's touchscreen, fully air-gapped from the host.

Software Wallets

  • Sparrow — supports passphrase during wallet creation and restore. Displays the passphrase-derived fingerprint so you can verify you entered it correctly.
  • Electrum — supports BIP39 passphrase during seed import (must enable BIP39 mode).
  • BlueWallet — supports passphrase for BIP39 wallets during creation.
Fingerprint Verification Many wallets display a "master fingerprint" after you enter the passphrase: the first 4 bytes of HASH160 (RIPEMD-160 of SHA-256) of the compressed BIP32 master public key. Record this fingerprint when you first set up the wallet and compare it on every restore: a different fingerprint means a different passphrase (or a typo), and a chance match with a wrong passphrase is a roughly 1-in-4-billion event. Two caveats: the fingerprint is an identifier, not a secret, so it reveals nothing about your keys, but storing it next to the seed backup tells anyone who finds both that a passphrase-protected wallet exists, which weakens plausible deniability.
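The fingerprint check just described, together with the attack scenario from the Passphrase Entropy Analysis section, as one added Python example (standard library only; not code from the page or from any wallet project). It derives the BIP32 master node from a BIP39 seed and prints the master fingerprint for a few passphrases, then plays the attacker: given the test-vector mnemonic and a leaked master public key (the kind of oracle an attacker gets from an xpub, a watch-only wallet, or a funded address), it runs a small dictionary with the case/digit/symbol mangling rules crackers apply. The secp256k1 arithmetic is a plain affine double-and-add written for readability, not constant time. The mnemonic is the public BIP39 test vector; the "victim" passphrase and the candidate word list are constructed for the demo.

```python
"""BIP32 master node, master fingerprint, and a passphrase dictionary attack.
Added example, standard library only. Inputs: the public BIP39 test-vector mnemonic,
a constructed weak passphrase and a constructed candidate list."""
import hashlib
import hmac
import itertools
import unicodedata

TEST_MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
                 "abandon abandon abandon abandon abandon about")

# secp256k1 domain parameters (SEC 2 standard constants).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def bip39_seed(mnemonic, passphrase=""):
    """BIP39: PBKDF2-HMAC-SHA512(NFKD(mnemonic), "mnemonic" + NFKD(passphrase), 2048 rounds)."""
    nfkd = lambda s: unicodedata.normalize("NFKD", s)
    return hashlib.pbkdf2_hmac("sha512", nfkd(mnemonic).encode(),
                               ("mnemonic" + nfkd(passphrase)).encode(), 2048, 64)


def _add(a, b):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return x, (lam * (a[0] - x) - a[1]) % P


def _mul(k, pt=G):
    """Double-and-add scalar multiplication. Not constant-time: fine for a demo, not for signing."""
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt = _add(pt, pt)
        k >>= 1
    return acc


def master_node(seed):
    """BIP32 master key: I = HMAC-SHA512(key=b"Bitcoin seed", seed); k = I[:32], chain = I[32:]."""
    i = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    k = int.from_bytes(i[:32], "big")
    if not 0 < k < N:  # invalid per BIP32; probability about 2^-128
        raise ValueError("invalid master key")
    return k, _mul(k), i[32:]


def compress(point):
    """SEC1 compressed encoding: 0x02/0x03 parity prefix + 32-byte x coordinate."""
    x, y = point
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")


def master_fingerprint(seed):
    """First 4 bytes of HASH160(compressed master pubkey). RIPEMD-160 comes from OpenSSL and
    is absent on some Python builds; return None there rather than a wrong value."""
    _, point, _ = master_node(seed)
    try:
        rmd = hashlib.new("ripemd160")
    except ValueError:
        return None
    rmd.update(hashlib.sha256(compress(point)).digest())
    return rmd.digest()[:4]


def mangle(words):
    """Constructed mangling rules of the kind crackers apply: case variants plus common suffixes."""
    for w, suf in itertools.product(words, ["", "1", "!", "123", "2024"]):
        for form in (w, w.capitalize(), w.upper()):
            yield form + suf


def crack(mnemonic, target_pub, candidates):
    """Attacker model: has the mnemonic and a leaked master public key. Returns the first
    candidate passphrase that reproduces the key, and the number of guesses it took."""
    tried = 0
    for cand in candidates:
        tried += 1
        _, point, _ = master_node(bip39_seed(mnemonic, cand))
        if compress(point) == target_pub:
            return cand, tried
    return None, tried


# Constructed victim: a weak passphrase, and the master public key that leaked.
VICTIM_PASSPHRASE = "Satoshi2024"
WORDS = ["password", "bitcoin", "satoshi", "hodl", "trezor"]
LEAKED_PUB = compress(master_node(bip39_seed(TEST_MNEMONIC, VICTIM_PASSPHRASE))[1])

if __name__ == "__main__":
    for pp in ("", "TREZOR", VICTIM_PASSPHRASE):
        fp = master_fingerprint(bip39_seed(TEST_MNEMONIC, pp))
        print(f"passphrase={pp!r:14} fingerprint={fp.hex() if fp else 'ripemd160 unavailable'}")
    found, tried = crack(TEST_MNEMONIC, LEAKED_PUB, mangle(WORDS))
    print(f"recovered passphrase: {found!r} after {tried} guesses")
```

The cracker needs only a comparison oracle, not the passphrase-derived seed itself, which is why a leaked xpub, a fingerprint written next to the seed, or a known funded address is all an attacker who already holds the 24 words requires. Swapping the 75-entry constructed list for a real wordlist and rule set is the entire difference between this demo and the attack the entropy table prices.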

Advanced Passphrase Strategies

Beyond the basic hidden wallet use case, the passphrase enables several advanced security configurations:

Multi-Tier Wallet Architecture

Use multiple passphrases with the same seed to create a tiered structure:

  • No passphrase — decoy wallet with minimal funds
  • Passphrase A — medium-security wallet for regular transactions
  • Passphrase B — high-security cold storage for long-term holdings

Each tier has its own addresses, keys, and balances. Compromise of one passphrase does not affect the others.

Passphrase + Multi-Sig

For maximum security, combine the passphrase with a multi-sig setup. Each cosigner's key can be passphrase-protected independently, creating a layered defense: an attacker must obtain M seed phrases and their corresponding passphrases to sign a transaction.

Geographic Separation Pattern

  • Location A (home safe) — Seed phrase backup on metal plate
  • Location B (bank safety deposit box) — Passphrase backup on metal plate
  • Location C (trusted family member) — Second copy of seed phrase (for disaster recovery)

An attacker must compromise two separate secure locations to access funds. A natural disaster destroying Location A still allows recovery using Locations B + C.

Threat Model Integration

The passphrase protects against specific threat scenarios and is ineffective against others. Understanding its place in your threat model is essential:

Effective Against

  • Physical seed compromise — if someone finds or photographs your seed phrase, they still cannot access passphrase-protected funds
  • Coercion (with decoy) — you can surrender the seed phrase and demonstrate a plausible decoy wallet
  • Insider threats — a family member or roommate who discovers your seed backup cannot access the passphrase wallet
  • Weak or pre-loaded seeds — if a device's random number generator was backdoored, or the seed was pre-generated by an attacker (for example on a "recovery card" shipped with a tampered device), a strong passphrase keeps the funds out of reach because the attacker cannot predict it. This does not extend to malicious firmware, which sees the passphrase when you type it on the device (see below)

Not Effective Against

  • Malware on the passphrase-entry device — a keylogger captures the passphrase as you type it
  • Compromised wallet software — malicious software can exfiltrate both the seed and passphrase during entry
  • Camera surveillance — if your passphrase is captured on video during entry
  • Repeated coercion — an attacker who suspects a hidden wallet may not accept the decoy and escalate threats
Defense in Depth The passphrase is one layer in a multi-layer defense. It should complement (not replace) proper seed storage, hardware wallet usage, and operational security practices. No single measure is sufficient on its own.

[ INTERACTIVE SIMULATOR ]

Passphrase Effect Simulator

Type any passphrase and watch the BIP39 seed and Bitcoin addresses change in real time — one character at a time. The seed phrase below is a well-known BIP39 test vector, safe for demonstration only. Never enter your real seed phrase into any website.

[Interactive widget, not reproduced here. Inputs: a fixed 12-word BIP39 test vector and a passphrase (empty passphrase gives the standard wallet; every character changes the result; case-sensitive). Outputs: the 512-bit BIP39 seed, computed as
  seed = PBKDF2(HMAC-SHA512, password=mnemonic, salt="mnemonic" + passphrase, iter=2048, dkLen=64)
and the derived P2PKH addresses at m/44'/0'/0'/0/x on Bitcoin mainnet.]
