ledger-nano-guide.com
Login
Independent review. This site is not the official website and is not affiliated with, endorsed by, or operated by the wallet vendor reviewed here. Never enter your seed phrase or private keys on any third-party site.

Passphrase (25th word) — benefits, risks and recovery traps

Leon Kozlov Leon Kozlov
Try Tangem secure wallet →

What is the passphrase (25th word)?

The "passphrase" often gets called the "25th word" because it is an extra input added on top of a standard 12- or 24-word seed phrase (recovery phrase). Technically this is an optional BIP-39 passphrase: it is not one of the 24 words, but rather an additional string you supply when deriving your wallet keys. See the BIP-39 specification for the exact derivation method (PBKDF2 with salt "mnemonic" + passphrase) (BIP-39).

Why do people use it? Because a passphrase creates a "hidden wallet": the same 24-word seed + different passphrases => different wallets. That property is powerful. And it is dangerous if used without planning.

How the passphrase actually works (simple tech)

  • BIP-39 defines a seed derivation that takes your mnemonic (seed phrase) and an optional passphrase as inputs. The passphrase is concatenated to the word "mnemonic" and used as the PBKDF2 salt to produce the binary seed (BIP-39 spec).
  • The resulting seed is what hierarchical deterministic (BIP-32) wallets use to derive private keys and accounts (BIP-32).

In practice that means: forget the passphrase and you can still reconstruct the original wallet(s) that were created with an empty passphrase — but you cannot reconstruct any wallets that required a non-empty passphrase. The passphrase is not stored in the seed phrase or on the device.

Benefits: what you get with a passphrase

  • Hidden wallets and plausible deniability. One physical seed phrase can unlock multiple wallets depending on the passphrase entered. This helps separate funds without carrying multiple seeds.
  • Additional layer beyond the seed phrase. If someone finds your 24-word seed phrase, they still need the passphrase to reach the funds protected by it.
  • Flexible compartmentalization. You can use different passphrases for savings, daily spending, custodial-style accounts, or testnets.

In my testing, the passphrase feature is most useful when combined with a clear operational plan (what passphrase controls which funds, and where that passphrase is stored). Without a plan, the benefit quickly becomes a liability.

Try Tangem secure wallet →

Risks and common recovery traps

  • Forgotten passphrase = permanent loss. If you lose the passphrase for a particular hidden wallet, no amount of searching the 24 words will recover those funds. That’s a factual, repeatable property of the BIP-39 derivation.

  • Weak or guessable passphrases are attackable. A short, dictionary phrase or personal datum (birthdate, pet name) is susceptible to brute-force or informed guessing.

  • Storing the passphrase insecurely (cloud, phone notes, synced password managers) can negate the security benefit. Password managers that sync to the cloud increase the attack surface.

  • Cross-device differences and UI traps. Some wallet apps accept any Unicode passphrase, some restrict characters or length, and some implement passphrase entry off-device (host typing) which can expose the passphrase to a compromised computer. Always verify how a particular hardware wallet implements passphrase entry (device vs host) before relying on it.

  • False sense of redundancy. People sometimes write down the 24 words and assume that’s sufficient. But if funds were put into a hidden wallet protected by a passphrase, the written 24 words alone are not enough for recovery.

For technical reference, consult BIP-39 and the SLIP-0039 Shamir backup proposal (an alternative approach to redundancy) (SLIP-0039).

Practical setup: step-by-step checklist

  1. Decide whether you truly need a passphrase. Ask: will this add meaningful security, or just complexity? (Short answer: high-net-worth holders and people who need plausible deniability often benefit.)
  2. Choose the input method. Prefer entering the passphrase directly on the hardware wallet screen whenever possible (reduces host compromise risk).
  3. Pick a strong passphrase (guidance below).
  4. Test with small funds. Create a hidden wallet, receive a small amount, then fully restore that hidden wallet on a separate device using only your 24-word seed + passphrase.
  5. Document your recovery plan. Who inherits this information? Where are the backups? Link that plan to your sealed, offline backups (see backup-and-recovery and seed-phrase-management).
  6. Never use cloud-synced text notes to store the passphrase.

Need a more device-specific walk-through? See the general device setup guides: setup-initial and restore-recovery.

Choosing a passphrase: format and storage advice

  • Prefer length over complexity. A long, random phrase (four or more unrelated words) typically gives more entropy than a short string with special characters.
  • Avoid personal or guessable data (names, dates, favorite sports teams).
  • Consider using a physical backup: metal backup plates are resilient (see metal-backup-plates).
  • If you must use a digital password manager, keep the passphrase entry offline and avoid cloud sync.

What I advise in practice: create a clear naming/usage convention (e.g., “savings-v1”), store it on metal, and test recovery annually. But everyone’s threat model is different.

Alternatives and a quick comparison

Option How it works Best for Downsides
Passphrase (BIP-39, “25th word”) Adds an optional string to the mnemonic derivation so the same seed produces separate wallets Single-seed compartmentalization; plausible deniability Forgetting it loses funds; user-managed security
SLIP-0039 (Shamir backups) Split seed into multiple shares; a threshold is needed to recover Redundancy and distributed custody More complex recovery; tool and compatibility limits (shamir-backup-slip39)
Multisig Funds require multiple signatures from different keys/devices High-security custody; fault tolerance Requires compatible wallets and coordination (multisig)

Choose based on your operational needs. Multisig is often safer for long-term, high-value storage, but requires more setup and compatible wallet support.

Common mistakes and how to avoid them

  • Mistake: Writing the passphrase on the same paper as the 24-word seed. Don’t do that.
  • Mistake: Relying on memory without any backup, especially for high-value holdings.
  • Mistake: Entering passphrase on a compromised host; test on an air-gapped or device-first workflow (air-gapped).
  • Mistake: Assuming passphrase behaviors are identical across wallets—check docs and test restores.

For other frequently seen errors, read the guides on common-mistakes and where-to-buy-safely.

FAQ — real user questions

Q: Can I recover my crypto if the device breaks? A: Yes, if you have your 24-word seed phrase and the passphrase (if used). If the passphrase is lost for a hidden wallet, that wallet’s funds cannot be recovered. See device-broken and restore-recovery.

Q: What happens if the company that made my hardware wallet goes bankrupt? A: Your keys are derived from your seed phrase and passphrase; hardware vendor failure doesn’t inherently delete your funds. Still, vendor support affects firmware and tooling (see company-risk).

Q: Can someone brute-force the passphrase? A: Short or guessable passphrases can be brute-forced. Long random passphrases greatly increase the time and cost to attack. Use length and randomness.

Q: Is Bluetooth safe for a hardware wallet when using a passphrase? A: Bluetooth adds a wireless layer that some users prefer to avoid for high-value operations. The bigger risk for passphrase security is host compromise and where the passphrase is entered. See connectivity-usb-bluetooth-nfc.

Conclusion and next steps

A passphrase (the so-called 25th word) is a powerful security tool when used deliberately: it gives hidden wallets and an extra factor, but it also creates a single-point-of-failure if the passphrase is lost or handled poorly. I believe a passphrase makes sense for users who have a clear backup and inheritance plan and who are willing to test restores regularly. For others, multisig or Shamir-style backups may be safer.

Start small: test your chosen workflow with tiny amounts, confirm restores on a separate device, and document who can access recovery information. If you want detailed, device-specific instructions and walkthroughs, see our related guides: seed-phrase-management, backup-and-recovery, shamir-backup-slip39, and multisig.

(Technical references: BIP-39 and BIP-32 specifications linked above; SLIP-0039 for alternative backup strategies.)

If you have a specific scenario—inheritance, high-net-worth storage, or daily-spend split—I can outline a custom plan step-by-step. Want one? Click through the related guides and I’ll help map a safe approach.

Try Tangem secure wallet →