Passphrase (25th Word)

What Is a Passphrase (25th Word)?

A passphrase, often called the "25th word," is an optional user-chosen password that gets combined with a seed phrase during key derivation. While a standard 24-word seed phrase already encodes enough entropy to secure a wallet, the passphrase acts as an additional input to the key derivation function, producing a completely different master key and therefore a completely different set of addresses.

The concept was formalized in BIP-39, which defines how mnemonic seed phrases are converted into binary seeds. The specification includes a passphrase parameter in the PBKDF2 key stretching step: when no passphrase is provided, an empty string is used by default. Any non-empty passphrase produces an entirely different seed, which in turn derives a different HD wallet tree with different keys, addresses, and balances.

The term "25th word" is informal and somewhat misleading: unlike the 24 mnemonic words, the passphrase is not drawn from a fixed word list and can be any arbitrary string of characters, including spaces, numbers, and symbols.

How It Works

The passphrase modifies key derivation at a specific point in the BIP-39 process. Understanding where it fits requires tracing the full path from mnemonic to master key:

1. The user generates or records a 12- or 24-word mnemonic from the BIP-39 word list
2. The mnemonic is converted to its UTF-8 byte representation
3. A salt is constructed by concatenating the fixed string "mnemonic" with the passphrase (if any)
4. PBKDF2-HMAC-SHA512 runs 2,048 iterations using the mnemonic as the password and the salt as input
5. The output is a 512-bit (64-byte) binary seed
6. This seed is fed into HMAC-SHA512 to derive the master private key and chain code for the HD wallet

Derivation Pseudocode

The key derivation step where the passphrase enters the process:

# BIP-39 seed derivation
mnemonic = "abandon abandon abandon ... about"  # 24 words
passphrase = "mySecretPassphrase"                # user-chosen

# The passphrase modifies the salt
salt = "mnemonic" + passphrase
# Without passphrase: salt = "mnemonic"
# With passphrase:    salt = "mnemonicmySecretPassphrase"

# PBKDF2 key stretching
seed = PBKDF2(
    password  = mnemonic (UTF-8 NFKD normalized),
    salt      = salt (UTF-8 NFKD normalized),
    rounds    = 2048,
    algorithm = HMAC-SHA512,
    key_len   = 64 bytes
)

# Same mnemonic + different passphrase = completely different seed
# seed_a = derive("abandon..about", "")         -> 0x5eb00...
# seed_b = derive("abandon..about", "hunter2")  -> 0x2e8905...
# seed_c = derive("abandon..about", "hunter3")  -> 0xf3a219...

Because the passphrase changes the salt input to PBKDF2, even a single-character difference produces a completely unrelated 512-bit seed. There is no mathematical relationship between wallets derived from different passphrases on the same mnemonic.

No Checksum Validation

A critical property of the passphrase is that any input is valid. The BIP-39 mnemonic words have a built-in checksum: if you mistype a word, the wallet software can detect the error. Passphrases have no such protection. Entering "MyPassphrase" vs "mypassphrase" vs "MyPassphrase " (with a trailing space) will each silently produce different wallets with different addresses and zero balances.

This means the wallet software cannot tell you if your passphrase is "wrong." It will always derive a valid wallet. If the resulting wallet is empty, you have no way to know whether you mistyped the passphrase or simply have no funds at those addresses.

Use Cases

Plausible Deniability (Duress Wallets)

The most cited use case for passphrases is plausible deniability. A user can maintain multiple wallets from the same seed phrase by using different passphrases:

• No passphrase (empty string): a decoy wallet with a small balance
• Passphrase A: a secondary wallet with moderate funds
• Passphrase B: the primary wallet with the majority of holdings

If compelled to reveal a wallet under duress (physical threat, border crossing, legal order), the user can provide the seed phrase without any passphrase or with the decoy passphrase. The attacker sees a valid wallet with funds and has no way to determine whether additional passphrase-protected wallets exist. There is no cryptographic evidence that a passphrase is in use.

This pattern is sometimes called a "duress wallet" or "$5 wrench attack" defense, referencing the scenario where physical coercion is used to extract wallet access.

Additional Security Layer

Even without the deniability angle, a passphrase adds a second factor to wallet security. If an attacker obtains your seed phrase (through theft, social engineering, or a compromised backup), they still cannot access your funds without the passphrase. This converts your wallet backup from a single-factor system (something you have: the seed) to a two-factor system (something you have plus something you know).

This is particularly relevant for users who store seed phrase backups in locations that may be physically accessible to others: safe deposit boxes, home safes, or metal backup plates. The passphrase can be stored separately or memorized, ensuring that compromise of the physical backup alone is insufficient.

Multi-Account Segregation

Some users employ passphrases to maintain logically separate wallets from a single seed phrase. For example, a business might use one passphrase for operational funds and another for long-term reserves. Each passphrase produces an independent HD wallet tree with its own set of accounts and addresses, while requiring only one mnemonic to back up.

Backup Considerations

Passphrase security depends entirely on proper backup strategy. The core principle: the passphrase and the seed phrase should never be stored together. If both are in the same location, the passphrase provides no additional security.

Separation Strategies

• Store the seed phrase on a metal backup plate in a secure physical location (safe, vault)
• Store the passphrase in a different physical location or medium
• Consider splitting passphrase knowledge across trusted parties (e.g., half to a family member, half to a lawyer)
• Use a password manager for the passphrase, with the seed phrase stored offline and never digitally

Password Managers

A reputable password manager (1Password, Bitwarden, KeePassXC) can be a reasonable place to store a passphrase, provided the seed phrase itself is not stored digitally. This approach gives you:

• Encrypted storage with strong master password protection
• Cross-device access for passphrase retrieval
• Protection against physical theft of the passphrase

The tradeoff is that you now depend on the password manager's availability and your ability to access it. If you lose access to both your password manager and your memory of the passphrase, your funds are unrecoverable.

Inheritance Planning

Passphrases complicate inheritance. If the passphrase holder dies or becomes incapacitated without sharing the passphrase, funds are permanently lost. Users employing passphrases should include them in their estate plan: either through a trusted attorney, a sealed envelope in a separate safe deposit box, or a dead man's switch service.

Risks and Considerations

Forgotten Passphrase Means Lost Funds

This is the single biggest risk. Unlike a forgotten password on a web service, there is no "reset" option. The passphrase is a cryptographic input: if you lose it, no one (not the wallet developer, not the Bitcoin network, not any authority) can recover your funds. The wallet derived from your correct seed phrase plus the wrong passphrase will simply be empty.

If you suspect you may have a typo in your passphrase, brute-forcing variations is possible when you know the approximate passphrase and only a few characters are wrong. But if the passphrase is long and entirely forgotten, recovery is computationally infeasible.

No Typo Detection

As noted above, there is no checksum. Every passphrase produces a valid wallet. This means a typo during initial setup can go undetected: you fund an address derived from a mistyped passphrase, and only discover the error when you try to access funds later and the wallet appears empty. Always verify the receiving address matches after entering your passphrase, before sending funds.

Complexity vs. Security Tradeoff

Adding a passphrase increases the complexity of your backup and recovery process. Users who struggle to securely manage a 24-word seed phrase may find that adding a passphrase increases the risk of loss more than it reduces the risk of theft. For most users holding moderate amounts, a properly secured seed phrase without a passphrase may be the better approach. Passphrases are most appropriate for users with significant holdings and the discipline to maintain rigorous backup procedures.

Hardware Wallet Support

Most hardware wallets support BIP-39 passphrases, but implementations vary. Some devices store the passphrase temporarily in memory and require re-entry each session. Others allow saving a passphrase to a specific PIN. Review your device's documentation to understand how it handles passphrases and ensure you are comfortable with the workflow before committing funds.

For deeper exploration of key management strategies and cryptographic wallet architectures, see the research on Bitcoin multisig wallets and FROST threshold signatures.

This glossary entry is for informational purposes only and does not constitute financial or investment advice. Always do your own research before using any protocol or technology.