Need an extra layer of security for your Ledger device? Interested in how to protect your bitcoins and cryptocurrencies with a secret passphrase on Ledger?
You are well aware that when you initially set up your Ledger Nano (whether Ledger Nano S or Ledger Nano X), the device generates and provides you with a 24-word recovery phrase. These 24 words are critical because they provide backup of your private keys and access to your accounts. Simply put, all of your cryptocurrency wallet accounts/addresses and their private keys are derived from this 24-word recovery phrase. This is the only backup of all your assets that you manage with Ledger.
We hope that you have saved the recovery phrase in a safe place where no one can access it. Write down the passphrase and store it offline. Never take a screenshot or enter it on a PC or any other device connected to the Internet.
If someone gets hold of your 24-word recovery phrase, they can access your accounts and steal all your cryptocurrencies. How about so that even if your seed is compromised, the attacker cannot access your funds. This can be achieved by adding a passphrase or additional word of your choice on top of the 24-word recovery phrase. This can be a set of words or just a single word; this is why passphrases are also sometimes referred to as 25-word passphrases.
Here we’ll look at how to set up passphrase protection on your Ledger Nano device to increase the security of your wallet. We’ll show you how to set up a secret passphrase and unlock hidden accounts. Once set up, we’ll also show you how to switch between standard and passphrase protected accounts.
Before we get to that, let’s first understand what is a standard and passphrase protected account? Also, let’s understand the difference between a recovery passphrase and a passphrase.
What is a passphrase?
Passphrase is an advanced security feature that allows you to add an additional word or phrase to your recovery phrase. It is not a password that protects existing accounts. Instead, it adds an additional word to your existing 24-word recovery phrase. For this reason, it is also referred to as the 25th word.
Unlike the 24-word recovery phrase that is generated by your wallet, the 25th word (passphrase) is chosen by you. You can add a passphrase next to your wallet backup, which is a 24-word mnemonic seed, and it opens up a whole new set of accounts for you. Not just one passphrase, but you can use and manage multiple passphrases on top of your recovery passphrase. Each customization creates a completely different set of wallets.
You can use this advanced security feature on hardware wallets like the Ledger Nano S or Ledger Nano X to unlock a whole new set of accounts.
So why unlock a whole new set of accounts? How does passphrase work and what are the benefits of adding a passphrase?
Why use a passphrase?
By default, your Ledger wallet does not use a passphrase. It simply uses a 24-word recovery phrase for account output, treating it as an “empty” passphrase.
The passphrase now adds an extra layer of security. When you use it, someone with access to only your 24-word recovery passphrase will not be able to access your cryptocurrencies. In addition to the 24 words, they will also need a self-created 25th word or passphrases to gain access to your wallet. This is why passphrase driven accounts are often referred to as hidden accounts.
Accounts accessed with a passphrase (hidden accounts) can be managed with Ledger Live just like standard accounts. If you only use 24 words, it is a standard account. If you use a passphrase along with passphrase recovery, these are passphrase protected hidden accounts.
Now let’s take a look at how passphrases work.
How does the passphrase work?
When you set Ledger, the device generates a long random number which is then converted into 24 words. This is the BIP39 standard, and different wallets do it differently.
The recovery phrase or mnemonic seed that your wallet generates is human readable and can be either 12 or 24 words. Ledger, Trezor and other hardware wallets support both 12 and 24 words. But when you initially set up your wallet, the device generates 24 words. All your accounts, addresses, and private keys are generated from this 24-word recovery phrase.
In addition to these 12 or 24 words that are generated automatically, if you use your own passphrase, then your accounts, addresses and wallet private keys are generated from 24 words of recovery phrase + passphrase.
Here’s a simple formula:
If you don’t use passphrase: Backup Wallet 24 recovery words + ” (empty passphrase) ” = Normal Wallet.
If you use the passphrase: Backup Wallet + Passphrase = Hidden Wallet.
With one wallet backup, you can use multiple passphrases. Each passphrase can be a word or phrase of your choice, and each passphrase unlocks a new wallet. It’s like having totally different passphrases to restore, as every passphrase generates totally different seeds.
Passphrase can be a combination of up to 100 words/symbols. But remember that when using passphrase, your wallet configuration depends entirely on your passphrase. To recover your wallet, you will need both a 24-word recovery phrase and a passphrase. If you have the recovery phrase, but you lose your passphrase, you will lose access to the funds that are stored in your passphrase-protected accounts. Therefore, when using a passphrase, be sure to back up your passphrase.
Advantages of adding a passphrase
Passphrase adds another layer of security to the standard 24-word recovery passphrase that provides access to a new set of accounts.
With passphrase, your crypto assets will be protected even if your 24-word recovery passphrase is compromised. After all, an attacker needs both your recovery passphrase and your secret passphrase to gain access to your hidden wallet.
By having different passphrases, you can unlock a unique set of accounts for different cryptocurrencies. You don’t need to use or maintain different 24-word recovery passphrases to do this. There is also no such thing as a “wrong” passphrase. You can use as many passphrases as you want, and simply changing the 25th word opens you up to a completely different wallet.
In addition to providing security and unlocking new accounts, passphrases also give you the ability to plausibly deny guilt when you’re in a tight spot.
What is plausible deniability?
It all depends on how you want to manage your accounts. For example, you can use your Ledger to simultaneously manage both a regular account and hidden passphrase protected accounts.
You can use your regular wallet as an everyday wallet or as a checking account where you keep only a small amount of cryptocurrency. While hidden password protected accounts you can use as a secure wallet to store most of your funds.
If an attacker visits your location and forces you to unlock your Ledger, you can simply show your regular account. The attacker will never know that you have a secret wallet with most of your assets hidden in it. The attacker will simply empty what’s left in your regular wallet, thinking that’s all you have.
A hidden passphrase protected wallet stays hidden, and this takes your wallet security to a new level.
Important characteristics of the passphrase
Passphrase is also known as the 25th word, which can be a word or phrase of your choice and support up to 100 characters maximum.
Passphrases are case sensitive. They support uppercase and lowercase letters, numbers, and symbols. For example, “passphrase” and “PASSPHRASE” are distinct and are considered different. So if you use a passphrase, store it securely and make sure it is perfect, character by character.
Any passphrase is valid. That is, if you set up a passphrase and use the wrong one, don’t expect the wallet to give an “invalid passphrase” error message. A passphrase is different from a password, and every passphrase next to your 24-word recovery phrase will result in a different, empty wallet.
A wrong passphrase will only result in the creation of a new wallet. Therefore, make sure you enter the backup correctly when setting it up.
Unlike recovery phrases, passphrases are not stored on your device. As with a PIN, you will have to enter it each time to access a passphrase-protected wallet.
To recover a hidden wallet, you will need a recovery passphrase (a 24-word wallet backup) and the passphrase you used. If you forget or lose the passphrase, you will lose access to your funds.
Before we add a passphrase, here are some additional frequently asked questions:
I have already configured a Ledger Nano S or Nano X, but have not used a passphrase. Is it possible to add a passphrase to an already configured device?
Of course, you can install and use passphrase on an already configured Ledger device. But remember that passphrase generates a different account, not a 24-word wallet. This means you won’t lose any money you have in your existing wallet. You are simply creating a new set of accounts. So if you have funds in your standard 24 words wallet, once you set up a passphrase account, you can send them to your new wallet address.
How do I choose the 25th word or passphrase?
The choice of passphrase is entirely up to you. The passphrase can be up to 100 characters long, so you can choose a letter, word, sentence, or just gibberish. It also supports space, uppercase and lowercase letters, numbers and symbols.
But calling passphrase “25 word” is quite misleading, and remember that choosing a simple word can be easily overpowered by brute force. This is called passphrase, and you should choose a strong passphrase to ensure high security. Also be sure to write it down.
How long should the passphrase be?
First of all, do not use a single word. To significantly increase security, the passphrase should consist of several sentences (with or without spaces) and be easy for you to remember. As a rule, it should be longer than 20 characters and limited to 100 characters.
There are no recommendations for passphrase length. Just try to find a good balance between security and ease of use for future customization and backup.
Ledger Nano passphrase on Trezor and other wallets?
Password is a security feature that you can find in all BIP39 wallets and also supported by BIP44 wallet including hardware wallets such as: Trezor, Cobo Vault, Safepal etc. So you don’t need to worry about recovery.
Even if Ledger goes out of business or you lose your device, you can use any of these BIP39 wallets to recover both your standard and secret hidden accounts. All of these wallets support BIP39 12 word and 24 phrase recovery along with passphrase.
You can use a passphrase protected Ledger wallet on most wallets just fine. But there is one limitation with Trezor. While Ledger supports passphrase lengths up to 100 characters, Trezor only supports a maximum passphrase length of 50 characters.
How do you store the passphrase?
Store the passphrase the same way you stored the 24-word recovery phrase. Write it down on a piece of paper and store it in a secure physical location. Never on the Internet.
It is best to keep the passphrase and a backup copy of the 24-word recovery passphrase separately. By storing them in different locations, an attacker will not be able to get them both to access your funds.
Passphrase on Ledger Nano S and Nano X
Now, before you set up and use passphrase protected accounts in Ledger Wallet, note that this is an advanced feature. Make sure you fully understand it because many people lock themselves out by making it difficult to set up.
Simply put, we will show you how to set up and restore Ledger using passphrase. But if you find it hard to figure out, then continue using your normal account by simply using the 24-word backup restore passphrase.
Ledger Nano S and Nano X passphrase setting
Before you begin, we recommend that you read the above to familiarize yourself with how the passphrase works. We also hope that your Ledger device is ready and your 24-word recovery passphrase is saved in a safe place. You will need to install the Ledger live software on your computer to manage your default and hidden accounts. We hope you have it ready as well.
Ledger Nano S
Connect Ledger Nano S and enter your PIN to unlock your wallet.
Go to settings and hold down both buttons to open the settings menu. Press both buttons on settings again and go to Settings >> Security >> Passphrase.
Go past the warning and select Customize passphrase.
Ledger Nano X
Connect the Ledger Nano X device to a PC and enter the PIN code to unlock the wallet.
Go to the Control Center by holding down both buttons.
Next, go to Settings >> Security >> Password and select the passphrase setting.
Now you will find two options “Attach to PIN” and “Set as temporary”. Further everything is the same for Ledger Nano S and Nano X.
Attach to a PIN and set as temporary
After setting the passphrase, the Ledger device gives you 2 options.
1. Attach to PIN
2. Set Temporary.
What is the difference between the “Set Temporary” and “Attach to PIN” configurations?
Attach to PIN: In addition to the regular PIN you use to unlock a standard account, you can set up a passphrase and attach an additional PIN to unlock passphrase-protected accounts.
But note that Ledger supports only 2 PIN codes. One is the primary PIN code, which you set when you initially configure the device. The other is a secondary PIN code for passphrase.
If ordinary PIN: 1273 → Ordinary accounts
and secondary PIN: 9135 → Hidden accounts
Connecting Ledger and using PIN 1273 will unlock your regular wallet. To access the hidden wallet, disconnect, then reconnect Ledger and use the secondary PIN 9135, which will allow you to access the hidden wallet.
Set up a temporary one: With this setting, you will have to enter a passphrase each time to access the hidden wallet.
So which setting should I use?
Passphrase: Attach to a PIN or set a temporary one?
Prior to Ledger; Trezor did support the passphrase feature, and their implementation of passphrase is much simpler than Ledger’s approach.
On Trezor, Keepkey and other hardware wallets, here’s how you access your passphrase accounts. Plug in your device, unlock your PIN, and then it will immediately ask you to enter a special passphrase. If you continue without passphrase (blank), you will get access to your regular wallet. If you use the passphrase, it will unlock the secret accounts. You will enter the passphrase in the program interface.
But in the case of Ledger, for security reasons it is not possible to enter the password from the keyboard. The password can only be entered using the hardware interface.
Attach to PIN
Since passphrases are quite long, entering them manually each time using the hardware interface can be quite difficult. For this reason, the Attach passphrase to PIN option was introduced, which provides a more practical user experience.
You only need to enter the passphrase on the device in two cases.
1. When you create a new wallet with a passphrase.
2. When you restore an old passphrase-protected wallet.
Simply enter a passphrase and link it to your PIN. Each time you use Ledger, unlock it with a secondary PIN for direct access to your hidden accounts.
Attaching a passphrase to your PIN is only created for your convenience, so you can easily access your hidden wallet every time. But keep in mind that Ledger only allows you to use 2 PINs at a time. One main PIN to unlock standard accounts and a second PIN to unlock hidden accounts.
Therefore, only one passphrase can be associated with a PIN. The passphrase you enter will be stored on the device until the device reboots or you overwrite it with another passphrase. If you add another passphrase and attach it to a new or existing PIN, you will overwrite both the previous passphrase and the secondary PIN.
You may also wonder about security. The secondary PIN you set is stored only on your Ledger device. The device remembers and stores it securely. If you or someone enters the wrong PIN three times, the device will be reset to factory defaults.
Set up a temporary
A temporary installation, as the name implies, is for one session only. Once you disconnect the device, the passphrase you entered will be deleted.
Next time to access the same account, you will have to connect your device and unlock it with your PIN code. Then go to Settings >> Security >> Passphrase >> Set Temporary and manually enter the passphrase. This will need to be done for each session.
Suggestion: Whether to use the Attach to PIN or Set Temporary option is entirely up to you and how you want to access your wallet in the future.
If you will be accessing your hidden wallet very often, then attach it to your PIN. Or just choose a temporary option.
Whichever option you use, make sure you have a backup of the 24 words and passphrase. Passphrases are case sensitive, so be sure to back up the exact passphrase. If you forget the passphrase, you will lose your wallet, and if you enter the passphrase incorrectly, you will unlock a completely different wallet. So keep a physical backup of both the recovery phrase and passphrase in a safe place. Also note that with the recovery check app you can check the recovery phrase, but not the passphrase, at any time.
First, we suggest you set up a temporary passphrase and verify the receiving address of your BTC or ETH with Ledger Live. Then disable Ledger and go to the option to join PIN. Use the same passphrase you used earlier. Once set up, check the BTC and ETH receiving address and make sure it matches. After that, you can start using your hidden wallet.
Setting a temporary passphrase on Ledger Nano S / Nano X
While in Settings >> Security >> Secret passphrase, select set secret passphrase from the set secret passphrase menu and select set secret passphrase. On Nano X, set both buttons to confirm set secret passphrase.
You will now find three options: ?0 (includes numbers and symbols, including a space) | ab (small letters) | AB (for capital letters).
Follow the link and select the secret passphrase.
Then select the check mark symbol and confirm the passphrase entry. The next screen will display the passphrase you have selected. Carefully write it down on a piece of paper.
Press twice to confirm the passphrase and confirm the current PIN. Now enter your primary PIN to confirm the passphrase. The device will process the request and display a passphrase setting message.
Your device now manages accounts protected by this passphrase.
Now open Ledger Live. Go to the add accounts section and select BTC or ETH. Then open the app on your device and add a Bitcoin or Ethereum account.
After successfully adding the account, rename it to hidden for reference. By renaming, you will be able to distinguish and identify which address is a regular address and which is a hidden address. Next, click the get button and copy the address into notepad.
Remove the Ledger device. Do not transfer any funds yet.
Attach to PIN code on Ledger Nano S / Nano X
Connect Ledger and unlock with a standard PIN code. Go to Settings >> Security >> Password and this time select the Attach to PIN option.
Now select the PIN code with the passphrase. This is your secondary PIN and must be different from the standard PIN. Select the secondary PIN and re-enter the PIN to confirm it.
After confirming your PIN, start entering your passphrase. You can use any passphrase you want, but since we are testing its operation, use the same passphrase you used in the temporary passphrase option. This way, you can be sure that you have entered the correct passphrase and are accessing the same hidden wallet.
After entering your passphrase, press the passphrase confirmation button. Your passphrase will be displayed on the next screen. Press both buttons to confirm it. Then confirm it with your current PIN, which is your default PIN used to access your regular accounts.
The device will then process and display the set passphrase message.
Note: When using the temporary option, Ledger will automatically switch to passphrase wallet after successful passphrase setting. But when using the Attach to PIN option, it will continue to manage your regular accounts after the passphrase setting is complete. To unlock the passphrase-protected account this time, remove the device, reconnect, and enter the secondary PIN.
Verification of accounts / addresses
Connect your Ledger and enter the secondary PIN you just set up. Then go to Ledger >> Accounts and select the hidden Bitcoin or Ethereum account you have enabled. Then click get and continue.
If you have entered the passphrase correctly, your address will appear on the screen. It should match the one you saved in your notepad. If the passphrase is incorrect, Ledger live will display the following error message.
Something went wrong
Please verify that your hardware wallet is configured with the recovery phrase or passphrase associated with the selected account.
That’s it! Now you actually manage two wallets for your ledger Nano. One is your regular wallet and the other is a hidden wallet protected by a passphrase.
Using this method, you can have several hidden accounts in one wallet, that is, with the same 24-word password. But, as we said before, don’t complicate things and don’t activate this option if you’re not sure you understand it.
Also in Ledger Live, you can remove the displayed hidden address. In case an attacker opens your Ledger app, they should only see your regular account. You can re-add it when you want to transfer funds. It only takes a few seconds to re-add the account.
If you like to read such articles and want to support the author, then you can subscribe to our telegram channel and recommend us to your friends, this will help a lot to support our project! Telegram: CRYPTO WIKIES | Bitcoin & Altcoins Mining
Be the first to know all the news, read more about cryptocurrencies and mining at CRYPTO-MINING.BLOG.