
A seed phrase is the master key to a self-custody wallet. But BIP-39 — the standard behind most seed phrases — quietly defines an optional extra: a passphrase, sometimes called the "25th word." Add it and you gain a second secret that sits on top of your seed. It is a genuinely useful tool, and it is also one of the easiest ways to lock yourself out of your own coins. This guide explains what a BIP-39 passphrase is, what it actually buys you, what it costs, the mistakes that lose funds, and how it compares to the way SSP splits signing across two keys.
What a BIP-39 passphrase actually is
A standard wallet derives every address from your seed phrase — the 12 or 24 words you wrote down at setup. A BIP-39 passphrase is an optional secret you supply alongside those words. The wallet combines the seed and the passphrase to derive an entirely different wallet: different addresses, different private keys, a different balance. Change one character of the passphrase and you get yet another wallet, with no error and no warning.
The official BIP-39 specification describes the passphrase as a way to derive many wallets from a single seed, with the passphrase acting as salt in the key-derivation function. One crucial property follows directly from that design: the passphrase is not stored anywhere — not on your device, not in the seed words, not with any wallet provider. There is no record of it to recover. Forget it, and the wallet it unlocks is gone, and no amount of having the seed words will bring it back.
This is why hardware-wallet vendors treat it as an advanced feature. Trezor's documentation on passphrases and hidden wallets frames each passphrase as opening a separate hidden wallet, with the empty passphrase being just one more wallet among them.
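The derivation described above, as an added example (not code from the BIP-39 authors or from any wallet): the specification's seed step is PBKDF2-HMAC-SHA512 with 2048 rounds and the salt "mnemonic" plus the passphrase. The mnemonic is the public all-zero-entropy test phrase and the passphrases are constructed for illustration.

```python
import hashlib
import unicodedata

def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP-39 seed: PBKDF2-HMAC-SHA512, 2048 rounds, salt = "mnemonic" + passphrase."""
    # The spec NFKD-normalises both inputs before encoding them as UTF-8.
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, dklen=64)

# Public test mnemonic (all-zero entropy). Never fund a wallet derived from it.
MNEMONIC = " ".join(["abandon"] * 11 + ["about"])

# Constructed passphrases: the intended one plus typical restore-time slips.
VARIANTS = {
    "no passphrase": "",
    "intended": "correct horse",
    "trailing space": "correct horse ",
    "capital letter": "Correct horse",
}

def seed_table(mnemonic: str = MNEMONIC) -> dict:
    """Map each variant label to its 64-byte seed."""
    return {label: bip39_seed(mnemonic, p) for label, p in VARIANTS.items()}

def same_wallet(a: str, b: str, mnemonic: str = MNEMONIC) -> bool:
    """True when two typed passphrases lead to the same seed."""
    return bip39_seed(mnemonic, a) == bip39_seed(mnemonic, b)

if __name__ == "__main__":
    # Every variant yields a valid seed; nothing marks the wrong ones as wrong.
    for label, seed in seed_table().items():
        print(f"{label:15} {seed.hex()[:16]}...")
    # Precomposed e-acute vs "e" + combining accent: NFKD makes them equal.
    print(same_wallet("caf\u00e9", "cafe\u0301"))
    # A curly apostrophe from a phone keyboard is a different character.
    print(same_wallet("don't", "don\u2019t"))
```

Every variant produces a well-formed 64-byte seed, which is why a mistyped passphrase opens an empty wallet instead of raising an error.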
What it buys you
Two real benefits justify the feature.
It protects a found or stolen seed card. If someone discovers the paper or metal plate where you stored your words, a passphrase-protected wallet is still safe. The seed alone derives the empty-passphrase wallet — which you keep empty on purpose. The funds live in the wallet that only appears when the seed is combined with a passphrase that exists only in your head. The thief holds half of a two-part secret and cannot move anything.
It enables hidden wallets and plausible deniability. Because each passphrase derives a distinct wallet, you can keep a small, real balance in the no-passphrase wallet and your actual holdings behind a passphrase. Under coercion — the so-called "$5 wrench attack" — you can surrender the seed and a decoy passphrase, revealing a modest balance while the bulk stays invisible. There is no way to prove a hidden wallet exists, which is the whole point of plausible deniability.
For a single-seed user who is genuinely worried about physical discovery of their backup, these are not theoretical wins. They are the strongest argument for turning the feature on.
What it costs you
The same mechanism that protects you also raises the stakes.
It doubles your single point of failure. Without a passphrase, you need to protect — and survive the loss of — one secret: the seed. With a passphrase, you must back up and be able to reproduce two independent secrets, and losing either one loses the funds. A fireproof seed backup does you no good if the passphrase lived only in your memory and your memory failed.
A weak passphrase is brute-forceable. If an attacker does find your seed, the only thing between them and your coins is the passphrase. A short or guessable passphrase — a pet's name, a birthday, a common phrase — can be ground through offline at enormous speed, because the attacker already holds the seed and can test candidates without touching the network. The passphrase has to carry real entropy to be worth anything.
It adds operational friction. Every restore now requires entering the passphrase exactly, including capitalization, spacing, and punctuation. A trailing space you cannot see, a different keyboard layout, or an autocorrected character all produce a silent, empty wallet rather than an error.
The mistakes that lose funds
Most passphrase losses come from a handful of avoidable patterns.
- Storing the passphrase next to the seed. If both halves sit in the same drawer, safe, or note, you have done nothing but add a step for the thief. The passphrase only protects you when it lives — or is remembered — separately.
- Relying on memory alone. People forget. A passphrase you never recorded anywhere is one bad week away from being unrecoverable. The safe pattern is a separate, durable backup kept in a different location from the seed.
- Invisible characters. A trailing space, a smart-quote substituted by a phone keyboard, or an emoji that renders differently across devices can change the derived wallet. Keep passphrases to characters you can reliably reproduce.
- Assuming the empty wallet is broken. After a restore, seeing the empty-passphrase wallet and panicking is common. The funds are not lost; the passphrase simply has not been entered yet.
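A pre-backup check for the invisible-character problem in the list above, as an added example that is not part of any wallet's code: it flags characters that are hard to retype exactly before a passphrase is committed to a backup. The function name and the sample passphrases are constructed for illustration.

```python
import unicodedata

def passphrase_findings(passphrase: str) -> list:
    """Return warnings for characters that are hard to reproduce at restore time."""
    findings = []
    if passphrase != passphrase.strip():
        findings.append("leading or trailing whitespace")
    if "  " in passphrase:
        findings.append("consecutive spaces")
    for pos, ch in enumerate(passphrase):
        cat = unicodedata.category(ch)
        code = f"U+{ord(ch):04X}"
        if cat in ("Cc", "Cf"):
            # Control and format characters (tab, zero-width space) do not render.
            findings.append(f"invisible character {code} at index {pos}")
        elif cat == "Zs" and ch != " ":
            # Looks like a space on screen but is a different code point.
            findings.append(f"non-standard space {code} at index {pos}")
        elif ord(ch) > 0x7E:
            name = unicodedata.name(ch, "unnamed")
            findings.append(f"non-ASCII character {code} ({name}) at index {pos}")
    if unicodedata.normalize("NFKD", passphrase) != passphrase:
        findings.append("text changes under NFKD normalisation")
    return findings

# Constructed samples covering the failure cases named in the list above.
SAMPLES = {
    "clean": "correct horse battery",
    "trailing space": "correct horse ",
    "smart quote": "don\u2019t panic",
    "zero-width space": "correct\u200bhorse",
    "no-break space": "correct\u00a0horse",
}

if __name__ == "__main__":
    for label, sample in SAMPLES.items():
        issues = passphrase_findings(sample)
        print(f"{label}: {'ok' if not issues else '; '.join(issues)}")
```

Run it on an offline machine only, since the passphrase is typed in clear text.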
If you use seed phrases at all, our guide to seed phrase best practices covers the backup hygiene a passphrase depends on, and "What happens if one of your keys is compromised" walks through the threat the passphrase is meant to blunt.
Passphrases vs SSP's two-key model
A passphrase is one answer to a specific question: what if my single seed is found or stolen? It answers it by adding a second secret that the seed alone cannot reveal.
SSP answers the same question differently. Instead of layering a second secret on top of one seed, SSP's 2-of-2 multisig splits signing across two independent keys — one in the SSP browser extension, one in the SSP Key mobile app — so that no single secret is ever enough to move funds. An attacker who compromises one device, or finds one backup, still cannot sign a transaction. The second key is an independent approval surface, not a word appended to the first.
The distinction matters. A passphrase keeps the single-seed model and asks you to defend two secrets derived from one root. SSP removes the single-seed assumption entirely: there is no one phrase whose discovery drains the wallet. For the reasoning behind that design, "Why self-custody matters now" sets the context, and "Multisig failure modes and how SSP mitigates them" is honest about what a two-key setup can and cannot protect against.
To be clear about what SSP is and is not: SSP does not expose a BIP-39 passphrase toggle, and you should not read this article as a setting inside the app. The comparison is about threat models, not features — two different ways to make a found backup useless to an attacker.
How to decide
A passphrase suits some users well. Consider turning it on if you hold a single-seed wallet, you are specifically worried about someone physically finding your backup, and you are confident you can store a high-entropy second secret durably and separately for years. The hidden-wallet and plausible-deniability properties are real, and for some threat models they are exactly right.
Be honest about the failure mode before you commit. If your bigger risk is forgetting a secret, losing a backup, or fat-fingering a restore under stress, a passphrase adds the very fragility you are trying to escape. Doubling the number of things that must survive is not free.
If the single-seed assumption itself is what worries you, splitting signing across two keys addresses the same threat without asking you to memorize a second secret flawlessly. "Recover a crypto wallet after a lost browser" shows how recovery works when no single secret is the whole story.
Keep going
A passphrase and a two-key wallet are two answers to the same question: how to make a stolen backup worthless to an attacker. Pick the one whose failure mode you can live with, not just the one whose benefit sounds best.


