It's funny: Before I saw the below, I was just thinking to write a Development & Technology post about BIP 39 flaws, especially the stupid cargo-cult crypto use of PBKDF2 and the ill-designed passphrase feature. I should probably do it sometime.
(To be clear: The use of seed phrases is good, very good. The standard just has some points that are ill-advised, which you can safely ignore.)
Guys ('n' gals), don't forget to add a passphrase ("25th word"), in addition to your seed.
I recommend against this. It is security theatre that simply increases your chance of losing your coins (if you forget your passphrase), without adding any significant security.
Doing so will protect you from someone finding the seed. Even a relatively weak passphrase will give you enough time to move your coins to another wallet when you discover that the seed has been found (and while the thief is brute-forcing the passphrase). A strong passphrase will make it virtually impossible for a thief to have access to your coins.
That is an unrealistic expectation.
If your seed phrase is compromised, how likely do you really think it is that you will discover that before your coins are gone?
How much time do you expect a passphrase to buy you? I mean, in quantitative terms based on real data about how fast password crackers can crack a weak passphrase stretched with a piddling 2048 iterations of PBKDF2 security theatre.
The security of your seed phrase rests on keeping the seed phrase secret. Generate the seed phrase using a cryptographically secure source of randomness (CSPRNG), and set it in your mind that your coins are gone if that gets compromised.
Unless you have considerable security expertise, pinning your hopes on the passphrase only gives you a false sense of security—especially when you start with the low standard, "even a relatively weak passphrase"! Whereas you already have a strong passphrase: It is the seed phrase itself.
If you were capable of reliably memorizing a cryptographically secure passphrase for the long term (which you are not—and I'm not, either!), then you could simply memorize the seed phrase (don't try this unless you want to lose your coins). The whole purpose of engraving your seed phrase in metal is to make sure that you don't lose pseudorandom information which is strong in the first instance.
A passphrase (more than one, to be precise) will also add plausible deniability of ownership of your coins, should you ever be required (or be forced) to reveal your stash, as I've explained in this post.
Plausible deniability is a concept that needs to die.
https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2018-January/015547.html
[...]
I rather suspect the concept of plausible deniability of having been invented by a detective or agent provocateur. There are few concepts more useful for helping suspects shoot themselves in the foot, or frankly, for entrapping people.
[...]
If you are publicly known to be deeply involved in Bitcoin, then nobody will believe that your one-and-only wallet contains only 0.01 BTC. That's not even plausible. But if you have overall privacy practices which leave nobody knowing or suspecting that you have any Bitcoin at all, then there is nothing to deny; and should a Trezor with (supposedly) 0.01 BTC be found in your possession, that's much better than plausible. It's completely unremarkable.
Whereas if you are known or believed to own large amounts of BTC, a realistic bad guy's response to your decoy wallet could be, "I don't believe you; and it costs me nothing to keep beating you with a rubber hose until you tell me the *real* password."
It could be worse, too. In a kidnapping scenario, the bad guys could say, "I don't believe you. Hey, I also read Trezor's website about plausible deniability. Now, I will maim your kid for life just to test whether you told me the *real* password. And if you still don't tell me the real password after you see that little Johnny can no longer walk, then I will kill him."
The worst part is that you have no means of proving that you really *did* give the real password. Indeed, it can be proved if you're lying by finding a password which reveals a hidden wallet—but *you* have no means of affirmatively proving that you are telling the truth! If the bad guys overestimated your riches (or if they're in a bad mood), then little Johnny is dead either way.
In a legalistic scenario, if authorities believe you have 1000 BTC and you only reveal a password for 0.01 BTC, the likely response will not be to let you go. Rather, "You will now sit in jail until you tell the *real* password." And again: You have no means of proving that you did give the real password!
Plausible deniability schemes can backfire quite badly.
[...]
That was in reply to this:
https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2018-January/015529.html
I think you're under-appreciating how useful the "plausible deniability" is. Someone I know was (solo) traveling to the United States when a border agent asked her to unlock her phone; thumbed through her apps, ended up finding Tinder and went through all her recent conversations to make sure she wasn't involved in any "pay for sex things".
In the same light, I travel frequently and constantly have my trezor on me. If I am asked to unlock it, I will have no problems doing so (as refusal will no doubt lead to deportation) and showing my personal wallet (which sadly hasn't had much use since fees became ridiculous).
Trezor's "plausible deniability" scheme could very well result in you going to jail for lying to border security, because it's so easy for them to simply brute force alternate passwords based on your seeds. With that, they have proof that you lied to customs, a serious offense.
I would strongly advise you not to use it in that situation.
Real life is not like the movies.
You never want plausible deniability. What you want is to be above suspicion. For example, nobody who knows me IRL would ever suspect that I have secret bitcoins—neither cops nor robbers. I don't need to construct the types of cocked-up stories that investigators enjoy tearing apart, or make decoy wallets. I don't need to deny anything, plausibly (Focus on the IF!) or otherwise: Nobody will even ask.
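To make the "piddling 2048 iterations" and "hidden wallet" points above concrete, here is the BIP 39 seed derivation as the specification defines it (PBKDF2-HMAC-SHA512, 2048 rounds, salt "mnemonic" + passphrase, NFKD-normalized). This is an added example written for this thread, not code from the post or from any wallet vendor; it uses the first published BIP 39 test vector (the all-"abandon" mnemonic with passphrase "TREZOR") and times a single derivation to show that the stretch is the only per-guess cost the passphrase adds once the seed phrase itself is in someone else's hands.

```python
import hashlib
import time
import unicodedata

# Constants fixed by BIP 39: PBKDF2-HMAC-SHA512, 2048 rounds, 64-byte output,
# salt is the literal string "mnemonic" followed by the (optional) passphrase.
PBKDF2_ROUNDS = 2048
SALT_PREFIX = "mnemonic"
SEED_LEN = 64

# First test vector from the BIP 39 reference vectors (entropy of all zero bits).
VECTOR_MNEMONIC = "abandon " * 11 + "about"
VECTOR_PASSPHRASE = "TREZOR"
VECTOR_SEED_HEX = (
    "c55257c360c07c72029aebc1b53c05ed0362ada38ead3e3e9efa3708e5349553"
    "1f09a6987599d18264c1e1c92f2cf141630c7a3c4ab7c81b2f001698e7463b04"
)


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 64-byte BIP 39 seed; both inputs are NFKD-normalized per the spec."""
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = unicodedata.normalize("NFKD", SALT_PREFIX + passphrase).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, PBKDF2_ROUNDS, dklen=SEED_LEN)


def vector_matches() -> bool:
    """Check the implementation against the published test vector."""
    return bip39_seed(VECTOR_MNEMONIC, VECTOR_PASSPHRASE).hex() == VECTOR_SEED_HEX


def hidden_wallet_is_just_a_different_salt(mnemonic: str, passphrase: str) -> bool:
    """A 'hidden wallet' is nothing more than the same mnemonic with another salt:
    any passphrase, including a wrong guess, yields a valid-looking 64-byte seed."""
    plain, hidden = bip39_seed(mnemonic), bip39_seed(mnemonic, passphrase)
    return plain != hidden and len(plain) == len(hidden) == SEED_LEN


def derivation_cost_seconds(mnemonic: str, samples: int = 20) -> float:
    """Average wall-clock cost of one derivation on this machine: with the seed
    phrase known, this single PBKDF2 call is the entire cost per passphrase guess."""
    start = time.perf_counter()
    for i in range(samples):
        bip39_seed(mnemonic, f"constructed guess {i}")  # constructed sample passphrases
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    print("test vector ok:", vector_matches())
    print("passphrase changes seed:", hidden_wallet_is_just_a_different_salt(VECTOR_MNEMONIC, "x"))
    print(f"one derivation costs about {derivation_cost_seconds(VECTOR_MNEMONIC) * 1e3:.2f} ms")
```

The printed millisecond figure is for one CPU core in pure Python's C-backed PBKDF2; compare it with the time a 128-bit seed phrase would cost to guess (effectively infinite) to see which of the two secrets is actually doing the work.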