BIP-39 Passphrase Trezor

A passphrase BIP39 is an optional password which, combined with the mnemonic phrase, provides an additional layer of security for deterministic and hierarchical Bitcoin wallets. In this tutorial, we'll discover together how to set up a passphrase on your secure Bitcoin wallet on a Trezor (Safe 3, Safe 5 and Model One).

Before starting this tutorial, if you're not familiar with the passphrase concept, how it works and its implications for your Bitcoin wallet, I strongly recommend that you consult this other theoretical article where I explain everything (this is very important, as using a passphrase without fully understanding how it works can put your bitcoins at risk) :

passphrase on Trezor is handled in the classic way if you've opted for the BIP39 standard during configuration (which I recommend if you don't need Multi-share Backup). What's special about Trezor is that you can either enter the passphrase directly on the Hardware Wallet, or via your computer's keyboard using the Trezor Suite software. This second option is considerably less secure, as the computer has an immensely larger attack surface than the Hardware Wallet. However, typing a complex passphrase may be faster on a conventional keyboard than on the Hardware Wallet, which could encourage the use of strong passphrases. So it's always better to use a passphrase, even if it has to be typed, than not to use one at all. It is important, however, to remain aware of the increased risk of numerical attacks that this implies.

These options are not available on all Trezor-compatible wallet management software. For example, for the Model One, passphrase can be entered via the keyboard on Sparrow Wallet. For Model T, Safe 3 and Safe 5 models, you must either use Trezor Suite or enter passphrase directly on Hardware Wallet, as the option of entering via Sparrow was disabled by HWI a few years ago.

In Trezor Suite, you have two different ways of managing passphrase demand. You can activate the "passphrase" option in the "Device" tab. If enabled, Trezor Suite and all other wallet management software will systematically ask you to enter your passphrase each time you start up. If you prefer a more discreet approach to using a passphrase, you can keep the setting at "Standard". In this case, you'll need to manually access your Hardware Wallet's menu in the top left-hand corner, and click on the "+ passphrase" button each time you start it up.

Before starting this tutorial, please ensure that you have already initialized your Trezor and generated your mnemonic phrase. If you haven't, and your Trezor is new, follow the model-specific tutorial available on Plan ₿ Academy. Once you've completed this step, you can return to this tutorial.

Once you've created your wallet, saved your mnemonic and set a PIN, you'll be taken to the Trezor Suite home menu. In the top left-hand corner, a window should appear inviting you to activate the passphrase BIP39.

If this window doesn't appear, you'll need to manually activate the "passphrase" option in the "Device" settings tab.

This window asks you to enter your passphrase. Choose a strong passphrase and immediately make a physical backup, on a medium such as paper or metal. In this example, I've chosen the passphrase: fH3&kL@9mP#2sD5qR!82. This is an example; however, I recommend you choose a slightly longer passphrase. Between 30 and 40 characters would be ideal (like a good password).

of course, you should never share your passphrase on the Internet, as I do in this tutorial. This example wallet will only be used on Testnet and will be deleted at the end of the tutorial.

For more specific recommendations on choosing your passphrase, I invite you once again to consult this other article:

If you want to enter your passphrase via your computer keyboard, enter it in the field provided, then click on "Access passphrase Wallet".

Your Hardware Wallet will then display your passphrase. Make sure it matches your physical backup (paper or metal) before clicking on the screen to continue.

This will give you access to your passphrase-protected wallet.

If you prefer to enhance security by entering your passphrase only on your Trezor, when prompted, click on "Enter passphrase on Trezor".

A T9 keyboard will appear on your Trezor, allowing you to enter your passphrase. Once you've completed your entry, click on the green tick to apply the passphrase to your wallet.

You will then have access to your passphrase secure wallet.

To use Sparrow Wallet, the procedure is similar, but for models T, Safe 3 and Safe 5, passphrase must be entered on the Hardware Wallet and not via the computer keyboard.

Whenever Sparrow Wallet requires access to your Trezor, and passphrase has not yet been applied since the last start-up, you'll need to enter it using the T9 keyboard.

On the Model One, the use of a passphrase BIP39 is almost indispensable. As this device does not incorporate a Secure Element, it is relatively easy to extract sensitive information. It is therefore not resistant to physical attack. However, as the passphrase is not retained on the device after it has been switched off, using a strong (non-bruteable) passphrase can protect you against most known physical attacks on this model.

On the Model One, it's not possible to enter the passphrase directly on the Hardware Wallet. You'll need to enter it via your computer keyboard.

Once you've created your wallet, saved your mnemonic and set a PIN, you'll be taken to the Trezor Suite home menu. In the top left-hand corner, a window inviting you to activate the passphrase BIP39 should appear.

If this window does not appear, you need to activate the "passphrase" option in the "Device" tab of the settings.

This window asks you to enter your passphrase. Choose a strong passphrase and immediately make a physical backup, on a medium such as paper or metal. In this example, I've chosen the passphrase: fH3&kL@9mP#2sD5qR!82. This is just an example; however, I recommend that you choose a slightly longer passphrase. Between 30 and 40 characters would be ideal (like a good password).

For more specific recommendations on choosing your passphrase, I invite you once again to consult this other article:

Enter your passphrase in the field provided, then click on the "Access passphrase Wallet" button.

Your Hardware Wallet will display your passphrase. Make sure it matches your physical backup (paper or metal), then click on the right-hand button to continue.

This will take you to your passphrase-protected wallet.

To use Sparrow Wallet thereafter, the procedure remains the same. Each time Sparrow requires access to your Hardware Wallet, and the passphrase has not been entered since the device was last started up, you will need to enter it.

Congratulations, you're now up to speed on using the passphrase BIP39 on Trezor hardware wallets. If you'd like to take your wallet security a step further, check out this tutorial on Trezor's Multi-share backup systems (Shamir's Secret Sharing Scheme):

If you found this tutorial useful, I'd be grateful if you'd leave a green thumb below. Feel free to share this article on your social networks. Thank you very much!