Bitcoin / Crypto Wallet Passphrase — How to Generate a Strong Extra Passphrase

If you store any meaningful amount of cryptocurrency, the BIP-39 passphrase is the most important security upgrade you can make. It's optional, it's free, and it provides strong protection against seed phrase theft. This guide explains what it is, why it matters, and how to generate one safely.

What is a BIP-39 passphrase?

BIP-39 (Bitcoin Improvement Proposal 39) is the standard for generating Bitcoin wallet seed phrases — the 12 or 24 words you write down when you set up a hardware wallet. The standard also defines an optional passphrase that gets combined with the seed phrase to derive the actual private keys.

Mathematically, the wallet's master key is derived from PBKDF2(seed_phrase + passphrase). Without the passphrase, you get one set of keys (the "default" wallet). With the passphrase, you get a completely different set of keys (a "hidden" wallet). Each unique passphrase produces a unique wallet.

Why this matters

The BIP-39 passphrase provides two critical security benefits:

1. Protection against seed phrase theft. If someone steals your seed phrase (physical or digital), they get the default wallet — not your real funds. Your real funds are in the hidden wallet protected by the passphrase.
2. Plausible deniability. If forced to reveal a wallet, you can show the default wallet (with a small amount of crypto in it) while your real funds remain hidden behind the passphrase.

How it actually works with a hardware wallet

On Trezor:

1. Set up your wallet normally with a 24-word seed phrase
2. Enable the "Passphrase" feature in settings
3. Each time you connect the wallet, it asks for the passphrase
4. If you enter the passphrase, you access the hidden wallet
5. If you don't enter the passphrase (or enter it wrong), you access a different wallet

On Ledger:

1. Set up your wallet normally with a 24-word seed phrase
2. Enable the "Passphrase" feature
3. Same flow as Trezor — passphrase unlocks the hidden wallet

How strong should the passphrase be?

Very strong. This is protecting potentially significant funds with no recovery if cracked or forgotten.

Use case	Recommended length	Bits of entropy
Small holdings (<$1K)	5-6 words	55-66
Medium holdings ($1K-$100K)	6-7 words	66-77
Large holdings ($100K+)	7-8 words	77-88
Whale / institutional	8-10 words	88-110

A 7-word passphrase from a quality word list is computationally infeasible to brute force with current technology. Even a nation-state with unlimited compute would need longer than the age of the universe to crack it.

Generating a BIP-39 passphrase

Use the free Bison Passphrase Generator with these settings:

1. Set word count to 7 or 8
2. Set separator to dash (universal compatibility)
3. Enable capitalization for extra entropy
4. Click Generate New until you get a memorable one
5. Copy the result

Important: do this on a trusted device. Ideally a freshly-booted computer not connected to anything else. Some hardcore users generate the passphrase on an air-gapped machine they only use for crypto.

Backing up the passphrase (the hard part)

The passphrase is just as important as the seed phrase. Lose either one and lose your funds. Backup options:

Backup method	Pros	Cons	Recommended for
Memorize only	No physical artifact to steal	Risk of forgetting	Small holdings
Steel plate	Survives fire and water	Visible if found	Medium-large holdings
Paper in safe	Cheap, hidden	Vulnerable to fire/flood	Backup of backup
Split (Shamir/SLIP-39)	Distributed risk	Setup complexity	Whales, institutions

A common setup: memorize the passphrase AND keep a steel plate backup in a safety deposit box. Both must be destroyed for you to lose access.

The "split" approach

For very large holdings, split the passphrase across multiple locations:

• Memorize part of it
• Stamp the other part on a steel plate in a safety deposit box
• Tell a trusted family member how to find the box if you die

This provides protection against both forgetting (you have a backup) and theft (no single location has the full passphrase).

What NOT to do with a BIP-39 passphrase

• Don't use a memorable phrase from a book or song. Crackers have dictionaries of all common quotes.
• Don't use words from your life. Pet names, hometowns, birthdays — all in social engineering dictionaries.
• Don't store it in a password manager. If someone breaches your password manager, they get both your other passwords AND the crypto passphrase.
• Don't store it digitally on a device that touches the internet. Air-gap or paper/steel only.
• Don't use the same passphrase across multiple wallets. Each wallet should have its own.
• Don't reveal the passphrase exists. Plausible deniability requires not telling people you have a hidden wallet.

Test it before funding

Critical step: after setting the passphrase, test it before moving real funds.

1. Set the passphrase on your hardware wallet
2. Note the receive address for the hidden wallet
3. Send a small amount of crypto to that address
4. Disconnect the wallet, reconnect, re-enter the passphrase
5. Verify you can see the test funds
6. Disconnect again, reconnect, deliberately enter the WRONG passphrase
7. Verify you see a different (empty) wallet
8. Reconnect with the CORRECT passphrase
9. Verify you see the test funds again
10. Now it's safe to move your main funds

If any step fails, do NOT move your main funds. Restart the setup until you have a working test.