All articles

Passphrases and hidden wallets

The passphrase feature in Trezor Suite is a method used to increase the security of your assets by creating unique hidden wallets. This helps to protect your accounts from unauthorized access.

Table of Contents

Passphrase basics

  • A passphrase functions like an extra word added to your wallet backup (formerly recovery seed).
  • Using your wallet backup alone grants access to your Standard wallet.
  • Each unique combination of backup + passphrase grants access to a corresponding unique Passphrase wallet.
  • You must have access to your passphrase, as it is never stored on your Trezor device! If you lose access to a passphrase, you will lose access to the associated funds.

Only use a passphrase once you understand how it works. Funds secured by a passphrase can't be recovered without it!

We recommend writing down your passphrase and keeping it separate from both your wallet backup and Trezor device. Decide how many copies you want to make, but consider creating an extra copy stored in a different location for added security. Do not store any of these copies digitally—this includes as a picture on your phone, a file on your computer, or in your password manager.

If you choose not to write down your passphrase, consider creating a hint that reminds you of it. Be cautious: If the hint is too difficult to decipher and you forget the passphrase, or if beneficiaries need to guess it, you will lose access to your funds. Make sure the hint is clear and memorable, accounting for details like case sensitivity, spaces, or punctuation.

Important characteristics of passphrases

  • Passphrases are not stored anywhere on your Trezor.
  • It is only used temporarily whenever you enter it.
  • A passphrase can be any character or set of characters, a word, or a sentence up to 50 bytes long (~50 ASCII characters).
  • Extended ASCII characters (decimal 128 (€) to 255 (ÿ)) can only be entered when using Trezor Suite on a trusted computer.
  • These characters may not render correctly on the Trezor display.
  • Passphrases are case-sensitive—lowercase and uppercase characters are distinguished and count as different.
  • A space (blank) is a valid character.
  • The passphrase and wallet backup belong together. Neither can be used without the other if you sent your coins to a passphrase-protected hidden wallet.

Passphrases can't be hacked, as they are not stored on the device. Each passphrase creates a new hidden wallet, so always double-check that you are entering the passphrase correctly.

A strong passphrase keeps your coins extra safe: learn more in our blog post.

How does it work?

As part of the initialization process, your Trezor device generates a random number, which is converted into a wallet backup and stored in memory. Your Trezor uses this string of standard English words to generate your private keys, serving as a kind of master access key for unlocking access to your Bitcoin and crypto funds.

By using a passphrase, you effectively add an extra word to the wallet backup, creating a brand-new Passphrase wallet, often referred to as a hidden wallet.

You can generate as many Passphrase wallets as you like, but you must be extremely careful not to lose any of your passphrases.

Essentially, whenever a Trezor device is used, it derives a cryptocurrency wallet using the following formula:

This concept is illustrated in the following schematic:

PP_4-crop.png

Each unique passphrase creates a completely separate hidden wallet, meaning minor differences in a passphrase result in entirely different wallets.

Passphrases allow you to create unique hidden wallets and control access to them without requiring a second hardware wallet or wallet backup. This means your funds remain safe even if your wallet backup is compromised.

Choosing a passphrase

Unlike your randomly generated wallet backup, you choose your own passphrase.

  • It can be any memorable word, phrase, or sentence up to 50 bytes (~50 ASCII characters).
  • It is case-sensitive (e.g., "Hello World" is not the same as "hello world").
  • Spaces are valid characters—every character matters.
  • An empty passphrase is the same as accessing your Standard Wallet (seed-only).

To access a hidden wallet, you must enter the passphrase with 100% accuracy.

If you enter anything else, you will create a brand new Passphrase wallet. If you lose access to your passphrase, the associated wallet is irretrievable. Write down your passphrase and keep it separate from both your wallet backup and Trezor device.

Disabling / re-enabling the passphrase feature

The passphrase feature can be toggled on or off via the Device settings page in Trezor Suite.

  1. Connect your Trezor and unlock it using your PIN.
  2. Once connected and unlocked, navigate to Device settings and scroll down to the Wallet loading section.
  3. Here you can change the default wallet loading behavior to either Standard or Passphrase.
PP_Device-settings-HL.png

Using passphrases in other apps

By using the same combination of wallet backup and passphrase, the same wallet with identical addresses is derived, regardless of which application is used.

Passphrase FAQs

First, don’t panic. You can use a second Trezor device to recover your existing accounts using the same wallet backup and passphrase combination.

  1. Enable the passphrase feature.
  2. Enter the exact same passphrase you originally used when creating the passphrase-protected hidden wallet.

A passphrase adds an extra layer of protection to your Bitcoin and crypto. Because passphrases are not stored on your Trezor, even if your wallet backup is compromised, your accounts remain protected and can only be accessed using the specific passphrase.

You can create multiple Passphrase wallets, allowing you to:

  • Redistribute balances for added security.
  • Organize your accounts into separate wallets.

Please take all necessary precautions to preserve your passphrase(s) for future reference.

If you lose a passphrase, you lose access to any associated funds!

;