BIP39 Passphrase (25th Word) — Reference

TL;DR — The BIP39 passphrase (sometimes called '25th word' or 'hidden wallet') is an additional secret combined with the 12/24-word mnemonic to derive a different wallet seed. Each unique passphrase produces an entirely different wallet — including the empty passphrase, which is the 'standard' wallet most users see. Recovery characteristics differ fundamentally from passphrase-less BIP39.

How the passphrase works

BIP39 derives the seed as: seed = PBKDF2-HMAC-SHA512(mnemonic, 'mnemonic' + passphrase, 2048). The mnemonic sentence is the PBKDF2 password, and the salt is the literal string 'mnemonic' followed by the passphrase. The output is a 64-byte seed.

Empty passphrase produces one seed; 'apple' produces a completely different seed; 'Apple' (different case) produces yet another. Each is a distinct wallet with distinct addresses, balances, transaction history.

The passphrase isn't stored anywhere; only the user remembers it. This is what makes hardware wallet 'plausible deniability' wallets work: under coercion, you reveal the mnemonic with the empty passphrase (the decoy wallet), while your real funds are in a different wallet protected by the passphrase.

Recovery scenarios

You have the mnemonic but forgot the passphrase: recoverable in principle if the passphrase has limited entropy. Brute-force the passphrase against expected wallet addresses or balance presence.

You have the passphrase but forgot the mnemonic: not recoverable — mnemonic entropy is far too high (128/256 bits) for brute force.

You have neither: completely unrecoverable. This is by design.

Most realistic case: you remember a partial mnemonic + passphrase. With a known recipient address (from a transaction you remember), partial-mnemonic recovery is feasible if the missing material is small.

Why passphrase recovery is harder than seed recovery

Verification of a candidate passphrase requires: derive seed → derive HD chain → derive address → check against blockchain (or expected address). This is far slower per attempt than the 'check hash output' step typical of password recovery.

BIP39 PBKDF2 is 2,048 iterations of SHA-512 — relatively fast. The bottleneck is the address derivation chain, not the KDF.

Most owners who remember their passphrase well but have forgotten the exact word can recover. With no memory of its structure, recovery is typically not feasible.

Verification methods

Address-based: derive the first N addresses from the candidate seed and check whether they match a known address. Fast and unambiguous.

Balance-based: query the blockchain for balance at derived addresses. Slower (requires API calls) but works without remembering specific addresses.

If you have neither a known address nor balance, recovery is much harder — you can't tell which candidate seed is correct without external signal.

Frequently Asked Questions

Is the passphrase the same as the mnemonic?
No. The mnemonic is 12 or 24 words. The passphrase is an additional arbitrary string — could be a single word, a sentence, anything. They're separate secrets, both required to derive the wallet.

Why is it called '25th word'?
Common 24-word mnemonic + 1 passphrase 'word' = 25 elements. Marketing terminology — the passphrase isn't really constrained to one word.

Do all hardware wallets support passphrases?
Most modern ones do — Trezor, Ledger, Coldcard, KeepKey. The exact UX differs (Trezor offers it as 'hidden wallets', Ledger has 'temporary passphrase' modes).

Is passphrase brute force possible?
For short or known-pattern passphrases, yes. For high-entropy random passphrases, no — same fundamental limit as any strong password.

Can I have multiple wallets from one mnemonic?
Yes — that's the design. Each unique passphrase produces a distinct wallet. Some users maintain multiple passphrase wallets for different purposes.

What's the empty-passphrase wallet?
The wallet derived with the empty passphrase is the 'standard' wallet most apps show by default. Many users don't realise their wallet is just one of infinitely many — until they enter a passphrase by accident and see different addresses.
