Passphrases Are Not the Solution for Bitcoin Custody

Hugo Nguyen
Jun 30, 2023

The problems with passphrases

BIP39 passphrases have weaknesses that are often overlooked, including:

(1) Combination of secrets: The private key and passphrase must be combined in a single location for every single spend.

(2) Exposure of secret: The passphrase must be manually entered for every single spend.

In terms of security, requirement (2) stands out. Unlike seed phrases or private keys, passphrases must be entered frequently, which exposes them to the outside world.

As an example of how this weakness could be exploited: Recent advancements in AI technology have reached a point where WiFi routers can now be utilized as motion trackers, as demonstrated in a recent study. In a similar vein, researchers have shown that the sounds of keystrokes recorded over Zoom could reveal what you typed with 93% accuracy. What this means is that in the future, any electronic signal-rich environment could potentially capture passphrase inputs.

Attackers may not need to learn all characters of a passphrase; even partial knowledge or the length alone can provide clues for cracking it.

To summarize this problem:

  • Keeping a secret is most effective when it is exposed to the environment as little as possible.
  • BIP39 passphrases are designed to be frequently exposed.

This contradiction creates a significant attack vector that cannot be ignored. The problem already exists without AI, but with AI, it becomes an even more substantial concern.

Other weaknesses of passphrases include:

  • The lack of standardized key lengths often leads to users employing weak or non-random passphrases, making them susceptible to brute-forcing.
  • The absence of a checksum leaves no room for error when it comes to memorization or when sharing access for inheritance purposes.
  • The need to combine the private key and the passphrase for each spend means that attackers can time when these secrets are brought together to gain access to both secrets. They can even lure victims into combining them, such as by pretending to offer high-value goods in exchange for bitcoins.
  • The introduction of a passphrase might create a false sense of security and cause users to be more lax in securing the seed phrase (e.g. making multiple copies of it).
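
The missing checksum shows up directly in the BIP39 seed derivation, where the passphrase is only a salt suffix and any string yields a valid seed. The following is an added example, not code from the original post; the mnemonic is the public all-zero test-vector mnemonic, and the helper names and simulated entry slips are illustrative assumptions.

```python
import hashlib
import unicodedata

# Constructed sample input: the all-zero-entropy mnemonic from the public
# BIP39 test vectors. It must never hold real funds.
MNEMONIC = ("abandon " * 11) + "about"


def _nfkd(text: str) -> bytes:
    """BIP39 requires NFKD normalization before UTF-8 encoding."""
    return unicodedata.normalize("NFKD", text).encode("utf-8")


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """PBKDF2-HMAC-SHA512, 2048 rounds, salt = "mnemonic" + passphrase."""
    salt = b"mnemonic" + _nfkd(passphrase)
    return hashlib.pbkdf2_hmac("sha512", _nfkd(mnemonic), salt, 2048, dklen=64)


def seeds_for_entry_slips(passphrase: str) -> dict:
    """Derive the seed for the intended passphrase and for common typing slips.

    Nothing in the derivation can reject a slip: each one silently produces
    a different, fully valid 64-byte seed (i.e. a different, empty wallet).
    """
    attempts = {
        "intended": passphrase,
        "wrong case": passphrase.swapcase(),
        "trailing space": passphrase + " ",
        "dropped last char": passphrase[:-1],
    }
    return {label: bip39_seed(MNEMONIC, p) for label, p in attempts.items()}


def only_intended_matches(passphrase: str) -> bool:
    """True when every slip yields a seed different from the intended one."""
    seeds = seeds_for_entry_slips(passphrase)
    intended = seeds.pop("intended")
    return all(seed != intended for seed in seeds.values())


if __name__ == "__main__":
    for label, seed in seeds_for_entry_slips("TREZOR").items():
        print(f"{label:18s} {seed.hex()[:16]}...  ({len(seed)} bytes, accepted)")
```

For backups and inheritance planning, the practical check is to record a fingerprint or first receive address of the intended wallet, since the derivation itself gives no signal that a passphrase was entered wrongly.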

Most critically, passphrases represent single points of failure. Instances of users being locked out of their wallets due to forgotten passphrases have been, and will continue to be, common as long as passphrases are promoted without sufficient guidance and warnings.

To make matters worse, certain hardware vendors offer products without protection against physical threats, by not including Secure Elements in their designs. To compensate for this lack of security, these vendors often promote the reliance on passphrases.

However, this approach does not provide a genuine solution but merely shifts the burden of security and key management onto end users, leaving them to fend for themselves.

Conclusion

While the scenario of AI targeting Bitcoin users may seem far-fetched, attacks on Bitcoin users will undoubtedly become increasingly sophisticated. Recent incidents, such as the wave of SIM swap attacks, serve as reminders.

Passphrases have inherent weaknesses that make them ill-suited for an adversarial environment and the future of Bitcoin custody.
