The seed extension (known as a “passphrase”, “password”, “25th word”) is typed on the computer’s keyboard?

I was reading the documentation and it looks like the way seed extension is handled is not secure because it's susceptible to key loggers, screen grabbers, etc.

Can you confirm that the way the seed extension is being entered is by computer's keyboard?

Do newer versions solve this problem, and which ones?

The entire point of having a hardware wallet is to prevent malware running on the general-purpose computer from intercepting the private keys (and the secrets used to derive the private keys: the seed, the seed extension and the PIN code).

7 thoughts on “The seed extension (known as a “passphrase”, “password”, “25th word”) is typed on the computer’s keyboard?”

  1. Please bear in mind that no one from the Trezor team would send you a private message first.
    If you want to discuss a sensitive issue, we suggest contacting our Support team via the Troubleshooter:

    No one from the Trezor team (Reddit mods, Support agents, etc) would ever ask for your recovery seed!
    Beware of scams and phishing:

    I am a bot, and this action was performed automatically. Please contact the moderators of this subreddit if you have any questions or concerns.

  2. You can click the link at the bottom that says “Enter passphrase on Trezor”.

    In any case though, even if someone has access to that passphrase, they are still missing the 12/24 word seed phrase.

  3. Hi, with Trezor Model One yes, this is the only option. However, the passphrase alone is not enough for getting to your coins. The attackers would still need access to your recovery seed, and since Trezor Model One allows you to use the Advanced recovery, there is no way for any keylogger to get to your seed.

    Our flagship model Trezor Model T allows you to enter passphrase on the display though.

  4. How often are your email, bank account, Netflix account, etc. getting their passwords stolen out from under you? Those usernames are generally just an email address that’s not private and easily guessed.

    A wallet is like a username with 24 random words that has a 25th word (passphrase) as the password … this is an analogy of course.

    I could start brute forcing your email address simply by knowing your email address because you sent me an email.

    Simple digital security practices eliminate most risk, and 2FA is still nothing compared to the entropy of 24-word seed phrases.

    TL;DR: common digital use cases are exponentially more vulnerable to key loggers but completely avoidable too. Hardware wallets are monumentally more secure even when exposed to similar threats.

  5. Well here we go again, malware can’t intercept or extract your private keys. It’s safe because you would still need 24 out of 2048²⁴.

    If you don’t like this buy a Trezor T.
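The replies above argue that a keylogged passphrase is useless without the recovery seed, and that the 24-word seed has a 2048²⁴ search space. The following is an added example, not code from the thread or from Trezor, that makes both claims concrete. It assumes the wallet follows BIP39 (the standard Trezor devices use for mnemonic and passphrase handling): the passphrase is only a salt in a PBKDF2 derivation over the mnemonic, so knowing the salt alone yields nothing, and the 264 bits of word choices carry 256 bits of entropy once the checksum is subtracted. The mnemonic below is the publicly known BIP39 test vector, not anyone's wallet.

```python
import hashlib
import hmac
import math
import unicodedata

# Constructed sample: the first published BIP39 test vector (11 x "abandon" + "about").
# A public test value, not a real wallet.
SAMPLE_MNEMONIC = " ".join(["abandon"] * 11 + ["about"])

# Seed the BIP39 test vector lists for SAMPLE_MNEMONIC with passphrase "TREZOR".
PUBLISHED_SEED_HEX = (
    "c55257c360c07c72029aebc1b53c05ed0362ada38ead3e3e9efa3708e5349553"
    "1f09a6987599d18264c1e1c92f2cf141630c7a3c4ab7c81b2f001698e7463b04"
)


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 64-byte wallet seed as BIP39 specifies:
    PBKDF2-HMAC-SHA512, 2048 rounds, password = mnemonic,
    salt = "mnemonic" + passphrase, both NFKD-normalized.
    The passphrase never replaces the mnemonic; it only salts it."""
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, dklen=64)


def mnemonic_search_space_bits(word_count: int = 24, wordlist_size: int = 2048) -> float:
    """log2 of the number of raw word sequences: 24 words from 2048 -> 264 bits."""
    return word_count * math.log2(wordlist_size)


def mnemonic_entropy_bits(word_count: int = 24) -> int:
    """Actual entropy: BIP39 encodes ENT bits plus an ENT/32-bit checksum in
    11-bit words, so 11 * words = ENT * 33/32.  24 words -> 256 bits, 12 -> 128."""
    return (11 * word_count * 32) // 33


def seeds_match(a: bytes, b: bytes) -> bool:
    """Constant-time comparison so a check like this cannot leak via timing."""
    return hmac.compare_digest(a, b)


def keylogger_model(real_mnemonic: str, captured_passphrase: str, guessed_mnemonic: str) -> bool:
    """Threat model from the thread: malware on the host captured the typed
    passphrase but never saw the seed words (they stayed on the device).
    Returns True when the attacker's derived seed differs from the real one,
    i.e. the captured passphrase alone did not unlock the wallet."""
    real = bip39_seed(real_mnemonic, captured_passphrase)
    attacker = bip39_seed(guessed_mnemonic, captured_passphrase)
    return not seeds_match(real, attacker)


if __name__ == "__main__":
    print("seed (no passphrase):", bip39_seed(SAMPLE_MNEMONIC).hex()[:32], "...")
    print("seed (passphrase)   :", bip39_seed(SAMPLE_MNEMONIC, "TREZOR").hex()[:32], "...")
    print("word sequences: 2^%.0f, entropy: %d bits"
          % (mnemonic_search_space_bits(), mnemonic_entropy_bits()))
    wrong_guess = " ".join(["abandon"] * 12)  # attacker guesses a different mnemonic
    print("passphrase alone insufficient:", keylogger_model(SAMPLE_MNEMONIC, "TREZOR", wrong_guess))
```

Two things worth noticing: a different passphrase produces a completely different seed (so an attacker with the seed words but not the passphrase is also locked out), and the 2048-round PBKDF2 is not what protects the wallet; the 256 bits of mnemonic entropy are. The residual risk in the thread's scenario is a host that can see both, which is exactly why on-device passphrase entry matters.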
