Allow entering BIP39 passphrases even when the wallet is not in passphrase mode

[rabutial]

Having to put the wallet in "passphrase mode" provides clear indications to an adversary that one or more BIP39 passphrase-protected wallets exist. This encourages the adversary to apply rubber hose/$5 wrench attacks to gain access to those wallets.

It should be possible to enter the BIP39 passphrase even when the wallet is in the default (no prompt) configuration. This would allow users to work with BIP39 passphrase wallets without informing an adversary about the existence of these wallets.

For example, after entering the PIN, the user squeezes on the other end of the wallet (versus where the arrows are displayed). This extra step then causes the wallet to prompt for the BIP39 passphrase.

There is clear demand for concealing the existence of BIP39 passphrase wallets, see #749. The approach in this issue here avoids the need to store BIP39 passphrases in the device at all, as opposed the linked PIN proposed in #749.

Further security would be adding forensic resistance to the wallet app when handling BIP39 passphrase wallets, see this issue.

[NickeZ]

Interesting idea to have like a hidden gesture to access the optional passphrase request. So basically you mean hold all four corners when doing the "pinch" gesture?

The reason passphrase hasn't changed much since the bb02 was released is that it is an expert feature, used by very few, and a common reason for misplaced funds.

[rabutial]

On Fri, Apr 24, 2026 at 08:08:15PM +0000, Niklas wrote: Interesting idea to have like a hidden gesture to access the optional passphrase request. So basically you mean hold all four corners when doing the "pinch" gesture?

All four corners might be an option. Or just pinch the "wrong" end (not where the arrows are). The passphrase prompt itself should probably also prompt the user to skip the prompt if no passphrase is set. Both for usability reasons (people accessing the prompt accidentally) and security (more plausible deniability that no passphrase is set).

The reason passphrase hasn't changed much since the bb02 was released is that it is an expert feature, used by very few, and a common reason for misplaced funds.

I look forward to the firmware update that fixes user stupidity.

[NickeZ]

An empty passphrase is equivalent to skipping it.

[rabutial]

An empty passphrase is equivalent to skipping it.

I am aware. My suggestion of prompting the user to do this was purely a usability/UX improvement.