When securing your cryptocurrency with the BitBox hardware wallet, it's essential to understand two key security features: the device password and the optional passphrase. While both enhance security, they serve different purposes and have different implications for accessing your funds.


The BitBox device password: Your primary security layer

This is the main password for your BitBox hardware wallet.

Purpose: The device password protects your BitBox from unauthorized physical access.
Functionality: It encrypts the device's contents. Without the correct password, the wallet and its settings remain inaccessible.
Setup: You are required to create this password during the initial setup of your BitBox. It is mandatory and cannot be deactivated.
Usage: You must enter it each time you connect and unlock your BitBox.
Recovery: If you forget your device password, you can reset the device and restore your wallet from your backup (microSD card or recovery words) to set a new device password. Your funds remain safe if your backup is secure.

The optional passphrase: Advanced wallet security

The optional passphrase (also known as a BIP39 passphrase) is an advanced security feature that adds another layer of protection.

Purpose: It allows you to create multiple hidden wallets, providing plausible deniability. This feature is particularly useful if you are concerned your main recovery words might be compromised.
Functionality: When enabled, the passphrase you enter combines with your recovery words to generate a completely new, unique wallet. Each distinct passphrase (even a single character difference) will open a different wallet. If you enter no passphrase, you access your default wallet.
Setup:
  1. Open the BitBoxApp with your BitBox connected and unlocked.
  2. Navigate to “Settings” and go to “Manage device”.
  3. Under "Wallet", select "Enable optional passphrase" and follow the on-screen instructions.
Usage: If enabled, it is entered after your device password each time you want to access a specific passphrase-protected wallet.
Recovery: CRITICAL NOTE! The optional passphrase is never stored on the BitBox and cannot be recovered if forgotten or lost. It essentially acts as a 25th recovery word. Losing your passphrase means losing access to all funds stored in the hidden wallet associated with that specific passphrase. There is no way to retrieve them.

Key differences at a glance

| Aspect | Device Password | Optional Passphrase |
| --- | --- | --- |
| Purpose | Protects the BitBox device from unauthorized physical access. | Creates additional hidden wallets for enhanced security and plausible deniability. |
| Usage Frequency | Required each time the device is connected and unlocked. | Entered after the device password, only when accessing a specific hidden wallet. |
| Relation to Wallet | Does not alter your primary wallet; solely for device access. | Creates entirely new, separate wallets based on the specific passphrase used. |
| Recovery | Can be reset by restoring the device using your main backup (recovery words). | Cannot be recovered if forgotten. Funds in that specific hidden wallet will be inaccessible. |



Best practices for security

  • Secure Storage: Store your recovery words and any passphrase you create in extremely secure, separate locations. For detailed advice, refer to our guide on “How to keep your bitcoin backup safe”. Never store them together if possible.
  • Complexity:
    • Device Password: As discussed in our “Choosing a secure device password” guide, 5+ random characters (letters, numbers) are generally sufficient due to hardware protections.
    • Optional Passphrase: This should be strong and unique (long, complex, including special characters if desired). The BitBox's device-specific brute-force protections do not apply in the same way if your recovery words are compromised and an attacker tries to guess your passphrase.
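
The passphrase behaviour described under "Functionality" and the strength advice above, as an added example (not BitBox firmware or BitBoxApp code): the BIP39 standard derives the wallet seed with PBKDF2-HMAC-SHA512 over the recovery words, salted with the passphrase, so anyone holding the words can test passphrases without the device. The mnemonic is the public BIP39 test vector, the passphrases are constructed, and the guess rate is an assumption.

```python
import hashlib
import math
import unicodedata

# Public BIP39 test-vector mnemonic (widely published; never use it for funds).
MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
            "abandon abandon abandon abandon abandon about")

def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed: PBKDF2-HMAC-SHA512, 2048 rounds, salt = "mnemonic" + passphrase."""
    words = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048, dklen=64)

def wallet_id(mnemonic: str, passphrase: str = "") -> str:
    """First 8 seed bytes as hex; a demo-only label to tell wallets apart."""
    return bip39_seed(mnemonic, passphrase).hex()[:16]

def passphrase_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a passphrase drawn uniformly at random."""
    return length * math.log2(alphabet_size)

def average_search_years(bits: float, guesses_per_second: float) -> float:
    """Expected time to search half the space, with no device in the loop."""
    return (2 ** bits / 2) / guesses_per_second / (365 * 24 * 3600)

if __name__ == "__main__":
    # Same recovery words, three passphrases: three unrelated wallets.
    for label, pp in [("default wallet (no passphrase)", ""),
                      ("constructed passphrase A", "correct horse"),
                      ("A with one character changed", "correct horsf")]:
        print(f"{label:32} seed starts {wallet_id(MNEMONIC, pp)}")

    # Assumption: one million PBKDF2 guesses per second for an offline attacker.
    RATE = 1e6
    for length in (5, 12, 20):
        bits = passphrase_bits(length, 62)  # random letters and digits
        years = average_search_years(bits, RATE)
        print(f"{length:2} random chars: {bits:5.1f} bits, ~{years:.2e} years")
```

A length that is adequate for the device password, where the hardware limits attempts, falls in seconds here; the passphrase has to carry its strength on its own.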

Caution: Only enable the optional passphrase feature if you fully understand its implications (you can learn more in “Benefits and risks of using an optional passphrase”) and are confident you can manage and remember your passphrase(s) securely. Mismanagement can lead to the permanent loss of funds in those hidden wallets.

 

Understanding the difference between your BitBox device password and the optional passphrase is key to effectively managing your crypto security. The device password protects your device, while the optional passphrase creates entirely new, hidden wallets. Use them wisely to ensure robust protection for your assets.