What this is
Exactly rung 1, plus a passphrase you choose when you set up the wallet. The seed phrase on its own opens one wallet — a decoy. The seed phrase plus the passphrase opens a different, hidden wallet — your real one. The passphrase is sometimes called the “25th word.”
What it’s good at
- Protection against a found seed. A metal backup someone discovers, a photographed seed, a seed pulled off a compromised device — none of them alone can spend your real funds.
- Plausible deniability. The decoy wallet doesn’t look like a decoy. Under coercion you can hand over the seed and the (small) decoy wallet without revealing the real one.
- Cheap to add. You already own the device. You just choose a passphrase during setup.
What it costs you
- A brand-new single point of failure. Lose or forget the passphrase and the coins are gone — even though the seed is safe.
- A passphrase is not a password. It can’t be reset, rate-limited, or recovered. A weak or guessable one is almost as bad as none.
- Deniability is a belief, not a guarantee. There are documented cases where a decoy didn’t convince an attacker and the victim was harmed anyway.
The passphrase-backup problem — the #1 inheritance failure The most common documented way people lose passphrase-protected Bitcoin: they pick a strong passphrase, memorise it, never write it down (“if someone finds it, the whole point is gone”), then forget it or die. The seed is backed up, so the wallet looks recoverable — it isn’t. If you use a passphrase, you must back it up as carefully as the seed, stored separately from it, in a different place.
Who should use it
Holders who want a second cryptographic layer without taking on the operational weight of multisig — especially when your realistic worry is “someone finds my seed backup” rather than a targeted attacker. Less useful if your real concern is sophisticated coercion, where the deniability argument gets shaky.
Planning for inheritance
This rung lives or dies on making the passphrase inheritable. A passphrase only in your head is a plan that fails the moment you can’t answer the phone. The cleanest fix is to back up the passphrase separately from the seed, in a place your heirs can reach with instructions — or, for the disciplined, to split it into shares (see rung 3) so no single location holds the whole secret.
When to climb
If your holdings grow to where a single seed backup — decoy or not — feels like too much resting on one thing, the answer is to remove the single point of failure entirely with multisig (rung 4). If you want split backups without full multisig, look at Shamir (rung 3).