Does passphrase really protect you?

In an article from the Trezor team you guys state, “if somebody compromised your physical copy of the recovery seed, they still would not be able to access your passphrase protected wallet unless they knew the passphrase.”
You guys also state “Passphrases serve as a function of second-factor protection of the recovery seed and are an ultimate protection against attacks involving physical access to the device or the recovery seed.”

However, I just did a test of my own on my end and I did not find this to be the case. The steps I took were the following:

  1. I opened up a new Trezor Wallet and wrote down my recovery seed phrase
  2. I created a new Trezor Wallet with no passphrase
  3. I created a new Trezor Wallet with a passphrase

I then did the following

  1. Logged onto a new computer, opened up MetaMask and imported the recovery seed phrase that I mentioned earlier
  2. Without any further steps, I was then able to transfer ETH from both Trezor accounts that I mentioned earlier - both the account that had no passphrase and the account that did have a passphrase. I was not required to sign anything nor was I required to enter a passphrase.

You guys claim that if someone gets access to the recovery phrase, they would not be able to hack you unless they got access to the passphrase. However, in the test I did above, all that was needed was the seed phrase to gain full control of the account.


hi @gbr

frankly, that is not possible.

By that, do you mean that you have created a new wallet (meaning a new seed phrase was generated and you wrote that one down)?

Could you please clarify this step, as there is no way to generate another Trezor wallet with no passphrase after the initialization process (which I assume you did in step number one).

A wallet with no passphrase is the Standard/default wallet, and that one is represented (backed up) by your recovery seed. It is actually mathematically derived from it.

In other words: one recovery seed = one Standard (not passphrase protected) wallet.

This step is clear.

Just a note: since you have already imported your recovery seed into a third-party app (you have inserted the recovery seed into MetaMask), you should consider the recovery seed as already compromised and you should not use this wallet anymore.

If you go to the Trezor Suite interface, choose Hidden wallet and type your passphrase (from step 3):
Does the first ETH address match the one you claim you are able to spend the funds from (after importing the Trezor recovery seed) without typing your passphrase, as you stated before?
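The reply's point, that the Standard wallet and every Hidden wallet are all derived from the same recovery seed with the passphrase as an extra input, can be checked directly. The following is an added example and not Trezor's code; it uses the public BIP39 test mnemonic rather than anyone's real seed, and stops at the BIP32 master key instead of deriving the Ethereum address.

```python
import hashlib
import hmac
import unicodedata

# Constructed input: the public BIP39 test mnemonic, not a real wallet backup.
MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
            "abandon abandon abandon abandon abandon about")


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 mnemonic -> 64-byte seed via PBKDF2-HMAC-SHA512, 2048 rounds.

    The passphrase is never stored on the device or in the backup; it only
    enters the PBKDF2 salt. An empty passphrase gives the Standard wallet,
    any other string gives an unrelated Hidden wallet.
    """
    words = unicodedata.normalize("NFKD", mnemonic).encode()
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode()
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048, dklen=64)


def bip32_master_key(seed: bytes) -> tuple[bytes, bytes]:
    """BIP32 root: HMAC-SHA512 keyed with b'Bitcoin seed' over the seed.
    Left half is the master private key, right half the chain code; every
    account key (including the ETH key MetaMask imports) descends from it."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def derive_wallet(mnemonic: str, passphrase: str = "") -> dict:
    seed = bip39_seed(mnemonic, passphrase)
    priv, chain = bip32_master_key(seed)
    return {"seed": seed.hex(), "master_priv": priv.hex(), "chain_code": chain.hex()}


def standard_vs_hidden(mnemonic: str, passphrase: str) -> bool:
    """True when the passphrase yields a different master key than the
    Standard wallet, i.e. the seed alone does not reach the Hidden wallet."""
    std = derive_wallet(mnemonic)["master_priv"]
    hidden = derive_wallet(mnemonic, passphrase)["master_priv"]
    return std != hidden


if __name__ == "__main__":
    # Same 12 words, three different wallets; only "" is recoverable from the seed alone.
    for pp in ("", "TREZOR", "trezor"):
        w = derive_wallet(MNEMONIC, pp)
        print(f"passphrase={pp!r:10} master_priv={w['master_priv'][:16]}...")
```

If MetaMask, given only the 12 words, spends from the account you protected with a passphrase, that account was in fact the Standard wallet (empty passphrase), since the Hidden wallet's keys are not computable without the passphrase string.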