Description
Clarified proposal text (ready for GitHub)
Currently, using a BIP39 passphrase is optional and often treated as an “advanced feature”.
This creates a UX distinction between “standard wallets” and “passphrase wallets”.
In coercion or extortion scenarios, this distinction becomes a security issue:
the act of using a passphrase at all can itself signal the existence of hidden wallets.
Proposal
Change the default UX so that the device always prompts for a passphrase, even if it is empty.
-> “No passphrase” becomes simply an empty passphrase
-> Users who use 0, 1, or multiple passphrases follow the same flow
-> No visual or behavioral signal distinguishes passphrase usage
Benefits
-> Improves plausible deniability under physical threat
-> Normalizes passphrase usage without forcing it
-> Maintains full BIP39 compatibility
-> Does not change the cryptography, only the UX
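As an added illustration of two points above, that "no passphrase" is already the empty passphrase in BIP39 and that the proposal changes only the UX and not the derivation, here is a small Python sketch of BIP39 seed derivation sitting behind an always-shown prompt. It is example code added here, not code from the project or from the issue author. `seed_from_prompt` and `derive_wallets` are hypothetical names for the uniform flow; the mnemonic is the public all-"abandon" BIP39 test mnemonic (never to be used for a real wallet), and the seed for passphrase "TREZOR" is the published BIP39 reference vector.

```python
import hashlib
import unicodedata

# Constructed sample input: the well-known all-"abandon" BIP39 test mnemonic.
# It is public and must never be used for a real wallet.
SAMPLE_MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
                   "abandon abandon abandon abandon abandon about")

# Published BIP39 reference seed for SAMPLE_MNEMONIC with passphrase "TREZOR".
REFERENCE_PASSPHRASE = "TREZOR"
REFERENCE_SEED_HEX = (
    "c55257c360c07c72029aebc1b53c05ed0362ada38ead3e3e9efa3708e5349553"
    "1f09a6987599d18264c1e1c92f2cf141630c7a3c4ab7c81b2f001698e7463b04"
)


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed derivation: PBKDF2-HMAC-SHA512, 2048 rounds, 64-byte output.

    Password is the NFKD-normalized mnemonic; salt is "mnemonic" + NFKD passphrase.
    A wallet that "has no passphrase" is already derived with passphrase == "".
    """
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, dklen=64)


def seed_from_prompt(mnemonic: str, entered: str) -> bytes:
    """Uniform flow (hypothetical name): the device always prompts, and whatever
    was typed, including nothing, goes into the same derivation. There is no
    separate "standard wallet" code path to branch on, so no behavioural signal."""
    return bip39_seed(mnemonic, entered)


def derive_wallets(mnemonic: str, entries):
    """One seed per prompt entry: 0, 1 or many passphrases share the same flow,
    and distinct entries give distinct wallets."""
    return [seed_from_prompt(mnemonic, e) for e in entries]


def empty_prompt_matches_legacy(mnemonic: str) -> bool:
    """Typing nothing at the prompt yields exactly the legacy no-passphrase seed."""
    return seed_from_prompt(mnemonic, "") == bip39_seed(mnemonic)


def matches_reference_vector() -> bool:
    """Sanity check of the derivation against the published BIP39 vector."""
    return bip39_seed(SAMPLE_MNEMONIC, REFERENCE_PASSPHRASE).hex() == REFERENCE_SEED_HEX


if __name__ == "__main__":
    entries = ["", "TREZOR", "another one"]
    print("empty prompt == legacy seed:", empty_prompt_matches_legacy(SAMPLE_MNEMONIC))
    print("reference vector ok:", matches_reference_vector())
    for entry, seed in zip(entries, derive_wallets(SAMPLE_MNEMONIC, entries)):
        print(repr(entry), "->", seed.hex()[:16] + "...")
```

Because a legacy "standard wallet" already runs PBKDF2 with the empty passphrase, the always-prompt flow adds no work to the derivation and nothing in the resulting seed reveals whether the user typed anything. The UI side needs the same care: if the device remembered or hinted at previously entered passphrases, it would leak exactly what the uniform flow is meant to hide.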
Rationale
Security should not depend on whether a user chose an “advanced option”.
A uniform flow reduces information leakage and improves real-world safety.
Important clarification
This proposal does NOT make passphrases mandatory.
Users remain fully free to:
-> use no passphrase at all (empty passphrase), or
-> use one or multiple passphrases
The goal is not to force behavior, but to ensure that:
-> all users go through the same interaction flow, and
-> passphrase usage cannot be inferred from the UI or user behavior.
This preserves user choice while improving safety under coercion.