
BIP-85 Passwords

This feature derives deterministic passwords from your seed using the BIP-85 standard, specifically the PWD BASE64 application. BIP-85 allows for the creation of multiple child keys from a master seed, and in this case, it's used to generate up to 10,000 secure passwords.

In addition, the COLDCARD® can emulate a keyboard so that the generated passwords can be sent as keystrokes via USB to a computer, effectively using the COLDCARD as a specialized password manager.

Requirements

  • USB-C cable with data link (won't work with the power-only cable from Coinkite).
  • USB Port must be enabled on the COLDCARD.

Type Passwords Over USB

This section guides you through enabling the COLDCARD to emulate a USB keyboard, and securely typing BIP-85 derived passwords directly into a computer.

Steps to Type Passwords Over USB
  1. To enable the "Type Passwords" feature, connect your COLDCARD to your host PC with a USB cable (check requirements) and go to: Settings > Keyboard EMU > Enable.


  2. The Type Passwords option is now available on the Main Menu.


  3. When it is time to enter a secret password, select Type Passwords from the Main Menu. The USB switches to keyboard emulation, and displays Switching... on the screen.

  4. Next you will provide the Password Index. This can be any number from 0 to 9999, and will deterministically generate the same password each time.

    Enter the index number for the password you want to use, and hit /ENTER.


  5. It takes a moment to generate the password, and then you can double-check the password to be typed and the BIP-85 path used.


  6. To send the keystrokes to your computer, use your mouse to select the password prompt. Then press /ENTER on the COLDCARD. This fills the prompt with your password, and sends an Enter keystroke.

  7. You are back at step 4, and can continue to generate passwords, or you can tap X/CANCEL to exit.

    Exiting from "Type Passwords" will cause the COLDCARD to turn off keyboard emulation and enable normal USB mode if it was enabled before. Otherwise, USB stays disabled.


View BIP-85 Passwords

The steps below explain how to generate and review BIP-85 passwords on the COLDCARD screen, with options to export them in cleartext via a variety of methods.

Steps to View BIP-85 Passwords
  1. Go to: Advanced/Tools > Derive Seed (BIP-85).


  2. Press /ENTER, then select Passwords from the next menu.


  3. Next, choose the Password Index. It can be any number from 0 to 9999, and will determine the password that is shown.

    Enter the desired index number, and hit /ENTER to generate the password.


  4. The screen shows the generated password, path, and entropy from which the password was derived.


  5. Select how to export the password:

    All Exports Are Cleartext!

    There is no encryption used on the password exports. They should only be used temporarily to move a password and then securely deleted.

    • 1 : Save to MicroSD card (Slot A on the Q).
    • B : Save to SD card in Slot B (Q only).
    • 2 : Save to Virtual Disk (if enabled).
    • 3/NFC : Share via NFC (if enabled).
    • 4/QR : Display as a QR code.
    • 0 : Send keystrokes over USB (enables keyboard emulation, types password + Enter, then disables emulation).

COLDCARD Specifics

Keyboard Language Settings

Emulated keystrokes are mapped to characters according to your host PC's keyboard language settings. For the COLDCARD to type the correct BIP-85 password, your host computer MUST use language settings that correspond to a QWERTY key layout, including the number row directly above QWERTY:

1 2 3 4 5 6 7 8 9 0 - =
 Q W E R T Y U I O P [ ] \
  A S D F G H J K L ; '
   Z X C V B N M , . /

Passwords generated and shown on the COLDCARD will always be correct with respect to BIP-85. However, when sending keystrokes, for example on a German keyboard, what was typed will not match the text that was generated and shown on the COLDCARD's screen.

For example, if the correct password is zYLoepugzdVJvdL56ogNV, using German keyboard settings will result in a different typed output: yZLoepugydVJvdL56ogNV. The German keyboard layout is not QWERTY but QWERTZ (y and z are swapped).

Even with "non-standard" keyboard language settings, the COLDCARD always sends the exact same keystrokes for a specific password index. The typed output is deterministic as long as the keyboard language settings do not change. However, BIP-85 won't be respected in this case.

Password Strength

COLDCARD generates passwords with a fixed length of 21 characters, providing approximately 126 bits of entropy. This offers a high level of security, making the passwords resistant to brute-force attacks.

Examples

Using the below seed, path, and index, the COLDCARD will generate the passwords shown in the table:

wife shiver author away frog air rough vanish fantasy frozen noodle athlete pioneer citizen symptom firm much faith extend rare axis garment kiwi clarify

Index  Path                         Password
0      m/83696968'/707764'/21'/0'   BSdrypS+J4Wr1q8DWjbFE
1      m/83696968'/707764'/21'/1'   TkDX7d9fnX9FZ9QEpjFDB
2      m/83696968'/707764'/21'/2'   cvfdmoZL3BcIpJ7G+Rb8k
3      m/83696968'/707764'/21'/3'   wsCALdN+GgbSOGyGE9aRN
4      m/83696968'/707764'/21'/4'   HfYbWx7gVmUmb2Bw4o4QD
5      m/83696968'/707764'/21'/5'   vLOf9WPO5QiPbOTEbz/yJ
6      m/83696968'/707764'/21'/6'   1oSUs7Cy3fnpdh/fAS7EK
7      m/83696968'/707764'/21'/7'   seh9WN6mlvPPB5jdVz3xN
8      m/83696968'/707764'/21'/8'   U4RD0R0A0RjpHOFtwnv9k
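
The derivation behind this table can be reproduced off-device to check a COLDCARD's output or to recover a password from the seed alone. The Python below is an added example, not COLDCARD firmware code: it chains the BIP-39 seed stretch, hardened BIP-32 derivation along the path shown, and the BIP-85 HMAC and Base64 step. It assumes an empty BIP-39 passphrase, and the function names are illustrative.

```python
import base64
import hashlib
import hmac
import unicodedata

# secp256k1 group order; hardened private-key derivation only needs arithmetic mod n
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
HARDENED = 0x80000000

# Seed words copied from the Examples section of this page (documentation example seed)
MNEMONIC = ("wife shiver author away frog air rough vanish fantasy frozen noodle athlete "
            "pioneer citizen symptom firm much faith extend rare axis garment kiwi clarify")


def bip39_seed(mnemonic, passphrase=""):
    """BIP-39 mnemonic to 64-byte seed (the word checksum is not validated here)."""
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode(), salt.encode(), 2048)


def derive_hardened(seed, path):
    """Walk an all-hardened BIP-32 path and return the child private key (32 bytes)."""
    i = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    key, chain = int.from_bytes(i[:32], "big"), i[32:]
    for index in path:
        data = b"\x00" + key.to_bytes(32, "big") + (index | HARDENED).to_bytes(4, "big")
        i = hmac.new(chain, data, hashlib.sha512).digest()
        tweak = int.from_bytes(i[:32], "big")
        key, chain = (tweak + key) % N, i[32:]
        if tweak >= N or key == 0:
            raise ValueError("invalid child key; BIP-32 says to use the next index")
    return key.to_bytes(32, "big")


def bip85_password(mnemonic, index, length=21):
    """BIP-85 PWD BASE64 password at m/83696968'/707764'/{length}'/{index}'."""
    if not 0 <= index <= 9999:
        raise ValueError("COLDCARD accepts password indexes 0 to 9999")
    k = derive_hardened(bip39_seed(mnemonic), [83696968, 707764, length, index])
    entropy = hmac.new(b"bip-entropy-from-k", k, hashlib.sha512).digest()
    return base64.b64encode(entropy).decode()[:length]


if __name__ == "__main__":
    for idx in range(3):
        print(idx, bip85_password(MNEMONIC, idx))
```

Anyone who can run this against your real seed words can regenerate every password, so the seed must be protected at least as well as the passwords themselves.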

Incompatible Applications

Although the COLDCARD emulates a keyboard at the lowest possible level, some high-level applications occasionally have trouble with our high-speed typing.

  • KeePass2 2.45 (on Ubuntu): Capital/lowercase letters may be incorrectly typed. Use KeePassXC instead.