BIP-85 Passwords
This feature derives deterministic passwords from your seed using the BIP-85 standard, specifically the PWD BASE64 application. BIP-85 allows for the creation of multiple child keys from a master seed, and in this case, it's used to generate up to 10,000 secure passwords.
In addition, the COLDCARD® can emulate a keyboard so that the generated passwords can be sent as keystrokes via USB to a computer, effectively using the COLDCARD as a specialized password manager.
Requirements
- USB-C cable with data link (won't work with the power-only cable from Coinkite).
- USB Port must be enabled on the COLDCARD.
Type Passwords Over USB
This section guides you through enabling the COLDCARD to emulate a USB keyboard, and securely typing BIP-85 derived passwords directly into a computer.
Steps to Type Passwords Over USB
1. To enable the "Type Passwords" feature, connect your COLDCARD to your host PC with a USB cable (check requirements) and go to: Settings > Keyboard EMU > Enable.
2. The Type Passwords option is now available on the Main Menu.
3. When it is time to enter a secret password, select Type Passwords from the Main Menu. The USB switches to keyboard emulation, and displays Switching... on the screen.
4. Next you will provide the Password Index. This can be any number from 0 to 9999, and will deterministically generate the same password each time. Enter the index number for the password you want to use, and hit ✔/ENTER.
5. It takes a moment to generate the password, and then you can double-check the password to be typed and the BIP-85 path used.
6. To send the keystrokes to your computer, use your mouse to select the password prompt. Then press ✔/ENTER on the COLDCARD. This fills the prompt with your password, and sends an Enter keystroke.
7. You are back at step 4, and can continue to generate passwords, or you can tap X/CANCEL to exit.
Exiting from "Type Passwords" will cause the COLDCARD to turn off keyboard emulation and enable normal USB mode if it was enabled before. Otherwise, USB stays disabled.
View BIP-85 Passwords
The steps below explain how to generate and review BIP-85 passwords on the COLDCARD screen, with options to export them in cleartext via a variety of methods.
Steps to View BIP-85 Passwords
1. Go to: Advanced/Tools > Derive Seed (BIP-85).
2. Press ✔/ENTER, then select Passwords from the next menu.
3. Next, choose the Password Index. It can be any number from 0 to 9999, and will determine the password that is shown. Enter the desired index number, and hit ✔/ENTER to generate the password.
4. The screen shows the generated password, path, and entropy from which the password was derived.
5. Select how to export the password:
All Exports Are Cleartext!
There is no encryption used on the password exports. They should only be used temporarily to move a password and then securely deleted.
COLDCARD Specifics
Keyboard Language Settings
Emulated keystrokes are mapped to specific characters based on your host PC keyboard language settings. For the COLDCARD to be able to type the correct BIP-85 password, your host computer MUST use language settings that correspond to a QWERTY key layout, including the number row directly above QWERTY:
1 2 3 4 5 6 7 8 9 0 - =
Q W E R T Y U I O P [ ] \
A S D F G H J K L ; '
Z X C V B N M , . /
Passwords generated and shown on the COLDCARD will always be correct with respect to BIP-85. However, when sending keystrokes, for example on a German keyboard, what was typed will not match the text that was generated and shown on the COLDCARD's screen.
For example, if the correct password is zYLoepugzdVJvdL56ogNV, using German keyboard settings will result in a different typed output: yZLoepugydVJvdL56ogNV. You can see that the German keyboard is not QWERTY, but QWERTZ (y and z are swapped).
Even with "non-standard" keyboard language settings, the COLDCARD always sends the exact same keystrokes for a specific password index. It is deterministic, as long as the keyboard language settings do not change. However, the typed output will not match the BIP-85 password in this case.
Password Strength
COLDCARD generates passwords with a fixed length of 21 characters, providing approximately 126 bits of entropy. This offers a high level of security, making the passwords resistant to brute-force attacks.
Examples
Using the seed, path, and index below, the COLDCARD will generate the passwords shown in the table:
wife shiver author away frog air rough vanish fantasy frozen noodle athlete pioneer citizen symptom firm much faith extend rare axis garment kiwi clarify
Index | Path | Password |
---|---|---|
0 | m/83696968'/707764'/21'/0' | BSdrypS+J4Wr1q8DWjbFE |
1 | m/83696968'/707764'/21'/1' | TkDX7d9fnX9FZ9QEpjFDB |
2 | m/83696968'/707764'/21'/2' | cvfdmoZL3BcIpJ7G+Rb8k |
3 | m/83696968'/707764'/21'/3' | wsCALdN+GgbSOGyGE9aRN |
4 | m/83696968'/707764'/21'/4' | HfYbWx7gVmUmb2Bw4o4QD |
5 | m/83696968'/707764'/21'/5' | vLOf9WPO5QiPbOTEbz/yJ |
6 | m/83696968'/707764'/21'/6' | 1oSUs7Cy3fnpdh/fAS7EK |
7 | m/83696968'/707764'/21'/7' | seh9WN6mlvPPB5jdVz3xN |
8 | m/83696968'/707764'/21'/8' | U4RD0R0A0RjpHOFtwnv9k |
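The table can be reproduced off-device with the Python standard library alone, because every step of the path is hardened and BIP-32 hardened derivation needs only the parent private key. This is an added example, not COLDCARD firmware code; it assumes the seed words above are used with an empty BIP-39 passphrase, and the function names are illustrative.

```python
# Added example (not COLDCARD firmware code); function names are illustrative.
import base64
import hashlib
import hmac

# Order of the secp256k1 group; BIP-32 private keys are reduced modulo this.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
HARDENED = 0x80000000
PWD_LEN = 21  # COLDCARD's fixed password length

# Seed words from this page's Examples section; empty BIP-39 passphrase assumed.
MNEMONIC = ("wife shiver author away frog air rough vanish fantasy frozen noodle "
            "athlete pioneer citizen symptom firm much faith extend rare axis "
            "garment kiwi clarify")


def master_node(mnemonic, passphrase=""):
    """BIP-39 words -> BIP-32 master (private key, chain code)."""
    seed = hashlib.pbkdf2_hmac("sha512", mnemonic.encode(),
                               b"mnemonic" + passphrase.encode(), 2048, 64)
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return int.from_bytes(digest[:32], "big"), digest[32:]


def hardened_child(key, chain_code, index):
    """BIP-32 hardened private derivation; uses the parent private key only."""
    data = b"\x00" + key.to_bytes(32, "big") + (index | HARDENED).to_bytes(4, "big")
    digest = hmac.new(chain_code, data, hashlib.sha512).digest()
    tweak = int.from_bytes(digest[:32], "big")
    child = (tweak + key) % SECP256K1_N
    if tweak >= SECP256K1_N or child == 0:
        raise ValueError("invalid child key; BIP-32 says to use the next index")
    return child, digest[32:]


def bip85_password(mnemonic, index, pwd_len=PWD_LEN):
    """Return (path, password) for BIP-85 application 707764' (PWD BASE64)."""
    if not 0 <= index <= 9999:
        raise ValueError("COLDCARD accepts a Password Index from 0 to 9999")
    key, chain_code = master_node(mnemonic)
    for step in (83696968, 707764, pwd_len, index):
        key, chain_code = hardened_child(key, chain_code, step)
    # BIP-85: entropy = HMAC-SHA512("bip-entropy-from-k", child private key)
    entropy = hmac.new(b"bip-entropy-from-k", key.to_bytes(32, "big"),
                       hashlib.sha512).digest()
    # PWD BASE64: Base64-encode all 64 bytes, keep the first pwd_len characters.
    return (f"m/83696968'/707764'/{pwd_len}'/{index}'",
            base64.b64encode(entropy).decode()[:pwd_len])

if __name__ == "__main__":
    for i in range(9):
        print(i, *bip85_password(MNEMONIC, i))
```

Run it only with test seeds such as the one above: a real seed entered on a general-purpose computer exposes every key and password derived from it.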
Incompatible Applications
Although the COLDCARD emulates a keyboard at the lowest possible level, some high-level applications occasionally have trouble with our high-speed typing.
- KeePass2 2.45 (on Ubuntu): Capital/lowercase letters may be incorrectly typed. Use KeePassXC instead.