Passphrase
Deterministic, or “seeded,” wallets are wallets that contain private keys that are all derived from a common seed, through the use of a one-way hash function. The seed is a randomly generated number that is combined with other data, such as an index number or “chain code” to derive the private keys.
BIP-39 proposes a standardized way of creating seeds from a sequence of English words that are easy to transcribe, export, and import across wallets. This is known as a mnemonic. Below, there is an example of a seed:
0C1E24E5917779D297E14D45F14E1A1A
whose respective mnemonic is:
army van defense carry jealous true
garbage claim echo media make crunch
In a deterministic wallet, the seed is sufficient to recover all the derived keys, and therefore a single backup at creation time is sufficient. The seed is also sufficient for a wallet export or import, allowing for easy migration of all the user’s keys between different wallet implementations.
A passphrase (also called "seed extension," "extension word," "extension phrase," "13th word," or "25th word.") is an extra security feature that can be used complementary to a crypto seed for restricting access to a crypto wallet. It acts like an extra-long password and may contain multiple words.
If you do not set any passphrase when you configure your wallet, a blank passphrase is used by the wallet to generate your private key. If you do set a passphrase, your wallet generates a different private key that will be used to derive different addresses.
In practice, when a passphrase is set up for a wallet, two wallets will exist: one uses a passphrase, and one does not. It is possible to switch between them by exiting and re-opening the same wallet application, based on whether a passphrase is entered or not.
Hence, if a passphrase is set for a wallet A at the moment of its configuration, any crypto added to it will be visible for whoever knows both the seed and the passphrase. However, any attempt to access wallet A using only the seed (without passphrase) results in a different wallet B with no available cryptos. In the same way, if cryptos are added to wallet B, they are not available in wallet A. In fact, A and B are wallets completely distinct in the blockchain network.
By configuring a more complex setup with one seed phrase and multiple passphrases, indeed multiple wallets are created.
The $5 Wrench Attack
Hypothetically, someone finds out you have a lot of cryptos and threatens you with a cheap wrench they tell you that if you don't hand over your coins, passwords, mnemonics, etc. you're going to be hurt or killed.
Whatever your setup is for storing the majority of your cryptos - be it hot or cold, online or offline, software or hardware - if you can access and spend it in a matter of minutes, so can a robber armed with a $5 wrench.
The following image illustrates what has come to be called a "$5 wrench attack." It humorously shows that a bad actor could just physically force you to open your wallet for them.
To protect against the $5 wrench attack, you could establish a "dummy wallet" by using an "extra" passphrase with your hardware wallet. The ability to show someone a "fake wallet" instead of your real crypto holdings if you are under duress is a form of "plausible deniability."
For example, you could configure three wallets with the same seed phrase and different passphrases. If you access the wallet using no passphrase, it could show you a small amount of crypto that you might use for day-to-day spending. If you access the wallet using the passphrase "My$trongW0rd," it could show you a moderate balance that you might choose to sacrifice to a physical attacker. But if you access the wallet using the passphrase "My$trongW0rd_real," it could show you the majority of your crypto holdings.