A passphrase (the 25th word) is a powerful protection tool, but only if it is created correctly. A weak passphrase is worse than none at all, because it creates a false sense of security.
Rules for a strong passphrase
Length: minimum 12 characters
Cracking time grows exponentially with length: each additional character multiplies it by the size of the alphabet. 8 characters = hours, 12 characters = millennia, 16+ characters = safe from any attack.
Different character types
Use letters (upper and lower case), digits, and special characters. This increases the brute-force alphabet from 26 to 95+ characters.
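The length and character-type rules can be checked and turned into a search-space estimate. The following is an added example, not part of the original page: the function names are illustrative and the guess rate of 10^12 per second is an assumption, chosen because it puts 8 characters from the 95-character alphabet at hours and 12 characters at millennia.

```python
import math
import string

# Assumption (not from the page): an offline attacker testing 10^12 guesses per second.
ASSUMED_GUESSES_PER_SEC = 1e12
SECONDS_PER_YEAR = 365.25 * 24 * 3600
MIN_LENGTH = 12  # the page's minimum length rule

# Character classes from the "Different character types" rule (printable ASCII, 95 total).
CLASSES = {
    "lowercase": string.ascii_lowercase,  # 26
    "uppercase": string.ascii_uppercase,  # 26
    "digits": string.digits,              # 10
    "special": string.punctuation + " ",  # 32 + space = 33
}

def classes_used(passphrase):
    """Names of the character classes that appear in the passphrase."""
    return [name for name, chars in CLASSES.items()
            if any(c in chars for c in passphrase)]

def alphabet_size(passphrase):
    """Alphabet a brute-force search must cover for the classes actually used."""
    return sum(len(CLASSES[name]) for name in classes_used(passphrase))

def worst_case_years(length, alphabet, rate=ASSUMED_GUESSES_PER_SEC):
    """Years to try every string of this length at the assumed guess rate."""
    return alphabet ** length / rate / SECONDS_PER_YEAR

def review(passphrase):
    # The estimate is an upper bound: it holds only if every character is random.
    # Words, names and dates fall to dictionary attacks long before brute force.
    alphabet = alphabet_size(passphrase)
    if alphabet == 0:
        raise ValueError("passphrase is empty or has no printable ASCII characters")
    problems = []
    if len(passphrase) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    missing = [n for n in CLASSES if n not in classes_used(passphrase)]
    if missing:
        problems.append("no " + ", ".join(missing))
    return {"alphabet": alphabet, "bits": round(len(passphrase) * math.log2(alphabet), 1),
            "years": worst_case_years(len(passphrase), alphabet), "problems": problems}

if __name__ == "__main__":
    for sample in ("sunshine", "Tr0ub4dor&3x!Q"):  # constructed samples
        print(sample, review(sample))
```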
Uniqueness
Never reuse a passphrase from another service. If it leaks from any database, your wallet is compromised.
Memorability
The passphrase should be memorable enough that you can reproduce it after years. Use mnemonic techniques or personal associations.
Backup copy
Store the passphrase separately from the seed phrase. If both are stored together, the entire point of protection is lost.