You’re smart and holding your private keys on a hardware wallet. Something like Ledger Nano S/Ledger Nano X, Trezor, KeepKey, BitBox etc. You are pretty sure that no one can take your crypto. It is ultimately protected… sorta. There are still vulnerabilities with a hardware wallet and more than you might think. So how is your crypto wallet security?
Is “okay” security acceptable for your crypto holdings? If you’re a true HODLer you’ve got a sizeable amount of money invested in crypto. I’d consider this anything above $1000-$2000 (USD). Even though hardware wallets are touted as the most reasonably secure way to store your private keys, anyone who custody’s their own crypto should update themselves on crypto wallet security. But don’t worry, it is not complicated, I’ll explain it all below. And not to worry, you are on the right track with your hardware wallet.
This post was inspired and guided by Andreas Antonopolous’ video on Crypto Wallet Security, featured at the bottom of this post. I have added and expanded a few details in my post as well.
Cryptocurrency exchanges have high percentages of their cryptocurrency holdings offline in cold hardware wallet storage. These hardware wallets are not sitting in the CEO’s desk drawer, and they are not carried around in the pocket of the treasurer either… at least not for the large, reputable cryptocurrency exchanges. Their hardware wallets have many highly sophisticated and complex security measures. I’m referring to things like glacier protocol, air-gapped computers, faraday cages, multi-sig wallets, underground vaults with paid guards and security cameras, etc.
The vast majority of people do not have the resources to develop monumental security measures for cold storage of cryptocurrency private keys that large exchanges such as Binance, Bitstamp, Coin Base and Gemini, etc have.
If you attempt complex technical security measures you are at high risk of operational error simply from your own ignorance. Most people do not have PhDs in cryptography or computer science/engineering and the security of these exchanges is, while highly commendable, far exceeding your technical abilities and your security needs.
“Technical complexity is part of the risk model… If your security is more technically complex than your level of skill, then you introduce a very serious risk that you will lose your crypto. Not because it is stolen, but because your ambition for technical excellence exceeded your skill level for technical execution and you frankly messed it up.”
– Andreas Antonopolous
Simple, common sense measures can actually add multiple layers of security and significantly improve your personal cryptocurrency security. Andreas Antonopolous explains it well when he states that there is no single ultimate security element that is a binary thing of either “secure” or “not secure”. Security has multiple factors and levels/layers, each with its own strengths, weaknesses, complexity and durability.
The ultimate crypto wallet security is to identify where your risks are, and then take action to mitigate each risk, ideally in multiple layers. This allows some fail-safes as well since if one layer is compromised you may have other layers of security to protect your cryptocurrency. Keep your solutions simple. It should be simple enough that a loved one could access your cryptoassets relatively easily if something were to happen to you.
Identifying Risk Factors for Crypto Wallet Security:
- Prevent Theft
- Prevent Concentration or single point of failure
- Backup seed words, passphrase
- Environmental disaster (fire, flood/moisture, earthquake, termites eating through paper backups)
- Overly complex security measures (overextend and underachieve on technical execution resulting in operator (human) error and lost private keys. Do not be your own enemy.)
1) Crypto Wallet Security: Prevent Theft
Social Aspect of Crypto Wallet Security
- Do not broadcast on social media or at a bar or social gathering that you own a bunch of cryptocurrencies.
- Especially do not brag if you bought a long time ago and prices have gone up.
- If no one knows that you own cryptocurrency, how could they steal from you?
- At the very least, if people do know, do not tell them that you store your own private keys. Tell them that you keep it on an exchange. Yes, this might be lying, but it is for your own security.
- Physically protect your hardware wallet to prevent theft.
- Hide your hardware wallet. Store your hardware wallet in a safe, or under a floorboard, in a wall safe, or one of those hidden book safes – anything that would be moderately difficult for someone to find.
- If your hardware wallet is in a safe, have the safe bolted to the ground so it is more difficult for someone to steal the safe and break in later.
- Some hardware wallets (Ledger Nano S for sure) have a feature called plausible deniability. This allows you to hold two PINs for two separate wallets on the same device. When you access one wallet with a PIN you only see the crypto in that wallet, there is no exposure of the second, hidden wallet.
- Despite your best efforts to protect your cryptocurrency, sometimes someone will physically attack you and force you to open your hardware wallet and send them your cryptocurrency. Refer to my first point on theft protection: tell no one you own cryptocurrency.
- Please do not ever try to fight back. Your health and life are NOT worth any amount of crypto. Who cares if you have 100 BTC if you’re in a coma, paralysed or dead from an attack?
- With your two wallets on the same device, you keep a smaller amount of crypto on one wallet and the rest on the other wallet. Then when you have been brute forced to enter your PIN, enter the PIN of the smaller value wallet (without alluding that you have a second wallet), send the thief your cryptocurrency and walk away, ideally unscathed.
2) Crypto Wallet Security: Prevent Concentration or a Single Point of Failure
Weak-points in Concentration:
- Having one hardware wallet.
- Having one copy of your seed words or passphrase.
- Storing multiple hardware wallets or backups (seed words/passphrases) in the same physical location.
Spread your crypto
- If you hold all of your cryptocurrency on a single wallet, then you have a concentration point or single point of failure. Meaning that if someone manages to access that hardware wallet, then they can take all of your cryptocurrency.
- You will have to decide for yourself about your risk tolerance for concentration risk. If you have less than $10,000 USD of cryptocurrency then perhaps you might only want one hardware wallet. Someone else might decide to split up their cryptocurrency at the $5,000 USD level, and others may feel fine with up to $75,000 on a single hardware wallet. Personal preference. But the idea is to be aware of this risk and protect yourself within your own risk tolerance.
- Prevent this:
- Have more than one hardware wallet.
- Have multiple copies of your seed words and passphrase, because if they are damaged or lost, then you will not be able to recover your cryptocurrency.
- Do not keep your hardware wallets and/or seed words and/or passphrase in the same geographical location. Move them elsewhere since one physical location counts as a concentration risk.
3) Crypto Wallet Security: Backup seed words, passphrase
- Handwrite your seed words with pen and paper. Do not ever put your seed words on a computer, phone, tablet, etc in any form.
- Make two or three copies.
- The number of copies is a balance between having a backup in case of loss or damage to one set vs. increases your surface area for attack; the more copies of your seed words and passphrase, then higher chance someone might find it.
- Laminate your handwritten seed words and passphrase to protect against moisture/water damage. Or use something like “cryptosteel mnemonic cold storage” which is simply a steel slate designed to mark 12-24 seed words that you can engrave. This makes it waterproof, fireproof and durable.
- Tamper-proof envelope. You may store your laminated (or steel) seed words and passphrase in a tamper-proof envelope so it is obvious if your seed words have been compromised.
- Store your seed word list and passphrase pair for a hardware wallet in geographically different locations. Protects you if one is compromised.
- Store the multiple copies of your seed word list and passphrase in geographically different locations. Protects you against environmental catastrophe (i.e. fire, flood, termites, earthquake).
4) Crypto Wallet Security: Environmental Disasters
- You should also prepare to protect against things such as fire, flood/moisture, earthquakes, termites (eating away at paper copies of seed words).
- There are two primary methods to protect against environmental disasters:
- Use a fire-proof, water-proof, shock-proof/durable safe.
- Store the safes in geographically different locations, relatively far apart so as not to experience the same environmental risks.
- If you do not have the luxury of having two physical locations, at the very least having a fire-proof, water-proof, shock-proof/durable safe will do quite a bit to protect you.
5) Crypto Wallet Security: Overly Complex Security Measures
- Keep your life simple. If you overcomplicate your cryptocurrency security you will make it difficult for yourself to access it and are more likely to forget how to access something that you securely locked up. Whether it is losing the key to a safe, or forgetting a PIN or having too many copies of a seed word list and one of them gets lost or compromised.
- Complicating your security will lead to increased risk for operator (you) error – aka you mess up your own security and lock yourself out of access to your own cryptocurrency, or worse, lose/forget a password to access your cryptocurrency.
If you follow the above five steps to crypto wallet security then you greatly enhance the protection that a hardware wallet offers. The hardware wallet will protect your private keys, and you protect access to the hardware wallet.
The main principles for crypto wallet security are: keep your investments unknown/private, spread large amounts of cryptocurrencies between different wallets, backup your seed words and passphrase, protect the seed words, passphrase and physical hardware wallet in high-quality safes.
Even though I definitely endorse keeping your investments private, I definitely think that it would be a good idea to tell someone that you do have cryptocurrency. Tell one to three people who you trust, who are mature and who are at least moderately intelligent. It is important to do this so that if any tragedy were to befall you, your cryptocurrency wealth does not become lost. Many people do not like to consider this possibility, or simply do not care because they would be dead. But wouldn’t you want your loved ones to be able to access/inherit your cryptocurrency estate? If you do not want to tell anyone about your cryptocurrencies while you are alive, you could always write a letter in your Will for your executor or loved ones to learn about your cryptocurrency wealth.
This tragedy happened to the QuadrigaCX Founder and now hundreds of millions of dollars worth of cryptocurrency are locked on a cold wallet that no one else has access to.
Please enjoy the YouTube video of Andreas Antonopolous answering the question “Are hardware wallets secure enough?”
Use the advice from Andreas Antonopoulos