Hardware Wallets are NOT as Secure as you Think they are. And NOT the Best Option For Storing your Cryptocurrency Long-term Either

in #cryptocurrency, 7 years ago (edited)

Hardware wallets are thought of as the holy grail of coin storage: the best option to safely and securely store your cryptocurrency, provided you intend to HODL it long-term rather than actively trade. It's also continually beaten into our heads to get a 'hardware wallet' such as a Trezor or Ledger. Today I'd like to cast some doubt on whether it really is the most secure option, and offer some alternatives.

Ian Balina, a semi-famous ICO advisor & promoter, just had over $2M USD worth of cryptocurrency stolen from his non-hardware wallets, which has resulted in this post becoming the top one currently on /r/cryptocurrency - https://www.reddit.com/r/CryptoCurrency/comments/8cnqpu/warning_protecting_yourself_in_crypto_world/ where OP has suggested buying not one but TWO hardware wallets minimum. 

Problems With Hardware Wallets

The underlying cryptography allowing only authorized users to access their funds is as safe and secure as can be. Even for the most powerful supercomputers on earth it would take hundreds of years to crack the encryption used, something both completely impractical and cost prohibitive. The problem is how users can safely and securely store their private keys in a way that allows only them to access them.

Hardware wallets themselves are fairly secure in the sense that if someone else gets their hands on your wallet, it's highly unlikely they'll be able to break the encryption without having the necessary password. It's worth noting that in recent months, no fewer than 2 Ledger exploits have been posted which would allow an unauthorized user to gain access to your funds if they managed to get your hardware wallet. While Trezor is widely considered to be more secure, some people hypothesize that Trezor can still be exploited.

However, even if these hardware wallets can't be exploited, it doesn't mean they're secure. For starters, a wallet is only as secure as the password you're using. How secure is the password you're using to access it? Where else do you use this password? Do you use variants of this password elsewhere? Who else knows your password? And where are you storing your password should you forget it? Because let's face it, if it's a bunch of random letters and numbers, as it should be, you can forget it. Perhaps you just emailed it to yourself at some point, as most people do? Or do you have it stored on a piece of paper in your desk or in a file cabinet, which someone else could physically access?

Now let's say you lose your hardware wallet. Either it breaks, someone steals it, or you just plain lost it. The only way to get your funds back is via your recovery phrase. Again, just like with your password, where are you storing the recovery phrase? 

Most people don't have the technical know-how to exploit a hardware wallet if they had one. The weak point is the storing of this information. Are you storing your recovery phrase in a secret crevice or a piece of furniture you might throw out one day and forget about? Storing it in an email account that may one day get hacked or that you lose access to? Or perhaps you just store it in a text file on your computer in some random ass folder.

All of these options are HIGHLY insecure.

Storing in Multiple Locations

Remember, even if you don't get hacked & have your private keys or passphrases stolen, if you elected to keep your recovery phrase in a single safe place, and you lose access to it or forget about it, it's as good as stolen since you can't get it back!

Hence why it's so important to have your information stored in MULTIPLE LOCATIONS. However, it must be securely stored in all locations.

Paper Wallets

Paper wallets are thought of as being the 'safest' option. Even safer than hardware wallets. You simply write your private keys & necessary passphrases down on a piece of paper, and store it in a highly secure location that only you have access to. Ideally a physical safe. But paper wallets still have risks. What if your house burns down? Or perhaps you've given a significant other or family member access to the safe - perhaps you store other things in the safe as well and they betray you and steal your funds. What if you're robbed at gunpoint and the robber sees the safe in your house? Even if you refuse to open the safe, what if they simply steal the safe itself - you then have no access to it, even if they never get into it either!

This is why it's always important to have your cryptocurrency stored in multiple locations, but it needs to be very safely secured in each location. One person I know elects to use paper wallets, storing one copy in a safe that only he has access to, and another as a letter in a bank safety deposit box.

There are still risks here though, and this is a fairly expensive option for most people to set up. Safety deposit boxes aren't cheap, and neither are (good) safes.

A Better Option

The option I recommend to help get around these hurdles is essentially to have an ENCRYPTED text file on a computer & in a 2nd location as well. Personally, I would consider this to be a form of paper wallet, except a digital version of one. Simply write down your public keys, private keys & passphrases in a text file, Word file, or Excel file and save. The encryption part and storing it in a 2nd location is EXTREMELY important, because:

a) Your computer could be stolen or lost

b) Your computer could break down

c) If someone ever has access to your computer and finds the unencrypted file, your funds are as good as gone

d) Hard drives have a 100% failure rate.

Now, when it comes to the encryption, you had better not be using something like WinRAR which my grandmother could crack. You need to properly encrypt the data with SHA-256 or SHA-512 encryption. There's a wide variety of tools out there that do this effectively, some better than others. Personally, my favourite is VeraCrypt. It's free, open source, and regarded as perhaps the best encryption tool out there. There's a variety out there though, so definitely do your own research.

Storing your Encrypted File

For reasons already stated above, you want to be storing your encrypted file in at least 2 locations. Maybe 3. You needn't worry about someone actually cracking the encryption of your encrypted file, but nonetheless, I don't recommend enticing the public to try by making it publicly available or by posting it on Telegram.

One of the locations you store your encrypted file in should be on your computer, ideally in a folder not too readily accessible. One location should be a cloud location. That could be your Google Drive, email, or Dropbox. Be careful though about storing it on the same email as you have on your phone. Someone can readily access this email without having your email password! I do generally recommend a 3rd location to be extra safe. That could be a USB drive, an alternate email address, or an extra computer.

Do remember to use a highly secure password and drill this password into your head. It's your most important password. Don't store it anywhere. Delete the unencrypted text file from your computer, but first check that you can successfully decrypt the virtual drive you've encrypted it on, since going forward you will need to decrypt first to access your funds. Only keep the encrypted file. When you need to access your funds, decrypt the file. And as always, delete any unencrypted files again after use.
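The steps above (encrypt, confirm it decrypts, copy to several locations, only then delete the plaintext) as an added shell example; it is not the author's code and it substitutes OpenSSL's `enc` command for VeraCrypt. It assumes OpenSSL 1.1.1 or later and `sha256sum` are installed, and the function name and paths are hypothetical.

```sh
#!/bin/sh
# Added example. Assumes OpenSSL 1.1.1+ (for -pbkdf2) and sha256sum.
# seal_and_distribute and all paths are hypothetical names.

ITER=200000   # PBKDF2 rounds; must be identical for encrypt and decrypt

# Hex SHA-256 of a file, or of stdin when called without arguments.
sha() { sha256sum "$@" | cut -d' ' -f1; }

# seal_and_distribute PLAINTEXT PASSPHRASE DEST_DIR...
# Returns 0 only when the plaintext was removed after every check passed.
seal_and_distribute() {
    plain=$1; pass=$2; shift 2
    enc="$plain.enc"

    # AES-256 does the encrypting. SHA-512 is only the hash inside PBKDF2,
    # which stretches the passphrase into the AES key. The passphrase is
    # fed on stdin so it is never an argument of the openssl process.
    printf '%s\n' "$pass" | openssl enc -aes-256-cbc -salt -pbkdf2 \
        -iter "$ITER" -md sha512 -in "$plain" -out "$enc" -pass stdin || return 1

    # Round trip: decrypt to a pipe (no scratch file) and compare hashes.
    # CBC is unauthenticated, so compare content rather than trusting
    # openssl's exit status.
    got=$(printf '%s\n' "$pass" | openssl enc -d -aes-256-cbc -pbkdf2 \
        -iter "$ITER" -md sha512 -in "$enc" -pass stdin 2>/dev/null | sha)
    if [ "$got" != "$(sha "$plain")" ]; then
        echo "decrypt check failed; plaintext kept" >&2; return 1
    fi

    # Copy the ciphertext to every location and confirm each copy is intact.
    want=$(sha "$enc")
    for dest in "$@"; do
        cp "$enc" "$dest/" || return 1
        if [ "$(sha "$dest/$(basename "$enc")")" != "$want" ]; then
            echo "copy in $dest differs; plaintext kept" >&2; return 1
        fi
    done

    # Reached only when every check passed. rm unlinks the file; it does
    # not overwrite the blocks it occupied on disk.
    rm -f "$plain"
}
```

If any destination is unreachable or any hash differs, the function returns non-zero and the plaintext stays where it was.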

Let me know your thoughts. Is this a more secure way than hardware wallets or not?

