Key insights on digital wallets security
The buzz around the recent Ledger case has sparked concerns about the security of crypto wallets, particularly focusing on the reliability of cold wallets. Not only are their different types juxtaposed, where the differences are clearly perceptible even for an averagely versed user, but the focus is now solely on cold wallets – considered the safest so far.
Once again it turned out that in the realm of digital wallets and the protection of our valuable assets, security takes center stage. With this in mind, let’s explore the key notes that shed light on the vital topic of digital wallet security.
Cold is not enough
For the record, a cold wallet is an offline wallet that is usually provided by hardware – for example: Ledger wallet or Trezor wallet. Without access to the Internet, it guarantees an elevated level of security than a hot wallet, which makes it makes it an immensely stronger solution for safeguarding assets.
However, there are numerous examples of methods that hackers might employ to compromise cold wallets. There would be no story if there was a system entirely immune to hacking. What is more, in the blockchain realm, even the most advanced access can be the least protective against its user. This notion may sound disconcerting, but fear not, as further revelations await.
Eager to learn more about cybersecurity and blockchain technology? Soon we will launch our proprietary training series with industry-recognized authorities. Now you can influence it! Share your opinion to tailor the educational program to your needs and interests. Note that the survey is in Polish.
HEADS UP: survey participants will be granted a special discount!
Complete the survey 👉 bit.ly/bitfold_survey.
Help us shape the future of blockchain technology.
With or without you
The exceptional emphasis on private key protection is a direct result of the decentralized nature of cryptographic assets. In the blockchain network, there is simply no intermediary institution involved in the process as a third party. On the one hand, third parties somehow guarantee the safety of these funds in the case of hacker attacks or other unwanted situations, but at the same time, they technically become their actual owners.
However, the landscape of cryptocurrencies presents a different scenario. Cyber thieves can thrive in this environment, capitalizing on the fact that virtual funds exist outside the bounds of conventional, state-regulated circulation. Here, the blockchain network unveils its other side, offering a level of pseudo-anonymity that is essentially unattainable in traditional banking systems.
This is why it becomes paramount for anyone venturing into cryptocurrency investment to view the safeguarding of their digital assets as a fundamental responsibility in this exciting journey.
As if from a movie
Some may recall a science fiction film from the 1990s starring Keanu Reeves, that revolves around a courier named Johnny, whose brain is implanted with a mnemonic device. Equipped with this, Johnny can securely store vast amounts of data in his mind, utilizing a mnemonic phrase as the key to access and retrieve the information. This extraordinary capability allows him to store and transport highly sensitive data, making him a sought-after target by various factions as the story unfolds, raising questions about the potential vulnerabilities associated with mnemonic storage.
The dystopian plot now smoothly transitions us into the realm of security devices. A mnemonic, also known as a seed phrase, or recovery phrase, consists of 12, 18, or 24 words. Setting up a mnemonic is a crucial requirement during the initialization process of a hardware wallet. The phrase plays a critical role, serving not only for wallet recovery, seed generation, and overall security but also for convenience, privacy, and deniability. Once set, it empowers users to securely store and restore their wallets, providing resilience against device loss, damage, or obsolescence.
Which came first
One minor distinction would be useful there, not entirely practical for the average user, but beneficial for those who want to understand the technology better. While considering two terms – seed and mnemonic – we notice using them interchangeably. Digging a little deeper, we can see that at the very beginning there is a mnemonic, not a seed. It is from the mnemonic that the seed is generated, and only from this seed are the private keys derived, as well as specific blockchain addresses in the next step.
Mnemonic acts as a human-friendly representation of the seed. In case a hardware wallet becomes unavailable or unsupported, users can extract their seed from the mnemonic phrase. This flexibility allows users to regain control of their funds even if the specific hardware wallet device or software is no longer accessible or maintained.
Let the dice roll
Alright, but where does the mnemonic come from? Let’s shed some light on the entropy source, which refers to the measure of randomness or unpredictability utilized to generate secure keys and ensure the strength of cryptographic systems. Extensive scientific research has demonstrated that humans are remarkably ineffective as entropy sources. Therefore, when generating a mnemonic, it is imperative to employ cutting-edge methods that harvest entropy from silicon-based devices.
For now, let’s just mention that true random number generators (TRNGs) are considered the optimal entropy sources, although not absolutely safe. Ideally, these generators leverage environmental factors like electric resistance or atmospheric noise to introduce additional randomness into operations. Now witness the true power of nature!
This topic warrants a more comprehensive exploration, which I encourage you to delve into through enlightening webinar of Rafał Kiełbus, our Head of Blockchain. You will find valuable insights, including a hint for self-generating mnemonics using dice, coins, or cards.
Shielding the core
Sounds obvious that what is most precious deserves multiplied protection. In some of the most security-advanced devices, a special chip has been used – a secure element (SE). Nestled within hardware wallets, it assumes the responsibility of safeguarding valuable data – our seed phrases and private keys. By leveraging the security features SE isolates the data from potential threats on the main device and implements robust access controls and cryptographic operations. With its deployment, you can forge ahead with confidence, knowing that our digital assets are shielded by an advanced layer of security.
However, it’s important to note that the effectiveness of a secure element relies not only on its design but also on the implementation, and adherence to best security practices throughout the device’s lifecycle, as well as – and that was the case of the Ledger firmware updates.
Foolproof range
The use of decentralized technologies has many advantages from the point of view of actual control over the accumulated funds. However, they shift the burden of care for security to the wallet user, which must not be forgotten when reaching for these solutions.
To mitigate the variety of risks, users should follow best practices such as securely storing backups of their mnemonic phrases, above all using strong and unique mnemonics, and keeping them confidential. Additional security measures like passphrase encryption or using hardware wallets with robust security features are strongly advised to consider. Users can significantly reduce the chances of mnemonic-related issues and potential backfires by being vigilant and proactive in safeguarding their mnemonics.
Power unleashed
In the persevering quest for digital security, there is one fundamental truth we must repeat like a powerful mantra: true ownership of our devices and assets lies solely with a properly generated and securely stored mnemonic phrase. It’s a golden key that grants us access to our cherished digital realm, rendering the possession of the physical device irrelevant.
Let this principle echo in our minds: once we possess the mnemonic, we hold the power to unlock all the stored assets, regardless of device ownership.
—