There are several must do steps in securing your cryptocurrency wallet. Make sure you're doing them.

What's the best way to ensure that your cryptocurrency hardware wallet is safe and secure? There are three essential steps that you should take to keep your crypto safe.

  1. Create and Secure a 24 Word Seed Phrase
  2. Create and Secure an extra Passphrase to create a hidden wallet
  3. Create and Secure your PIN

Create and Secure a 24 Word Seed Phrase

The first step in securing your hardware wallet is creating a secure 24 word Seed Phrase. This is a randomly generated phrase chosen from a list of 2048 words that is used to help create the set of keys needed to store your crypto.

Even though shorter phrases (12 or 18 words) are usually possible for most hardware wallets, you should use the 24 word option, which is the most secure.

Seed phrases used with hardware wallets are based on Bitcoin Improvement Proposal #39 specifications (BIP39). This means that if your wallet breaks and the manufacturer has gone out of business, it is possible to restore your wallet on another BIP39 compliant hardware wallet and still access your coins.

BIP39 Word List
You should use a 24 Word Seed Phrase. This is preferable over the shorter and less-secure 12 and 18 word phrases.

There are 2048 words to choose from, so selecting a 12, 18, or 24 word seed phrase will result in a cosmically large number of possible permutations. The number of possible 24 word phrases is roughly equivalent to 30% of the number of atoms in the known universe!

This 2048 word list is just an indexed set of words, so when you are assigned a Seed Phrase word, you're really just provided with an ordinal position on this list. If you prefer to see your phrase in Spanish, your phrase can be chosen from a different set of Spanish words. The same generated Seed Phrase will have different words with different meanings, but each word will have the same numeric position in the language-specific list. This is done in an effort to support Hodlers of every language.

| Word Count | Combinations |
|---|---|
| 12 | \( 2048^{12} = 5,444,517,870,735,015,415,413,993,718,908,291,383,296 \) |
| 18 | \( 2048^{18} = 401,734,511,064,747,568,885,490,523,085,290,650,630,550,748,445,698,208,825,344 \) |
| 24 | \( 2048^{24} = 29,642,774,844,752,946,028,434,172,162,224,104,410,437,116,074,403,984,394,101,141,506,025,761,187,823,616 \) |
Every valid seed phrase must conform to algorithmic checksum rules, so once you've selected your second-to-last word, there are only a handful of words that can be used as your last Seed Phrase word.

This means the actual number of valid Seed Phrase permutations is slightly smaller than the numbers above.
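The index-based view of the word list and the checksum rule above can both be shown in a few lines. The following is an added example, not code from the original article or from any wallet vendor: it works purely on word positions (0 to 2047), which is what stays constant across the English, Spanish and other BIP39 lists, so no word list needs to be embedded. It computes the raw combination counts from the table, the number of phrases that also pass the checksum, and, for a given first 23 words, exactly which positions are allowed for the 24th word. The function names are this example's own. The all-zero entropy used in the demo is the public BIP39 test vector and must never be used for real funds.

```python
import hashlib
import secrets

# A BIP39 word list has 2^11 = 2048 entries, so each word carries 11 bits.
WORDLIST_SIZE = 2048
BITS_PER_WORD = 11
VALID_ENTROPY_BITS = (128, 160, 192, 224, 256)   # 12, 15, 18, 21, 24 words


def entropy_and_checksum_bits(word_count):
    """Split a mnemonic's bits into entropy (ENT) and checksum (CS) bits.

    BIP39 requires word_count * 11 == ENT + CS with CS == ENT / 32, which only
    works out for 12, 15, 18, 21 and 24 words.
    """
    total = word_count * BITS_PER_WORD
    ent = total * 32 // 33
    cs = total - ent
    if ent not in VALID_ENTROPY_BITS or cs != ent // 32:
        raise ValueError(f"{word_count} words is not a valid BIP39 length")
    return ent, cs


def raw_combinations(word_count):
    """Every ordered sequence of words, checksum ignored (the table's numbers)."""
    return WORDLIST_SIZE ** word_count


def valid_phrases(word_count):
    """Sequences that also pass the checksum: exactly one per entropy value."""
    ent, _ = entropy_and_checksum_bits(word_count)
    return 2 ** ent


def checksum_bits(entropy, cs):
    """First CS bits of SHA-256(entropy); CS is at most 8, so one byte suffices."""
    return format(hashlib.sha256(entropy).digest()[0], "08b")[:cs]


def entropy_to_indices(entropy):
    """Generation direction: raw entropy bytes -> list of word indices."""
    ent = len(entropy) * 8
    if ent not in VALID_ENTROPY_BITS:
        raise ValueError("entropy must be 16, 20, 24, 28 or 32 bytes")
    bits = format(int.from_bytes(entropy, "big"), f"0{ent}b")
    bits += checksum_bits(entropy, ent // 32)
    return [int(bits[i:i + BITS_PER_WORD], 2)
            for i in range(0, len(bits), BITS_PER_WORD)]


def is_valid_indices(indices):
    """Validation direction: do these word indices carry a correct checksum?"""
    if any(not 0 <= i < WORDLIST_SIZE for i in indices):
        raise ValueError("word index outside the 2048-entry list")
    ent, cs = entropy_and_checksum_bits(len(indices))
    bits = "".join(format(i, "011b") for i in indices)
    entropy = int(bits[:ent], 2).to_bytes(ent // 8, "big")
    return bits[ent:] == checksum_bits(entropy, cs)


def valid_last_word_indices(prefix):
    """All indices that complete `prefix` (all words but the last) to a valid phrase.

    The final word's 11 bits are (11 - CS) free entropy bits followed by the CS
    checksum bits, so there are 2 ** (11 - CS) choices: 8 for a 24-word phrase,
    128 for a 12-word phrase.
    """
    entropy_and_checksum_bits(len(prefix) + 1)   # reject impossible lengths early
    return [i for i in range(WORDLIST_SIZE) if is_valid_indices(prefix + [i])]


def random_indices(word_count=24):
    """Fresh phrase from the OS CSPRNG (a real hardware wallet uses its own RNG)."""
    ent, _ = entropy_and_checksum_bits(word_count)
    return entropy_to_indices(secrets.token_bytes(ent // 8))


if __name__ == "__main__":
    for n in (12, 18, 24):
        print(n, "words:", raw_combinations(n), "sequences,",
              valid_phrases(n), "pass the checksum")
    # Public BIP39 test vector (32 zero bytes): 23 x "abandon" then "art" (index 102).
    print(entropy_to_indices(bytes(32)))
    print("allowed 24th words after 23 x index 0:", valid_last_word_indices([0] * 23))
    print("random 24-word phrase as indices:", random_indices(24))
```

Because the last word carries 8 checksum bits, only 1 in 256 random 24-word sequences is valid, which is why a phrase with a single mis-copied word is almost always rejected by the wallet rather than silently restoring a different, empty wallet.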

How to Secure your Seed Phrase

NEVER store your Seed Phrase electronically in ANY FORM.

Do not save it in a text file.
Do not save it in a Google Docs file.
Do not save it in a password management tool (e.g. LastPass or 1Password).
Do not take a photo of the written down phrase.

This means you need to write it down on paper, or better yet, you should scribe it or stamp it on metal. This copy of your Seed Phrase should be stored in a home safe or a safe deposit box (and additional precautions should be taken when using a safe deposit box).

24 word Seed Phrase

This also means that you should not take a picture of it! Digital photos often end up on a Cloud server (either purposely or accidentally), where they can be scanned with OCR software and easily checked for words on the seed phrase list.

And for this same reason, you should make sure you don't write the phrase down within visibility of a security camera, even within your own home.

Exposure

Any person who has access to your Seed Phrase can recreate your wallet without requiring physical access to your hardware wallet AND without knowing your PIN. They can access all the crypto in your (main) wallet. This is why protecting your Seed Phrase IS THE MOST IMPORTANT STEP in securing your hardware wallet.

Phishing scams that get crypto hodlers to volunteer their seed phrase are amongst the most prevalent of ALL crypto scams. Seed Phrase phishing scams have resulted in the looting of millions of dollars worth of crypto. You need to ensure you keep your seed phrase 100% offline.

And you should be extremely cautious about storing your seed phrase in a bank safe deposit box.

NYT Article: Safe Deposit Boxes Aren't Safe
Philip Poniz had $10 Million in watches taken from him when Wells Fargo seized the contents of the wrong safe deposit box.

Not only is the safe deposit box susceptible to "legal" seizure by law enforcement, it is also susceptible to theft from a bank employee with a drill or even just a careless employee who seizes the contents of the wrong box.

If there is a "reasonable" suspicion that illegal items may be in a safe deposit box, law enforcement officials can obtain a court order to freeze the owner's access to it. In criminal cases, investigators can force the box open and seize its contents. To take your crypto, they wouldn't even need to seize the contents - they might just snap a photo of your Seed Phrase and restore your wallet when they got off work.

The passphrase protects you in situations like this.

A seed phrase stored with a third party isn't safe unless you combine the next security measure (the passphrase).

Create and Secure a "Passphrase" for your Seed Phrase

The major hardware wallets all support an additional passphrase, sometimes referred to as a "25th Word".

Of the three precautions that I've listed as "essential", this is the only one that is not strictly required by hardware wallet manufacturers.

This passphrase can be used to create a "hidden" wallet (or multiple hidden wallets). This is a passphrase of your own choosing, and isn't limited to the 2048 word list in the above seed phrase. It is suggested that your passphrase be a randomly generated string of characters, similar to a password generated by a password manager. You may also use a string of words separated with spaces if so desired.

The implementation of the passphrase is defined by BIP32.

Enter a Passphrase
Use a passphrase to unlock a hidden wallet or wallets.

The passphrase protects your crypto from falling into the wrong hands if someone gets a hold of your Seed Phrase. Without the extra passphrase, anyone with physical access to your Seed Phrase would have the ability to reconstruct your wallet and gain access to your crypto - even if you believe it's "protected" by being in a safe deposit box.

How to Secure your Passphrase

Your Passphrase may safely be stored digitally using a password manager like LastPass or 1Password. NEVER STORE YOUR PASSPHRASE WITH YOUR SEED PHRASE!

Exposure

If someone is able to obtain your Passphrase, it's pretty worthless unless they also know your entire seed phrase. This is why you should never store your Seed Phrase and your Passphrase together.
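The two points above (the passphrase creates separate hidden wallets, and a passphrase on its own is worthless without the seed phrase) follow from how the seed is derived. The following is an added example, not code from the original article: it implements the standard BIP39 seed derivation (PBKDF2-HMAC-SHA512, salt "mnemonic" + passphrase, 2048 rounds, 64-byte output) using only the Python standard library. The mnemonic used is the public BIP39 test vector and must never hold real funds; the function names are this example's own.

```python
import hashlib
import unicodedata

# Constructed example: the public BIP39 test vector for 16 zero bytes of entropy.
EXAMPLE_MNEMONIC = "abandon " * 11 + "about"


def bip39_seed(mnemonic, passphrase=""):
    """Derive the 64-byte wallet seed from a mnemonic and an optional passphrase.

    BIP39: PBKDF2-HMAC-SHA512 over the NFKD-normalised mnemonic, salted with
    "mnemonic" + passphrase, 2048 iterations. The empty passphrase is the
    "main" (non-hidden) wallet; any other string opens a different wallet.
    """
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, dklen=64)


def wallets_for(mnemonic, passphrases):
    """Map each passphrase to the (hex) seed it unlocks for this mnemonic."""
    return {p: bip39_seed(mnemonic, p).hex() for p in passphrases}


def opens_same_wallet(mnemonic, passphrase_a, passphrase_b):
    """True only if both passphrases derive the identical seed.

    There is no "wrong passphrase" error in BIP39: a typo (even a trailing
    space) silently yields a valid but empty wallet, which is exactly why the
    text recommends storing the passphrase in a password manager.
    """
    return bip39_seed(mnemonic, passphrase_a) == bip39_seed(mnemonic, passphrase_b)


def seed_depends_on_both(mnemonic_a, mnemonic_b, passphrase):
    """True when the same passphrase gives different seeds for different
    mnemonics, i.e. the passphrase alone reveals nothing without the seed phrase."""
    return bip39_seed(mnemonic_a, passphrase) != bip39_seed(mnemonic_b, passphrase)


if __name__ == "__main__":
    for p, seed in wallets_for(EXAMPLE_MNEMONIC, ["", "correct horse", "correct horse "]).items():
        print(repr(p), "->", seed[:16], "...")
    print("typo opens same wallet?",
          opens_same_wallet(EXAMPLE_MNEMONIC, "correct horse", "correct horse "))
```

The derivation is deterministic, so the same seed phrase and passphrase always reproduce the same wallet on any BIP39-compliant device, and it is a one-way function, so neither input can be recovered from the seed.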

Create and Secure a PIN for your Hardware Wallet

Every hardware wallet requires a PIN. You should choose a 6-digit PIN (or longer if possible) that you must enter to access coins in your crypto hardware wallet.

You may need to enter your PIN several times when performing operations with your wallet, such as sending your crypto to another address.

How to Secure your PIN

Your PIN may also be stored digitally using a password manager like LastPass or 1Password. You should NOT write down your PIN.

Protect your hardware wallet with a PIN
A PIN will protect your initialized hardware device.

Exposure

Anyone who has physical access to your active hardware wallet can access and remove your funds if they know your PIN. This is why it should be safe to keep it stored in a cloud-based password manager. Hackers half-way around the world wouldn't be a threat because they can't connect your hardware wallet to their USB port, so storing your PIN in the cloud is just fine.

It's crucial to understand that a PIN ONLY protects you if your physical hardware wallet falls into the wrong hands. If a bad actor knows your seed phrase and your Passphrase (assuming that you've set this), then they can re-create your wallet without ever knowing your PIN.

Summary of the Most Critical Security Measures

| | Seed Phrase | Passphrase | PIN |
|---|---|---|---|
| Thief Requires Physical Wallet Access? | NO | NO | YES |
| Exposure | Still need Passphrase (if set) | Still need Seed Phrase | Need physical hardware wallet |
| Storage | Written on paper or scribed on metal | Password Manager | Paper/Password Manager/Memory |
| Precautions | Never record this digitally. | Never store this with the seed phrase. | Never write this near the physical device. |

Additional Tips for Securing and Protecting Your Hardware Wallet

Along with the three above critical security measures, there are additional tactics you can use to keep your crypto safe.

Use a Decoy (Non-Hidden) Wallet

Protects from $5 Wrench Attack

If you use a Passphrase and someone found your full 24 Word Seed Phrase and attempted to recover your wallet, they would see that the wallet is empty. If they knew about Passphrase security, they might go to the effort of trying to find out your Passphrase. They might resort to using a "$5 Wrench Attack".

Imagine a scenario where home invaders (who know you have crypto) tie you up and break open your safe. In your safe, they find a sheet of paper with your 24 Word phrase. Being knowledgeable about crypto, they restore the phrase and find a wallet with no crypto.

Since they know your Seed Phrase is valid, they resort to physical force (e.g. a $5 wrench) to get you to surrender the Passphrase, which would allow them to access all your crypto.

Decoys work with Crypto Wallets, too!
If you have a fake/decoy wallet with a small fraction of your fortune in it, it could save you from financial ruin as well as physical harm.

But if you put a fraction of your crypto (perhaps 1% to 5%) in the main wallet associated with your 24 Word Seed Phrase, when they recover the wallet, they may believe they found your main stash. They may not go through the extra effort of trying to find your Passphrase if they think they already hit the jackpot.

You can even have a decoy hidden wallet as an additional layer of protection.

Don't Write Your Seed Phrase in the Correct Order

Protects Seed Phrase

In the classic 1981 film Raiders of the Lost Ark, Nazis were able to copy the instructions for creating the Staff of Ra, a device used in a special map room to help pinpoint the location of the prized Ark of the Covenant. But the Nazis only copied part of the instructions and didn't have an important piece of the puzzle (the back side of Ravenwood's medallion) which said to cut part of the staff.

You can do something similar with your 24 Word Seed Phrase. Write it down in order with one or two words reversed in order or replaced. Then in a password manager, include instructions on what changes to make when restoring the wallet. If a thief finds the physical copy of your seed phrase, when they try to restore your wallet, they'll be "digging in the wrong place!" Bonus points if you sprinkle some crypto-dust into the decoy wallet.

Use a Decoy PIN

Accelerates "Self-Destruct" Mechanism for your Hardware Wallet

It's a somewhat common tactic to write a fake PIN on your bank's ATM card. If your card is lost or stolen, a thief might try to use your card and withdraw funds. But if you write a fake PIN on your card, the thief could try to use it, and after several failed attempts to access your account, your card would be automatically locked in accordance with your bank's security policy.

Crypto wallets will reset after a certain number of failed attempts.
A decoy PIN can increase the likelihood that a thief can't access your hardware wallet.

You might write down a fake or invalid PIN somewhere near your physical hardware wallet. If you do this, write down the longest number that is still valid as a PIN length for your device. And make sure you make a few of the numbers ambiguous (Is that a '1' or a '7'? Is that a '6' or a '0'?). This will increase the chances that the thief will make multiple attempts to unlock your wallet.

You can also write several different fake PINs to add to the confusion.

Most hardware wallets make you wait a while between PIN entries, with your wait time growing exponentially longer between unsuccessful attempts. Also, there is usually an upper limit to attempts, with the device wiping itself when the user makes too many bad attempts in a row.

A decoy PIN can help accelerate the activation of this self-destruct mechanism.
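To make the backoff-plus-wipe behaviour concrete, here is an added model of a device-side PIN check, written for this page and not taken from any wallet's firmware. It assumes a doubling wait after each failure and a wipe after 16 consecutive failures (both are this model's own constants; real devices choose their own), stores only a salted hash of the PIN, and compares in constant time. The `simulate_guesses` helper shows how many attempts and how much mandatory waiting a sequence of wrong PINs costs before the device wipes itself, which is the effect the decoy PIN is meant to trigger.

```python
import hashlib
import hmac
import secrets

MAX_FAILED_ATTEMPTS = 16     # assumption for this model; real devices set their own limit
PIN_MIN_LEN, PIN_MAX_LEN = 4, 50
KDF_ROUNDS = 10_000


class HardwareWalletPin:
    """Model of a device-side PIN verifier.

    - The PIN is never stored; only a salted PBKDF2 hash of it is kept.
    - Comparison is constant-time to avoid leaking how many digits matched.
    - Each failure doubles the mandatory wait before the next attempt.
    - Too many consecutive failures wipe the device (seed and passphrase gone).
    """

    def __init__(self, pin):
        self.salt = secrets.token_bytes(16)
        self.pin_hash = self._hash(pin)
        self.failed = 0
        self.wiped = False

    def _hash(self, pin):
        if not (pin.isdecimal() and PIN_MIN_LEN <= len(pin) <= PIN_MAX_LEN):
            raise ValueError(f"PIN must be {PIN_MIN_LEN}-{PIN_MAX_LEN} digits")
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, KDF_ROUNDS)

    def wait_seconds(self):
        """Mandatory wait before the next try: 0 s with no failures, then 1, 2, 4, ... s."""
        return 0 if self.failed == 0 else 2 ** (self.failed - 1)

    def try_unlock(self, pin):
        """Return 'unlocked', 'wrong' or 'wiped'."""
        if self.wiped:
            return "wiped"
        if hmac.compare_digest(self._hash(pin), self.pin_hash):
            self.failed = 0
            return "unlocked"
        self.failed += 1
        if self.failed >= MAX_FAILED_ATTEMPTS:
            self.wiped = True
            self.pin_hash = b""          # secrets gone; only a full restore from seed works now
            return "wiped"
        return "wrong"


def simulate_guesses(device, guesses):
    """Feed guesses in order. Returns (outcome, attempts_used, total_wait_seconds).

    Stops at the first 'unlocked' or 'wiped'; if every guess is merely 'wrong',
    reports 'wrong' with all guesses consumed.
    """
    total_wait = 0
    outcome = "wrong"
    for n, guess in enumerate(guesses, 1):
        total_wait += device.wait_seconds()
        outcome = device.try_unlock(guess)
        if outcome != "wrong":
            return outcome, n, total_wait
    return outcome, len(guesses), total_wait


if __name__ == "__main__":
    # Constructed scenario: a thief works through sixteen readings of a decoy PIN.
    decoy_readings = [f"{i:06d}" for i in range(16)]
    device = HardwareWalletPin("834129")
    print(simulate_guesses(device, decoy_readings))   # wiped after 16 tries, ~9 hours of waiting
    print(device.try_unlock("834129"))                # 'wiped': even the real PIN no longer works
```

The cumulative wait grows as \( 2^{n-1} - 1 \) seconds over n attempts, so the sixteenth attempt alone sits behind a wait of more than four hours; combined with the wipe, a decoy that invites many readings costs the thief time first and the device second.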

Completely Wipe your Hardware Wallet

Eliminates the need for a PIN

If you don't plan on moving any crypto out of your wallet for a long time, you can completely reset the hardware wallet and wipe your Seed Phrase and Passphrase from it.

Your crypto will still exist, preserved by the blockchain. You can even move more crypto into your existing addresses without needing to restore your wallet on the device. So long as you know your destination addresses, you can continue stacking coins in your wallets.

You just need to make sure you have your Seed Phrase and Passphrase safely and securely recorded. There is no need to remember your PIN, because when you set up a new hardware wallet, it will ask you for a new one.

Coming Up

There are dozens, if not hundreds, of other measures you can follow to help improve the security of your hardware wallet and its contents.

We're even going to show you a cheap, easy, and super secure way of storing your Seed Phrase! No need to buy an expensive metal wallet, so stay tuned!
