Bitcoin Forum

https://ledger-donjon.github.io/Unfixable-Key-Extraction-Attack-on-Trezor (https://ledger-donjon.github.io/Unfixable-Key-Extraction-Attack-on-Trezor)

Yet another hardware wallet issue folks, this time though, it's unpatchable. If you're using a hardware wallet, encrypt it. If you don't have a hardware wallet, use an offline generated private key/seed (aka "paper wallet"). Be your own bank. Stop trusting hardware wallet manufactures to protect your money.

Trezor team responded to these findings (https://blog.trezor.io/our-response-to-ledgers-mitbitcoinexpo-findings-194f1b0a97d4) in March. They have been aware of the attack since designing Trezor. Using a passphrase has always been recommended and it can protect anyone from any kind of physical attack*. Some of you might argue that recommending using a passphrase is not an appropriate solution. Convenience comes at a cost.


*except for $5 wrench attack

This is true, but their response in March was thus:

If what Ledger have published is true, then this is no longer the case. You no longer need lab equipment worth hundreds of thousands of dollars and trained technicians. Apparently all you need now is $100 and some basic electronics knowledge.

Everyone should be using a passphrase, but I'd wager few do. I'd wager barely anyone is using a passphrase of 37 random characters, and I'm sure many would view entering 37 random characters (presumably from paper since you shouldn't be relying on memory) every time you want to open your wallet is not an acceptable trade-off between security and ease of use.

I might be misunderstanding you here, but how is this safer? If your concern is regarding a physical attack on your hardware wallet, then surely with a physical attack on a paper wallet it is completely trivial to steal your coins?

It's a hell of a lot easier to hide something that an attacker is unaware of, than a laptop, a phone or a hardware wallet. A physical attack can only happen if you A. Know what you're looking for or B. Happen to stumble across something over smarter of hours or days tearing someone's house apart. It's also free rather than $100 and you don't need to worry about all of the other countless vulnerabilities that constantly pop up with hardware wallets.

I agree that a 37 character password suggestion is not going to be taken up by the vast majority of users, meaning hardware wallets just aren't as secure as truly offline generated private keys (not that they ever were). 

So you expect that a thief knows what a cryptocurrency hardwallet is, but doesn't know what a paper wallet is? Or that it's easier to "hide" a paper wallet than a "usb stick"? ???


"Countless"? Stop being so dramatic. Sure, there have been some issues identified by several different parties of several hardware wallet devices. To my knowledge, all of the identified issues have either been patched and/or are able to be mitigated. And it's not like there have never been any issues with "paper wallets". I'm sure we're all aware of issues like this: https://blockonomi.com/security-vulnerabilities-walletgenerator/


You don't need a 37 character password to make it "secure" per se... the 37 character BIP39 passphrase is suggested to make it as secure as having an "unknown" 12/24 word seed. Which, as we know, is generally measured in terms of "millions of millions of years" for brute-forcing (https://forum.cardano.org/t/bip39-brute-force-complexity-or-how-hard-it-is-to-break-someones-secret-words/12650). I can't find any firm numbers on the the time/effort required to bruteforce say an 8 or 16 character BIP39 passphrase. The PDF referenced by Ledger claims a 50% reduction in CPU intensive calculations, so does anyone have any references to calcs on how long a 16 char BIP39 passphrase would take to bruteforce? ???

In any case, saying that a private key written/printed on paper is more secure that a hardware wallet, assuming someone has physical access to both is somewhat disingenuous.


I guess the key takeaway is that NOTHING is 100% secure. As long as you know the risks inherent in the system you are using and take steps to mitigate such risks, then hardware wallets are no better or worse overall than paper wallets.

There can be nothing as secure as cold storage/offline wallets and this was something I was worried about since if the device gets stolen, it's still possible that the money can be hacked. Is it the case with only trezor or ledger nano as well?

Saying that "Hardware wallets still aren't secure, and they never will be." because a physical stolen device can be hacked is a bit sensationalist, isnt it?

What are the chances that a hacker come into my house, search and find my ledger and steal it? This is highly unlikely to happen, especially if you are a discrete person about your btc holdings.

Hardware wallets are still safe enough, especially for newbies.


LOL

Paper wallet are much more complex to be really safe. Not everyone is able to properly airgap a computer , and the risks involved in case of a mistake are very high.

It's much easier to hide something if the thief doesn't know what to look for. I'm not going to get into it, but taking off a piece of something and etched the inside, then adding it back on is a hell of a lot less obvious than a usb in a safe or in your sock drawer. Hiding a hardware wallet or usb just makes it all that more obvious when the thief finds it. If they stumble across your private key but have no idea they've even found it, that's when you've done things properly.


You seem to be taking this very personally. I'm starting to wonder why that is. I'm simply educating users of this forum on a free way to be their own bank. That's why we're all here actually. Is something wrong with that? I don't need a device that i didn't create in my house to hold my cryptocurrency and neither do you. You can create something of your own for free (or I suppose one could argue that it costs time and some paper/ink/materials).

Anyway, paper wallets cannot have issues if you use your own entropy and proper security. They're only as good as the person setting them up, which you can say about literally anything. If I owned a hardware wallet and a paper wallet, I would put all of my funds in the paper wallet unless I needed to spend them. I'm not looking into your link because it's just going to be the same bullshit FUD that's on the bitcoin wiki. Some crap about idiots setting up change addresses wrong, other crap about paper burning or water damage blah blah blah.. again, if you aren't going to bother to learn how to properly secure your funds then you will eventually lose them. I'm fully aware of the attacks that could take place on paper wallets. I'm not too worried about my dice being rigged, someone busting in and performing a cold boot attack or certain radio waves that my laptop may or may not give off. It's never going to be a zero chance that your funds are hacked, but paper wallets are substantially more secure than hardware wallets. The way I generate them anyway. If you go and generate a paper wallet online with bitaddress then you're better off just using a hot wallet or hardware wallet.


Everybody knows that the people setting these passwords will use the tried and true dog name and year of birth or their favourite grandchild or whatever other crap people use now. If you're protecting your hardware wallet with a password that wasn't randomly generated (good luck typing that 37 character randomly generated string of nonsense btw) then you're completely screwing yourself out of the somewhat half decent security that these overpriced USBs offered in the first place.

I'll give you a god password to memorize. Don't worry, it's safe because I don't know where you live. Go ahead. It's super easy to memorize. Just read it over 10x and I'm sure you'll have it. Either that or you could... Write it down. Oh or better yet, you could add it to your password manager. But then you're relying on your master password, which again wouldn't make sense to use a randomly generated password and you're back at square one. You have an unsecure hardware wallet with the password writen down. Or you memorized Molly1989AuntieSueLovesToBake (congrats) and it'll be so easy to crack your password. Not brute force. Who needs brute force when there are so many better/easier ways to crack it.


Good luck and be your own bank.


Well lucky for those thieves they know what to look for when they break in now don't they? Binance was also safe for newbies. So was blockchain.info/com. Being idiot proof is the opposite of safe. If I wanted your version of safe I'd use my debit card through PayPal because that way if I'm watching an infomercial and buy some $99 knives that can cut through a tin roof at least I can get my money back.


Complex = not safe. Got it.

I bet I can teach even you how to properly air-gap a computer. It'll take 10 mins out of your day and you'll have a very useful tool for lots of other things in life.

The risks of making a mistake are the same (don't lose your private keys). What is higher risk with paper wallets? I'm not hashing out my pubkey by hand here. It's the exact same process anyone would use to generate a private key but it's air gapped. Okay, that and I use my own entropy source, but again, super easy to learn.


100% agree.

That's not accurate though. Some paper wallets will be more secure than some hardware wallets, sure, but the reverse is also true. Given how I use and store my hardware wallet, the only vector of attack which I am susceptible to is a physical one, which sounds like it is the same case for you and your paper wallets. I'd wager that if an attacker gets his hands on either one of our wallets, it is significantly easier to clear out a paper wallet than it is to build the board to extract the seed from a hardware wallet. In addition to that, since I use multiple long passphrases, this attack wouldn't even work against me.

Your main argument seems to be that it is easier to hide a paper wallet than it is to hide a hardware wallet. A hardware wallet is small enough that I can hide it inside a light fitting, in an electrical socket, under the floorboards, bore a hole in a door/shelf/table/furniture/etc and hide it inside, and so forth. There is a close to zero chance a random attacker would find my hardware wallet without also burning down my house.

How is this different to having an unsecured paper wallet which is written down?

I'm not trying to be deliberately antagonistic here. This finding regarding the Trezor is important, and it should be discussed, but saying that all hardware wallets are useless is wrong.

FTFY


My main argument is that trusting a hardware wallet with my funds, and paying them $100 for me to trust them is very similar to trusting a bank and paying them for a safety deposit box. I much prefer trusting no one and not having a bill to go along with it.


Personally, I've seen many issues come up with hardware wallets over the years and I still can't wrap my head around why people use them. I guess it's the same reason people keep funds on an exchange or hot wallet. Ease of use trumps security for the vast majority of users (until they get hacked of course). I'd rather have people learn to store their funds in the most secure manner.

I was a newbie before. I know exactly what newbies go through. I wish someone told me how I really shouldn't be using X or Y service because they aren't secure. Hardware wallets are probably 99% secure, although no normal person could actually confirm that. Paper wallets can be extremely secure if you do it right. I suppose I can make a guide so it doesn't look like I'm just bashing hardware wallets. Actually, I think I made one before. I'll have to find and bump that thread.

Being blissfully ignorant actually works in the fiat system. You can always get your money back if it's stolen, assuming it wasn't cash. It doesn't in crypto, so take every single precaution possible. Don't. Trust. Anyone. That includes hardware wallet manufactures.

Sure, but the fact we are even discussing this means your technical knowledge is more advanced than probably 99% of crypto users. Most users would not be able to generate a paper wallet in a secure manner.

There is always trust involved somewhere. Unless you built it yourself, you are trusting the manufacturers of your computer hardware, and the shippers who delivered it to you. Unless you designed it yourself, you are trusting the people who wrote your OS and software. It's probably also worth mentioning that Trezor device is fully open source, and hardware wallets in general are subjected to far more independent auditing and attempted hacking than the vast majority of other hardware or software.

True, but the majority of issues are from people using them incorrectly. There have also been plenty of issues with paper (or otherwise self-generated) wallets, again, usually from people using them incorrectly. Any method is only as good as the person using it.

I agree with you, but the vast majority of users do not have the ability to do it right. I'm also not claiming hardware wallets are infallible, but they can be just as good as paper wallets if also used correctly.

There's a great answer to this question from Andreas Antonopoulos which I think pretty much summarizes my argument: https://www.youtube.com/watch?v=4fsL5XWsTJ4&t=402

I consider myself pretty average with tech and I managed to figure it out over time. It's all about the effort you're willing to out into it I guess.


That's not necessarily true. The only thing I really need to trust is the RAM on my laptop or desktop when I boot up a live USB. If I have no Wifi card in the computer and no ethernet cable plugged in then I've removed the internet attack vector entirely. A cold boot attack is probably my biggest concern, unless I'm told otherwise.


I don't agree with that logic at all. Let's test this out in a real world scenerio:

The safest car in the world and the least safe car in he world are driven off a 200ft cliff. User error was to blame. Everyone inside both cars dies instantly. Should both cars be considered just as safe now?


I watched it. He basically said you have to have some level of trust, meaning I won't bother with one. I just have to trust my RAM manufacturer not to add something onto it that could send off something remotely.

One car is safer than the other when both are used properly.

I'm tired of people saying paper wallets aren't secure or hardware wallets are just as secure. The only issue with them is user error. That's clearly not a paper wallet issue. It's user error.

This is insane. Paper wallets have additional security vulnerabilities that HW wallets do not have.

When using a paper wallet:

• You must use a(n) (offline) computer to generate the private key to a paper wallet, and the portions of the private key may remain on the computer long after the fact. This is not a risk with HW wallets
• You must use a printer to print the private key for a paper wallet, and portions of this image may remain on the printer long after the fact. This is not a risk with HW wallets
• You must transfer the private key of your paper wallet onto a(n) (offline) computer to spend any of your coin, risking the private key remains on your computer long after the fact, and risking that someone will take a picture of your private key/paper wallet. Neither of these are a risk with a HW wallet
• An attacker may be able to compromise your paper wallet by being in possession of it temporarily for only a few seconds via taking a picture of your paper wallet. For a HW wallet to be compromised, the attacker must be in continuous possession of your HW wallet for a longer time, and must be in proximity of special electronic equipment. An attacker could stumble across a paper wallet, and compromise it without your knowledge, while a HW wallet being compromised without your knowledge would require a more targeted attack.

---

With a HW wallet, you can use multiple passphrases, including a passphrase that is easy to crack with nominal amounts of coin. You can monitor the coin in the easy to crack passphrase, and if coins are moved from addresses associated with that passphrase, you will know you need to quickly move the coin in addresses associated with a more complex passphrase. An attacker will also not know how much coin you have secured by your HW wallet, so if they find a single passphrase that can be used to generate private keys to spend coin, it may not be a good use of resources to look for additional passphrases that can be used to spend additional coin.

I agree. Idk why people still trust these manufacturers when they're clearly incompetent.

Please tell me what part of the computer these "portions of private keys" remain on. Is it the CPU? The mobo? Oh it's the BIOS isn't it.

I'm not turning my wifi off on windows 10 and hoping for the best. I'm using an air-gapped system.


Really? I haven't used a printer for paper wallets in about a year now. You do know that "paper wallet" is just a loose term people use, right? Imagine anything more durable than paper. Use that instead of paper.


Again, sounds like you don't understand what an air-gapped system is. Also, who the hell is generating private keys in a public park where a stranger can take a picture of their screen? Wtf? Go in the corner of your house if you're really paranoid (which of course I am).


How did said attacker guess my BIP38 passphrase so quickly? They must have seen when I typed it out at the public park I generated my keys at I guess. ::)


Better yet, set a great passphrase on everything and don't worry about it. Add a watch-only address to whatever wallet you choose and get on with your life knowing you're actually secure. No need to look out for the next vulnerability from your hardware wallet manufacturer.

---

Guys, I know it sucks that you wasted $100 on a glorified USB but there's no reason to start making up BS and FUD about paper wallets. I'm just trying to teach you how to secure your funds better - without relying on a third party.

Again, user error is not a vulnerability. If you shut your wifi off and think you have an air-gapped system you're going to have a bad time.[/list]

Well, if you'd bothered to read it, then you would know that it didn't have anything to do with change addresses, paper burning or water damage or other "blah blah blah".

It was a very real "bug" that was discovered in a relatively popular Paper Wallet Generator that seemed to result in the same keys being generated for "different" users etc. I believe that there have also been issues in the past with vulnerabilities in libraries used by paper (and desktop) wallet software that has caused "weak" keys etc. There was even an issue with a particular browser that resulted in BIP38 Paper Wallets that couldn't be decrypted by other browsers (https://github.com/pointbiz/bitaddress.org/issues/56).


Like I said earlier, every system has it's particular pros and cons... as long as you are aware of these, you can take the necessary steps to mitigate them. Simply claiming that "A > B" is a bit close minded and ignorant of the fact that "everybody is not you".

There are people in this world for whom blockchain.com is the "perfect" wallet... and there are others who wouldn't even type blockchain.com into a browser. So, if paper wallets fit your use case, well that's awesome.

Chris, stop being so aggressive and childish. You could learn a lot from this conversation. Generating a paper wallet is much more complex to be safer, it will require a lot more work.
As an "average tech guy" (as you said) there are a lot of small risks and vulnerabilities that you are ignoring or you don't understand at all. Printers, spending..., Some people even consider using one computer/printer only for that, which is more expensive than a HW.


It is also less practical to spend funds. You would eventually have to air gap the computer again to generate more keys or make a transaction  and even a one small mistake could compromise its security. Using a hardware wallet is much easier and you never expose your keys, even to spend.

What is being described here it not an airgapped device. An airgapped device doesn't not have access to the internet, and will never have access to the internet again. Unplugging the ethernet cable doesn't allow you to airgap the device "again", it simply disconnects the device. If you are ever going to plug that ethernet cable back in, then it's not an airgapped device.

Disconnecting a computer in this way, even if booting from a live USB/CD, does not guarantee safety by any means.

Exactly.

The computer could get infected while online.

So much misinformation. A guy simple turn off the wifi an think this is better than a hw... This is why so many people lost BTC and get hacked. It is not easy to be responsible for your own money . You need to read and get informed

A permanently offline computer is certainly more expensive than 90usd hw and probably less safe (unless you have far more knowledge than an "average tech guy" and lots of time and are willing to work)

My opinion is that you sound very arrogant, and are unwilling to admit that you are wrong, or that you can even learn something. This is a very dangerious way to handle the security of your coin. 
Your private keys will be in your RAM, and may be on your HDD, depending on your specific method of generating your private keys.

Even if you are using an air-gapped computer, someone with physical access to the computer may be able to obtain any remnants of your private key that remain. This is the same threat model as what is being described with HW wallets, however a HW wallet is easier to secure/hide than a computer. 


I am comparing the threat model of a paper wallet to that of a HW wallet.

If you take a paper wallet out of your safe to spend some of your coin, someone could take a picture of your paper wallet to compromise the seed, minus your passphrase. If you are using a HW wallet, an attacker taking a picture of your HW wallet would provide nothing to the attacker. The attacker would need physical access to the HW wallet for an extended period of time to compromise the seed in a similar way. 

Again, I am comparing the threat model of a HW wallet to that of a paper wallet. See my above response.


I am going to disagree with this statement. If a process is so complex that the average user is going to make a mistake, this is a vulnerability. [/list]

Sensation at its best - the subject line says it all.

But besides the sensation, I'm probably missing something, but does it not make sense to just transfer your Bitcoin to a new wallet if you find that your HW wallet has been stolen?
Would you not do the same if your air-gapped home made system is stolen?
One of the best things about HW wallets is that you are bound to notice when its stolen and it will give you time to respond appropriately - not so with your software wallet.

Not necessarily... there are use cases that I've seen where users claim they either have more than one HW and then store them in various remote locations (safety deposit, "trusted" family/friend, hidden location etc).

If you have something stored in a remote location, it may be some time before you're aware of a theft.

Covered already. Don't trust crappy sources of entropy. Again, not a paper wallet vulnerability.


I know. The idea was that somehow wifi would unwittingly be connected on an air-gapped computer. If I don't have a wifi card and I don't have an ethernet cable the chance of any of my info leaking onto the web is zero unless someone is extremely close by, looking over my shoulder or picking up radio waves etc.


What do you mean by that? The only real vulnerabilities that I'm aware of would be radio waves, someone filming me/shoulder surfing and a cold boot attack. A farady tent and some hot ram would solve all of these issues. Is there anything else that I'm missing?


Air... Wait for it... Gapped. There is no "while online" on my air-gapped machine. It simply does not have the capability to connect to the internet. I also use a fresh live usb for each boot. Please read through my posts instead of clinging onto what you misunderstood in one of my posts.


They're in your RAM for a few minutes tops just FYI. Less if you apply heat. See https://www.semanticscholar.org/paper/On-the-Practicability-of-Cold-Boot-Attacks-Gruhn-M%C3%BCller/b02403d3239a6d6e78911192f4f82ce987a78944 (https://www.semanticscholar.org/paper/On-the-Practicability-of-Cold-Boot-Attacks-Gruhn-M%C3%BCller/b02403d3239a6d6e78911192f4f82ce987a78944)

If you cool your ram down (cold boot attack) you can hang onto this info longer. It's difficult to pull off in the best situation, and you have a very short window of opportunity. Take a hairdryer to your ram after you do a shutdown and you're good to go.

My air-gapped machine doesn't have a HDD. There's no reason to have internal storage.


This should never ever ever be done. Sweep everything. Newbs do this and their change is sent to a change address that they don't have private keys to. Yet another way user error is going to screw you over if you don't know what you're doing.  



FYFY.

Sorry, you're right. Not user error. "User mistake". You're totally right.

If I take 4 random chemicals in a janitor's closet, mix them together and make mustard gas is that:

A. User "mistake"
Or
B. A vulnerability and these chemicals should never be used by anyone ever again?

Wait, an even better scenerio:

A doctor goes into a complicated heart surgery. They screw up, cut through an artery and the patient dies.

Do they:

A. Go to court because of user error/gross negligence

Or

B. That surgery is never performed again because it's "too dangerous for normal people to do".?


I 100% disagree. All I see is a ton of misinformation and FUD (mainly user error = vulnerability).

You're telling my that I'm on wifi, the private keys are stored in my RAM, HDD etc. You don't even know what an air-gapped system is so what exactly am I supposed to be learning from you?

So far I've learned that you blindly trust a hardware wallet manufacturer instead yourself to generate your own private keys. That's not a lesson in my books. That's a step backwards from being your own bank.

---

Updated OP and moved the topic for less biased exposure.

Actually it is... because it applies to all wallets. Sure, it's easy to say "Don't trust crappy sources of entropy"... but then, how is your average user meant to know what is and what isn't a crappy source of entropy? ???


I'm not sure what you're trying to prove with that scenario? My take away from that is that only experienced users (doctors) should be using paper wallets (performing heart surgery) due to the risks involved. ???

So, I think you've missed what PrimeNumber7 seemed to be getting at... The fact that a given procedure is complex is a "risk" and needs to be mitigated. You mitigate the risks in heart surgery by having experience surgeons perform the procedure. In the case of paper wallets, advising the average joe on the street that paper wallets are "fine" for the average joe on the street is ignoring all of the "risks" inherent with using them... "crappy entropy", issues with change, issues with spending, lack of understanding of what air-gapped really means etc.

One only needs to view the Bitcoin Tech Support, "Wallet" support and B&H subforums here to see all the weird and wonderful ways that "the average joe on the street" finds to dig themselves into a hole when using Bitcoin (and cryptocurrency in general).

It's great that you feel confident enough to safely create and use paper wallets... I would be confident in saying that a vast majority of people on these forums are not. :-\


So you hand coded all the software necessary in the generation of your private keys? or did you check every single line of code of the software? or did you "blindly trust" the software developer(s) who developed the code you no doubt used to convert your "non-crappy" entropy into private keys?

Pretty much all bitcoin users, myself included, are blindly trusting something at some point... I doubt there are many that have the time nor inclincation to attempt a couple of manual SHA-256 rounds (http://www.righto.com/2014/09/mining-bitcoin-with-pencil-and-paper.html) to convert entropy to a private key... (Not sure there are that many who would be keen on attempting a manual RIPEMD-160 either. :P )

Simply because one set of users is trusting a hardware wallet manufacturer and another set are trusting a software developer doesn't make one group more or less their own bank.

Are there shortcomings in Hardware wallets? Yes
Are there shortcomings in Paper wallets? Yes
Are there shortcomings in <insert any type of wallet>? Yes

There isn't a "perfect" wallet that covers all use-cases. Find what suits your use-case and figure out how to use it "properly".

You are being ambiguous as to what you are specifically meaning when you refer to a "paper wallet", maybe intentionally for security purposes, but this makes it difficult to address the shortcommings of what you describe as a "paper wallet". Dito for the machine you will use to sign transactions and generate the private key.

In the above post, you strongly imply you will use each paper wallet for exactly one transaction that you spend.  In the same post, you also say your air gaped machine does not have any kind of HDD. In this post (https://bitcointalk.org/index.php?topic=5161786.msg51734098#msg51734098) you say you have not used a printer for creating paper wallet for a year.

This creates a number of issues, some of which do not exist for HW wallets:

Change addresses:
Every time you spend a transaction, you will need to either generate a new paper wallet, or access a previously generated paper wallet. If you are doing the former, you are consistently not having backups of your paper wallet immediately after you spend each transaction, and if it is the later, you are at risk that I describe in what you quoted. If you are not using a printer, you will have to write down the address, and manually type the address when you create a transaction, both of which are very prone to error; there are checks in place to prevent you from sending coin to an incorrect address due to a typo, but you may find yourself unable to send coin to a change address. If you have change addresses stored with your paper wallet, you are also at risk that someone will tamper with the change address listed, tricking you into sending coin to the address of an attacker.

Getting the private keys on paper:
If you are not reusing a paper wallet, you are strongly implying you are generating a single private key verses a seed. If you are hand writing the private key onto paper, you are at risk of transposing digits, which would lead to a near certain loss of funds. It would be possible that you use a seed a single time, but this would be strange IMO. 

Have you reviewed every line of code in your live USB OS? Have you reviewed every line of code in the software which is converting your entropy to a private key? Have you reviewed the individual hardware components in your computer and USB stick? The microcontrollers? Hell, even BIOS malware exists. You are trusting third parties just as much as hardware wallet users are. Fair enough, your set up sounds like you aren't going to leak your keys after they have been created, but there are still several ways which an attacker could generate pre-determined keys for you.

As HCP says, your analogy is an argument against using a paper wallet. You are saying that there are so many things that could go wrong, only people with years of education and training should be attempting these procedures. If we want bitcoin adoption to spread, it has to be as easy as using a credit card for your average, non-technical, Joe. Paper wallets are not. I'm not arguing they can not be a good option for people like yourself who understand the inherent risks and have taken steps to prevent them, but they are not a good option for the majority of users.

This Chris guy is crazy.

1 - he bashes HW because they are "expensive" and we all wasted 90 usd in security. However he spent much more to secure his "airgapped" computer. A machine with a keyboard, monitor, cpu, hd, etc etc, which are far more expensive than 90 usd. We are all idiots to spend 90usd in an "unsafe" device which is trusted by whole cryptocommunity for years, while he is a genious to spend 300-400 usd in a machine he build by himself which is supposedly safer, but nobody but him ever tested or inspected to look for vulnerabilities.

2 - He says that HW are unsafe because someone can find your device and hack your private key, and a paper wallet would be safer because there is no device to be found. But yes, there is a big machine with a monitor, keyboard, etc, which could be physically hacked when found as well. And even a crazy guy like him would have the private keys backed up in a paper (which he would have typed by hand and prayed to be corrected). Can't get how this is safer.

3 - Ignore all spending issues such as change addresses, inconveniences of using each private key once, risks involved when doing all this hard work etc...

Are you using that live USD in an online computer and inserting it again in your airgapped? I hope you are not doing that....



Yes. Maybe some crazy people who has nothing to do and like to take risks and like to play with those technical stuff it may be a good option. But for everyone else it is not.
Unless if you are a very advanced user, professional, developer or whatever... And I consider most of the users in this topic very advanced, and nobody is defending paper wallet against hw.

Also, I would recommend not putting all your funds in your paper wallet. You could make a mistake some day, as there are far too complex procedures for simple tasks such as spending, or consolidating, etc

Thank you for that perfect summary.

Regular user don't even know about entropy or entropy sources while most geeks/nerds only know entropy source which known to be secure (such as /dev/urandom & lots of mouse movement), but only know high level overview of the entropy source.


Don't forget :
1. Microcode & firmware which almost always closed-source which makes audit impossible
2. Manipulate k value of ECDSA (See https://aisel.aisnet.org/cgi/viewcontent.cgi?article=1035&context=mcis2015 (https://aisel.aisnet.org/cgi/viewcontent.cgi?article=1035&context=mcis2015) & https://github.com/tintinweb/ecdsa-private-key-recovery (https://github.com/tintinweb/ecdsa-private-key-recovery) for reference)


No, i think his problem are :
1. He have high standard or expectation of what regular user can do (set-up air-gapped device, etc.)
2. He have high standard or expectation of what regular user knowledge (choosing good/trusted entropy, one-time address, etc.)
3. Strongly prefer paper wallet to the point where he refuse to admit both HW & paper have vulnerability

Moving your paper wallet around, scanning it for payment purposes could put your funds at risk. No way should paper wallet be better than hardware wallets. You can't trust a newbie with paper wallet but you can with hardware wallet.

You can use a QR code reader (which im shocked so few people use) in order to completely bypass any printer exploits. You can use Coreboot or Libreboot in order to not use a propietary BIOS. You can have more control over RNG than in a hardware wallet. You can have FDE with a couple of passwords for plausible deniability and so on.

Air-gap setup when executed by an expert beats both HW and paper wallets which scream of "hit me with a $5 wrench to get a lot of Bitcoin, and in case there isn't much hit me harder because that wasn't the real password".

Memorizing passwords will always be a problem. I've myself lost access to HDDs with FDE, but that's life, take your vitamins and pray that you don't develop early alzheimer.

Scenario, Paper wallet
.
Thief see's wallet your coin is gone. (Difficulty Level=Easy)



Scenario, Hardware wallet
.
Thief must have a very technical understanding to dump the prram.(Difficulty Level=Hard)

I dont know about you guys but the people in my life wouldnt even know what to do with the paper wallet.(people that would be in my house,or visiting)
And I dont really know anyone in crypto personally besides business associates ive met over the years. (not people that would be in my house)
I'm pretty certain this is just my paradigm.

This is kind of how I relate to all of the things said here, and this is a very interesting debate BTW.  I'm pretty sure if I dropped dead today that at some point someone going through my belongings would figure out the significance of those words I have written down on paper, or the steel wallet I have, or what my Ledger is...but they'd have to know my password and such as well.

I may be naive, but I'm really not worried about getting robbed for my crypto (not that I have a whole lot anyway).  My best guess is that there may only be a handful of people in my entire town who own any bitcoin, and nobody around me knows I'm into it and thus they wouldn't know what they're looking for if they robbed my house.  I'm probably not paranoid enough.

Unless you have a randomly generated password which is long enough to not brute force and short enough to remember without writing it down or storing it anywhere it will still be the weak point of the hard wallet. I have discussed many times what I think is the best solution to storing your private keys. I think that the seed of a wallet is the weakest point and memorizing the private key is the only solution which is truly safe from physical theft. Hardware wallets can be and have been stolen and could eventually be cracked using the weak passwords everyone uses. Many people think that using a program such as lastpass or keepass is a safe solution but they are often using a easy password to get into these password managers which effectively makes your more secure passwords moot.

Trust me people will be more interested in a device such as a hardware wallet which looks interesting than words scribbled down on a piece of paper. imagine if you abbreviated your private key into words so 1 = one and N = Nigel. What if you were to compose a story and get that story printed into a book using a printer that you own and can wipe the memory and/or destroy. You could write a story like " One day Nigel went down the road to fetch a pale of water" Something as stupid as that could potentially prevent anyone seeing it realizing what it is but a hard ware wallet is much easier to identify. I understand that this suggestion or hypothetical situation is completely absurd but I can guarantee people are doing this around the world. lets just say I have a more sophisticated way of securing my Bitcoin but this is one of the solutions to the problem. Without even investment you could pull this off and is just as safe as a hardware wallet. The convenience is what you pay for because if you are regularly accessing your Bitcoin then doing this each time would be crazy but if you are a long term holder of Bitcoin then this is a very good solution to the problem at hand. Then there is things such as memory loss which we just can't combat unfortunately we can't cover all angles and people have different risk levels that they are willing to take. I for one won't use a hard ware wallet.

You might be safe from physical theft, but you run a huge risk of losing access to your coins through brain failure. The brain is an incredibly delicate organ, and there are literally thousands of reasons for you to lose your memory. You could have an aneurysm which bursts with zero warning. You could get concussed from a relatively minor blow to the head. Even a bad infection elsewhere in your body, such as the flu or even food poisoning, can lead to delirium and long term memory problems. In a professional capacity I see patients - young and otherwise fit and healthy patients - who suffer from these kind of things every day. Relying on a brain as a single point of failure is a bad idea.

I'm not sure I follow what you mean here. A hardware wallet like Ledger or Trezor uses an 8 digit PIN to gain entry, and the device wipes itself after 3 failed attempts. That's 3 chances from 100 million possible combinations.

You are still relying on your memory to tell you what your story means and which words at the important ones to extract.

If you are concerned about hardware wallets, then I would encourage you to use an airgapped machine to store your coins rather than your brain.

I find this thread really interesting and I learnt a lot.

If I may add a consideration: both solution, paper wallet and hardware wallet have pro and cons, you outlined in great details on the thread.
My humble addition is that too often the weak link in the bitcoin storing process often is the user herself.

Something like that:

https://imgs.xkcd.com/comics/security.png
https://www.xkcd.com/538/

When storing bitcoin you should care about your own OPsec first:
Don’t disclose you own bitcoin
Don’t disclose how many bitcoins you have
Be low profile
Play it safe.

Just remember information you give out today might be considered diff entry when/if bitcoin appreciates 100x.
I think this simple consideration, you might think is a prerequisite, when discussing which storage is better, might not be so obvious to the average users.
I was very surprised to see a few of very experienced people here on bitcointalk post very precise details of their BTC balance (not going to give you directions): I think it is way more dangerous than holding your private key in plain text on the HD.

If you can't rely on your brain then you aren't going to remember your passphrase to get into the hardware wallet. Your brain in all of this is the only vital thing that if it goes wrong then you lost everything. There is no safe way of guarding against memory loss. However if you are talking about just forgetting the important words in the story then this could potentially be brute forced by yourself if you haven't lost your memory completely you are very likely to be able to fill in the gaps. Especially if you are very familiar with the story. Another solution would be misspelling the story on those words and maybe purposely putting a "1" instead of a "one" for digits which are in the private key. There are numerous ways to guard against it and making it look like a child has written the story and innocently misspelled the words and mixed up words by sometimes putting "one" and then other times putting "1". This is just an example and there is many other ways to make it stand out to someone who knows what this story is. If we are talking about total memory loss then this is also true to the hardware wallet.

Airgapped computers can be compromised and there are methods to getting into the coins. There was a interesting article a number of years ago where someone used radio waves on a raspberry pi to get into the wallet. However for that to happen the device has to be physically compromised but again if someone looks onto your computer and sees you have a wallet they will be very interested in that device. I understand that I'm talking about very technical stuff and the majority of people don't possess these skills but I like being paranoid when it comes to security.

Hardware wallets wipe themself after 3 attempts? That isn't a security feature at all. What if an attacker fails 3 times is your Bitcoin then wiped?

It varies a lot between hardware wallets. Ledger wipes itself after 3 attempts while Trezor enforces a delay before you can enter the PIN again. The delay constantly increases until 16th attempt. The device is wiped after 16 unsuccessful unlock attempts. As for the KeepKey, it doesn't wipe itself. It also introduces a growing delay after the third failed attempt. If a hardware wallet is wiped then a recovery seed is needed to restore the wallet.

This is exactly how it should be! Nobody should know. Family and a few close friends you trust with anything are the only ones who should know. The people who would inherit your assets in case something happens to you and that's it.

A handful of friends know I have Bitcoin. Not a single one of them owns any on their own nor do they know how it works. My family knows I am kind of doing something online involving crypto but they don't care. I try to keep my online life and real life separate as much as possible. My real life acquaintances don't know Pmalek and yours shouldn't know The Pharmacist.

I have also never felt the need to discuss my assets in public, be it in bars, parks or anywhere else where a lot of people gather, nor do I do it over the phone or social media. 

Good practice is to have your passphrase physically backed up on paper (as you would do with your mnemonic phrase), but obviously on a different piece of paper and stored separately from your mnemonic seed and from your hardware wallet.

It's true of all wallets, from forgetting your log in to a web wallet to forgetting where you have hidden your paper wallet. The only ways to completely safeguard against it are the same ways you would use to ensure your crypto passes on to others if you were to suddenly die. Leaving instructions on how to access your crypto, potentially linked to a dead-man's switch, or telling someone else you trust how to access the crypto in the event of your memory loss or death.

There have been examples of malware using the flashing LEDs on the side of your computer casing to transmit morse code or binary, or some altering fan speed to produce different pitches of noise to encode data. There was even one I read about of malware using a connected scanner to display flashes of light which were picked up by attackers, and attackers directing flashes of a laser at the scanner to send instructions to the malware (https://www.bleepingcomputer.com/news/security/flatbed-scanners-used-as-relay-point-for-controlling-malware-in-air-gapped-systems/). Utterly ridiculous. It is impossible to protect against every vector of attack, but when you get as far as thinking about this, the commonly posted XKCD comic about the $5 wrench attack comes in to play.

It is a security feature to prevent brute forcing. Your bitcoin is safe as long as you still have access to your backed up mnemonic phrase.

I'm talking about hypothetical here and I know that this is all far fetched and very very unlikely to happen. However I don't like mnemonic seeds just because its easy to identify what these words are for on a piece of paper. A quick search and there is a lot of information on restoring funds with these mnemonic phrases. I will say that they are convenient and another way to restore your data however I still think having this done as plain text on a piece of paper is a flaw in the security plan. If you were a burglar that got into your safe and found this piece of paper with whatever many words a hardware wallet uses for its mnemonic phrase you would be very interested in what they meant. They would probably jump to this being related to banking but if they were to gain access to your computer or wherever you store your wallet files then they could put two and two together. This is assuming that they don't already know about Bitcoin. If they know about Bitcoin then they will probably be able to identify a mnemonic seed. Hiding this in plain sight might be even better option because at least then it looks like true gibberish but again not something I would be willing to risk. If you were to incorporate a mnemonic seed into a childrens book then the burglar would probably think its sentimental value and thats why its in the safe rather than something that opens up a Bitcoin wallet.

I have a sophisticated way of going about this. I haven't told anyone and if I were to suddenly die the Bitcoin community can consider it as a donation to the network that those coins have now been lost forever. In all seriousness this is something which is down to the persons discretion and could potentially become the biggest threat if they make a mistake in trusting others with this very sensitive information. I'm very paranoid by nature and haven't actually revealed to anyone close to me that I use Bitcoin.


We are coming to a bit of a stalemate here I will agree where I'm arguing that I can't safeguard about the brain failing and loss of memory considering dementia is incurable currently and we can only prevent to onset of the disease but even then any accident could lead to memory loss if the brain is damaged. I don't like introducing another thing which could go wrong and that is a airgapped computer. I think its ok to assume that the average Bitcoin user is slightly more technical than the average user of a computer and the elite of Bitcoin are some gifted people. IF and I will admit its a big if. IF the burglar had the technical capabilities of using the methods you have mentioned then that would be your coins gone. I guess what I'm trying to say is there are already known risks to air gapped computers but with my basic idea of creating a story that doesn't have any major risks other than the person catching on that this is an encrypted piece of text which could be made difficult depending on how much effort you put into it. I have given a very basis version of encrypting the private key in the story but you could make it a lot more sophisticated and I would encourage anyone using that method to do so.  

It is literally impossible to crack Truecrypt's (or currently, Veracrypt's) encryption, which you could use you for your airgap setup. If you were to be faced by a $5 wrench situation, you can even have a hidden OS and deliver an alternative password. You can use cascaded configurations for the encryption algo such as SHA256(Twofish(Serpent)) which means attacker would need to crack not only a SHA256 but the two other as well. In other words a waste of time. You could also use dm-crypt or LUKS if you know what you are doing.

The only realistic attack is an evil maid type, which you can mitigate by due diligence and generally not being an idiot.

The good old airgapped laptop remains the #1 proponent, coupled with the QR reader to broadcast your tx's. The only thing you need is to not be an idiot like me (I forgot the password to all of my encrypted HDDs) then you should be good. Certainly better than having an obvious device to be filled with coins.

There are also many places you can hide a mnemonic phrase that are just as us likely to be found as someone "cracking" a story or similar. You could take a door off its hinges and write it along the bottom before replacing it. You could hide a piece of paper inside an electrical socket or a light fighting. You could flip over your sofa, cut a small hall in the fabric on the underside, and hide the paper in there. There are endless places a burglar would never look.

You could pair a hardware wallet with an airgapped computer, and then airgapped computer doesn't know your seed/keys, and so couldn't leak them.

Sure, I appreciate that, but I would argue that the chance of someone figuring out what your story means is higher than the chance of a focused, targeted, and highly technical malware attack on an airgapped machine.

A QR reader would not keep you safe from printer attacks because you still need to print the QR code/image. I don’t think it is reasonable to expect to be able to not print a QR code, while you could hand write a private key/seed.

The advantage of using a QR code is it reduces the time your key is exposed to any potential cameras. Scanning a QR code will only take a few seconds, while the next best thing, a written seed will take probably close to a minute to enter and a private key will arguably take several minutes to type from a paper.

Whenever you are copying information on a paper wallet onto a computer to spend, you must expose it in a way that potentially someone will capture the information via a camera you are unaware of. The longer it takes to copy the information on your paper wallet, the longer it will be exposed.

Not at all. You can generate a QR code on your internet connected watch only wallet, display it on screen, scan it in to your airgapped device, sign the transaction, generate the QR code, display it on the screen of your airgapped device, and scan it in to your live device. No printers required.

True, but you should never be copying information from a paper wallet in a public place. It should be done behind closed doors in your own house, where you should be able to be certain there are no cameras you are unaware of. The only risk then is a from a camera you are aware of, but you are unaware it has been compromised, probably a laptop webcam or your phone camera. The length of time you expose the information to the camera is irrelevant.

Fair enough. Although I believe the possible attacks on what you describe would include the same attacks possible on a HW wallet such as trezor or ledger, and include additional attacks above that.
Yes, ideally you will have a house that allows you to be certain there are no cameras watching, but this is not always possible. You might live in an apartment that doesn't have any rooms without windows, or you might have roommates that live with you. If you have your blinds closed, the wind or a fan may cause your blinds to sway enough for someone with a camera to see your paper wallet. Or someone may not fully understand how to best secure their coins, and use a paper wallet in a library or coffee shop.

I did not see it in the thread but, "X" of "N" paper keys are very useful
And then you can use misdirection.
You can make a 4 of 6 wallet
Label each piece 1 of 2 or 2 of 2
Someone gets 2 of them they then generate a private key for an address that has....nothing in it. Only you know that you really need 4 out of 6 pieces of paper that all say 1 of 2 or 2 of 2.

Or get a cold card  https://coldcardwallet.com/ (https://coldcardwallet.com/)

-Dave

And if somebody knows IRL that you have big amounts of Bitcoin and could come after you, the combination of multi-sig & obfuscation will not help, since there's a good chance he's do the 5$ wrench attack (https://bitcointalk.org/index.php?topic=5161786.msg51997697#msg51997697).


Edit: I think that the easiest combo is BIP39 seed hidden in plain sight and keeping your mouth shut.

There is nothing you can do about the wrench attack. ( Unless you are Chuck Norris http://www.icndb.com/the-jokes-2/ (http://www.icndb.com/the-jokes-2/) )
However, the more difficult you make it for other forms of theft the better.

Remember, we are talking about edge cases here. You can beat somone with a wrench all you want, if their keys are in a vault in a bank, walking in covered in blood asking to get into the vault might raise a few alarms.

-Dave

Let's come back to ultimate steps to secure our wallets. Which ones do we have to secure? Private keys, that's all we need to secure. So, it is definitely true that if someone can keep their private keys in secret, and safely, and away from potential damaging threats, like water, fire, etc. There is no need to use hardware wallets to secure your funds. Backing up private keys on paper (writing them down, or printing them with high quality ink); for bunches of paper (to get more safety from potential damages); then put them in your vault. I do think that it is safe enough, and don't need hardware wallets.

What you can do is avoid the "wrench attack" by avoiding being the target of a wrench attack. You can do this by obscuring how much coin you have via things like coin control,  not reusing addresses, and minimizing the number of transactions that can be publicly attributed to you.

And not actively participating on online, public forums related to cryptocurrency... oh... wait. :P

Seriously tho, a lot of these arguments always descend into what I like to call the "What if? Game"™... where the participants start inventing more and more unlikely scenarios to attempt to justify their position and/or denigrate the oppositions position.

The truth is that there really is no "one size fits all" approach to cryptocurrency, how it should be "stored" or how it should be "used"... for some people, web wallets are perfect... for others they need cryptosteel, locked in a fire proof safe, in a drybag, buried in the woods... and then everything else inbetween.

As long as your solution fits your requirements and satisfies your personal level of risk... then you are "Being your own bank" ;)

My strategy with Paper wallets has been very effective over the last couple of years. I bought a small second hand computer and printer and I printed 1000's of paper wallets and then I destroyed it. I picked a few "good" looking ones with familiar numbers and the rest are stored all over the place. Some are loaded with very small amounts of Satoshi to serve as a "honey trap" - I check these once in a while to see if they were accessed, as a early warning system to see if someone is looking for Bitcoin at my house.  ::) <The computer and printer was chopped into small pieces>

The Paper wallets with more coins are laminated and also duplicated and stored at different geographical locations. Some of the private keys are stored in plain sight, but nobody would know, because I used a method that would only be recognized by myself. <I also shared this method with a family member, if something happens with me>

I must admit that I use hardware wallets too, because it is more convenient when you want to use coins more frequently. The seed is never stored on site and I protect it with a passphrase.

So the strategy is to use more than one method, because each method have Pro's and Con's and also to split the coins.  ;)

 

Speaking about Vulnerabilities found in hardware wallets:

Trezor found this one:
Details of the OLED Vulnerability and its Mitigation (https://blog.trezor.io/details-of-the-oled-vulnerability-and-its-mitigation-d331c4e2001a)



What we learnt from this story?

• Hardware wallets aren't magical items granting eternal security
• (Gullible)Users are the weakest links in the security mechanism
• You can patch (some) hardware defect or weak spots with software
• White hats are here to help

Everyone should definitely have a listen through Michael Flaxman's podcast at https://stephanlivera.com/episode/97/ (https://stephanlivera.com/episode/97/)

Thanks for sharing the podcast & i agree everyone should listen to the podcast/read the transcript, but which parts do you want to emphasize?

1. The fact hardware wallet is recommended for non-expert?


2. The importance of good RNG for both HW wallet & software to make paper wallet?



3. The risks of supply chain of HW wallet?


4. Difficulty of full transaction verification on HW wallet?


On a side note, the idea of using testnet to test HW wallet and check whether your system is compromised is clever idea.

We do need them for mass adoption however. Paper wallets can't take us the whole way.

It looks like the $5 wrench attack came up a few times as well. Easiest way to avoid that would be multisig. Spread those keys across the land. If someone holds you up until you give up your private keys, you can't.


100% disagree. Unless they're 100% open source you're trusting them, which means you are potentially leaking keys, meaning you're not the only one holding your private keys, meaning you might as well have stuck with legacy banking since you obviously can't be your own bank.

Not everyone participating in these forums has substantial amounts of coin, or any coin at all. You can also keep your forum identity separate from your IRL identity to mitigate your risk that you will be targeted by a wrench attack.

I think this is an edge case. For this attack to be successful, an attacker will need to compromise the computer you use with your trezor one ahead of time in a very specific way involving having physical access to your computer.

Someone who is able to execute this attack on a (non-upgraded) trezor one would also be able to learn of the private key associated with a paper wallet by compromising other computer components that would most probably be easier to compromise.

Totally agree,
my point were in fact you cannot blindly trust your Hardware wallet and a stupid user (the one using suspicious  hardware) can ruin every secure procedure or security practice.

Obviously the best way to mitigate a wrench attack is to maintain your privacy wo you don't become a target, but I've often wondered what the best way to survive it would be provided the attacker has already overcome that first step.

Unless they know for a fact your wallet set up (which is incredibly unlikely), then there is no real difference in using multi-sig and just telling them you are using multi-sig. However, if they are willing to physically attack you for money, is having everything you own locked away in multi-sig wallets really the best way to go? Perhaps you actually want to have some bitcoin available you can hand over for your own sake. Also, there's nothing really stopping them from forcing you to tell them where you've stored all your multi-sig keys instead of the keys themselves.

Good point. For an example of this if you were to get robbed on the street of your cash you would likely be willing to give up some pocket change to prevent any harm being done, but you're not exactly giving away your whole bank account. This is why I truly believe in having multiple wallets to store your funds. Everyone has their own tolerance of risk, and I don't really keep anything more than a few Bitcoin in my wallets at a time, and this will likely evolve as the Bitcoin price changes.

Agreed. I use a mobile wallet for a few hundred dollars worth of bitcoin, which I carry around daily. I know it is far from being secure, but it's an amount I can easily afford to lose and an amount I would happily give to an attacker to prevent any physical harm to myself. The amount in that wallet is in no way linked to my main cold storage via blockchain analysis. My various cold storage wallets are also in no way linked, are of various types (hardware, paper, old laptop which has been airgapped), and are all stored separately.

Not to dis trezor but they did not discover it. Christian Reitter did he disclosed it to them and other people who used oled also..

https://blog.coinkite.com/noise-troll/ (https://blog.coinkite.com/noise-troll/)

And so far it's not proven and just about impossible to exploit. And lets be serious. If someone can compromise your USB port or cable on the PC you are using for your BTC you're screwed anyway.

Hmmmm, I have access to your usb. Let's do this incredibly complicated almost impossible hack...or just emulate a keyboard and type whatever the hell I want.....

-Dave

Paper wallets aren't secure either

Yeah, great thought actually. Some people (including me) put a blind trust on few of the reputed exchanges as well to store their extremely valuable coins there without even thinking once about the risks it pertains. I've had a very brief discussion over these things and I've also learnt that distribution of wealth is one major factor we need to understand very carefully and apply too after being known to it. The hackers won't ask us whether they should take partial money out of our pockets or full, it's the same as those criminals who put gun over your head asking you to give whatever you've got, but even they won't wait for you to transfer money from your bank to theirs due to the fear of getting traced down. After this article read, I will not be able to believe even hardware wallets which many users were praising about.

For my convenience, I've just created some offline paper wallets that I'll be storing in very small steel boxes each and be kept at a safe place as well as I also keep a check every now and then, just to make sure I don't lose anything.

A question here:

If I've kept my coins in a hardware and that hardware either blasts off or gets destroyed anyhow (talking about these Ledger and Trezor thing), will I be able to ever regain them?

So long as you have your seed phrase yes you can recover what you need. Those words are the key to everything.

Which when you think about it brings us back to paper wallets. If you wrote it down then although not a long alpha-numeric private key its still something very important that is on paper.

-Dave

Here is what happened to me yesterday.

I was moving some bitcoins to my Nano S. There was a new update to the Ledger Live app and I installed it. I wanted to check the Account Manager if there were any updates to my installed apps. After clicking on the Account Manager on Ledger Live my hardware wallet wiped itself clean! It just restarted, I never experienced it before. I thought that it got broken at first.

I disconnected and reconnected it again and it showed me the welcome screen you usually see the first time you set it up. Press both buttons to start the setup etc... I had to reconfigure it with my seed and set it up again. Very weird indeed.

I am not sure if this was a bug, some hardware failure or if it has anything to do with the update I performed.

And they also need..everyone all together...repeat after me:

AN OFFLINE COMPUTER.

Be it an old PC, Mac, desktop, laptop whatever.
Make sure it's not hooked to any network in any way.
You want to print plug in a USB cable.
No Wi-Fi, no cabled network, no network.

Now, keep in mind I am talking generating wallets for significant amounts of BTC that you are putting into storage for a while.
A little bit (more or less what you would keep on your phone for quick payments) you don't have to go though all of this.

Want to put 25BTC for a year or two? Spend the time and do it right.
Want to put .01 so when you spend what you have on your phone you have quick access to more, probably don't need to be as secure.
Your own risk amounts will vary.

-Dave

I don't even know how much is in my cold storage as I haven't accessed it in a number of years. Although, I don't actually own a mobile wallet due to my precautions when dealing with anything mobile. I do have a wallet which stores a few hundred stored on my a computer which isn't regularly accessed. I'm not the type of Bitcoin fanatic which trades or sends transactions regularly though.

this is a drawback to most hardware wallets. occasionally an update will wipe the device, although the readme for the update will mention this. my trezor had one update like that, and they gave plenty of warning 1st.

that being said you should always verify the seed before any update on anything. thats a given. bad cable, power glitch, whatever.. things happen.

i always put aside a bit of time before a hardware wallet update. usually goes fine but you never know.

But if my leather wallet is empty, it's not like I'm going to get shot because they think I have $1000 stored somewhere else on my person. The mugger would run away. It's only a significant risk if they're planning the attack against you for a long time.


FTFY

Smart. Attackers can't know how much you are holding if you don't know how much you are holding. Perhaps this is the best way to protect against $5 wrench attacks. ;)

Sure, but physical attacks with the aim of stealing bitcoin aren't happening by approaching random people on the street in the spur of the moment. The attack is targeted and planned, and the attacker usually knows the victim is holding a significant amount of bitcoin. Often they are home invasions, or fake meetups under the pretense of trading. If you initially refuse to hand over any bitcoin or wallet details, the attacker is unlikely to just say "Oh well" and leave.

What if this happens: Everybody in the world now uses cryptocurrency, whether it's bitcoin or not, it's widely applied. For sure there are criminals lurking and attacking innocent people. We are definitely not there yet but who knows, it's a great thing to think about. Imagine the move "In Time". Where time was the currency, but it's cryptocurrency. Or maybe it's the blockchain they are using? Lol

Indeed paper wallet is a better option than a hardware wallet.

Paper wallet is just that, piece of paper it cannot function without other part, and that is the main problem, it's not suitable for most people. And also main question is "better for what exactly" > storing, using, or both, or neither of that?

I would say its nice thing  to create and load it with some BTC and after that gift it to someone that you want educate how crypto works.

Sure they could. An attacker could use blockchain analysis to reasonably conclude a lower bound of how much coin a person is holding. An attacker could use a set of known facts to conclude a person is holding a large amount of coin. Feigning ignorance is not going to stop you from getting robbed.
Unless you are involved in these types of attacks, you do not have any way of knowing this. These types of attacks are not well publicized.

If your coins are spread around in different wallets and these addresses are not public and can't be connected to your real name it is safe to assume that you would be safe. How would someone discover that a certain number of addresses belong to John Smith from Denver, Colorado?

You don't need to be involved in bitcoin attacks to realize that approaching random members of the public and threatening them to "hand over their bitcoin" isn't exactly going to net you high returns. Bitcoin attacks are planned in advance. I would also direct you to this page: https://github.com/jlopp/physical-bitcoin-attacks. Sure, many are not publicized, but of the ones which are, the majority take place within a building (usually a home or a predetermined meeting point), or sometimes within a vehicle. More rarely the victim is abducted.

These attacks are not akin to a mugger approaching a random person on the street, and running if they don't have anything of value on their immediate person.

@o_e_l_e_o,
I've heard somewhere about a virtual chip that can be inserted in a human body anywhere (most probably wrist) and they can generate invoices and even send/receive Bitcoins through the same. If that's true, even if the attackers know that "this guy is having Bitcoins" but are unsure where did he store them, how will they plan and attack such person? If such a device can be stored in us, why can't we have some sort of device stored in our body too that can alarm Police by sending them necessary details like our live location as well as a message like "Emergency, need help, stuck somewhere!" that we may use by just tapping that area in our body whenever such scenario takes place?

I assume the same way they would attack anyone they know is storing bitcoin but they don't know how or where: Physically.

Don't see why not, but I would assume something like that could be fairly easily countered by an attacker using a cell phone jammer or similar device.

Is there any such device that can counter the type of virtual chip I discussed above? I mean can an attacker actually come to know the exact body part and area where such a chip is stored? I have not heard of any such counter device as of yet, but if one is available, what is it?

If the chip transmits over the same frequencies as phones it can blocked using a cell phone jammer. A jammer isn't directed to a certain body part, for example towards the wrist like in your example. It blocks all signals in the entire room. We had these at school. They were used to prevent students from cheating on exams who would be in contact with someone during the exam who helped them with the questions. 

Probably the simplest method is through observation of you using it. They would also be able to detect it through scanning for what it is transmitting, be that NFC, RFID, WiFi, or whatever. Microchip detectors exist for scanning animals which have been chipped; no reason an attacker couldn't use it on a person.

They don't actually need to know where it is to disable it though. As I said before, a signal jammer would do the trick. An EMP or even just a strong magnetic field could be also be used to disable it.

Transmissions can be blocked, but its whether you want to go into the skeptical world of carrying a frequency blocker with you at all times. That would mess up quite a few frequencies, and could effect  some of the emergency services communications which could potentially be a crime depending on where you live.

It doesn't matter where you store your Bitcoin it only matters that you have Bitcoin. In most scenarios its better to just give up a small amount of money than get harmed. By refusing to tell them where your Bitcoin is it could potentially put you in a life alternating situation which to be honest I wouldn't be willing to risk for a small amount of cash. This is why the point of carrying a small amount of cash is a good idea, and not bringing your whole stash with you. If you're smart, and keep your Bitcoin separated the thief won't be able to prove that you own more than what you give to him on the spot.

Seems like a great time to bump this important thread!

Never forget, you don't know what vulnerabilities will be found in the future. Don't trust a third party with your crypto, or in this case, your data.

Hardware wallets and the centralized companies behind them are insecure. Learn how to secure your funds properly.