Why I Am Not Using Hardware Wallet For Cold Storage

[Dorky]

Not sure if I should post it here, but I just wrote a steemit article on "Why I Am Not Using Hardware Wallet For Cold Storage" @ https://steemit.com/wallet/@dorky/why-i-am-not-using-hardware-wallet-for-cold-storage to help people make better decisions.

Check it out.

[1715082510]

1715082510

[1715082510]

1715082510

[1715082510]

1715082510

[1715082510]

1715082510

[1715082510]

1715082510

[HeRetiK]

The guy lost me at recovery seeds being "paper claims" to private keys. The source code for deriving said private keys from your recovery seeds are out there. You can derive your private keys yourself without the need for any third party support. Also, at least with Trezor, you can import your recovery seeds / private keys into a software wallet such as Multibit, so you're not forced to buy a new one.

Of course you don't need a hardware wallet to store your coins securely. I personally just find it way more convenient to use my cold storage with the ease of a hot wallet.

[HCP]

Yeah... I'm not sure about some of his claims either... It would seem that the OP must trust the RAR devs more than Crypto-wallet devs... Is RAR opensource? ummm NO. OP, do you know for sure that RAR has no:

"bugs, glitches, backdoors, ... etc that either allows them to be hacked or they screws up on their own, or both."

I'll go ahead and guess no...

"maximum security (free of 3rd-party trust)/maximum trustless"

Are you sure about that? All you are doing is switching your trust from one software/hardware provider to another (with closed sources)...


But hey, you found a system that works for you...  

[paulreeves]

Currently there is absolutely no procedure to make a cold storage that is 100% safe. Best case scenario, you get pseudo-random keys. If I get some time in the future, I'll write a small library that translates dice rolls in real world into private key and calculates public address from it. Then you'll be able to run it on a CPU that does not have, will not have and never had any network access and THAT will be safe cold storage.

[ranochigo]

Are you sure about that? All you are doing is switching your trust from one software/hardware provider to another (with closed sources)...


But hey, you found a system that works for you...  

To be very fair, open sourced=/safe. The user still has to independently verify and install the firmware himself to be 100% safe. Though I find that rather redundant.
Not sure if you are misled or just don't bother researching on the topic but:

First, I desire to be in control of my private keys.

Do you have any proof that the hardware wallet providers have access to your private key?

As long as you can audit the source code and install it yourself, and can capture the packets sent, I can't see how they can do this without users noticing.

Second, different hardware wallets, or any type of wallets, be it hardware, desktop, mobile, or online, have different approach to encryption.

Most hardware wallet uses a standard method of generating seeds. It is widely used and with the seeds, you can import it into LOTS of wallet or just simply write a script to extract it yourself.

Third, replacement cost is very high with hardware wallet.

Refer to my second point.

I can email myself my strongly encrypted private keys (so even if my email gets hacked, no hacker can crack my private keys unless they have some super hyper ultra quantum computer that can hack into any strongly encrypted private keys within minutes/seconds/hours).

Jesus, I don't even know if I should continue but oh well.

Fourth, to rely on any 3rd-party wallet to secure and/or cold storage my cryptocurrencies is itself a big security hole.

How are they helping you to secure when you are free to review the code to find and test for bugs? If you don't like to rely on third-parties, it might be better for you to write your own OS or wallet.

Fifth, I am not a fan nor a believer of some apocalyptic event to be caused by some major EMP attacks, either from some man-made terrorist attacks or from a natural cause like solar spot, solar flare, or solar storm.

Sixth, direct control of your private keys allows you to enjoy any free cryptocurrency due to hard fork.

Point 2 and point 2.

Even if I am using the world's most secure wallet ever, doesn't mean I can let down my defense and start tolerating any infested computer.

It's kinda hard to hack a wallet when the keys are never exposed to the outside world.

[piotr_n]

Currently there is absolutely no procedure to make a cold storage that is 100% safe

And there never will be.
Any security can be attacked, just like any bank can be robbed.

What you want to have is a cold storage wallet that is too expensive to attack.

And as for the hardware wallets, they are not "cold" per se - you always connect them to a PC that is connected to the internet.

[|Bitkoin|]

The guy lost me at recovery seeds being "paper claims" to private keys. The source code for deriving said private keys from your recovery seeds are out there. You can derive your private keys yourself without the need for any third party support. Also, at least with Trezor, you can import your recovery seeds / private keys into a software wallet such as Multibit, so you're not forced to buy a new one.

Of course you don't need a hardware wallet to store your coins securely. I personally just find it way more convenient to use my cold storage with the ease of a hot wallet.

You do realize MultiBit no longer exists... right?

[RDDRocket]

This guy doesn't even understand how Bitcoin works. Rambled on about a bunch of useless points to get paid through that Steemit platform. No, I didn't even read, because thankfully the other guy pasted his main points. By all means, don't use a hardware wallet. Maybe you shouldn't be using Bitcoin either, since you need everything done via holding your hand.

[HeRetiK]

The guy lost me at recovery seeds being "paper claims" to private keys. The source code for deriving said private keys from your recovery seeds are out there. You can derive your private keys yourself without the need for any third party support. Also, at least with Trezor, you can import your recovery seeds / private keys into a software wallet such as Multibit, so you're not forced to buy a new one.

Of course you don't need a hardware wallet to store your coins securely. I personally just find it way more convenient to use my cold storage with the ease of a hot wallet.

You do realize MultiBit no longer exists... right?

I did not, thanks for point it out. You can still import from Trezor to (an old version of) Multibit to Electrum... or actually to Electrum directly, apparently [1]. Point being that with the key derivation logic being public there will always be a way to replace your hardware wallet with a software wallet. Of course this also means to stay away from any hardware wallet that isn't open source.

[1] https://doc.satoshilabs.com/trezor-apps/electrum.html

[swogerino]

The guy lost me at recovery seeds being "paper claims" to private keys. The source code for deriving said private keys from your recovery seeds are out there. You can derive your private keys yourself without the need for any third party support. Also, at least with Trezor, you can import your recovery seeds / private keys into a software wallet such as Multibit, so you're not forced to buy a new one.

Of course you don't need a hardware wallet to store your coins securely. I personally just find it way more convenient to use my cold storage with the ease of a hot wallet.

Not only Trezor has that capacity to import your seeds in another compatible wallet with the seed of a hardware wallet. Ledger Nano S has also support for it. I think that paper wallets are a pain in the a** while hardware wallets can be used both ways, even hot and even cold storage depending on the user.

[Dorky]

I can see clearly well you are arguing just for the sake of arguing and ended up missing some of the points.

Do you have any proof that the hardware wallet providers have access to your private key?

No I don't have. And I do not intend to spend my time becoming a top expert in finding the evidence before deciding not to use it.

Most hardware wallet uses a standard method of generating seeds. It is widely used and with the seeds, you can import it into LOTS of wallet or just simply write a script to extract it yourself.

This is where I said you argue for the sake of arguing and ended up missing some of the points. Oh well, so I guess the recovery seeds have no problem after all and rely on no 3rd party. Well, guess I am going to protect the seeds after all. But NO, I am going to protect my private keys directly instead. You are in fact avoiding the point that recovery seeds need to be properly secured as well. By avoiding that point, you are indirectly implying the recovery seeds need not be secured nor elaborate how to secure them.

Jesus, I don't even know if I should continue but oh well.

Don't continue, then.

How are they helping you to secure when you are free to review the code to find and test for bugs? If you don't like to rely on third-parties, it might be better for you to write your own OS or wallet.

Duh, why should I need to write my own OS or wallet when I already have wallet generators like Electrum to do it for me? And do I trust Electrum? I don't need to if you understand my points accurately instead of arguing like a very smart guy.

Point 2 and point 2.

Whatever your point is, does not invalidate my point that if a person can secure his seeds well, he might as well just do it directly with his private keys. And besides, do you really expect everyone to be a tech savvy that they are able to write their own OS, etc? Be reasonable. What I am offering is a way that is far less complicated that an average Internet user can use.

It's kinda hard to hack a wallet when the keys are never exposed to the outside world.

Hard to hack? My approach is not even hackable.

[Dorky]

Currently there is absolutely no procedure to make a cold storage that is 100% safe.

Or maybe you can just be clear and point out how my approach of cold storage will be hackable.
Saying no procedure is 100% safe sounds like speculation to me.

This guy doesn't even understand how Bitcoin works. Rambled on about a bunch of useless points to get paid through that Steemit platform. No, I didn't even read, because thankfully the other guy pasted his main points. By all means, don't use a hardware wallet. Maybe you shouldn't be using Bitcoin either, since you need everything done via holding your hand.

You don't need to read if you don't want to. No, I don't use any hardware wallet. And no, whether I should or shouldn't be using bitcoin is 1) out of topic, and 2) is none of your business.

Not only Trezor has that capacity to import your seeds in another compatible wallet with the seed of a hardware wallet. Ledger Nano S has also support for it. I think that paper wallets are a pain in the a** while hardware wallets can be used both ways, even hot and even cold storage depending on the user.

Yes, the hardware wallet has support, but please note the support is limited. I didn't suggest paper wallet. I suggested a digitally-encrypted paper wallet. Yeah, hardware wallet can be used for cold storage (but not recommended, except as hot wallet just as an example), in which you will secure the recovery seeds. And securing the recovery seeds is no different from securing the private keys. Some pro-hardware wallet people never realize they actually have to secure their recovery seeds precisely and exactly the way they would secure the private keys. In fact, for such people not realizing this means their security isn't really high despite using hardware wallet.

[HCP]

Or maybe you can just be clear and point out how my approach of cold storage will be hackable.
Saying no procedure is 100% safe sounds like speculation to me.

So you can say... with 100% certainty... that there are no "bugs, glitches, backdoors, ... etc that either allows them to be hacked or they screws up on their own, or both." in RAR software... with it's closed sources?

And for the record... your method would probably fail the "$5 wrench attack":

[Bagrras]

The theme is good and I myself do not use a hard wallet.

[Dorky]

So you can say... with 100% certainty... that there are no "bugs, glitches, backdoors, ... etc that either allows them to be hacked or they screws up on their own, or both." in RAR software... with it's closed sources?

And for the record... your method would probably fail the "$5 wrench attack":

I would say I have used WinRar for many several years and it never disappoint me, not even once.

All those videos saying WinRar's .rar files can be hacked is fake because they use brute force on negligible passwords like "abc" and "123".

And thank you for bringing up that $5 wrench attack because I came across such argument while writing my article.
Here's the thing, can anyone using hardware wallet be safe from the "$5 wrench attack"?
Here's an honest + objective answer... NO.

And is it better to use my approach vs hardware wallet? Yes.
Why? Using hardware wallet is a physical dead giveaway that you have bitcoin and/or other cryptocurrencies.
Using digitally-encrypted private keys that I suggested is not, unless you try to brag and boost that you are rich because you have plenty of cryptocurrencies, in which case you are the security risk, not my approach.

[pebwindkraft]

People discussing security when using Windows - come on! Don't you see the gap here? Windows has a long, long record of insecurity, and there is no sign, that this will ever stop. (Oh, yes - Microsoft last recently announced, they'll embrace Linux. That might be a first step.)

In the professional world of security you do not talk Windows. Otherwise it is snake oil (thx to Bruce Schneier for this wording).

>> Saying no procedure is 100% safe sounds like speculation to me.
this sentence makes me puzzled
Security is not about emotions, not about opinions or speculation.
it is a race between experience and development. Similiar to banks, who protect the wealth. The layers of protection were increased step by step, until it gets too expensive to try and steal money. So security is all about trade-offs: you have a certain amount of value to protect, then you also need to invest a certain amount for the protection layer. You can not protect a 1 million value with 5 cents of security thoughts. And then there is not only security against theft, it is also about privacy.

So best practices might look a bit like this:
Trades at the 100 Dollars/Yen/Euros/Satoshis level can be on a phone wallet.
The 1000 range can start to be used with multisig.
The 10.000 range requires some cold storage.
All beyond requires cold storage and multisig.
And when it comes to privacy, you may want to add a layer of tumbler/coinjoin/mimblewimble.

[HCP]

I would say I have used WinRar for many several years and it never disappoint me, not even once.

I'm sure there were people saying similar things about Mt. Gox... and Bitfinex... and <insert scam/hackedService/buggySoftware here> right before all their coins/$$$/data disappeared.

And thank you for bringing up that $5 wrench attack because I came across such argument while writing my article.
Here's the thing, can anyone using hardware wallet be safe from the "$5 wrench attack"?
Here's an honest + objective answer... NO.

Actually, they can be safer than you... because the hardware wallet gives them the safety of "plausible deniability". You can create "dummy" wallets with "small amounts" of bitcoin... say 1-10% of your total holdings. If someone threatens you, you give them the password to the dummy wallet... they find your coins and think "Job done"... meanwhile your 90-99% of actual holdings are safely stored in a hidden wallet that they can't possible know or prove exists... rendering a $5 wrench attack nullified for a relatively minor cost.

Whereas, with your method, they'll keep hitting until they get the password (or passwords in the case of multiple encryption) that decrypts it correctly.

And is it better to use my approach vs hardware wallet? Yes.

See... I was going to let the "Saying no procedure is 100% safe sounds like speculation to me" slide... but now you're just coming off as a little bit arrogant.

"Saying your procedure is 100% safe sounds like arrogance to me"

Why? Using hardware wallet is a physical dead giveaway that you have bitcoin and/or other cryptocurrencies.
Using digitally-encrypted private keys that I suggested is not, unless you try to brag and boost that you are rich because you have plenty of cryptocurrencies, in which case you are the security risk, not my approach.

No, you just used a very public forum like Steemit to declare to the entire world that you use Crypto... and how you choose to store them. Guessing you trust them more than hardware wallet devs/manufacturers too... so I'm sure your IP address is safe when them.



I'm not declaring that hardware wallets are 100% safe, or the only answer to everyone's crypto storage needs... there are still attack vectors that exist (no solution is 100% secure). What they are is safer than using just a software wallet on a desktop PC/tablet/mobile device... and more convenient than locking everything away on paper wallets in secure storage (or triple encrypted, digitally stored private keys)...

But hey, like I said... Horses for courses... you've got a system that works for you, so that's great. Is it "better" than a hardware wallet? A viable alternative sure, but better? I'd say that is somewhat debatable and likely dependent on the use case(s) of a given person...

[JohnnyNnex]

How it possible to capture sent packets without noticing user?

[ranochigo]

No, I'm not here to argue or anything.

No I don't have. And I do not intend to spend my time becoming a top expert in finding the evidence before deciding not to use it.

You can't criticise them if you cannot find any fault with them. How are you going to be generating the keys with 100% security if you do not wish to verify the source code? No wallet will ever be safe for you then. You can only generate it by hand.

But NO, I am going to protect my private keys directly instead. You are in fact avoiding the point that recovery seeds need to be properly secured as well. By avoiding that point, you are indirectly implying the recovery seeds need not be secured nor elaborate how to secure them.

I don't really understand where you got that inference from. I merely said that the derivation method can be known. You can get the private keys from the seeds=getting your gold from the paper that holds your gold without any restriction at all.

Don't continue, then.

Nah, I just feel that theres some misconception.

Duh, why should I need to write my own OS or wallet when I already have wallet generators like Electrum to do it for me? And do I trust Electrum? I don't need to if you understand my points accurately instead of arguing like a very smart guy.

Wait... Didn't you mention that hardware wallets are flawed because you are depending on a third party to generate it for you? I think you misunderstood something.

Whatever your point is, does not invalidate my point that if a person can secure his seeds well, he might as well just do it directly with his private keys. And besides, do you really expect everyone to be a tech savvy that they are able to write their own OS, etc? Be reasonable. What I am offering is a way that is far less complicated that an average Internet user can use.

Of course. I didn't say everyone SHOULD write their own OS in the first place, I don't even expect anyone using Bitcoin to be able to. If you love your privacy and security, you would be having thousands of private keys whenever you spend the coin. Isn't a 12 word seed way easier?

Hard to hack? My approach is not even hackable.

You uh, forgot to cover the way to spend your coins. Of course I can craft a transaction at the moment when you decrypt your encrypted rar file to send the coins to my address.

[bitcoinmaniac52]

Not sure if I should post it here, but I just wrote a steemit article on "Why I Am Not Using Hardware Wallet For Cold Storage" @ https://steemit.com/wallet/@dorky/why-i-am-not-using-hardware-wallet-for-cold-storage to help people make better decisions.

Check it out.

Lot of people posting their Steemit articles here trying to make bank.

Anyway, this is common sense. TRUE COLD STORAGE = PAPER WALLET

Anyone who lost  a significant amount of Bitcoin will tell you a paper wallet is the safest way of storing it. Think of it like cash money, except you are holding a paper with your keys on it. No one can hack you if you use this method.