Bitcoin Forum
Topic: Protecting hardware wallet backups. Please help. (Read 211 times)
seedcret-ce (OP)
April 12, 2019, 02:24:09 PM
 #1

I'm building a website to help with recovery seed management and also with inheritance planning.
I'd like to use it to protect my recovery seed backups and also offer it to others if they like it.

The idea is never to ask users for their recovery seeds – it is always in the user’s hands and offline.

Users just schedule reminders to check their backups regularly and thus protect themselves from forgetting the backups due to the passage of time, disease or accident.

Optionally, users also might create a recovery/inheritance plan so their close ones can access the user’s assets in case of an accident or death. This works similarly to Google Inactive Account Manager, but it's more customized for cryptocurrencies.

Again, the recovery seed stays completely offline all the time. The only thing which might be uploaded online (depending on the user’s decision) is a passphrase (in plain or even encrypted form).


Already implemented features are here:
https://seedcret.com/demo/

Features we are currently building listed here:
https://seedcret.com/premium/


Would you share your thoughts on this?
Is there anything you are missing, anything that is not clear enough, or anything you would do in a better way?

Thanks
seedcret-ce (OP)
April 12, 2019, 06:47:43 PM
 #2

Just adding more details on use cases:

Let me share the best practice suggestions from the official hardware wallet providers (Trezor, Ledger, ...) first.


https://wiki.trezor.io/User_manual:Security_best_practices

https://blog.trezor.io/passphrase-the-ultimate-protection-for-your-accounts-3a311990925b

https://blog.trezor.io/seed-pin-passphrase-e15d14a0b546


I will quote some essential points from these resources:


• If you do not use a passphrase, your recovery seed is all that is needed to access your coins. Never make a digital copy of your seed. We cannot stress enough to only store the seed offline.

• The passphrase is widely recommended and cherished by cybersecurity professionals and has multiple security effects:

• Passphrase protects your recovery seed and is not stored anywhere. This means that even if somebody compromised your recovery seed, they would not be able to access your accounts unless they knew the passphrase as well.

• If you have to make a physical backup of your passphrase, do not store it right next to the backup of your seed. Instead, you might consider choosing a memorable passphrase and setting up reminders to refresh your memory every few months.

• A passphrase or more passphrases can be used with the same TREZOR device to create the so-called “hidden wallets”.

• You can share your account with the rest of the household or your team members at work. You can generate and distribute a recovery seed which would give everyone access to the “mutual”, “seed-only” wallet. Every member of this group can then separate their own secret wallet by using their custom passphrase.


Based on the above suggestions I can see multiple use cases as below:


[1] REGULAR REMINDERS TO CHECK BACKUPS

Often people lost/forgot their hardware wallet backups over time. As a result, they lost their crypto.

As mentioned above, it is a good practice to schedule regular reminders to refresh your memory every few months and not forget about the backups.

This relates to both the recovery seed and passphrase backups.

We aim to provide a simple and easy to use app for backup management which provides higher comfort than just using a regular calendar for reminders.


[2] PASSPHRASE BACKUPS

The rule is “never store your passphrase together with your recovery seed”.

I personally store my recovery seed offline at home and my passphrase online.

This brings me these benefits:

a/ Even if someone finds my recovery seed, it is still protected, because the person doesn’t know the passphrase (doesn’t even know that there is a passphrase activated)

b/ If someone finds the passphrase online, the person can’t get any benefit out of it without the recovery seed, which is stored somewhere else and offline

I am not afraid of storing my passphrase online because of this, but if someone were afraid, it is still possible to encrypt the passphrase before uploading it online (and write the password for decryption down offline together with the recovery instructions).

Another way would be to protect the passphrase with a randomized list, as explained here for the recovery seed: https://seedcret.com/kb/randomized-list-protection/

c/ I can create an inheritance plan for my family as described further


[3] INHERITANCE PLANNING

Because my backup consists of both the recovery seed and the passphrase, it is easy for me to create an inheritance plan for my family/friends.

It works as follows:

a/ My recovery seed is stored at home, written on a paper

Together with the recovery seed I also wrote the letter of instruction as here:

https://seedcret.com/kb/letter-of-instruction/

It will help my family to access my funds if needed...

b/ I used Google Inactive Account Manager (see here https://support.google.com/accounts/answer/3036546?hl=en) to schedule recovery email.

If my account is inactive longer than a waiting period I choose (e.g., 3 months), my family will receive a recovery email I prepared for them.

The recovery email contains information where they can find my physical recovery seed backup and it also includes the passphrase they need to use together with the recovery seed to access my digital assets.

You can use this as a template when creating your recovery email:

https://seedcret.com/kb/recovery-email/

c/ Finally, I do the same with Seedcret (the app we are developing), to schedule a secondary recovery email as a backup.

You can read more details on how to do it here:

https://seedcret.com/kb/store-recovery-seed-safe-guide/


[4] NOTIFICATIONS ON A BALANCE CHANGE

Besides the standard email notification on a balance change, this feature also offers a great security improvement for your recovery seed backups.

Even if my “whole fortune” is stored on the passphrase-protected account, it is still a good idea to leave some small funds/amount on the empty passphrase/original seed-only account.

Then, the empty passphrase/original seed-only account is used as a “decoy”.

If someone finds your recovery seed backup and steals your coins from the empty passphrase/original seed-only account, we'll send you email notification immediately once we detect a balance change.

Once notified, you can move your funds from your main passphrase protected account to a new, safe wallet.


[5] MAINNET AND SWAP ALERTS

When a project decides to launch its own mainnet, it is important to migrate the existing tokens from the residing blockchain to the mainnet.

Missing the mainnet may cause a complete asset loss.

With Seedcret, you can enable mainnet alerts, so we'll send you the alert email in advance to protect your funds.


These use cases came out from my own experience when I was trying to secure my and my friend’s crypto.

And that's why I believe that also other people might find such a service helpful when protecting their digital assets.


Looking forward to any comments!

stomachgrowls
April 12, 2019, 08:17:02 PM
 #3

This service is only good for those people who easily forget.

Give me a reason why this project of yours is much better compared to storing my own passphrase and making some scheduled reminders on my own, setting them up either on my casual calendar or simply on my mobile phone? Things like these are very hard to forget IMHO.

But overall this is beneficial for some people.

seedcret-ce (OP)
April 12, 2019, 08:38:00 PM
 #4

Quote from: stomachgrowls
> This service is only good for those people who easily forget.
>
> Give me a reason why this project of yours is much better compared to storing my own passphrase and making some scheduled reminders on my own, setting them up either on my casual calendar or simply on my mobile phone? Things like these are very hard to forget IMHO.
>
> But overall this is beneficial for some people.

Yes, that's true - it's possible to manage the backups even without the app.

Originally I created the app for myself to make the backup management and other stuff easier.

And I believe these are helpful features (as described in the previous post):

* INHERITANCE PLANNING
* NOTIFICATIONS ON A BALANCE CHANGE
* MAINNET AND SWAP ALERTS

I think especially inheritance planning is really important. A lot of crypto was lost because of no inheritance plan.

Do you have any? Can you share your approach?

And of course, I also believe that I won't forget about my backups. But what about memory loss due to a disease or an accident?

I know it's not likely but might happen. In my opinion, it's good to be ready.

stomachgrowls
April 12, 2019, 08:49:38 PM
 #5

Quote from: seedcret-ce
> I think especially inheritance planning is really important. A lot of crypto was lost because of no inheritance plan.
>
> Do you have any? Can you share your approach?


About that inheritance thing, I will follow this:

Digital or Electronic method.

1. Private keys stored encrypted. You could use RAR, or AxCrypt or TrueCrypt. Spread this. Give a flash drive to everyone.
2. Instructions on how to use. Complete tutorial for newbies as needed.
3. Use one of those delayed email services, deadmansswitch, email-from-future, etc. It will send the email (with the 64 character alphanumeric password) when you don't contact the system in 60 / 90 / whatever number of days.
4. As long as you are alive and conscious, log in to your service to tell them you are alive.

Paper method.

1. Print your private keys on paper. Seal the envelope. Tape it. Wax it.
2. Store in vault. Mark with "in case of death / emergency / whatever".

Quite old, but gold.

seedcret-ce (OP)
April 12, 2019, 09:00:17 PM
 #6

Quote from: stomachgrowls
> Quote from: seedcret-ce
> > I think especially inheritance planning is really important. A lot of crypto was lost because of no inheritance plan.
> >
> > Do you have any? Can you share your approach?
>
> About that inheritance thing, I will follow this:
>
> Digital or Electronic method.
>
> 1. Private keys stored encrypted. You could use RAR, or AxCrypt or TrueCrypt. Spread this. Give a flash drive to everyone.
> 2. Instructions on how to use. Complete tutorial for newbies as needed.
> 3. Use one of those delayed email services, deadmansswitch, email-from-future, etc. It will send the email (with the 64 character alphanumeric password) when you don't contact the system in 60 / 90 / whatever number of days.
> 4. As long as you are alive and conscious, log in to your service to tell them you are alive.
>
> Paper method.
>
> 1. Print your private keys on paper. Seal the envelope. Tape it. Wax it.
> 2. Store in vault. Mark with "in case of death / emergency / whatever".
>
> Quite old, but gold.

Yes, I agree - the "Digital or Electronic method." is actually similar to the app that I am building.

You can achieve this also with Google Account Inactive Manager. But it's not focused/customized for crypto.

Thanks for comments!