Bitcoin Forum
Author Topic: Security setup help  (Read 291 times)
margotcoins (OP)
June 04, 2019, 11:25:37 AM
Merited by DdmrDdmr (3), o_e_l_e_o (1)
 #1

hi guys,

just wondering if you could criticize my setup from a security point of view.

I am using exodus for keeping multi assets, and electrum for btc.

I am planning on buying a hardware wallet, not sure which yet (maybe trezor?).

Cold storage isn't a possibility right now as all my machines are online.

Anything I could do better to improve my security?

Many thanks!
bob123
June 04, 2019, 11:33:05 AM
 #2

There isn't much we can comment on your setup.

All we know is that you are using electrum and plan on buying a hardware wallet.

With a hardware wallet you are already very secure against a lot of threats.

You can choose for yourself which hardware wallet you want. Ledger's nano and the trezor are both very good and reputable wallets.


The most important thing until you finally get your hardware wallet is to use your common sense.
Don't download cracked / shady software, keep all of your software (including OS) up-to-date and you are relatively safe.

mk4
June 04, 2019, 11:38:59 AM
 #3

Besides downloading and installing random programs and clicking on shady links, I don't think you can do much. Especially when you're using a Windows operating system, then you're at risk. Probably stop unlocking your wallets when not needed might help slightly. Just grab a hardware wallet (Trezor/Ledger) as soon as possible so you could secure your funds sooner.

P.S. Make sure to purchase the hardware wallets from the source. Not from eBay, Amazon, or other sites.

margotcoins (OP)
June 04, 2019, 11:42:50 AM
 #4

absolutely on both the shady software and the wallet vendor!!!

can you recommend a hardware wallet? I mean does one stand out compared to the other in your mind?

I am only leaning toward trezor because of the exodus compatibility, not sure if it's a strong reason though ..

What does unlocking my wallet have to do with security?
o_e_l_e_o
June 04, 2019, 12:00:54 PM
 #5

can you recommend a hardware wallet? I mean does one stand out compared to the other in your mind?
Ledger or Trezor. These are the two biggest players in the hardware wallet market, and are the two which have been most extensively examined and tested by third parties, and largely stood up against that testing. Either or both of those is what most experienced users on here would recommend.

If Trezor has a functionality that matters to you that Ledger doesn't (I've never used Exodus so I don't know about its compatibility with hardware wallets), then that is a perfectly reasonable reason to choose it.
bob123
June 04, 2019, 12:06:19 PM
Merited by dbshck (4)
 #6

What does unlocking my wallet have to do with security?

Under some rare circumstances it might be harmful to have the wallet (unencrypted).

An example would be if you are on some malicious website, with malicious javascript which exploits a 0-day vulnerability in your browser to escape the sandbox and exploits another vulnerability in your OS to gain access to your private keys.
This (highly theoretical, practically probably never happening) attack would not extract private keys while your wallet is encrypted.

I guess this was the general idea of mjglqw.

Generally, if your computer is infected, the only way the malware can extract sensitive information out of your wallet is when it is unencrypted (either not encrypted by default, or open and unlocked).


However, generally if you regularly use your wallet, it doesn't matter whether you only open (unlock / decrypt) it once every week or 10 times per day.
If you open your wallet after an infection with malware which wants to extract private keys, they will be stolen.
If your computer is not infected, practically it doesn't matter.

TheBeardedBaby
June 04, 2019, 12:10:00 PM
 #7

I have Trezor and I'm very satisfied. There is one important thing to remember when you set up the wallet, there is an additional passphrase which is critical.
You need to remember it, otherwise your wallet with all the funds can be lost forever.
This passphrase will be required when you do the firmware upgrade of the trezor hardware wallet, but the catch here is that if you enter it wrong, you won't get any error message, just a new (empty) wallet will be generated. https://blog.trezor.io/seed-pin-passphrase-e15d14a0b546

Keep it in mind when you order trezor. I can advise you to buy two wallets, one for back-up in case you forget your passphrase and erase your other device, then you can transfer the funds to a fresh wallet from the backup.
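
Added example, not part of the post above and not Trezor's code: why a mistyped passphrase gives no error, assuming the device follows the BIP39 standard, where the passphrase is mixed into the seed derivation so every passphrase (the empty one included) yields a valid but different wallet. `wallet_tag` and `passphrase_matches` are hypothetical helpers standing in for comparing the first receive address, and the mnemonic is the public BIP39 test vector, used here as constructed sample input.

```python
import hashlib
import hmac
import unicodedata

# Constructed sample input: the public all-zero BIP39 test mnemonic. Never fund it.
MNEMONIC = "abandon " * 11 + "about"


def _nfkd(text: str) -> bytes:
    """BIP39 normalises both mnemonic and passphrase to NFKD before hashing."""
    return unicodedata.normalize("NFKD", text).encode("utf-8")


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Seed = PBKDF2-HMAC-SHA512(mnemonic, salt="mnemonic"+passphrase, 2048 rounds)."""
    salt = b"mnemonic" + _nfkd(passphrase)
    return hashlib.pbkdf2_hmac("sha512", _nfkd(mnemonic), salt, 2048, dklen=64)


def wallet_tag(seed: bytes) -> str:
    """Hypothetical 8-hex-digit tag; stands in for noting the first receive address."""
    # BIP32 master key material: HMAC-SHA512 keyed with the string "Bitcoin seed".
    master = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return hashlib.sha256(master).hexdigest()[:8]


def passphrase_matches(mnemonic: str, candidate: str, expected_tag: str) -> bool:
    """True only if `candidate` opens the wallet whose tag was recorded at setup."""
    tag = wallet_tag(bip39_seed(mnemonic, candidate))
    return hmac.compare_digest(tag, expected_tag)


if __name__ == "__main__":
    # Constructed scenario: the tag is recorded once, when the wallet is set up.
    recorded = wallet_tag(bip39_seed(MNEMONIC, "correct horse"))
    for attempt in ("correct horse", "Correct horse", ""):
        seed = bip39_seed(MNEMONIC, attempt)
        # Every attempt derives a full 64-byte seed; nothing ever "fails".
        ok = passphrase_matches(MNEMONIC, attempt, recorded)
        print(repr(attempt), wallet_tag(seed), "match" if ok else "different wallet")
```

Because there is nothing to validate a passphrase against, the only way to notice a typo is to compare something derived from the seed with a value noted at setup.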

margotcoins (OP)
June 04, 2019, 12:13:34 PM
 #8

very interesting, thank you for both the java and the trezor tips!

maybe a little off topic but something I can't wrap my head around is the possibility of creating the same private key ..

you have this astronomical number I can't even start to comprehend and yet, if you did create the same key then you would access somebody else's wallet ..

2 to 128 power = 340,282,366,920,938,463,463,374,607,431,768,211,456

small possibility but how can it be considered impossible?
bob123
June 04, 2019, 12:13:50 PM
Merited by El duderino_ (1)
 #9

I have Trezor and I'm very satisfied. There is one important thing to remember when you set up the wallet, there is an additional passphrase which is critical.

~snip~

Keep it in mind when you order trezor. I can advise you to buy two wallets, one for back-up in case you forget your passphrase and erase your other device, then you can transfer the funds to a fresh wallet from the backup.


You can set up the trezor without any passphrase too, simply by leaving the password field empty.

And instead of buying a second trezor, writing the passphrase on the backup paper of the mnemonic code would also be a viable (and cheaper) option.





you have this astronomical number I can't even start to comprehend and yet, if you did create the same key then you would access somebody else's wallet ..

2 to 128 power = 340,282,366,920,938,463,463,374,607,431,768,211,456

small possibility but how can it be considered impossible?

A private key is a 256 bit number.
So that's 2^256 = ~ 1.15 * 10^77 = ~ 11500000000000000000000000000000000000000000000000000000000000000000000000000000

That's roughly the amount of atoms in the Universe.


Let's say I pick a random atom in the whole universe. Do you think you would be able to guess which one I chose?

The chances are not just very slim.. it's practically impossible to even bruteforce a small fraction of the whole search space.

TheBeardedBaby
June 04, 2019, 12:26:32 PM
 #10

I have Trezor and I'm very satisfied. There is one important thing to remember when you set up the wallet, there is an additional passphrase which is critical.

~snip~

Keep it in mind when you order trezor. I can advise you to buy two wallets, one for back-up in case you forget your passphrase and erase your other device, then you can transfer the funds to a fresh wallet from the backup.


You can set up the trezor without any passphrase too, simply by leaving the password field empty.

And instead of buying a second trezor, writing the passphrase on the backup paper of the mnemonic code would also be a viable (and cheaper) option.

That's true, but many people do it and then forget their passphrases. Regarding the backup, it depends but if we are talking about funds like 10k$ and over it's always good to have a backup.

DdmrDdmr
June 04, 2019, 03:36:50 PM
 #11

<…>
That’s the way I’ve got mine configured, but using two Ledger Nano S devices instead (would take a look at Ledger Nano X nowadays, but the price is steeper too). My two devices are cloned, and one resides elsewhere (i.e. not at home). Since they are password protected (*), my offsite backup has barely any risk of someone being able to use it even if they managed to get hold of it. Of course I could use the 24 word recovery phrase for backup, but for my off-site version I prefer a hardware password protected device than a readable paper.

(*) Password (pin) can be between 4 and 8 characters in length. If you fail the password thrice in a row, the device resets to factory setting, thus deleting your private keys from the device (that is meant to be a good thing – providing you have a backup device and/or the 24 word seed somewhere).
manishanand
June 04, 2019, 03:53:41 PM
 #12

I personally would recommend to go for nano ledger because it offers good security and is a hardware wallet. If you are not into frequent trades then you should keep your money on some hardware wallet for security.
margotcoins (OP)
June 04, 2019, 05:09:59 PM
 #13


A private key is a 256 bit number.
So that's 2^256 = ~ 1.15 * 10^77 = ~ 11500000000000000000000000000000000000000000000000000000000000000000000000000000

That's roughly the amount of atoms in the Universe.


Let's say I pick a random atom in the whole universe. Do you think you would be able to guess which one I chose?

The chances are not just very slim.. it's practically impossible to even bruteforce a small fraction of the whole search space.

and that to me it's just fascinating, every time I think about the math behind private keys it blows my mind, it must be just impossible to even comprehend a number of this magnitude!

At the same time silly me can't stop thinking about some big wallet or portfolio out there being protected 'only' by these odds .. just wow!

I mean the next guy creating a seed boom find himself/herself with a wallet belonging to some big time coins owner, yes it's fantasy but still 1 possibility is there.. 1 tiny tiny possibility.. highly improbable, almost impossible we might say, but still 1 possibility is there .. and yet it will never happen! fascinating!!!
gaitonde
June 04, 2019, 05:11:10 PM
 #14

A hardware wallet is like bulletproof security to me. If you lost it then you lost your crypto, otherwise no chance of hacking or stealing. I think you have to buy a hardware wallet if you are holding lots of assets in crypto.
margotcoins (OP)
June 04, 2019, 05:16:12 PM
 #15



You can set up the trezor without any passphrase too, simply by leaving the password field empty.

And instead of buying a second trezor, writing the passphrase on the backup paper of the mnemonic code would also be a viable (and cheaper) option.



that's what I am thinking, one trezor and a mnemonic passphrase. I see they have two models available just need to pick one, also the cryptosteel gadget is really cool, a little pricey but still cool



margotcoins (OP)
June 04, 2019, 05:21:11 PM
 #16

<…>
That’s the way I’ve got mine configured, but using two Ledger Nano S devices instead (would take a look at Ledger Nano X nowadays, but the price is steeper too). My two devices are cloned, and one resides elsewhere (i.e. not at home). Since they are password protected (*), my offsite backup has barely any risk of someone being able to use it even if they managed to get hold of it. Of course I could use the 24 word recovery phrase for backup, but for my off-site version I prefer a hardware password protected device than a readable paper.

(*) Password (pin) can be between 4 and 8 characters in length. If you fail the password thrice in a row, the device resets to factory setting, thus deleting your private keys from the device (that is meant to be a good thing – providing you have a backup device and/or the 24 word seed somewhere).


well now I get how the second device is used for backup, I wasn't thinking about being an encrypted backup versus a mnemonic that everyone can read!
o_e_l_e_o
June 04, 2019, 05:44:16 PM
Merited by bitmover (2), Solosanz (1)
 #17

I mean the next guy creating a seed boom find himself/herself with a wallet belonging to some big time coins owner
Here's another way of thinking of that number:

Let's say we have a trillion planet Earths. On each Earth, there are a trillion people. Each person has a trillion computers. Each computer generates a trillion keys a second. All these computers have been creating a trillion keys per second since the birth of the universe 13.7 billion years ago. 10^12 * 10^12 * 10^12 * 10^12 * 60 * 60 * 24 * 365 * 13.7 * 10^9 = 4.3*10^65. This means that they would have so far generated approximately 0.0000000004% of all private keys.

hardware wallet is like a bullet proof security to me if you lost it then you lost your crypto
Not quite - that's the whole point of a mnemonic phrase. If you lose your hardware wallet, provided you have your phrase written down somewhere accurately and securely, you can always recover your wallets and recover your coins.
El duderino_
June 04, 2019, 09:28:05 PM
 #18

I mean the next guy creating a seed boom find himself/herself with a wallet belonging to some big time coins owner
Here's another way of thinking of that number:

Let's say we have a trillion planet Earths. On each Earth, there are a trillion people. Each person has a trillion computers. Each computer generates a trillion keys a second. All these computers have been creating a trillion keys per second since the birth of the universe 13.7 billion years ago. 10^12 * 10^12 * 10^12 * 10^12 * 60 * 60 * 24 * 365 * 13.7 * 10^9 = 4.3*10^65. This means that they would have so far generated approximately 0.0000000004% of all private keys.

hardware wallet is like a bullet proof security to me if you lost it then you lost your crypto
Not quite - that's the whole point of a mnemonic phrase. If you lose your hardware wallet, provided you have your phrase written down somewhere accurately and securely, you can always recover your wallets and recover your coins.

Just keep the hard wallet and PW phrase well separated :D

An extra copy of the PW phrase isn’t a bad thing ....

margotcoins (OP)
June 06, 2019, 09:21:59 AM
 #19

I like the analogy of the trillion earths/people/computers/time, it starts to give you an idea of how big this number is.

I read that chances of finding a collision are 1 in over 115 with 78 zeros!!! and of course you have the hash function that randomises things up even more.

at the same time I was reading about key encryption and I stumbled across a couple of disturbing websites that made me jump a little on my chair.

first one is the bitcoin collider, they found more than 50 keys?!?! and they just took those wallets? whaaaaat ..  

second one is keys, where you have a list of all the possible private key combinations .. I must admit I did click on it and went through some random pages .. it's just crazy how on the next page you could find someone else's wallet! but at the same time it gives you a glimpse of how big the number is.

Also on the first pages of keys I did see a few empty wallets and I wondered whether they were test wallets that later got abandoned or if those unlucky keys at the beginning of the generator list got stolen exactly because the place they were in was easy to find, the beginning!!

Here is what I am getting at: what is the difference between a cold wallet and a hardware wallet?

They are both offline devices, is that it? Or are there major benefits to one or the other?
o_e_l_e_o
June 06, 2019, 09:43:38 AM
 #20

The sites which have found private keys are due to people generating those private keys in insecure ways. The most common is people using brain wallets - essentially thinking up a password or phrase, and then hashing it to get a private key. Because humans are bad at generating random passwords, people were using easily guessed or brute forced passwords, such as common words, phrases, song lyrics, etc.

A cold wallet is any wallet which stores your coins away from the internet and from that vector of attack. Examples include air-gapped devices, paper wallets, and hardware wallets. Hardware wallets refer to a particular device with a secure element designed for holding crypto, such as a Ledger or a Trezor.
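
Added example, not part of the thread: the brain wallet scheme described above next to key generation from the operating system's CSPRNG, with a rough count of the guesses each one forces on anyone searching for the key. The secp256k1 group order is a published constant; the four-word phrase from a 2048-word vocabulary and the trillion-guesses-per-second rate (borrowed from the estimate earlier in the thread) are assumptions for illustration.

```python
import hashlib
import math
import secrets

# Order of the secp256k1 group; valid Bitcoin private keys are integers in [1, N-1].
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def brainwallet_key(phrase: str) -> int:
    """Insecure scheme from the post: private key = SHA-256(human-chosen phrase)."""
    return int.from_bytes(hashlib.sha256(phrase.encode("utf-8")).digest(), "big")


def random_key() -> int:
    """Sound alternative: a uniform draw from [1, N-1] using the OS CSPRNG."""
    return secrets.randbelow(N - 1) + 1


def phrase_bits(words: int, vocabulary: int) -> float:
    """Upper bound on the entropy of a phrase of `words` picks from `vocabulary`."""
    return words * math.log2(vocabulary)


def seconds_to_enumerate(bits: float, guesses_per_second: float) -> float:
    """Time to try every candidate in a space of 2**bits at the given rate."""
    return 2.0 ** bits / guesses_per_second


if __name__ == "__main__":
    rate = 1e12  # assumption: one trillion guesses per second
    # The derived key looks like any other 256-bit number, but it is only as
    # unpredictable as the phrase that produced it.
    print(hex(brainwallet_key("constructed sample phrase")))
    print(hex(random_key()))
    weak = phrase_bits(4, 2048)   # four words from a 2048-word list: 44 bits
    strong = math.log2(N - 1)     # uniform random key: just under 256 bits
    print(f"phrase: {weak:.0f} bits, {seconds_to_enumerate(weak, rate):.1f} s")
    print(f"random: {strong:.0f} bits, {seconds_to_enumerate(strong, rate):.2e} s")
```

The 44-bit figure is a ceiling: song lyrics and common phrases are far more predictable than four independently chosen words.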