Bitcoin Forum
Topic: Why is it bad to store 24 words from Ledger hardware wallet in password manager?
hypersafe2020 (OP)
Newbie
Activity: 10
Merit: 4
April 09, 2020, 08:43:41 PM
Merited by DdmrDdmr (2), vapourminer (1)
#1

It says it is not recommended to store your 24-word seed digitally, and I can see why it is bad to save it in a non-encrypted file like a Word document, but why is it a bad idea to store your 24 words in a password manager like KeePass, which is offline, where you can copy the files onto other drives for backups, and the file is encrypted? I do not see any security flaws in this except if you have a keylogger.
jackg
Copper Member
Legendary
Activity: 2856
Merit: 3071
April 09, 2020, 08:55:14 PM
#2

Quote from: hypersafe2020
It says it is not recommended to store your 24-word seed digitally, and I can see why it is bad to save it in a non-encrypted file like a Word document, but why is it a bad idea to store your 24 words in a password manager like KeePass, which is offline, where you can copy the files onto other drives for backups, and the file is encrypted? I do not see any security flaws in this except if you have a keylogger.

Hypothetically speaking, if you store your seed in an offline password manager you have to import your seed at some point and have it online.

Some hardware wallets make attempts to get you to type in extra words and import words in different orders or as repeats, which makes it harder to decode a seed (but not necessarily impossible).

Also, if a Ledger works like a Trezor, you'd have to show your seed on your computer before you're able to redeem your funds, which has huge implications for your security since anyone with access to the machine through malware can gain access to the information. If you only use the seed on a live version of an OS that has been signed to be authentic then you may be able to store your information this way, but I'd still be wary that you use enough encryption on the password manager...

If you can, use at least 8 random words, there are examples everywhere of how to do this...
hatshepsut93
Legendary
Activity: 2968
Merit: 2147
April 09, 2020, 08:57:59 PM
#3

If you are storing and using your wallet offline, then there's nothing wrong with using a good open-source password manager. Can you tell me who said that this is wrong? I'd like to hear their reasoning.
If this were done on an online machine, there would be inherent risks to it, like malware that somehow pwns the password manager and steals your seed, or clipboard malware, etc. But since we are talking about a cold storage setup, the password manager would just be used as an encryption/decryption tool.
BitMaxz
Legendary
Activity: 3262
Merit: 2974
April 09, 2020, 09:19:35 PM
Last edit: April 09, 2020, 09:57:49 PM by BitMaxz
#4

It is not safe if you are using KeePass in online mode rather than on an offline/air-gapped PC; this should be offline forever to keep your seed safe on your PC.
Any documents or important backups like a 24-word seed are always safe to store on a PC which is completely offline (never connected to the internet).

Since this is related to a hardware wallet, are you planning to use the Ledger hardware wallet on the PC with Ledger Live? It needs the internet, so if you use your PC online it is not safe to save the "24-word seed" in KeePass even if this software is offline. We don't know exactly whether this password manager is sending any data when the PC is connected to the internet.

Unless you are a programmer and you can verify that it is running completely offline and not sending any data from KeePass to the internet when the PC is online. But for those of us who don't know if KeePass is safe while connected to the internet, we will always choose to save it to paper wallets instead, or save it somewhere safer than KeePass.

traderethereum
Hero Member
Activity: 2884
Merit: 574
April 09, 2020, 10:10:44 PM
#5

You never know if your password ends up online someday, so it's better to keep it offline, and only you will know it.
You never know if someone can get in and reach your password manager.
I prefer to write it in my secret book or notepad in some place rather than save it in a password manager. But if you still want to do that, go ahead, but you should be careful.

samcrypto
Sr. Member
Activity: 2044
Merit: 314
April 09, 2020, 10:23:25 PM
#6

Hackers can get into your computer and you might lose those seeds and get hacked as well; this is why we should protect our seeds on our own. Ledger has its own sheet to write down your 24 seed words; if you don't want to use it then it's better to write them down on another paper so they look like normal words to other people. You can encrypt the Excel file, but hackers can still open that, and you are risking too much money on that.

hypersafe2020 (OP)
Newbie
Activity: 10
Merit: 4
April 09, 2020, 10:38:43 PM
#7

Quote from: hatshepsut93
If you are storing and using your wallet offline, then there's nothing wrong with using a good open-source password manager. Can you tell me who said that this is wrong? I'd like to hear their reasoning.
If this were done on an online machine, there would be inherent risks to it, like malware that somehow pwns the password manager and steals your seed, or clipboard malware, etc. But since we are talking about a cold storage setup, the password manager would just be used as an encryption/decryption tool.

I always read online, when it comes to storing your 12 or 24 words, never to store them digitally. I assume this is because most people will put them in an unencrypted file like a TXT or DOCX file and not use a password manager like KeePass.

I was thinking of using Tails OS offline to create a new KeePass file and enter the 24 words in the file, save the file and put it on a USB stick, then turn off Tails OS and make copies of the KeePass file onto other drives.
hatshepsut93
Legendary
Activity: 2968
Merit: 2147
April 09, 2020, 11:47:16 PM
#8

Quote from: hypersafe2020
I always read online, when it comes to storing your 12 or 24 words, never to store them digitally. I assume this is because most people will put them in an unencrypted file like a TXT or DOCX file and not use a password manager like KeePass.

I was thinking of using Tails OS offline to create a new KeePass file and enter the 24 words in the file, save the file and put it on a USB stick, then turn off Tails OS and make copies of the KeePass file onto other drives.

You are correct, by storing digitally people often think about storing it in plaintext. But using strong encryption with a strong key makes it much safer. It's still better to not have your encrypted seed on an online machine or the cloud, but storing it on a USB stick and using it offline with Tails is perfectly valid. If it's encrypted, it's not different from a password-protected wallet file.
hypersafe2020 (OP)
Newbie
Activity: 10
Merit: 4
April 09, 2020, 11:54:23 PM
#9

Quote from: hatshepsut93
If it's encrypted, it's not different from a password-protected wallet file.

By password-protected wallet files, are you referring to an encrypted JSON file?
hatshepsut93
Legendary
Activity: 2968
Merit: 2147
April 09, 2020, 11:57:49 PM
#10

Quote from: hypersafe2020
Quote from: hatshepsut93
If it's encrypted, it's not different from a password-protected wallet file.

By password-protected wallet files, are you referring to an encrypted JSON file?

I was thinking about Electrum, since JSON files are usually used by Ethereum wallets, but they both count as password-protected wallet files. Just make sure to make a really, really good password, and come up with a method for backing up said password, because if someone steals the file, they could spend as much time as they want trying to brute-force it.
hypersafe2020 (OP)
Newbie
Activity: 10
Merit: 4
April 10, 2020, 12:04:33 AM
#11

Quote from: BitMaxz
It is not safe if you are using KeePass in online mode rather than on an offline/air-gapped PC; this should be offline forever to keep your seed safe on your PC.
Any documents or important backups like a 24-word seed are always safe to store on a PC which is completely offline (never connected to the internet).

Since this is related to a hardware wallet, are you planning to use the Ledger hardware wallet on the PC with Ledger Live? It needs the internet, so if you use your PC online it is not safe to save the "24-word seed" in KeePass even if this software is offline. We don't know exactly whether this password manager is sending any data when the PC is connected to the internet.

Unless you are a programmer and you can verify that it is running completely offline and not sending any data from KeePass to the internet when the PC is online. But for those of us who don't know if KeePass is safe while connected to the internet, we will always choose to save it to paper wallets instead, or save it somewhere safer than KeePass.

Would it be safe to use a computer you have used before to boot into Tails OS offline and save the 24-word phrase into a KeePass file? Or should I get a brand new cheap computer, boot into Tails OS offline and save the 24-word phrase into a KeePass file?
hypersafe2020 (OP)
Newbie
Activity: 10
Merit: 4
April 10, 2020, 12:15:13 AM
#12

Quote from: jackg
If you can, use at least 8 random words, there are examples everywhere of how to do this...

Can you send me some links on this? I cannot find anything on adding words to increase the security of your 24-word seed.
jackg
Copper Member
Legendary
Activity: 2856
Merit: 3071
April 10, 2020, 01:31:00 AM
#13

Quote from: hypersafe2020
Quote from: jackg
If you can, use at least 8 random words, there are examples everywhere of how to do this...

Can you send me some links on this? I cannot find anything on adding words to increase the security of your 24-word seed.

No I mean for generating your password for keepass.
Here's an example of generating a master password for a password manager: https://youtu.be/Pe_3cFuSw1E
Little Mouse
Legendary
Activity: 2058
Merit: 1996
April 10, 2020, 01:41:18 AM
#14

It is always advised and encouraged to use offline methods to store a seed key or private key. With an electronic device, it is easy to be targeted by hackers, and it will not be a hard job to get access to your seed key or private key. The seed key can be handwritten on paper too; make a couple of copies and store them in different safe places.

hypersafe2020 (OP)
Newbie
Activity: 10
Merit: 4
April 10, 2020, 02:50:27 AM
#15

If I were to open the KeePass file with the 24-word phrase on a computer connected to the internet to see what it was years later, would this be a bad idea? Should I always open the file on an offline Tails OS computer to recover my word phrase?
jackg
Copper Member
Legendary
Activity: 2856
Merit: 3071
April 10, 2020, 03:00:09 AM
#16

Quote from: hypersafe2020
If I were to open the KeePass file with the 24-word phrase on a computer connected to the internet to see what it was years later, would this be a bad idea? Should I always open the file on an offline Tails OS computer to recover my word phrase?

Yes!

You could leave a note on the USB drive in plain text as to how to decrypt (obviously not including the password) to remind yourself.
Kemarit
Legendary
Activity: 3094
Merit: 1354
April 10, 2020, 03:22:19 AM
#17

Quote from: hypersafe2020
If I were to open the KeePass file with the 24-word phrase on a computer connected to the internet to see what it was years later, would this be a bad idea? Should I always open the file on an offline Tails OS computer to recover my word phrase?

Every time you connect your devices online it is a risk. So it is better to do everything offline to be on the safe side. Hackers and malware are everywhere, so the best thing we can do is go off-grid.

joniboini
Legendary
Activity: 2198
Merit: 1792
April 10, 2020, 04:31:18 AM
#18

Quote from: hypersafe2020
Would it be safe to use a computer you have used before to boot into Tails OS offline and save the 24-word phrase into a KeePass file? Or should I get a brand new cheap computer, boot into Tails OS offline and save the 24-word phrase into a KeePass file?

I think buying a new computer is a bit overkill. Using your current computer to boot up Tails (without connecting to the internet) should be safe enough imo. Just to make sure, you can disable the other HDD/SSD or the network card in your BIOS if you're paranoid that you might somehow put the data in the wrong place or unconsciously connect the computer to the internet before you boot it up.

pooya87
Legendary
Activity: 3458
Merit: 10572
April 10, 2020, 04:50:48 AM
#19

Every method you choose has its own advantages and disadvantages at the same time.
For example, digital storage in general is also susceptible to loss: the hardware can be damaged, for instance due to electric shock, or you can get a bad sector and lose data, or simply face data decay, which people forget about.
Additionally, when you encrypt and store digitally you still have to make a backup of that encryption key, otherwise you may forget it over time and be locked out.
In the end you should weigh the pros and cons and decide which method is best; then you can also always create multiple backups, for example a printed encrypted key alongside the digital storage.

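The data-decay and multiple-copies points in the post above are easy to act on: record a SHA-256 digest when the backup is written and re-check every copy against it before trusting it. The following is an added example written for this page, not code from any poster; the seed.kdbx file name, the usb1/usb2/usb3 directories and the corrupted and missing copies are a constructed scenario, and the file contents are random bytes standing in for an encrypted KeePass database.

```python
# Added example (not from the thread): verify that every copy of an encrypted
# backup file still matches the digest recorded when it was written.
import hashlib
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 16


def sha256_file(path: Path) -> str:
    """Streaming SHA-256 so a large file never has to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_for(path: Path) -> Path:
    """Digest file stored next to the backup, e.g. seed.kdbx.sha256."""
    return path.with_name(path.name + ".sha256")


def write_manifest(path: Path) -> Path:
    """Record the digest at backup time in sha256sum's two-space format."""
    manifest = manifest_for(path)
    manifest.write_text(f"{sha256_file(path)}  {path.name}\n")
    return manifest


def check_copy(path: Path) -> str:
    """'ok' if the copy matches its manifest, 'corrupt' if not, 'missing' if either file is absent."""
    manifest = manifest_for(path)
    if not path.is_file() or not manifest.is_file():
        return "missing"
    expected = manifest.read_text().split()[0]
    # A plain string compare is fine here: the digest is not a secret.
    return "ok" if sha256_file(path) == expected else "corrupt"


def verify_copies(copies: list[Path]) -> dict[str, str]:
    """Status of every backup copy, keyed by path."""
    return {str(c): check_copy(c) for c in copies}


def demo() -> dict[str, str]:
    """Constructed scenario: original plus three copies, one bit-rotted, one lost."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        original = root / "seed.kdbx"
        original.write_bytes(os.urandom(4096))      # stand-in for the encrypted database
        write_manifest(original)

        copies = []
        for drive in ("usb1", "usb2", "usb3"):
            (root / drive).mkdir()
            copy = root / drive / "seed.kdbx"
            copies.append(copy)
            if drive == "usb3":
                continue                            # drive lost or unreadable: nothing written
            copy.write_bytes(original.read_bytes())
            manifest_for(copy).write_bytes(manifest_for(original).read_bytes())

        # Flip one bit on usb2 to simulate silent media decay.
        damaged = bytearray(copies[1].read_bytes())
        damaged[1000] ^= 0x01
        copies[1].write_bytes(bytes(damaged))

        statuses = verify_copies([original] + copies)
        return {Path(p).relative_to(root).as_posix(): s for p, s in statuses.items()}


if __name__ == "__main__":
    for path, status in demo().items():
        print(f"{status:8s} {path}")
```

The manifest uses the same two-space line format as `sha256sum`, so `sha256sum -c seed.kdbx.sha256` on a Tails live system checks a copy without any Python at all. The digest only tells you that the bytes are intact; it says nothing about whether you still remember the master password, which is the separate backup problem the post raises.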
bitcoin_paypal
Newbie
Activity: 93
Merit: 0
April 10, 2020, 07:01:40 AM
#20

In theory, password managers can be less secure than a hardware wallet. In this case you could just use a software wallet if you store your data in a program.
Debonaire217
Sr. Member
Activity: 644
Merit: 364
April 10, 2020, 08:36:31 AM
Merited by vapourminer (1)
#21

That's actually the advantage of a hardware wallet: it prevents outside intervention by people if they don't physically have the hardware you have. But the main problem is how you will recover your account if your hardware wallet goes missing. So the 24-word phrase should be written down and should not be stored digitally. Why? Because there is some software that can screen-capture your monitor or mobile phone so that they can get your funds easily. Well, there will be no risk with it if there's no connection from it to the online community; no matter what hackers do, they cannot get your private keys.

I know it is hard to set up, but we will realize its importance when, 10 years from now, our investment is still with us.
Tonteus
Newbie
Activity: 74
Merit: 0
April 10, 2020, 09:14:45 AM
#22

I keep this information in notes in different parts of my house; I hope I won't lose anything.
Krislaw
Sr. Member
Activity: 1204
Merit: 388
April 10, 2020, 09:44:42 AM
#23

Quote from: Tonteus
I keep this information in notes in different parts of my house; I hope I won't lose anything.

That's one of the best ways to store a passphrase and password, but it gets lost once there's a fire.
The safest method of writing them down is by using metal/steel password managers. They can't get burnt like paper. You can get one on cryptosteel.com; it sells for around 74€ and I'm sure it's worth it.
Lucius
Legendary
Activity: 3248
Merit: 5690
April 10, 2020, 01:08:36 PM
#24

Quote from: hypersafe2020
Quote from: jackg
If you can, use at least 8 random words, there are examples everywhere of how to do this...

Can you send me some links on this? I cannot find anything on adding words to increase the security of your 24-word seed.

If you already want to save your backup digitally, there is additional security in the event that the seed (24 words) is somehow compromised. Ledger lets you add a passphrase, or we can call it a 25th word (+1 on your 24 seed words), so if someone comes into possession of your seed (24 words), he will not be able to steal your coins without the passphrase. You will not, of course, keep that extra word together with the 24 words, but separately and in a safe place.

Personally, I would advise anyone with a hardware wallet to consider this additional security option, but to know well what it means and how to use it. More info can be found on the official Ledger site: Advanced passphrase security.

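To make concrete what the "25th word" in the post above actually does, here is an added example (not code from the thread or from Ledger) that reproduces the BIP39 seed derivation with only the Python standard library. The passphrase is nothing more than a salt to PBKDF2-HMAC-SHA512 at 2048 rounds, so every passphrase, including a mistyped one, yields a valid-looking but unrelated wallet; there is no "wrong passphrase" error at this layer. The 12-word mnemonic with passphrase "TREZOR" used below is the published BIP39 reference test vector; any 24-word mnemonic can be passed in the same way.

```python
# Added example (not from the thread): how a BIP39 passphrase ("25th word")
# changes the wallet seed. Standard library only.
import hashlib
import unicodedata

BIP39_ROUNDS = 2048  # PBKDF2-HMAC-SHA512 iteration count fixed by BIP39


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Return the 64-byte BIP39 seed for a mnemonic and optional passphrase.

    BIP39 NFKD-normalises both inputs, uses the space-joined mnemonic as the
    PBKDF2 password and the string "mnemonic" + passphrase as the salt. A
    wallet that asks for an extra word is only changing this salt, so each
    distinct passphrase (case, trailing spaces and all) produces a different
    seed and therefore a different set of keys and addresses.
    """
    mnemonic_nfkd = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac(
        "sha512",
        mnemonic_nfkd.encode("utf-8"),
        salt.encode("utf-8"),
        BIP39_ROUNDS,
        dklen=64,
    )


def seeds_differ(mnemonic: str, passphrases: list[str]) -> bool:
    """True if every passphrase in the list maps the mnemonic to a distinct seed."""
    seeds = {bip39_seed(mnemonic, p) for p in passphrases}
    return len(seeds) == len(passphrases)


# Published BIP39 test vector: all-zero entropy, passphrase "TREZOR".
TEST_MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
                 "abandon abandon abandon abandon abandon about")
TEST_SEED_HEX = ("c55257c360c07c72029aebc1b53c05ed0362ada38ead3e3e9efa3708e5349553"
                 "1f09a6987599d18264c1e1c92f2cf141630c7a3c4ab7c81b2f001698e7463b04")


if __name__ == "__main__":
    assert bip39_seed(TEST_MNEMONIC, "TREZOR").hex() == TEST_SEED_HEX
    for p in ["", "TREZOR", "trezor", "TREZOR "]:
        print(repr(p).ljust(10), bip39_seed(TEST_MNEMONIC, p).hex()[:16], "...")
```

Two practical consequences follow from the code: the 2048 rounds mean an attacker holding the 24 words can test passphrase guesses at close to raw hash speed, so the passphrase needs real entropy of its own rather than being a single dictionary word; and because "trezor" and "TREZOR " are different wallets, the passphrase backup must record the exact characters, which is why the post says to store it separately but just as carefully.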
o_e_l_e_o
In memoriam
Legendary
Activity: 2268
Merit: 18565
April 11, 2020, 01:17:50 AM
#25

How are you going to back up the encryption key to your KeePass database? It should obviously be stored completely separately from your KeePass database itself, so writing it down on paper seems like the safest option? In which case, why not just write your seed down on paper?

My biggest issue with this setup is you are essentially reducing the entropy of your seed phrase to the entropy of your KeePass encryption key. A 24 word seed phrase has 256 bits of entropy. The average human generated password has an entropy of around 44 bits. Even if you draw from all 95 printable ASCII characters (lowercase, uppercase, numbers, symbols), and generate a truly random encryption key, a 12 character key is still only 79 bits of entropy. You would need 39 characters to equal the entropy of your seed phrase.

You also add in unnecessary risk in accidentally exposing your seed online, messing up the encryption process, any as-of-yet unknown flaws in the KeePass software, forgetting/incorrectly copying your encryption key, etc.

There's a reason that all good wallets tell you to write your seed phrase down on paper. It is the least risky way of backing it up. If you are concerned about your seed phrase being discovered, then use an additional passphrase and back that up (also on paper) separately.
hatshepsut93
Legendary
Activity: 2968
Merit: 2147
April 11, 2020, 01:33:36 AM
#26

Quote from: o_e_l_e_o
My biggest issue with this setup is you are essentially reducing the entropy of your seed phrase to the entropy of your KeePass encryption key. A 24 word seed phrase has 256 bits of entropy. The average human generated password has an entropy of around 44 bits. Even if you draw from all 95 printable ASCII characters (lowercase, uppercase, numbers, symbols), and generate a truly random encryption key, a 12 character key is still only 79 bits of entropy. You would need 39 characters to equal the entropy of your seed phrase.

From quick research, it looks like a typical key derivation from a seed uses only a little bit of key stretching, while KeePass and other managers use very large amounts of key stretching, and they constantly keep it up to date to match modern brute-force capacities. So, even though this method reduces entropy, it still has comparable brute-force difficulty, as long as the password is good.

You're right though that an inexperienced person can shoot themselves in the foot by forgetting their password or having a very weak password.
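The entropy figures in the two posts above can be checked, and extended to wordlist-based passphrases and to the key-stretching argument, with this added example (not from either poster). The 95-symbol alphabet and the 256-bit seed are the numbers from the posts; BIP39's 2048 PBKDF2 rounds are the value in the specification; the 2**20 hash-equivalents per guess used for the KeePass side is a hypothetical figure for illustration, not KeePass's real default, and the generated key uses the 94 printable characters without space so it never begins or ends with an invisible character.

```python
# Added example (not from the thread): the entropy arithmetic behind the
# posts above, plus a CSPRNG-based master-key generator of a chosen strength.
import math
import secrets
import string

SEED_BITS_24_WORDS = 256        # 24 BIP39 words encode 256 bits of entropy (plus checksum)
PRINTABLE_ASCII_SIZE = 95       # letters, digits, punctuation and space, as in the post
BIP39_PBKDF2_ROUNDS = 2048      # key stretching BIP39 applies to the seed phrase
# Alphabet for generated keys: the 94 printable characters minus space.
KEY_ALPHABET = string.digits + string.ascii_letters + string.punctuation


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string of `length` symbols from an alphabet."""
    return length * math.log2(alphabet_size)


def symbols_needed(alphabet_size: int, target_bits: float) -> int:
    """Smallest length at which a uniform random string reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def effective_bits(entropy: float, kdf_iterations: int, reference_iterations: int = 1) -> float:
    """Attacker work in 'equivalent bits' once the KDF work factor is included.

    Every guess costs kdf_iterations hash evaluations, so a KDF that is 2**k
    times slower than the reference adds k bits of work. Stretching helps,
    but only logarithmically: a million-fold slower KDF is worth about 20 bits,
    which is why it cannot turn a 44-bit password into a 256-bit seed.
    """
    return entropy + math.log2(kdf_iterations / reference_iterations)


def random_key(target_bits: float, alphabet: str = KEY_ALPHABET) -> str:
    """Master key drawn from the OS CSPRNG with at least `target_bits` of entropy."""
    if len(set(alphabet)) != len(alphabet):
        raise ValueError("alphabet must not contain duplicate symbols")
    length = symbols_needed(len(alphabet), target_bits)
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    print(round(entropy_bits(PRINTABLE_ASCII_SIZE, 12), 1))          # 78.8, the post's "79 bits"
    print(symbols_needed(PRINTABLE_ASCII_SIZE, SEED_BITS_24_WORDS))  # 39 characters
    print(symbols_needed(7776, SEED_BITS_24_WORDS))                  # 20 words from a 7776-word (diceware-sized) list
    # Hypothetical KDF cost of 2**20 hash-equivalents per guess, for illustration only.
    print(round(effective_bits(79, 2**20, BIP39_PBKDF2_ROUNDS), 1))  # 88.0
    print(random_key(128))
```

The numbers reproduce both posts: 12 random printable characters give 78.8 bits and 39 are needed to match the seed, while in the hypothetical comparison a KDF 512 times slower than BIP39's adds only 9 bits. If the KeePass route is taken anyway, `random_key` is the kind of generator to use for the master key; human-chosen passwords do not reach the entropies computed here.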
btcholder
Full Member
Activity: 686
Merit: 102
April 12, 2020, 11:34:25 PM
#27

It's simple: your devices (laptop, desktop, mobile, tablet) are all in danger when they are online (in some cases), because hackers/scammers can attack your device easily when it's online. Now, the 24-word secret keys are very sensitive for your wallet, so if scammers somehow hack them, your whole asset will be gone. That's why people recommend keeping those secret keys offline. You can use paper or another thing which never shows up online.
