Bitcoin Forum
News: Latest Bitcoin Core release: 27.0
Pages: « 1 [2]  All
Topic: Why is it bad to store 24 words from Ledger hardware wallet in password manager?  (Read 257 times)
Debonaire217 (Sr. Member; Activity: 644, Merit: 364)
In Code We Trust
April 10, 2020, 08:36:31 AM  #21
Merited by vapourminer (1)

That's actually the advantage of a hardware wallet: it prevents outside intervention by people who don't physically have the hardware you have. But the main problem is how you will recover your account if your hardware wallet goes missing. So the 24-word phrase should be written down and should not be stored digitally. Why? Because there is software that can screen-capture your monitor or mobile phone so that they can get your funds easily. Well, there will be no risk if it has no connection to the online community; no matter what hackers do, they cannot get your private keys.

I know it was hard to set up, but we will realize its importance when, 10 years from now, our investment is still with us.
Tonteus (Newbie; Activity: 74, Merit: 0)
April 10, 2020, 09:14:45 AM  #22

I keep this information in notes in different parts of my house, I hope I won't lose anything  Grin
Krislaw (Sr. Member; Activity: 1204, Merit: 388)
April 10, 2020, 09:44:42 AM  #23

Quote from: Tonteus on April 10, 2020, 09:14:45 AM
I keep this information in notes in different parts of my house, I hope I won't lose anything  Grin

That's one of the best ways to keep a passphrase and password, but it becomes lost once there's a fire outbreak.
The safest method to write them down is by using the metal/steel password managers. They can't get burnt like paper. You can get one on cryptosteel.com; it sells for around 74€ and I'm sure it's worth it.
Lucius (Legendary; Activity: 3220, Merit: 5634)
April 10, 2020, 01:08:36 PM  #24

Quote
If you can, use at least 8 random words, there are examples everywhere of how to do this...

Quote
Can you send me some links on this. I cannot find anything on adding words to increase security of your 24 word seed

If you want to save your backup digitally anyway, there is additional security in the event that the seed (24 words) is somehow compromised. Ledger lets you add a passphrase, or we can call it the 25th word (+1 on your 24 seed words), so if someone comes into possession of your seed (24 words), he will not be able to steal your coins without the passphrase. You will not, of course, keep that extra word together with the 24 words, but separately and in a safe place.

Personally, I would advise anyone with a hardware wallet to consider this additional security option, but to know well what it means and how to use it. More info can be found on the official Ledger site: Advanced passphrase security.

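Lucius's post above describes the Ledger passphrase as a "25th word" kept apart from the 24 words. As an added example, not code from the thread or from Ledger, the block below derives the BIP39 seed the way the standard specifies it (PBKDF2-HMAC-SHA512, 2048 rounds, with the passphrase folded into the salt) so the effect of the passphrase is visible: the same words with a different passphrase give an unrelated seed, and a mistyped passphrase is not rejected but silently yields a different, empty wallet. The mnemonic is the first public BIP39 test vector; the `bip39_seed`, `passphrase_variants` and `all_distinct` names are my own.

```python
import hashlib
import unicodedata

# First BIP39 reference test vector (12 words). A 24-word mnemonic is handled
# identically; only the word count differs.
TEST_MNEMONIC = (
    "abandon abandon abandon abandon abandon abandon "
    "abandon abandon abandon abandon abandon about"
)


def _nfkd(text: str) -> bytes:
    # BIP39 requires NFKD normalisation before hashing so that the same
    # visible passphrase typed on different platforms produces the same seed.
    return unicodedata.normalize("NFKD", text).encode("utf-8")


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Return the 64-byte BIP39 seed for a mnemonic and optional passphrase.

    The passphrase is not checked against anything: it is part of the PBKDF2
    salt ("mnemonic" + passphrase), so every passphrase, including a typo,
    yields a valid but unrelated seed. Only 2048 rounds are specified, which
    is the modest key stretching discussed later in the thread.
    """
    return hashlib.pbkdf2_hmac(
        "sha512", _nfkd(mnemonic), b"mnemonic" + _nfkd(passphrase), 2048
    )


def passphrase_variants(mnemonic: str, passphrases: list[str]) -> dict[str, str]:
    """Map each candidate passphrase to the hex seed it produces, to show that
    near-miss passphrases (case, trailing space) all derive distinct seeds."""
    return {p: bip39_seed(mnemonic, p).hex() for p in passphrases}


def all_distinct(mnemonic: str, passphrases: list[str]) -> bool:
    """True when every passphrase in the list leads to a different seed."""
    seeds = passphrase_variants(mnemonic, passphrases).values()
    return len(set(seeds)) == len(passphrases)


if __name__ == "__main__":
    # Constructed candidates: the empty passphrase, the test-vector passphrase,
    # and two plausible typos of it.
    for p, s in passphrase_variants(
        TEST_MNEMONIC, ["", "TREZOR", "trezor", "TREZOR "]
    ).items():
        print(f"passphrase={p!r:10} seed={s[:16]}...")
```

The practical consequence for the backup question in this thread: a passphrase backed up with a typo, or with trailing whitespace added by a text editor or a password manager's copy button, restores a wallet that is valid but empty, with no error to tell you which character is wrong.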
o_e_l_e_o (In memoriam; Legendary; Activity: 2268, Merit: 18509)
April 11, 2020, 01:17:50 AM  #25

How are you going to back up the encryption key to your KeePass database? It should obviously be stored completely separately from your KeePass database itself, so writing it down on paper seems like the safest option? In which case, why not just write your seed down on paper?

My biggest issue with this set up is you are essentially reducing the entropy of your seed phrase to the entropy of your KeePass encryption key. A 24 word seed phrase has 256 bits of entropy. The average human generated password has an entropy of around 44 bits. Even if you draw from all 95 printable ASCII characters (lowercase, uppercase, numbers, symbols), and generate a truly random encryption key, a 12 character key is still only 79 bits of entropy. You would need 39 characters to equal the entropy of your seed phrase.

You also add in unnecessary risk in accidentally exposing your seed online, messing up the encryption process, any as-of-yet unknown flaws in the KeePass software, forgetting/incorrectly copying your encryption key, etc.

There's a reason that all good wallets tell you to write your seed phrase down on paper. It is the least risky way of backing it up. If you are concerned about your seed phrase being discovered, then use an additional passphrase and back that up (also on paper) separately.
hatshepsut93 (Legendary; Activity: 2954, Merit: 2145)
April 11, 2020, 01:33:36 AM  #26

Quote from: o_e_l_e_o on April 11, 2020, 01:17:50 AM
My biggest issue with this set up is you are essentially reducing the entropy of your seed phrase to the entropy of your KeePass encryption key. A 24 word seed phrase has 256 bits of entropy. The average human generated password has an entropy of around 44 bits. Even if you draw from all 95 printable ASCII characters (lowercase, uppercase, numbers, symbols), and generate a truly random encryption key, a 12 character key is still only 79 bits of entropy. You would need 39 characters to equal the entropy of your seed phrase.

From quick research, it looks like a typical key derivation from seed uses only a little bit of key stretching, while KeePass and other managers use very big amounts of key stretching and they constantly keep it up to date to match the modern brute-force capacities. So, even though this method reduces entropy, it still has comparable difficulty of brute force, as long as the password is good.

You're right though that an inexperienced person can shoot themselves in the foot by forgetting their password or having a very weak password.

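o_e_l_e_o's post argues that an encrypted database caps the protection at the entropy of the database password, and hatshepsut93's reply that the manager's heavier key stretching buys some of that back. The block below, an added example and not code from either poster or from KeePass, puts both quantities side by side: the entropy of a random password for a given alphabet and length, the number of characters needed to reach 256 bits, and how many bits a key-derivation cost ratio adds on top of the password. BIP39's 2048 PBKDF2 rounds is the specified baseline; the password-manager work factor used in the demo (2^20 PBKDF2-equivalent iterations) is an assumption for illustration, not a real KeePass default, and the function names are mine.

```python
import math

SEED_BITS = 256            # a 24-word BIP39 mnemonic encodes 256 bits of entropy
BIP39_ROUNDS = 2048        # PBKDF2-HMAC-SHA512 rounds specified by BIP39
PRINTABLE_ASCII = 95       # lowercase, uppercase, digits, symbols
HUMAN_PASSWORD_BITS = 44   # the thread's figure for a typical human-chosen password


def password_entropy_bits(length: int, alphabet: int = PRINTABLE_ASCII) -> float:
    """Entropy of a uniformly random password of `length` symbols."""
    return length * math.log2(alphabet)


def chars_for_bits(target_bits: float, alphabet: int = PRINTABLE_ASCII) -> int:
    """Smallest password length whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet))


def stretching_bonus_bits(kdf_iterations: int, baseline: int = BIP39_ROUNDS) -> float:
    """Extra work per guess, in bits, when the database KDF costs
    kdf_iterations of the same primitive that the baseline spends `baseline` on.
    Doubling the KDF cost adds exactly one bit; it never changes the password's
    own entropy."""
    return math.log2(kdf_iterations / baseline)


def effective_bits(password_bits: float, kdf_iterations: int) -> float:
    """Security of the password-manager layer: password entropy plus the
    stretching bonus, capped at the seed it protects (an attacker who can
    guess the seed directly never needs the password)."""
    return min(SEED_BITS, password_bits + stretching_bonus_bits(kdf_iterations))


def comparison_table(kdf_iterations: int) -> list[tuple[str, float]]:
    """Rows of (label, effective bits) for the cases the two posts discuss."""
    twelve = password_entropy_bits(12)
    needed = chars_for_bits(SEED_BITS)
    return [
        ("24-word seed, no manager", float(SEED_BITS)),
        ("typical human password in manager",
         effective_bits(HUMAN_PASSWORD_BITS, kdf_iterations)),
        ("12 random printable chars in manager",
         effective_bits(twelve, kdf_iterations)),
        (f"{needed} random printable chars in manager",
         effective_bits(password_entropy_bits(needed), kdf_iterations)),
    ]


if __name__ == "__main__":
    ASSUMED_MANAGER_ITERATIONS = 2 ** 20   # illustrative, not a real KeePass default
    for label, bits in comparison_table(ASSUMED_MANAGER_ITERATIONS):
        print(f"{label:42} {bits:6.1f} bits")
```

With the assumed 2^20 iterations the stretching bonus is log2(2^20 / 2048) = 9 bits, so a 44-bit human password comes out at 53 bits and a 12-character random one at about 88; the KDF parameter you would need to raise to make up the remaining gap grows by a factor of two per bit, which is the quantity to keep in mind when comparing the two posts.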
btcholder (Full Member; Activity: 686, Merit: 102)
April 12, 2020, 11:34:25 PM  #27

It's simple: your devices (laptop, desktop, mobile, tablet) are all in danger when they are online (in some cases), because hackers/scammers can attack your device easily when it's online. Now, the 24 secret words are very sensitive for your wallet, so if scammers somehow hack them, your whole asset will be gone. That's why people recommend keeping those secret keys offline. You can use paper or another thing which never appears online.
