The Bottom Line
Use a hardware wallet.
Store the PIN / password in a password manager.
Write the recovery phrase on a piece of paper, laminate it and store it in a bank vault.
Secure your network and computer.
Protecting your crypto assets – The Basics
- Protect your device and network. See this article or the summary below. You should do this even if you are not planning to own crypto.
- Use a hardware wallet if you are investing >1% of your net worth in crypto (or more than, say, $3000), otherwise use a software wallet. See point 6 below in the section on trade-offs if you are open to using an exchange wallet, i.e. storing your tokens at an exchange.
- Set up a Wallet or Wallet App using a strong password or PIN generated and stored in a password manager.
- The Wallet password is different from the 12 or 24 word recovery phrase that the App will generate for your crypto wallet.
- You should write the recovery phrase down BY HAND on a piece of paper (ideally make 2 copies). You should include the information about which wallet or blockchain they are for if you plan to store them in a bank vault.
- If you are going to print the recovery phrase, make sure it's not on a shared printer and that your printer and computer are not compromised. Use anti-virus and anti-malware software for this.
- You should laminate the paper at home – there are products that do this without having to buy a dedicated machine.
- You should store at least one of these copies in a bank vault if you are storing a meaningful amount of money in the wallet. The other copy can be stored safely at home, in a vault.
- If you use a hardware wallet, keep the wallet and the recovery phrase in separate locations. If you have a backup hardware wallet, test the recovery phrase on the backup device before storing it away in the bank and also wipe the backup wallet.
- If you are worried about theft at your home, you could keep the recovery phrase in the password manager, although most experts recommend against this. If you have secured your computer and network and you follow safe browsing practices this may be an acceptable option.
Protecting the network and device
Strong device and network security practices are your best bet in protecting your assets – crypto and traditional.
- Update your OS and Apps regularly, including wallet apps. Use a password manager.
- Use strong PINs (at least 6 digits, if not alphanumeric) and passwords on all your devices.
- Do not visit suspicious websites or download & use pirated software / videos etc.
- Enable firewalls on your computers and if possible use a VPN service, especially if you connect to untrusted networks in cafes, hotels, airports etc.
- Use anti-virus and anti-malware software regularly and keep them updated.
- Change the default password on your router and use a strong password generated and stored in the password manager.
- Regularly update the router firmware.
- Use WPA2 or better encryption on your WiFi. If that option isn’t available, use WPA, but do not use WEP.
- If your router supports it, create different SSIDs (network names) for the device storing crypto, the rest of your devices, and guests.
Understanding the security measures
These strong measures are needed because crypto assets are different from traditional assets like bank deposits, stocks, mutual funds etc. in many ways. The biggest difference is that, unlike all those assets, you are the last line of defense for your tokens. If you make a mistake, no one has your back in crypto.
- If you forget your password for a bank account, the Bank can reset your password after verifying your identity. This is not possible with crypto assets. If you lose your keys, you lose your coins / assets.
- If your credit card is lost or stolen, you can call the bank to block the card and the Banks typically protect you against any fraudulent transactions, if you report the loss quickly. There is no such protection / blocking with crypto assets. If you lose your keys, you lose your coins.
- If your Bank goes bankrupt, in most countries, the govt. guarantees at least a portion of your deposits. If the Bank is hacked, it will likely have insurance to make customers whole. There is no such guarantee with crypto assets. If the blockchain storing your assets is hacked, you lose your coins.
- If you transfer funds to an incorrect account, the Bank can sometimes help reverse the transaction. This is not possible with crypto assets. Transactions are irreversible and there is usually no way to identify who the incorrect wallet belongs to.
- If your computer is hacked, your Bank probably requires 2FA to add new beneficiaries, authorize large transactions etc., which makes it difficult for the hacker to steal your money. You can also call them to freeze the account. There is no such protection in crypto assets. If the hackers have your keys, they have your coins.
- If your spouse transfers money out of your joint account during a divorce or your errant child forges your signature on a cheque, you can go to the courts or police and get at least some of it back. If they transfer funds out of a crypto wallet, they have your coins. And you might not even know it was them.
- If you die or become mentally incapacitated, your family has ways of accessing your bank accounts etc. through various legal processes. Those options don’t exist for crypto assets. If you die and no one knows where your recovery phrase or passwords are stored, your coins are lost.
This is why you have to take measures to protect your crypto assets against all such eventualities. Using a hardware wallet with a secure PIN / password that you store in a password manager, with the recovery phrase stored on laminated paper in a bank vault, checks a lot of boxes.
This setup protects you if your device is hacked, you lose or damage the hardware wallet, have the hardware wallet stolen, forget the password or are robbed at home. Your family can see the recovery phrase and details of the linked blockchain when they access the safe deposit box at the Bank, in case you die (God forbid!).
These measures do not protect you against a supply chain attack on the hardware wallet, a man-in-the-middle attack on the hardware wallet, or bugs in the hardware wallet. They also don’t help if someone hacks your computer AND steals your hardware wallet, or if someone puts a gun to your head.
A useful trick in protecting your crypto assets is to think of the 12 or 24 word recovery phrase as all your money in cash. Would you leave it lying around? Would you subject it to weather / flood / fire risk over an extended period of time? Would you keep ALL of it in the vault at your home? Would you hide it in some random book or corner of your house? Protect your recovery phrase the way you would ALL your money in cash.
Trade-offs
- Hardware Wallet vs. Software Wallet: This is easy. A good hardware wallet costs less than $100. So if you are protecting more than $3000, the cost of the wallet is <3% of the amount and the additional security (see here) provided against a compromised device is absolutely worth it. You may want to increase the cut-off to account for the cost of storing the recovery phrase in a bank vault. You should also consider that the hardware wallet will last a long time and the value of the coins may increase over time, or you may buy more.
- Paper vs. laminated paper vs. metal: Plain paper can decay, get torn easily, and the ink can fade. Bad idea. Laminated paper can last for a fairly long time, although a simple Google search didn’t give a clear answer for how long. We have laminated documents that are at least 20 years old and in good condition. But if the storage location gets flooded, burns down or suffers a nuclear attack, the metal-based solutions for storing recovery phrases may be safer. Since metal-based options can be expensive, the additional benefit from protecting against such edge cases may not be justifiable.
- Home vs. Bank Vault for recovery phrase: While keeping the recovery phrase at home is more convenient, depending on your location and lifestyle, it also increases the chance that it's stolen by intruders or visitors (or occupants!) to your home, or destroyed / lost due to fire, flood etc. If you are keeping it at home, keep it in a vault or a locked drawer. Hiding the paper in a random book or obscure location is not a good idea, as it risks accidental exposure. Ideally the recovery phrase is only needed when setting up a new device, and that shouldn’t be very frequent. So the increased security of a bank vault may be worth the inconvenience.
- 1 copy or 2 copies of recovery phrase: This depends on where you store them. 1 laminated copy in a bank vault may be sufficient if you are comfortable in your ability to access the vault under all circumstances (e.g. loss of vault key, you hiding from police etc.). 2 copies in two Bank vaults are also fine if you can afford it. See the point above on storing the 2nd copy elsewhere.
- Storing the PIN / Password in Password Manager vs. memorizing it: The risk of memorizing the PIN / password is that you might forget it and that it's gone on your death. The risk of using a password manager is that it's compromised if your device is compromised. This may not be a problem if you use a hardware wallet (except if the person compromising the device also steals the wallet) but would be a problem if you use a software wallet. Use a hardware wallet and store the password in the password manager.
- Exchange wallet vs. Hardware wallet: This is a hard one. Many crypto exchanges have been hacked or their managers have run away with investors’ coins. At the same time, we now have exchanges that have long operating histories and are regulated in credible locations like Singapore or the US. If you are not concerned about the govt. requiring the exchange to freeze your assets, and have access to such a credible exchange that uses good security practices (2FA for withdrawal etc.), then that may be an acceptable and very convenient solution – at least as good as using a bank for your money. This option may not be available to people living in countries that are not as well regulated when it comes to crypto.
- Apart from the risks mentioned above for exchanges, hardware wallets today are also better at supporting multiple blockchains and tokens. If you plan to own coins or tokens that are not supported by your exchange, then your only option may be to use an unregulated exchange or a software wallet that supports those tokens to buy them, and then to transfer them to a hardware wallet rather than leaving them in a software wallet. However, over the long term most credible exchanges will likely support most tokens and this will not be an issue.
Hardware vs. Software Wallet
Relying on software wallets can be risky. There is the usual risk of bugs in the apps, but also, if your device (computer / mobile) is compromised, hackers may be able to gain access to your passwords and control the wallet. Precautions like using 2-factor authentication and securing your device and network reduce this risk, but it is probably still the single largest point of failure.
How do hardware wallets protect you against this risk? Hardware wallets use specialized chips to securely store the private keys to your tokens. Since these wallets are offline by default, they are much less likely to be hacked. The dedicated chips used in the wallets have been well tested and are very secure. The hardware wallets also authorize transactions in such a way that the private keys never leave the wallet: the unsigned transaction goes into the device, and only the signature comes out. This means that even if your internet-connected device has been hacked or has malware, when you authorize a transaction with the hardware wallet, your private keys will not be compromised.
The hardware wallets have an option to set up a PIN or a password which protects your tokens if the wallet is lost or stolen. At the same time, as long as you have access to the recovery phrase, you can access your tokens on another wallet (hardware or software) by providing this phrase.
There are no known cases of private keys on a hardware wallet being compromised.
These wallets do have some risks. If hackers gain access to the hardware wallet before it reaches you (i.e. during manufacturing, shipping, at the retail store etc.) and modify it, it could give them access to the wallet once you start using it. This is called a supply chain attack. Everything you buy has this risk.
They are also vulnerable to a man-in-the-middle attack. In this case there is malware on the computer that the wallet connects to, and it interferes with the safe operation of the wallet. An example is where the malware changes the destination address of any transaction while showing the correct destination on the computer (but not on the hardware wallet). If the user forgets to validate the receiving address on the hardware wallet, the crypto is stolen. Most wallets provide an option to require address verification on the wallet, which should protect against this risk.
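A small model of the address-swap attack just described and of the on-device check that defeats it, added here as an illustration and not taken from the original article. All values are constructed, and the device "signs" with an HMAC as a stand-in for a real signature scheme; the point is that the device screen is derived from the bytes it is about to sign, while the host screen is not.

```python
import hashlib
import hmac
import json

# Constructed values for the model: a key that only the device object holds,
# the address the user means to pay, and the address the malware substitutes.
DEVICE_KEY = b"constructed-device-secret"
INTENDED_ADDR = "addr_recipient_constructed"
ATTACKER_ADDR = "addr_attacker_constructed"

def _digest(key, tx):
    # Stand-in for a real signature: HMAC over the canonical transaction bytes.
    payload = json.dumps(tx, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

class HardwareWallet:
    """Keeps the key, shows the destination it is about to sign, then signs it."""

    def __init__(self, key):
        self._key = key  # never returned to the host

    def display(self, tx):
        return tx["to"]  # read from the exact bytes that will be signed

    def sign(self, tx):
        return _digest(self._key, tx)

def host_malware(tx):
    """Host-side malware: rewrite the destination in the transaction sent to
    the device while the host UI keeps showing the intended one."""
    return {**tx, "to": ATTACKER_ADDR}

def signature_valid(tx, sig):
    # Stand-in verifier; shares the key, unlike real public-key verification.
    return hmac.compare_digest(_digest(DEVICE_KEY, tx), sig)

def run(infected, verify_on_device):
    """Model one payment. verify_on_device=False is the user who only checks
    the host screen; True is the user who checks the device screen."""
    wallet = HardwareWallet(DEVICE_KEY)
    tx = {"to": INTENDED_ADDR, "amount": 1.5}
    sent = host_malware(tx) if infected else tx
    shown = wallet.display(sent) if verify_on_device else tx["to"]
    if shown != INTENDED_ADDR:  # the on-device check that catches the swap
        return {"signed": False, "paid_to": None, "sig": None}
    return {"signed": True, "paid_to": sent["to"], "sig": wallet.sign(sent)}
```

Run with an infected host and no device check, the signature comes back valid for the attacker's address, which is exactly the loss the article describes; with the device check, nothing is signed.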
Hardware wallets also support a large number of blockchains and tokens, so you could store all your private keys on a single wallet, which is very convenient. Many software wallets support a single token or a limited number of tokens, requiring you to use multiple wallets, which increases the risks.