Topic: Hardware wallets still aren't secure, and they never will be. Use paper wallets - page 5. (Read 1801 times)

So you expect that a thief knows what a cryptocurrency hardwallet is, but doesn't know what a paper wallet is? Or that it's easier to "hide" a paper wallet than a "usb stick"?


"Countless"? Stop being so dramatic. Sure, there have been some issues identified by several different parties of several hardware wallet devices. To my knowledge, all of the identified issues have either been patched and/or are able to be mitigated. And it's not like there have never been any issues with "paper wallets". I'm sure we're all aware of issues like this: https://blockonomi.com/security-vulnerabilities-walletgenerator/


You don't need a 37 character password to make it "secure" per se... the 37 character BIP39 passphrase is suggested to make it as secure as having an "unknown" 12/24 word seed. Which, as we know, is generally measured in terms of "millions of millions of years" for brute-forcing. I can't find any firm numbers on the the time/effort required to bruteforce say an 8 or 16 character BIP39 passphrase. The PDF referenced by Ledger claims a 50% reduction in CPU intensive calculations, so does anyone have any references to calcs on how long a 16 char BIP39 passphrase would take to bruteforce?

In any case, saying that a private key written/printed on paper is more secure that a hardware wallet, assuming someone has physical access to both is somewhat disingenuous.


I guess the key takeaway is that NOTHING is 100% secure. As long as you know the risks inherent in the system you are using and take steps to mitigate such risks, then hardware wallets are no better or worse overall than paper wallets.

It's a hell of a lot easier to hide something that an attacker is unaware of, than a laptop, a phone or a hardware wallet. A physical attack can only happen if you A. Know what you're looking for or B. Happen to stumble across something over smarter of hours or days tearing someone's house apart. It's also free rather than $100 and you don't need to worry about all of the other countless vulnerabilities that constantly pop up with hardware wallets.

I agree that a 37 character password suggestion is not going to be taken up by the vast majority of users, meaning hardware wallets just aren't as secure as truly offline generated private keys (not that they ever were). 

This is true, but their response in March was thus:
Everyone should be using a passphrase, but I'd wager few do. I'd wager barely anyone is using a passphrase of 37 random characters, and I'm sure many would view entering 37 random characters (presumably from paper since you shouldn't be relying on memory) every time you want to open your wallet is not an acceptable trade-off between security and ease of use.

I might be misunderstanding you here, but how is this safer? If your concern is regarding a physical attack on your hardware wallet, then surely with a physical attack on a paper wallet it is completely trivial to steal your coins?

Trezor team responded to these findings in March. They have been aware of the attack since designing Trezor. Using a passphrase has always been recommended and it can protect anyone from any kind of physical attack*. Some of you might argue that recommending using a passphrase is not an appropriate solution. Convenience comes at a cost.


*except for $5 wrench attack

https://ledger-donjon.github.io/Unfixable-Key-Extraction-Attack-on-Trezor

Yet another hardware wallet issue folks, this time though, it's unpatchable. If you're using a hardware wallet, encrypt it. If you don't have a hardware wallet, use an offline generated private key/seed (aka "paper wallet"). Be your own bank. Stop trusting hardware wallet manufactures to protect your money.