Topic: Hardware wallets, types, security and safety (Read 492 times)

In addition to the wallets listed above, I have come across other hardware wallets like Coldcard and Archos Safe-T Mini.

Coldcard is the cheapest bitcoin hardware wallet. Coldcard lets you store and submit your transactions by revealing your private keys like other cryptocurrencies. You’ll need to confirm all your transactions on this external device physically.

Archos Safe-T Mini is a hardware altcoin wallet that is portable. It also has an offline private key storage using an encrypted chipset memory. It has a very easy setup and also multiple cryptocurrency support.

Read here to know more about these hardware wallets. I am sharing it as I came across that even these hardware wallets can be used which are not heard of much.

That is why I prefer the ledger nano products, although I prefer two, he ledger nano x and s. Trezor is good too but I have read about some people saying cloning trezor is more common than cloning ledger nano.

This is a good reference for newbies that is curious about hardware wallets. Aside from some articles in the web that also talks about hardware wallets. I might make a topic in the future and refer this topic as a point of info. Also having a hardware wallet is a must if you are into crypto for security purposes also in longevity.

Thanks for information! Right now I'm looking for hardware wallet

Those who have been following the development of hardware wallets for a long time know about the case of Side channel attack which is released back in 2018. This attack demonstrated the possibility of a remote hack of user PIN, and it was successful (Ledger Blue). But PIN is of no use without physically accessing the device, so this vulnerability was declared "less dramatic" and I think it was fixed in next firmware.

Oh definitely, in the same way that a USB drive with coins in it wouldn't necessarily be easy to break into. I was just saying that if a random thief with the capability to steal your coins gets into your home, he's more likely to take your hardware wallet than a random USB drive (if not both lmao).


No arguments here; if a precaution can make storing your coins safer, you should definitely avail of it. I'll edit my post and credit you. I was just pointing out that an attacker getting his hands on it wouldn't necessarily mean he'd be able to steal what's in it.

This is true, but I still wouldn't rely on the thief not discovering the coins for their safety. If you are storing coins on a plain USB drive, you should be encrypting it.

There has been no demonstrated successful physical attack against Ledger products, but that is not to say one doesn't exist. With an electron microscope and enough time and expertise, then it is like that even the secure element will be crackable and the seed able to be extracted, but we are now probably talking about in the order of weeks at a cost of several hundred thousand dollars. This differs obviously from Trezor wallets which can have the seed extracted for less than a hundred dollars in the space of a few minutes. Any hardware wallet shouldn't be viewed as infallible, but rather as a mechanism to buy you (hopefully plenty of) time to move your coins to new addresses.

Device will reset if wrong PIN is entered 3 times in a row, but smart hacker will not try to obtain your PIN in that way. They will try to hack it with brute force, and 8 digit PIN is very limited in number of combination. I'm not sure what kind of equipment is needed and whether Ledger has some protection to prevent such hacking attempts (in case your wallet is stolen).

But let's say a PIN of 8-10 digits is small joke for any supercomputer or botnet :


Because of facts above, using of passphrase on hardware wallet is very desirable. Of course, only if the user knows what he is doing.

https://support.ledger.com/hc/en-us/articles/115005214529-Advanced-passphrase-security

Even if an attacker is able to distinguish a USB flash drive from a hardware wallet, it will not be easy to use it. Let's say the attacker took possession of my hardware wallet (Ledger Nano S), which has an eight-digit password.  In the case of three wrong combinations, the hardware wallet resets all settings to the initial state and the attacker simply can not get my coins.

If your only intention is to keep your private keys offline, I would argue that it could be just as safe, since it does exactly the same thing.


Strong wallet passwords could also help, so it's not entirely vulnerable in the hands of a potential attacker. I mean, we've all heard about people getting locked out of their Electrum wallets, so you can possibly make this work in your favor. Hardware wallets are definitely better in this area though.

One advantage it has though, is the attacker won't necessarily know the flash drive is holding coins (you could just be using it as an OS installer after all, like majority of the populace) unlike hardware wallets, so they could be less prone to thievery.

Understanding the difference between a custodial and a non-custodial wallet is crucial for understanding a wallets security.

"A non-custodial wallet (also known as a light wallet) is simply a piece of software on your own computer or phone that puts you in full control of your cryptocurrency holdings. You hold your own private keys, which means no one else is able to make a transaction on your behalf." Meanwhile, if you use a custodial wallet your private key is stored by a third party.

If you are indeed using a hardware wallet than it is non-custodial/light wallet, which is certainly the most secure type of wallet.

Sources:
https://atomicwallet.io/custodial-non-custodial-wallets-comparison
https://www.cryptovantage.com/guides/custodial-vs-non-custodial-wallets/
https://medium.com/guarda/%EF%B8%8Fcustodial-vs-non-custodial-wallet-s-%EF%B8%8F-benefits-of-light-wallets-87cf701054d1

I can also say that it is way safer than online wallets, it is not that expensive yet it can prevent your funds to be hacked online. The only disadvantage I think is that when you lost it, that is why when you are using hardware wallet, you must still be careful and make sure that you placed it in a safe area that it will not be misplaced or be lost, there is also possibility that the device will be broken so make sure you are able to secure it and prevent from breaking so that your funds are also safe. It is also depending on the person what they really prefer to use because there are some people who are holding a lot of funds that are used to place their funds online without losing it, it is about knowledge and awareness.

It depends heavily on what you class as "adequate". Since we know the seed can be extracted from Trezor wallets if an attacker has physical access to it, 37 random characters was recommended by the Ledger Donjon Team because that is what is require to have at least as much entropy as the 24 word seed itself would have. So for the passphrase on its own to be as secure as the seed on its own, then 37 random characters are needed. However, that does not mean that anything less than 37 random characters is automatically inadequate. It depends heavily on your risk model, and how long it would take you to firstly realize that your hardware wallet has been stolen, and secondly to access your back ups and send all the coins to a new wallet.

If, for example, a hardware wallet could be missing for several weeks before you noticed (for example, if it was stored in a safe deposit box), or it would take you several weeks to be able to access your back ups and move your coins (because they are stored in a different city or country to you), then you would certainly want a very long and random passphrase to make brute forcing it unfeasible. If, however, you would know at most within a couple of hours if your hardware wallets were stolen, and could access your back ups in a further hour or two, then a much shorter passphrase would be "adequate". If an attacker only has 12 hours between stealing your wallet and you moving all the coins, then even checking 1 billion passphrases per second would only give them time to check 4.32*10¹³ possibilities. Even if your passphrase was only 10 random characters, then they would only have time to check 0.00007% of potential passphrases before you secured your coins.

I would always advocate for everyone to use a long and random passphrase with their hardware wallets, but I wouldn't call anything less than 37 characters necessarily "inadequate".

Passphrase can help as additional protection, but it is susceptible to brute force if not complex enough. In the case of Trezor or any other hardware wallet based on Trezor (all clones) someone has calculated that at least 37 characters are required for the protection to be adequate. Such an attack is currently not possible on Ledger HW, and one of the most important differences between Ledger and Trezor is in The Secure Element which is special chip built in Ledger hardware wallets.

A hardware wallet isn't expensive. I understand that in some parts of the world $50 is considered a lot of money, but if you are planning to hold hundreds and thousands of dollars it simply isn't. 

I am going to go a bit off topic and explain why they are not expensive.
While I was in high school I wanted to go running with a friend who is a bit older than me and plays basketball. He is in great physical shape, I work out, so I though I could keep up. I didn't have proper running shoes so I figured there is no need to buy a new pair. They are 'expensive' and I am not going to use them that much. I went out running in a pair of old day-to-day sneakers.

While we were running I started experiencing intense pain in the area around my heels, but I wanted to push past it so I didn't stop and just continued until the point that I could no longer stay on my feet. I am not exaggerating.

The next morning, the pain was so intense I could barely walk. I went to the doctor who told me that the main cause for my injury was a combination of excessive exercising and bad foot wear.

Instead of buying proper foot wear because I though they were 'expensive' I had to pay for doctor appointments, injections, and pain killers, and spent 4-5 days lying around on the sofa.       

It doesn't matter how old or new is somebody on the field. You have to cross check the information as good as you can, no matter who answers and what's his rank, because you don't know his intentions and also anybody can make mistakes. And we talk about money here.

So... take care. Always.

The article is informative. That means, passphrase can futher protect your cryptocurrencies. Like the Trezor used as an example, if it is stolen, but you have already set up the passphrase, the theif will be unable to access your wallet unless he knows the phrase. Wallet owner is the only one that can reveal the passphrase.

First of all, anyone who want to invest $25-$50 in hardware wallet has to wonder if he really needs it? Some start crypto trading, do it for a month, lose all their money and are no longer interested in crypto, they do not need such a device at all.

On the other hand, if there is a serious intention to make a long-term investment, I do not see how a $50 investment can be unnecessary or a bad move. Of course there are those who suggest some cheaper solutions (home made cold storage), and personally I do not mind, in the end, protection is the most important, no matter how it is realized.

For some people even $50 means a lot of money, so it should be understood that some still claim that hardware wallets are too expensive for them. But that will surely change in the future as the competition gets bigger, so anyone who wants to be able to secure their storage and transactions will be able to do so.

I would add that we currently have 2 manufacturers who definitely enjoy the highest reputation among users. In my opinion as Ledger user for years (Nano S&X) these devices are on the top on my list.


That is not entirely true, and it depends on the wallet and wallet setup. Vulnerability that is detected in Trezor hardware wallets enables one who comes into physical possession of such device to extract seed if user is not set passphrase (at least 37 characters).

Read more about this here : Trezor&Keepkey - Unfixable Seed Extraction - A practical and reliable attack!
More good info about hardware wallets : Hardware wallets

I appreciate how you explained this. I deleted the post before seeing this coming. But a lot helpful. You are not new in the field and also know better.

If hard drive works good for someone then it is fine but the user must also be careful. I get your point now, if someone don't want to spend much, hard drive wallet is an alternative.
You have claritfy this enough. It is informarive.

I wouldn't really call that a wallet though, that's just a client (such as Electrum). You would need some other method of storing your seed and transporting it around to have whenever you want to transfer some coins.

The Nano S can also be used with Android phones (but not Apple phones) via a USB cable. Further, you are limited only to 23 apps being installed at the same time. You can freely uninstall and reinstall apps without losing your coins, so you in reality you can store as many coins as the Ledger supports.

There have certainly been attacks proven to be possible against Trezor wallets. Even wallets which have no known attacks against them shouldn't be assumed to be 100% safe for ever more. As you say, if one of my hardware wallets was stolen, I'd be recovering from back ups and transferring to a new wallet within a few hours.