Topic: Protecting hardware wallet backups. Please help. (Read 311 times)

Thanks for great input again.

What are your thoughts on this scenario below? Would it be better like this?

[1]
I write my recovery seed on a paper and store it at home 100% offline

[2]
Then I activate a passphrase which I can remember - e.g. "my-super-secret-passphrase-20190413"

[3]
Even if I can remember the passphrase, I am aware that I might forget it due to the passage of time, disease or accident ... (Not likely, but it might happen)

That's why I write down the first passphrase part ("my-super-secret-") on a paper and store it in a different place than the recovery seed is stored (to keep recovery seed and the first passphrase part separated).

Then I upload the second passphrase part ("passphrase-20190413") online.

BENEFIT 1 (for myself) - peace of mind: Even if I would forget my passphrase, I know where to look, to refresh my memory

BENEFIT 2 (for others) - inheritance plan: In advance, I can let my family know where both physical backups are (the recovery seed and the first part of the passphrase) and also that they would receive the recovery email containing the second passphrase part in case of an accident/death.

Of course, I can give them the second part right away but I don't want to do it because:

a/ The more people know it, the higher the risk that
it will be compromised (even if by an accident)

b/ I want to be sure that my family will access my assets once I am not here but not before (when I am still here )

Do you think this approach would be more usable with a reasonable balance between "Security" and "Safety"?

Thanks!

Exactly... a "seed mnemonic only" wallet, basically has a single point of failure... the seed mnemonic. Once the seed mnemonic is compromised == Game Over!

Having a passphrase is essentially 2FA. Now you need two puzzle pieces to make it all work... plus, as you say, the "obvious" puzzle (the seed mnemonic) can actually be a red herring with a small amount of coin that could trick the user into believing they got it, but you had "nothing", whilst the real fortune is hidden behind 2nd puzzle piece (passphrase).

Now the issue is... how does one "store" that 2nd puzzle piece (passphrase)? There are 2 aspects to consider... "Security" and "Safety". Security being prevention of unauthorised access of the puzzle pieces... safety being prevention of accidental loss of the puzzle pieces.

The most obvious and arguably most "secure" is... in your head. If the passphrase is relatively strong (8+ chars, mix of upper/lower/numeric/symbols etc) and never, ever leaves your head... the odds of someone bruteforcing that are VERY small.

However, this maybe isn't that "safe" for inheritance purposes as it is likely to go to the grave with you, leaving your Next-of-Kin with nothing

Once you start putting things online, the game changes significantly. Whilst it might increase the "safety" aspect of storing your puzzle piece in terms of having another (hopefully reliable) location to store it to prevent loss and the ability for your Next-of-Kin to get access should the worst happen... the "security" aspect is now greatly diminished.

It is indeed a very delicate balancing act... and different people will no doubt have different requirements.

Still, I view your service as a valid option for folks who want some peace of mind that their family will be able to get ALL the puzzle pieces should the need arise... and as I said earlier, it looks like you've put a lot of thought and care into this project... I hope it all works out!

Great points. Really appreciated.
Thanks a lot

I take a very straightforward approach to inheritance planning - my next of kin knows the passphrase and the location of the seed.

I still think the better option would be to encrypt the passphrase if you are storing it online, and then backup the decryption key offline - simply telling your next of kin (if it is easy to remember) and/or storing it securely on paper (separate from your seed, of course).

Agree. I would also prefer to encrypt everything.

I am just considering what is the right balance between security and usability in terms of inheritance planning.

Will be your family able to decrypt it without any issues and so on...

Thanks for your input.

It's definitely better to have a passphrase than not to have a passphrase at all, but as HCP has said, there are many ways to store your passphrase, each of variable security, recoverability, and ease.

You say you store it unencrypted online, which is safe for you since your seed is stored on paper in your flat. Presumably if someone has access to your seed, they therefore have access to your flat and also your computer. Depending on your computer set up (do you use whole drive encryption? do you use an encrypted password manager?), it could be fairly trivial for them to break in to your online accounts and access your seed. Similarly, by uploading your seed unencrypted online, it could be stolen by malware or poor security on the computer(s) it is stored on, malware on your computer, a man in the middle attack, etc. It's better than nothing, sure, but it's still not great.

I prefer not to back up anything online, encrypted or not, but in the rare event I might want to store something sensitive online, I wouldn't dream of not encrypting it first.

Thanks for your input. Really valuable for me.

I am not trying to convince you or argue... Just need another point of view to understand this better.

Let's put it in another way.

If my understanding is correct, according to what you are saying, having seed-only wallet would be bad security practice because if the recovery seed is stolen, there is no need for any passphrase and it means the seed is directly compromised, immediately when stolen?

Or another way.

Is it better to have just seed-only wallet (without any passphrase activated) OR is it better to have a passphrase activated and store it somewhere else (even online)?

IMO it's better to have a passphrase activated (even if stored online) because if someone finds the seed, he/she doesn't know that there a passphrase activated (because of some small amount of crypto left on the seed-only account). It means the person will not be trying to find the passphrase somewhere (he/she doesn't know it exists), it means the passphrase protected wallet with "my fortune" will remain safe.

What do you think?

While that might work for your setup... it may not work for others who store their seed offsite and would have a significant time delay between seed being compromised and them knowing that it is... and even with your setup, what happens if you go away on vacation for 2-3 weeks and your house is robbed the day after you leave?

But I digress, we could play this "but what if?" game forever Just realise that I'm not saying that your personal system is "bad" per se... simply that you could (and probably should) offer the option to users who can then decide how they want to do it

Of course, then the issue would be "how one can store an encrypted passphrase... and still allow your family to get access to it in case of death/incapacitation?" you would need some way to store the passphrase for the passphrase! and then you get into an infinite loop of how/where to store passphrases

Thanks! Happy you like it!

I think that I understand it correctly.

You are saying that it is not good/safe to store the passphrase online unencrypted ...

But I am afraid, I still DON'T understand WHY

I am storing my passphrase online unencrypted even for myself because of these reasons:

* In case of accident or death (the inheritance plan), my family will receive the recovery email with the passphrase. It will be much easier for them if the passphrase is not encrypted (they are not technically skillful so I am worried they might have troubles to decrypt the passphrase).

* I am again stressing that the recovery seed is in my flat, in a sealed envelope (see here https://seedcret.com/kb/letter-of-instruction/) so how it could be compromised?

* Even if it would be compromised, I would probably found out because I set up regular reminders to check the sealed envelope (which is signed over its fold so I would see someone opened it)

* Also I put some small bitcoin amount on the empty passphrase account/original seed-only account and I will be monitoring this address for a balance change. So if the seed is compromised, I would get immediately an email notification and moved funds from the main passphrase protected account somewhere else.

Am I still missing something?
Please advise.

That looks like a very useful service... you have obviously put a lot of thought and effort into this. Especially around the management of seeds, passphrases and inheritance/disaster planning.

I think you misunderstood what he said... he wasn't claiming that storing the passphrase online was bad practice, he said it was bad practice to store it unencrypted...

As you say, (as long as it is a unique passphrase designed and used only for your hardwallet) if someone finds it, they wouldn't be able to use it without your seed mnemonic. The danger of course is that if your seed mnemonic is compromised, then having the passphrase online could be very problematic... especially if you're unaware that the seed was compromised.


Also, the website is loading fine for me...

Thanks for your comments!

Can you please explain why it's bad practice to store the passphrase online?

I mean without the corresponding recovery seed (it's stored offline) it's worthless, right?

Let's say I generate a passphrase with a password manager (e.g. Keepass) and it looks something like this: QcWCJTCU0PVbnd4yyDOXRIai4Qj2V62xbLcIMEk6

Then, if someone finds it, why is the problem?
Can he/she misuse this passphrase without the recovery seed?

Website is up and running
https://seedcret.com/

Still having an issue?

Just adding more details on use cases:

Let me share the best practice suggestions from the official hardware wallet providers (Trezor, Ledger, ...) first.


https://wiki.trezor.io/User_manual:Security_best_practices

https://blog.trezor.io/passphrase-the-ultimate-protection-for-your-accounts-3a311990925b

https://blog.trezor.io/seed-pin-passphrase-e15d14a0b546


I will quote some essential points from these resources:


• If you do not use a passphrase, your recovery seed is all that is needed to access your coins. Never make a digital copy of your seed. We cannot stress enough to only store the seed offline.

• The passphrase is widely recommended and cherished by cybersecurity professionals and has multiple security effect as:

• Passphrase protects your recovery seed and is not stored anywhere. This means that even if somebody compromised your recovery seed, they would not be able to access your accounts unless they knew the passphrase as well.

• If you have to make a physical backup of your passphrase, do not store it right next to the backup of your seed. Instead, you might consider choosing a memorable passphrase and setting up reminders to refresh your memory every few months.

• A passphrase or more passphrases can be used with the same TREZOR device to create the so-called “hidden wallets”.

• You can share your account with the rest of the household or your team members at work. You can generate and distribute a recovery seed which would give everyone access to the “mutual”, “seed-only” wallet. Every member of this group can then separate their own secret wallet by using their custom passphrase.


Based on the above suggestions I can see multiple use cases as below:


[1] REGULAR REMINDERS TO CHECK BACKUPS

Often people lost/forgot their hardware wallet backups over time. As a result, they lost their crypto.

As mentioned above, it is a good practice to schedule regular reminders to refresh your memory every few months and not forget about the backups.

This relates to both the recovery seed and passphrase backups.

We aim to provide a simple and easy to use app for backup management which provides higher comfort than just using a regular calendar for reminders.


[2] PASSPHRASE BACKUPS

The rule is “never store your passphrase together with your recovery seed”.

I personally store my recovery seed offline at home and my passphrase online.

This brings me these benefits:

a/ Even if someone finds my recovery seed, it is still protected, because the person doesn’t know the passphrase (doesn’t even know that there is a passphrase activated)

b/ If someone finds the passphrase online, the person can’t get any benefit out of it without the recovery seed is stored somewhere else and offline

I am not afraid of storing my passphrase online because of this but if someone would be afraid, it is still possible to encrypt the passphrase before uploading it online (and write password for decryption offline together with recovery instructions).

Another way would be to protect passphrase with a randomized list as explained here for recovery seed: https://seedcret.com/kb/randomized-list-protection/

c/ I can create an inheritance plan for my family as described further


[3] INHERITANCE PLANNING

Because my backup consists of both the recovery seed and the passphrase, it is easy for me to create an inheritance plan for my family/friends.

It works as follow:

a/ My recovery seed is stored at home, written on a paper

Together with the recovery seed I also wrote the letter of instruction as here:

https://seedcret.com/kb/letter-of-instruction/

It will help my family to access my funds if needed...

b/ I used Google Inactive Account Manager (see here https://support.google.com/accounts/answer/3036546?hl=en) to schedule recovery email.

If my account is inactive longer then a waiting period I choose (e.g., 3 months), my family will receive a recovery email I prepared for them.

The recovery email contains information where they can find my physical recovery seed backup and it also includes the passphrase they need to use together with the recovery seed to access my digital assets.

You can use this as a template when creating your recovery email:

https://seedcret.com/kb/recovery-email/

c/ finally I do the same with Seedcret (the app we are developing), to schedule a secondary recovery email as a backup.

You can read more details on how to do it here:

https://seedcret.com/kb/store-recovery-seed-safe-guide/


[4] NOTIFICATIONS ON A BALANCE CHANGE

Besides the standard email notification on a balance change, this feature also offers a great security improvement for your recovery seed backups.

Even my “whole fortune” is stored on the passphrase protected account, it is still a good idea to leave some small funds/amount on the empty passphrase/original seed-only account.

Then, the empty passphrase/original seed-only account is used as a “decoy”.

If someone finds your recovery seed backup and steals your coins from the empty passphrase/original seed-only account, we'll send you email notification immediately once we detect a balance change.

Once notified, you can move your funds from your main passphrase protected account to a new, safe wallet.


[5] MAINNET AND SWAP ALERTS

When a project decides to launch its own mainnet, it is important to migrate the existing tokens from the residing blockchain to the mainnet.

Missing the mainnet may cause a complete asset loss.

With Seedcret, you can enable mainnet alerts, so we'll send you the alert email in advance to protect your funds.


These use cases came out from my own experience when I was trying to secure my and my friend’s crypto.

And that's why I believe that also other people might find such a service helpful when protecting their digital assets.


Looking forward to any comments!

I'm building a website to help with recovery seed management and also with inheritance planning.
I'd like to use it to protect my recovery seed backups and also offer it to others if they like it.

The idea is never to ask users for their recovery seeds – it is always in the user’s hands and offline.

Users just schedule reminders to check their backups regularly and thus protect themselves from forgetting the backups due to the passage of time, disease or accident.

Optionally, users also might create a recovery/inheritance plan so their close ones can access user’s assets in case of an accident or death. This works similarly as Google Inactive Account Manager but its more customized for cryptocurrencies.

Again, the recovery seed stays completely offline all the time. The only thing which might be uploaded online (depending on the user’s decision) is a passphrase (in plain or even encrypted form).


Already implemented features are here:
https://seedcret.com/demo/

Features we are currently building listed here:
https://seedcret.com/premium/


Would you share your thoughts on this?
Is there anything you are missing, is not clear enough or you would make it a better way?

Thanks