
Topic: Seed phrase security question (Read 615 times)

legendary
Activity: 1512
Merit: 7340
Farewell, Leo
July 11, 2021, 09:22:34 AM
#46
Is that a concern?  Like imagine you were typing your seed in a software wallet and the laptop camera is pointing straight at it.  Has there been known hacks like this?  Also so if you were to actually sing your seed while your iphone is on... that is a huge concern?  What if you record it with the voice memo?  That is obviously bad but has anyone tested this with a seed and put a tiny amount of crypto in it just to see if anything would happen?

It depends on what you understand as “concern”. Once you generate a wallet, there are tons of ways you can screw the whole thing up, but your money may be safe. You should minimize the odds of screwing up to cover these concerns. No, I've never heard of a hack like this, nor from singing the seed. But, you know what? Now that it's publicly known, there may be people who'll write malicious code regarding your records.

Just for your information, I've never heard of funds' loss from the classic procedure of seed generation. But, it doesn't matter what I have heard; I always minimize these odds.
legendary
Activity: 4354
Merit: 3614
what is this "brake pedal" you speak of?
July 11, 2021, 08:27:28 AM
#45
That is something i never thought of.  But when you guys write your seed or look at your seed, do you all make sure your phone or laptop camera isn't pointing straight at your paper that has your seed in it?

when generating a new seed or key i remove all phones from the room and power them off. all security cams that might have line of sight are disabled. unplug desktop webcams or cover the webcam if laptop. all window shades in the room are drawn (include skylights too). i have no alexa/google thing (never will either) so no worries there. if you have a smart tv attached to your network unplug it. have any of those voice activated remote controls for your cable/sat tv? take the batteries out and move those remotes out of the house for the duration.

once the seed/key is generated/tested i'll make dupes and stash some off site. add a passphrase too but don't store that with the seeds of course. multiple copies of that too.

then after all that i take my tinfoil hat off and re enable all the potential bugs (phones tvs etc).
legendary
Activity: 2268
Merit: 18748
July 11, 2021, 03:06:48 AM
#44
So you should tape the laptop camera at all times?
I would either tape or disable all your cameras at all times, since they are constantly being targeted by various mass surveillance programs around the world.

Like imagine you were typing your seed in a software wallet and the laptop camera is pointing straight at it.  Has there been known hacks like this?
Who knows? No one who is careless enough to point a camera directly at their seed phrase will then go to forums and say "Hey, I took every possible precaution except pointing a camera at my seed phrase and now my coins have been stolen!" The point is it is a potential risk and your coins could be stolen this way.

Also so if you were to actually sing your seed while your iphone is on... that is a huge concern?  What if you record it with the voice memo?  That is obviously bad but has anyone tested this with a seed and put a tiny amount of crypto in it just to see if anything would happen?
Again, this proves nothing. Your coins could be stolen this way. It's like saying "Well, I've driven without a seat belt for 10 years and I'm still alive, so driving without a seat belt is perfectly safe." All these things could result in your coins being stolen. Just because they haven't yet resulted in your coins being stolen doesn't mean they are a good idea. I could write my seed phrase in huge letters in permanent ink on my bedroom wall and my coins would stay safe for quite some time - doesn't mean it's a good way to store my seed phrase.
legendary
Activity: 3472
Merit: 10611
July 10, 2021, 10:47:21 PM
#43
Is that a concern?
There is a possibility and it is always better to be safe than sorry!

Quote
Has there been known hacks like this?
Not that I know of. People don't usually have strange setups like this where their camera is pointed directly at their screen instead of at their face.

Quote
Also so if you were to actually sing your seed while your iphone is on... that is a huge concern?  What if you record it with the voice memo? 
You can go in a windowless room with no electronics in it, shut down all the lights and enter your seed :)

Quote
That is obviously bad but has anyone tested this with a seed and put a tiny amount of crypto in it just to see if anything would happen?
That won't prove anything.
full member
Activity: 1750
Merit: 186
July 10, 2021, 03:25:57 PM
#42
Well i got laptop and iphone.  But the way i have my laptop on my desk, its like pointing at my computer monitors, got a dual monitor setup so the laptop is to the right of it where the laptop camera is well pointing towards the camera.



So you should tape the laptop camera at all times?  Because anything that is on my computer monitor screen, well my laptop camera is essentially pointing straight at it.



Is that a concern?  Like imagine you were typing your seed in a software wallet and the laptop camera is pointing straight at it.  Has there been known hacks like this?  Also so if you were to actually sing your seed while your iphone is on... that is a huge concern?  What if you record it with the voice memo?  That is obviously bad but has anyone tested this with a seed and put a tiny amount of crypto in it just to see if anything would happen?
legendary
Activity: 1974
Merit: 2124
June 27, 2021, 10:03:21 AM
#41
Hi this is a random question but is it possible for my seed phrase on hardware wallet to be compromised by an app using my iPhone microphone ? I was singing my seed phrase to memorize it and realized my phone was right next to me. I’m also kinda high and paranoid? I see lots of posts about ppl taking photos of their phrases and losing their coins so I didn’t know if saying my phrase out loud was a bad idea.VidMate  Mobdro

We are living in a technical era and every kind of hack is possible these days if you are not much aware of them. You don't know how these voice assistant features work in the backend, but your microphone recordings are also maintained by the company server to provide some better results. You must be aware of the Google, iPhone, Facebook data leak breach on the dark web, and so you can imagine that a seed can also be compromised. The experts have stated one type of hack that can send some silent commands to Siri through a waveform generator that can hack your phone and listen to all your Siri conversations.

Quote
By talking with the voice assistant, bad actors can gain access to, say, your text messages, which may contain two-factor authentication codes for your other accounts.
To protect yourself from this form of attack, make sure your voice assistant is password-protected or disabled from the lock screen.

Learn about them at Siri hacks

So you must take care about security measures and be safe with your seed phrase, because they will just enter them in any Electrum wallet and then funds will be withdrawn to any address. So change the seed or take any other necessary step to avoid any further inconvenience. Next time save them in cold storage somewhere safe without storing them in mind Library.
hero member
Activity: 2926
Merit: 567
June 27, 2021, 05:14:46 AM
#40
Hi this is a random question but is it possible for my seed phrase on hardware wallet to be compromised by an app using my iPhone microphone ? I was singing my seed phrase to memorize it and realized my phone was right next to me. I’m also kinda high and paranoid? I see lots of posts about ppl taking photos of their phrases and losing their coins so I didn’t know if saying my phrase out loud was a bad idea.VidMate  Mobdro


If you think your passphrase or private key is compromised or will be compromised, take action right away: create a new wallet and transfer the coins to that new wallet. When in doubt, do the necessary action before it's too late and take all the necessary precautions to protect your wallet private key; we are our own bank.
legendary
Activity: 2268
Merit: 18748
June 27, 2021, 02:31:03 AM
#39
The seed will save as .txt in notepad it will easy to use the third party such as 7zip. but of course, if the third party had a compromise possible the seed also.
I would be wary of using tools such as 7zip for encrypting files when that is not their primary purpose. Many zip and archive programs will leave temporary files all over your hard drive, which can later be recovered or restored by an attacker. 7zip also had some pretty major bugs with their implementation of the encryption process: https://twitter.com/3lbios/status/1087848040583626753. You would be much better off using a piece of software which has been properly built solely for encrypting data, such as VeraCrypt or LUKS.

Not to mention that saving your seed file in a .txt file, adding it to an encrypted archive, and then deleting the original, leaves the data of the original on your hard drive indefinitely until you overwrite it with some other data, which again can be recovered by attackers.

I have read much time about it because it will easy to copy-paste the seed if they want to restore it.
Another terrible idea.
legendary
Activity: 2366
Merit: 2054
June 26, 2021, 11:03:01 PM
#38
I hope you have, at least, encrypted the seed before uploading it!
The seed will save as .txt in notepad it will easy to use the third party such as 7zip. but of course, if the third party had a compromise possible the seed also.

In Windows 10 the user can encrypt the text in the properties under the advanced option, but that EFS is available on Pro, Enterprise, and Education editions only.

I don't know why so many users prefer to back up their wallets digitally whereas storing them physically is safer and easier.

I have read much time about it because it will easy to copy-paste the seed if they want to restore it.
legendary
Activity: 2702
Merit: 3045
Top Crypto Casino
June 26, 2021, 06:22:19 PM
#37
...
Just because you didn't lose your coins yet doesn't mean it's a safe way to store your wallet seeds online, especially in the cloud where security is questionable.
I hope you have, at least, encrypted the seed before uploading it!
I don't know why so many users prefer to back up their wallets digitally whereas storing them physically is safer and easier. It won't cost you anything to write the seed on a piece of paper and store it in a secure place, as suggested above.
newbie
Activity: 7
Merit: 0
June 26, 2021, 08:24:08 AM
#36
This thread has given me some things to seriously think about. This is surely going to become more and more of an issue as more people become aware of seed phrases and what to look for.
legendary
Activity: 2268
Merit: 18748
June 26, 2021, 03:23:47 AM
#35
I backed up my seed phrase in an original memory card
This is only safe if you did this on a permanently airgapped computer (i.e. one without an internet connection and which will never have an internet connection again). Even if you deleted the seed phrase from your computer's hard drive after you transferred it to the memory card, then it still exists and is fairly easily recoverable until the location on the hard drive it was stored is overwritten by some other data.

and uploaded some in cloud storage.
This is an absolutely awful idea. You should create a new seed phrase and move your coins out of that seed phrase immediately. You have absolutely no idea how many servers around the world your seed phrase is now stored on, how many people can access these servers, how securely it was transferred between servers, how securely it is being stored, etc. Cloud storage and other online servers are hacked all the time. Your seed phrase, and your coins, are at risk.
member
Activity: 898
Merit: 19
Do it For Better Humanity (Bitget trader)
June 26, 2021, 01:46:06 AM
#34
I backed up my seed phrase in an original memory card and uploaded some in cloud storage. So far, I've not lost any coin due to seed phrase being compromised.
legendary
Activity: 2268
Merit: 18748
June 21, 2021, 11:08:56 PM
#33
That is something i never thought of.  But when you guys write your seed or look at your seed, do you all make sure your phone or laptop camera isn't pointing straight at your paper that has your seed in it?
I have all cameras unplugged or disabled all the time, except during the few seconds I am actively using them to scan QR codes. I unplug standalone webcams, and I have physically removed the camera which is built in to my laptop. If your phone does not have a physical shutter, you can buy an adhesive one for a few bucks.

Everyone involved in data harvesting, from Mark Zuckerberg to the director of the FBI, have either said that they cover or unplug their cameras, or have been seen to do so in pictures and videos. They know a lot of things we don't.

When dealing with seed phrases to my cold storage, I won't even have a camera in the same room as me. I'd rather be paranoid and safe than relaxed and a victim.
legendary
Activity: 3472
Merit: 10611
June 21, 2021, 10:03:40 PM
#32
That is something i never thought of.  But when you guys write your seed or look at your seed, do you all make sure your phone or laptop camera isn't pointing straight at your paper that has your seed in it?
That sounds like paranoia to me but when you handle your seed phrase you should already be on an airgap computer which means that even if that computer has an attached webcam that could read your seed phrase it still is "air gapped" and doesn't have any connection to the rest of the world. In fact one way of keeping that system clean is using a camera and scan QR codes which is useful when signing transactions (to import unsigned tx).
full member
Activity: 1750
Merit: 186
June 21, 2021, 06:55:59 PM
#31
That is something i never thought of.  But when you guys write your seed or look at your seed, do you all make sure your phone or laptop camera isn't pointing straight at your paper that has your seed in it?
hero member
Activity: 1120
Merit: 887
Livecasino.io
June 21, 2021, 11:23:28 AM
#30
I was singing my seed phrase to memorize it and realized my phone was right next to me. VidMate  Mobdro

An old Chinese proverb says that “the faintest ink is more powerful than the strongest memory.”  I would not advise anyone to memorize their seed phrase.

However if you think it has been compromised, you need to create a new vault, and then transfer your funds to that vault immediately.

Then, write your new seed phrase on a physical paper. You can have offline duplicate copies stored in a bank safe, a vault in the north pole, buried under the earth or in an offshore location :D. Just ensure it's kept in a secure location.
legendary
Activity: 2268
Merit: 18748
June 20, 2021, 07:58:54 AM
#29
Singing your seed phrase alongside your phone and sh*ts like that doesn't endanger you besides, its still on that same device that it was generated and you get to type it in occasionally when the need arises to have access to your coins.
That's not true. If you generate a seed phrase on Electrum on mobile, for example, the seed phrase stays encrypted within the Electrum app and is pretty unlikely to be accessed by any other app (not including malicious apps or malware, of course). If you speak your seed phrase out loud, then any number of apps on your phone such as Siri, Alexa, Google Assistant, Facebook, etc., which have access to your microphone and are recording all the time will pick it up and send it to some server somewhere, unencrypted, for analysis.

So, singing it doesn't affect anything except for the fact that, you stored the voice note of it!
Storing an audio file of your seed phrase is just as risky as saving your seed phrase unencrypted in a text document, i.e. a terrible idea.

but would it technically be against the law to store such information with a bank?
Depends entirely on your jurisdiction. If bitcoin is not illegal in your country, then I see no reason why you couldn't store a copy of your seed phrase or similar in a safe deposit box, though.

From my research each bank would tell you what can and cannot be stored with them, how do they ensure customers do not violate their codes; this should be by checking the content would they be suspicious.
As I mentioned, you can always encrypt the information before you store it. If the bank asks you to decrypt it, you can say that you don't know what it is and you will be given a decryption key from a relative's estate after their death, or something along those lines. Or you could encrypt it on digital storage, using a hidden volume to hide the fact that there is a wallet encrypted at all. If ever forced to decrypt it, by utilizing a hidden volume you can decrypt the drive to other "sensitive" decoy data, and never reveal the existence of the wallet.
hero member
Activity: 2702
Merit: 716
Nothing lasts forever
June 20, 2021, 07:55:14 AM
#28
This all depends on your threat model. Are your back up locations more likely to be compromised by a thief, or more likely to be damaged by fire, flooding, natural disaster, etc? Do you simply need to write your seed phrase on two different pieces of paper and hide one in your house and one with a family member whom you trust completely? Or do you need to use multi-sig so that a thief finding one share gets nothing, or two (or more) of your friends/family members would need to collude to steal your coins?

This reminds me of Vitalik Buterin. I saw his interview recently in which he mentioned that he has split up his keys and given to family members in another country.
He had to call up his family members and get the pair of words and attach the pair of words he had to access his funds.
What do you think about this way of storing and accessing funds ?
legendary
Activity: 2114
Merit: 2248
Playgram - The Telegram Casino
June 20, 2021, 07:44:33 AM
#27
Also, if bitcoin is a taxed commodity in your country, you may be asked to reveal the content of your wallet.
Then don't make it obvious that it is a wallet. Encrypt your seed phrase and store the encrypted string on one piece of paper and the decryption key on another. One without the other is not only useless, but reveals nothing about what is encrypted.
I guess this is the part I needed to clear up. I'm not very savvy in the legal distinctions, but would it technically be against the law to store such information with a bank? Or is it a grey area that is not well defined and as such cannot be regulated.

From my research each bank would tell you what can and cannot be stored with them, how do they ensure customers do not violate their codes; this should be by checking the content would they be suspicious. They may not be able to reveal the contents, but would it pose any legal implications, particularly for countries who are not receptive to Bitcoin.
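
Added example, not part of any post in this thread: one way to get the property quoted above (the encrypted string on one sheet, the decryption key on another, neither revealing anything alone) is a one-time-pad split. It assumes the seed is handled as its raw entropy bytes on an offline machine; the function names and the sample value are constructed for illustration.

```python
import hashlib
import secrets

# Constructed sample: 16 bytes standing in for the entropy behind a 12-word
# seed phrase. Illustration only; never reuse a published value.
SAMPLE_ENTROPY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("pieces differ in length: wrong or damaged sheet")
    return bytes(x ^ y for x, y in zip(a, b))


def split_secret(secret: bytes) -> tuple[bytes, bytes]:
    """Return (ciphertext, key). The key is a fresh random pad as long as the
    secret and must never be reused for a second secret."""
    if not secret:
        raise ValueError("empty secret")
    key = secrets.token_bytes(len(secret))
    return xor(secret, key), key


def join_secret(ciphertext: bytes, key: bytes) -> bytes:
    return xor(ciphertext, key)


def key_for(ciphertext: bytes, candidate: bytes) -> bytes:
    """The key that would 'decrypt' ciphertext to any chosen candidate.
    Such a key always exists, so one sheet alone rules nothing out."""
    return xor(ciphertext, candidate)


def format_piece(piece: bytes) -> str:
    """Hex for paper, plus a short tag computed over this piece only, so it
    catches copying errors and reveals nothing the sheet does not show."""
    return f"{piece.hex()}-{hashlib.sha256(piece).hexdigest()[:8]}"


def parse_piece(text: str) -> bytes:
    body, _, tag = text.strip().lower().partition("-")
    piece = bytes.fromhex(body)  # ValueError on non-hex input
    if hashlib.sha256(piece).hexdigest()[:8] != tag:
        raise ValueError("check tag mismatch: transcription error")
    return piece


if __name__ == "__main__":
    ct, key = split_secret(SAMPLE_ENTROPY)
    sheet_a, sheet_b = format_piece(ct), format_piece(key)
    print("sheet A:", sheet_a)
    print("sheet B:", sheet_b)
    print("recovered:", join_secret(parse_piece(sheet_a), parse_piece(sheet_b)).hex())
```

Both sheets are needed for recovery, so losing either one loses the seed; each sheet needs its own backup in a separate location.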