Pages:
Author

Topic: Why is it bad to store 24 words from Ledger hardware wallet in password manager? (Read 309 times)

full member
Activity: 686
Merit: 102
It's simple your device (laptop, desktop, mobile, tab) all are in danger when those are in online (in some cases). Cause hackers/scammers are can attack your device easily when its online. Now 24 words secret keys are very sensitive for your wallet so somehow if scammers will hacked it, your hole asset will be gone. That's why people recommend to collect those secret keys in offline. You can use paper or other thing which never shows in online.
legendary
Activity: 3024
Merit: 2148
My biggest issue with this set up is you are essentially reducing the entropy of your seed phrase to the entropy of your KeePass encryption key. A 24 word seed phrase has 256 bits of entropy. The average human generated password has an entropy of around 44 bits. Even if you draw from all 95 printable ASCII characters (lowercase, uppercase, numbers, symbols), and generate a truly random encryption key, a 12 character key is still only 79 bits of entropy. You would need 39 characters to equal the entropy of your seed phrase.

From quick research, it looks like a typical key derivation from seed uses only a little bit of key stretching, while KeePass and other managers use very big amounts of key stretching and they constantly keep it up to date to match the modern brute-force capacities. So, even though this method reduces entropy, it still has comparable difficulty of brute force, as long as the password is good.

You're right though that an unexperienced person can shoot themselves in a foot by forgetting their password or having a very weak password.
legendary
Activity: 2268
Merit: 18711
How are you going to back up the encryption key to your KeePass database? It should obviously be stored completely separately from your KeePass database itself, so writing it down on paper seems like the safest option? In which case, why not just write your seed down on paper?

My biggest issue with this set up is you are essentially reducing the entropy of your seed phrase to the entropy of your KeePass encryption key. A 24 word seed phrase has 256 bits of entropy. The average human generated password has an entropy of around 44 bits. Even if you draw from all 95 printable ASCII characters (lowercase, uppercase, numbers, symbols), and generate a truly random encryption key, a 12 character key is still only 79 bits of entropy. You would need 39 characters to equal the entropy of your seed phrase.

You also add in unnecessary risk in accidentally exposing your seed online, messing up the encryption process, any as-of-yet unknown flaws in the KeePass software, forgetting/incorrectly copying your encryption key, etc.

There's a reason that all good wallets tell you to write your seed phrase down on paper. It is the least risky way of backing it up. If you are concerned about your seed phrase being discovered, then use an additional passphrase and back that up (also on paper) separately.
legendary
Activity: 3234
Merit: 5637
Blackjack.fun-Free Raffle-Join&Win $50🎲
If you can, use at least 8 random words, there are examples everywhere of how to do this...

Can you send me some links on this. I cannot find anything on adding words to increase security of your 24 word seed

If you already want to save your backup digitally, there is additional security in the event that the seed (24 words) is somehow compromised. Ledger lets you add passphrase or we can call it 25 word (+1 on your 24 seed words), so if someone come into your seed's possession (24 words), he will not be able to steal your coins without passphrase. You will not, of course, keep that extra word together with 24 words, but separately and in a safe place.

Personally, I would advise anyone with hardware wallet to consider this additional security option, but to know well what it means and how to use it. More info can be found on the official Ledger site :  Advanced passphrase security.
sr. member
Activity: 1204
Merit: 388
I keep this information in notes in different parts of my house, I hope I won't lose anything  Grin
That's one of the best ways to pass phrase and password but it becomes lost once there's a fire outbreak.
Safest method to write them down is by using the metal/steel password managers. It can't get burnt like paper. You can one on cryptosteel.com , it sells for around 74€ and I'm sure it worth it.
newbie
Activity: 74
Merit: 0
I keep this information in notes in different parts of my house, I hope I won't lose anything  Grin
sr. member
Activity: 644
Merit: 364
In Code We Trust
That's actually the advantage of hardware wallet, it prevents outside intervention of people if they don't physically have the hardware you have. But the main problem is how will you recover your account if your hardware wallet gets missing. So 24 words phrase should be written and should not be stored digitally, why? Because there are some software that could screen capture your monitor or mobile phone, so that they can get your funds easily. Well, there will be no risk with it if there's no connection with it to the online community, no matter what hackers does, they cannot get your private keys.

I know it was hard to set up, but we will realize it's importance when 10 years from now, our investment will be still with us.
newbie
Activity: 93
Merit: 0
In theory, password managers can be less secure than hardware wallet. In this case you can just use software wallet if you store your data in program
legendary
Activity: 3472
Merit: 10611
every method you choose has its own advantages and disadvantages at the same time.
for example digital storage in general is also susceptible to loss, the hardware can be damaged for instance due to electric shock, or you can get a bad sector and lose data, or simply face data decay which people forget about.
additionally when you store encrypt and store digitally you still have to make a backup of that encryption key otherwise you may forget it over time and be locked out.
in the end you should weigh the pros and cons and decide which method is best, then you can also always create multiple backups. for example a printed encrypted key alongside the digital storage.
legendary
Activity: 2170
Merit: 1789
Would be safe to use a computer you used to boot up into Tails OS offline and save the 24 word phrase into a Keepass file. Or should I get a brand new cheap computer,  boot up into Tails OS offline and save the 24 word phrase into a Keepass file?

I think buying a new computer is a bit overkill. Using your current computer to boot up Tails (without connecting to the internet) should be safe enough imo. Just to make sure, you can disable the other HDD/SSD or network card on your BIOS if you're paranoid that somehow you put the data on the wrong place or unconsciously connect the computer to the internet before you boot it up.
legendary
Activity: 3080
Merit: 1353
If I was to open the Keepass file with the 24 word phrase on a computer connected to the internet to see what it was years later, will this be a bad idea? Should I always open the file on a offline Tails OS computer to recovery my word phrase?

Every time you connect your devices online is a risk. So it is better to do everything offline to be on the safe-side. Hackers and malwares are everywhere so the best thing we can do is go off-grid.
copper member
Activity: 2856
Merit: 3071
https://bit.ly/387FXHi lightning theory
If I was to open the Keepass file with the 24 word phrase on a computer connected to the internet to see what it was years later, will this be a bad idea? Should I always open the file on a offline Tails OS computer to recovery my word phrase?

Yes!

You could leave a note on the USB drive in plain text as to how to decrypt (obviously not including the password) to remind yourself.
newbie
Activity: 10
Merit: 4
If I was to open the Keepass file with the 24 word phrase on a computer connected to the internet to see what it was years later, will this be a bad idea? Should I always open the file on a offline Tails OS computer to recovery my word phrase?
legendary
Activity: 2156
Merit: 2100
Marketing Campaign Manager |Telegram ID- @LT_Mouse
It is always advised and encouraged to use offline methods to store seed key or private key. With electronic device, it is easy to be targeted by hacker and that will not be a hard job to get access to your seed key or private key. Seed key can be hand written on paper too, make couple of copies and store them on different safe place.
copper member
Activity: 2856
Merit: 3071
https://bit.ly/387FXHi lightning theory
If you can, use at least 8 random words, there are examples everywhere of how to do this...

Can you send me some links on this. I cannot find anything on adding words to increase security of your 24 word seed

No I mean for generating your password for keepass.
Here's an example of generating a master password for a password manager: https://youtu.be/Pe_3cFuSw1E
newbie
Activity: 10
Merit: 4
If you can, use at least 8 random words, there are examples everywhere of how to do this...

Can you send me some links on this. I cannot find anything on adding words to increase security of your 24 word seed
newbie
Activity: 10
Merit: 4
It is not safe if you are using KeePass on online mode not on offline/airgap PC this should be offline forever to keep your seed safe in your PC.
Any documents or important backups like 24-word seed are always safe to store on the PC which is completely offline(Never connected to the internet).

Since this is related to hardware wallet are you planning to use the ledger hardware wallet on the PC with ledger live? It needs the internet so if you use your PC online it is not safe to save the "24-word seed" on the KeePass even this software is offline. We don't know exactly if this password manager is not sending any data when the PC is connected to the internet.

Unless if you are a programmer and you can verify that it is running completely offline and not sending any data from KeePass to internet when the PC is online. But for us who doesn't know if KeePass is safe while connected to the internet. We will always choose to save it to paper wallets instead or save somewhere safe than KeePass.

Would be safe to use a computer you used to boot up into Tails OS offline and save the 24 word phrase into a Keepass file. Or should I get a brand new cheap computer,  boot up into Tails OS offline and save the 24 word phrase into a Keepass file?
legendary
Activity: 3024
Merit: 2148
If it's encrypted, it's not different from a password-protected wallet file.

By password-protected wallet files, are you refering to a encrypted JSON file?

I was thinking about Electrum, sine JSON files are usually used by Ethereum wallets, but they both count as password-protected wallet files. Just make sure to make a really-really good password, and come up with a method for backing up said password, because if someone steals the file, they could spend as much time as they want on trying to bruteforce it.
newbie
Activity: 10
Merit: 4
If it's encrypted, it's not different from a password-protected wallet file.

By password-protected wallet files, are you refering to a encrypted JSON file?
legendary
Activity: 3024
Merit: 2148
I always read online when it comes to storing your 12 or 24 words, never to store them digitally. I assume this is because most people will put then in an unencrypted file like a TXT or DOCX file and not use a password manager like KeePass.

I was thinking of using Tails OS offline to create a new KeePass file and enter the 24 words in the file, save the file and put it on a USB stick. Turn off the Tails OS. And make copies of the keepass file on top other drives.

You are correct, by storing digitally people often think about storing it in plaintext. But using strong encryption with a strong key makes it much safer. It's still better to not have your encrypted seed on an online machine or the cloud, but storing it on a USB stick and using it offline with Tails is perfectly valid. If it's encrypted, it's not different from a password-protected wallet file.
Pages:
Jump to: