Topic: Why is it bad to store 24 words from Ledger hardware wallet in password manager? (Read 258 times)

full member
Activity: 686
Merit: 102
It's simple: your devices (laptop, desktop, mobile, tablet) are all in danger when they are online (in some cases), because hackers/scammers can attack your device easily when it's online. Now, the 24-word secret key is very sensitive for your wallet, so if scammers somehow hack it, your whole asset will be gone. That's why people recommend keeping those secret keys offline. You can use paper or other things which never appear online.
legendary
Activity: 2954
Merit: 2145
My biggest issue with this setup is you are essentially reducing the entropy of your seed phrase to the entropy of your KeePass encryption key. A 24 word seed phrase has 256 bits of entropy. The average human generated password has an entropy of around 44 bits. Even if you draw from all 95 printable ASCII characters (lowercase, uppercase, numbers, symbols), and generate a truly random encryption key, a 12 character key is still only 79 bits of entropy. You would need 39 characters to equal the entropy of your seed phrase.

From quick research, it looks like a typical key derivation from seed uses only a little bit of key stretching, while KeePass and other managers use very big amounts of key stretching and they constantly keep it up to date to match the modern brute-force capacities. So, even though this method reduces entropy, it still has comparable difficulty of brute force, as long as the password is good.

You're right though that an inexperienced person can shoot themselves in the foot by forgetting their password or having a very weak password.
legendary
Activity: 2268
Merit: 18588
How are you going to back up the encryption key to your KeePass database? It should obviously be stored completely separately from your KeePass database itself, so writing it down on paper seems like the safest option? In which case, why not just write your seed down on paper?

My biggest issue with this setup is you are essentially reducing the entropy of your seed phrase to the entropy of your KeePass encryption key. A 24 word seed phrase has 256 bits of entropy. The average human generated password has an entropy of around 44 bits. Even if you draw from all 95 printable ASCII characters (lowercase, uppercase, numbers, symbols), and generate a truly random encryption key, a 12 character key is still only 79 bits of entropy. You would need 39 characters to equal the entropy of your seed phrase.

You also add in unnecessary risk in accidentally exposing your seed online, messing up the encryption process, any as-of-yet unknown flaws in the KeePass software, forgetting/incorrectly copying your encryption key, etc.

There's a reason that all good wallets tell you to write your seed phrase down on paper. It is the least risky way of backing it up. If you are concerned about your seed phrase being discovered, then use an additional passphrase and back that up (also on paper) separately.
legendary
Activity: 3234
Merit: 5637
If you can, use at least 8 random words, there are examples everywhere of how to do this...

Can you send me some links on this? I cannot find anything on adding words to increase the security of your 24-word seed.

If you already want to save your backup digitally, there is additional security in the event that the seed (24 words) is somehow compromised. Ledger lets you add a passphrase, or we can call it the 25th word (+1 on your 24 seed words), so if someone comes into possession of your seed (24 words), he will not be able to steal your coins without the passphrase. You will not, of course, keep that extra word together with the 24 words, but separately and in a safe place.

Personally, I would advise anyone with a hardware wallet to consider this additional security option, but to know well what it means and how to use it. More info can be found on the official Ledger site: Advanced passphrase security.
sr. member
Activity: 1204
Merit: 388
I keep this information in notes in different parts of my house, I hope I won't lose anything  Grin
That's one of the best ways to keep a passphrase and password, but it becomes lost once there's a fire outbreak.
The safest method to write them down is by using metal/steel password managers. They can't get burnt like paper. You can get one on cryptosteel.com; it sells for around 74€ and I'm sure it's worth it.
newbie
Activity: 74
Merit: 0
I keep this information in notes in different parts of my house, I hope I won't lose anything  Grin
sr. member
Activity: 644
Merit: 364
In Code We Trust
That's actually the advantage of a hardware wallet: it prevents outside intervention by people if they don't physically have the hardware you have. But the main problem is how you will recover your account if your hardware wallet goes missing. So the 24-word phrase should be written down and should not be stored digitally. Why? Because there is some software that could screen-capture your monitor or mobile phone, so that they can get your funds easily. Well, there will be no risk with it if it has no connection to the online community; no matter what hackers do, they cannot get your private keys.

I know it is hard to set up, but we will realize its importance when, 10 years from now, our investment is still with us.
newbie
Activity: 93
Merit: 0
In theory, password managers can be less secure than a hardware wallet. In this case you can just use a software wallet if you store your data in a program.
legendary
Activity: 3472
Merit: 10611
Every method you choose has its own advantages and disadvantages at the same time.
For example, digital storage in general is also susceptible to loss: the hardware can be damaged, for instance due to electric shock, or you can get a bad sector and lose data, or simply face data decay, which people forget about.
Additionally, when you encrypt and store digitally you still have to make a backup of that encryption key, otherwise you may forget it over time and be locked out.
In the end you should weigh the pros and cons and decide which method is best; then you can also always create multiple backups, for example a printed encrypted key alongside the digital storage.
legendary
Activity: 2170
Merit: 1789
Would it be safe to use a computer you used to boot up into Tails OS offline and save the 24-word phrase into a KeePass file? Or should I get a brand new cheap computer, boot up into Tails OS offline and save the 24-word phrase into a KeePass file?

I think buying a new computer is a bit overkill. Using your current computer to boot up Tails (without connecting to the internet) should be safe enough imo. Just to make sure, you can disable the other HDD/SSD or network card in your BIOS if you're paranoid that somehow you put the data in the wrong place or unconsciously connect the computer to the internet before you boot it up.
legendary
Activity: 3080
Merit: 1353
If I was to open the KeePass file with the 24-word phrase on a computer connected to the internet to see what it was years later, would this be a bad idea? Should I always open the file on an offline Tails OS computer to recover my word phrase?

Every time you connect your devices online is a risk. So it is better to do everything offline to be on the safe side. Hackers and malware are everywhere, so the best thing we can do is go off-grid.
copper member
Activity: 2856
Merit: 3071
If I was to open the KeePass file with the 24-word phrase on a computer connected to the internet to see what it was years later, would this be a bad idea? Should I always open the file on an offline Tails OS computer to recover my word phrase?

Yes!

You could leave a note on the USB drive in plain text as to how to decrypt (obviously not including the password) to remind yourself.
newbie
Activity: 10
Merit: 4
If I was to open the KeePass file with the 24-word phrase on a computer connected to the internet to see what it was years later, would this be a bad idea? Should I always open the file on an offline Tails OS computer to recover my word phrase?
legendary
Activity: 2072
Merit: 2012
It is always advised and encouraged to use offline methods to store seed keys or private keys. With an electronic device, it is easy to be targeted by a hacker and it will not be a hard job to get access to your seed key or private key. The seed key can be handwritten on paper too; make a couple of copies and store them in different safe places.
copper member
Activity: 2856
Merit: 3071
If you can, use at least 8 random words, there are examples everywhere of how to do this...

Can you send me some links on this? I cannot find anything on adding words to increase the security of your 24-word seed.

No I mean for generating your password for keepass.
Here's an example of generating a master password for a password manager: https://youtu.be/Pe_3cFuSw1E
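A worked version of the entropy arithmetic from earlier in the thread (95 printable ASCII characters, 12 vs 39 characters, "8 random words" for a KeePass master password) together with the BIP39 passphrase ("25th word") derivation that was also mentioned, added here as an example and not posted by any participant. The Diceware list size of 7776 words and the sample mnemonic string are assumptions/constructed values; the log2(iterations) stretching model is a first-order approximation.

```python
import hashlib
import math
import unicodedata

PRINTABLE_ASCII = 95   # alphabet size used in the thread: all printable ASCII characters
DICEWARE_LIST = 7776   # assumed size of a Diceware-style wordlist (6**5) for "random words"
BIP39_ROUNDS = 2048    # PBKDF2-HMAC-SHA512 iteration count fixed by BIP39


def password_entropy_bits(length, alphabet_size=PRINTABLE_ASCII):
    """Entropy of a uniformly random password of `length` symbols."""
    return length * math.log2(alphabet_size)


def chars_needed(target_bits, alphabet_size=PRINTABLE_ASCII):
    """Shortest random password over the alphabet that reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def words_needed(target_bits, list_size=DICEWARE_LIST):
    """Shortest random-word passphrase (Diceware style) that reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def effective_cost_bits(entropy_bits, kdf_iterations):
    """log2 of the total work for an exhaustive search: each guess costs
    kdf_iterations hash calls, so key stretching adds log2(iterations) bits."""
    return entropy_bits + math.log2(kdf_iterations)


def bip39_seed(mnemonic, passphrase=""):
    """BIP39 seed: PBKDF2-HMAC-SHA512 over the NFKD mnemonic, with salt
    'mnemonic' + passphrase, 2048 rounds, 64-byte output. The word checksum
    is not verified here, so a different passphrase silently yields a
    different (empty) wallet rather than an error."""
    key = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", key, salt, BIP39_ROUNDS, dklen=64)


if __name__ == "__main__":
    # Constructed sample string, not a real wallet mnemonic.
    sample = "sample words only not a real wallet mnemonic"
    print(f"12 random ASCII chars  : {password_entropy_bits(12):.1f} bits")
    print(f"chars for 256 bits     : {chars_needed(256)}")
    print(f"Diceware words for 256 : {words_needed(256)}")
    print(f"seed search cost, BIP39: 2^{effective_cost_bits(256, BIP39_ROUNDS):.0f}")
    print(f"seed, no passphrase    : {bip39_seed(sample).hex()[:16]}...")
    print(f"seed, with 25th word   : {bip39_seed(sample, 'extra').hex()[:16]}...")
```

To compare a password manager's database with the seed itself, pass the manager's configured KDF iteration count and the master password's entropy to effective_cost_bits alongside the 256-bit / 2048-round figure for BIP39.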
newbie
Activity: 10
Merit: 4
If you can, use at least 8 random words, there are examples everywhere of how to do this...

Can you send me some links on this? I cannot find anything on adding words to increase the security of your 24-word seed.
newbie
Activity: 10
Merit: 4
It is not safe if you are using KeePass in online mode rather than on an offline/air-gapped PC; this should be offline forever to keep your seed safe on your PC.
Any documents or important backups like a 24-word seed are always safe to store on a PC which is completely offline (never connected to the internet).

Since this is related to a hardware wallet, are you planning to use the Ledger hardware wallet on the PC with Ledger Live? It needs the internet, so if you use your PC online it is not safe to save the "24-word seed" in KeePass even if this software is offline. We don't know exactly whether this password manager is sending any data when the PC is connected to the internet.

Unless you are a programmer and you can verify that it is running completely offline and not sending any data from KeePass to the internet when the PC is online. But for those of us who don't know if KeePass is safe while connected to the internet, we will always choose to save it to paper wallets instead, or save it somewhere safer than KeePass.

Would it be safe to use a computer you used to boot up into Tails OS offline and save the 24-word phrase into a KeePass file? Or should I get a brand new cheap computer, boot up into Tails OS offline and save the 24-word phrase into a KeePass file?
legendary
Activity: 2954
Merit: 2145
If it's encrypted, it's not different from a password-protected wallet file.

By password-protected wallet files, are you referring to an encrypted JSON file?

I was thinking about Electrum, since JSON files are usually used by Ethereum wallets, but they both count as password-protected wallet files. Just make sure to make a really, really good password, and come up with a method for backing up said password, because if someone steals the file, they could spend as much time as they want on trying to brute-force it.
newbie
Activity: 10
Merit: 4
If it's encrypted, it's not different from a password-protected wallet file.

By password-protected wallet files, are you referring to an encrypted JSON file?
legendary
Activity: 2954
Merit: 2145
I always read online, when it comes to storing your 12 or 24 words, never to store them digitally. I assume this is because most people will put them in an unencrypted file like a TXT or DOCX file and not use a password manager like KeePass.

I was thinking of using Tails OS offline to create a new KeePass file and enter the 24 words in the file, save the file and put it on a USB stick. Turn off Tails OS. And make copies of the KeePass file onto other drives.

You are correct; by storing digitally, people often think about storing it in plaintext. But using strong encryption with a strong key makes it much safer. It's still better to not have your encrypted seed on an online machine or the cloud, but storing it on a USB stick and using it offline with Tails is perfectly valid. If it's encrypted, it's no different from a password-protected wallet file.