Most of these apply to cold storage (i.e., using a hardware wallet or similar device whereby you have full control over the private keys to access your crypto wallets.
1) The “25th word”
Recovery seeds – which are used to access a crypto wallet when you cannot remember your device’s PIN or password – usually consist of a 12,18 or 24-word seed phrase, ideally the latter.
Keeping this backup set of words is as important as ensuring your wallet’s private key remains secure.
However, what happens if someone steals your device or finds a way to access the recovery seed?
Well, you’d be in a lot of strife…unless you’d created the so-called “25th word”.
It is a passphrase that works on top of your recovery seed when trying to regain access to a crypto wallet private keys.
Unlike every seed phrase provided to you in a specific order when you set up your crypto wallet the first time, you choose the 25th word.
Strictly speaking, this should be a phrase instead of a word, just like when you set up a passphrase to access any account in general. Following this will make it unfeasible for hackers to try and compromise a password with this combination and more than 18 characters in length. This colour-code table puts it all into perspective.
After seeing this, no sane person would underestimate the importance of creating a robust and lengthy passphrase, not to mention setting up two-factor authentication (2FA).
Source: Hive Systems
Trezor’s equivalent is the custom passphrase you can set up when signing into your wallets through a Trezor device. This option is available for both available models: One and Model T.
As a best practice, you should create a unique passphrase containing numbers, upper and lower-case letters, and symbols, e.g., ‘Trezor.BTC.secure.crypto.2023’.
Trezor refers to this as a passphrase connected to your recovery seed and crypto wallet, not the physical hardware wallet.
Your PIN protects your device from being used. Your passphrase protects your seed/wallet from being used.
Trezor Blog
This extra level of security acts as a double-edged sword. Despite the additional protection this offers, you need to use a unique, memorable passphrase that only you know.
It is usually advised never to write it down, which can be a stretch, particularly if you are worried about not memorising the exact sequences of case-sensitive letters, numbers and special characters.
If it were me, I would write it down, but I’d keep it separate from the associated wallet and recovery seed(s). As this acts as a de-facto 2FA, the 25th word/passphrase is useless without the recovery seed, and vice versa. Thus, you need to consider the balance between security and convenience.
As always, you do you.
2) Shamir backup
This system is based on Shamir’s Secret Sharing, named after the Israeli cryptographer Adi Shamir.
It is an enhanced form of seed recovery, which, if you choose to opt into this, means that you need to supply a minimum number of 20-word seed sets, which is usually a majority (e.g., 2/3, 3/5, 4/7, etc.), to re-access your wallet.
Thus, adopting this type of backup provides additional wallet security when one recovery seed has been compromised. One recovery seed is meaningless when we need multiple sets to access a crypto wallet. Moreover, this setup further distributes points of failure and allows you to share a set with different people.
In terms of popular hardware wallets, The Trezor Model T is a notable choice that offers this type of advanced backup strategy. Note that the entry-level Trezor One does not provide this option.
Regardless of whatever crypto wallet you choose, they should support the Bitcoin Improvement Proposal: 39 (BIP-39), which includes the application of mnemonic seed phrases, i.e., recovery seeds, that I have discussed so far.
Just because a hardware wallet does not support Shamir backup does not mean it is an inferior choice. There are other security characteristics incorporated into different wallets that will help protect you from hackers and fraudsters aiming to steal your digital assets. The following two are some of the most important ones.
3) Secure chip
Bitbox and Ledger’s products contain a secure chip that protects your wallet from physical tampering.
Does the absence of a secure chip in Trezor devices mean you should refrain from using them? No, unless you are deeply concerned about someone physically stealing your device and breaking it open, which, in most cases, is unlikely.
These are still very good alternatives to many options, and they have extensive compatibility with a vast swathe of blockchains and their corresponding coins and tokens.
Having said this, if you know that an option on the market is open-source and contains a secure chip, such as BitBox, it might be worth exploring, particularly for peace of mind.
4) Multi-signature wallets (multi-sig/multisig)
Multi-sig wallets represent an advanced form of personal crypto security, which involve authorising transactions using more than one key.
According to Bitcoin and open-blockchain expert Andreas Antonopoulos, this can come in two forms:
– Multi-party multi-sig – This involves allowing other trusted people who are (ideally) confident in generating keys for authorising signatures. However, as Andreas explains, this comes with its drawbacks.
– Multi-factor multi-sig – You maintain control of the various types of equipment that can each produce keys. This idea incorporates elements of 2FA (a.k.a., multi-factor authentication), whereby you have two or more devices that can provide you with a unique code to authorise a transaction and the quorum system found in Shamir backup.
Electrum Wallet is one of the longest-lasting reliable open-source Bitcoin wallets that contains multisig as one of its key benefits for enhanced security. This can be used as a standalone feature by storing your private keys on your desktop or laptop through various options. It can be accessed via a compatible hardware wallet, which includes most of them nowadays.
For anyone wanting to create multi-sig via Electrum Wallet, I came across this resource containing a step-by-step guide. BitBox also provides a run-down of how multi-sig works through its devices in this blog entry.
As this is a more sophisticated feature – something that many deem overkill for most people, myself included – this can be too inconvenient for most people, especially if one opts for a multi-party multi-sig approach.
5) Frequently check for the latest firmware and app updates
Consider this a useful and essential reminder for all of your devices that we regularly use. It is one of the first things I check when connecting to a hardware wallet I haven’t used in a while.
In fact, most in-house hardware wallet apps should prompt you to do a device firmware and app update if their systems detect that a new version is available.
Doing this is not just for security reasons. Device updates are also highly recommended to improve the user experience by resolving system bugs, which often lead to programs crashing or malfunctioning in some way.
On this note, I have a cyber security PSA. It is common to receive a bogus email from a scammer posing to represent a non-custodial wallet service you have interacted with at least once. They will compel you to click a link to avoid “risking account deactivation”, “service, termination”, etc. and try to get you to reveal your recovery seed or even certain words.
Never reveal this seed to anyone. Any official hardware wallet will remind you of this when you write down this seed phrase, as shown below.
Photo by rc.xyz NFT gallery on Unsplash
6) Using a unique address for each transaction
If you’re on top of this one, you’re already ahead of most people.
Why should you avoid reusing wallet addresses? This prevents creating digital signatures that are linked to coins being spent from a particular address.
When a wallet address is reused (especially several times), it reduces anonymity on Bitcoin and could open up the possibility of a hacker obtaining private keys from these signatures.
The risk, for now, is still low, but this will become increasingly likely with the growth of quantum computing being able to (one day) crack modern-day cryptography; thieves will be looking for the lowest-hanging fruits first.
“When you spend from an address, you leave behind a public key and an additional signature, whereas Satoshi never spent, never moved any of the initial mined coins.”
Andreas Antonopoulos
What happens if you have already reused an address? There is a way to make it much more difficult for anyone to trace Bitcoin transactions, particularly to stop hackers from linking a Bitcoin wallet to one’s identity.
Enter Coinjoin.
7) Coinjoin
Coinjoin is an optional feature available exclusively for Bitcoin transactions on the Trezor Model T, whereby you maintain full control and responsibility for the private keys and can increase your privacy when interacting on Bitcoin’s network.
In a nutshell, it works by numerous (reportedly, hundreds of) users simultaneously by sending their Bitcoin to themselves via a transaction “pool” that divides the total amount into smaller, equally-sized fragments of BTC and is jumbled with others.
The original quantity is returned to each participant, albeit with mixed pieces previously belonging to another user.
Here is a clear and concise video illustrating what you need to know.
It is available through Trezor wallets and is accessible via their in-house app, Trezor Suite. For anyone who uses a Ledger or BitBox, this can be accessed through the Sparrow Wallet.
Before continuing, I neither recommend nor discourage you from using Coinjoin or similar services for additional privacy or anonymity. Do your due diligence before proceeding with any related systems, as you are fully responsible for how you use these.
Furthermore, I came across this YouTube video from Bitcoin University, who is against using Coinjoin, let alone Trezor in general. You be the judge on this one.
8) Air-gapped crypto wallets
I have left this one as a final option as this type of hardware wallet is not as common as most alternatives. I don’t see this as an essential security feature, but advantageous nonetheless.
In brief, air-gapped wallets are a subset of cold storage choices that are always fully disconnected from the Internet – no USB socket, wireless connectivity, nada.
So how do these devices connect to the outside world? This is usually achieved through QR codes or micro-SD cards.
Two choices that come to mind are the Ellipal Titan, the SafePal S1 and the Keystone Pro, although others exist, and more will enter the market in due course.
Check out this piece from Binance Academy for a useful synopsis of how these work and comparisons with other alternatives. SafePal also offers an explanation of the air-gapped signing mechanism.
Final thoughts
Every wallet has a range of pros and cons, and each device contains varying security features for different needs and wants. Certain individuals will prefer convenience and moderate-to-high security over an alternative it is primarily designed to keep your assets safe.
Ultimately, do what works best for you and how you interact with your digital assets, provided you maintain sufficient control over them.
The crypto industry has rapidly matured, so many more devices, features and use cases have come onto the market since Bitcoin’s humble beginnings in 2009.
I am a fond believer in giving people options, and we have reached a point where there is something for everyone wanting to get involved with crypto.
All of the information throughout this article reinforces the need to keep a significant portion of your BTC or other preferred crypto assets in cold storage, as this combination of security features discussed throughout this provides unrivalled control over your digital assets.
How much you choose to keep on a hot (online) wallet, usually through an exchange, is up to you. Just be mindful of the trade-offs of using these third-party services to custody your funds.
What important security considerations should I have included in this list? What are your priorities when keeping your crypto wallets safe from bad actors? I look forward to your comments.
If you enjoyed this article, I recommend following my Medium page for regular reports about crypto assets, blockchain technology, and more. Feel free to check out my publication as well, Crypto Insights AU.
Thanks for your support.
Disclaimers
- N.B. None of this is financial advice; I am not a financial advisor. You are solely responsible for crypto investments, let alone in any asset class.
- The opinions expressed within this piece are my own and might not reflect those behind any news outlet, person, organisation, or otherwise listed here.
- I received no incentive to discuss any of the products listed here. I have included an affiliate link below, where I receive a small commission if you purchase any goods via the included referral link.
- The use of Hive Systems’ table does not represent an endorsement of this article.
- Please do your research before investing in any crypto assets, staking, NFTs and other product affiliated with this space.
Featured image by VectorManZone on Shutterstock