Taipei Talk

Sharing various AI applications; blockchain learner, web3 newcomer ("new leek")

Security and Wallet (Part One)


There has always been a saying in the cryptocurrency world: "not your key, not your coin." The core of cryptocurrency is that everyone can have absolute control over their own assets. Strangely, though, even though cryptocurrency lets us truly "control" our assets, we worry more about their security. The reason is that decentralized assets come with decentralized risk: mnemonic leakage, signature fraud, and phishing authorizations are hard to guard against, and even the developers of security plugins cannot guarantee security.


Wallets and Security

Preventing phishing works much like an anti-fraud app: it always comes down to a few methods, namely signing only what you see, recognizing phishing URLs, safeguarding mnemonics and private keys, and checking authorizations. Beyond these issues, hot wallets also face wallet software vulnerabilities and installation packages tampered with by attackers, so many people choose cold wallets or hardware wallets. However, the Ledger Connect Kit and Ledger recovery incidents have made me rethink cold wallets (hardware wallets and cold wallets are different categories; please note the distinction in the text below).

Ledger Connect Kit Hack

ledger recovery

Hardware Wallet = Security?

First of all, why do customers choose hardware wallets? Because they value security. The core of hardware-wallet security is offline storage of the mnemonic and offline signing. To deliver that, hardware manufacturers have racked their brains, using encryption chips certified at various levels, and developers actively adapt to various wallets and networks so that users can use them normally. However, the Ledger Connect Kit and Ledger recovery incidents have greatly undermined that security. No matter how careful users are, they can resist phishing authorizations on phishing websites, but they cannot resist vulnerabilities in the development tools themselves. Ledger recovery has also shown that the claim hardware wallets make, that "the private key can never leave the wallet", is a lie.
On the other hand, security and interaction are in tension: the more you interact on-chain, the more likely you are to be targeted by hackers and have assets stolen. Moreover, on public chains like Ethereum, where gas fees are expensive, there is no need for frequent on-chain transactions. So reducing the number of interactions is the "right path"! I personally follow this philosophy and choose a purely offline cold wallet.


Cold Wallet

Cold wallets are divided into paper wallets, steel wallets, brain wallets, etc., according to the storage medium. "Multiple media, off-site backup" is the principle for storing mnemonics securely, so I use the wallets above as backups for each other. Generally speaking, it is best not to store a mnemonic in plain text, so when copying a mnemonic onto a paper wallet, some form of encryption should be used whenever possible. The encryption should not be too complex: shifting the order of letters or replacing one or two words is enough, and anything more elaborate will only get in the way of your own use.

Many people advise against brain wallets because we should not trust our memory too much; we may forget over time. I agree with this view, but I also think a brain wallet can serve as one backup method. In short, we can use a brain wallet, but we must also have other ways to back up. As for how to memorize, you can watch videos by memory champions; it is actually not difficult, and simple training is enough, but you should compare your recollection against the other backups regularly to catch memory drift.

Finally, there is the steel wallet, my personal favorite storage method, since its security is generally higher than the other two. Simply put, it means engraving the mnemonic on metal. In the next article I will introduce steel wallets in detail and give some selection recommendations.
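The "compare regularly" advice above raises a practical question: how do you check that a phrase recalled from memory matches the paper or steel copy without having to read the whole phrase out loud, and how do you tell which word drifted? The script below is an added example for this post, not code from Taipei Talk or from any wallet project. It assumes the backups are BIP39-style word lists typed in by hand; the sample phrase is the public all-"abandon" BIP39 test phrase, used here as a constructed stand-in for a real mnemonic, and the fingerprint scheme is this example's own design.

```python
"""Compare mnemonic backups held on different media and locate any drift.

Added example, not code from the original post. Assumes BIP39-style
word-list backups; the sample phrases below are constructed.
"""
import hashlib
import unicodedata

# Constructed sample: the public all-"abandon" BIP39 test phrase stands in for
# a real mnemonic. Never paste a real phrase into a script on an online machine.
PAPER_COPY = ("abandon abandon abandon abandon abandon abandon "
              "abandon abandon abandon abandon abandon about")
# The same phrase as recalled from memory: one word wrong (position 5),
# plus stray capitals, doubled spaces and a line break.
BRAIN_COPY = ("Abandon abandon abandon abandon  ability abandon\n"
              "abandon abandon abandon abandon abandon about")


def normalize_mnemonic(text: str) -> list[str]:
    """Return the phrase as a canonical word list.

    BIP39 specifies NFKD normalization of the words. str.split() with no
    argument collapses any run of whitespace, including the ideographic
    space (U+3000) that separates words in the Japanese wordlist, so two
    copies that differ only in case, spacing or line breaks compare equal.
    """
    return unicodedata.normalize("NFKD", text).lower().split()


def fingerprint(text: str) -> str:
    """Short SHA-256 check value of the canonical phrase.

    A 12- or 24-word mnemonic carries 128-256 bits of entropy, so the hash
    cannot be inverted by brute force and can be written next to a backup
    as a check value. Do not apply this to low-entropy secrets such as a
    short passphrase, where the hash would be guessable.
    """
    canonical = " ".join(normalize_mnemonic(text))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()[:16]


def compare_backups(a: str, b: str) -> dict:
    """Report where two backups disagree without revealing any words.

    Returns the 1-based positions whose words differ plus both word
    counts, so the user knows exactly which slot to re-check on the other
    media. Positions present in only one copy are reported as differing.
    """
    words_a, words_b = normalize_mnemonic(a), normalize_mnemonic(b)
    differing = [i + 1 for i, (x, y) in enumerate(zip(words_a, words_b)) if x != y]
    shorter, longer = min(len(words_a), len(words_b)), max(len(words_a), len(words_b))
    differing += list(range(shorter + 1, longer + 1))
    return {
        "count_a": len(words_a),
        "count_b": len(words_b),
        "differing_positions": differing,
        "match": not differing,
    }


if __name__ == "__main__":
    # Expected: fingerprints differ and position 5 is flagged.
    print("paper fingerprint:", fingerprint(PAPER_COPY))
    print("brain fingerprint:", fingerprint(BRAIN_COPY))
    print(compare_backups(PAPER_COPY, BRAIN_COPY))
```

Run it on an offline machine. Only the fingerprint and the differing positions are printed, so the output can be read off or noted without the phrase itself ever being displayed; if the fingerprints match, every word and its position agree across the two media.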
