Introduction
One of cryptocurrency’s most important advantages is that crypto tokens can be held by a user without any trust in a bank, company, or online service. They belong to you, like cash in your hand. Of course many people choose to trust their crypto to services like exchanges or custodial services – but you always have the option of holding your crypto yourself.
Holding your own crypto ultimately means that you – and only you – control the cryptographic “key” that has the exclusive power to send tokens from your account on the blockchain to somebody else. The common phrase “not your keys, not your crypto” means that if you’re trusting an exchange or other third party with your crypto, they control those keys and ultimately you’re trusting that they’ll do the right thing with your tokens.
Holding your own crypto is typically done with what’s called a “wallet”. People often talk about a wallet “holding tokens”, but really the tokens are always held in an account on the blockchain network. The wallet’s real function is to securely hold the cryptographic key that lets you unlock that account and do things with tokens held there.
So while wallets take many forms, they all share that most important function: holding a key. That key is just a long string of letters and numbers. It’s like a very long password, but it can’t be changed. If a wallet has an account’s key, it can cryptographically “sign” transactions using it, which lets you send tokens to anyone or use your tokens to interact with smart contracts. You’ll sometimes hear terms like “seed phrase”, “mnemonic”, “backup phrase”, or “private key”. Really these are just different ways of defining that key that the wallet must securely hold.
Software vs Hardware Wallets
The first form of wallet created alongside blockchain technology was the software wallet. This is a piece of software that helps a user create a key, securely hold it, and use it to conduct transactions. Most blockchains have at least one software wallet option available that lets users easily hold tokens on that network. These might be desktop apps (like Exodus or Electrum), mobile apps (like Mycelium or Argent), or even web browser extensions (like Metamask).
As cryptocurrencies became more and more valuable, being very careful with an account’s key became extremely important. Because it is increasingly common for PCs and mobile phones to be hacked, another option was desired. A new type of wallet was invented: the hardware wallet.
Hardware wallets (like Ledger or Trezor) are essentially miniature PCs that can run very tiny, simple apps that know how to hold the keys for different blockchain networks. They typically must connect to a desktop wallet app, browser extension, or webpage on a PC that provides most of the user functionality – like viewing account balances and creating transactions.
When it comes time to make a transaction, the desktop application creates an “unsigned” transaction (which is not yet valid without the signature) and passes it to the hardware wallet for signature. The hardware wallet shows the tranasction’s contents to the user for approval and signs the transaction using a key that never leaves the device. It then passes the signed transaction back to the desktop application which can then submit it to the blockchain but has no ability to modify its contents post-signature.
This makes it nearly impossible for someone else to steal and use that key – unless of course they steal the hardware wallet device from you and discover your PIN to unlock it!
(Hardware wallets are also highly attractive targets for attack since they are virtually guaranteed to protect valuable tokens; always make sure you buy your hardware wallet from somewhere you can trust to provide a genuine device.)
Using a Software Wallet Securely
Using a hardware wallet, however, isn’t the only way to securely protect your keys and your crypto. While hardware wallets make it easy, careful use of a software wallet can also be very safe. I’ll mostly talk about the use of desktop software wallets, since these are the most common and flexible – and much less likely to be accidentally lost!
It’s best to think of the software wallet as part of a system that includes the wallet software, the computer it runs on, and how you backup the key the wallet holds. This means that in order to trust that system, you need to be able to...
- Trust the wallet software
- Trust the computer
- Trust the backup
Trust the wallet software
The first step is to make sure that you can trust the wallet software itself. Because this software creates your key and must have access to it, a malicious wallet could easily steal your crypto.
The most common mistake here is downloading the wallet from a website you think is genuine, but is actually serving a malicious copy. Ways to avoid this include:
- Directly type in the URL of the wallet’s website.
- If using Google, make sure you don’t follow ad links that look like search results.
- Double check for URLs that look very similar to the real URL – like www.coo1wallet.com instead of www.coolwallet.com
- Never follow links directly from social channels like Telegram.
- Use links from reputable news websites.
And of course never trust wallet software that is not recommended by the blockchain’s creators, or otherwise is not well known. Good software wallets are open source, so that the community may ensure that it has no secret backdoors or openings for attack.
Trust the computer
Second, and perhaps most importantly, the computer the software wallet runs on must be secure. Many pieces of virus software or malware can infect desktop PCs and can be used to grab your keys without your knowledge. This can happen in many ways, such as:
- Key-loggers can capture everything you type and watch for sequences of numbers and letters that look like a crypto key
- Screen-grabbers can observe your screen and capture a seed phrase or mnemonic when creating it, or when asking the wallet to display it later
- Malware can scan your harddrive for unencrypted files that contain crypto keys
There are three layers to maximizing the security of your computer for use of a software wallet.
Protect the PC itself. Encrypt your computer’s hard drive with a strong password in case it is lost or stolen (this is a built-in feature of most OSes these days). Don’t back up your computer to a cloud service like iCloud. Never interact with your software wallet in a public place where you might be observed by people or cameras.
Prevent viruses and malware from getting onto your PC. The best way to do this is called “air-gapping”, meaning that you only connect the computer to the internet when required to use the wallet – otherwise turn off WiFi and disconnect the ethernet entirely. Typically this is done with a dedicated computer used only for your crypto wallets. Next best is to minimize the use of web pages, cloud services, browser extensions, and downloaded programs that may be vectors for malware. And if you must use your general PC for your software wallet, consider using reputable anti-virus software (be careful and do your research - some anti-virus can actually open new vulnerabilities) and always be careful about the links you click and software you download.
Minimize the opportunities for malware to grab your keys. If you must view your seed phrase, mnemonic, or private key – do so for as little time as possible. Avoid copying them to your clipboard, and certainly never paste them into a notepad or a file that you save on your computer. Don’t use your crypto wallet while running many other pieces of software. And be especially careful when first creating your account (and its key) in the software wallet when it can more easily be captured.
Trust the backup
The first two parts of your software wallet system are the most important, but this one is easy to do badly. Holding your own key doesn’t just mean that you must protect it, it means you have to back it up. If you lose your key, your account and its tokens will forever be out of your reach.
Most software wallets provide a method of backing up your key so that you can recover it if something happens to the computer or the wallet software. Sometimes this is in the form of a seed phrase, backup phrase, or mnemonic that you are encouraged to write down and can type in later to recover your account. Sometimes you can create a backup file that you can import to recover your account. Sometimes it’s simply showing you the private key itself.
The important thing to remember here is that the backup provides access to your account and tokens just as much as the software wallet itself. So you must ensure that nobody else can possibly get their hands on it. There are many ways to do this, and only you can decide which best suits your needs.
Some good examples of backing up:
- Write a seed phrase or backup phrase down on a piece of paper, in a private place where nobody can observe you, and store it somewhere that nobody would guess. (Some people even etch them into pieces of metal so that they are less fragile!)
- Save a backup file to a flash drive and store it somewhere that nobody would guess. (And test recovering from it occasionally to make sure it works!)
- Enter a seed phrase or private key into a secure password manager like 1Password. (But keep in mind that your 1Password master password now protects your crypto - it must be extremely secure! Some people use an offline 1Password vault, without a cloud sync, for better security.)
- Periodically make an encrypted backup of the computer running the software wallet to a portable backup hard drive connected directly to the computer, and store this drive someplace nobody would guess.
Some bad ways of backing up:
- Storing a seed phrase, backup flash drive, or backup hard drive in an obvious location in your home, or in a bank’s safe deposit box (you’d be surprised how often people use social engineering to gain access to others’ safe deposit boxes – they’re nearly guaranteed to have something valuable inside!)
- Saving a backup to Dropbox, iCloud, or another “cloud backup” solution
- Putting seed phrases, keys, or wallet passwords in Notepad or an unencrypted file on your computer – or worse, a cloud document
- Not backing up at all!
Conclusion
While hardware wallets are a great tool for good crypto security, securely-used software wallets still provide a good option that can offer more powerful features, offer options for smaller blockchains, and avoid a single point of failure of a hardware device. Just make sure you understand how to create a system where you can trust the wallet software, trust the computer, and trust the backup.
A concrete example of a strong software wallet system?
- Grab an old laptop, completely wipe its hard drive, reinstall the OS from scratch. Don’t be lazy about this!
- Make sure you know how to turn off its WiFi capability (not just disconnect from your hotspot), turn on full disk encryption, and disable all cloud features.
- Turn on WiFi only when needed, and fire up its web browser only to download software wallets from the creator’s official websites, carefully checking for copycat sites. Avoid running email, browser extensions, or any unnecessary software.
- When setting up each wallet, write down backup phrases provided and immediately store them out of sight in a surprising location. Buy a portable hard drive and periodically back up the computer to it, and store it in a different location than your backup phrases (this could be a safe deposit box since it is encrypted).
- Keep the laptop out of sight when not in use, and do not travel with it (travel is one of the best reasons to use a hardware wallet device).
A system like this can give you confidence in holding and using the widest possible range of cryptocurrencies – and at the same time you’ll be learning good practices protecting your general PC from an increasingly dangerous digital world of invasive viruses and ransomware.