Creating a Secure Environment for your Cryptocurrency Hardware Wallet

In this brief blog post I will discuss what I believe to be good practices to follow during the set-up and day-to-day usage of a Cryptocurrency hardware wallet; specifically the Ledger Nano S because it’s the one I use. This advice should still be useful for other hardware wallets as they’re all quite similar.

  • Don’t be this guy – never buy a hardware wallet from untrusted sources like eBay, Gumtree, Craigslist, etc. Always buy your hardware wallet from the official store (this is a referral link – if you found the article useful, use it!).
    Remember – you’re acting as your own bank from now on – can you really trust your vault (the hardware in this case) hasn’t been tampered with by some random seller on eBay?
    Is it worth the risk just to save £10 – £20? (the answer is no! 🙂 )
    Be very suspicious if you have received a device that does not ask you to go through the set-up process (i.e., it’s already been configured) or if you have received a device with a seed written on a piece of paper. Immediately contact Ledger support and do not use the hardware wallet.
    I would strongly recommend purchasing two hardware wallets – for peace of mind more than anything. It’s useful to test the recovery process and have a backup ready to go in case anything happens to the first. Also, it will come in very handy if your seed is lost or compromised as it could be the only way to quickly transfer your funds from the compromised wallet to a brand new one.
  • When going through the set-up process you’ll be presented with a 24-word seed. This seed is unique to you and you alone (the chance of collision with someone else is almost non-existent). The 24-word seed is essentially your private key – this is the only thing standing between an attacker and your Cryptocurrency.
    Make sure no one can see this seed as it presents itself on the screen. In the box will be a thick piece of paper with space to write down the 24 words – this is your only way of recovering your Cryptocurrency in case your Ledger wallet is lost or stolen. Write down the first 12 words on the piece of paper. If you can, laminate it and put it somewhere hidden and safe. In your house… your parent’s house… a safety deposit box in a bank, as long as you trust the person/place it doesn’t really matter too much as we’re only writing down the first 12 words here.
    The last 12 words – write this down in a password manager that you use such as LastPass. Make sure your password manager has strong protections around it – i.e., strong password and 2FA at the very minimum.

    For the extra paranoid: write down words 13-18 in your password manager from your computer then write words 19-24 in the same password manager but from your mobile device. This way if your laptop has a key-logger or similar malware then the attacker won’t have access to the entirety of the last 12 words.

    In LastPass you can mark a secure note as ‘Require Password Reprompt’ – use this.

    Don’t do this: I’ve seen a number of articles and threads on forums which advise people to store multiple copies of their 24-word seed in multiple locations – this is bad!!! You don’t want to store the (private) keys to your digital wallets in multiple places unless you really, really trust those locations and even then I wouldn’t advise it… I wouldn’t even trust my entire 24-seed word in a bank safety deposit box.

  • Choose an 8-digit PIN (or more if your hardware wallet supports it! The Ledger wallet supports a maximum of 8 digits as of this post). Don’t use the same PIN as you do on your phone or anywhere else. For example, your mobile provider probably stores your voicemail PIN in clear-text and it is probably retrievable by any customer service rep. If a malicious rep knew you had a hardware wallet, they could steal it and hope you were silly enough to use the same PIN for your wallet. Extremely unlikely I know, but we want to get into the habit of taking good security measures.
  • The Ledger Wallet comes with a key-ring strap – don’t use it. Why anyone would want to walk around advertising their hardware wallet is beyond me. If you need to carry it around then keep it hidden.
  • Advanced: use a passphrase if you’re concerned about your 24-word seed being compromised or if you live somewhere where being beaten up in an alley and forced to give up your possessions is part of your daily routine. No matter how much money you have in your wallet, it’s not worth giving your life up for. Plausible deniability is your best friend in this instance.
    Remember how I said that your 24-word seed allows you/an attacker to reconstruct your private key and wallet? Well, a passphrase is like 24 words + 1 of your choosing. This passphrase is associated with a secondary PIN and gives you access to another ‘hidden’ wallet. Yes, that means you can log in to your wallet using two different PINs. So there are two scenarios:
    (i) your 24-word seed is compromised – well, it doesn’t really matter because the attacker will need to know the additional passphrase to get into the hidden wallet. As long as the attacker doesn’t know the passphrase, you’re relatively safe, though you should definitely work on getting your funds to another hardware wallet with a brand new seed as soon as possible if you find yourself in this scenario.
    (ii) you’re forced to give up your PIN – no worries, give the attacker your main PIN and not the secondary PIN which is associated with your hidden wallet. They never need to know about your secondary/hidden wallet.
    For plausible deniability, make sure you have a bit of cash in the main wallet so it looks like it’s an active wallet. Also don’t tell the attackers you’ve visited my blog otherwise you’re really in trouble.

    For more information on this feature, see this article. I’ve listed this as an advanced feature because you’re in big trouble if you forget your passphrase!
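To make the “24 words + 1” idea concrete, here is an added example (not code from the original post or from Ledger) that derives the wallet seed the way BIP39 hardware wallets do: the mnemonic and the passphrase are fed through PBKDF2-HMAC-SHA512, so a different passphrase yields a completely different wallet, and there is no error for a wrong passphrase – you simply land in an empty wallet, which is exactly why forgetting it is so dangerous. The mnemonic and passphrases below are constructed placeholders.

```python
import hashlib
import unicodedata

# Constructed placeholder mnemonic for illustration only. A real seed is
# generated on the device and should never be typed into a computer.
MNEMONIC = ("abandon " * 23 + "art").strip()


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 64-byte BIP39 seed from a mnemonic and optional passphrase.

    BIP39: seed = PBKDF2-HMAC-SHA512(password = NFKD(mnemonic),
                                     salt = "mnemonic" + NFKD(passphrase),
                                     rounds = 2048, dkLen = 64).
    An empty passphrase gives the 'main' wallet; any other string gives a
    different, independent 'hidden' wallet.
    """
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, dklen=64)


def wallet_seeds(mnemonic: str, passphrase: str) -> dict:
    """Seeds behind the two PINs: main (no passphrase) and hidden (passphrase)."""
    return {
        "main": bip39_seed(mnemonic),            # what the first PIN unlocks
        "hidden": bip39_seed(mnemonic, passphrase),  # what the secondary PIN unlocks
    }


def same_wallet(mnemonic: str, passphrase_a: str, passphrase_b: str) -> bool:
    """True only if both passphrases open the same wallet (byte-for-byte equal seed).
    A single typo or stray space produces a different wallet with no warning."""
    return bip39_seed(mnemonic, passphrase_a) == bip39_seed(mnemonic, passphrase_b)


if __name__ == "__main__":
    seeds = wallet_seeds(MNEMONIC, "correct horse battery")
    for name, seed in seeds.items():
        print(f"{name:6s} {seed.hex()}")
    print("typo opens same wallet:",
          same_wallet(MNEMONIC, "correct horse battery", "correct horse battery "))
```

Knowing all 24 words (the “compromised seed” scenario) only gets an attacker the `main` seed; without the exact passphrase string the `hidden` seed is unreachable.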

That’s all the advice I have for now – If I think of anything else, I’ll add it to this article.