Wallets and Backups: How to Secure Your CryptocurrencyReading Time: 8 minutes
When buying Bitcoin or other cryptocurrencies, proper security is essential. Perhaps you already have some sitting on the exchanges. However, we all know that exchanges are vulnerable to attack. Whats more, unless we control the private keys, the coins aren’t technically ours. In this guide we’ll take a tour through the options when it comes to securing cryptocurrency.
Crypto vs. Fiat
Traditional currencies, issued by governments and used for paying taxes, are referred to as “fiat” currency. Among the risks of keeping our wealth in state sponsored currencies, fiat money is not linked to physical reserves and has an uncapped volume, constantly at risk of hyper-inflation. For example, the US dollar is the current global currency, and has seen an average of 2.88% inflation per year since 1900. You currently need $30 to buy what $1 used to purchase.
Many cryptocurrencies, including Bitcoin, are non-inflationary. Once 21 million Bitcoin have been mined (around 2140), no more will ever be produced. Until then, their supply grows at a fixed and decreasing rate. Bitcoin is non-inflationary, decentralized, and unattached to any governing body. These properties make it a good store of value for those who don’t want to rely on central banks. We’re used to getting paid with our local currency, produced by a central bank, secured at a local bank. The security of our crypto-assets is entirely in our hands. That is a privilege granted by Bitcoin and its progeny. Besides the matter of reducing the trust required for securing currency and transactions, with the potential of blockchain and the many innovations it inspires — it’s easy to find a reason for owning cryptocurrency.
The first thing we need is a password manager. Today, more than ever, these tools are a necessity. They are especially important for managing the keys to your wallets, as well as any exchanges or other crypto services. These tools can create and hold onto all of the long, complicated, passwords necessary to keep your assets safe. There are two different types of password managers: cloud-based, and local storage. They both encrypt your long and complex passwords making them accessible with one easy to remember password. Cloud-based managers make it convenient to access your passwords from any device. LastPass is cloud-based and the among the most trusted and widely-used password manager, despite having been breached in the past.
I use KeePass. It’s simple to use, available in desktop and mobile versions, and stores my encrypted passwords on a local disk — not on a central repository of encrypted passwords in the cloud. It’s important to regularly make a backup of your password file, and keep a spare copy in a safe place. The keys in this password manager are the only way to access your digital currency, and are automatically cleared out of memory after you use them. You may want to have paper unencrypted copies in different secure locations, such as a fire-proof safe in your house and\or a safe at the office. Passwords in a safety deposit box should be encrypted for added security. Although typically considered secure, there have been reports of safe deposit boxes mysteriously being emptied by bank staff with no record.
Two-Factor Authentication (2FA)
Having a strong password is only one aspect of proper security precautions. There are often phishing sites that pretend to be a service you typically use for accessing funds. There are also password sniffers that can be hidden in software that you are tricked into using. An essential part of your security mindset should be suspicion towards any site asking for your credentials, even when it looks like the site you were heading to. Often the address of these sites are only slightly different than the site they are spoofing. Don’t forget about data breaches; several major web services have had their entire database of login credentials stolen, leaving millions vulnerable. Many users whose data became exposed still use the same or similar passwords for multiple services.
The idea of 2FA is to add a second layer of security, in the case that your password should become compromised. Authentication by SMS is the least secure of these, and some notable figures in cryptocurrency have lost significant sums when their numbers got spoofed. Perhaps being compromised by telco insiders, or compromised by social engineers who call the company and pretend to be that person and get the sim forwarded. Email authentication is more secure than SMS, but still not the best. The most effective method is using a 3rd party authenticator, such as Google Authenticator. This tool can be installed on another device besides your phone and doesn’t require an internet connection to function. When activating 2FA, many services give you a recovery key. Make sure you keep a copy of this recovery key safe, in case your device is lost, stolen, or must be replaced.
There are five different types of wallets available for crypto: Web, Mobile, Desktop, Hardware, and Paper. They each have advantages and disadvantages. Generally speaking the most secure and private are the least convenient. Within each category, there are a variety of options; each balancing privacy, convenience, and security in their own way. Finding the proper wallet is a personal journey, it’s important to do your own research to find wallets that suit your particular needs. The information in this guide will help you to understand the security trade-offs when using each of these types of wallet. We’ll start with the most convenient \ least secure and work our way down.
Online Wallets and Exchanges
These are cloud-based services, accessible from any device with an internet connection. Online wallets are the most convenient, and least secure way to store cryptocurrency. The problem with most online wallets is that the wallet providers possess your keys, and you are not in full control of your currency, meaning you need to trust the service to keep it safe. Exchanges are a convenient place to keep some cryptocurrency, but not safe to leave large sums for an extended period of time. Online wallets, including the wallets hosted by exchanges, are extremely attractive targets for cyber criminals. When hacks occur, and funds are stolen, users typically have nowhere to turn; the funds are simply gone. Some exchanges insure the funds in their possession, keep a percentage of it offline, or have other ways of keeping it safe. It’s essential to know what policies are in place to protect you when deciding to keep a large sum of crypto on any web-based wallet.
An online wallet that many feel safe using is Coinbase.com. They are a regulated financial services company operating in the United States, keep 98% of customer funds in offline storage, and are insured against loss. However, their insurance policy protects against hacks of Coinbase itself, not your account; it’s still important to keep your keys safe and enact 2FA. Coinbase is limited to customers from certain countries and requires identity verification. If your country of residence is eligible to use its service, it is one of the easiest ways to buy cryptocurrency with USD, GBP, and EUR.
Any web-based wallet (including Coinbase) should be used at your own risk. You must bookmark every site that you log into related to cryptocurrency, these sites are often spoofed waiting to trap someone who typed the address just one character off. Typically, the best thing to do with an online wallet is to use their providers to acquire your cryptocurrency, and then move it to a safer option. Of course, it’s convenient to keep some funds accessible for spending, while maintaining the bulk of your investment at max security.
Mobile wallets are great because you can move funds on the go with the assistance of QR codes. These are important for any regular user of crypto who wants the ability to send and receive payments quickly. According to Andreas Antonopolous, “smart phones are generally more secure than the average desktop.” My preference would be to have one device without phone service, but having all of my wallets and authenticator. That way I could keep all of my applications requiring added security off-line when not in use.
The above is a good resource to begin getting know the mobile wallet playing-field.
Desktop wallets are great. A good desktop wallet keeps your keys encrypted, and locally stored. They shouldn’t pass your keys over the network, rather it uses your keys locally to create and send an encrypted signature. Some desktop wallets work more like web-wallets, where they manage the various keys for the different currencies they support, and you use one memorable password to secure them all. However, each desktop wallet is only as safe as the computer its on, and the password you use for it. Having one computer that is used only for cryptocurrency transactions, and otherwise not connected to the internet is the safest way to keep your cryptocurrency.
There are generally two classes of desktop wallets. There are multi-coin wallets and wallets for specific cryptocurrencies. The most secure way to store a cryptocurrency is in an official wallet or a third party wallet that is respected among the community. Many cryptocurrencies don’t have third party support, so if you are collecting cryptocurrencies, you’ll also be collecting wallets. It’s best to use only open-source cryptocurrency products. Open source means that the code is available for anyone to look at, making it easier to identify and eliminate vulnerabilities.
Multi-currency wallets can be a convenient way to keep some coin where it can be easily spent. I’ve used Exodus for convenient access to 30+ cryptocurrencies and it’s built-in exchange. It’s transaction fees are low, and the exchange fees are also reasonable. It’s not open source, and it doesn’t support Two-Factor Authentication; but it is a popular choice among many cryptocurrency users.
Hardware wallets such as TREZOR or Ledger Nano are a popular choice. These are USB devices that keep your private keys safe and inaccessible. You only connect them when making a transaction, and they don’t transmit your keys under any conditions. They work by signing off on transactions, transmitting the signature, not the keys. They are safe from viruses that could steal your credentials with a key-logger. They operate by a pin number you enter on the device, and even you don’t see your keys. If your device is lost or damaged, you can restore access to your account with a seed phrase that is established during set-up. As with any seed phrase, you should keep it two different secure locations to protect the information.
These devices should only be purchased directly from the manufacturer; and undergo a hard-reset as an added precaution, before use.
I’m trying out a new player in the field, the Coldcard Wallet. I’ll follow-up with a complete review after I give it a try.
A paper wallet in the simplest form is a physical copy of your public key (your address), and your private key stored on a piece of paper. These can be kept in a fire-proof safe, safety deposit box, or anywhere you would feel safe stashing a large wad of cash. Often, they will have QR codes printed on them, for easy input via a mobile device.
For a thorough guide on paper wallets, I will direct you to the Bitcoin Wiki:
I would highly recommend using Linux on the computer you plan to use for storing and using crypto. It is the most secure operating system available, because it’s open-source and there are so many variants of Linux that it would be difficult to create far-reaching malware against it. Linux used to be very difficult to get running, but these days the UX is greatly improved. Ubuntu is a very popular choice, and user-friendly. For the most part, it’s plug-n-play. Occasionally you have to enter commands in a terminal, but a simple Google search usually answers any questions you may have. It’s Not Too Complicated! and is 100x safer than windows. Linux Mint is a popular choice among new users; its user-friendly interface has a wide range of supported applications. You might not be ready to switch now, but if you collect a lot of cryptocurrency, you’ll be tempted to try it out.
Keeping cryptocurrency secure can be a complex matter. Over time the UX of crypto security will be improved, for now you must be educated. Nothing in life is 100% secure, but we can take precautions and follow best practices. It’s not good to advertise how much crypto you have; create backups, and don’t keep them all in the same place to insure against fire or other natural disasters. If you use public wifi networks, or don’t trust your employer or the internet provider, its advisable to use a VPN which encrypts your network traffic against snooping.
New tools and methods of keeping our digital assets safe will surely arise, but this fundamental security mindedness will stand the test of time. Dealing with crypto puts security back in the hands of its users, and requires a fundamental shift from the old way of securing assets.