Cryptocurrency Wallet Security 101

Oct 12, 2018   |   by William Glynn   |   Basics & Beyond

When you choose the financially anarchic path of cryptocurrency, you relieve banks of the duty to protect your assets and take that responsibility on yourself. This comes with the risk of being hacked. Private keys are the secret combinations that grant access to each wallet your coins or tokens are stored in. If you are hacked and your private keys are stolen, the thief has access to your coins or tokens and there is no way of recovering them: no fraud protection to call and no authority to reach. The rules of the Bitcoin network are intentionally simple. He who has the keys has the Bitcoin. The network doesn’t care that you’re Joe Shmoe and those bitcoins are rightfully yours; if someone else gets your keys, they get your funds.

Your keys, your bitcoin. Not your keys, not your bitcoin.

Andreas Antonopoulos

There are four primary wallet types:

  1. Desktop Wallet
  2. Mobile Wallet
  3. Hardware Wallet
  4. Web Wallet

There is an important distinction between wallets and clients. This distinction is made below:

  • A wallet is a collection of data such as a user’s private and public keys and addresses. A wallet can send and receive crypto in the form of spendable outputs.
  • A client is the software that connects a user to the cryptocurrency network in question. It handles all the communication, updates the wallet with incoming funds, and uses information from the wallet to sign outgoing transactions.
    • A full client, or “full node”, has the entire history of blockchain transactions. It also manages the user’s wallets and can initiate transactions directly on the network.
    • A lightweight client stores the user’s wallet but relies on third-party servers to access the network.
    • A web client is accessed through a web browser and stores the user’s wallet on a server owned by a third party.
    • A mobile client, usually used on smartphones, can operate as a full client, a lightweight client, or a web client. Some mobile clients synchronize with a web or desktop client, providing a multi-platform wallet across several devices with a common source of funds.

Web Wallet
  • Web wallets vary from coin to coin. We will use Bitcoin as an example of how to set up a web wallet.
    • Go to a web wallet provider such as https://blockchain.info/
    • Click the “Get a Free Wallet” option.
    • Sign up with a username and choose a strong password.
    • BTC, Ether, and BCH can be exchanged and stored in this wallet.
  • Explore the advanced security options such as the recovery phrase, Google Authenticator, etc.
  • To receive bitcoins or other cryptocurrencies, give the sender your wallet’s address, just as you would exchange email addresses to send email.
  • Cautionary note on exchanges: avoid storing your cryptocurrencies with an exchange, even for a limited time; it exposes you to many dangers.
  • Web wallets are the least secure type, and exchange web wallets least of all.
  • Web wallet examples: Green Address, Circle, Coinbase, Coinkite

Web wallets store your private keys (effectively the password to your funds) for you on their servers

  • Pros:
    • Easy access to funds from any device
    • Some wallets are attached to exchanges and offer additional security such as offline storage
      • Coinbase does both
  • Cons:
    • You trust a company not to steal your funds and disappear
    • You trust a company to keep your funds safe from attacks

Desktop Wallets
  • Software downloaded and installed on a PC or laptop.
  • Most wallet software is made by volunteers or cryptocurrency startups and is tailored to a specific coin
  • Some lightweight wallets, such as Coinomi and Exodus, are multi-currency and can store a wide variety of coins in one place
  • Desktop wallets can be full nodes. In that case they continuously update their copy of the blockchain’s transaction history, contributing to the maintenance of the decentralized network and its consensus
  • Pros:
    • Better control and protection. Be sure *private keys are encrypted with strong passphrases and regularly backed up*.
    • Hackers have more incentive to target centralized third-party servers, where many wallets can be stolen at once, than an individual’s computer
  • Cons:
    • Still somewhat vulnerable to Internet attacks (spying or malware) and to hardware malfunctions.
    • The blockchain takes a long time to download, and keeping it synchronized with the network can be inconvenient.
    • Uses a large share of your hard drive capacity.

Desktop wallets can be lightweight

  • Pros:
    • Same advantages as a desktop wallet, without having to run a full node
    • Private key is held on your computer, meaning you have total control
    • Some can hold a wide range of assets
  • Cons:
    • Cannot verify transactions itself, since it does not hold the transaction history.
    • You must therefore trust third-party servers to verify transactions for you
    • Still a bit vulnerable to Internet attacks

Mobile Wallets

Installed on a mobile device; usually operates as a lightweight client or a web client

  • Pros:
    • Portable
    • Smartphone cameras can scan QR codes
    • Good for day-to-day transactions
    • If the mobile device is lost or stolen the funds are not gone; backups let you regain access to your funds. (In case of theft, contact the third party immediately.)
  • Cons:
    • If the phone battery dies or the phone is turned off, payments are affected.
    • Do not type your PIN where the device is visible to others
    • Choose reputable and proven secure wallets.

Cold and Colder Storage, a.k.a. Hardware (best recommendation) or Paper
  • Keeping your private keys entirely offline is the best way to protect them
  • “True Cold Storage” means that the private keys have never been on a networked computer or device
  • Signing of outgoing transactions also occurs offline.
  • This approach is best for long-term storage of large funds that you will not be sending out very often; offline storage is impractical for everyday use
  • “Conventional Cold Storage” usually means an offline medium for storing cryptocurrencies that only goes online to sign transactions. This is more realistic for an active wallet, but it still exposes you to online threats

Cold Storage Types:

  • On an offline hardware wallet
  • Paper wallet
  • A physical bitcoin known as a bearer item
  • USB drive or other data storage medium

Hardware Wallets:

  • Pros:
    • Provide extra security: not connected to the network, so they cannot be hacked remotely the way a computer can
    • Private keys are generated and stored within the device and never leave it
    • Transactions are signed inside the PIN-protected external device (requires physical confirmation)
  • Cons:
    • Less convenient than desktop and mobile wallets
    • Cost; buy from the original manufacturer’s store to avoid compromised shipments
  • Examples: Trezor, Ledger Nano S

Paper Wallets:

  • Created by printing a new public address and private key onto paper, or writing them down.
  • Store the documents with the public and private keys in a safe place, and make at least two copies.
  • Pros:
    • Maximum protection from cyber-attacks, hardware failures, operating system errors and breakdowns
    • Easily generated
    • Free
  • Cons:
    • Loss, theft, or destruction of the paper
    • Must be imported into software at some point, unlike hardware wallets
  • Make sure you are working offline when generating a paper wallet!
  • Generate a separate wallet for expenses that you pay in bitcoin, and use different ones for long-term storage of bitcoins
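Both the address you hand to a sender and the private key printed on a paper wallet are Base58Check strings: a version byte, the payload, and a four-byte double-SHA256 checksum, so a single mistyped character is rejected instead of sending funds into the void. The following is an added example (not code from the original post) that encodes and validates mainnet Bitcoin addresses and Wallet Import Format private keys using only the Python standard library; the sample key bytes in the test are constructed, and the function names are the author's own.

```python
import hashlib

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def _checksum(payload: bytes) -> bytes:
    # Base58Check checksum: first four bytes of SHA256(SHA256(payload)).
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def b58check_encode(version: bytes, payload: bytes) -> str:
    data = version + payload
    data += _checksum(data)
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    # Each leading zero byte is written as a leading '1' (hence "1..." addresses).
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out

def b58check_decode(text: str) -> tuple[bytes, bytes]:
    """Return (version, payload); raise ValueError on a bad character or checksum."""
    n = 0
    for ch in text:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:  # '0', 'O', 'I' and 'l' are excluded from the alphabet on purpose
            raise ValueError(f"invalid Base58 character {ch!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    pad = len(text) - len(text.lstrip("1"))
    data = b"\x00" * pad + body
    if len(data) < 5 or data[-4:] != _checksum(data[:-4]):
        raise ValueError("checksum mismatch: the string was mistyped or altered")
    return data[:1], data[1:-4]

def is_valid_btc_address(addr: str) -> bool:
    """True for a well-formed mainnet P2PKH (0x00) or P2SH (0x05) address."""
    try:
        version, payload = b58check_decode(addr)
    except ValueError:
        return False
    return version in (b"\x00", b"\x05") and len(payload) == 20

def private_key_to_wif(key32: bytes, compressed: bool = True) -> str:
    """Wallet Import Format for a raw 32-byte private key (mainnet prefix 0x80)."""
    if len(key32) != 32:
        raise ValueError("private key must be exactly 32 bytes")
    return b58check_encode(b"\x80", key32 + (b"\x01" if compressed else b""))
```

Run `is_valid_btc_address()` on any address before pasting it into a send form; the checksum catches typos and transcription errors from a printed paper wallet, but not a correctly formed address that belongs to someone else.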

Recap for all wallets:

  • Avoid use of online services
  • If you use an online wallet generator page, it is advised to save that page and generate the private keys offline
  • Back up your wallets regularly
  • Encrypt your wallet

William Glynn

I came into crypto for a decentralized web and stayed for everything else. I come from a background of political and entrepreneurial interests, but crypto eventually took immediate precedence, as it was a new infrastructure for every aspect of humanity in the form of trust-less trust. I am majoring in Finance and currently working with Garden of Crypto. I hope to scale into running network infrastructure like Lightning Network and several other crypto network nodes.