Security Tips for Hardware Wallets
— Never ever share your 24-word recovery phrase, in any form, with anyone.
— Never ever store your recovery phrase on a computer or smartphone.
— Keep your Recovery sheet physically secure to make sure you can’t lose or destroy it by accident.
— Only trust what you can see on your hardware wallet screen. Verify your receiving address and payment information on your device.
— Always treat information shown on your computer or smartphone screen with caution. Assume that software can get compromised anytime.
Getting used to self-custody can be tricky, but we’ve got you covered. Here are our essential tips for hardware wallets.
Hardware wallets empower you with self-custody of your crypto. That means absolute ownership and control of your coins, tokens and NFTs. But with great power comes great responsibility: self-custody requires a firm understanding of your environment and the risks you face. Using a hardware wallet doesn’t make you invincible against social engineering, physical threats or human errors. Here, we tackle a few of the most important threats, so you can enjoy self-custody and complete security.
The 24-word recovery phrase
When initializing your hardware wallet for the first time, you will be prompted to write down 24 words on a Recovery sheet. These 24 words are called a recovery phrase and are a human readable back-up from which all your private keys are derived. They are used to restore access to your crypto assets on another Ledger device or any other compatible wallet.
Ledger’s recovery sheet containing the 24-word recovery phrase. This unique list of words is generated by your hardware wallet.
Why do you need a recovery phrase?
There are two basic reasons why you would need access to your recovery phrase:
- Loss or destruction of your hardware wallet: you can enter your recovery phrase on a new device to recover full access to your crypto assets;
- Cloning to a new device: by entering your 24 words on another device, you’ll be in possession of two hardware wallets you can use independently. Another reason to clone a device would be when upgrading to a newer model.
The recovery phrase is essentially a very powerful backup of all your crypto assets, enabling you to access everything you own from any device. The only problem? It permits absolutely anyone in possession of that phrase to do the same thing. Anyone getting access to these 24 words would get immediate access to your crypto assets, and that makes it an extremely sensitive piece of data.
Therefore, it is of the utmost importance that your recovery phrase is correctly secured. Any compromise, at any time, could lead to catastrophic losses:
- Never take a picture of your Recovery sheet
Your smartphone is not safe and, worse, the picture could get automatically uploaded to your cloud storage;
- Never enter your recovery phrase on any computer or smartphone
You could have keyloggers, and storing this information online (even encrypted) completely defeats the purpose of using a hardware wallet;
- Never show or share your 24 words to anyone
If you do decide to share, be fully aware that they have potential access to all your crypto assets, anytime, and without an easy way of revoking access;
- Keep your Recovery sheet in a safe place
If it gets destroyed for any reason, you must immediately move your crypto to a newly set up hardware wallet.
Additionally, it is critical to make sure that you have generated the 24-word recovery phrase yourself. Never, ever, use a preconfigured device. You must ensure you are the only one in the world to have knowledge of this specific recovery phrase.
As the availability of your recovery phrase is critical, you may wish to verify that you’ve indeed written it down correctly and that you can actually read it without error.
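To make concrete why the 24 words are so sensitive, here is an added example (not Ledger's code) of the standard BIP39/BIP32 derivation: the words alone, plus an optional passphrase, are stretched into the seed and then the master key, which is why anyone holding the phrase holds every key. It uses only the public BIP39 test vector as input, and also shows that a single misread word yields an unrelated seed, which is the point of checking that the Recovery sheet is legible.

```python
import hashlib
import hmac
import unicodedata

# Added example, not Ledger's code. The input is the public BIP39 test
# vector (eleven times "abandon", then "about", passphrase "TREZOR").
TEST_MNEMONIC = "abandon " * 11 + "about"
TEST_PASSPHRASE = "TREZOR"

# Group order of secp256k1; BIP32 requires the master key to be in [1, n-1].
SECP256K1_ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39: 64-byte seed = PBKDF2-HMAC-SHA512(words, "mnemonic" + passphrase, 2048 rounds)."""
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac(
        "sha512", words.encode("utf-8"), salt.encode("utf-8"), 2048, dklen=64
    )


def seed_to_master_key(seed: bytes) -> tuple:
    """BIP32: (master private key, chain code) = split HMAC-SHA512(key=b"Bitcoin seed", msg=seed)."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    key, chain_code = digest[:32], digest[32:]
    k = int.from_bytes(key, "big")
    if k == 0 or k >= SECP256K1_ORDER:
        # Astronomically unlikely; BIP32 says such a seed is invalid.
        raise ValueError("invalid master key for this seed")
    return key, chain_code


def seeds_match(phrase_a: str, phrase_b: str, passphrase: str = "") -> bool:
    """True only if both phrases restore the same wallet (same seed)."""
    return mnemonic_to_seed(phrase_a, passphrase) == mnemonic_to_seed(phrase_b, passphrase)


if __name__ == "__main__":
    seed = mnemonic_to_seed(TEST_MNEMONIC, TEST_PASSPHRASE)
    key, chain_code = seed_to_master_key(seed)
    print("seed       :", seed.hex())
    print("master key :", key.hex())
    print("chain code :", chain_code.hex())
    # One misread word ("about" -> "above") gives an unrelated seed: a useless backup.
    typo = "abandon " * 11 + "above"
    print("typo restores same wallet:", seeds_match(TEST_MNEMONIC, typo, TEST_PASSPHRASE))
```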
General safety principles
Having a hardware wallet set up with a verified backup in a secure place may protect you from a digital attack, but you are still vulnerable to potential physical threats such as a burglary or a hostage situation. This is why you must follow these basic rules:
- Never tell anyone that you own cryptocurrencies. If you do, make sure to keep the real value of your assets to yourself.
- If you are active in the online cryptocurrency community, protect your real identity and always be mindful of the information you share.
- Do not keep your Recovery sheet in a safe at home. A bank vault is much more secure. Not having immediate access to your backup increases your resilience to physical threats;
- If you have large amounts of cryptocurrencies that you do not need frequent access to, keep your hardware wallet in the bank safe as well. You can use another hardware wallet with lower amounts for frequent use.
Security steps to verify your receiving address
When you need to share your receiving address so you can be the recipient of a payment, you must take extra precautions to ensure you don’t fall victim to a man-in-the-middle attack. An attacker in control of your computer screen could show you a wrong address, making the attacker the beneficiary of any transaction sent to it.
You must verify the receive address shown on your screen by displaying it on your device.
When requesting a receiving address on Ledger Live, you are prompted to connect your hardware wallet and open the corresponding app. The address will then be shown on the secure display of the device and you’ll be able to verify that it matches the one on your screen.
If you are using a software wallet (many third-party applications are compatible with Ledger devices), we recommend sending a small amount first, to make sure that you have properly received it. This test should ideally be done on another computer. You can reuse the address that you have just verified for the test.
Beware of blind signing!
When you’re transacting with crypto, you will usually see the details of your transaction on a web page, on the screen of your computer or phone. But since that device itself is connected to the internet, the display could have been tampered with by a hacker. In short, it’s never possible to know for sure what you’re agreeing to when viewing the details on a connected device – this is known as blind signing, one of the biggest security issues for crypto users.
To prevent falling victim to this attack, always verify the transaction details on the Trusted Display of your Ledger device before approving the transaction. Your Trusted Display is completely isolated from your internet connection, which means it cannot be tampered with by hackers. The result? You can always trust the details you see on your Ledger device, and verify that your transaction is safe.
Crypto self-custody requires discipline. Having a Ledger hardware wallet might not make you invincible – but heeding our essential self-custody tips will help you avoid scams and mistakes as you explore everything blockchain has to offer.