Best Practices when using a Hardware Wallet
There are five basic golden rules:
– Never ever share your 24-word recovery phrase, in any form, with anyone.
– Never ever store your recovery phrase on a computer or smartphone.
– Keep your Recovery sheet physically secure to make sure you can’t lose or destroy it by accident.
– Only trust what you can see on your hardware wallet screen. Verify your receiving address and payment information on your device.
– Always treat information shown on your computer or smartphone screen with caution. Assume that software can get compromised anytime.
Hardware wallets empower you with the ownership and control of your crypto assets. But with great power comes great responsibility: being your own bank is certainly not trivial and requires discipline. Using a hardware wallet doesn’t make you invincible against social engineering, physical threats or human error. You must always use common sense and apply basic security principles.
The 24-word recovery phrase
When initializing your hardware wallet for the first time, you will be prompted to write down 24 words on a Recovery sheet. These 24 words are called a recovery phrase and are a human readable back-up from which all your private keys are derived. They are used to restore access to your crypto assets on another Ledger device or any other compatible wallet.
Ledger’s recovery sheet containing the 24-word recovery phrase. This unique list of words is generated by your hardware wallet.
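The derivation from the written-down words to the keys is a public, deterministic standard (BIP39), which is exactly why a photo or a typed-in copy of the sheet is as good as the device itself. The following is an added example, not Ledger's code: it reproduces the first step of that derivation (phrase to master seed) with the Python standard library and checks it against the reference vector from the BIP39 specification. The optional passphrase argument is part of the standard, and the reference vector happens to use the passphrase "TREZOR"; everything else below is assumed for illustration.

```python
# Added example (not Ledger's code): how a BIP39 recovery phrase turns into the
# master seed from which every private key is derived. Standard library only.
import hashlib
import unicodedata


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed derivation: PBKDF2-HMAC-SHA512, 2048 rounds, 64-byte output.

    The password is the NFKD-normalised phrase with single spaces between
    words; the salt is "mnemonic" followed by the NFKD-normalised passphrase
    (empty when no passphrase is used).
    """
    # Whitespace on the sheet (line breaks, double spaces) does not matter:
    # the words are re-joined with single spaces before hashing.
    phrase = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac("sha512", phrase.encode("utf-8"),
                               salt.encode("utf-8"), 2048, dklen=64)


def seed_hex(mnemonic: str, passphrase: str = "") -> str:
    """Hex form of the seed, convenient for comparing against reference vectors."""
    return mnemonic_to_seed(mnemonic, passphrase).hex()


# Reference vector from the BIP39 specification (12 words; a 24-word phrase goes
# through exactly the same derivation). The vector is defined with passphrase
# "TREZOR", so that value is used here only to reproduce it.
REFERENCE_MNEMONIC = " ".join(["abandon"] * 11 + ["about"])
REFERENCE_SEED = ("c55257c360c07c72029aebc1b53c05ed0362ada38ead3e3e9efa3708e5349553"
                  "1f09a6987599d18264c1e1c92f2cf141630c7a3c4ab7c81b2f001698e7463b04")

if __name__ == "__main__":
    # Any machine that sees the words reproduces this seed in milliseconds.
    print("reference vector reproduced:",
          seed_hex(REFERENCE_MNEMONIC, "TREZOR") == REFERENCE_SEED)
```

Two things to take from running it: the computation needs nothing secret besides the words, so there is no "partial" leak of a recovery phrase; and a single wrong word produces a completely unrelated seed, which is why the article asks you to verify that the sheet is written down correctly and legibly before relying on it.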
General security principles
There are two basic reasons why you would need access to your recovery phrase:
- Loss or destruction of your hardware wallet: you can enter your recovery phrase on a new device to recover full access to your crypto assets;
- Cloning to a new device: by entering your 24 words on another device, you’ll be in possession of two hardware wallets you can use independently. Another reason to clone a device would be when upgrading to a newer model.
As you can easily deduce from this, anyone who gets access to these 24 words gets immediate access to your crypto assets.
It is therefore of the utmost importance that your recovery phrase is correctly secured. Any compromise, at any time, could lead to catastrophic losses:
- Never take a picture of your Recovery sheet
Your smartphone is not safe and, worse, the photo could get automatically uploaded to your cloud storage;
- Never enter your recovery phrase on any computer or smartphone
You could have keyloggers, and storing this information online (even encrypted) completely defeats the purpose of using a hardware wallet;
- Never show or share your 24 words to anyone
If you do decide to share, be fully aware that they have potential access to all your crypto assets, anytime, and without an easy way of revoking access;
- Keep your Recovery sheet in a safe place
If it gets destroyed for any reason, you must immediately move your crypto to a newly set up hardware wallet.
Additionally, it is critical to make sure that you have generated the 24-word recovery phrase yourself. Never, ever, use a preconfigured device. You must ensure you are the only one in the world to have knowledge of this specific recovery phrase.
As the availability of your recovery phrase is critical, you may wish to verify that you’ve indeed written it down correctly and that you can actually read it without error.
General safety principles
Having a hardware wallet set up with a verified backup in a secure place may protect you from a digital attack, but you are still vulnerable to potential physical threats such as a burglary or a hostage situation. This is why you must follow these basic rules:
- Never tell anyone that you own cryptocurrencies. If you do, make sure to keep the real value of your assets to yourself
- If you are active in the online cryptocurrency community, protect your real identity and always be mindful of the information you share.
- Do not keep your Recovery sheet in a safe at home. A bank vault is much more secure. Not having immediate access to your backup increases your resilience to physical threats;
- If you have large amounts of cryptocurrencies that you do not need frequent access to, keep your hardware wallet in the bank safe as well. You can use another hardware wallet with lower amounts for frequent use;
Security steps to verify your receiving address
When you need to share your receiving address so you can be the recipient of a payment, you must take extra precautions to ensure you don’t fall victim to a man-in-the-middle attack. An attacker who controls what your computer displays could show you a different address, making himself the beneficiary of any transaction sent to it.
You must verify the receive address shown on your screen by displaying it on your device.
When requesting a receiving address on Ledger Live, you are prompted to connect your hardware wallet and open the corresponding app. The address will then be shown on the secure display of the device and you’ll be able to verify that it matches the one on your screen.
If you are using a software wallet (many third-party applications are compatible with Ledger devices), we recommend sending a small amount first, to make sure that you have properly received it. This test should ideally be done on another computer. You can reuse the address that you have just verified for the test.
Security steps to verify the beneficiary address
When you wish to send a transaction, you will usually get the recipient address from a web page or through a communication service. A trivial attack for malware would be to replace this address with one of its own. Some malicious pieces of software simply monitor the clipboard and replace the address you have just copied with one belonging to the attacker.
To prevent falling victim to this attack, always verify the beneficiary address on the device before approving the transaction, and also always double check it using a second communication channel.
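The "second communication channel" check can be made mechanical. The following is an added example, not Ledger's code or part of any Ledger product: it decodes a Base58Check (legacy Bitcoin) address, verifies its checksum, and compares the address about to be paid with the one confirmed out of band. The sample payee and attacker addresses are constructed in the block from arbitrary hashes and are not real addresses; the one real address used in the usage note is the well-known genesis block address, included only to show the decoder on a real-world value.

```python
# Added example (not Ledger's code): check a pasted Bitcoin address two ways
# before approving a payment. Standard library only; the payee and attacker
# addresses are constructed here from arbitrary hashes and are not real payees.
import hashlib
from typing import Optional

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def _sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def b58check_encode(version: int, payload: bytes) -> str:
    """Base58Check: version || payload || first 4 bytes of SHA256d(version||payload)."""
    raw = bytes([version]) + payload
    raw += _sha256d(raw)[:4]
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    # Each leading zero byte is encoded as a leading '1'.
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + out


def b58check_decode(address: str) -> Optional[bytes]:
    """Return version||payload if the checksum verifies, otherwise None."""
    n = 0
    for ch in address:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return None  # '0', 'O', 'I', 'l' and others are not base58 characters
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(address) - len(address.lstrip("1"))
    raw = b"\x00" * pad + body
    if len(raw) < 5 or _sha256d(raw[:-4])[:4] != raw[-4:]:
        return None
    return raw[:-4]


def check_beneficiary(pasted: str, second_channel: str) -> str:
    """Compare the address you are about to send to with the one confirmed
    through a second channel (phone call, signed message, in person)."""
    pasted = pasted.strip()
    if b58check_decode(pasted) is None:
        return "malformed"   # typo or truncated copy: the checksum catches this
    if pasted != second_channel.strip():
        return "mismatch"    # well-formed, but not the address your counterparty gave you
    return "ok"


# Constructed sample addresses (hypothetical, derived from arbitrary strings).
GENUINE_PAYEE = b58check_encode(0x00, hashlib.sha256(b"genuine payee").digest()[:20])
ATTACKER_ADDR = b58check_encode(0x00, hashlib.sha256(b"clipboard hijacker").digest()[:20])

if __name__ == "__main__":
    # What clipboard-replacing malware does: the pasted address is perfectly
    # valid, only the out-of-band comparison reveals the swap.
    print(check_beneficiary(ATTACKER_ADDR, GENUINE_PAYEE))   # mismatch
    print(check_beneficiary(GENUINE_PAYEE, GENUINE_PAYEE))   # ok
```

The checksum only tells you the string is a well-formed address; the substituted address that clipboard malware pastes is well-formed too, so `malformed` will catch a copy error but never an attacker. The `mismatch` branch, fed by an address obtained through a channel the malware does not control, is the actual defence, and it complements rather than replaces reading the address off the device screen before approving.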
Being your own bank is not trivial and requires discipline. Having a hardware wallet does not make you invincible. But we hope these security tips help you protect yourself while using them.
As always, use common sense. Don’t trust, verify.