Security
How to keep your bitcoins secure
So you've bought some bitcoin, and you're sitting on an amount that's starting to make you feel a bit anxious.
What can you do to protect them?
Below are the simplest and most effective steps you can take toward securing your bitcoins.
1. Hardware Wallet
First and foremost, the biggest step you can take to protect your bitcoins is to get a hardware wallet.
These are my top recommendations:
| Wallet | Level | Released |
|---|---|---|
| Trezor | Beginner | 2014 |
| Coldcard | Advanced | 2018 |
A hardware wallet is a small device that you connect to your computer when you want to send and receive bitcoins. However, all of the private keys are stored inside the device and are never exposed to the Internet.
As a result, you're disconnecting your private keys from the Internet and protecting your bitcoins from digital attacks. So the only way someone can steal your bitcoins if they can get physical access to your device (or seed).
Software wallets are convenient for day-to-day usage, but if you're using a software wallet on your everyday computer, you're leaving your bitcoins vulnerable malware and viruses. It's not guaranteed that your bitcoins will get stolen from your software wallet, but the fact that they could should be enough to make you strongly consider investing in a hardware wallet for storing your bitcoins.
So if you're in any way anxious about the amount of bitcoin you hold, a hardware wallet is the solution.
It would still take some time and effort to extract the private keys from your hardware wallet if someone manages to steal it, which would give you a window of opportunity to move your coins to a different wallet.
2. Passphrase
Using a passphrase in conjunction with your seed is a simple and effective way to add an extra layer of security to your bitcoins.
If you use a passphrase, the only way someone can steal your bitcoins is if they can gain access to both your seed and your passphrase. So if someone stumbled upon your seed, they wouldn't be able to recover your private keys unless they were able to find your passphrase as well.
In other words, a passphrase adds an extra lock on the door to your bitcoins.
Naturally this also means that you'll need to backup your passphrase in addition to your seed, but by storing them separately it makes it much harder for a thief to be able to gain access to your bitcoins.
Using a passphrase is not essential, but it's an easy and effective security upgrade.
Your passphrase is as equally important as your seed. If you lose your passphrase, you'll lose the ability to access to your bitcoins. So store your passphrase as safely as you would your seed.
- Your passphrase should be as secure as a good password. If someone gets a hold of your seed, they can attempt to brute-force the passphrase to try and steal your bitcoins. The more secure your passphrase is, the harder it will be for an attacker to crack it.
- A popular setup is to keep a small amount of bitcoin in the same wallet without a passphrase. The benefit of this is that it allows you to detect if your seed has been compromised (so you can move your coins to a different wallet before your passphrase gets cracked), and it can also be used as a duress wallet in the event of a physical attack.
- It helps if you can keep your passphrase memorable. Keeping it in memory provides an additional form of backup, and makes it easier to access your hardware wallet. However, having a secure passphrase is more important than having a memorable one.
3. Seed Storage
It's a good idea to consider storing your seed on something solid.
The first step in setting up a wallet is to write your seed down on paper. This is good advice, as this means you will only have a physical copy of the seed, which means it's kept away from the Internet and all the attacks that can come from it.
However, paper isn't great if your house catches on fire.
So it may be worthwhile investing in a more robust storage method for your seed in the event your boiler blows, up or that cheap electrical appliance you bought decides that it's time to convert your home in to a flaming inferno.
Steel is the material of choice for solid seed storage (high tensile strength and high melting point), and there are a few ready-made metal seed storage options on the market.
Alternatively, you can stamp your seed words on to some solid steel yourself.
Either way, converting your seed from paper to steel is great for peace of mind, and makes for a good backup in the event of unexpected disasters in the real world.
Whichever way you decide to store your seed, always make sure you keep it somewhere safe.
Tips
A few extra tips when it comes to security:
1. Keep it simple
It's fun to imagine how you could create the most elaborate system to secure your bitcoins by splitting up your seed in to multiple encrypted pieces and spreading them across numerous geographic locations with only a riddle that you understand for putting them back together again.
But the biggest risk to your bitcoins is not someone else, it's you.
In short, you want your setup for recovering your bitcoins to be as simple as you can make it without compromising on security. For most people, this is going to be something along the lines of:
- A hardware wallet.
- Two backups of your seed. Keep in different locations, preferably with one stored on steel.
- Two backups of your passphrase. Keep in different locations, and keep them separate from your seed. Also try to memorize it.
Of course, the best system will be based on your own personal circumstances, and only you can determine what your biggest risks are.
But if you ask yourself "how simple can I make this?" without feeling like you're leaving yourself vulnerable, then you'll sleep easily whilst also protecting yourself from yourself.
The 3-2-1 backup system is always a good place to start when it comes to backing up your data. This involves having 3 copies across 2 different types of storage and keeping 1 in a separate location. For example, storing your bitcoins on a hardware wallet with two paper copies of your seed (with one of those seeds stored in a different physical location) would meet this requirement.
2. Don't rely on memory
Your memory is only good as an additional backup, not as your only backup.
Our memory is never as good as we think it is (especially for things we do not need to recall very often), and it has a terrible habit of letting us down when we need it the most.
And trust me, there's nothing more soul-destroying than forgetting your seed.
If you haven't got your seed (and/or passphrase) stored somewhere, then you should consider yourself as not having any backups at all.
Just because you can memorize something, it doesn't mean that you should.
3. Don't tell anyone how much bitcoin you own
Physical attacks are more common than you might think.
Bitcoin is completely different to holding money in a bank; because if someone wants to steal your bitcoins, they only need to extract it from you by whatever means necessary.
And if you advertise to the world your bitcoin balance, you're turning yourself in to a walking target.
So if anyone ever asks you how much bitcoin you've got, the correct answer is "not enough". Better yet, for maximum personal security you're better off not letting anyone know you're interested in bitcoin at all.
It's tempting to want to proclaim your love for bitcoin by disclosing the size of your holdings, but you need to be aware of the danger you're putting yourself in. The accolades you think you're getting will never be enough to outweigh the risk you're creating to your personal safety.
FAQ
Should you use a 12 or 24 word seed?
A 12 word seed is perfectly fine.
You can use a 24-word seed if you wish (or if it's your only option), but you're not compromising on security in any practical way by using a 12-word seed.
For example, if you had access to the most powerful computer in the world, it would take the following amount of time to brute-force a randomly generated seed phrase:
| Seed Size | Time to Crack |
|---|---|
| 12 words | 17,141 billion years |
| 24 words | 5,833,062,171,146,503,562,042,479,477,903,164,878,880,768 billion years |
See calculation for how I got these numbers
And seeing as the Universe is roughly 14 billion years old, you can be pretty confident that nobody is going to crack your 12-word seed phrase any time soon.
So don't get bogged down in the security benefits of a 12-word vs 24-word seed; they're both extremely secure.
I wouldn't feel the need to move to a 24-word seed if you're currently happy with your 12-word seed. If anything, a 12-word seed phrase is more practical, as it has the additional benefit of being easier to remember as an additional form of backup.
Calculation
The two different seed phrase sizes contain the following bits of entropy:
12 words = 128 bits 24 words = 256 bits
In other words, there are this many different combinations for each seed size:
12 words = 340282366920938463463374607431768211456 24 words = 115792089237316195423570985008687907853269984665640564039457584007913129639936
These numbers are calculated by raising 2 to the power of the number of bits of entropy (e.g. 2^128)
Now, let's assume the combined hashrate of all the miners on the bitcoin network constitutes the biggest "computer" in the world (or at least one of the biggest). With all this computing power, we can see that this "computer" has the ability to perform this many hashes per second:
Bitcoin hashes per second = 644578231172141023232
You can get this data using bitcoin-cli getmininginfo
In addition, you actually need to perform 2,048 hashes to generate each individual seed. Using this information, we can divide the hashes per second by the number of hashes required to generate each seed to calculate how many seeds the fastest computer in the world can generate per second:
seeds per second = 314735464439521984
So if we divide all of the possible combinations of each seed by the number of seeds the biggest computer can generate per second, we can work out how many seconds it would take to run through all the possible seeds:
12 words = 1081169443446451667231 seconds 24 words = 367902897258552293621235895896789572962440522198909075720164 seconds
And if we divide that by the number of seconds in a year (31536000), we get:
12 words = 34283658150889 years 24 words = 11666124342293007788598297054058522734729849131117106 years
Lastly, when determining how long it would take for an attacker to crack a password, we base this on how long it would take for them to run through half of the total combinations. So if we divide this time by 2 we get:
12 words = 17141829075444 years 24 words = 5833062171146503894299148527029261367364924565558553 years
And that's how long it would take to crack each type of seed.
So whilst there is a significant difference between a 12-word and 24-word seed in terms of how long it takes to brute-force each one, in practical terms you're only going from "impossible" to "even more impossible".
- I'm assuming it would be faster to perform 2048 hashes of the mnemonic sentence to calculate each seed than it would be to run through all possible combinations of raw 512-bit seeds.
- These calculations assume you're using a seed phrase without a passphrase. If you add a passphrase, you add more entropy, and it will take even longer again.
Code
# Calculate the number of years to crack different lengths of seeds in bitcoin
# 12 words = 128 bits of entropy
# 24 words = 256 bits of entropy
entropy = 128
# use the bits of entropy to calculate the total combinations of seeds
number_of_seeds = 2**entropy
# the hash power of the fastest computer you can think of
# the bitcoin network is a good example - you can get the current hashes per second using `bitcoin-cli getmininginfo`
hashes_per_second = 696360280251533623296
# you need to perform 2048 hashes to generate each individual seed
# NOTE: The bitcoin network uses SHA-256, but seeds are actually created using 2048 iterations of SHA-512
hashes_per_seed = 2048
# calculate the number of seeds the fastest computer can hash per second
seeds_per_second = hashes_per_second / hashes_per_seed
# calculate the number of seconds the fastest computer would take to generate all of the possible seeds
seconds_to_generate_all_seeds = number_of_seeds / seeds_per_second
# convert seconds to years (31536000 seconds in a year)
years_to_generate_all_seeds = seconds_to_generate_all_seeds / 31536000
# assume that an attacker will get a specific seed in half the number of tries needed
years_to_crack_seed = years_to_generate_all_seeds / 2
# show the result
puts years_to_crack_seed
Summary
It only takes a few simple steps to go from being vulnerable to having a rock-solid security setup.
Not everyone needs to take all of the above steps to improve their security; it all depends on how much bitcoin you hold and how comfortable you are with the risks. But if the security of your bitcoins is playing on your mind, then it's time you took a few steps in a more confident direction.
And if you're unsure and don't know where to start, just get a hardware wallet.
Improving the security of you bitcoins doesn't have to be complicated. In fact, it's much better if it's not. But it's good to know about the best options you have available for improving your security.
And it's not as hard as you think.