Written by Jeremy Fletcher | January, 25 2023
Protecting the secrecy of your recovery phrases is of the highest importance in cryptocurrency, including Hedera HBARs. If anyone else knows your recovery phrase, they will have full access to all cryptocurrency associated with it and you could lose it all. Your recovery phrase is used to generate the public and private keys that control your funds. In Hedera, this recovery phrase can be associated with any number of Hedera accounts, which may contain HBARs. You also need to know which of your Hedera account(s) belong to which recovery phrases, so make sure to document that as well. What follows is a list of best practices when it comes to dealing with cryptocurrency.
- Protect the secrecy of the recovery phrase. This is much easier said than done. What’s the best way to protect it? Probably to memorize it and never write it down, but then if you die, you need to ensure that your most trusted heir(s) also have the phrase memorized and have never written it down. If they do write it down and someone snaps a photo of it, you’re done – kiss that crypto goodbye. So you may consider other alternatives, like printing out the recovery phrase down on a piece of paper and putting it in a safe. Except that you should never print it, because what you print is often stored in the printer and the printer itself may get hacked, so you had better write it down word for word. In fact, you may want to write it down twice, and store both copies in two separate, physical, secure locations (maybe in a safe – in the lining of a safe so it’s not easily found?) If you store it only in your house and it burns down, you may lose your recovery phrase. It may also be best to laminate the words to protect them from water damage, for example. You could cut up the words and separate them, making it hard for thieves to obtain all the pieces, but that will also make it difficult for your family members to recover it after your death as well. From what I have read, the Winklevoss twins split up their words and put them in safety deposit boxes all over the country, but I personally wouldn’t trust the banks. If you do go this route, use some of the techniques that spies use, like splattering random glitter all over a sealed, signed envelope with some kind of glue so that it sticks, take a photo of it and hang onto the photo. That way if someone does break into the envelope and grabs some of your secret words, you will know about it if the glitter patterns don’t match and the envelope has been compromised or replaced. Besides writing it down, you could store the words in an encrypted file that is also securely stored in multiple, separate physical locations and accessible to trusted family members should you die, but the password to that file must be protected and given to them as well. So, unfortunately, it not so easy to protect the secrecy of the recovery phrase. Another option may be to use (and trust) a third party like Kingdom Trust with custody of your cryptocurrency assets. Kingdom Trust will hold your HBARs for you.
- The most secure wallet is a paper wallet, but it is not practical if you plan to transact with it regularly. Next up is the hardware wallet of which the two leaders are the Trezor and the Ledger Nano. Only the Nano supports Hedera HBAR currently and as far as I know only through MyHbarWallet.com. It’s recommended that large amounts of money are stored on a hardware wallet, but that smaller amounts can be stored in your mobile phone wallet app, like Ledgerama’s Wallawallet. Very similar to going to the ATM and filling up your wallet with cash, except that you’re sending HBARs from your Nano hardware wallet via MyHbarWallet.com to one of the accounts you have set up on your Wallawallet. Wallawallet supports multiple Hedera recovery phrases and account ids.
- When creating a new wallet, make sure there are no prying eyes, human or digital. Nobody should be looking over your shoulder and there should be no drones nearby. Avoid security cameras. Hopefully there are also no hidden cameras nearby either.
- Ideally, use the lowest possible authentication timeout. In Wallawallet, that setting is to authenticate every single time (“Always Prompt”), and this can be quite annoying because you will sometimes be asked to authenticate 2 or 3 times in a row to perform what seems like only one operation but there are multiple operations, such as sending cryptocurrency followed by a refresh of your account balance.
- Set a Wallawallet PIN code. The PIN code itself in Wallawallet only enables when you click the lock icon, but by doing so you protect yourself from a $5 wrench attack once the lock has been enabled and the PIN code is required. Clicking on the lock will also timeout the authentication. The attacker would need access to both your fingerprint and PIN code to gain access to your accounts. If you are knocked unconscious, the attacker will have access only to your fingerprint, unless the PIN code is the same as the combination to President Scroob’s luggage (“1-2-3-4-5”). So choose a PIN that is not easily guessed.
- Use an additional password for your recovery phrase. This feature is not yet supported in Wallawallet, but other wallets do support adding your own additional word to protect your keys above and beyond the ones randomly generated for you. The advantage is that this word can be shared with trusted family members and not included with the rest of the recovery phrase, which will be worthless without it. MyHbarWallet.com is an example of a wallet that does support this additional password.
- Only use a wallet that has been audited by a reputable software development company.