All wallets have differing levels of security. With so many ways to access a wallet, it can be difficult to figure out what makes some of them more secure. There are things you absolutely shouldn’t do, regardless of the type of wallet used – like entering your private information directly online. Some wallet creation methods leave the user vulnerable to phishing. Other access methods, like hardware wallets, are more difficult to mess up.
Secure by design
While it’s ultimately up to the user to keep themselves safe, wallets can build security measures into their design to help users along. Direct access with software methods like private key or mnemonic phrase is the least secure option – it leaves the 'naked' keys exposed to phishing. Encryption of the private key with a keystore file is slightly more secure, but in truth, mnemonic phrases and private keys should only be used for recovery purposes, rather than as the main method of access.
Hardware wallets are seen as the pinnacle of wallet security because they offer cold storage in a physical device that keeps your keys encrypted in the device itself, off the internet, and in your own hands. Most hardware wallets still need to be used with another form of wallet service, such as a web-based interface or desktop app (covered in the first part of this series!) to offer full functionality.
Hardware devices are Hierarchical Deterministic (HD) wallets, meaning they offer multiple public addresses to choose from when deciding where to store your funds. Each wallet has a root private key and public address pairing, but these split off into thousands of other pairings that are unique to the wallet. The benefit of this lies in creating options, giving some wiggle room for temporary investments or organizing assets. However, this can also get confusing if actions aren’t taken to map it all out from the start.
Each of the hardware wallet addresses comes from a 'derivation path', which is a fancy way of saying the addresses branch off in different ways. If you use one path for your address, you’ll need to continue using that path for all future access. For example, the derivation path for Ethereum is m/44'/60'/0'/0, but the path for Ethereum Classic is m/44'/61'/0'/0. Each of these paths results in a different list of public Ethereum addresses, so it’s important to keep track of which path you’re using. Most wallets will tell you when you connect, but if they don’t, they’re likely defaulting to the Ethereum path above.
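Added here as a worked example (Python, not code from the original article or from any wallet vendor): a minimal BIP-32 private key derivation over secp256k1 that walks a path string like the ones above, so you can see why the Ethereum and Ethereum Classic paths, or a path with one fewer component, yield unrelated keys from the same root. The seed used in the checks is the constructed BIP-32 test-vector seed, and a hardened step (44') hashes the parent private key while the unhardened final 0 needs only the parent public key, which is why the curve arithmetic is required.

```python
import hashlib, hmac
P = 2**256 - 2**32 - 977  # secp256k1 field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)  # generator
HARDENED = 0x80000000  # indices >= this are hardened (the 44' in a path)

def _add(p, q):  # affine point addition/doubling on secp256k1; None = infinity
    if p is None or q is None: return p or q
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0: return None
    lam = (3 * x1 * x1 * pow(2 * y1, -1, P) if p == q
           else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P
def _compressed_pub(k):  # 33-byte SEC1 encoding of k*G via double-and-add
    r, q = None, G
    while k:
        if k & 1: r = _add(r, q)
        q, k = _add(q, q), k >> 1
    return bytes([2 + (r[1] & 1)]) + r[0].to_bytes(32, "big")

def parse_path(path):  # "m/44'/60'/0'/0" -> child indices with hardened bit set
    parts = path.split("/")
    if parts[0] != "m": raise ValueError("path must start with m")
    out = []
    for p in parts[1:]:
        idx = int(p.rstrip("'h"))
        if not 0 <= idx < HARDENED: raise ValueError("index out of range")
        out.append(idx | HARDENED if p[-1] in "'h" else idx)
    return out

def master_from_seed(seed):  # BIP-32 master key: HMAC-SHA512 keyed "Bitcoin seed"
    i = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return int.from_bytes(i[:32], "big"), i[32:]
def ckd_priv(k, chain, index):  # BIP-32 private child derivation (CKDpriv)
    if index >= HARDENED:  # hardened: the parent *private* key is hashed
        data = b"\x00" + k.to_bytes(32, "big") + index.to_bytes(4, "big")
    else:                  # non-hardened: only the parent *public* key is hashed
        data = _compressed_pub(k) + index.to_bytes(4, "big")
    i = hmac.new(chain, data, hashlib.sha512).digest()
    il = int.from_bytes(i[:32], "big")
    if il >= N or (il + k) % N == 0: raise ValueError("skip index %d" % index)
    return (il + k) % N, i[32:]

def derive(seed, path):  # private key (int) at `path`; ETH and ETC paths differ
    k, chain = master_from_seed(seed)
    for index in parse_path(path):
        k, chain = ckd_priv(k, chain, index)
    return k
```

The pure-Python field arithmetic is for illustration only; it is not constant-time and should not back a real signer.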
Hardware wallets are considered cold storage because they keep your sensitive information separate from online servers: the private keys never leave the device, so they can’t be phished from a website or lifted from the computer you connect with. Each hardware wallet uses a different approach to this, but cold storage is the standard for this category of wallets.
Ledger hardware wallets are a little different from the rest, as they have their own desktop wallet called Ledger Live, and they use a different default derivation path than most other Ethereum wallets (m/44'/60'/0', taking a '0' off the end). The Ledger comes in multiple models, the newest being the Ledger Nano X, which can connect through USB or Bluetooth.
Trezor is another popular hardware wallet and the biggest contender with Ledger. They also sport multiple models to choose from, with the most popular arguably being the Trezor One. Trezor and all the other hardware wallets follow the standard derivation path for Ethereum. Among the other hardware wallets are CoolWallet, KeepKey, Digital BitBox, and more. It’s worth doing your own research to discover which one is right for you.
A Hardware Wallet Alternative On Your Phone
There are many mobile wallets out there, and we will cover them in depth in another part of this series, but only a few phone applications can work as a hardware wallet alternative. One such example is the MEW wallet app, which offers the convenience of a mobile app, allowing you to transact directly from your smartphone, while also giving the option of acting as a signing app if you choose to use it with MEW web via the MEWconnect protocol.
Although this is not a separate piece of physical hardware, the app still offers an encrypted access method that keeps your keys away from online servers and stored in a secure, local location on the phone itself. The wallet is secured with a mnemonic phrase for recovery purposes should the phone become lost, stolen, or broken. Just like hardware wallets, the MEW wallet app functions as an HD wallet with multiple addresses, allowing you to create multiple accounts.
In Part 3, we’ll take a look at mobile wallets and the differences between custodial and noncustodial wallets. We’ll also explore the benefits and detriments of centralization, and how it can have an effect on user experience.