Protect your funds: public/private keys and seed phrases
In this article, Inal Kardanov, Waves developer advocate, explains what you need to do to protect your funds stored on the blockchain.
The first thing a user new to blockchain has to deal with is keys. Unlike classic web applications where a username and a password are used for login, blockchains only have keys that allow identifying a user and the validity of their actions.
Because of the immutable nature of blockchain, there is no way transactions can be reversed, which creates room for scamming. Some scammers ask users to send tokens to an address, promising a double amount (as it was the case with a Twitter hack). Others lure users into sharing their private keys and seed phrases by promising profits.
The very first thing to do to avoid scam attempts is to understand what seed phrases, addresses, private and public keys are. The second and more important thing is understanding how to keep your funds safe and avoid losses.
What are seed phrases, keys and addresses?
Most users encounter seed phrases for the first time when creating a blockchain account using wallets (not exchanges!). A seed or mnemonic phrase is a source of randomness for public and private keys. We’re not going to dig too deeply into cryptography, therefore, the only thing you have to know is that a public key is a unique identifier of an account seen by everybody, while a private key is used to sign transactions (only signed transactions are valid).
Usually, seed phrases are a list of words (12–16 in most cases). Waves clients typically use 15 English words. Any combination of symbols, words, or bytes can be a seed phrase, but words are simpler to remember or write down.
Why exactly 15 and would a larger number of words lead to more security? Let’s consider Waves Exchange, which has a built-in list of words for random seed phrases. A total of 2048 words are available, and every user who creates an account receives a random subset.
15 words out of 2048 in a random order is enough to make the probability of generating two identical seed phrases negligible. True, 24 words would further reduce this probability, but the more words we use, the more the user needs to write down and/or memorize, which is an extra hurdle. What is the likelihood that someone will be able to brute-force 15 words of any wallet? This question is asked by many users. Simply put, it will take millions of years on an average CPU.
It is possible to use private keys directly without a seed phrase to sign transactions, but the point of using a seed phrase (rather than a private key) is to simplify user experience. Usually, private keys look like
BFGNZojQ2LHM2zZ2tvAEng3uZpT8zFFp1GnTEXvmMu5G, which is almost impossible to remember or write down correctly.
If you use centralized exchanges or custodial wallets, you won’t get access to a seed phrase or a private key, as they are stored in a centralized database and only the exchange has access to it. They usually show only an address of an account and sign transactions on your behalf.
An address on almost all blockchains (including Waves) is a hash of the public key with some additional properties like a checksum or version. They are shorter than a public key and help users by having a checksum to validate its integrity and completeness. For example, in the Waves protocol, it is quite easy to notice that mainnet addresses start with
3P…, while testnet and stagenet addresses start with
How to keep your funds safe?
There is no simple answer to this question or straightforward step-by-step guidelines. But we will consider various ways to handle keys and avoid fund losses, from the least secure to the most secure ones.
If you decide to use centralized exchanges or any other custodial solutions, you have to realize that you cannot get any safety guarantees for your seed phrases or private keys. They are stored in a centralized database and can be hacked in one way or another. Overall, there are two possible attack vectors on centralized exchanges:
- An exchange itself. It is beyond our control and the only thing we can do is use more reliable and older exchanges with a good reputation.
- Your account. The security of your account is only your responsibility, so always use 2-factor authentication, check the correctness of a domain, use only HTTPS versions of web addresses and password managers (1Password, LastPass).
Some applications generate an account and save it in the local storage of a browser secured with a password, so it never leaves your computer. For example, Waves Exchange has such an option. In theory, a web application can start sending seed phrases and private keys to a server and try to steal your funds.
Waves Exchange’s provider for Waves Signer is based on this architecture and has one of the best combinations of security and user experience. Give it a try if you haven’t yet.
This option is slightly better than trusting centralized exchanges and the only new recommendation here is to set a strong and unique password as well as always check the correctness of a domain and use the HTTPS versions of websites.
The more secure way is to store keys in a browser extension like Metamask or Waves Keeper. Those products’ architecture is designed to never give access to your keys as applications can only request a signature or authorization information and every action requires explicit approval from a user.
The most dangerous part is downloading a proper browser extension because there are lots of malicious ones in the Chrome Web Store. The best recommendation is to use links from projects’ official websites.
Please note that some websites launch Waves Keeper or Metamast when you open a page — don’t authorize those sites because it can harm your privacy.
Hardware wallets like Ledger or Trezor are the most secure ways to keep your funds safe. At the same time, this is not the best user experience. Hardware wallets can be used as cold wallets when you store the vast majority of your funds and from time to time transfer relatively small amounts to hot wallets in a browser extension or web-based application.
But remember that a hardware wallet does not mean that it is absolutely impossible to hack. For example, there have been cases of Trezor hacks and nobody can give a 100% guarantee that it won’t happen again with Trezor or other vendors.
Let’s summarize general rules for minimizing risks of losing your digital funds:
- Use the most secure option available for your use case and remember that “not your keys — not your coins”
- Don’t share seed phrases and private keys. You can reveal them only to add to Waves Keeper or Waves Signer. NEVER SEND IT TO ANYONE!
- Always use HTTPS version of web sites
- Don’t use on a website you don’t trust
- Some websites launch Waves Keeper or Metamast when you open a page — don’t authorize those sites
- Public keys and address are public and that’s fine
- Storing seed phrases is not easy, but necessary (backup phrases for hardware wallets are seed phrases too). Some people recommend splitting words into a few chunks, writing them down to multiple pieces of paper and hiding somewhere, but that increases the risk of forgetting where some parts are. Consider using the Shamir secret sharing algorithm or just multiple password managers instead.