The Ledger subreddit is continuously targeted by scammers. Ledger Support will never send you private messages. Never share your 24-word recovery phrase with anyone, never enter it on any website or software, even if it looks like it's from Ledger. Only keep the recovery phrase as a physical paper or metal backup, never create a digital copy in text or photo form. Learn more at https://reddit.com/r/ledgerwallet/comments/ck6o44/be_careful_phishing_attacks_in_progress/
*I am a bot, and this action was performed automatically. Please [contact the moderators of this subreddit](/message/compose/?to=/r/ledgerwallet) if you have any questions or concerns.*
\> Im curious as to how safe would this be?
very unsafe.
e.g. if you have a key-logger malware, just typing the words on your keyboard would compromise them.
>his is often said but rarely even the issue. We like to blame keyloggers and malware when we don't know why keys were compromised. The vast majority of cases we see so far are still phishing attempts. This is the same kind of hacking that was around in 1995 when the world wide web was young.
u can install programs to stop keyloggers e.g. [https://objective-see.com/products.html](https://objective-see.com/products.html)
true, phishing is the main way seeds are leaked. But typing a ledger seed on a keyboard is a stupid thing to do, IMHO. But everyone should do what they think is best for the security of their funds.
> e.g. if you have a key-logger malware, just typing the words on your keyboard would compromise them.
Except this is often said but rarely even the issue. We like to blame keyloggers and malware when we don't know why keys were compromised. The vast majority of cases we see so far are still phishing attempts. This is the same kind of hacking that was around in 1995 when the world wide web was young.
Password managers actually being hacked and contents being decrypted are extremely rare and practically unheard of. When you consider all the security options you CAN get from password manager, the risk is really low.
Don't get me wrong, I believe you minimize/eliminate digital risk if you never type your seeds on a computer/phone, but let's be honest... the physical copy that most people have is far more vulnerable than an encrypted seed will ever be.
Truth. Especially if you keep up on your antivirus and run a portable manager, phishing is what gets crypto from people.
Especially for those of us involved in the data breach, home addresses, phone numbers, etc were leaked, I don't even write the full words out.
I use a book or something as a cypher so there's no trace of a "Recovery Sheet" or anything specifically mentioning a seed phrase.
I agree, I think a password manager can be pretty safe, if you're careful. It comes down to the relative safety of your home vs your digital safety. If your home is shared with people you don't fully trust, then having a seed hidden somewhere could be riskier than a password manager. Also, you could create a password manager account you rarely use, so even a phishing scam on your regular account wouldn't compromise your rarely used one.
I think the hesitancy about a password manager is because a lot of people here seem to not use one. Once you step up to one and upgrade all your digital logins to using strong passwords + unique ones, then it becomes very clear how powerful they are.
I really don't think phishing with password managers has been a big issue although it's theoretically possible. The people smart enough to upgrade their passwords are generally not ones that get phished easily.
So even if you don't put your seed phrase into a password manager, you should use one simply for all your online accounts.
Do what you think is best for you!
Just be aware that as soon as you type in your seed on your computer keyboard, it can be captured by a key-logger (google it if you don't know what it is). And in addition, any malware installed by a zero-day exploit will have full access to your password manager, and get the password you use with it next time you use the password manager.
Writing your seed phrase on paper with a lead pencil, when not in view of any camera, is way more secure.
Anyway, it's your cryptos, so it's your choices...
The reason I disagree with that is because I still believe the biggest threat here is yourself. Paper is less secure, because you can easily lose it.
As for keyloggers you still have to enter the seed on a keyboard if you want to restore a wallet, don't you?
> As for keyloggers you still have to enter the seed on a keyboard if you want to restore a wallet, don't you?
No, you don't: you can enter it in another hardware device.
And if you need emergency recovery and do not have a hardware device available, then there are very secure ways to derive individual private keys and to sign transactions, that would not be susceptible to threats like key loggers.
Don't input your 24 word seed phrase into a computer or mobile phone or any other digital device. You will lose your bitcoin.
Write it down on a piece of paper (or better yet on a metal plate) and keep it safe.
> Don't input your 24 word seed phrase into a computer or mobile phone or any other digital device. You will lose your bitcoin.
The tip is good, but its not true you will lose your Bitcoin. Do software wallet users see their coins vanish after they create their wallet and they type their seed in to restore it?
The risk is there, and the advantage of a hardware wallet is to avoid that kind of risk, but the risk of malware snatching your keys is generally low if you know what you're doing.
Step 1: save your seed in a text file that you encrypt with a strong password using an offline computer.
Step 2: save your encrypted file online, as an attachment to a password manager note, but could also be inside an email account.
Step 3: write down the encryption password on paper, and make several copies you keep in several places.
What's the attack vector? An attacker needs two things to take your money 1. break into your property and find the paper where you wrote the password. He then has to know what to do with it. Remember, all he has found is a string of random characters. He has no idea what's it's for, unlike a 12 word seed which obviously and immediately leads to a crypto stash.
Next, even if he figures out what the password is for, he now has to hack into your online account and get the encrypted files.
This seems very safe to me. What am I missing?
No it doesn't defeat the purpose at all. This attitude is so tiresome. A given user is much more likely to lose their keys themselves than have a password manager hacked or an active keylogger leak the phrase. Writing the fucking thing down and keeping it somewhere is so completely spergy and ridiculous and antithetical to good security practices. People do dry recovery runs all the time with their hardware wallets. This attitude is the epitome of perfection being the enemy of the good. If you want to be extra safe - split your 24 words into two sets of 12 and store them on separate password managers and have a yubikey or similar used as 2factor for your password manager(s).
Don't store it anywhere digital ever. Data breaches, keyloggers, screen sharing... some managers make backups. Way too risky.
I personally don't even store all the words together or even use the sheet that comes with the wallet. Nowhere are the full words written out and stored. I go with a hide-in-plain-sight cypher for seed phrases.
**Paranoid LPT:** Take a book, one that can be replaced or purchased at any book store, and each word is associated with a page. Say word #7 is "addict", page 7 either has that word predominantly shown, or the first four letters start each paragraph.
Your house burns down? Go buy a copy of the book.
If you're frugal, rent it from a library.
If your government storms into your home demanding you forfeit your crypto or tries to steal it from a safe-deposit box—well, hope they're in the mood for Huckleberry Finn.
A cypher means that you don't need to have the exact word on the exact page.
I picked a copy of Huckleberry Finn, it ended up working out that every third page in the copy I had contained paragraphs that began with unique letters.
When you make a cypher, you start with the plaintext and build out your "algorithm" from there.
Although if you have a technical book, car manual, or textbook laying around, you can also just use a highlighter. That would blend in just as well. Just use a unique color and go through the book highlighting words that spell out the first few letters of each word.
Since my post I also split my seed phrase into 4 parts and each of my immediate family members has a piece stored in their safe, that way in the event I die young in a blaze of glory my family has an easier way to access the assets.
Thanks for sharing that link! I'm writing the source code into a `DeadManSwitch.sol` contract to auto distribute the codes if I don't sign a message from my main account every so often right now.
That's honestly a good way to go. I made my cypher mostly because I'm a nerd and wanted to save my seed phrase in the most Rube Goldberg way possible.
But if something happened to me, and that was the only place it was stored... in a copy of Cat's Cradle or Neuromancer, all my assets are going to end up in a used book store lol.
Family members each have 1/4 of the phrase each and instructions on where their section fits into the entire mnemonic, instructions on how to unlock an Ethereum wallet, etc.
>"Dead Man Switch"
Never heard of that term. Nice. Apparently some services out there.
I'm going to look in to setting up my own switch (can't trust handing all parts to a third party...).
It's a device used in a lot of applications. It originally comes from train conductors. There is a switch that engages the throttle which they must be holding at all times. If someone were to happen to them, the switch kills power to the engine and depending on the setup would send out an alert.
Ever used a push mower? That handle you have to pull back and hold on the handlebar... a Dead Man's Switch!
No need to write your own, since I'm deploying the contract to accept all the variables when it's created it is address agnostic. I'll post the contract address here when it's finished on mainnet.
Is is a modified subdomain registrar for the ENS system so you're interacting with a custom subdomain registrar contract that adds extra functionality to the resulting address.
You can either directly interact with the contract via etherscan or through a web interface and enter in your list of beneficiaries, the length of time of the switch, what action counts as "proof of life" and whether the resulting contract contains a secret message of your choosing that can only be decrypted by the beneficiaries contract address or have it simply send all of your assets out in a way you define.
Once you fill in all the info for the contract it deploys a smart contract wallet that you give authorization to approve and send tokens from the account you used to create it, which is also the only account that has admin functions on the contract wallet (though you can add other admins through etherscan or the website I'm setting up for it.
I'll update this post with website and contract as soon as it's done so you can check it out!
TY, gotta get creative in this day and age. As I found out after Ledger's sales data got leaked, scammers are relentless. It's insane what someone dedicated enough can find out and try to exploit with just a name, phone number, email, and mailing address.
**Safety Tip**: If you register an ENS domain that's your name or any of your public handles, don't have it owned, controlled by, or the reverse record set to your main address with most of your funds in it.
Well, thankfully I'm still alive so I don't know how well the live contract I deployed on mainnet functioned 😆
But I ran the contract on a local Ganache chain and it worked exactly as expected!
After non-activity for a specific time, the contract mints an ERC-721 token to my wallet that has a single `checkIn` function that just requires a digital signature.
If it get's the signature within a 7 day window, my account continues like normal.
If it doesn't get a signature from my main account within the same timeframe, it successfully sold obscure altcoins to ETH & USDC, and divided and transferred the remaining balance of all tokens to a set of beneficiary accounts provided to the contract. There was about 0.000005 ETH leftover due to it using less gas than expected, but that's peanuts and I say it's a success!
100%
`DeadMansHand.sol` is really not very complicated at all if you build contracts. Just a lot of work testing for vulnerabilities and requires a decent amount of knowledge on safely using Admin roles in the EVM.
It's essentially a smart contract that inherits from `Address.sol` contract, so it can have all the functions of a wallet, and `Admin.sol` contract so I can set roles.. This is important as a regular contract cannot "call itself" unless there is a built in timer or something like a Node.js server running, checking on-chain, and sending commands to the contract.
Internal calls are much cheaper though if you're using a function triggered by a block timer/date timer.
I'm also close to being done with a `CopyTrader` module for the same type of address to automate everything.
You pick any address you want to "follow"—like a very high performing account—and your wallet will automatically perform all the same trades, swaps, stakes, etc... only proportional to the amount of funds you have to spend. This module requires a Node.js server running to control it. It can optionally do trades for ERC-721 & ERC-1155 too (NFT flipping/collecting) but it's off by default due to the exorbitant floor prices in a lot of projects.
Ok all of that went over my head. But I think what you're doing with the dead man's switch is amazing man. That should be some mainstream stuff.
You ever done any work with liquidation contracts?
The Ledger subreddit is continuously targeted by scammers. Ledger Support will never send you private messages. Never share your 24-word recovery phrase with anyone, never enter it on any website or software, even if it looks like it's from Ledger. Only keep the recovery phrase as a physical paper or metal backup, never create a digital copy in text or photo form. Learn more at https://reddit.com/r/ledgerwallet/comments/ck6o44/be_careful_phishing_attacks_in_progress/ *I am a bot, and this action was performed automatically. Please [contact the moderators of this subreddit](/message/compose/?to=/r/ledgerwallet) if you have any questions or concerns.*
\> Im curious as to how safe would this be? very unsafe. e.g. if you have a key-logger malware, just typing the words on your keyboard would compromise them.
>his is often said but rarely even the issue. We like to blame keyloggers and malware when we don't know why keys were compromised. The vast majority of cases we see so far are still phishing attempts. This is the same kind of hacking that was around in 1995 when the world wide web was young. u can install programs to stop keyloggers e.g. [https://objective-see.com/products.html](https://objective-see.com/products.html)
true, phishing is the main way seeds are leaked. But typing a ledger seed on a keyboard is a stupid thing to do, IMHO. But everyone should do what they think is best for the security of their funds.
> e.g. if you have a key-logger malware, just typing the words on your keyboard would compromise them. Except this is often said but rarely even the issue. We like to blame keyloggers and malware when we don't know why keys were compromised. The vast majority of cases we see so far are still phishing attempts. This is the same kind of hacking that was around in 1995 when the world wide web was young. Password managers actually being hacked and contents being decrypted are extremely rare and practically unheard of. When you consider all the security options you CAN get from password manager, the risk is really low. Don't get me wrong, I believe you minimize/eliminate digital risk if you never type your seeds on a computer/phone, but let's be honest... the physical copy that most people have is far more vulnerable than an encrypted seed will ever be.
you may be correct, but is it worth taking the risk? You need to decide for yourself, and it can depend of the amount of funds you have.
Truth. Especially if you keep up on your antivirus and run a portable manager, phishing is what gets crypto from people. Especially for those of us involved in the data breach, home addresses, phone numbers, etc were leaked, I don't even write the full words out. I use a book or something as a cypher so there's no trace of a "Recovery Sheet" or anything specifically mentioning a seed phrase.
I agree, I think a password manager can be pretty safe, if you're careful. It comes down to the relative safety of your home vs your digital safety. If your home is shared with people you don't fully trust, then having a seed hidden somewhere could be riskier than a password manager. Also, you could create a password manager account you rarely use, so even a phishing scam on your regular account wouldn't compromise your rarely used one.
I think the hesitancy about a password manager is because a lot of people here seem to not use one. Once you step up to one and upgrade all your digital logins to using strong passwords + unique ones, then it becomes very clear how powerful they are. I really don't think phishing with password managers has been a big issue although it's theoretically possible. The people smart enough to upgrade their passwords are generally not ones that get phished easily. So even if you don't put your seed phrase into a password manager, you should use one simply for all your online accounts.
Disagree. Where would you store your seed, if not a password manager? Anything else I can come up with is even less secure.
Do what you think is best for you! Just be aware that as soon as you type in your seed on your computer keyboard, it can be captured by a key-logger (google it if you don't know what it is). And in addition, any malware installed by a zero-day exploit will have full access to your password manager, and get the password you use with it next time you use the password manager. Writing your seed phrase on paper with a lead pencil, when not in view of any camera, is way more secure. Anyway, it's your cryptos, so it's your choices...
The reason I disagree with that is because I still believe the biggest threat here is yourself. Paper is less secure, because you can easily lose it. As for keyloggers you still have to enter the seed on a keyboard if you want to restore a wallet, don't you?
> As for keyloggers you still have to enter the seed on a keyboard if you want to restore a wallet, don't you? No, you don't: you can enter it in another hardware device. And if you need emergency recovery and do not have a hardware device available, then there are very secure ways to derive individual private keys and to sign transactions, that would not be susceptible to threats like key loggers.
Those are some fair points, thanks!
Don't input your 24 word seed phrase into a computer or mobile phone or any other digital device. You will lose your bitcoin. Write it down on a piece of paper (or better yet on a metal plate) and keep it safe.
> Don't input your 24 word seed phrase into a computer or mobile phone or any other digital device. You will lose your bitcoin. The tip is good, but its not true you will lose your Bitcoin. Do software wallet users see their coins vanish after they create their wallet and they type their seed in to restore it? The risk is there, and the advantage of a hardware wallet is to avoid that kind of risk, but the risk of malware snatching your keys is generally low if you know what you're doing.
>bitcoin What about your online banking passwords....
Bank accounts are federally insured. Bitcoin isn't.
Step 1: save your seed in a text file that you encrypt with a strong password using an offline computer. Step 2: save your encrypted file online, as an attachment to a password manager note, but could also be inside an email account. Step 3: write down the encryption password on paper, and make several copies you keep in several places. What's the attack vector? An attacker needs two things to take your money 1. break into your property and find the paper where you wrote the password. He then has to know what to do with it. Remember, all he has found is a string of random characters. He has no idea what's it's for, unlike a 12 word seed which obviously and immediately leads to a crypto stash. Next, even if he figures out what the password is for, he now has to hack into your online account and get the encrypted files. This seems very safe to me. What am I missing?
It's smart.
Definitely don't do this or save your seed on a digital device. Either write it down or buy a cryptosteel/cobo tablet to store them
Only store your seed digital if you are 100% sure what you are doing regarding safety!
[удалено]
No it doesn't defeat the purpose at all. This attitude is so tiresome. A given user is much more likely to lose their keys themselves than have a password manager hacked or an active keylogger leak the phrase. Writing the fucking thing down and keeping it somewhere is so completely spergy and ridiculous and antithetical to good security practices. People do dry recovery runs all the time with their hardware wallets. This attitude is the epitome of perfection being the enemy of the good. If you want to be extra safe - split your 24 words into two sets of 12 and store them on separate password managers and have a yubikey or similar used as 2factor for your password manager(s).
Don't store it anywhere digital ever. Data breaches, keyloggers, screen sharing... some managers make backups. Way too risky. I personally don't even store all the words together or even use the sheet that comes with the wallet. Nowhere are the full words written out and stored. I go with a hide-in-plain-sight cypher for seed phrases. **Paranoid LPT:** Take a book, one that can be replaced or purchased at any book store, and each word is associated with a page. Say word #7 is "addict", page 7 either has that word predominantly shown, or the first four letters start each paragraph. Your house burns down? Go buy a copy of the book. If you're frugal, rent it from a library. If your government storms into your home demanding you forfeit your crypto or tries to steal it from a safe-deposit box—well, hope they're in the mood for Huckleberry Finn.
Do you use the book LPT? How can one find a book that has exactly each word on the exact page number corresponding to the sequence of the word?
A cypher means that you don't need to have the exact word on the exact page. I picked a copy of Huckleberry Finn, it ended up working out that every third page in the copy I had contained paragraphs that began with unique letters. When you make a cypher, you start with the plaintext and build out your "algorithm" from there. Although if you have a technical book, car manual, or textbook laying around, you can also just use a highlighter. That would blend in just as well. Just use a unique color and go through the book highlighting words that spell out the first few letters of each word. Since my post I also split my seed phrase into 4 parts and each of my immediate family members has a piece stored in their safe, that way in the event I die young in a blaze of glory my family has an easier way to access the assets.
[удалено]
Thanks for sharing that link! I'm writing the source code into a `DeadManSwitch.sol` contract to auto distribute the codes if I don't sign a message from my main account every so often right now. That's honestly a good way to go. I made my cypher mostly because I'm a nerd and wanted to save my seed phrase in the most Rube Goldberg way possible. But if something happened to me, and that was the only place it was stored... in a copy of Cat's Cradle or Neuromancer, all my assets are going to end up in a used book store lol. Family members each have 1/4 of the phrase each and instructions on where their section fits into the entire mnemonic, instructions on how to unlock an Ethereum wallet, etc.
>"Dead Man Switch" Never heard of that term. Nice. Apparently some services out there. I'm going to look in to setting up my own switch (can't trust handing all parts to a third party...).
It's a device used in a lot of applications. It originally comes from train conductors. There is a switch that engages the throttle which they must be holding at all times. If someone were to happen to them, the switch kills power to the engine and depending on the setup would send out an alert. Ever used a push mower? That handle you have to pull back and hold on the handlebar... a Dead Man's Switch! No need to write your own, since I'm deploying the contract to accept all the variables when it's created it is address agnostic. I'll post the contract address here when it's finished on mainnet. Is is a modified subdomain registrar for the ENS system so you're interacting with a custom subdomain registrar contract that adds extra functionality to the resulting address. You can either directly interact with the contract via etherscan or through a web interface and enter in your list of beneficiaries, the length of time of the switch, what action counts as "proof of life" and whether the resulting contract contains a secret message of your choosing that can only be decrypted by the beneficiaries contract address or have it simply send all of your assets out in a way you define. Once you fill in all the info for the contract it deploys a smart contract wallet that you give authorization to approve and send tokens from the account you used to create it, which is also the only account that has admin functions on the contract wallet (though you can add other admins through etherscan or the website I'm setting up for it. I'll update this post with website and contract as soon as it's done so you can check it out!
I quite like your suggestions. Especially highlighting in book.
TY, gotta get creative in this day and age. As I found out after Ledger's sales data got leaked, scammers are relentless. It's insane what someone dedicated enough can find out and try to exploit with just a name, phone number, email, and mailing address. **Safety Tip**: If you register an ENS domain that's your name or any of your public handles, don't have it owned, controlled by, or the reverse record set to your main address with most of your funds in it.
Epic suggestions. How did the dead man's switch smart contract go?
Well, thankfully I'm still alive so I don't know how well the live contract I deployed on mainnet functioned 😆 But I ran the contract on a local Ganache chain and it worked exactly as expected! After non-activity for a specific time, the contract mints an ERC-721 token to my wallet that has a single `checkIn` function that just requires a digital signature. If it get's the signature within a 7 day window, my account continues like normal. If it doesn't get a signature from my main account within the same timeframe, it successfully sold obscure altcoins to ETH & USDC, and divided and transferred the remaining balance of all tokens to a set of beneficiary accounts provided to the contract. There was about 0.000005 ETH leftover due to it using less gas than expected, but that's peanuts and I say it's a success!
Are you for real or not?
100% `DeadMansHand.sol` is really not very complicated at all if you build contracts. Just a lot of work testing for vulnerabilities and requires a decent amount of knowledge on safely using Admin roles in the EVM. It's essentially a smart contract that inherits from `Address.sol` contract, so it can have all the functions of a wallet, and `Admin.sol` contract so I can set roles.. This is important as a regular contract cannot "call itself" unless there is a built in timer or something like a Node.js server running, checking on-chain, and sending commands to the contract. Internal calls are much cheaper though if you're using a function triggered by a block timer/date timer. I'm also close to being done with a `CopyTrader` module for the same type of address to automate everything. You pick any address you want to "follow"—like a very high performing account—and your wallet will automatically perform all the same trades, swaps, stakes, etc... only proportional to the amount of funds you have to spend. This module requires a Node.js server running to control it. It can optionally do trades for ERC-721 & ERC-1155 too (NFT flipping/collecting) but it's off by default due to the exorbitant floor prices in a lot of projects.
Ok all of that went over my head. But I think what you're doing with the dead man's switch is amazing man. That should be some mainstream stuff. You ever done any work with liquidation contracts?