Celebrating Bitcoin's 14th Birthday with Proof of Keys: Volume 1
Protect Your Bitcoin from User Error: Expert Insights on Demystifying Passphrases and Avoiding Common Mistakes
This transcript is from a Twitter Spaces conversation held on January 3rd, 2023:
NVK: Why don't we kick off with maybe talking about what are the most common ways people lose Bitcoin? I will start with one example; one of the most common examples I see is people bamboozling themselves. People will screw themselves or their coins before they ever get hacked. People go out there and they'll hear an example from somebody that's either extremely smart or extremely dumb & sounds extremely smart. And they will have like a super complicated setup. You require many, many computers! They will do a super complex multisig and then the person can’t get the money out. Very good example of this: way back in the day was Bitcoin Armory. There's probably a lot of people on this call that have lost money on Bitcoin Armory. It was fantastically safe, so safe that many people never managed to get their money out. So what other stories do you guys see as very common ways people lose Bitcoin?
Dee: I'll go second here. When I first started, I was forex trading like an idiot. Someone was like: 'Hey, I have a trading platform, buy some, give me some money, and I'll double your money.' You know, the classic. And, they were only taking Bitcoin. So I was like: 'What the heck is that? Never heard of it? Well, I've heard of it, but never bought it? How does it work?' And they said: 'Oh, go on this exchange, buy some and then send it over, and I'll send you some back.' And, they were pretty smart. I started off with a small amount, and a few hundred bucks and gave him it. And surprisingly, they actually did double my money. And then that convinced me to give them a lot more money. And that's where I felt a culprit of what they did. But, I realized at that time that Bitcoin was immutable, and there's no way that I could get back my money. And it kind of hit me hard. I was really frustrated, obviously. But there was a user error, right? It was me, being an idiot, being greedy, and wanting more money at the time. I think people need to take a little bit of responsibility sometimes when they're handling their money. Obviously, I'm still a young guy and had lots to learn. And that sent me down the Bitcoin rabbit hole. And, here I am, right. And learning how to store my keys a lot more safe than I did on an exchange, right? So that's kind of my sob story.
NVK: It comes with some real pain to learn.
Dee: Yeah, absolutely, right? And I think a lot of people when they lose money, they get mad, and they try to blame someone else. But if you really learn about these things and store things properly and understand SHA256 encryption, then hopefully you don't have anything to worry about.
NVK: Yeah, thanks for that Dee. Justine?
Justine: Hey, I think you guys are on point. I generally think the majority of Bitcoin is lost by user error. At Unchained, and in personal experience, we deal with a lot of either newcomers to self custody, or people who've been dealing with single-sig, and this is kind of their first interaction with multisig. And what I found is there's just so much to learn about Bitcoin. It's the first time in history that we can truly own our assets and money, and that takes personal responsibility. It's like anything else - if you want to grow your own food or protect your home, there are skills you have to learn. Bitcoin is the same way, but it's new and people are used to calling the bank to handle things for them.
I think as a community, we have this all or nothing mentality, and we don't talk enough about the fact that there are many things you can do, and each person has to consider their own attack vectors and skill set. It's okay to take steps. In my experience, the problem is overcomplicating things or doing something because they saw it on Twitter, even if it's beyond their skill set.
The worst thing I've seen is multiple times when passphrases are messed up—people miss one letter, forget to capitalize something, or try to memorize it and fail. Then they lose access.
User error, overcomplication, and passphrases that are too complicated for the user are the biggest threats. Outside vectors are also something to consider, but user error, overcomplication, and passphrases are the main issues.
NVK: That seems like there is a trend there. So, Lopp has this fantastic list of people who have been physically attacked over their Bitcoins. Jameson can you give people a little bit of a primer on that list and where they can find it?
Jameson: Yeah, sure. Well, it's linked directly from my main page on the physical Bitcoin attacks GitHub repository. I think it's easy for people to blow this out of proportion. Last I checked, I've compiled nearly 150 different attacks that I've come across and archived over the years, and this is actually a very small number in the grand scheme of things. It's probably one of the rarest forms of loss in the Bitcoin space, but there are patterns and things we can learn from it.
The most common event that causes this is people doing high value face to face cash and Bitcoin trades. Face to face OTC trades are risky because your counterparty may be a criminal and could assault you and take all of your money. A number of people who have experienced home invasions in the space are generally well known and flaunting their wealth on social media. This shows the importance of operational security and privacy in protecting yourself physically.
Getting back to the original question, I think one of the most common forms of loss is when you're not holding your own Bitcoin, you're keeping them with a third party. This opens you up to a multitude of forms of loss, whether it's the third party having an insider attack, being hacked, or the security system to access that third party account being compromised, usually through SIM swapping or password leaks.
When you have your Bitcoin with a trusted third party, you're still vulnerable to all of the same risks as self custody, plus a lot more because of all the things that can go wrong with the third party actors controlling access to those keys.
NVK: The amount of people who have put their seeds as a picture on their cloud storage for photos, it's insane.
Remember guys: 'the cloud' just means somebody else's computer. It's not like it's somewhere safe and it's actually yours.
Craig, you probably get a lot of a lot of support our feedback from users who have screwed up. I'm curious onto some of those questions.
Craig: I just want to echo what Justine was saying earlier: I think the number one cause of people losing funds, at least temporarily, is the passphrase. In my view, people don't seem to understand the difference between a passphrase and a password.
The major difference is that if you get a password wrong, the application very clearly tells you that you've entered it incorrectly, but a passphrase is different. People don't understand that every passphrase is valid and every passphrase creates a different wallet.
A Bitcoin wallet application will not remember the passphrase. The intent of a passphrase is that it is a random additional string that you can attach, which creates a different wallet. And once you have created a wallet with a passphrase, there's no way for the application to know which is the correct one to use. So that seems to be a very misunderstood thing.
Because many people are quite upset when they find that they have entered the wrong passphrase, received Bitcoin to that wallet, and then when they reload the wallet, they can't see the funds that they have received.
I think the major misconception I encounter the most is trying to educate people that every passphrase creates a valid wallet
People don't seem to understand that passwords can change. Think of passwords as just like a key to the wrapper, right? While the passphrase is the actual secret, it's part of your seed, and you can't change that. If that's wrong, that means you don't have the secret.
One great way of handling passphrases I find that people stop screwing up is: only use BIP 39 words for your passphrase. So pick 10 words and make that your passphrase because then you know what words to expect for the passphrase. That really helps and a lot of the wallets in the hardware wallets do have auto completion for BIP 39 words.
If you are making complex passwords for passphrases, like if you are adding exclamation marks and adding symbols, upper & lower caps… When you go look at that backup, especially if it was written by hand somewhere, it's going to be hard to know what is the cap or what is not cap. Maybe your family is trying to recover that later. If they don't recognize some character with your handwriting, you know, money gone.
Another thing you should definitely do with passphrases is once the passphrase is applied to a seed write down the XFP.
The XFP is essentially the identity of that wallet. So that means that when you're trying to recover, you have something to refer back knowing that it recovered correctly.
Jameson: The other nice thing about picking BIP 39 words and making a passphrase out of it is that it's unlikely that that's going to be related to existing passwords. A thing that I've seen a lot of people do is they'll say: "Oh, well, I have a really good password for my email, I can already remember that. So I'll just add some random characters at the end of it, or I'll add the word Bitcoin to the end of it. And that'll be my my wallet passphrase."
And then later on, they forget that they added stuff to their password, or they forget what they added. And to Craig's point, they still get a valid passphrase their wallet doesn't yell at them, but they can't get their Bitcoin, or something happens to them, they end up you know, dead or in a coma or something, and nobody knows their email passphrase or that they added this extra bit of hash to the end of it.
Make sure you treat your your passphrases, like the piece of entropy that they are and have it backed up. And also make sure it's not something too clever that you're relying on your memory to recover.
Justine: I had somebody who thought that a passphrase was just an additional layer and everything rolled back to the seed phrase. They told us they had solved inheritance by setting up a passphrase for each child, and upon their death, the seed phrases would be released. I asked if they were splitting their Bitcoin into all those wallets for the kids, and they said no, it would roll back to their main wallet created with the seed phrases. And I was like: that's not that's not how it works, you know…
I think there's something to be said about like passphrases are awesome. They're an awesome tool that you can use. But when it comes to security, maybe dig into a little bit. Don't use something so advanced that you don't understand how it works, and overcomplicate things. So just like hey, passphrases are cool. Read that read the article before you before you put your life savings behind it.
Jameson: Maybe contentious but I'm generally anti passphrase because I think as has been noted here, there are so many foot guns...
One way to look at it: it's kind of like adding a 2FA to your wallet. Now, the reason, or one of the reasons why passphrases are generally propagated as a good thing is because it's how you can protect your seed phrase backup.
If you have a clear text backup, having a passphrase that as a separate piece of secret data that is stored separately means if an attacker gets that seed phrase, they can't get all your money.
But what you've done now is you've essentially created this 2-of-2 scheme.
A 2-of-2 scheme can be pretty brittle. So you do have to be more diligent about making sure you have robust backups for both of those pieces of data.
NVK: That's great. So I disagree with Jameson. And, and a little bit of Justine too on this one. I am a passphrase lover. And you guys know that.
I think the biggest problem with passphrases is that when people are moving from single-sig le'ts say, like phone, wallet or from custody...The biggest problem is that people don't try and test their setups.
So when they set up passphrases, they just send their money without testing, and then, they have a higher likelihood of screwing it up.
And another thing too, is what I love about passphrase is that they protect you against the solutions that you're using to manage the seeds as well.
So for example, say a hardware wallet has a bug or a backdoor or something, if you're using a passphrase, there is a higher likelihood that the hardware cannot sort of like take advantage of you because it was not part of the generating that passphrase.
We can get into sort of like details on how that could happen in a million different ways. But I love that, but to their point, you are adding more complexity to your secret.
So if you are adding complexity, it is important for you to do a little bit of learning and deliver testing.
It is amazing to me that people just YOLO their first transaction to a new level, without trying to recover a backup.
I think out of all the simpler, extremely secure setups, passphrase is great. I think that once you start adding more complexity, like multisig and stuff, I think people doing that on their own often have a harder time. And that's where collaborative multisig and all that stuff start to kick in. For some people, that is a great solution.
Why don't we maybe start talking about different solutions. I think we are mature enough as a market now that this idea of suggesting everyone that there is only one set up, that is the greatest setup of all, that you only believe in that set up to be the greatest set up of all...
It's a terrible, terrible thing: shoehorning different people with different lives, they live in different places, different amounts of money, with different security thresholds, different risk profiles, into the wrong set up is actually a problem, huge problem.
It doesn't matter how secure that setup is, right? If a person just bought a few hundred dollars worth of bitcoin, you're telling them to do what 12-of-12 with 50 DVDs, and 10 laptops...it's absurd, right? That person will likely lose the money.
You don't want somebody with $100 worth of Bitcoin to go and make an account on the surface that helps them do things like multisig because it's not worth a few hundred dollars.
And then, you're gonna have people who have higher security and privacy privacy threshold, maybe they are in countries that maybe don't allow them to do business with the US.
But then you have family offices, right? Or you have people who already KYC, people with much larger amounts of Bitcoin that have no interest in becoming super knowledgeable about it, but they still want to be self sovereign. So, maybe collaborative, multisig is great for that.
Anyway, my point is: there's a lot of different people out there with a lot of different needs. I think just taking the leap to start. You have your butchered Bitcoin on a custodial Coinbase or something, getting the money out of there is the first step.
Who wants to talk about the literal first thing you can do with like 100 bucks off Coinbase?
Justine: Well, I was gonna say: should we take a second to talk about why storing on an exchange is not a good idea with the most recent FUD? I know it seems silly to even go there. But it's like, I feel like there are people now questioning: 'God, if I'm going to screw it up, maybe Coinbase is better than myself?'
I was going to kind of piggyback off of what Jameson said earlier, because I think that a lot of people, when they think about the risks with a centralized exchange, they're like, 'Oh, well, what are the chances that Coinbase is going to go under?' Right? What were the chances that FTX was going to go under?
But it's more than that. Most people's password security is terrible. Let's be honest. They're reusing passwords, they have some very minimal password that's securing their wealth on Coinbase.
And you can say 'Oh, well, I set up 2FA.' Okay, well SIM swaps are a pretty big thing. Your password and your 2FA is the only thing stopping somebody else from going in and accessing your funds.
And that's not on Coinbase. Coinbase isn't helping you. There's somebody logged in, they moved your funds, right? There's a million different reasons other than an exchange going under that you can lose your funds.
But more than that, one of the huge value outs of Bitcoin is that it cannot be censored. It's censorship resistant. You can truly own your Bitcoin, right? If it's sitting on an exchange, it's not yours. You are asking permission to use it every single time. The IRS can decide that you didn't pay your taxes properly. Even if you did, maybe there was an error on their end, and they can freeze those funds.
Maybe they don't like that you went to some protest about truckers and they can freeze those funds. There are a million different ways that you can lose access to your Bitcoin that don't include an exchange going under. Even though we've seen that recently, it's a totally plausible situation even for the big guys, right? So, yes, if you have Bitcoin sitting on an exchange, you don't own it.
Now, if you own $20 worth of bitcoin and you're like, 'Well, you know, I don't want to go through the process of buying a signing device and setting it up,' download a mobile wallet that, in my opinion, is the easiest first step, and it gets you comfortable with what seed phrases are.
Download a wallet, right? Download seed phrases, wipe the wallet, reload the wallet with those seed phrases, get really comfortable with it, send a little bit from your Coinbase account or whatever exchange you're on to that wallet, send it back, really practice with it and use it and get comfortable. In my opinion, that's the first step. And that's my pitch on why you should get your funds off exchanges at all.
They're quite fantastic because if you only have 100 dollars worth of Bitcoin on an exchange and you want to take it out, these wallets do everything without even asking you to back up the backup until you're ready to deposit. They take base-layer Bitcoin and convert it into sats for LN, so you can play around with LN and the base layer, all within this very easily manageable experience. That's very new.
Even a few years ago, there were very few mobile wallets that were safe enough, secure enough, and had verifiable sources. And there are still people who aren't going to say a phone is safe enough for a lot of money.
I would highly recommend these wallets if you're brand new, you're not ready to do anything complicated but you want to take the coins off the exchange and it's around 100 dollars worth. Spend a little bit to play around.
Next, there are wallets that do have your seed and they might be desktop or phone based. They're not hardware wallets yet, but they will require you to do your seed.
What do you do with the seed? Remember, paper burns, computers can be hacked, phones can also be hacked and they also burn and break.
Consider getting a metal backup plate if you're going to work with seeds. There are many brands that offer these at various prices, they're fairly affordable.
Punching that seed into metal will give you an incredible amount of recoverability for almost no money. So if your house burned down, the chances of that seed still existing are very high. And if it floods, same idea.
Jameson also has a fantastic link where he tests these metal backup seeds by applying house-level fire temperatures on them and trying to destroy them with acid. Most of them survived pretty well. Is that true, Jameson?
Jameson: Yeah, I would say 40% tend to get straight A grades and survive all of my tests. But of course, it's the other 60% that you need to worry about.
Justine: I'm trying to use 'explain to me like I'm 5' language for people who perhaps are like: 'What the hell is a seed phrase?'
It is the physical form of your key and that is the essence of being able to access your wallet in the long run. It is extremely important to not give it access to the internet. So extremely important, extremely important to not give it access to the internet.
And by that I mean: do not take a picture of it with your phone, do not scan it and upload it somewhere. Don't put it in the cloud, keep it physical.
And then yes, I think a metal backup is the best step forward.
If you're just getting started, like I remember when I set up my mobile, I think it was Green Wallet. I love Green Wallet by Blockstream. I wrote it down in multiple different places until I could go and do a multisig or a metal backup.
Remember: you don't want single points of failure. That's the thing to avoid.
NVK: Just one last thing on those metal backup plates: one nice thing is most of those are set up for BIP 39 words, right?
If you do use passphrase and you do use BIP 39 words, you can have a separate plate and backup your passphrase on a metal plate as well: geographically distributed! Go put somewhere else, because that's kind of the whole point.
If you do have a fire or if you do die, people can recover from that metal plate without having to question if you were trying to make an 'I' or an 'L' on that word. So this greatly greatly de-risks recoverability.
Jameson: Two really quick things on that: something that's special and maybe not obvious about the BIP 39 word list is every word on there is unique in the first four characters.
You might see some seed plates or other products that don't have you write down the entire word. The idea is that with the first four characters, you can unambiguously identify what word it is.
And that also gives you a little bit of error correction; where if the last letter in your backup could be an 'I' or a 'J', right? As long as those first four letters are clear, you're good.
And then to what NVK just said about keeping your passphrase and your seed separate. In general, when you're thinking about resiliency against loss or against theft, what you want to think about is how many uncorrelated failures, you want to be able to survive.
If you have your seed backup, and you have your passphrase, sitting right next to each other, and somebody gets to them, then they get both things, right?
But if you have your seed phrase in one location and your passphrase, somewhere else, then they have to compromise two locations to get to it.
I think as you start dialing up, whether it's multisig, or SeedXOR, or different passphrase schemes, what you're really adding is you're adding the number of things that have to go wrong for you to lose funds.
I think that a good yardstick to keep in mind, as you're thinking about the spectrum of these different solutions.
Dee: We have a lot of different perspectives here, and some people love passphrases, and some people love multisig, and other setups, I think it's important that a lot of people will kind of try and put us in a box and think, you know, there's a one size fits all for everyone. And obviously, that's not the case for self custody.
If you have a large amount of funds and you're worried about someone coming to your door maybe multisig might be for you or a passphrase, of course, in a different location or something like that.
I just think a lot of people that are trying to flood the whole self custody thing right now are really trying to put us in a simple box that we just don't fit in.
Education is key here. That's why we're here right now. You're obviously going to be listing off a bunch of different ways to self custody. So choose one that might be the best for you. And just like Justine said: practice recovery.
I think a lot of people, they set it up, they clap their hands, they're done, they generate address, and send all their money right away. Whereas they don't know how to even you know, recover the funds.
Doing a simple backup on a COLDCARD, just in putting those seeds back in, and getting getting back to your wallet that you've generated, and making sure that you're accessing the correct wallet and stuff like that. So just something to keep in mind while everyone here is talking.
Justine: It's such an empowering feeling too. As somebody who's sort of taught myself random, self sovereignty skills before I got into Bitcoin, like how to make my own medicine and random prop: taking the first step gives you the confidence to move forward.
So just wiping that wallet that you've created and reloading it and be able to access that thing with that crazy word list that you wrote down is extremely empowering, and it makes you feel confident, and then it's a little less scary.
And I remember my first COLDCARD and I tell this joke all the time. It was like that crazy calculator that sat on my shelf that terrified me, right?
And then it was: just take the first step. I set it up, I wiped it, I reloaded it and was like: oh, that's, that's really not that difficult, right?
It's just, it's just about taking the first steps, you can't mess anything up, you haven't moved any money over, right? Like download a mobile wallet, write down those seed phrases, it doesn't have to be all or nothing. Bitcoin is a journey, take the first step.
NVK: A huge feature of Bitcoin and having a common protocol is that you are client-independent. Just like email, right? When you don't want to use your email client anymore, right? You can reset up that email somewhere else. And magically all the emails show up, right? Sure. You may have centralized it's on a server, blah, blah, blah.
But from just a user perspective, when you have your Bitcoin on a seed—it's not really in the seed, but let's just say it's in the seed—when you take that seed from one vendor, and you go to another vendor, right? So from one hardware wallet to another hardware wallet.
You should be able to just see that the money appears again, right? Because it's still out there, it's still the same secret. If you're doing it right, you can just wipe your wallet. And reload the wallet with the seeds and the money will magically appear again.
That's kind of like a huge advantage of this. If you are using solutions that are not using good standards, the money is not going to reappear somewhere else.
You're gonna have a very hard time looking for a derivation path on WalletsRecovery.org
There was a lot of sob stories in why that website was created.
Okay, so we talked about passphrase on single sig: that's a solution that scale for very little money to a f*-tone of money. A lot of people do like that solution for even a lot of money.
If you are doing that for a lot of money, please make sure you have a dedicated computer, likely running only Bitcoin software on it for when you do Bitcoin related operations, because you are more exposed to single points of failure.
If somebody gets hold of the total secret, which is the passphrase plus the seed, they could take all your money. You do want to segregate a little bit further in that kind of setup.
Now we got on to multisig. Or should we talk about the backup plates and Shamir secret and SeedXOR first? What makes more sense?
Justine: I think the seed splitting makes more sense as a next step.
NVK: Right, multisig doesn't make too much sense to split the seeds.
So now you have your your seeds in metal backups, right? That's clear text. And if somebody gets ahold of that, either of the two plates of your passphrase and your seed, or if you're doing just seed, then they do have access to your money.
So for that reason, Coinkite and Trezor have come up with two different setups in which you can essentially de-risk that seed by not having it in clear text.
There is Shamir secret, which is not my favorite, but it is fairly secure. And he does give you m of n, which means if you lose just one part, you don't lose it all. With SLIP-39 you're going to essentially have say three pieces of paper or metal with those words.
And then there is my favorite, which is SeedXOR. I made a little website called SeedXOR.com.
Essentially, SeedXOR is a very fundamental computer algorithm that you can use to split a seed and without needing a computer to recover it.
You can do it by hand and paper with a little worksheet.
That to me was very important because I don't want people putting seeds on computers to recover them if they do have to reunite the two secret parts.
This is a great way of splitting the clear text backups for singlesig or singlesig + passphrase.
I'm not sure if we need to get too much into more detail of that. There's a lot of videos out there. BTC Sessions has some great videos talking about BIP 39 and also SeedXOR.
If you are doing single, singlesir or singlesig + passphrase, I highly, highly recommend you look into that:
Jameson: Two cool features of SeedXOR—one of them that NVK already mentioned—is that you can actually do it by hand.
I think any comp sci 1 student could write a little java program to do SeedXOR so it's fairly bomb-proof,.
You're not going to be reliant on finding a specific piece of software in the future to reconstitute your seed.
The other thing that's kind of cool about SeedXOR is that the seeds that you split your seed into can themselves be valid, but 39 seeds, which is also a cool feature.
NVK: Yeah, they are plausible, deniable.
It's funny you brought that up about the comp sci 1 because one requirement we had when we were creating that was that it had to be World War 2 level of complexity.
We had to work with modern computers for you to be able to do the operation in case we have nuclear holocaust. That was part of the spec.
Thanks for reading! Subscribe now to receive Proof of Keys Vol. 2