Wallet Safety 101

Since Yoroi wallet just launched I thought I would address some security practices that a user should employ.

First, always look to the official wallet documentation, Yoroi Wallet Security FAQ:

"Is Yoroi Safe?

Yes, Yoroi is safe. The private keys associated with a user's wallet are stored only on the user's computer and they are encrypted with the wallet password that only the user should know. They are not stored on centrally hosted servers. If an attacker gains access to a user's computer and Yoroi wallet, no funds can be moved without the wallet password."

  1. Your computer should be secure; when you leave it, lock your screen.
  2. Yoroi encrypts your keys BUT that encryption is dependent on the password you set on your wallet!
    2.a. Use only strong passwords and use that password only on this wallet. Should you ever get locked out of your wallet, or have forgotten or lost your sending password, merely restore Yoroi with the 15 words that created your wallet in the first place, simple as that.


For me, I only use a physical device, hardware layer of protection, that securely generates and stores all my keys. I use Nitrokey as they open source their code, no backdoors. I just ordered Librem Key from Purism, which was built by Nitrokey, making it also open source; therefore a very secure key.

As an aside, I know many are waiting for some hardware key maker to add Cardano, but why wait for them when you can do it now yourself?


Below is Yoroi asking for confirmation to send out:

See that “SPENDING PASSWORD” input? A hardware key can populate that field for you, making your Yoroi wallet ultra safe, as no one can access the sending key because it’s on your hardware key, not on your computer or saved to some online web service.


The Yoroi wallet is a great wallet, just like the Daedalus wallet, but how safe these wallets are once in your possession is dependent on you. Cardano has done its part; now do yours: use only strong passwords and consider getting a hardware key, so you never have to remember or generate those long passwords again.

Happy October everyone.

21 Likes

Wow! You really maintain good InfoSec hygiene!

Thanks for sharing info about the Librem key. How do you find it? Are you able to completely eliminate software password manager?

2 Likes

thanks for sharing!! I will translate the two points you mentioned to the Chinese community :slight_smile:

2 Likes

Thank you for sharing, really useful!

2 Likes

Does Nitrokey or Librem Key store the private key of a wallet or just the password / passphrase? How would I put my Daedalus private key on it so that no hacker could get it?

It can, just not for the wallets we currently have. Cardano Rust wallets are coming, and Nitrokey (open hardware key) will generate our public & private keys on board if I have any say on the next iteration of Daedalus; I call it R-Daedalus.

Attention Cardano Rust developers, IOHK I’m thinking of you: nitrokey-rs is a libnitrokey wrapper for Rust providing access to Nitrokey devices.

Think of it, R-Daedalus + Nitrokey, Cardano needs this open hardware solution.

Best,

I am Dirk and I live in Belgium. I installed Yoroi perfectly.

And could put some ADA on it.

Now I am trying to send ADA to Binance, and they ask for the "spending password".

Oops, where can I find that password? Or what password do they mean?

PS: my Dutch was translated with Google, haha

Greetings,

Yoroi asks for it when sending to Binance, right?
That password should have been set when you installed Yoroi.
If you do not know your password, you can remove the Chrome extension and restore Yoroi using the recovery passphrase.

Make sure you have your Yoroi passphrase before you remove and reinstall the Yoroi extension.

Cheers,

1 Like

Hoy,

I have found it now, haha.

I thought it … was a rotation code, and that’s why I searched for it, oops.

Then I used “the password” from Yoroi and the transfer to Binance was successful.

Thanks for the fast reaction.

Cheers,

2 Likes

I have been asked to explain the open hardware key, Nitrokey, specifically how I use it and why it is so secure.

Let’s start with the top three reasons why it is so secure:

  1. True Random Number Generator (TRNG) for generating keys on the device, not on the computer running the device. This means that even if your computer is compromised it cannot gain access to your keys.
  2. Open-source hardware and software; you understand this, otherwise you would not be reading this post. I should point out that open-source hardware is very rare: 99.9% of all hardware keys use proprietary hardware, sad but true.
  3. To use the device you must first unlock it with your PIN; after three strikes the device is locked and unusable. If you ever lose your device you know that you are still protected.

Once the USB key is inserted into your computer input your PIN to unlock the device for use:


I have 3 of the 16 possible password safes set:

Once a password is selected a timer starts that removes the password from your computer’s memory, below it is set to 10-seconds in the application interface:

If the time runs out, select the password again.


Sixteen password safes are available for all your online activity:

Notice the “Generate random password” button; that password comes from the hardware True Random Number Generator (TRNG), not from your computer, making it very, very secure!

Keep in mind, taken from Nitrokey site:

  • Secret keys are always stored securely inside the Nitrokey. Their extraction is impossible. All sensitive cryptographic operations are securely computed in the Nitrokey via TRNG.
  • User-chosen PIN protects in case of loss and theft against brute force attacks.
  • Immune to computer viruses, Trojan horses, phishing attacks and other malicious software.
  • Tamper-proof design prevents sophisticated physical attacks with laboratory equipment.

I said this before: use strong passwords on your Cardano wallets and get a hardware key to manage those passwords for you. One of the best hardware keys available today is Nitrokey Pro 2; another choice is the SmartCard-HSM EA+ key.

Once you use a hardware key, you will never go back to using insecure passwords again.

6 Likes

Hi, thank you for the introduction! So, with Yoroi, can one start to participate in PoS mining?

Probably not, Daedalus will have that ability as soon as staking starts though.
Also, Daedalus on Linux is coming for another solid choice :wink:

I think the specifics haven’t been disclosed. However, take into consideration that “POS Mining” would involve intermediaries that would form “stake pools”.

I read it that @ahcaiahcai was interested in delegating to pool(s), participate, not running a pool, I could have read that wrong though.

Hi Jotunn,

Thanks for explanation and introduction. I wasn’t aware of these devices.

It looks great for asymmetric cryptography purposes as everything happens in the device, but for password management, it has some disadvantages (at least for me):

  • Only 16 records is quite low. I would like hundreds, so I can use a different password for every site/application.
  • It does not protect you in case you get some virus/malware which can read your clipboard. A HW wallet is a superior solution if that’s the main purpose.
  • In case it breaks or you lose it, you lose all the passwords.

It would be nice if it would have initial seed (so you can recover it on new device) and could use URL + user as “salt” for unlimited password storage :slight_smile:

BTW puri.sm phone and laptop look nice as well :slight_smile:

1 Like
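The seed-plus-salt scheme @hivos suggests above, written out as an added example (this is not code from the post, from Nitrokey or from any Cardano project): a single random master seed is the only secret, and url + user act as the salt, so a replacement device loaded with the backed-up seed reproduces every password. It uses only Python's standard library; the alphabet and the 200,000-iteration count are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import string

# Password alphabet: a constructed choice for this example, not taken from the post.
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"
# Largest byte value that maps onto ALPHABET without modulo bias.
_LIMIT = 256 - (256 % len(ALPHABET))


def new_seed() -> bytes:
    """Create a 256-bit master seed.

    On a hardware key the device TRNG would do this step; here the OS CSPRNG
    stands in. The seed is the only thing that needs an offline backup.
    """
    return secrets.token_bytes(32)


def derive_password(seed: bytes, url: str, user: str,
                    length: int = 24, iterations: int = 200_000) -> str:
    """Derive a per-site password from the seed, using url + user as the salt.

    Same seed + same site + same user always gives the same password, so a
    lost or broken device is recovered by loading the seed onto a new one.
    """
    # Normalise the salt so "HTTPS://Example.com" and "https://example.com" agree.
    salt = (url.strip().lower() + "\x00" + user.strip()).encode("utf-8")
    # Slow KDF stage: only matters if the seed is ever a human-chosen
    # passphrase instead of random bytes, but it costs little to keep.
    key = hashlib.pbkdf2_hmac("sha256", seed, salt, iterations)
    chars = []
    counter = 0
    # Expand the key with HMAC in counter mode and keep only unbiased bytes.
    while len(chars) < length:
        block = hmac.new(key, counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
        for b in block:
            if b < _LIMIT:
                chars.append(ALPHABET[b % len(ALPHABET)])
                if len(chars) == length:
                    break
    return "".join(chars)


if __name__ == "__main__":
    demo_seed = new_seed()
    print(derive_password(demo_seed, "https://example.com", "alice"))
```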

Hello @hivos

Yes, Nitrokey has limited storage; with that in mind I use it as a key maker’s key: it unlocks all other key storage that requires 100% control.

I also use it to unlock my encrypted drive. With it inserted I get to Qubes OS/Debian (I flip between them); without it the laptop boots into Windows, for plausible deniability.

Puri.sm phone just updated their website, do check it out:

https://puri.sm/products/librem-5/

1 Like

Using it as a master password for a password manager is a great idea, but then I would be scared that it breaks or I lose it. Is it more probable that I lose the Nitrokey or that I forget the master password? :slight_smile:

1 Like

True, which is why I always back up to an air-gapped machine that never goes online; a Raspberry Pi Zero with no wifi works great and is only $5.00. Nitrokey is one way to be 100% decentralized for generating randomness; the key of all keys demands nothing less :sunglasses:

3 Likes

I have the same question as Dirk from Belgium. I created a Yoroi wallet, then transferred my ADA from Bittrex into it. At no point during the creation of the wallet was I asked to create a “spending password.” Just a password for the wallet. Are they one and the same, or do I create a spending password the first time I try to send ADA from the wallet?

The wallet password is indeed the spending password.

If you are using the Yoroi Chrome extension, note that it shows your ADA holdings without asking for your wallet password. It will only ask you for that password when you are sending ADA.