“With sufficient resources and the right expertise an attacker will be able to extract the recovery seed from any hardware wallet.”

I don't understand why this is true for other hardware wallets like Ledger, ColdCard, etc. Can someone explain?

source:

https://blog.trezor.io/is-your-passphrase-strong-enough-d687f44c63af

3 thoughts on ““With sufficient resources and the right expertise an attacker will be able to extract the recovery seed from any hardware wallet.””

  1. The private keys on the device are protected by strong encryption – usually something like AES. The encryption key is derived from your passphrase or PIN that you use to unlock the hardware wallet and sign the transaction.

    If the attacker can gain access to the ciphertext (by reading the encrypted data from the hardware device), then they can start to brute-force the passphrase. Basically guess and guess using a big server farm, trying possible passwords until they get a correct decryption.

    That’s why creating a strong, high entropy passphrase for the device encryption is so critical. Given sufficient entropy (randomness) in the passphrase, it becomes unfeasible for an attacker to guess the passphrase even with a LOT of resources.

    Provided that the encryption is correctly implemented, the factor that decides whether or not the encryption is able to be cracked is the strength of the passphrase.

    Use a random passphrase generator or diceware to get a high-entropy but also human-readable, memorable passphrase: one that’s strong but easy to write down or store in an encrypted password manager for later use. Never put the seed in a password manager since it defeats the purpose of a HW wallet.

  2. > like Ledger, Coldcard

    • Coldcard: https://blog.ledger.com/coldcard-pin-code/
    • Ledger: https://support.ledger.com/hc/en-us/articles/360015738179


    Nothing can be 100% secure. Just “mostly” secure. There will always be possible vulnerabilities. The key takeaway is that all of these vulnerabilities have been fixed in subsequent software / hardware updates. Just stay well informed and keep your software / firmware stack up to date and you will be fine.
