Learn

A guide to wallet security & best practices

Written by Algorand Foundation | Feb 1, 2024 12:02:00 PM

A crypto wallet is used to sign transactions when interacting with a blockchain network, as well as to store digital assets including crypto coins, NFTs, and tokens.  A wallet contains a public key (the wallet address) and a private key (basically your password), which is needed to complete and sign transactions. Whoever has access to the private key, controls the assets.  

There are multiple types of crypto wallets that individuals and organizations can utilize. The level of security is different per wallet type.

Types of wallets include:

Custodial Wallet: With a custodial wallet, the private key is controlled and maintained by a third-party. Common examples of custodial wallets include those you set up when utilizing crypto exchanges, like Coinbase or Binance.

Non-Custodial (Hot) Wallet: In non-custodial wallets (that are connected to the internet), the private key is controlled by the individual owner of the wallet. Examples of non-custodial wallets built on Algorand include Pera Wallet and Defly. 

Cold Wallet: Cold wallets are by definition not constantly connected to the internet. This is the case when your private key is secured offline through a hardware wallet, or maybe even saved in a piece of paper in a safe place. Examples of hardware devices for cold storage are the Ledger and Trezor devices.

So to be clear: the key defining characteristic between a custodial and non-custodial crypto wallet is who ultimately controls the private keys to it.

 

With non-custodial wallets, the responsibility of storing and securing the private keys lies solely with the wallet owner. That means if you opt to secure your own assets, you must understand the responsibility and ensure that they’re properly stored and protected against cyber and physical threats. The benefit of this means that you fully and singularly control access to your assets, the definition of self-sovereignty.

When setting up a non-custodial wallet, you will be prompted to copy down sensitive information such as the private key and recovery phrases. (The latter refers to a series of random words which, when entered into a new device in the correct order, automatically migrates your crypto wallet and any funds it contains to the new device.)

Copying this information down onto an offline source (like written on a piece of paper) is a backup measure in case the device storing your non-custodial crypto wallet gets lost, compromised or damaged. If you lose your 25-word recovery passphrase that unlocks the account, no one can grant you access.

Tips for Users to Keep Their Wallets Safe:

  • Protect your passwords by using a password manager to generate complex and unique passwords and for secure storage. If you create a strong, complex password via a password manager you typically won’t need to rotate your password too often. If you think you have been compromised it is best to update your passwords and 2FA immediately. Be mindful to never use the same password for multiple accounts, especially sensitive accounts related to banking apps, crypto, or your email.
  • Enable 2FA on all accounts, including exchange accounts. App-based 2FA is generally safer than SMS authentication options.  
  • Utilize a sensitive, account-only email address (or multiple) for sensitive accounts related to banking, crypto, or similar. This will widen your attack surface for a bad actor.
  • Keep your seed phrase to yourself and keep it off internet-connected devices.
  • Protect your seed/recovery phrase offline and make more than one copy. Split the phrase in half and store it in two separate locations such as in safety deposit boxes. Remember:  If you lose your 25-word recovery passphrase that unlocks the account, no one can grant you access.
  • Use a secure hardware wallet such as Ledger and keep it in a secure location (Fireproof & Waterproof Safety Deposit Box).
  • Keep your browsers, devices, and computer operating systems up to date.
  • Verify sender email addresses before replying or sharing any information.
  • Enable allowlisting (or whitelisting) on all wallets and accounts when available.
  • Do not share or expose your private key to anyone.
  • Only buy hardware wallets such as the Ledger Hardware wallet from trusted vendors. (It is recommended not to purchase these devices on Amazon, eBay, etc. as there are many third-party, unverified sellers.) 
  • When buying hardware wallets online, have them shipped to an Amazon locker location (or similar). In the event that a vendor has a data breach, your home address won’t be compromised.
  • When connecting your wallets to dApps or other third party sites, only leave your wallet connected for the duration that you are using the dApp. In other words, disconnect your wallet from the application as soon as you're finished using it.  
  • Balance is important. One wallet should not hold all of your crypto or NFTs. 

Account Rekeying on Algorand

A unique feature on Algorand is the option to “rekey” a wallet account. This becomes important in the event that a wallet account becomes compromised. 

On other networks, when a compromised private key needs to be changed, an entirely new account with Different Public Address and Private Spending Key need to be opened - and assets within that account have to be moved from the old Public Address to a new address representing a new account, creating inefficiency and onerous operational overhead.

Regularly changing the Public Address and Private Spending key also creates downstream implications, for example, the potential to interrupt automated, recurring transactions. Rekeying solves for the existing Public Address and Private Spending key friction by allowing users to change their Private Spending key without the need to change their Public Address. Rekeying enables more flexibility, Public Address continuity of use and permanent identifier with less overhead when changes to the Private Spending key occurs. 

 

Users on Algorand can secure existing accounts with a new Private Spending Key at any time, including with a hardware wallet, a multisig account, or smart contract based key (smartsig). 

Learn more about Algorand Rekeying.

Additional resources related to security for some of the wallets supporting $ALGO:

Pera Wallet Security Overview (blog)

Pera Wallet (Guide to setting up Pera wallet account)

Defly App Guide

Manage Algo with Ledger Live

Connect your Ledger Nano X to the Pera wallet app