2 Wallets for security best practice?

I am trying to understand security best practice with Trezor wallets.

I have a Trezor T wallet with a 24-word seed phrase and a passphrase. I have been told that having cold and hot wallets on 2 different hardware wallets is best practice.

So wallet #1 is your cold storage where you keep your funds. When you buy, sell or swap you first transfer your funds to wallet #2 and from there do the trading. If you have bought then you transfer back to wallet #1.

My question is, do you need 2 Trezor hardware devices, OR can this be effectively done using 2 passphrase wallets on the single device?

1 Like

This is what Chat GPT says...

Yes, it is possible to achieve a similar level of security and separation of funds using a single Trezor device with two passphrases. Trezor allows you to set up multiple "hidden" wallets using different passphrases, effectively creating separate wallets under the same device.

Here's how it works:

  1. Main Wallet (No Passphrase): When you first set up your Trezor device, you create a standard wallet that doesn't require any additional passphrase. This is your default wallet, and funds stored here are accessible without a passphrase.
  2. Hidden Wallets (Passphrase Setup): Trezor supports the use of passphrases for additional layers of security. By entering a passphrase during the device setup, you create a separate, hidden wallet. This passphrase is needed each time you want to access this wallet. You can set different passphrases for different wallets, and they will appear as completely separate wallets, each with its own set of addresses and private keys.
  • For example, you can have Wallet #1 (for cold storage) where you use a strong passphrase that you rarely use and store funds with the intention of never connecting to exchanges.
  • You can set Wallet #2 (for trading) with another passphrase, and this wallet would be used for active transactions or trading, where you connect it to exchanges.

Advantages of this approach:

  • Reduced Risk of Compromise: If one wallet is compromised (e.g., through an exchange hack or exposure while trading), the funds in the other hidden wallet (cold storage) would remain safe, as they require a different passphrase to access.
  • Convenience of a Single Device: You only need to manage one Trezor device for both wallets, so it's simpler to use compared to maintaining two devices. However, you still get the security of separate, isolated wallets with distinct passphrase protection.

Things to Keep in Mind:

  • Passphrase Security: The security of the second wallet relies on the secrecy of the passphrase. If someone gains access to your passphrase, they can access the funds in that wallet.
  • Backup: You need to securely store the backup for the passphrase and the recovery seed for your device. Losing either one would mean losing access to your wallet.

In conclusion, while using two separate Trezor devices (one for cold storage and one for active trading) can offer added peace of mind with physical separation, using two passphrases on a single Trezor device can achieve a similar outcome and is a viable option for most users.

2 Likes

You donā€™t need 2 Trezor hardware devices.

Yes. Donā€™t put all your eggs in one basket.
It is recommended to use multiple hidden wallets to store coins to share the risk. Although hardware wallets can protect private keys, smart contract chains such as bep20 can still steal funds by stealing authorizations. Especially if you often receive airdrops, you are likely to be fooled.

2 Likes

Although hardware wallets can protect private keys, smart contract chains such as bep20 can still steal funds by stealing authorizations. Especially if you often receive airdrops, you are likely to be fooled.

Is this where you see those transactions that are flagged by the Trezor? Does it only happen if you get lured in and actually sign the transaction? Or can the stealing authorization happen without your knowledge too?

Thanks for your time!

2 Likes

Every wallet on a hardware wallet is considered a cold wallet.

To answer your question: You can use different passphrases in combination with the same seed phrase on the same hardware wallet to separate your trading portfolio from your hodling portfolio.

If you want to have a real hot wallet on your mobile phone or your PC, you should generate an entirely new seed for this purpose and store it in a secure location, for example in a password manager.

For your cold wallets:
Besides your hardware wallet, never enter your seed phrase on any device that will ever have access to the internet again. If someone has your seed phrase, he can probably bruteforce your passphrase, if your passphrase isn't as strong as a seed phrase by itself.

1 Like
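To make the two points above concrete (each passphrase opens an independent hidden wallet on the same seed, and the passphrase is the only thing separating a seed-holder from the funds), here is an added illustration that is not from the thread or from Trezor: it derives the BIP39 seed the way any BIP39 wallet does (PBKDF2-HMAC-SHA512, 2048 rounds, salt "mnemonic" + passphrase, NFKD-normalised input). It uses the publicly known all-zero-entropy test mnemonic, which must never hold funds.

```python
import hashlib
import unicodedata

# Publicly known BIP39 test mnemonic (all-zero entropy), used here only
# as a constructed sample. Never use it for real funds.
TEST_MNEMONIC = ("abandon " * 11 + "about").strip()


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 64-byte BIP39 seed from a mnemonic and optional passphrase.

    Per BIP39: PBKDF2-HMAC-SHA512, 2048 rounds, password = NFKD(mnemonic),
    salt = "mnemonic" + NFKD(passphrase). An empty passphrase gives the
    standard wallet; any other string gives a separate hidden wallet.
    No passphrase is ever "wrong": a typo simply opens a different (empty)
    wallet, which is why the backup of the passphrase matters as much as
    the backup of the seed words.
    """
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, dklen=64)


def wallet_fingerprint(mnemonic: str, passphrase: str = "") -> str:
    """Short, illustrative fingerprint of the wallet a passphrase opens.

    (Assumption for this demo: the first 8 hex characters of the seed; a
    real wallet shows an account address instead, but the idea is the same.)
    """
    return bip39_seed(mnemonic, passphrase).hex()[:8]


def distinct_wallets(mnemonic: str, passphrases: list[str]) -> int:
    """Count how many different wallets a set of passphrases opens on one seed."""
    return len({bip39_seed(mnemonic, p) for p in passphrases})


if __name__ == "__main__":
    # "trading", "Trading" and "trading " (trailing space) are three
    # unrelated wallets: the passphrase is case- and whitespace-sensitive.
    for p in ["", "trading", "Trading", "trading "]:
        print(repr(p).ljust(12), wallet_fingerprint(TEST_MNEMONIC, p))
    # Whoever holds the seed words needs only one PBKDF2 call (2048 rounds)
    # per candidate passphrase, so a short or dictionary passphrase adds
    # little; its strength has to come from its own entropy.
```

Unicode input is NFKD-normalised before hashing, so a composed "é" and a decomposed "e" + combining accent open the same wallet; case and spacing differences do not.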

I have used that same seedphrase online with an Exodus wallet before, so I am going to buy a new Trezor and set up on that. I'll wipe my current Trezor and use that as my backup / recovery device.

Another question in relation to this. Do I need to use 2 wallets with this method when buying and selling on a regulated exchange as well, or is this just for DeFi exchanges?

You are on a good way now.
Remember that if you put your seed in a device with internet connection, it becomes a hot wallet, even if you delete it later.
Set up a new wallet and then put this seed on both of your Trezors.

You donā€™t need different wallets at all.
It is an option to increase security but not necessary.
If you just want to protect yourself against signing a malicious smart contract, you can just create multiple accounts and only use an account with a small balance for DeFi.

So to be clear, this is really only needed for DeFi, NFTs and swapping coins?

Not really when you buy or sell from a regulated exchange?

I use Easy Crypto in New Zealand.

I asked Chat GPT in terms of my last question
and this is what it said...

Yes, when I say "connect it to exchanges," I mean connecting your Trezor wallet to any cryptocurrency exchange, whether regulated or not. The key idea is to separate your "cold storage" (long-term holdings) from your "active trading" funds.

Even when using regulated exchanges (like Coinbase, Kraken, or Binance), it is still a good security practice to keep your long-term, large holdings in a separate wallet that never interacts with exchanges. This is to minimize the risk of losing funds due to potential exchange hacks, software vulnerabilities, or even mistakes. The funds in this "cold storage" wallet remain safe, as they are not exposed to exchange risks.

For the "trading" wallet, you can keep a smaller amount that you actively use to buy and sell on exchanges. This wallet is more exposed to risks from the exchange, but it allows for easier interaction with the platform. By having different wallets (one for cold storage and one for active trading), you ensure that even if something happens to the exchange, your main holdings remain secure.

This approach is considered best practice because it balances convenience (for active trading) and security (for your long-term savings). You can also set up additional passphrases for these wallets to further protect them.

If you just make a transaction from the exchange to your address, your funds are not at risk.
Your funds are at risk when you sign any type of smart contract or interact with an unknown NFT.

If you connect in a way that you need to confirm it on your Trezor, it is possible that your funds are at some risk.
For the amount you buy in the moment of the transaction you have to trust the exchange anyway, but you could limit the value per crypto account to, for example, 500$ and create a new account if the old one is full (all accounts under the same seed).

Okay, I really appreciate your advice. I have been misled and confused due to my lack of understanding.

So if I am just sending to an exchange and receiving from an exchange and not signing contracts, then I am as safe as you can be, especially when I have a passphrase wallet.

I'd love to hear from @BtcLtc to get your thoughts too. I am guessing you would agree with this statement?

@Montser I suggest learning more about the passphrase, for example here:

Passphrase will not protect you from signing malicious DeFi contracts; that is up to you to know what you are signing.

Generally, yes, it is good practice to have separate wallets for different purposes with a passphrase or splitting your amounts between wallets. But that is completely up to you.

1 Like

@forgi - Hi and thanks for your reply. I guess I am still NOT 100% clear on how funds can be stolen.

Are you saying that as long as I don't sign 'malicious DeFi contracts' then funds can't be taken from my wallet?

If I don't use DeFi and only swap my coins from Trezor in some cases.

Basically yes, that is correct. And as long as you keep your recovery seed safe.

1 Like

Can you give me more information on what this is and looks like so I know for sure please?

A form of theft using smart contracts.