Ron asks about hardware wallet security. Let's say I use a securely protected, very long and strong passphrase with my BIP39-compliant 24-word mnemonic in my hardware wallet. Is it unsafe to publicly publish, meaning on Facebook, on Twitter, the 24-word seed, treating my passphrase as the thing that protects my assets in my hardware wallet?

Short answer, Ron? It is absolutely unsafe. Long answer, let's look at why it's unsafe. The way the BIP39 standard works is that you have 24 words, for example. It can range from 12 to 24, but most wallets have 24 words. 24 words actually encodes 256 bits of entropy, which is used to produce the master root node for your hierarchical deterministic wallet. Basically, let's say your master key is produced from these 24 words. In the process of producing that, your wallet that is BIP39-compliant will operate a password-stretching algorithm. That password-stretching algorithm has only a few rounds. It's not using a lot of rounds to stretch that. By default, if you don't use a passphrase, it uses the word "mnemonic" as the salt in that password-stretching algorithm. Think about it this way. We take the 24 words, throw in another value, which we call the salt, which is just the text of the word "mnemonic", and mix it up 2,000 times through a hashing algorithm that repeatedly hashes to produce another value. The reason for that function, that password-stretching algorithm, which is called PBKDF2, is that the password-stretching ensures that it's difficult to brute-force the passphrase. If you are using a passphrase on your BIP39-compliant wallet, then in order to check if that ends up as a Bitcoin address that has actually got money in it, or verified against a known address, you have to go through those rounds of hashing. That takes time. It doesn't take a lot of time. On a powerful computer, let's say like this laptop, it takes probably less than a millisecond.
On a much less powerful device like a hardware wallet, a Ledger, a Trezor, or a small USB device, which doesn't have enough processing capacity, it actually takes a few seconds. You'll notice when you enter your passphrase and you hit enter on your hardware wallet, it's going to give you a progress bar, and it takes maybe two or three seconds. The reason for that is, in order to make it suitable for a small hardware device like that, they had to really limit the number of rounds of stretching. Unfortunately, that introduces a weakness, because you can implement a stretching algorithm. Not only can you implement it on a laptop a thousand times faster than you can on a Trezor, but worse, on a GPU, you can do it maybe a hundred thousand times faster. On an FPGA, maybe you can do it ten million times faster. If you use an ASIC for it, you could probably do it a hundred million times faster than you can on a Trezor. Which then makes it possible to try an enormous amount of passphrases.

Now, if the attacker needs your 24-word seed and your passphrase, that is a good security mechanism. It means that if somebody finds your 24-word seed lying around (you shouldn't have it lying around, but if they do find it and it's not sufficiently physically secured), then brute-forcing the password will require either a lot of infrastructure or a lot of time. They even need to have specialized computers, GPUs, FPGAs, ASICs, etc. Or it will take a long time. By a long time, I mean that a relatively complex passphrase will keep you safe for several weeks, a month. A very strong, complex passphrase will keep you safe for months, unless the person is willing to spend a million dollars on hardware to break that passphrase. So there are these trade-offs. At the bottom end of these trade-offs is this small hardware wallet that can't do this faster than about one or two seconds when you type it in.
You don't want it to delay any more than that, because then the hardware wallet becomes difficult to use. So that's the trade-off there.

Someone astutely pointed out that your passphrase effectively is a brain wallet. We've talked about brain wallets before. Brain wallets are where you make up a phrase, hash it lots of times, produce a bitcoin private key, and use that. Brain wallets are not secure. Because, absent a second factor, you can just pre-compute a very large number of very common things that people will use as brain wallets. Phrases from Star Trek, slogans from various cultural movements, quotes from movies, TV shows, poems, stories, whatever. You can pre-compute all of that, and they will always produce the same brain wallets because there's no other factor in there. Then all you have to do is wait for someone to use that and put money into one of the bitcoin addresses. You just track a trillion bitcoin addresses, which is a simple database problem. If someone is dumb enough to put some money in there, you just take it. We've seen that happen again and again. People use brain wallets, and the moment they put money in there, within an hour, someone has taken the money, because the brain wallet they chose wasn't secure.

Now, get this. Brain wallets are more secure than what you just proposed. The number of rounds used, I believe most brain wallets use 16,000 rounds, but you can configure it. You can make your brain wallets use 100,000 rounds, which is far more than what a little hardware wallet can do. Brain wallets can be made more secure by more rounds, but they can never be made as secure as having a true two-factor system. One factor is your mnemonic, and the other factor is the passphrase, and the attacker needs both. Especially since the mnemonic itself is 256 bits of entropy, you're never brute-forcing that.
You would have to have either all of it or a significant chunk of it to have any meaningful way of brute-forcing the rest of it and the passphrase. Then you can attack BIP39 in certain ways, but it costs a lot of money and takes a lot of time.

To summarize all of that, the most important rule in cryptography is: don't roll your own crypto. Don't try to do smart things, because you will make mistakes, because you will not understand the impact on the complexity of solving the problem. Let me give you another classic example. I read this all the time, where they say, okay, all you have to do is take your 24 words and cut it in half, and store 12 words in one place and 12 words in another place. That's not the standard, and there's a reason why that's not the standard. It's not the standard because that is not secure. Next time you hear that, ask the simple question: how much less effort is it to find one half of a seed? If you split it in two, and I managed to compromise one of these 12-word packs, how hard is it for me to crack the other 12 words? Is it half as difficult as 24 words? No, it's not. It's ten to the thirty-five times less difficult, approximately. Why? Because what you cut in half is not the base, it's the exponent of the complexity. You took something that had 256 bits of complexity, and you converted it to 128 bits of complexity. 128 bits of complexity isn't half of 256 bits. It's 10 with 30-some zeros after it, or 40-some zeros after it, less complex than 256 bits. Don't roll your own crypto. Don't try to get smart about trying to implement schemes and systems to split your seed. You're far more likely to lose your money because you simply forgot the scheme, because it wasn't standard. Something happens to you, and your heirs or your family can't get to it. Or simply because you forgot a password, which we've seen again and again, and then you can't brute-force it.
Or if you go all the way to the extreme, your scheme is not as complex as you think it is, and someone can brute-force it easily. You've effectively implemented a brain wallet, and your money is going to get stolen. BIP39 is very carefully balanced to achieve the best ratio of security and ease of use and backup: security and resilience, security and recoverability, and to work on smaller hardware devices. It's balanced by people who are actual cryptographers and know what they're doing. When you try to change the way you use it, you tip that balance. You either tip it too much towards security: "I took my BIP39 seed. I cut it into 24 bits. I mixed them up. I encrypted them. I put them on Dropbox. I then erased it from the web. I can only access it on the archives." Your money is gone. You lost it because you made it too complex. You buried your money in the desert without a map. Or you traded it the other way, and then you end up with something that's too easy to break, because you didn't realize that what you were changing in the complexity was a big change, not a small change.

Don't roll your own crypto unless you are an experienced cryptographer. I'll tell you, I won't do it. I don't consider myself an experienced enough cryptographer to roll my own crypto. I use the standards that are well-tested, mature, and peer-reviewed by very good cryptographers, and they work well. So, write your seed down, use pen and paper, write it down, store it in a physically secure location, like a locked drawer, a bank safe deposit box, etch it on steel, keep multiple copies of that seed. Use a passphrase that is strong enough that it's not easily brute-forceable. 6-8 English words is just about right. Not English words from the mnemonic list. Just English words that don't mean something, a phrase that you won't be able to find on Google, that is not written in a book or that you saw in a movie.
Pick 6-8 random words, memorize them, write them down, store them in a different location, so that your family actually has a chance of getting that back. That's going to be more secure, and you're not going to get robbed as easily. Just use the standard as it was designed.

Antony had a quick follow-up there. Passphrase, does that mean the password on the hardware wallet? There are two things on the hardware wallet. There's the PIN number. The PIN number is just to protect the physical device. It has nothing to do with the seed. It's just so that if someone takes your physical hardware wallet, they can't simply unlock it. The PIN number is designed so that if you make a mistake, the delay gets twice as long. That quickly escalates to the point where you can only try one PIN a week, then one PIN every two weeks, then one PIN a month, etc. That's the PIN. It has nothing to do with how you do the security of the actual keys. The passphrase, however, which is a long phrase that you type, which is an optional component of BIP39, is an additional security factor to your seed. That is separate from the PIN. That's something that in first-generation hardware wallets, you would type onto your computer. In second-generation hardware wallets, you type directly onto the screen of the hardware wallet, so it's not entered on an online system. That's mixed in with your mnemonic phrase, and it affects the security of your key, and it protects your seed from theft.
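The following is an added worked example, not part of the talk transcript above and not code from any wallet project. It implements the BIP39 mnemonic-to-seed stretching described in the answer (PBKDF2-HMAC-SHA512, 2048 rounds, salt "mnemonic" + passphrase) with only the Python standard library, checks it against the first test vector published with the BIP39 specification, and then plays out Ron's scenario: the mnemonic is public, so an attacker only has to guess the passphrase, one PBKDF2 run per guess. Assumptions made here and nowhere in the talk: the victim passphrase and the short candidate list are constructed for the demonstration; the attacker compares BIP32 master-key bytes instead of deriving an address and checking a balance index (to avoid secp256k1 code); the GPU/FPGA/ASIC speed-ups are the talk's rough figures rescaled relative to a laptop; and the 7776-entry dictionary is a Diceware-sized word list standing in for "6-8 random English words".

```python
"""Added example: BIP39 seed stretching, and why a public mnemonic leaves
only the passphrase between an attacker and the funds.  Standard library only."""
import hashlib
import hmac
import math
import time
import unicodedata

BIP39_ROUNDS = 2048              # PBKDF2 iteration count fixed by the BIP39 spec
BIP39_SALT_PREFIX = "mnemonic"   # default salt; the passphrase is appended to it

# First test vector from the BIP39 specification (12 words; a 24-word mnemonic
# is stretched identically).  It plays the role of the mnemonic Ron would post.
PUBLISHED_MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
                      "abandon abandon abandon abandon abandon about")


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39: seed = PBKDF2-HMAC-SHA512(password=mnemonic,
    salt="mnemonic"+passphrase, 2048 rounds, 64 bytes); both NFKD-normalised."""
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = (BIP39_SALT_PREFIX + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, BIP39_ROUNDS, dklen=64)


def master_private_key(seed: bytes) -> bytes:
    """BIP32 root node: HMAC-SHA512 keyed with b"Bitcoin seed"; left 32 bytes are
    the master private key (the right 32 bytes are the chain code)."""
    return hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()[:32]


def brute_force_passphrase(mnemonic: str, target_master_key: bytes, candidates):
    """Attacker model from the talk: mnemonic known, passphrase unknown.  Each
    guess costs one PBKDF2 run.  Assumption for self-containment: we compare
    master-key bytes; a real attacker derives an address per guess and checks a
    balance index.  Returns (passphrase, guesses_used) or (None, guesses_used)."""
    for guesses, candidate in enumerate(candidates, start=1):
        key = master_private_key(mnemonic_to_seed(mnemonic, candidate))
        if hmac.compare_digest(key, target_master_key):
            return candidate, guesses
    return None, len(candidates)


def seconds_per_guess(mnemonic: str, samples: int = 10) -> float:
    """Cost of one passphrase guess (one BIP39 stretch) on this machine."""
    start = time.perf_counter()
    for i in range(samples):
        mnemonic_to_seed(mnemonic, f"probe{i}")
    return (time.perf_counter() - start) / samples


def passphrase_bits(words: int, dictionary_size: int) -> float:
    """Entropy of `words` words drawn uniformly at random from a dictionary."""
    return words * math.log2(dictionary_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to search half of a `bits`-bit passphrase space."""
    return 2 ** (bits - 1) / guesses_per_second


# Constructed candidate list: the sort of phrases a brain-wallet precomputation
# table already contains (quotes, slogans, xkcd, common passwords).
WEAK_CANDIDATES = [
    "", "password", "bitcoin", "letmein", "satoshi",
    "To boldly go where no man has gone before",
    "May the Force be with you",
    "correct horse battery staple",
    "Be excellent to each other",
]

if __name__ == "__main__":
    # Ron's setup: public mnemonic, a memorable (weak) passphrase as the only secret.
    victim_passphrase = "correct horse battery staple"        # constructed victim
    target = master_private_key(mnemonic_to_seed(PUBLISHED_MNEMONIC, victim_passphrase))
    found, guesses = brute_force_passphrase(PUBLISHED_MNEMONIC, target, WEAK_CANDIDATES)
    print(f"recovered passphrase {found!r} after {guesses} guesses")

    per_guess = seconds_per_guess(PUBLISHED_MNEMONIC)
    rate = 1 / per_guess
    print(f"this machine: {per_guess * 1e3:.2f} ms per guess, {rate:,.0f} guesses/s")
    # 6-8 random words from a 7776-word (Diceware-sized) list, as the talk advises.
    # Speed-ups are the talk's rough Trezor-relative figures rescaled to a laptop
    # (laptop 1000x, GPU 100000x, FPGA 1e7x, ASIC 1e8x a Trezor): an assumption.
    for words in (6, 8):
        bits = passphrase_bits(words, 7776)
        for label, speedup in (("this laptop", 1), ("GPU", 1e2), ("FPGA", 1e4), ("ASIC", 1e5)):
            years = expected_crack_seconds(bits, rate * speedup) / (365 * 86400)
            print(f"{words} random words ({bits:.0f} bits) vs {label}: ~{years:.3g} years")
    # Splitting 24 words into two 12-word halves: 256 -> 128 bits of unknown
    # entropy for whoever holds one half, i.e. the work drops by a factor of 2**128.
    print(f"12 of 24 words leaked: remaining search shrinks by 2**128 = {2**128:.3g}")
```

Two things worth noticing when you run it: the weak passphrase falls in a handful of guesses because the mnemonic was public, exactly the brain-wallet failure the talk describes, whereas 8 random dictionary words (about 103 bits) stay out of reach of the assumed ASIC budget by many orders of magnitude; and the per-guess cost printed for the laptop is the same 2048-round stretch that takes a hardware wallet a couple of seconds, which is the asymmetry the talk is warning about.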