Either the explosiveness and high dollar value of non-fungible tokens (NFTs) distract investors from improving their operational security to avoid exploits, or hackers are simply after the money and use very sophisticated strategies to break into collectors’ wallets.


At least that has been the case for me in the past when I fell for the classic message sent to me via Discord that caused me to slowly but too quickly lose my most valuable assets.


Most Discord scams happen in a very similar way, where a hacker takes a list of members on a server and then sends them direct messages in the hope that they will take the bait.


“It happens to the best of us” are not the words you want to hear about hacking. Here are the top three things I’ve learned from my experience on how to double down on security, starting with minimizing hot wallet usage and simply ignoring links sent in DMs.

A short course on hardware wallets

After my hack, I was immediately reminded, and I can’t repeat it enough: never share your seed phrase. Nobody has to ask for it. I also realized that I could no longer trade security for convenience.

Yes, hot wallets are easier and faster to trade with, but they don’t have the added PIN and passphrase protection of a hardware or cold wallet.

Hot wallets like MetaMask and Coinbase are connected to the internet, making them more vulnerable to hacking.

Unlike hot wallets, cold wallets are applications or devices where the user’s private keys are offline and do not connect to the internet. Because hardware wallets work offline, they prevent unauthorized access, hacks, and common system vulnerabilities that can occur online.

What’s more, hardware wallets allow users to set a personal PIN to unlock the device and to create a secret passphrase as an added layer of security. Now the hacker needs to know not only the user’s recovery phrase and PIN, but also the passphrase to confirm a transaction.

Passphrases aren’t talked about as much as seed phrases, as most users may not use a hardware wallet or be familiar with a cryptic passphrase.

Access to a seed phrase will unlock a set of wallets corresponding to it, but a passphrase can also do the same.

How do passphrases work?

Passphrases are in many ways an extension of the seed phrase, in that they mix the randomness of a given seed phrase with the user’s personal input to compute a completely different set of addresses.

Think of passphrases as being able to unlock a whole set of hidden wallets on top of those already created by the device. There is no such thing as a wrong passphrase, and you can create an infinite number of them. This way users can go the extra mile and create decoy wallets as plausible deniability to divert any potential hack away from the main wallet.

Recovery seed/passphrase chart. Source: Trezor

This feature is useful when dividing digital assets between accounts, but terrible if forgotten. The only way for a user to re-access hidden wallets is to enter the exact passphrase, character by character.

Like the seed phrase, the passphrase must not come into contact with any mobile or network device. Instead, it should be kept on paper and stored in a safe place.
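The derivation described above, as an added example that is not part of the original article. It assumes the wallet follows the public BIP-39 and BIP-32 standards, as Trezor devices do; the mnemonic is the published BIP-39 test vector, and `wallet_tag` and `wallets_for` are hypothetical helper names.

```python
import hashlib
import hmac
import unicodedata

# Published BIP-39 test-vector mnemonic (public knowledge; never fund it).
TEST_MNEMONIC = "abandon " * 11 + "about"


def _nfkd(text: str) -> bytes:
    # BIP-39 requires NFKD normalisation before UTF-8 encoding.
    return unicodedata.normalize("NFKD", text).encode("utf-8")


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Seed = PBKDF2-HMAC-SHA512(mnemonic, "mnemonic" + passphrase, 2048 rounds).

    The passphrase only changes the salt, so every passphrase, including
    the empty one, yields a valid 64-byte seed. Nothing is ever "wrong".
    """
    return hashlib.pbkdf2_hmac(
        "sha512", _nfkd(mnemonic), _nfkd("mnemonic" + passphrase), 2048, 64
    )


def wallet_tag(seed: bytes) -> str:
    """Short label for the wallet tree rooted at this seed.

    BIP-32 derives the master node as HMAC-SHA512(key=b"Bitcoin seed", seed).
    The node is hashed again so no key material is printed; this tag is an
    illustration only, not the BIP-32 key fingerprint.
    """
    master_node = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return hashlib.sha256(master_node).hexdigest()[:16]


def wallets_for(mnemonic: str, passphrases: list[str]) -> dict[str, str]:
    """Map each candidate passphrase to the wallet it opens."""
    return {p: wallet_tag(bip39_seed(mnemonic, p)) for p in passphrases}


if __name__ == "__main__":
    # Constructed candidates: no passphrase, the intended one, a case slip
    # and a trailing space. Each opens a different, perfectly valid wallet.
    candidates = ["", "TREZOR", "Trezor", "TREZOR "]
    for phrase, tag in wallets_for(TEST_MNEMONIC, candidates).items():
        print(f"{phrase!r:10} -> wallet {tag}")
```

Because a mistyped passphrase opens an empty but valid wallet instead of raising an error, check the receiving address of a hidden wallet against a written record before sending funds to it.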

How to set up a passphrase on Trezor

Once a hardware wallet is installed, connected, and unlocked, users who wish to enable this feature can do so in two ways. If the user is in their Trezor wallet, they will click on the Advanced Settings tab where they will find a checkbox to enable the passphrase feature.

Trezor wallet landing page. Source: Trezor

Similarly, users can enable this feature if they are in Trezor Suite, where they can also see if their firmware is up to date and if their PIN is set.

Trezor wallet landing page. Source: Trezor

There are two different models of Trezor, Trezor One and Trezor Model T, both of which allow users to activate passphrases in different ways.

The Trezor Model One only offers users the ability to enter their passphrase in a web browser, which is not the best option in the event of a computer infection. However, the Trezor Model T allows users to use the device’s touchpad to enter a passphrase or type it into a web browser.

Trezor Model T / Trezor wallet interface. Source: Trezor

On both models, once a passphrase has been entered, it will appear on the device’s screen, awaiting confirmation.

The flip side of security

There are security risks, although it sounds counterintuitive. What makes a passphrase so strong as a second step on top of the seed phrase is precisely what makes it vulnerable. If it is forgotten or lost, the assets are as good as gone.

Of course, these extra layers of security take time and extra precautions and may seem a little over the top, but my experience has been a hard lesson in taking responsibility for securing each asset.
