Hi everyone,
There have been ongoing discussions in the past few days regarding the Ledger Recover service, where it seems the seed phrase gets encrypted, split in 3, then placed in 3 jurisdictions (US, UK and France).
At first it seems like a compromise regarding security as it opens the door for collusion and state intervention to get access to one's funds, but what about this idea: use the backup service for the 24 words, and keep all funds under a passphrase. This way, you only need to remember one word/phrase (you can write it anywhere, with the benefit that it doesn't look suspicious at all like the 12/24 words combination), you can recover the base 24 words at any time, and even if the state or some hackers manage to recover your seed phrase, there are no funds there since everything is under a separate passphrase.
This would also cover the case when someone impersonates you and manages to trick the KYC process - they would know the 24 words, but without the passphrase they have nothing.
So in the end it seems like the security game in this scenario has changed from having to secure 24 words (plus a passphrase optionally), to securing a single passphrase, which arguably is much easier.
None of the materials I read said anything about a passphrase.
reply
> So in the end it seems like the security game in this scenario has changed from having to secure 24 words (plus a passphrase optionally), to securing a single passphrase, which arguably is much easier.
It depends. The advantage the passphrase has in this scenario is that it is easier to memorise (i.e. backup). But it can also be brute-forced if not of sufficient complexity.
I think your idea has merit, but the best answer is to stay away from Ledger Recover altogether.
reply
For sure, for technically capable people it's not a good idea as it goes against sovereignty. But for normies... they freak out when they hear they need to secure 24 words somewhere... Multi-signature is another option but again it's just not for beginners really. Beginners need to know someone has their back, even if they need to pay a monthly fee like to Ledger.
Having this as just an additional option I think makes sense, I heard Pascal the CEO of Ledger talking on the WBD podcast and he does make some valid points... the current best practices we have work just fine for a small set of people, the rest get freaked out and keep their money on CEX platforms which is a terrible idea.
Indeed the passphrase can be brute forced, but you can adjust your security depending on the threat level. If you're like a potential target in a hostile country or something like that, you want to go more secure; if you're in a relatively peaceful place where the possibility of seizure is not that high, I think you can get away with a shorter one, just so you fend off any smaller attackers that might get a hold of your seed phrase.
So for myself and close people, I'm sure I'll definitely stay away from such a service, as I can secure my seed just fine by myself. But I can see some cases where I talk about bitcoin to less technical people and seed phrases come up, and the option to use such a service might make sense for their particular situation.
reply
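Added example, not part of any post in this thread: a Python sketch of how a BIP-39 passphrase changes the seed derived from the same words, and how much search space passphrases of different shapes leave once the words are known to someone else. It assumes the passphrase is chosen uniformly at random and uses a constructed guess rate (`ASSUMED_RATE`); the mnemonic is the public BIP-39 test vector, and the function names are illustrative.

```python
import hashlib
import math
import unicodedata

def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP-39 seed: PBKDF2-HMAC-SHA512, 2048 rounds, salt = "mnemonic" + passphrase."""
    words = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048, 64)

def passphrase_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits, valid only if every symbol is picked uniformly at random."""
    return length * math.log2(alphabet_size)

def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to cover the whole passphrase space at the given rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)

# Public BIP-39 test mnemonic; it must never hold real funds.
MNEMONIC = "abandon " * 11 + "about"

# Assumption for illustration only: candidate passphrases tested per second by
# someone who already holds the 24 words. Real rates depend on hardware.
ASSUMED_RATE = 1e6

# Constructed passphrase shapes: (label, alphabet size, length in symbols).
SHAPES = [
    ("8 random lowercase letters", 26, 8),
    ("12 random letters and digits", 62, 12),
    ("6 random words from a 7776-word list", 7776, 6),
]

def report():
    """Return (label, bits, worst-case years) for each constructed shape."""
    rows = []
    for label, alphabet, length in SHAPES:
        bits = passphrase_bits(alphabet, length)
        rows.append((label, round(bits, 1), years_to_exhaust(bits, ASSUMED_RATE)))
    return rows

if __name__ == "__main__":
    base = bip39_seed(MNEMONIC)              # wallet reachable from the words alone
    hidden = bip39_seed(MNEMONIC, "TREZOR")  # wallet behind the test passphrase
    print("same words, different seed:", base != hidden)
    for label, bits, years in report():
        print(f"{label}: {bits} bits, {years:.3g} years at {ASSUMED_RATE:.0e}/s")
```

A passphrase a person invents has far less entropy than these uniform-random figures, so treat them as upper bounds.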
Yeah... no.
reply