The cryptocurrency world and NFTs both come with security risk due to the financial value of some tokens. We have similar risks in the real world, where you could get mugged and have your smartphone and wallet stolen, but in that scenario, one criminal can’t easily target hundreds or thousands of people simultaneously the way online criminals are able to target people on a large scale.
Because of the risk to your NFT collection and the cryptocurrency you use to acquire NFTs, it is important to make sure that your cryptocurrency wallet is secure. This starts with never sharing your private keys with anyone. It also means you never share the seed phrase associated with your wallet, which you can think of as password recovery for your private key. If anyone else gains access to either your seed phrase or your private keys, they can access your wallet and all the contents, which means they can sell or transfer your NFTs to another wallet.
No legitimate business will ever ask you for private key or seed phrase as part of a cryptocurrency transaction.
A Deeper Dive on Wallet Security
Any discussion of securing a cryptocurrency wallet is basically talking about two things:
- Security: The steps required to be certain someone else can’t access your cryptocurrency wallet by gaining access to your private keys
- Resiliency: Protecting control of your private keys through careful behavior
Where are Your Cryptocurrency Tokens?
Understanding the role of security and resiliency requires additional background information about where your cryptocurrency tokens and NFT tokens exist. Would you be surprised if I told you the tokens aren’t actually in your wallet? This is true whether your wallet is a software wallet like Metamask or a hardware wallet like Ledger. They also aren’t stored on your computer or smartphone.
The media file associated with your NFT, the JPG, the MP4, or whatever it happens to be, is also not in your wallet. I cover this in more detail in an article about centralized vs. decentralized storage.
The actual token exists on the blockchain, which in the case of Ethereum has copies running on about 8,500 different computers around the globe. The great thing about this is that it also means there are 8,500 copies of every NFT token in existence, which is a pretty great redundancy from a backup perspective. When you buy or sell an NFT, that NFT doesn’t physically move from the seller’s wallet to the buyer’s wallet, the blockchain is updated to reflect that the buyer is now the owner of that NFT.
Public Addresses and Private Keys
A cryptocurrency wallet is the place you store private keys that go with your public blockchain address. The public address will look something like this:
Your public address is the blockchain equivalent of an email address. It’s what you share when you want someone to send you an NFT or some cryptocurrency. Your private key is what you are actually securing in your wallet. Think of it like password protection for your public wallet address. Your private key is what you use to grant permission to transfer tokens from your wallet to another wallet. The private key is also what allows you to sign messages to confirm that your wallet address approves something.
To make things more complicated, when you created your wallet, you also established a seed phrase. The phrase is typically a series of words that when read together seem like a nonsense sentence. If you think of your private key as your password, your seed phrase is the password recovery method. In a hypothetical situation where you lose your private keys, you can recreate them using your seed phrase.
Two Major Risks to Wallet Security
If another person has access to your private key or your seed phrase, you’ve got a security breach. Your wallet is compromised because that individual now has the ability to transfer tokens out of your wallet to another blockchain address.
If you lose your private key and/or your seed phrase, you won’t be able to access your wallet and you effectively no longer have access to your tokens. This is why many people put their seed phrase on paper and store it in a secure fireproof location in case of emergency.
Differences Between Hardware and Software Wallets
All wallets are software containing the private keys that allow you to complete blockchain transactions from the wallet address. This is true whether the wallet is considered a hardware wallet or a software wallet. The terminology is a little confusing, but the key difference is in how you access the software.
Hardware wallet actually means software running on a dedicated hardware device intended only to run cryptocurrency wallet software.
Software Wallet refers to software that runs on a general purpose computing device like a smartphone or laptop.
Software wallets, like Metamask, are incredibly convenient because they run as browser extensions and apps on your phone. This convenience also creates risk. If your phone or computer is infected with a virus, your private keys can be stolen. If you click a phishing link in an email, your private keys can be stolen.
Hardware wallets, like Ledger and Trezor, are less convenient because you need to buy a physical device and have it shipped to you before you can configure your wallet. Once you get the device, you go through a setup process that creates a wallet on the device. Any time you want to make a cryptocurrency transaction, like buying or selling an NFT, the physical device needs to be available to approve the transaction. The benefit to a hardware wallet is that it won’t be accessible if you click a link in your email or if your computer is infected with a virus.
Many people find it useful to have both a hardware wallet and a software wallet. The hardware wallet is used as storage for valuable items you plan to keep for a long time. The software wallet can be used for lower value transactions or for interacting with sites that may present some level of risk. When you do acquire something in your software wallet that you consider valuable, you can transfer it from your software wallet to your hardware wallet for safekeeping.