Using a password manager to secure Bitcoin


Bitcoin (BTC) and the world of cryptocurrency come with various “rules of thumb,” but one of them can make all the difference to whether you truly own these assets or not.

The rule is this: “Not your keys, not your coins.” In this context, keys refers to a “private key,” which is an alpha-numeric code that gives a person in control of BTC and crypto-assets access to them. The so-called “seed phrase” is derived from these private keys.

Consisting of a combination of 12 to 24 words, this serves as a backup in case you lose your private keys. Therefore, it is imperative to safeguard both, ideally keeping them completely offline.

However, while some BTC and crypto users still attempt to secure this lifeline using password managers, they ought to take note: Cybernews reported this year on a security breach involving a popular manager, LastPass, which allegedly resulted in the loss of $53,000 worth of BTC and subsequent legal action.

The company is now facing a new barrage of allegations tied to compromised data and stolen crypto funds.

That said, is it completely unwise to utilize a password manager for this purpose, and should you avoid them entirely? Cybernews spoke to influential figures within the Bitcoin community who specialize in securing private keys to find out.

Risky managers

Douglas Bakkum, CEO and co-founder of BitBox, a manufacturer of BTC and crypto hardware wallets, stresses that these devices are widely regarded as the best means to store private keys.

This preference stems from a compelling reason — exchanges, where a substantial number of BTC and crypto users store their coins, have fallen victim to hacking incidents resulting in billions of losses. Simultaneously, hackers relentlessly seek ways to infiltrate personal devices and steal your coins.

Bakkum cautions: “When Bitcoin becomes more adopted, there will be more incentive for this to happen.” He points out that smartphones, with their unvetted millions of lines of code and internet accessibility, along with third-party apps, constitute attractive targets for cybercriminals.

Speaking on the sidelines of last weekend's Bitcoin-focused conference in Riga, Latvia, Baltic Honeybadger, Bakkum addressed a couple of concerns regarding password managers. The first issue pertained to security breaches, as evidenced by incidents like the one involving LastPass, where users storing their private keys or seed phrases learned a harsh lesson.

“On the other hand, there’s also the subject of malware that exists on your mobile phone or desktop,” he says. “If you want to use it, you have to extract the secret, and for this period of time, it’s visible on your computer — it’s actually touching the internet-connected device.” So while you may feel secure for a time, eventual exposure to risk is inevitable, he warns.

People are bad at passwords

Kevin Loaec, CEO of Wizardsardine, a provider of Bitcoin security solutions, says there might be a valid use for password managers when safeguarding private keys or seed phrases linked to smaller amounts of Bitcoin or crypto. He explains, “You won’t be walking [sic] with all our life savings, just with some spending money.”

He adds: “If you use a very strong password on top of your password manager, or you use 2FA [two-factor authentication] with YubiKey [a hardware authentication device], I think it would be OK.”

However, there's a crucial “but” to consider: Loaec says users often struggle with creating strong passwords, and may not achieve the same level of security as recommended under advanced encryption standards.

“In my opinion, seed [phrases] should never be on the computer,” he stresses, especially, if it has been or will be connected to the internet. If you still insist on using a password manager, Loaec strongly recommends a YubiKey.

“Any second factor [authentication] is very important for everything today,” he adds, also emphasizing the need to exercise caution with password recovery options as, for example, losing access to your email could result in an inability to regain access to your manager.

Unique solution

SatoshiLabs, the manufacturer behind the Trezor hardware wallet, used to provide its own password manager, but this has since been deprecated or decommissioned. Pavol Rusnak, co-founder of the company, says its manager was designed for storing website login information, not private keys or seed phrases.

Originally created as a Chrome browser extension, it had to be discontinued due to policy changes in the Google API (Application Programming Interface).

“We will probably develop this product in the future, but now we focus on the Bitcoin stuff,” Rusnak told Cybernews, adding that, unlike other password managers, each row of the database is encrypted with a unique key using the Trezor wallet.

What this means is that even if someone illicitly gains access to the manager’s master key, they cannot access encrypted passwords in the database, as only the Trezor device can do this.

But in either case, Rusnak also advises BTC and crypto users against storing their seed phrase in a password manager.

In general, Bitcoin and other blockchain developers are working to improve private key storage and seed phrases in terms of security and user experience, and there are already multiple alternative solutions available that offer better security for BTC or crypto-assets.