Why use a passphrase with more than 128 bits of entropy?

- To forget about the stupid market for hardware wallets with secure elements.

- So you don't have to worry if your seed is stolen.

"Politicians are thieves and bastards" has an entropy of 205.

nostr:nevent1qqs0zysnu92r60vnnkuptcwekara23wdjxdux3x3agfdahuy2vfdtpqpp4mhxue69uhkummn9ekx7mq8s7kms


Discussion

A passphrase is still a multi-signature, but much easier to manage, and you should treat its backup in the same way as a multi-signature.

Multi-signatures are overrated and passphrases are underrated.

nostr:nevent1qqstl27cj5vyy4rxg7qq489cvn59x37hekty5xzh6spavzg52an6hrsmxkmak

Default seed phrase length is 12 which is about 128 bits of entropy. If you have to memorize a 128 bit passphrase just to unlock your Trezor then what's the advantage over just using a paper wallet. If you're already basically memorizing a seed phrase, just skip all hardware vulnerabilities and use a paper wallet.

The whole point of a hardware wallet is to use the security of the wallet's software and hardware to encode a memorizable low entropy pin or password into the 256 bit or higher seed that's encrypted on the device. You rely on the firmware's brute force resistance. The secure element claims to do this better but is a major centralized black box that almost certainly has a backdoor.

Point is if you're at the level where you've memorized 128 bits of entropy, just use a paper wallet and plug it into an airgapped laptop when you need to spend. You've basically surpassed the need for a hardware wallet. Very conflicting information you're spreading.

How do you just “use” a #paperwallet? Asking as a newbie and a genuine. Setting aside all the angst about “you will lose it etc”. Assume a competent adult that can keep a handwritten pen and paper document (and a copy remotely) and has dollars and wants bitcoin and only wants to use paper wallet or wallets. How would this happen?

Ideally you have a computer with no networking hardware installed running TAILS OS or Kicksecure in live mode. Then you open some sort of Bitcoin wallet software (I'd choose Sparrow) then you make a wallet, copy down the seed phrase then an address.

You could export view keys to a USB then load those into another computer with networking access. You're going to have to be careful with your network privacy while doing this as a malicious Electrum server can link your transactions to you, but using a view only wallet will give you assurance your transactions are received while the private keys are only written down on paper. You could also just watch the address you're sending to on a blockchain explorer like mempool.space

The problem with this is that on-chain all of your transactions are accumulating on one address. Terrible for privacy. There are stealth addresses in some wallets but the adoption is low thus far, I think Cake wallet and one other are the only ones that can receive stealth address payments.

Understood but basically need two computers, one which you had somehow made sure has no networking hardware, some OS that you also have and trust, a USB you also acquired and trust and even then it’s minimally paper and sounds very hard to do with any privacy. I am not trying to just complain and maybe this is all simple to more tech savvy people but my guess is like 99 out of 100 people would read that explanation and have no idea how to even start. And buried in the lines is a bunch of other stuff (just downloading without being on the network confuses me and sparrow isn’t so straightforward iirc comes with other steps like verification of keys and then will say you have to run your own node to really be able to trust sparrow anyway again iirc…. So I bet I’m being generous thinking 1% can handle all that). But even with all that, you have a wallet which is sort of 2 computers and a USB and some passphrase on paper, and you have some dollars, but still no bitcoin right? How do you cross that bridge? Literally once read to wear a disguise and find some sort of shady ATM somewhere (but somehow find these without using any internet search or maps that can track you) and expect to put in cash and get something out while getting photographed but just pull the brim low…

Best way to get non KYC maximally private Bitcoin is to buy Monero either on an exchange or ideally via Retoswap non-KYC then swapping from a site on trocador.app or via Retoswap into Bitcoin.

For those ideologically opposed to non Bitcoin projects, Bisq is your best bet: Tor onion routing by default, high fiat liquidity etc. Others exist like Mostro, Vexl, Peach but they have more tradeoffs from an OPSEC perspective but generally are easier to use. Robosats is good if your lightning setup is private but most have an LSP setup or even worse, a custodial setup like Wallet of Satoshi in which you get less privacy than with on-chain Bitcoin from your custodian.

In my opinion, if you're trying to go as simple as possible, I'd get a Foundation Passport hardware wallet and just buy Bitcoin via Bisq using either cash by mail, USPS Money Orders (assuming US), or Zelle (assuming US). Ideally use a Linux computer for this but windows works (really use Linux though). Then transfer the Bitcoin to your Passport.

If you don't mind KYC or other projects you're better off buying Monero from Kraken, sending that to a Cake Wallet (app on iOS or Android or Desktop) address then swapping to Bitcoin mid app into your Foundation wallet. That's going to give you better on-chain privacy than even buying from Bisq (your UTXO will be linked to the information you give depending on payment method) while having a pretty simple UX and excellent air gapped security with the foundation wallet.

These are just my ideas I'm coming up with off the dome, there may be a better solution but these options provide a high degree of privacy and security with a smaller learning curve.

For spending you can sign a transaction and export it via a USB stick with Sparrow and broadcast it on another computer that has networking access. This is an airgapped solution that uses maximal security. You can also make a seed signer device with a raspberry pi. Lots of airgapped options.

Granted this setup is pretty unintuitive and laborious. Only for specific threat models and use cases. You can compromise by loading the seed phrase into a hot wallet, but greater risk of loss of funds due to malware or a 0day vulnerability.

Security is a spectrum depending on your risk tolerance and threat model. If you've got a few bitcoins, you're probably going to want to do an airgapped solution as I've described, likely with multi signature too so you need to recover multiple seed phrases to sign a transaction. All tradeoffs between usability and security.

What isn't going to help much is using a Trezor but adding what amounts to a second seed (128bit passphrase) onto your seed. You still will get wrenched and lose everything. The difference between brute forcing 256 bit keys and 384bit keys is the difference between impossible and impossible. You don't gain any cryptographic security, just security theater, thus my criticism of nostr:nprofile1qqs0eac2gh86s9l24qfmnw52xawhz0f3d862yleaetpafygjmanaxlspzdmhxue69uhhqatjwpkx2urpvuhx2ue0qy88wumn8ghj7mn0wvhxcmmv9uq3uamnwvaz7tmwdaehgu3dwp6kytnhv4kxcmmjv3jhytnwv46z7ramexg's "advice".

Thanks. I am not critical or defensive of any approach I am trying to figure out what would really work for real people. It seems to me the most private cypherpunk (a word I parrot without pretending to really know) solutions are labyrinthian tech solutions using tech that probably was not available 5-10 years ago and may not be available 5-10 years from now. Seems unrealistic for almost everyone across space and time (successors need to be also expert). Again not trying to be cynical but there is hand waving towards free and open source software as if that’s a guarantee it will be usable and maintained into the future but I have no idea if that’s really more trustworthy than the alternative of profit motivated companies.

Should be clear I wrote cypherpunk above referring to the generic self described term many use - not referring to the particular poster.

You're totally right. For most, secure element hardware wallet with a simple 6 digit pin will do. They're open to attack from the secure element manufacturer and state intelligence backdoors but they're also likely completely KYCed and have no on-chain privacy so the state is not in their threat model anyway.

If one has larger holdings hiring nostr:nprofile1qqs0w2xeumnsfq6cuuynpaw2vjcfwacdnzwvmp59flnp3mdfez3czpsprpmhxue69uhkummnw3ezumr0wpczuum0vd5kzmp0ksxxx2 and having his company or another competitor set up an elaborate multisig setup would be ideal. That way they handle all the cypherpunk security stuff.

For us autistically obsessed cypherpunk types, yeah we are going as hard as possible mainly for fun.

Thanks. As a thought experiment is there a super low tech solution to make KYC irrelevant? I am thinking of something like a person buys a cold card; buys a bitcoin on coinbase; creates a 24 seed phrase “base” wallet. Then 100 wallets from that with passphrase and sends 1/100th of the bitcoin to each sub wallet. Each subwallet has had its public address used once to receive the 1/100 bitcoin. How would you make the 100 different passphrases such that 1) the person does not remember them 2) they are not physically written down anywhere near the person 3) the process that created the phrases the first time can be re created anytime and anyplace with not more than a public computer and a pay phone. Such that the person can say honestly they do not know / have access to the coins themselves at anytime, and yet they or their future heirs could. It need not be that all the phrases can be re created at the same time- in fact it would be better if the process actually required time.

A dumb example would be say the person creates 100 different nostr accounts; makes only one post with each account posting a single passphrase to a single subwallet. Then deletes the nostr public and private keys. Then creates 100 free throw away email accounts. With each email account they send a single email to their work account, home account, friend account etc. the email is set to be delivered in the future - in 1 month for account 1, 2 months for account 2, etc….

Email 1 has the npub of nostr1

Email 2 has the npub of nostr1&2

Email 3 has npubs 1,2,3… etc …

Then deletes all the emails.

So that all takes a day. Maybe destroy the computer used for all that after.

Practically then you have 24 seed words you need to keep but does no good on its own. Month after month you get a rando email leading you to nostr and to a passphrase but only if you know what the email refers to. It’s vulnerable if the email fails but subsequent emails include previous links.

I’m sure there's a much better way but on the surface this seems to make kyc less useful even to wrench attacks and creditors.

Each of those 100 transactions would still be linked to the original on chain; you have to break the on-chain link either by swapping to Monero and back but in a different amount or by using a coinjoin transaction like Ashigaru whirlpool. Coinjoined UTXOs are not accepted for selling at any exchanges and many merchants don't take them either so going Bitcoin to Monero back to Bitcoin is your best bet as most non-KYC exchanges on trocador.app or through Cake Wallet don't flag as tainted Bitcoin. I've used Pegasus swap, exolix, fixed float and more and never received a tainted UTXO.

As long as you're using Tor routing on whatever Bitcoin wallet you're using you have a strong degree of unlinkability from your final Bitcoin UTXOs at this point.

Going to the basics here since it seems you're a little new to blockchain analysis, each Bitcoin transaction spends one or more Unspent Transaction Outputs (UTXO) and results in a recipient UTXO (the full amount you're sending to the recipient), one change UTXO (the remainder that you're receiving back as change) and the fee which goes to the block miner. On-chain each transaction you make is linked to at least the UTXO that was spent to create it. If you spend two or more UTXOs then you also link those to the same owner.

If you split a UTXO that is legally linked to you (KYC process and wallet verification exchanges require before withdrawal) into 100 and anything happens with those that would be considered illicit, say the IRS claims you owe taxes on those, you're going to be the first suspect and you'll have to basically prove your innocence that you don't own them anymore.

A coinjoin breaks this link by mixing your UTXO into basically one giant transaction with many other users' UTXOs and outputs equal value UTXOs at the end making each equally likely to be owned by each input. Because there are almost certainly tainted UTXOs as at least one input, you basically taint your coinjoined UTXO with that coin's history in the eyes of Chainalysis.

Swapping to Monero looks like you send the Bitcoin UTXO to an exchange's wallet (known by law enforcement) but due to Monero's untraceability (I can explain more about this if you're curious) there's no inclination as to what happened to it on chain, while you now have that value of Monero in your wallet. If the exchange has their transactions subpoenaed by law enforcement (happens all the time so you have to assume it's the case) then they do know that you swapped to Monero. This is why I propose buying Monero in the first place, as in the US this is a taxable event. If you're insistent on buying Bitcoin I would ensure your cost basis at time of swap is as close to 0 gains as possible compared to time of purchase to avoid tax authority scrutiny. From then literally nobody, even state intelligence, knows what you do with Monero. Now if you swap that same value of Monero back to Bitcoin in one transaction, on chain that could be guessed to be you, but if you say had $800 of Bitcoin to $799 of Monero, then like 30 min later swapped $400 of Monero to Bitcoin on one exchange then $300 on another and $99 another day there's just no way that that's linked to you with any degree of remote certainty that could stand up in court. You get away with completely KYC free Bitcoin UTXOs.

Does that answer your question? A little long winded but I hope that helps.
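The two chain-analysis facts in the reply above (outputs inherit the history of the inputs that funded them, and inputs spent together are attributed to one owner) on a constructed toy ledger. This is an added example, not code from any poster; all txids and amounts are made up, and an exchange withdrawal is modelled as a transaction with no inputs.

```python
from collections import defaultdict

# Constructed ledger: a KYC withdrawal split four ways, then one piece spent
# together with an unrelated UTXO. Outpoints are (txid, output_index).
LEDGER = [
    {"txid": "kyc_withdrawal", "inputs": [], "outputs": [100_000]},   # exchange -> user
    {"txid": "split", "inputs": [("kyc_withdrawal", 0)],
     "outputs": [24_000, 24_000, 24_000, 24_000]},                    # 4_000 sat fee
    {"txid": "other_funding", "inputs": [], "outputs": [50_000]},     # unrelated source
    {"txid": "merge", "inputs": [("split", 1), ("other_funding", 0)],
     "outputs": [70_000]},                                             # 4_000 sat fee
]
TX = {t["txid"]: t for t in LEDGER}

def fee(txid):
    """Miner fee = sum(inputs) - sum(outputs); input values come from the spent outpoints."""
    t = TX[txid]
    if not t["inputs"]:
        return 0
    spent = sum(TX[p]["outputs"][i] for p, i in t["inputs"])
    return spent - sum(t["outputs"])

def ancestry(txid):
    """Every txid in the funding history of a tx's outputs. Splitting a UTXO
    into many outputs changes nothing here: each piece still reaches the root."""
    seen, stack = set(), [txid]
    while stack:
        cur = stack.pop()
        if cur in seen:
            continue
        seen.add(cur)
        stack.extend(p for p, _ in TX[cur]["inputs"])
    return seen

def input_clusters():
    """Common-input-ownership heuristic as union-find over outpoints: all inputs
    of one transaction are assumed to belong to the same owner."""
    parent = {}
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x
    for t in LEDGER:
        for op in t["inputs"][1:]:
            parent[find(op)] = find(t["inputs"][0])
    groups = defaultdict(set)
    for op in parent:
        groups[find(op)].add(op)
    return [frozenset(g) for g in groups.values()]

def same_owner(a, b):
    """True if the heuristic places outpoints a and b in one cluster."""
    return any(a in g and b in g for g in input_clusters())
```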

Understood, I am just veering off from the privacy and into what can be done in a KYC world.

Assuming all KYC transactions can and will be linked to person A’s initial buy as you stated.

Is it still possible for person A to easily divide the coins then ….

1) render themselves presently unable to access the coins (such that they honestly cannot access and no state actor pressure or other pressure can change that)

2) yet ensure they will recover that access over time incrementally

3) and similarly grant that future access across space to heirs or friends?

I think I understand what you're getting at, but I'm not sure with just Bitcoin if there's a way to lock up funds on chain until a future date or something. I also don't know what attack vector that really defends from, you're better off just not having any evidence that you own Bitcoin from any threat actor. Perhaps someone else can weigh in more.

How do you calculate entropy? I looked in some websites but somehow the “years to crack the password” that each one had showed great discrepancies (still in the billions)

KeePassXC uses the zxcvbn algorithm (modified by them), and you can also use:

https://lowe.github.io/tryzxcvbn/
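An added illustration (not from any poster here) of why strength checkers disagree: the same phrase scores very differently depending on the attacker model, and "years to crack" further depends on an assumed guess rate. It assumes the 205 figure in the opening post came from a per-character brute-force model whose pool counts letter classes only (that convention reproduces 205 exactly); the BIP39 function covers the 12-word/128-bit remark earlier in the thread.

```python
import math
import re

def brute_force_bits(phrase):
    """Naive estimate used by many checkers: size of the character-class pool,
    raised to the length. Whitespace counts toward the length but not the pool;
    with that convention the thread's phrase comes out at ~205 bits."""
    pool = 0
    if re.search(r"[a-z]", phrase):
        pool += 26
    if re.search(r"[A-Z]", phrase):
        pool += 26
    if re.search(r"[0-9]", phrase):
        pool += 10
    if re.search(r"[^a-zA-Z0-9\s]", phrase):
        pool += 33  # printable ASCII punctuation
    return len(phrase) * math.log2(pool) if pool else 0.0

def wordlist_bits(phrase, dictionary_size=7776):
    """Passphrase-cracker model: each word is one draw from a word list
    (7776 is the Diceware list size). Case and spacing add nothing, so a
    five-word sentence gets far fewer bits than brute_force_bits reports."""
    words = re.findall(r"[A-Za-z']+", phrase)
    return len(words) * math.log2(dictionary_size)

def bip39_entropy_bits(n_words):
    """BIP39 mnemonic: 11 bits per word, of which ENT/32 bits are checksum,
    so ENT = 32 * n / 3. 12 words -> 128 bits, 24 words -> 256 bits."""
    if n_words % 3 or not 12 <= n_words <= 24:
        raise ValueError("BIP39 mnemonics have 12, 15, 18, 21 or 24 words")
    return 32 * n_words // 3

def years_to_exhaust(bits, guesses_per_second):
    """Time to search the whole keyspace at a given rate. The rate assumption
    (online throttling vs. offline hardware) is the other source of disagreement."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)

if __name__ == "__main__":
    p = "Politicians are thieves and bastards"  # phrase from the opening post
    for name, b in [("brute force", brute_force_bits(p)), ("wordlist", wordlist_bits(p))]:
        print(f"{name:12s} {b:6.1f} bits  "
              f"{years_to_exhaust(b, 1e4):.3g} y @10k/s  {years_to_exhaust(b, 1e12):.3g} y @1T/s")
    print("BIP39 12 words:", bip39_entropy_bits(12), "bits")
```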