The compromise of private keys are becoming a trend in cybersecurity vulnerabilities. Here are our recommendations on what you can do to maximize security and keep your private keys safe.
Among all the security incidents that have occurred in the crypto space, the compromise of private keys is one of the most prominent root causes. Although hackers do not need to apply complex techniques to exploit this compromise, this does not mean it would not lead to huge losses in projects.
For instance, in March 2022, the private keys for Axie’s cross-chain bridge Ronin were compromised, leading to the exploitation of crypto assets worth around US$600 million.
Therefore, managing private keys safely and securely is very important for both users and developers when they interact with blockchain applications.
Based on Fairyproof’s experience and study, here is a list of 7 recommended best practices to manage private keys:
1. Do Not Code Private Keys in the Source Code
Occasionally, crypto application may need to use an external account to sign transactions by using the account’s private key. To make coding and operations easier, some developers may write the private keys directly in the source code.
As most of the crypto application’s source code is open sourced, if the code of the private key is open sourced, the application is exposed to enormous risks.
2. Use References to Private Keys
If the situation calls for the private key to be embedded in an application’s source code, we suggest the use of references pointing to the private key that is stored in alternate sources and is not publicly accessible.
3. Do Note Use Private Keys with Simple Digits or Characters
Crypto applications use hash functions to make it practically infeasible to calculate a private key based on its public key. Therefore, the more random a private key, the harder it is for hackers to guess the private key.
Users should then never use private keys consisting of characters that can be easily guessed — Such as characters or regular digits like “1234…” or “abcd…”. Hackers can easily hack through brute force to gain access to private keys of this kind through modern hacking tools.
A good rule of thumb is to randomly mix characters and digits. Some popular crypto wallets such as MetaMask use carefully designed algorithms to achieve this randomness.
4. Do Not Install Unidentified Software or Application on Devices Where Private Keys are Stored
Hackers tend to use malware or ransomware to steal private keys from users. These malware or ransomware is usually contained in malicious links. If users happen to click on these links, the malware and ransomware would be installed into their devices (Sometimes without the awareness of the user), and their private keys would be scanned by them.
5. Do Not Send Private Keys as Plain Text in Communication Tools or Utilities Like Instant Messengers
Instant messengers are the most common form of communication among crypto users. Users might send their private keys as plain text in their messages if they do not have a strong understanding of cybersecurity. These messages storing these private keys can be easily leaked, compromising security.
6. Do Not Save Private Keys as Plain Text in Physical Devices Like Hard Disks or Notebooks
Most crypto wallet users like keeping their private keys in physical devices like laptops or hard disks through saved notepad files or word documents. If these devices are hijacked or acquired by hackers, they can gain access to private keys easily. To mitigate this risk, we highly recommend users not to save their private keys as plain text, but to save hem as encrypted data in physical devices.
For crypto wallet users, a rule of thumb for saving private keys is to save them on paper which is a general recommendation by most crypto wallet applications.
7. Do Not Use Lucky Number Generation Tools to Generate Private Keys
Tools/utilities to generate blockchain addresses that contain lucky numbers exist. Some users prefer to use these addresses to showcase their special on-chain identities and keep their crypto assets in these addresses. Tools/utilities like these have been thoroughly hacked and studied by many hackers.
Hackers can easily deduce the corresponding private keys and their respective characters from these addresses, thus exploiting crypto assets kept in these addresses.
These 7 best practices will help you greatly reduce the risk of your private keys being compromised. Follow them strictly.
We hope both users and developers can interact and participate in crypto applications safely and securely by doing what they can to manage and handle their private keys with great care and caution.