User manual:Security best practices
Below is a list of recommended security practices that will ensure maximum safety for your Trezor and your funds.
Choose a good PIN
The PIN is a powerful tool to keep your coins safe. It is a barrier protecting your accounts from lurking hands and unwarranted physical access to your device.
Enable the PIN protection and choose a unique and memorable PIN.
Do not use a simple or predictable PIN, such as "1234," or any series of repeated or sequential numbers.
Suggestion: The numbers displayed on the Trezor screen when it requests a new PIN are in a random order which changes every time you use your device. You can use them as the basis for your PIN if you do not have any better ideas. For example, you can use the first two rows when you see the matrix for the first time.
If you have trouble remembering your PIN, write it on your recovery seed card.
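As an added illustration of what "predictable" means in the advice above (this is example code, not part of the Trezor manual or firmware), the check below flags the patterns the text warns against: repeated digits, ascending or descending runs, and short repeated groups. The minimum length of four digits is an assumption chosen for the demo, not a device limit.

```python
def pin_weaknesses(pin: str, min_length: int = 4) -> list:
    """Return the reasons a PIN is predictable; an empty list means none were found.

    The patterns checked are the ones the manual names: repeated or sequential
    digits. min_length is an assumed threshold for this demo only.
    """
    problems = []
    if not pin.isdigit():
        return ["PIN must consist of digits only"]
    if len(pin) < min_length:
        problems.append(f"shorter than {min_length} digits")
    # All digits identical, e.g. "1111".
    if len(set(pin)) == 1:
        problems.append("every digit is the same")
    # Differences between neighbouring digits: {1} is "1234", {-1} is "4321".
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    if len(pin) > 1 and steps == {1}:
        problems.append("ascending sequence")
    if len(pin) > 1 and steps == {-1}:
        problems.append("descending sequence")
    # A short group repeated to fill the PIN, e.g. "1212" or "123123".
    for k in range(1, len(pin) // 2 + 1):
        if len(pin) % k == 0 and len(set(pin)) > 1 and pin == pin[:k] * (len(pin) // k):
            problems.append(f"repeated {k}-digit pattern")
            break
    return problems


if __name__ == "__main__":
    # Constructed sample PINs for the demo.
    for candidate in ["1234", "4321", "1111", "121212", "12", "7391"]:
        print(candidate, "->", pin_weaknesses(candidate) or "no obvious pattern")
```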
Keep your recovery seed safe
Do not enter your recovery seed anywhere unless the physical Trezor device instructs you to do so and you confirm your choice on your Trezor. Always trust only the instructions on your Trezor device.
If you do not use a passphrase, your recovery seed is all that is needed to access your coins. The physical security of your recovery seed is much more important than that of your device. If your Trezor is stolen, it is improbable that the thieves would be able to access it without your PIN. However, if someone steals your recovery seed, your coins can be accessed easily using a different device or wallet.
If your Trezor is lost or stops working, the recovery seed is the only way to get your coins back. It is crucial to store your seed somewhere safe from theft or physical damage (e.g., in case of a fire or a flood). We recommend using a piece of paper (e.g., the recovery card provided in the package) or cryptosteel. It might also be a good idea to examine Shamir Backup as an option.
Below are some suggestions about where to keep your recovery seed.
Where to keep your recovery seed card
- In a locked drawer, away from water and fire.
- In a place where no potential thieves are likely to access it.
- Somewhere where your family members will find it if something unexpected happens to you.
Where NOT to keep your seed
- Shared or public spaces (e.g., your office work desk)
- Anywhere online
- Offline (digital) backup (e.g., phone, digital photos, etc.)
- Encrypted folder
Use the passphrase feature
It is possible to add a passphrase to your Trezor, which allows you to make your Trezor impervious to any physical attack. Even if someone stole your device, disassembled it, and broke the chip to extract your recovery seed, your coins would still be safe. The passphrase can be any word, sequence of words or any set of letters (similar to a password) and is not stored anywhere on the device.
The flip side to this extreme level of security is that if you forget your passphrase, you might lose your coins forever. There is no other way to recover the funds.
Using this feature effectively and safely requires an understanding of its mechanics - if you are not sure how the passphrase works, we do not recommend using it. To learn more about protecting your funds with passphrases, see Passphrase and our blog articles Passphrase - the ultimate protection for your accounts, Recovery Seed, PIN and Passphrase, and 5 Reasons Why You Should Use a Passphrase (And 3 Reasons Why You Maybe Shouldn’t).
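To make the mechanics concrete, here is an added worked example (not code from the Trezor manual or firmware) of the BIP39 seed derivation that hardware wallets of this kind use: the recovery seed words are the PBKDF2 password, and the passphrase is appended to the fixed salt prefix "mnemonic". The mnemonic used is the published all-"abandon" BIP39 test vector, which is used here only for testing; the expected seed for passphrase "TREZOR" is the value from that test suite. The example shows why the passphrase cannot be read back from the device or from the seed (PBKDF2 is one-way), why an empty passphrase is simply the "no passphrase" wallet, and why a single typo or a case change selects a completely different, empty wallet rather than producing an error.

```python
import hashlib
import unicodedata


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed: PBKDF2-HMAC-SHA512 over the NFKD-normalised words.

    The salt is "mnemonic" + passphrase, 2048 iterations, 64-byte output.
    Passing an empty passphrase gives the wallet you get without one.
    """
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, dklen=64)


# Demo mnemonic: the first vector of the BIP39 test suite (for testing only).
DEMO_MNEMONIC = " ".join(["abandon"] * 11 + ["about"])

# Published BIP39 test-vector seed for DEMO_MNEMONIC with passphrase "TREZOR".
VECTOR_SEED_HEX = (
    "c55257c360c07c72029aebc1b53c05ed0362ada38ead3e3e9efa3708e5349553"
    "1f09a6987599d18264c1e1c92f2cf141630c7a3c4ab7c81b2f001698e7463b04"
)


def matches_vector() -> bool:
    """Sanity check of the implementation against the published vector."""
    return bip39_seed(DEMO_MNEMONIC, "TREZOR").hex() == VECTOR_SEED_HEX


def seeds_for(mnemonic: str, passphrases) -> dict:
    """Map each candidate passphrase to the hex seed (i.e. the wallet) it unlocks."""
    return {p: bip39_seed(mnemonic, p).hex() for p in passphrases}


def all_distinct(mnemonic: str, passphrases) -> bool:
    """True when every passphrase in the list opens a different wallet."""
    return len(set(seeds_for(mnemonic, passphrases).values())) == len(passphrases)


if __name__ == "__main__":
    # Constructed passphrase variants: correct, lower-case, and a trailing space.
    variants = ["", "TREZOR", "trezor", "TREZOR "]
    for p, s in seeds_for(DEMO_MNEMONIC, variants).items():
        print(f"passphrase={p!r:10} seed={s[:16]}...")
    print("test vector reproduced:", matches_vector())
```

Note that nothing in the derivation can tell a "wrong" passphrase from a "right" one; the only signal is that the resulting wallet holds no funds, which is exactly why a forgotten passphrase means the coins are unrecoverable.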
Get a second Trezor device
Getting a spare Trezor device is an additional safety feature to protect your funds. If your Trezor device or its recovery seed is stolen, lost, or compromised, you can always send your funds to your second Trezor or recover them using your seed.
Do not talk about how much cryptocurrency funds you have
In general, it is better to keep quiet about the balances on your accounts. Talking too much is particularly dangerous on social media and internet forums.
For example, if you tell someone on the internet that you own a lot of bitcoins, some malicious party might read that conversation. These people might then try to steal your funds using a variety of tactics - including cyber attacks and physical violence.
Just remember, loose lips sink ships.
See also: Coinjoin