Using Hardware Wallets (Setup, Passphrase, Best Practices)

Using Hardware Wallets: Setup, Passphrase & Best Practices

Lock down your keys the right way, from first unbox to recovery rehearsal.

TL;DR: Buy from official channels, initialize on-device, record the seed offline, consider a passphrase, verify addresses on-screen, and test a recovery before storing real value.

1) Unbox & Supply-Chain Safety

The number one rule: trust the device only after you’ve initialized it yourself. Purchase from the official store or a reputable retailer and inspect packaging for tamper evidence. Many attacks begin before you even plug in: pre-seeded devices, “filled-in” recovery cards, or add-on stickers that instruct you to enter your seed on a website. Discard anything suggesting a seed has already been generated for you.

  • On first boot, choose “set up as new.” If you ever see pre-filled words or addresses, stop and factory reset.
  • Avoid second-hand devices. If you must, perform a verified firmware reinstall and factory reset before use.
  • Prefer official cables/dongles; malicious USB gear exists. Keep one dedicated cable for the wallet.

2) On-Device Setup & Backups

Hardware wallets keep your seed phrase (BIP39 mnemonic) inside a secure element or microcontroller and never expose it to your computer or phone. All critical steps should happen on-device:

  • Generate the seed on the device. Write the words by hand. Do not photograph, screenshot, scan, or type them into any computer or cloud notes.
  • Confirm the seed. Most devices ask you to re-enter several words using the device buttons/touchscreen. Take your time; this is the master key to all wallets derived from it.
  • PIN code. Set a PIN that resists shoulder-surfing. Learn your device’s “wipe on X wrong attempts” behavior.
  • Derivation paths. The seed deterministically creates many accounts:
    • Ethereum/EVM commonly: m/44'/60'/0'/0/0 (account index changes the last number).
    • Bitcoin native SegWit: m/84'/0'/0' (vendors may expose this via “account 1 / account 2”).

    Note the path if you plan to import into another wallet later; wrong paths show different addresses and can confuse recovery.

  • Firmware updates. Update via the official app only. If a hash/signature is shown, verify it. Never install firmware sent by a stranger or from a random link.
  • Backups. Paper works but is fragile. Consider a metal seed plate for fire/flood resistance. Store out of sight, out of search terms (don’t label “seed”).

3) Passphrase (25th Word) & Shamir

The optional BIP39 passphrase (often called the “25th word”) mathematically creates an entirely different wallet from the same 12/24 words. It is not stored on-chain anywhere. If you forget it, no one can help: your standard seed alone will not restore the hidden balances.

  • Why use it? Adds strong protection if someone finds your seed. Without the passphrase, they restore an empty decoy wallet.
  • How to store? Either memorize a robust passphrase and rehearse it regularly, or store it separately from the seed (never on the same card or in the same safe). Letter case and spaces matter.
  • Decoys & duress. Some users keep a small “decoy” balance on the non-passphrase wallet. Avoid relying on duress PINs unless you fully understand the feature and its pitfalls.
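To make the seed and passphrase mechanics from sections 2 and 3 concrete, here is an added example (written for this page, not vendor code) that runs the actual BIP39 and BIP32 formulas with nothing but the Python standard library. The mnemonic used is the first public BIP39 test vector (eleven times “abandon” plus “about”), so it must never hold funds; the `wallets_for` helper and its names are this example’s own.

```python
import hashlib
import hmac
import unicodedata

# Constructed input: the first official BIP39 test vector. It is PUBLIC; never fund anything derived from it.
TEST_MNEMONIC = ("abandon " * 11 + "about").strip()


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed = PBKDF2-HMAC-SHA512(mnemonic, "mnemonic" + passphrase, 2048 rounds, 64 bytes).
    Both inputs are NFKD-normalised; letter case and spacing of the passphrase change the output,
    which is exactly why "Letter case and spaces matter"."""
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = "mnemonic" + unicodedata.normalize("NFKD", passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode("utf-8"), salt.encode("utf-8"), 2048, 64)


def bip32_master_key(seed: bytes):
    """BIP32 root: HMAC-SHA512 keyed with "Bitcoin seed". Left 32 bytes are the master private key,
    right 32 bytes the chain code. Every path (m/44'/60'/0'/0/0, m/84'/0'/0', ...) hangs off this pair,
    so a different seed means a completely different tree of accounts."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def wallets_for(mnemonic: str, passphrases):
    """Map each candidate passphrase to a short fingerprint of the master key it produces.
    No passphrase is ever 'wrong': a typo silently opens a different, empty wallet (the decoy effect)."""
    fingerprints = {}
    for p in passphrases:
        key, _chain = bip32_master_key(bip39_seed(mnemonic, p))
        fingerprints[p] = key.hex()[:16]
    return fingerprints


if __name__ == "__main__":
    # Same 12 words, four passphrase variants: four unrelated wallets.
    for p, fp in wallets_for(TEST_MNEMONIC, ["", "TREZOR", "trezor", "TREZOR "]).items():
        print(f"passphrase={p!r:10} master-key prefix={fp}")
```

Running it shows that the empty passphrase, `TREZOR`, `trezor` and `TREZOR ` (trailing space) each yield a different master key, which is the whole basis of the decoy-wallet idea and the reason a recovery rehearsal must reproduce the first receiving address exactly rather than merely “restore without error”.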

Some devices support Shamir Secret Sharing (SSS), which splits your seed into m-of-n shares (e.g., 2-of-3). Any m shares reconstruct the seed; fewer are useless. This eliminates a single point of failure but increases operational complexity:

  • Store shares in separate locations with different threat profiles (home safe, bank box, trusted relative).
  • Write down which shares you created (e.g., A/B/C). Don’t mix different Shamir sets.
  • Rehearse reconstructing periodically so you’re not learning under pressure.
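The m-of-n property described above, shown in an added toy implementation (not SLIP-39 or any vendor’s share format, and not interoperable with them): Shamir’s scheme over GF(2^8), one random polynomial per secret byte, with the secret as the constant term. The function names, the 2-of-3 sample run and the use of the AES field polynomial are this example’s own choices.

```python
import secrets


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (the AES field)."""
    product = 0
    for _ in range(8):
        if b & 1:
            product ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return product


def gf_inv(a: int) -> int:
    """Multiplicative inverse: a^254 (Fermat) in GF(2^8)."""
    result, base, exp = 1, a, 254
    while exp:
        if exp & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        exp >>= 1
    return result


def split_secret(secret: bytes, m: int, n: int, rng=None):
    """Return n shares (x, y_bytes). Any m of them reconstruct `secret`; fewer leak nothing about it.
    Per secret byte: random degree-(m-1) polynomial whose constant term is that byte; share x gets f(x)."""
    if not 1 < m <= n <= 255:
        raise ValueError("need 1 < m <= n <= 255")
    rng = rng or secrets.SystemRandom()
    polys = [[b] + [rng.randrange(256) for _ in range(m - 1)] for b in secret]
    shares = []
    for x in range(1, n + 1):
        y = bytearray()
        for poly in polys:
            acc = 0
            for coeff in reversed(poly):      # Horner evaluation of f(x)
                acc = gf_mul(acc, x) ^ coeff
            y.append(acc)
        shares.append((x, bytes(y)))
    return shares


def recover_secret(shares) -> bytes:
    """Lagrange interpolation at x = 0, byte by byte. NOTE: too few shares do not raise an error;
    they produce a wrong, random-looking 'secret'. That is why a rehearsal checks the first address."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    out = bytearray()
    for i in range(len(shares[0][1])):
        acc = 0
        for j, (xj, yj) in enumerate(shares):
            basis = 1                          # L_j(0) = prod_{k != j} x_k / (x_k - x_j); minus is XOR here
            for k, (xk, _) in enumerate(shares):
                if k != j:
                    basis = gf_mul(basis, gf_mul(xk, gf_inv(xk ^ xj)))
            acc ^= gf_mul(yj[i], basis)
        out.append(acc)
    return bytes(out)


if __name__ == "__main__":
    demo_secret = bytes(range(16))             # constructed stand-in for seed entropy
    a, b, c = split_secret(demo_secret, m=2, n=3)
    print("A+B:", recover_secret([a, b]) == demo_secret)
    print("B+C:", recover_secret([b, c]) == demo_secret)
    print("A alone:", recover_secret([a]) == demo_secret)   # False: one share is useless
```

The run illustrates both halves of the text: any two of A/B/C rebuild the secret, while a single share (or shares from two different Shamir sets mixed together) yields garbage without any warning, so “don’t mix different Shamir sets” and “rehearse reconstructing” are not optional.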

4) Verifying Addresses On-Device

When receiving funds, always confirm the address on the hardware wallet’s own screen before sharing or copying it. Browser extensions and desktop apps can be spoofed by malware; the device display is your source of truth. For Ethereum, match the full 0x... string (or at least several leading/trailing characters). For Bitcoin, confirm the address format (bc1… for native SegWit) and, if shown, the change/external path.

During sending, read the on-device prompts carefully: network (Ethereum vs. another EVM chain), destination address, amount, fee/max fee (EIP-1559 fields on ETH), and any contract data (token approvals, NFT transfers). If anything looks off, reject the transaction on-device.

5) Recovery Rehearsal

A recovery that’s never been tested is a risk you haven’t priced in. Before storing significant value:

  • Dry run restore. Factory reset the device (or use a spare), then restore using your seed (and passphrase, if used). You should see the same first receiving address as before.
  • Test funds. Send a small amount to a freshly derived address, then confirm you can spend it. This validates both the backup and the signing workflow.
  • Shamir check. If using SSS, reconstruct with the designated threshold shares to ensure locations and instructions are correct.

Document the steps you took in a plain-language “recovery playbook” stored offline for your future self or heirs. Keep specifics (passphrase, share locations) separate to avoid single-point compromise.

6) Ongoing OPSEC

Good security is a routine, not a one-time event. These habits reduce day-to-day risk without making usage painful:

  • Connect only when needed. Keep the device disconnected and powered off when not in use. Consider an air-gapped workflow (QR codes) if supported.
  • Use reputable companion apps. Stick to the official desktop/mobile apps or widely trusted wallets. Beware of lookalike sites and extension clones.
  • Restrict approvals. On EVM chains, token approvals can drain funds later. Grant only what you need; periodically review and revoke unused approvals.
  • Separate spending from vaulting. Keep a small “hot allowance” for frequent activity; store long-term holdings on a separate account, passphrase, or even a different device.
  • Multisig for higher stakes. For team treasuries or large personal holdings, consider a threshold wallet (e.g., Safe) with multiple hardware signers to prevent single-device loss from becoming catastrophic.
  • Travel & customs. Don’t carry your seed when you travel. If you must travel with a device, ensure it holds no critical balances: use a distinct, near-empty account and leave its seed backup at home.
  • Phishing & support scams. No legitimate support agent will ever ask for your seed or passphrase on a call, chat, or form. End the conversation immediately if they do.
  • Lifecycle & disposal. Before selling or discarding a device, wipe it via factory reset. Never throw away a device that still holds a live seed or a remembered passphrase.
  • Inheritance plan. Decide now who should recover funds if you’re unavailable. A brief, sealed letter explaining where to find the seed, passphrase, and device, plus the recovery playbook, can save loved ones from guesswork.

Signing flow refresher: Your computer constructs a transaction → hardware wallet displays key details → you verify on-device → wallet signs and returns only the signature. The seed never leaves the device.

Quick check

  1. Where should the seed be generated and entered?
  2. What’s the purpose of verifying the address on-device?
  3. Why do a recovery rehearsal?
  4. What are the trade-offs between a passphrase and Shamir sharing?
  5. List three ongoing OPSEC habits that meaningfully reduce risk.

Answers

  • On the hardware device itself (never on a PC/phone keyboard or website).
  • To defeat UI spoofing; the device’s screen is authoritative for addresses and transaction details.
  • To prove your backup actually restores the same wallet and that you can spend funds before storing significant value.
  • Passphrase adds a hidden wallet but is unrecoverable if forgotten; Shamir splits recovery into m-of-n shares to remove single-point failure but adds operational complexity.
  • Examples: keep device disconnected when idle; restrict/revoke token approvals; separate “hot” and “vault” accounts; use multisig for large holdings; update firmware only via the official app; never disclose seed/passphrase to “support”.

Go deeper

Optional next steps: practice a passphrase restore, rehearse a Shamir reconstruction, and write your recovery playbook.