Forget the wallet password doesn't necessarily mean losing coins; once the mnemonic phrase is leaked, that's the real danger.
Written by: Tyler Tai Le
Usually, I often answer questions for some newcomers to Web3 and have encountered a variety of issues.
Some people ask, "Can I recover my wallet if I mistakenly delete it or forget the password?"; some take a screenshot of the mnemonic phrase and store it in their album, thinking it's fine as long as they don't share it with others; and some still can't distinguish the difference between the accounts on trading platforms and the wallets they downloaded.
These questions seem very basic, but in reality, many people who have used wallets for years might not truly understand them.
Thus, I plan to start a new series called "Web3 Survival Manual," aiming to avoid technical jargon and specifically focus on those seemingly small yet genuinely important issues, helping everyone gradually understand and use Web3.
This article is the first piece of the "Web3 Survival Manual," starting with the most important topic: what is the difference between private keys, mnemonic phrases, and wallet passwords?
1. First, remember one thing: there are actually no coins in the wallet
Many people think their BTC, USDT, ETH, or other tokens are "stored in the wallet."
But strictly speaking, assets do not reside within the wallet app; they are recorded on the blockchain. In other words, whichever wallet you use, whether it's MetaMask, OKX, SafePal, TP, or imToken, it's more akin to a tool that helps you keep your keys safe, rather than a vault for storing assets:
The blockchain is responsible for recording how much asset a particular address possesses, where those assets came from, and where they were transferred;
The wallet is responsible for helping you safeguard the "keys" for that address and facilitating the transfer in and out of assets for that address;
For example, when you transfer funds, exchange tokens, or authorize an on-chain application, the wallet will use the privately stored private key to sign the transaction, effectively proving to the blockchain that the person controlling that address indeed agrees to execute the transaction.
Therefore, the wallet app is not a vault for coins; it is more like a box for holding keys—the real value lies in the keys (private key) inside, not in the box itself.
This also explains two concepts that many find hard to understand:
Even if the original wallet app goes bankrupt, is removed, or you accidentally delete it, as long as you have the correct private key backed up, you can download another wallet, re-import the private key, and restore it, because currently, the industry is based on the same set of technical standards, and the import logic of different wallets is interoperable; changing the box doesn’t prevent you from using the same key to unlock it;
If someone else obtains your private key, even if your phone is still in your possession and the wallet app is not deleted, they can still transfer your assets away—because they can import that key into their own wallet, and the blockchain only recognizes the key, not who has it;
2. What is the difference between private keys, mnemonic phrases, and wallet passwords?
Since private keys are so important, what are mnemonic phrases then?
Actually, the emergence of mnemonic phrases is primarily to allow ordinary people to back up their wallets more conveniently. Because private keys are a long and messy string generated randomly by the system, it’s easy to make mistakes when backing them up manually, and ordinary people can hardly remember them directly.
Therefore, the industry adopted a universal standard that "converts" private keys into mnemonic phrases consisting of 12 or 24 English words.
In other words, private keys and mnemonic phrases are essentially the same key, just in a different format. To extend slightly: theoretically, a set of mnemonic phrases can derive multiple private keys; to facilitate understanding, you can think of the private key as a specific key while the mnemonic phrase is more like a master backup of a keychain (I have also discussed why mnemonic phrases are typically generated from a fixed word list and the basic logic behind it in my article "Starting from "Chasing Shadows": The 2048 Words that Determine Trillions in Crypto Assets"). Interested friends can check it out).
Now, most mainstream wallets prompt users to back up their mnemonic phrases during creation, and rarely ask ordinary users to write down a long string of private keys directly.
However, whether it’s a private key or a mnemonic phrase, you must not share it with anyone. Generally, neither wallet customer service nor project teams nor trading platform staff will ask you to send them the private key/mnemonic phrase; anyone requesting your private key under the pretext of "validating your wallet," "removing risk control," "claiming airdrops," or "assisting in asset recovery" can essentially be treated as a scam.
So what is the wallet password?
The wallet password, which is the PIN code or unlock password set when opening the app, is only used to unlock the app itself, similar to a mobile phone screen lock, and is completely different from the private key and mnemonic phrase.
Everyone can remember a simple principle:
If you forget your wallet password, no worries; you can re-import your private key/mnemonic phrase and set a new password;
If you lose your mnemonic phrase but can still open the original wallet, there is a chance to back up or transfer assets again;
If you lose your mnemonic phrase and cannot open the original wallet, that could genuinely mean you cannot recover it;
Once the mnemonic phrase is leaked, you should immediately transfer your assets to a brand-new wallet;
3. Why do accounts on trading platforms not have mnemonic phrases?
Many people's first encounter with cryptocurrency is actually through trading platforms like Binance, OKX, or Bybit, which might raise a question: "I also have BTC, ETH, and USDT, USDC in the trading platform; why wasn’t a mnemonic phrase provided?"
Because the assets stored on centralized trading platforms are typically not managed by you directly safeguarding private keys/mnemonic phrases, but rather managed by the trading platform on your behalf.
When we log into trading platforms, we rely on our phone number/email + login password, as well as secondary verification tools like SMS codes or Google Authenticator. The balance you see in your account is primarily an internal record kept by the trading platform, not an independent on-chain address fully controlled by you.
The advantage of this method is simplicity—even if we forget the password, we can contact customer service and recover our accounts after facial recognition or identity verification, but the corresponding cost is that we need to trust the trading platform to securely manage our assets and properly handle everyone's deposits and withdrawals.
In contrast, with wallets, you safeguard your own private keys, and you primarily control the assets. You decide when and to whom to transfer funds, usually without requiring the trading platform's approval; however, at the same time, you also bear the responsibility of safeguarding the mnemonic phrase, identifying phishing websites, and avoiding operational errors.
So, I’ve been telling everyone, using trading platforms and personal wallets doesn't mean one is inherently safer than the other; rather, it's two different methods of responsibility allocation: using a trading platform delegates part of the security and custody responsibility to the platform; using a wallet takes back control over assets and the corresponding responsibilities into your hands.
Which one to choose depends on your asset scale, usage frequency, and personal risk management ability.
However, today there’s also a confusing aspect: most mainstream trading platforms typically provide both a "trading platform account" and a "Web3 wallet"; for example, in the same Binance or OKX app, you can log into a trading platform account as well as create a self-custody wallet that requires backing up a mnemonic phrase.
Although they are presented together, they are not the same account, and how assets are controlled is also completely different. The criterion is simple; if the wallet requires you to independently back up the mnemonic phrase and clearly states that the platform cannot recover it for you, then it falls under self-custody wallets.
4. Hot wallets and cold wallets: the difference lies in the private key
After understanding private keys/mnemonic phrases, distinguishing hot wallets from cold wallets becomes straightforward:
Hot Wallets: Private keys are stored on connected devices, completing signatures through phones or computers. Wallet apps provided by brands like MetaMask, OKX, SafePal, and TP typically fall under hot wallets;
Cold Wallets: The hardware wallets we often hear about are a common implementation of cold wallets. Their private keys are generated and stored in dedicated offline hardware devices, and during the signing process, private keys do not leave the devices, such as hardware devices from Ledger, Trezor, and OneKey;
Of course, nowadays, virtually all projects making hardware wallets also have their own compatible software apps, such as SafePal and OneKey.
It is important to clarify that cold wallets do not mean the entire device never contacts the internet; more accurately, it means the private keys themselves do not leave the hardware device and are not directly exposed to connected phones or computers. The actual process goes approximately like this:
A phone or computer generates a transaction waiting to be signed;
The hardware wallet completes the signing within the secure chip of the device;
The hardware wallet sends the signed result back to the phone or computer;
The phone or computer then broadcasts the transaction to the blockchain;
Throughout the entire process, the private key remains securely held within the hardware device's secure chip.
However, cold wallets, or hardware wallets, do not equal absolute security; if you take a picture of the mnemonic phrase and upload it, or input it into a phishing website, or incorrectly authorize it to a malicious contract, then no matter how secure the hardware device itself is, it becomes meaningless.
Ultimately, hardware wallets protect the storage and signing environment of private keys, but cannot protect users from actively leaking the mnemonic phrase.
Regarding the specific choices between hot wallets and cold wallets/hardware wallets, we'll discuss them in detail in the next article.
5. Can mnemonic phrases really not be stored on cloud drives?
I also have friends repeatedly asking me: "Is it okay if I store the mnemonic phrase in my phone’s notes, as long as I don’t share it with anyone?" "Is it safe if I store it in the steel box of Alipay or an encrypted cloud?"
Objectively, security issues are rarely just a simple "will definitely be stolen" or "will definitely not be," but rather different storage methods correspond to varying risk probabilities.
Storing mnemonic phrases in regular notes, WeChat favorites, chat logs, emails, or albums carries the highest risk that the phone may become infected or remotely controlled, or that cloud accounts may be hacked, or that albums and notes may automatically sync, allowing certain apps to read clipboard or local content, and even data on old phones may not be thoroughly deleted when sold or repaired.
Of course, tools with independent passwords and encryption features can indeed be somewhat more secure than regular albums and notes, but you still need to trust the app corresponding to the phone’s system, the strength of the cloud account’s password, and any issue at any step could lead to a leak.
Therefore, for larger amounts of assets that you plan to hold long-term, it’s still advisable to handwrite the mnemonic phrase on paper or record it on a dedicated metal mnemonic board (currently, mainstream hardware wallet service providers also offer similar mnemonic steel plates, which I will talk about in the next article), and store them in two relatively safe, independent locations.
Of course, offline storage has its own risks, such as paper damage, loss during moving, or encountering fire or water damage, so a truly reasonable security plan would involve multiple backups.
We will detail the techniques for securing crypto assets, the specific use cases for hot wallets/cold wallets (hardware wallets), and their choices in the next article.
免责声明:本文章仅代表作者个人观点,不代表本平台的立场和观点。本文章仅供信息分享,不构成对任何人的任何投资建议。用户与作者之间的任何争议,与本平台无关。如网页中刊载的文章或图片涉及侵权,请提供相关的权利证明和身份证明发送邮件到support@aicoin.com,本平台相关工作人员将会进行核查。
