UPDATE: There are a growing number of phishing attempts posing either as new wallets or seed generators. These are found both as websites and apps and will typically appear at the top of search results as paid placements. Never use these. Even if an app is in the App Store or Play Store, that doesn’t mean it is a genuine Iota app. Never use an app or website for generating a Seed. Currently the only approved wallet can be downloaded from here: https://github.com/iotaledger/wallet/releases If you’re still not sure, ask in the General or Help channels of the official Iota Discord (https://discordapp.com/invite/fNGZXvh) or the official Iota Stack Exchange (https://iota.stackexchange.com/).

Iota is an evolutionary advancement in distributed ledger technology that is capable of revolutionary changes in industrial sectors as diverse as finance, healthcare, automotive and logistics. Many new investors are realising the potential and Iota is growing in popularity. It is however very important people understand the personal responsibility they take on when investing in Iota, which also applies to all other decentralised systems. This piece is intended to cover the security of Iota and how the reader can confidently purchase and store the Iota Token.

If you want to learn more about the Iota Tangle, you can start here (https://iota.readme.io/docs). If you want to know how to buy Iota, you can find an up to date list of exchanges and trading pairs here (https://coinmarketcap.com/currencies/iota/#markets) and keep an eye out for my next post covering how to buy Iota Tokens in detail.

Wallet vs Exchange

You’ve purchased Iota, it’s sitting in the exchange wallet and you’re wondering why people suggest moving it to your own wallet. To get into the exchange you have to enter a username, password, a Captcha test and you’ve probably enabled two factor authentication (2FA), so what’s the concern? When your Iota is on an exchange wallet, it is similar to having money stored in a bank account. You don’t know where the vault is or how to open it and you trust the exchange with your holdings. You’re relying on the exchange to ensure your holdings are stored securely. Exchanges however have experienced security breaches in the past resulting in funds being stolen. Enjoying the benefits of a decentralised system means one is fully responsible for their own property and therefore should personally manage the security of their funds. You do this by transferring your holdings to your own security vault that only you can access. This is to say for Iota, you create your own seed. The Iota wallet is your window into the seed.

The Iota Seed

The seed is your username, your password and your security vault all in one. You must keep it secret! The exchange you bought your Iotas on has its own seed and internally manages who owns what through their accounts. Iota tokens, like other cryptocurrencies, aren’t physical things that can be stored. What actually happens is that your seed proves ownership of the tokens through the transaction history on the distributed ledger. Maybe that’s too much jargon, but the key takeaway is that the seed itself is the most important security measure for Iota. You should create your own seed, make it random and share it with nobody.

Let’s talk about the security of the seed. The seed is 81 characters long and each character can be a capital letter (A to Z) or the number 9, so each of the 81 characters has 27 options.

If the seed was 1 character long, there are 27 possibilities.

If the seed was 2 characters long, there are 27x27 or 27² or 729 possibilities.

If it’s 3 characters long, there are 27³ or 19,683 possibilities.

Now consider the actual seed with 27⁸¹ possibilities, that’s

87189642485961000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

different possible seeds, a number greater than the number of atoms in the observable universe. By comparison, if you have a bank account with a 10-character username and a 10-character password, both of which can be any letter or number (36 options per character), the total number of possible combinations is 13367494538843700000000000000000.
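As an added example (not code from the post or from the Iota project), the following Python checks a seed against the 27-symbol, 81-character format described above, works out the seed space and the bank-login comparison with exact integers, and flags hand-typed seeds that are obviously not random, which ties back to the advice to make the seed random. The thresholds in weak_seed_reasons and the offline generator based on the standard library's secrets module are my own assumptions, not anything the post specifies.

```python
import itertools
import math
import re
import secrets
import string

# Seed alphabet from the post: capital letters A-Z plus the digit 9 (27 symbols), 81 characters.
SEED_ALPHABET = string.ascii_uppercase + "9"
SEED_LENGTH = 81
SEED_RE = re.compile(r"[A-Z9]{81}")

def is_valid_seed(seed: str) -> bool:
    """True only for exactly 81 characters drawn from A-Z and 9."""
    return SEED_RE.fullmatch(seed) is not None

def keyspace(alphabet_size: int, length: int) -> int:
    """Exact count of strings of this length over the alphabet (integer, no float rounding)."""
    return alphabet_size ** length

def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy when every character is chosen uniformly at random."""
    return length * math.log2(alphabet_size)

def seed_keyspace() -> int:
    return keyspace(len(SEED_ALPHABET), SEED_LENGTH)  # 27**81, the post's big number

def bank_login_keyspace() -> int:
    # The post's comparison: 10-char username + 10-char password, 36 options per character.
    return keyspace(36, 10 + 10)

def seeds_per_bank_login() -> int:
    """How many seeds exist for every single username+password combination."""
    return seed_keyspace() // bank_login_keyspace()

def weak_seed_reasons(seed: str) -> list:
    """Heuristic warnings for a hand-typed seed; an empty list means no obvious weakness."""
    reasons = []
    if not is_valid_seed(seed):
        reasons.append("not 81 characters from A-Z and 9")
    distinct = len(set(seed))
    if distinct < 15:  # assumed threshold: a uniformly random seed uses about 25 of the 27 symbols
        reasons.append("only %d distinct symbols" % distinct)
    longest_run = max((sum(1 for _ in g) for _, g in itertools.groupby(seed)), default=0)
    if longest_run >= 6:  # assumed threshold: long runs are very unlikely in a random seed
        reasons.append("a run of %d identical characters" % longest_run)
    return reasons

def generate_seed() -> str:
    """Offline generation with the OS CSPRNG (secrets); no website or third-party app involved."""
    return "".join(secrets.choice(SEED_ALPHABET) for _ in range(SEED_LENGTH))
```

Running entropy_bits(27, 81) gives roughly 385 bits, which is why brute-forcing a properly random seed is not a realistic threat and the real risk is the seed being leaked or generated by something you do not control.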

The wallet is deterministic, what does that mean?

Now that you have your seed, you can access your tokens with a wallet. You’ll first open a wallet, generate an address and send your tokens from the exchange to that address. After confirmation you can see them in your wallet. So if you log out or lose your device, have you lost your tokens? The answer is no. The wallet is deterministic, which simply means it is a window into the Iota ledger that shows the ownership of a seed. The seed itself, which you use to log into the wallet, is where the tokens are attributed. This means you can access your holdings on any device anywhere in the world through any Iota wallet if you have the seed. It also means anyone else can if they have your seed. One wallet can also be used for any seed by logging out and back in with a new one.

So what about email recovery and 2FA?

In a decentralised system you take on more responsibility. Your seed is not stored on a central database, therefore it is not recoverable because only you and no one else should know it. Regarding 2FA, knowing that the wallet is deterministic, you cannot add security through 2FA if your seed is compromised. Therefore the seed is the most important secret for your Iota security. I can’t stress this enough.

Why will the new wallet have 2FA?

If you’re privy to the soon to be released Trinity wallet, you may have heard that it will come with the option for 2FA, but haven’t we just learnt that 2FA doesn’t improve security if someone else has your seed? This is still true; what you need to understand is the purpose 2FA will serve in the Trinity wallet. Entering an 81 character seed to access the wallet every time isn’t very user friendly. The Trinity wallet will allow you to store your seed in the device keychain and use 2FA to decrypt it for the wallet. This way you don’t need to enter the seed every time. If the device keychain is compromised, your seed could be stolen. This has happened before (http://bgr.com/2017/09/26/macos-high-sierra-keychain-password-hack/), therefore if you don’t need the convenience, it is better not to store your seed in the keychain and be prepared to enter it every time you log in.

How should I store my seed?

There is no one right answer here, but there are certainly some best practices. Firstly, avoid leaving it in your email, on cloud storage or in any other central database. Store it in multiple locations and in different formats. Personally I store my seed on two separate encrypted USB sticks and I have a paper copy hidden away. Just make sure your USB sticks or paper copies are kept safe from fire and flood risks.

Why can’t I send twice from the same address?

The explanation for this is very technical. In short, this is part of the mechanism by which the Iota network is made resilient to attacks from quantum computers. It is a future-proofing security mechanism that means one cannot safely send from the same address twice. For some time now the wallet has prevented the user from doing this. You have to generate a new address before you send Iotas if you have already sent from the current address. Note that you can receive into an address an unlimited number of times though. Also understand that only one Seed is required and you can generate as many addresses as you like attached to one seed.

Recent hack and stolen Iota

In January a number of people had their Iotas stolen. The cause was that they had generated their seed through an online generator. The generator was either a scam or was hacked, and the seeds were being saved. After a number of months of acquiring seeds, the hackers logged in with these seeds and transferred the Iota tokens to their own addresses. Never use online seed generators. Come up with your own passwords. Remember that the seed and the system are secure if you generate and store the seed securely. It is your username, password and security vault in one.

I hope you found this useful and feel confident to step into the world of distributed ledger technology.