Why I Am Not Using Hardware Wallet For Cold Storage

Despite all the marketing about how secure and reliable are hardware wallets, I am not using any and very likely will not be using any indefinitely.

Why?

First, I desire to be in control of my private keys. I believe I own only what I can get hold of, directly. And getting hold of my private keys directly is NOT the same as getting hold of the recovery seeds/mnemonic passphrases that recover/restore the private keys. It is like getting hold of your physical gold vs getting hold of the paper claim to your physical gold stored elsewhere inaccessible to you. And if I can safely secure my recovery seeds/mnemonic passphrases well enough from being destroyed by fire or flood, or eaten by a dog, or stolen by thieves, then I can also do the same with my private keys directly. So why not I spend my dedicated effort on securing my private keys directly instead of the "paper claim" to it? And just because anyone is using any hardware wallet doesn't mean he/she is free of any responsibility to secure anything (in this case, the recovery seeds/mnemonic passphrases). And if I can secure my recovery seeds/mnemonic passphrases, I will be far better off securing the private keys instead.

Second, different hardware wallets, or any type of wallets, be it hardware, desktop, mobile, or online, have different approach to encryption. If I am using a wallet that uses a type of encryption that no other wallet uses, then I am literally stuck with this wallet for my cryptocurrency use. This is an issue of compatibility. If I control the recovery seeds/mnemonic passphrases, then my cryptocurrency funds is dependent on a particular wallet. But if I control the private keys directly, then I am independent of any particular wallet. And if I rely on any particular wallet, I would have to transfer my cryptocurrency to another different wallet if I want to spread the risk. And yes, there is a huge risk involved when I make myself dependent on any particular wallet for encryption, because if the wallet that I am using suddenly screws up (along with its company and team of developers), then my encrypted private keys may never ever be decrypted again. All the cryptocurrency I have stored with the private keys would be as good as totally gone. So instead of relying on any 3rd-party to encrypt my private keys, why not I take responsibility in encrypting them myself? And when I want to decrypt them, I can do that anytime, anywhere, and with any computer I want.

Third, replacement cost is very high with hardware wallet. While it may cost less than USD100 per hardware wallet, such price tag may not be accessible to people from less developed countries where the USD100 price tag can be multiple times over in local currency, making owning a hardware wallet an exclusive stuff. And if the hardware wallet breaks, gets destroyed, stolen, or lost, I will probably need to buy another one of the same, because of the issue of wallet compatibility and the fact that I only have the recovery seeds/mnemonic passphrases instead of the private keys. Yes, some hardware wallet is compatible with another but I expect full 100% compatibility with every different wallet, not just a few. However, if I am in control of my private keys and encrypt them myself, my replacement cost would be just a tiny fraction of any hardware wallet's replacement cost. It would be so cheap I wouldn't care if my backup gets destroyed, stolen, or lost because I would have plenty of them strongly encrypted and stored in multiple locations easily accessible to me. I can backup my encrypted private keys with multiple inexpensive copies of CDs/DVDs. I can email myself my strongly encrypted private keys (so even if my email gets hacked, no hacker can crack my private keys unless they have some super hyper ultra quantum computer that can hack into any strongly encrypted private keys within minutes/seconds/hours).

Fourth, to rely on any 3rd-party wallet to secure and/or cold storage my cryptocurrencies is itself a big security hole. And I am not the only one saying this. I am expecting the wallet to work as expected, until it doesn't. And then panic sinks in. No wallet is perfect. They all have their own bugs, glitches, backdoors, differing BIP support, etc that either allows them to be hacked or they screws up on their own, or both. I am not going to put myself into such potential future problem, especially if I treasure my hard-earned cryptocurrencies.

Fifth, I am not a fan nor a believer of some apocalyptic event to be caused by some major EMP attacks, either from some man-made terrorist attacks or from a natural cause like solar spot, solar flare, or solar storm. But I am very sure just in case such thing happen by accident or without my knowledge of it coming my way, any data contained in any hardware wallet will be goner. But the same cannot be said if I have my encrypted private keys backup-ed in optical equipment like CDs/DVDs. By backing up my private keys in such medium, I am literally "hard-coding" my private keys' data into a physical form and thus resistant to any EMP-based attack/accident/calamity.

-Update (August 2nd, 2017)-
Sixth, direct control of your private keys allows you to enjoy any free cryptocurrency due to hard fork. Many users keep their cryptocurrencies at the exchanges or 3rd-party wallets (like Localbitcoins.com, etc) and so they do not enjoy any free "giveaway" that they are entitled to. Instead, it is the 3rd-party wallet providers that enjoy such giveaway that by right is yours. Rather than argue with them on their policy, you are far better off just saving everything (or almost everything) in private keys that you directly control.

So how exactly am I protecting my cryptocurrencies independent of any hardware wallet?
Easy. I just generate a bunch of private keys from an offline, formatted computer. And then I encrypt these private keys with proven software like WinRar with strong password (exceeding 20 alphanumerics + symbols that I personally can relate to and remember without anyone knowing, not even my family members) into a .rar file. Lastly, I backup the encrypted .rar file into multiple copies of high-quality CDs/DVDs as well as email myself a copy of it. A strongly encrypted .rar file is proven to be very very secure against any brute force attempt so even if any of my backups fall into the hand of some hacker, I am not worried. And I believe remembering a 20+ alphanumerics + symbols that I can personally relate to is always far easier than making up a story to remember a 12-word recovery seed. Or else try remembering these two sets of password/recovery seeds within 1 minute and see which one is far more memorable for days to come:

1. I@mD0rkY_ah.ha.ha.haaa.$$$ (26 alphanumerics + symbols, a password strength check at howsecureismypassword.net says it takes 3 decillion years to crack)
2. seed rain tower fallen horse apple ghost machine sleep balance travel salary (12-word "recovery seed" as example, not usable)

Remember that such personal encryption method is only for cold storage, which I sincerely believe is superior to any hardware wallet and paper wallet combined.

Arguments made by hardware wallet companies in favor of using their hardware wallet:

1. "I can securely use the hardware wallet even in severely infested computer." In reality, no way. Even if I am using the world's most secure wallet ever, doesn't mean I can let down my defense and start tolerating any infested computer. Even when I have to deal with a merchant, I expect his computer to be secure and clean, not infested.
2. "I can easily lose my paper wallet backup due to clumsiness or forgetfulness." In reality, no way. If I am clumsy and forgetful with my paper wallet backup, I will be equally as clumsy and forgetful with my recovery seeds/mnemonic passphrases too. But then, if I am not clumsy and forgetful, I might as well go for the paper wallet instead. But no, this is no paper wallet. This is a digital-based, strongly-encrypted, private key .rar file that is hard-coded into multiple, unrestricted number of optical backups, which is far better than any paper wallet and hardware wallet, for cold storage.

But someday when I eventually get richer, I would want to spend my cold storage. So how will I do it? Because I control my private keys, I can distribute my cryptocurrencies equally to multiple private keys. Say if I have 100 bitcoin, I will just generate 20 private keys offline and distribute 5 bitcoin to each of the private keys. And when I want to spend them in the future, I will just use an offline computer to decrypt and transfer one of the private keys into any wallet I like/trust, including but not necessarily hardware wallet, for spending. But such wallet use is strictly only for spending, not cold storage.

In conclusion, a DIY strongly-encrypted private keys with multiple inexpensive backups gives:

• maximum security (free of 3rd-party trust)
• maximum control (direct control of private keys)
• maximum independence (private keys 100% portable with zero reliance to any particular wallet/brand)
• maximum trustless (that's the main idea of having a blockchain after all so why am I not living it with my private keys?)

Now, can you see how and why such a DIY strongly-encrypted private keys with multiple inexpensive backups is superior to both paper wallet and hardware wallet for cold storage? It's very easy and very cheap too!

Additional notes:

1. Generate a number of new addresses + private keys offline and do double encryption (or even triple) on the private keys whereby you will only have easy reference to the addresses but not the private keys (except you need to decrypt them if you want to).
2. Send a portion of your crypto funds to each of the addresses equally, for example if you have 100 BTC and you generated 20 new addresses, you send 5 BTC to each of the addresses. Make sure an address has only 1 type of cryptocurrency/erc20 token, which means if you have boatload of different cryptocurrencies and erc20 tokens, you will need to generate a boatload of new offline addresses.
3. And in case you received any phishing email or message saying your addresses/accounts may be hacked and you may have lost a lot of cryptocurrencies and/or erc20 tokens and you may need to hurry up by visiting certain phishing link to check if your addresses/accounts are okay, all you need to do to make sure if everything is really okay is just confirm this at the blockchain with your addresses. Because you are making it inconvenient even for yourself to access your private keys, it may very likely that your addresses/accounts are safe AND you avoid the mistake of accidentally giving away your private keys.

Upvote this article if you find it deserving. And thank you for reading. Hope the info helps.