Topics and issues relating to the Daedalus wallet


Topics and issues pertaining to the security and best practices for the use of the Daedalus wallet


Why does my anti-virus issue an alert about a phishing or trojan web site when I open Daedalus wallet

During the post-launch of the Shelley network on Cardano Mainnet the Daedalus wallet is activating security alerts in several anti-virus applications. These alerts are warnings to block the traffic to websites that have been reported in the past to have phishing and trojans installed on them. Alerts come in various warning such "website blocked due to Phishing" or "website blocked due to Trojan".

Below is an example of such an alert:


Stake Pool Operators know of this issue and it is dealt with minor concern. Indeed, suggestions are made to check the IP / Domain on virustotal.com and report as a false positive if necessary.

According to Andrew Westburg of BCSH stake pools "the current version of Daedalus is contacting a TON of urls all over the world to download pool metadata. This will be the case until they (IOHK) switch over to the SMASH server for pool metadata. The behavior of hitting a ton of random websites very much looks like malicious behavior to malwarebytes even though in this case... legit".

NOTE: This is the course of Daedalus during the month of August 2020. If you come over to this message much later than August 2020 then SMASH should be in effect by then. If this issue arises after SMASH is implemented the alert will need more serious consideration by the user/owner of the Daedalus client.



If you forget your spending password can you just delete your wallet from Daedalus and recreate it with a new password as long as you have your recovery phrase?

This was answered by Andrew Westberg on Telegram:

The mnemonic keywords are used to derive your root private key. From this key, all other receive addresses are derived. This is some brilliant crypto magic in that no matter how many different addresses you use, the whole chain of all ADA you control can be rebuilt from this one recovery phrase.

The spending password is used to encrypt this root key while at rest on your machine. If you use a hardware wallet, the root key never leaves the Ledger/Trezor device so you only need your hardware pin to protect it. If you use a regular mnemonic phrase, the spending password is there to protect it in case someone gains access to your machine through malware or physical means. Pick a strong spending password, but also one you won't forget. You could also store it in a password management system like Lastpass or Onepassword.

If you ever forget your mnemonics, but still know your spending password, it's important to create a new wallet where you DO know your mnemonics and move everything to that new one. You basically got lucky if you're in this situation as you've forgotten your root key, but lucky enough that it still lives on in the files encrypted by your spending password.

If you want extra security, you can get a YubiKey to use 2-factor authentication with Lastpass/Onepassword.

The best security would be to get YubiKey and a Ledger device where you store your ledger mnemonics and pin in the password manager protected by your manager password and your YubiKey 2FA.

This is how I'll be eventually holding the pool's pledges, but we're waiting on some additional hardware wallet support before it will all work.


* Another thing to note... systems like LastPass and 1Password never store the keys used to encrypt all the other secure notes and passwords they contain. Your master password there is what secures them so it's important to pick a good and memorable one. Yubikey 2FA is important in case someone would happen to get your master password for the management system by using a keylogger malware or physical means. This way, an attacker needs both something you know (master password), and something you have (YubiKey) in order to gain access.

You can also choose a backup 2FA system in case your YubiKey gets broken or stolen. You can either get a second YubiKey for this, or you can use a phone app like Google Authenticator as a backup 2FA for the password manager.




This page published on 27 December 2020

Short URL to this page: