If you forget your spending password, can you just delete your wallet from Daedalus and recreate it with a new password, as long as you have your recovery phrase?

This was answered by Andrew Westberg on Telegram:

The mnemonic keywords are used to derive your root private key. From this key, all other receive addresses are derived. This is some brilliant crypto magic in that no matter how many different addresses you use, the whole chain of all ADA you control can be rebuilt from this one recovery phrase.

The spending password is used to encrypt this root key while at rest on your machine. If you use a hardware wallet, the root key never leaves the Ledger/Trezor device, so you only need your hardware PIN to protect it. If you use a regular mnemonic phrase, the spending password is there to protect it in case someone gains access to your machine through malware or physical means. Pick a strong spending password, but also one you won't forget. You could also store it in a password management system like LastPass or 1Password.

If you ever forget your mnemonics, but still know your spending password, it's important to create a new wallet where you DO know your mnemonics and move everything to that new one. You basically got lucky if you're in this situation as you've forgotten your root key, but lucky enough that it still lives on in the files encrypted by your spending password.

If you want extra security, you can get a YubiKey to use 2-factor authentication with LastPass/1Password.

The best security would be to get a YubiKey and a Ledger device, where you store your Ledger mnemonics and PIN in the password manager, protected by your manager password and your YubiKey 2FA.

This is how I'll eventually be holding the pool's pledges, but we're waiting on some additional hardware wallet support before it will all work.

* Another thing to note... systems like LastPass and 1Password never store the keys used to encrypt all the other secure notes and passwords they contain. Your master password there is what secures them, so it's important to pick a good and memorable one. YubiKey 2FA is important in case someone would happen to get your master password for the management system by using keylogger malware or physical means. This way, an attacker needs both something you know (master password) and something you have (YubiKey) in order to gain access.

You can also choose a backup 2FA system in case your YubiKey gets broken or stolen. You can either get a second YubiKey for this, or you can use a phone app like Google Authenticator as a backup 2FA for the password manager.
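The answer above rests on two separate secrets doing two separate jobs: the recovery phrase deterministically yields the root key (and from it every receive address), while the spending password only protects the stored copy of that root key. The following is an added, self-contained model of that split, written for this page and not taken from Daedalus, Cardano or any wallet's code. The mnemonic-to-root-key step is a BIP39-style PBKDF2 stretch, the "address" derivation is an HMAC stand-in, and the at-rest wrapping is a toy encrypt-then-MAC built from PBKDF2 and HMAC; all three are illustrative assumptions rather than the real wallet's formats, and the sample phrase is a constructed, publicly known test phrase.

```python
"""Model of recovery-phrase vs. spending-password roles (added example).
Nothing here reproduces Daedalus/Cardano key derivation or file formats;
the constructions are labelled stand-ins chosen to run with the stdlib only.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample phrase (the well-known all-"abandon" BIP39 test phrase):
# never use it for real funds.
SAMPLE_MNEMONIC = ("abandon " * 11 + "about").strip()


def root_key_from_mnemonic(mnemonic: str, passphrase: str = "") -> bytes:
    """Stretch the words into a 64-byte root secret.

    BIP39-style PBKDF2-HMAC-SHA512 step (assumption: the real wallet's
    derivation differs in detail). Same words in -> same root key out, which is
    why a wallet can always be rebuilt from the phrase alone.
    """
    words = " ".join(mnemonic.split()).encode("utf-8")
    salt = b"mnemonic" + passphrase.encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048, dklen=64)


def receive_address(root_key: bytes, index: int) -> str:
    """Illustrative deterministic child: the index-th receive 'address'.

    HMAC over the index stands in for a real hierarchical derivation; the point
    is that every address is a pure function of the root key.
    """
    digest = hmac.new(root_key, index.to_bytes(4, "big"), "sha256").digest()
    return "addr_" + digest.hex()[:20]


def _wrap_keys(spending_password: str, salt: bytes) -> bytes:
    """Stretch the spending password into 64 bytes: 32 for encryption, 32 for
    the MAC. A memory-hard KDF (scrypt/Argon2) is preferable; PBKDF2 is used so
    the example runs everywhere."""
    return hashlib.pbkdf2_hmac("sha256", spending_password.encode("utf-8"),
                               salt, 200_000, dklen=64)


def encrypt_root_key(root_key: bytes, spending_password: str) -> dict:
    """Protect the root key at rest under the spending password.

    Toy encrypt-then-MAC: HMAC-SHA512(enc_key, nonce) as a one-block keystream
    XORed over the 64-byte root key, then HMAC-SHA256 tag over nonce||ct.
    Stand-in for a real AEAD; not the wallet's on-disk format.
    """
    assert len(root_key) == 64
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    km = _wrap_keys(spending_password, salt)
    enc_key, mac_key = km[:32], km[32:]
    stream = hmac.new(enc_key, nonce, "sha512").digest()
    ct = bytes(a ^ b for a, b in zip(root_key, stream))
    tag = hmac.new(mac_key, nonce + ct, "sha256").digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}


def decrypt_root_key(blob: dict, spending_password: str) -> Optional[bytes]:
    """Unwrap the stored root key; returns None on a wrong password or a
    tampered file (the tag check runs before any decryption)."""
    km = _wrap_keys(spending_password, blob["salt"])
    enc_key, mac_key = km[:32], km[32:]
    expected = hmac.new(mac_key, blob["nonce"] + blob["ct"], "sha256").digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    stream = hmac.new(enc_key, blob["nonce"], "sha512").digest()
    return bytes(a ^ b for a, b in zip(blob["ct"], stream))


def recover_after_forgotten_password(mnemonic: str, new_password: str) -> tuple:
    """The situation in the question: the old at-rest file is unreadable without
    the old spending password, so re-derive the root key from the phrase and
    wrap it under a new password. Addresses and funds are unchanged."""
    root = root_key_from_mnemonic(mnemonic)
    return root, encrypt_root_key(root, new_password)


if __name__ == "__main__":
    root = root_key_from_mnemonic(SAMPLE_MNEMONIC)
    old_blob = encrypt_root_key(root, "old spending password")
    print("wrong password unwraps to:", decrypt_root_key(old_blob, "guess"))
    root_again, new_blob = recover_after_forgotten_password(SAMPLE_MNEMONIC, "new password")
    print("same root after recovery:", root_again == root)
    print("first address:", receive_address(root_again, 0))
```

Running it shows the two failure modes the answer describes from the other side: without the spending password the stored blob yields nothing, yet the phrase alone regenerates the identical root key and therefore the identical addresses, which is exactly why deleting and recreating the wallet with a new password is safe when the phrase is known, and why the reverse case (phrase lost, password known) should be treated as a one-time chance to move funds to a wallet whose phrase you do have.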

FOOTNOTES:

This page published on 27 December 2020

Short URL to this page:

https://cutt.ly/dh7hPg4

Revision #11
Created Sun, Dec 27, 2020 4:21 PM by Clive Hyman
Updated Sun, Dec 27, 2020 4:55 PM by Jorge Pascoal