While private or mnemonic keys offer many advantages for security, they also present practical challenges, according to Mudit Gupta, the chief information security officer of layer-2 scaling solution Polygon.
Speaking at the Ethereum Community Conference event on July 17, Gupta discussed the differences between theoretical security and practical security in the blockchain and crypto space. Gupta told the EthCC audience in Paris that when it comes to theoretical security, the space is “running so fast.” However, the Polygon executive believes that when it comes to practical security, the space is “so far behind.”
As an example, the executive explained how mnemonic keys are very difficult to keep safe compared to passwords because they can be changed if they ever get leaked. He explained:
“A mnemonic is just a one-time thing. You have it once. And if you ever make a mistake, if it ever gets leaked, you are done. So, keeping your mnemonic or private key safe is a much much harder problem.”
According to Gupta, there are at least “a couple billion” lost as a result of people losing their mnemonic keys. The executive noted much more is at risk because of the lack of proper security. “There are billions of dollars in the wallets of users that are incorrectly secured,” Gupta said.
In addition, Gupta also noted that theoretically, private keys are 100% secure. “If nobody knows your private key, nobody can access your funds,” he said. However, the security professional recognized that there are practical problems that can come up.
“What if you die for some reason? How can your loved ones access your funds? So that’s a tough problem to solve. Then, there is the key rotation problem. What if, for whatever reason your key is compromised?” he explained.
Apart from these issues, the executive also talked about the challenges of being a defender in the security world. According to Gupta, attackers have a much easier time compared to defenders. He said:
“As a defender, you have to cover every single point. If you leave any hole, someone will get in. As an attacker, it’s easier. You just ignore the secure system. You find a way around. You just have to find one way to break in and that’s it.”
The executive stressed that this is why those who work in security have a much harder time compared to hackers and exploiters. Gupta noted that being a defender is all about covering all your bases. Despite all these challenges, the executive said, “someone has to defend.”