While private or mnemonic keys offer many advantages for security, they also present practical challenges, according to Mudit Gupta, the chief information security officer of layer-2 scaling solution Polygon.
Speaking at the Ethereum Community Conference (EthCC) event on July 17, Gupta discussed the differences between theoretical security and practical security in the blockchain and crypto space. Gupta told the EthCC audience in Paris that when it comes to theoretical security, the space is “running so fast.” However, the Polygon executive believes that when it comes to practical security, the space is “so far behind.”
For example, the executive explained how private keys are more difficult to keep safe than passwords because they can be changed if they get leaked. He explained:
“A mnemonic is just a one-time thing. You have it once. And if you ever make a mistake, if it ever gets leaked, you are done. So, keeping your mnemonic or private key safe is a much, much harder problem.”
According to Gupta, there are at least a couple of billion dollars lost due to people losing their mnemonic keys. The executive noted much more is at risk because of the lack of proper security. “There are billions of dollars in the wallets of users that are incorrectly secured,” Gupta said.
In addition, Gupta noted that private keys are theoretically 100% secure. “If nobody knows your private key, nobody can access your funds,” he said. However, the security professional recognized that there are practical problems that can come up.
“What if you die for some reason? How can your loved ones access your funds? So that’s a tough problem to solve. Then, there is the key rotation problem. What if, for whatever reason, your key is compromised?” he explained.
Apart from these issues, the executive also talked about the challenges of being a defender in the security world. According to Gupta, attackers have a much easier time than defenders. He said:
“As a defender, you have to cover every single point. If you leave any hole, someone will get in. As an attacker, it’s easier. You just ignore the secure system. You find a way around. You just have to find one way to break in, and that’s it.”
The executive stressed that this is why those who work in security have a much harder time compared to hackers and exploiters. Gupta noted that being a defender is all about covering all your bases. Despite all these challenges, the executive said, “Someone has to defend.”