Security of your wallet in LOBSTR

Modified on Tue, 02 Aug 2022 at 09:48 AM

This article aims to help you understand the level of control and responsibility you have over your secret keys, and what LOBSTR can do to help you keep them secure.


Our team cares about the security of our users and is committed to delivering the best possible experiences and protection for Stellar accounts when using the web and mobile versions of LOBSTR wallet. 


The security of the wallet's private keys is one of the most important things when it comes to crypto.


Wallet keys of LOBSTR users are securely stored inside our platform in an encrypted form.


* We don’t have access to raw secret keys of our users. 


* User passwords take part in the encryption and decryption of secret keys.


* We don't store passwords in raw format. Passwords are hashed using PBKDF2 with a random salt and a sufficiently high number of iterations.

 

* Secret keys are stored server-side, encrypted with a key, part of which is a different secure hash of the password. This guarantees that we do not have access to your secret key and funds.
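The following sketch illustrates the key derivation idea in the list above: one PBKDF2 hash is stored to check the password at login, and a different PBKDF2 hash of the same password forms part of the key that encrypts the wallet secret key. It is an added example, not LOBSTR's code; the iteration count, salt sizes, field names and the HMAC step that combines the two key parts are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Assumed value for this example; the article only says "sufficiently high".
ITERATIONS = 600_000

def _pbkdf2(password, salt, iterations):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

def enroll(password, iterations=ITERATIONS):
    """Build the record a server could store. It holds neither the password
    nor the finished encryption key (field names are hypothetical)."""
    auth_salt = os.urandom(16)
    return {
        "iterations": iterations,
        "auth_salt": auth_salt,
        "auth_hash": _pbkdf2(password, auth_salt, iterations),  # login verifier
        "key_salt": os.urandom(16),     # separate salt for the "different hash"
        "server_part": os.urandom(32),  # server-held part of the encryption key
    }

def verify_password(record, password):
    """Check a login attempt against the stored verifier in constant time."""
    candidate = _pbkdf2(password, record["auth_salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["auth_hash"])

def wrapping_key(record, password):
    """Derive the 32-byte key that would encrypt the wallet secret key.
    It combines the server-held part with a password hash that is never
    stored, so the stored record alone cannot reproduce it."""
    password_part = _pbkdf2(password, record["key_salt"], record["iterations"])
    return hmac.new(record["server_part"],
                    b"wallet-key-wrap" + password_part,
                    hashlib.sha256).digest()

if __name__ == "__main__":
    rec = enroll("correct horse battery staple")  # constructed sample password
    print("login ok:", verify_password(rec, "correct horse battery staple"))
    print("wrong password:", verify_password(rec, "guess"))
    # The derived key would be passed to an authenticated cipher; that step
    # is left out here because Python's standard library does not include one.
    print("key length:", len(wrapping_key(rec, "correct horse battery staple")))
```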


 

Keeping your wallet secure


LOBSTR provides an adequate level of security for your account by default. However, we provide several options which can be enabled to further increase the level of security.


As a user, you are responsible for making sure your account has a strong password and for enabling PIN or biometric protection to keep the app secure on your device.


Your password should satisfy the following requirements:


- Unique. Do not reuse passwords; this creates major security risks. If the same password is used across multiple services, an attacker who gains access to one account can also log into every other account that uses the same password.


- Long and complex. We recommend passwords consisting of at least 10 characters, including numbers, symbols, lowercase and uppercase letters.


- Stored securely. Make sure you don't store your password in plain sight, or accessible online (like in your email inbox). 


We recommend using a password manager (like 1Password, LastPass, Dashlane, Keeper, etc.) to help you generate and remember your password.


We also recommend that most of our users enable IP Confirmation and 2FA protection.


LOBSTR has built-in protection that limits access requests to user accounts and temporarily restricts access to an account after a number of unauthorized attempts.


We also regularly update LOBSTR to bring the latest developments and security improvements to our web and mobile apps, multisig being the newest one.


 

Multisig


Multisig is probably the best way of keeping your account secure.


If you are using LOBSTR as your hot wallet, you might want to rely on the default level of protection. 


However, if LOBSTR is a primary place where you store your Stellar-based tokens, we recommend enabling multisig with a 2-of-3 wallet using LOBSTR Vault.


This configuration increases the security of your wallet (because an attacker would need to gain access to two keys instead of one), and also allows some level of fault tolerance (you might lose access to one of your keys but still have control over your funds).


 

Key storage and custody


Let's review possible scenarios describing how your public and secret keys can be stored in LOBSTR, and the level of control you have over your wallet.


Option 1: You have created a new Stellar wallet in LOBSTR and have yet to return the loan. The secret key has not been exported.


Your public and secret keys are securely stored inside our platform in an encrypted form.


You will not be able to enable advanced multisig protection or merge your account until the loan is paid off.


These restrictions are applied on a network level: until the loan is paid off, your account has an additional signer (...LOAN) owned and managed by LOBSTR. If we detect that the account has no activity and no funds apart from the interest-free loan provided by LOBSTR, we may merge your account and return the funds that were temporarily given to you during sign-up.


Immediately upon returning the loan, the additional signer (...LOAN) will be removed from your account, and you will be the only person having access to your funds.


As long as you keep your LOBSTR account credentials secure and keep your secret key unexported, your funds should be safe.


Option 2: You have created a new Stellar wallet in LOBSTR and have returned the loan. The secret key has not been exported.


Your public and secret keys are securely stored inside our platform in an encrypted form.


You have full control of your keys. You can export your key from LOBSTR using the web interface or enable a multisig solution for advanced protection.


Same as above, as long as you keep your LOBSTR account credentials secure and keep your secret key unexported, your funds should be safe.


Option 3: You have connected your existing Stellar wallet to LOBSTR using your public and secret keys


While your imported public and secret keys are securely stored inside our platform in an encrypted form, your keys were generated, and might still be stored, outside of our system.


LOBSTR is able to determine whether a transaction has been initiated from within or outside of our platform.

If your funds were stolen due to your actions outside the LOBSTR platform and trusted services, we will not be able to help.


Use caution and only share your keys with trusted services.


Make sure to report any scam activities and websites claiming to be associated with LOBSTR to our support as soon as possible.


Option 4: Connecting an existing Stellar wallet to LOBSTR using only your public key.


LOBSTR allows you to connect the public key of any Stellar account on the network to your LOBSTR account in read-only mode.


The account information is publicly available on the network for everyone to view, so LOBSTR is able to show you the balance of your wallet and send notifications when the funds are sent from or to your account.


However, please note that in this case LOBSTR has no control over your account, since a public key only gives read-only access to the information of your wallet.


Option 5: You are using a Stellar account created by LOBSTR with multisig enabled.


Multisig provides a significant additional level of protection for your Stellar account.


As in other cases, your public and secret keys are securely stored inside our platform in an encrypted form.


LOBSTR does not have access to the public and secret keys of your signer accounts. 


If you are using LOBSTR Vault, your signer key is generated and stored locally on your device and never leaves it.


As long as you keep your signer device and LOBSTR account credentials, your funds should be safe.


Option 6: You are using a Stellar account imported to LOBSTR with multisig enabled.


As in other cases, your public and secret keys are securely stored inside our platform in an encrypted form.


LOBSTR does not have access to the public and secret keys of your signer accounts.


Depending on the threshold values and key weights, the access to your funds may or may not rely on the access to the keys stored in LOBSTR.


LOBSTR is not responsible for any actions with your keys taking place outside of our system. 
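To see how threshold values and key weights decide which keys your funds depend on, the sketch below enumerates the sets of signers able to authorize a transaction. It is an added example, not LOBSTR code; the signer names and weights are constructed, and the threshold passed in is whichever Stellar threshold (low, medium or high) applies to the operation.

```python
from itertools import combinations

def authorizing_sets(weights, threshold):
    """Every minimal set of signers whose combined weight meets the threshold."""
    names = sorted(weights)
    minimal = []
    for size in range(1, len(names) + 1):        # smallest sets first
        for combo in combinations(names, size):
            if sum(weights[n] for n in combo) < threshold:
                continue
            if any(m <= set(combo) for m in minimal):
                continue                         # contains a smaller valid set
            minimal.append(set(combo))
    return minimal

def required_signers(weights, threshold):
    """Signers present in every authorizing set: losing one locks the account."""
    sets = authorizing_sets(weights, threshold)
    return set.intersection(*sets) if sets else set()

def keys_needed_to_spend(weights, threshold):
    """Fewest keys that must be held (or stolen) to authorize a transaction."""
    sets = authorizing_sets(weights, threshold)
    return min(len(s) for s in sets) if sets else None

def survives_loss_of(weights, threshold, lost):
    """True if the account can still sign after one key is lost."""
    remaining = {n: w for n, w in weights.items() if n != lost}
    return bool(authorizing_sets(remaining, threshold))

# Constructed configurations; names and weights are hypothetical.
TWO_OF_THREE = {"lobstr_key": 1, "vault_a": 1, "vault_b": 1}   # threshold 2
LOBSTR_HEAVY = {"lobstr_key": 2, "vault_a": 1, "vault_b": 1}   # threshold 3

if __name__ == "__main__":
    for label, cfg, thr in (("2-of-3", TWO_OF_THREE, 2),
                            ("weighted", LOBSTR_HEAVY, 3)):
        print(label,
              "| required:", sorted(required_signers(cfg, thr)),
              "| keys needed:", keys_needed_to_spend(cfg, thr),
              "| survives losing lobstr_key:",
              survives_loss_of(cfg, thr, "lobstr_key"))
```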


Option 7: You have requested to view and export your secret key in the LOBSTR web app.


While your public and secret keys are still securely stored inside our platform in an encrypted form, a copy of your raw secret key may now be stored on your computer or in a third-party service.


LOBSTR is able to determine whether a secret key has been exported and whether a transaction has been initiated from within or outside of our platform.


While exporting your secret key and storing a copy may give you a guarantee of being able to control your funds without relying on LOBSTR, please keep in mind that you will be responsible for storing the copy of your secret key securely, and the safety of your funds will be dependent upon your actions. 

Use caution and only share your keys with trusted services.


Make sure to report any scam activities and websites claiming to be associated with LOBSTR to our support as soon as possible.
