Security of your wallet on LOBSTR

Modified on Fri, 08 Dec 2023 at 01:28 PM

The LOBSTR team cares about the security of our users and is committed to delivering the best possible experiences and protection for Stellar accounts when using the web and mobile versions of the LOBSTR wallet. The security of the wallet's private keys is one of the most important things when it comes to crypto.

Secret key and Recovery phrase encryption

Your Stellar Secret key and Recovery phrase are encrypted client-side and never sent unencrypted to our server. We encrypt your Secret key and Recovery phrase using keys derived from your password via script and a per-key salt. This makes cracking your password computationally difficult, even in the case of a data breach.

No one else (including us) has the ability to administer your account and funds on your behalf. Also, we’re unable to check the correctness of your Security information such as Recovery Phrase, Secret Key, Password on our end.

Your Secret key and Recovery phrase are encrypted using tweetnacl.secretbox (xsalsa20-poly1305) to avoid timing channel attacks and guarantee that if your seed decrypts properly, it has not been tampered with. The encrypted Stellar Secret key and Recovery phrase may only be downloaded with proper user authentication, so you must have entered the correct password and 2FA code (if you enabled it) to even have the opportunity to decrypt your Secret key and Recovery phrase.

We don’t store passwords in raw format on our end. The passwords are using PBKDF2 with random salt and sufficiently high number of iterations.


We built LOBSTR Vault for those looking for additional security.

Vault further protects the wallets by using the Stellar network multisig. With Vault every transaction needs to be authorized and signed with additional keys. Vault keys are stored on the device only and not backed up anywhere. Vault is open-source, so anyone can verify how this solution works.

Learn more:

Multisig and LOBSTR Vault

Keeping your wallet secure

LOBSTR provides an adequate level of security for your account by default. However, we provide several options which can be enabled to further increase the level of security.

As a user, you are responsible for making sure your account has a strong password and enabling PIN or biometric protection to keep your app on-device secure.

Your password should satisfy the following requirements:

— Unique. Do not reuse passwords, this creates major security risks. If the same password is used across multiple services, an attacker who gains access to one account, can also log into every other account that uses the same password.

— Long and complex. We recommend passwords consisting of at least 10 symbols, including numbers, symbols, lowercase and uppercase letters.

— Stored securely. Make sure you don't store your password in plain sight, or accessible online (like in your email inbox).

The IP address confirmation is an extra security layer that protects LOBSTR accounts by requiring email confirmation when logging in from new IP addresses. The IP confirmation is enabled for all LOBSTR users by default and cannot be disabled.

We also recommend enabling the 2FA protection to increase the protection of your wallet.

LOBSTR has a built-in protection to limit access requests to users accounts and temporarily restricts access to accounts after a number of unauthorized attempts.

Learn more:

Switching to on-device key storage: Migration process overview

How to restore my secret key?

Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select atleast one of the reasons
CAPTCHA verification is required.

Feedback sent

We appreciate your effort and will try to fix the article