
Web3 Survival Guide 01 | Private Keys / Seed Phrases and Wallet Passwords: What's the Difference?

Tyler Web3
Guest columnist
2026-06-23 08:11
This article is about 3,531 words; reading the full article takes about 6 minutes.
Forgetting your wallet password does not necessarily mean losing your coins; once your seed phrase is leaked, that's the real danger.
AI Summary
  • Core Insight: This article provides a clear explanation of core Web3 security concepts: the private key is the sole credential for controlling on-chain assets, the seed phrase is a readable backup form of the private key, while the wallet password is only used to unlock the app. Users need to distinguish between exchange accounts (platform custody) and self-custodial wallets (users control the private key), and adopt security measures such as offline backups of the seed phrase.
  • Key Points:
    1. A wallet is essentially a "key box" for managing private keys. The actual assets are recorded on the blockchain. Losing or leaking the private key will lead to asset loss.
    2. Private keys and seed phrases are essentially the same. The seed phrase is composed of 12 or 24 words, making it easier for users to back up and restore their wallets.
    3. The wallet password (PIN code) is only used to unlock the app locally. If forgotten, it can be reset using the private key/seed phrase. If the private key is lost and the wallet cannot be opened, the assets cannot be recovered.
    4. Assets in centralized exchange accounts are custodied by the platform. Users manage their accounts through passwords and two-factor authentication, without an independent private key. Neither custody model is inherently safer; each corresponds to a different allocation of user responsibility and risk.
    5. The "Web3 Wallet" provided by an exchange is separate from the control of assets in the exchange account. Seed phrases need to be backed up independently, and the platform cannot recover them.
    6. The private key for a hot wallet is stored on a connected device, while the private key for a cold wallet (hardware wallet) is stored on an offline device. However, a hardware wallet does not prevent a user from actively leaking their seed phrase.
    7. Storing seed phrases in the cloud carries risks of malware, account leaks, and app data access. It is recommended to write large-value assets' seed phrases on paper or metal plates and perform multiple offline backups in independent, secure locations.

I often answer questions for friends who are new to Web3, and I've encountered all sorts of problems.

Some people ask, "Can I recover my wallet if I accidentally delete it or forget the password?" Others take a screenshot of their seed phrase and save it in their photo album, thinking it's safe as long as they don't share it with anyone. Some still struggle to understand the difference between a trading platform account and a self-downloaded wallet.

These questions may seem basic, but in truth, many people who have used wallets for years don't fully grasp them either.

So, I'm planning to start a new series called "Web3 Survival Guide," aiming to minimize jargon and focus specifically on those seemingly small but genuinely important issues, helping everyone understand and use Web3 step by step.

This article is the first installment of the "Web3 Survival Guide," starting with the most important thing: What exactly is the difference between a private key, a seed phrase, and a wallet password?

1. First, Remember This: There Are No Coins in Your Wallet

Many people think their BTC, USDT, ETH, or other tokens are "stored in the wallet."

But strictly speaking, assets are not inside the wallet app; they are recorded on the blockchain. In other words, the wallet you use, whether it's MetaMask, OKX, SafePal, TP, or imToken, is more like a set of tools to help you safeguard your keys, not a safe for storing assets:

  • The blockchain is responsible for recording how many assets a specific address holds, where those assets came from, and where they were sent.
  • The wallet is responsible for helping you keep the "key" to this address and assisting you in transferring assets into and out of this address.

For example, when you transfer funds, swap tokens, or authorize a dApp, the wallet uses the private key stored internally to sign the transaction. This proves to the blockchain that the person controlling the address indeed agrees to execute this operation.

So, a wallet app is not a safe for holding coins, but more like a box for holding keys—the real value lies in the key (the private key) inside, not the box itself.

This also explains two things that are hard for many to understand:

  • Even if the original wallet app goes out of business, is removed from the store, or you accidentally delete it, as long as you have backed up the correct private key, you can download another wallet, import the private key, and restore access. This is because the entire industry is based on the same technical standards; the import logic of different wallets is interoperable. It's like putting the same key in a different box—the lock will still open.
  • If someone else gets hold of your private key, even if your phone is still in your hand and the wallet app isn't deleted, they can still transfer your assets. This is because they can import that key into their own wallet, and the blockchain only recognizes the key, not who holds it.

2. What Exactly Is the Difference Between a Private Key, Seed Phrase, and Wallet Password?

Since the private key is so important, what exactly is a seed phrase?

In fact, the seed phrase was created primarily to make it easier for ordinary people to back up their wallets. A private key is a string of characters randomly generated by the system—long and messy. It's easy to make mistakes when manually copying, and almost impossible for the average person to memorize directly.

So, the industry adopted a universal standard to "convert" private keys into a seed phrase consisting of 12 or 24 English words.

That means a private key and a seed phrase are essentially the same key, just in a different format. To elaborate a bit: in practice, one seed phrase can derive many private keys. For easy understanding, you can think of a private key as a specific key, while a seed phrase is more like a master backup of a whole keychain (I discussed why seed phrases are generated from a fixed word list, and the basic logic behind it, in the article Starting from "Catching Shadows": The 2048 Words Deciding Trillions in Crypto Assets, which you can check out if you're interested).

Nowadays, most mainstream wallets prompt users to back up their seed phrase during creation, and rarely ask ordinary users to manually copy a long string of private keys.

However, whether it's a private key or a seed phrase, you must never tell anyone. Under normal circumstances, no one—whether wallet customer service, project party, or exchange staff—will ask you to send them your private key/seed phrase. Anyone who asks you to provide your private key for reasons like "wallet verification," "risk control lifting," "claiming an airdrop," or "helping recover assets" can basically be treated as a scam.

So, what is a wallet password?

A wallet password, like the PIN code or unlock password you set to open the app, is only used to unlock the app itself. It's similar to your phone's screen lock and has absolutely nothing to do with the private key or seed phrase.

You can remember a simple rule:

  • If you forget your wallet password, it's okay. You can re-import the private key/seed phrase and set a new password.
  • If you lose your seed phrase but can still open the original wallet, you still have a chance to back it up again or transfer assets.
  • If you lose your seed phrase and cannot open the original wallet, it might be truly unrecoverable.
  • If your seed phrase is leaked, you should immediately move your assets to a completely new wallet.
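The relationship described above, as an added example that is not part of the original article: how 12 or 24 words are produced from random entropy plus a checksum (BIP39), how the words become the seed that every compatible wallet derives its private keys from, and why the app's unlock password plays no part in that derivation. The entropy value and the four-word excerpt of the word list are constructed for the sample; a real wallet uses a CSPRNG and the full 2048-word list.

```python
import hashlib
import unicodedata
# Constructed sample: the all-zero 128-bit entropy used in the BIP39 reference
# test vectors. A real wallet draws entropy from a CSPRNG such as os.urandom.
ZERO_ENTROPY = bytes(16)
# The first four entries of the 2048-word English list, enough to decode this
# sample's indices; a real wallet ships the full list.
WORDLIST_HEAD = ["abandon", "ability", "able", "about"]


def entropy_to_indices(entropy: bytes) -> list[int]:
    """Entropy (128..256 bits) -> 12..24 word indices, as BIP39 does it.
    ENT/32 checksum bits taken from SHA-256 are appended, so a mis-copied
    word is detected instead of silently restoring a different wallet."""
    ent_bits = len(entropy) * 8
    if ent_bits not in (128, 160, 192, 224, 256):
        raise ValueError("entropy must be 128-256 bits in 32-bit steps")
    cs_bits = ent_bits // 32
    bits = int.from_bytes(entropy, "big") << cs_bits
    bits |= hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    total = ent_bits + cs_bits  # always a multiple of 11
    return [(bits >> (total - 11 * (i + 1))) & 0x7FF for i in range(total // 11)]


def indices_to_entropy(indices: list[int]) -> bytes:
    """Reverse mapping used on import; raises ValueError on a bad checksum."""
    total = len(indices) * 11
    cs_bits, ent_bits = total // 33, total - total // 33
    bits = 0
    for idx in indices:
        bits = (bits << 11) | idx
    entropy = (bits >> cs_bits).to_bytes(ent_bits // 8, "big")
    expected = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    if bits & ((1 << cs_bits) - 1) != expected:
        raise ValueError("checksum mismatch: a word is wrong or out of order")
    return entropy


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed: PBKDF2-HMAC-SHA512, 2048 rounds, salt "mnemonic"+passphrase.
    The app's unlock password is not an input here; it only guards the local
    copy. Anyone holding the words recomputes exactly this seed in any wallet."""
    words = unicodedata.normalize("NFKD", mnemonic).encode()
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode()
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048, dklen=64)


if __name__ == "__main__":
    phrase = " ".join(WORDLIST_HEAD[i] for i in entropy_to_indices(ZERO_ENTROPY))
    print(phrase, mnemonic_to_seed(phrase).hex()[:16], sep="\n")
```

The checksum in `indices_to_entropy` is what lets a wallet reject a backup with a wrong or swapped word at import time; it does not help if a correct phrase has been copied by someone else.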

3. Why Don't Trading Platform Accounts Have Seed Phrases?

Many people first encounter cryptocurrencies on trading platforms like BN, OK, or BG. This might raise a question: "I also have BTC, ETH, USDT, and USDC on the trading platform, so why wasn't I given a seed phrase?"

This is because assets held on centralized trading platforms are usually not directly managed by you via a private key/seed phrase, but are managed by the platform on your behalf.

When we log in to a trading platform, we typically use a phone number/email + login password, along with 2FA tools like SMS verification codes or Google Authenticator. The balance you see in your account is primarily a record kept by the platform in its internal system, rather than assets on a fully independent on-chain address under your direct control.

The advantage of this method is simplicity—even if we forget our password, we can contact customer service, complete facial recognition or identity verification, and recover the account. However, the trade-off is that we need to trust the platform to securely manage the assets and properly handle everyone's deposits and withdrawals.

Wallets are different. You hold the private key yourself, and control over the assets primarily rests with you. You can transfer funds to anyone at any time without needing approval from a trading platform, but at the same time, you are responsible for safeguarding the seed phrase, identifying phishing websites, and avoiding operational errors.

So, I always tell people that trading platforms and personal wallets are not about which one is inherently safer, but rather two different ways of allocating responsibility. Using a trading platform means entrusting some security and custody responsibilities to the platform. Using a wallet means taking both asset control and the corresponding responsibilities into your own hands.

Which one you choose depends on your asset size, usage frequency, and risk management capabilities.

However, there's a point of confusion today. Mainstream trading platforms usually offer both a "trading platform account" and a "Web3 wallet." For instance, in the same BN or OK app, you can log into your trading account and also create a self-custodial wallet that requires backing up a seed phrase.

Although the entry points are together, they are not the same account, and the method of asset control is completely different. The judgment is simple: if the wallet requires you to independently back up the seed phrase and clearly states that the platform cannot recover it for you, then it is a self-custodial wallet.

4. The Difference Between Hot and Cold Wallets Also Lies in the Private Key

Once you understand private keys/seed phrases, distinguishing between hot and cold wallets becomes easy:

  • Hot Wallet: The private key is stored on a device connected to the internet, and signing is done via phone or computer. Wallet apps provided by brands like MetaMask, OKX, SafePal, TP, etc., are typically hot wallets.
  • Cold Wallet: The hardware wallets we often hear about, such as devices from Ledger, Trezor, or OneKey, are a common implementation of cold wallets. The private key is generated and stored on a dedicated offline hardware device, and when signing, the private key never leaves that device.

Of course, most projects making hardware wallets also have compatible software apps, like SafePal and OneKey.

It's important to note that a cold wallet doesn't mean the entire setup never touches the internet. More accurately, the private key itself never leaves the hardware device and is never directly exposed to the internet-connected phone or computer. The actual process is roughly:

  • The phone or computer generates a transaction waiting to be signed.
  • The hardware wallet signs the transaction within its internal secure chip.
  • The hardware wallet sends the signed result back to the phone or computer.
  • The phone or computer then broadcasts the transaction to the blockchain.

Throughout this process, the private key remains securely stored inside the hardware device's secure chip.

However, a cold wallet, or hardware wallet, does not equal absolute security. If you take a photo of your hardware wallet's seed phrase and upload it, enter it into a phishing website, or mistakenly authorize a malicious contract, the security of the hardware device itself is meaningless.

Ultimately, a hardware wallet protects the storage and signing environment of the private key, but it cannot protect against users actively leaking their seed phrase.

We'll delve into the specifics of choosing between hot wallets and cold wallets/hardware wallets in the next article.

5. Can Seed Phrases Really Not Be Stored in the Cloud?

Some friends also repeatedly ask me: "Can't I just save my seed phrase in my phone's memo and not share it with anyone?" or "Is it safe to store it in Alipay's secure vault or an encrypted cloud drive?"

Objectively speaking, security issues are rarely a simple case of "will definitely be stolen" or "definitely won't be stolen." Different storage methods correspond to different risk probabilities.

Storing your seed phrase in a regular memo, WeChat favorites, chat history, email, or photo album carries significant risks. Your phone could be infected with malware or remotely controlled. Your cloud account could be hacked. Your photos and memos might auto-sync. Some apps might read your clipboard or local content. Even selling or repairing your old phone could leave data incompletely erased.

Of course, tools with independent passwords and encryption features are likely safer than a regular photo album or memo. However, you still need to trust the phone system, the corresponding app, the cloud account, and the password strength. A failure in any single link could lead to a leak.

Therefore, for significant amounts of assets intended for long-term holding, it is still recommended to write down the seed phrase on paper or record it on a dedicated metal seed phrase plate (most major hardware wallet providers also offer similar metal seed phrase plates, which will be discussed in the next article). Store these in two relatively safe and independent locations.

Of course, offline storage has its own risks, such as paper damage, loss during a move, or damage from fire or water. So, a truly reasonable security plan involves multiple backups.

We'll cover more about the techniques for safeguarding crypto assets, the specific use cases and choices between hot wallets and cold wallets (hardware wallets), in the next article.
