
Web3 Survival Guide 01 | Private Key/Seed Phrase vs. Wallet Password: What's the Real Difference?

Tyler Web3
Guest Columnist
2026-06-23 08:11
Forgetting your wallet password doesn't necessarily mean losing your crypto; but once your seed phrase is leaked, you're in real danger.
AI Summary
  • Core Insight: This article provides a clear explanation of essential Web3 security concepts: The private key is the sole credential for controlling on-chain assets, the seed phrase is a readable backup form of the private key, and the wallet password is only used to unlock the app. Users need to differentiate between exchange accounts (platform-custodial) and self-custodial wallets (where the user holds the private key), and adopt security measures like offline seed phrase backups.
  • Key Elements:
    1. A wallet is essentially a "keychain" for managing private keys. The assets are actually recorded on the blockchain, and losing or exposing the private key will result in the loss of those assets.
    2. Private keys and seed phrases are fundamentally the same; a seed phrase consists of 12 or 24 words, making it easier for users to back up and restore their wallet.
    3. A wallet password (PIN code) is only used to locally unlock the app. If forgotten, it can be reset using the private key/seed phrase. If the private key is lost and the wallet cannot be opened, the assets are irretrievable.
    4. Assets on centralized exchange accounts are custodied by the platform, managed via username/password and two-factor authentication, without an independent private key for the user. Private key leaks do not automatically mean theft; they represent different user responsibilities and risk allocations.
    5. The "Web3 wallet" provided by an exchange is separate from the platform account's asset control; its seed phrase must be backed up independently, and the platform cannot recover it.
    6. Hot wallets store private keys on internet-connected devices, while cold wallets (hardware wallets) store them on offline devices. However, hardware wallets do not protect against users voluntarily leaking their seed phrases.
    7. Storing seed phrases on cloud drives carries risks of malware, account breaches, and app data access. It is recommended to write them down on paper or metal plates for large holdings, and perform multiple offline backups in separate, secure locations.

I often answer questions for newcomers to Web3, and I’ve encountered all kinds of problems.

For example, some ask, “Can I recover my wallet if I accidentally delete it or forget my password?” Some people screenshot their seed phrase and save it in their photo album, thinking it’s safe as long as they don’t share it with others. Others still can’t tell the difference between an exchange account and a wallet they downloaded themselves.

These questions seem very basic, but in reality, many people who have used wallets for years don’t fully understand them either.

So, I plan to start a new series called “Web3 Survival Guide,” trying to avoid jargon and focus specifically on those seemingly small but critically important questions, to help everyone understand and use Web3 step by step.

This article is Part 1 of the “Web3 Survival Guide.” Let’s start with the most important thing: what exactly is the difference between a private key, a seed phrase, and a wallet password?

1. First, Remember This: There Are No Coins in Your Wallet

Many people think their BTC, USDT, ETH, or other tokens are “stored in the wallet.”

But strictly speaking, assets are not inside the wallet app; they are recorded on the blockchain. In other words, the wallet you use, whether it’s MetaMask, OKX, SafePal, TP, or imToken, is more like a set of tools to help you keep your keys safe, not a vault for storing assets:

  • The blockchain records how much of an asset a specific address holds, where those assets came from, and where they were sent;
  • The wallet keeps the “key” to this address for you and helps you move assets into and out of it.

For example, when you transfer tokens, swap tokens, or authorize a dApp, the wallet calls the private key stored within it to sign the transaction. This essentially proves to the blockchain that the person controlling the address indeed agrees to this operation.

Therefore, the wallet app is not a vault for coins; it’s more like a box for storing keys. The truly valuable thing is the key (private key) inside, not the box itself.

This also explains two things that are hard for many people to understand:

  • Even if the original wallet app goes bankrupt, is removed from the app store, or is accidentally deleted, as long as you have a backup of the correct private key, you can download another wallet, import the private key, and recover it. This is because the entire industry is based on the same technical standards, and the import logic of different wallets is interoperable. It’s like putting the same key into a different box – the lock still works.
  • If someone else obtains your private key, even if your phone is still in your hand and the wallet app hasn’t been deleted, they can still transfer your assets away – because they can import the key into their own wallet. The blockchain only recognizes the key, not who holds it.

2. What’s the Difference Between a Private Key, Seed Phrase, and Wallet Password?

Since the private key is so important, what is a seed phrase?

Actually, the seed phrase exists mainly to make it easier for ordinary people to back up their wallets. A private key is a string of characters randomly generated by the system; it’s long and messy, easy to get wrong when copied by hand, and almost impossible for the average person to memorize.

Therefore, the industry adopted a universal standard to “convert” private keys into a seed phrase composed of 12 or 24 English words.

In other words, the private key and the seed phrase are essentially the same key, just in a different format. To elaborate a bit: theoretically, one seed phrase can derive multiple private keys. For easier understanding, you can think of a private key as a specific key, while the seed phrase is more like a master backup of a key ring (In my article “Starting from ‘Catch the Wind and Shadows’: The 2048 Words Deciding Trillions in Crypto Assets,” I also discussed why seed phrases are usually generated from a fixed word list and the basic logic behind it. Interested friends can check it out).

Nowadays, most mainstream wallets ask users to back up their seed phrase during creation, and they rarely require ordinary users to copy a long string of private keys anymore.

However, whether it’s the private key or the seed phrase, you must not tell anyone. Under normal circumstances, no one – not wallet customer service, project teams, or exchange staff – will ask you to provide your private key/seed phrase. Anyone who asks you to provide your private key on the pretext of “verifying your wallet,” “lifting a risk control restriction,” “claiming an airdrop,” or “helping recover assets” should be treated as a potential scammer.

So, what is a wallet password?

A wallet password, i.e., the PIN code or unlock password set when opening the app, is only used to unlock the app itself. It’s like a phone screen lock and has nothing to do with the private key or seed phrase.

Everyone can remember a simple principle:

  • Forgetting your wallet password is no big deal; you can re-import your private key/seed phrase and set a new password.
  • If you lose your seed phrase but your original wallet can still be opened, you still have a chance to back it up again or transfer your assets.
  • Only if you lose your seed phrase and your original wallet cannot be opened is there a real risk of not being able to recover it.
  • If your seed phrase is leaked, you should immediately transfer your assets to a completely new wallet.

3. Why Don’t Exchange Accounts Have Seed Phrases?

Many people first encounter cryptocurrency through exchanges like BN, OK, or BG. At this point, they might wonder, “I also have BTC, ETH, USDT, and USDC on the exchange, so why don’t they give me a seed phrase?”

This is because assets held on centralized exchanges are usually not under your direct control via a private key/seed phrase; the exchange manages them on your behalf.

When we log into an exchange, we usually use our phone number/email and login password, along with 2FA tools like SMS codes or Google Authenticator. The balance shown in your account is mainly a record kept by the exchange in its internal system, not a fully independent on-chain address under your direct control.

The advantage of this method is its simplicity; even if we forget our password, we can contact customer support, complete facial recognition or identity verification, and recover our account. However, the trade-off is that we need to trust the exchange to securely manage the assets and properly handle everyone’s deposits and withdrawals.

Wallets are different. You control the private key yourself, so asset control is mainly in your hands. You can transfer assets whenever you want, to whomever you want, usually without needing approval from the exchange. However, you also bear the responsibility of safekeeping your seed phrase, identifying phishing sites, and avoiding operational errors.

So, I always tell people: choosing between an exchange and a personal wallet isn’t inherently about which is safer; they represent two different ways of allocating responsibility. Using an exchange means entrusting part of the security and custody responsibility to the platform. Using a wallet means taking the control and the corresponding responsibility back into your own hands.

Which one to choose depends on your asset size, usage frequency, and personal risk management ability.

However, there’s another point of confusion today: mainstream exchanges usually offer both an “exchange account” and a “Web3 wallet.” For example, within the same BN or OK app, you can both log into your exchange account and create a self-custody wallet that requires backing up a seed phrase.

Although the entry points are together, they are not the same account, and the way assets are controlled is completely different. The judgment standard is simple: if the wallet requires you to independently back up your seed phrase and clearly states that the platform cannot recover it for you, then it is a self-custody wallet.

4. Hot Wallets and Cold Wallets: The Difference Is Also the Private Key

Once you understand private keys/seed phrases, distinguishing between hot and cold wallets becomes easy:

  • Hot Wallet: The private key is stored on a device connected to the internet. Signing is done via a mobile phone or computer. Wallet apps like MetaMask, OKX, SafePal, and TP are typically hot wallets.
  • Cold Wallet: Hardware wallets, which we often hear about, are a common implementation of cold wallets. The private key is generated and stored within a dedicated offline hardware device. During signing, the private key never leaves the device. Examples include hardware devices from Ledger, Trezor, and OneKey.

Of course, most projects making hardware wallets nowadays also have their own compatible software apps, like SafePal and OneKey.

It’s important to note that a cold wallet doesn’t mean the entire set of devices never touches the internet. More accurately, it means the private key itself never leaves the hardware device and is never directly exposed to the internet-connected phone or computer. The actual process is roughly:

  • The phone or computer creates a transaction waiting to be signed.
  • The hardware wallet signs it using its internal secure chip.
  • The hardware wallet sends the signed result back to the phone or computer.
  • The phone or computer then broadcasts the transaction to the blockchain.

During the entire process, the private key always remains securely stored inside the hardware device’s secure chip.

But a cold wallet, or hardware wallet, is not absolutely secure. If you take a photo of your hardware wallet’s seed phrase and upload it, enter it into a phishing website, or mistakenly authorize a malicious contract, the hardware device’s security becomes meaningless.

Ultimately, hardware wallets protect the storage and signing environment of the private key, but they cannot protect against users actively leaking their seed phrase.

We’ll discuss the specific choice between hot wallets and cold wallets/hardware wallets in more detail in the next article.

5. Can I Really Not Store My Seed Phrase in the Cloud?

Some friends repeatedly ask me: “Can I just save my seed phrase in my phone’s memo app without sharing it with anyone?” “Is it safe to store it in Alipay’s Iron Box or an encrypted cloud drive?”

Objectively speaking, security issues are rarely a simple case of “it will definitely be stolen” or “it will definitely not be stolen.” Different storage methods come with different levels of risk.

The biggest risks of storing your seed phrase in a regular memo app, WeChat favorites, chat history, email, or photo album include: your phone might get infected with malware or be remotely controlled; your cloud account might be hacked; your photos and memos might sync automatically; certain apps might read your clipboard or local content; or your old phone might not have its data completely wiped before being sold or repaired.

Of course, tools with independent passwords and encryption features are likely safer than a regular photo album or memo app. However, you still need to trust the phone system, the corresponding app, the cloud account, and the password strength. Failure in any link could lead to a leak.

Therefore, for large amounts of assets intended for long-term holding, it is still recommended to write the seed phrase on paper, or record it on a dedicated metal seed plate (most mainstream hardware wallet providers also offer similar metal seed plates; we’ll cover this in the next article), and store them in two relatively secure, independent locations.

Of course, offline storage also has its own risks, like paper damage, loss during a move, or fire or water damage. So, the truly reasonable security plan is multi-location backups.

We’ll discuss the techniques for safeguarding crypto assets, the specific usage scenarios and choices for hot wallets and cold wallets (hardware wallets) in more detail in the next article.
