When I started looking to move from holding only bitcoin to holding bitcoin and altcoins, the biggest hindrance was where to put all the different cryptos. I did not want to bother with 5 different wallets. Good multi-currency wallets are key to diversifying and decentralizing the crypto ecosystem.
I tried Exodus and within 5 minutes I could see that its privacy and security were unacceptable. All the problems I mention are quite easy to fix and have minimal impact on the ease of use.
Exodus forces address reuse
For each crypto you get one receiving address, and that's it. This goes against a basic crypto 101 privacy and security best practice: don't reuse addresses; use a unique address for every transaction.
Using one address for all your receiving transactions makes it easy for anyone you get a payment from to look up all the other payments you have received and to see the total amount of funds you have in that currency on Exodus! The blockchain is public, so all they need to do is paste your address into a block explorer.
It makes it easier for spies, hackers, advertisers, etc. to see patterns, build a profile and link your crypto transactions to your real-world identity.
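To show why a single address per coin is a product decision rather than a technical limit, here is an added example (my own code, not anything from the post or from Exodus) of the BIP32 derivation a deterministic wallet uses to produce a fresh key for every incoming payment from one seed. Assumptions: the seed is BIP32's published test vector 1, not a real wallet; the curve arithmetic is a plain textbook implementation with no side-channel protection; and the final address encoding (hash160 plus base58check or bech32) is left out, so the keys are printed as compressed public keys. Path layout m/account'/0/i is assumed for illustration.

```python
import hashlib
import hmac

# secp256k1 parameters (public constants from the curve specification).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
HARDENED = 0x80000000


def _point_add(a, b):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def _scalar_mult(k, point=G):
    """Double-and-add k*point (not constant time; demonstration only)."""
    result = None
    while k:
        if k & 1:
            result = _point_add(result, point)
        point = _point_add(point, point)
        k >>= 1
    return result


def pubkey(privkey: int) -> bytes:
    """33-byte SEC1 compressed public key for a private scalar."""
    x, y = _scalar_mult(privkey)
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")


def master_key(seed: bytes):
    """BIP32 master (private key, chain code) from a seed."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return int.from_bytes(digest[:32], "big"), digest[32:]


def child_key(privkey: int, chain_code: bytes, index: int):
    """BIP32 CKDpriv: child (private key, chain code) at `index`."""
    if index >= HARDENED:
        data = b"\x00" + privkey.to_bytes(32, "big")   # hardened: hash the private key
    else:
        data = pubkey(privkey)                          # normal: hash the public key
    digest = hmac.new(chain_code, data + index.to_bytes(4, "big"), hashlib.sha512).digest()
    il = int.from_bytes(digest[:32], "big")
    if il >= N:  # astronomically rare; BIP32 says skip this index
        raise ValueError("invalid child, use the next index")
    return (il + privkey) % N, digest[32:]


def derive_path(seed: bytes, path):
    """Walk a list of child indexes (e.g. [0 | HARDENED, 1]) from the master key."""
    k, c = master_key(seed)
    for index in path:
        k, c = child_key(k, c, index)
    return k, c


def receive_keys(seed: bytes, account: int, count: int):
    """Fresh public keys for `count` incoming payments at m/account'/0/i (assumed layout).
    The address a payer sees is only an encoding of one of these keys, so handing
    out a new one per payment costs the wallet nothing."""
    acct_k, acct_c = derive_path(seed, [account | HARDENED, 0])
    return [pubkey(child_key(acct_k, acct_c, i)[0]).hex() for i in range(count)]


if __name__ == "__main__":
    # Seed from BIP32 test vector 1: public test data, not a real wallet.
    seed = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
    for i, key in enumerate(receive_keys(seed, 0, 5)):
        print(f"payment {i}: {key}")
```

Every key comes from the same seed and the same backup phrase, so giving each payer a different address adds no backup burden; the only thing the wallet has to track is the highest index it has handed out.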
Exodus accepts insecure passwords
In Exodus’ own promotional video, you can see the founder using what he and the software call a very strong password, “bob-the-fish”. Other password strength indicators grade it as weak and say a computer would crack it in about 1 day.
Exodus does not enforce what it calls very strong passwords. Here are examples of what Exodus allows as “okay” passwords.
9571 (any 4 characters that don’t make a word or pattern)
qwertyuiop (top row of the keyboard)
Password strength indicators rate these as very weak and estimate they would take less than 1 second to crack! Yet Exodus thinks this is acceptable security for software that holds money with irreversible transactions and no recourse for theft!
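The gap between "very strong" and "cracked in under a second" comes down to which attack the meter models. As an added example (my own code, not the post's or Exodus'), here is a small estimator that scores a password by the cheapest strategy that fits it: plain brute force over the observed character classes, a keyboard-walk list, or a dictionary combinator attack. The guess rate of 1e10/s (an offline attack on a stolen wallet file), the 10,000-word effective dictionary, the tiny lookup word list and the strong/weak thresholds are all assumptions chosen to illustrate the point; a real wallet should use a maintained estimator such as zxcvbn rather than this.

```python
import re

# Constructed toy word list, standing in for the dictionary a cracker would load.
COMMON_WORDS = {"bob", "the", "fish", "password", "wallet", "bitcoin", "exodus", "money"}
# Assumed effective size of that cracking dictionary (the toy list above is only for lookup).
DICTIONARY_SIZE = 10_000
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
# Assumed offline guess rate against a fast hash; the realistic threat is an
# adversary holding the wallet file, not someone typing into the login box.
GUESSES_PER_SECOND = 1e10
SECOND, DAY, YEAR = 1, 86_400, 31_536_000


def charset_size(pw: str) -> int:
    """Size of the union of standard character classes present in the password."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 33
    return size


def is_keyboard_walk(pw: str) -> bool:
    """True for 4+ adjacent keys along a single keyboard row, in either direction."""
    low = pw.lower()
    return len(low) >= 4 and any(low in row or low in row[::-1] for row in KEYBOARD_ROWS)


def dictionary_words(pw: str):
    """Letter runs split on separators/digits, or None if any run is not a known word."""
    tokens = [t for t in re.split(r"[^a-z]+", pw.lower()) if t]
    if tokens and all(t in COMMON_WORDS for t in tokens):
        return tokens
    return None


def estimate_guesses(pw: str) -> float:
    """Guesses needed by the cheapest attack strategy that fits the password."""
    if not pw:
        return 0
    candidates = [charset_size(pw) ** len(pw)]          # plain brute force
    if is_keyboard_walk(pw):
        candidates.append(len(KEYBOARD_ROWS) * 2 * 10)   # rows x direction x start offset
    words = dictionary_words(pw)
    if words:
        # combinator attack: dictionary^words, times a few separator choices
        candidates.append(DICTIONARY_SIZE ** len(words) * 4 ** (len(words) - 1))
    return min(candidates)


def crack_seconds(pw: str) -> float:
    """Expected worst-case time for the assumed offline attacker."""
    return estimate_guesses(pw) / GUESSES_PER_SECOND


def rate(pw: str) -> str:
    """Label in the style of the strength meters the post refers to (thresholds assumed)."""
    t = crack_seconds(pw)
    if t < SECOND:
        return "very weak"
    if t < DAY:
        return "weak"
    if t < YEAR:
        return "okay"
    return "strong"


def is_acceptable(pw: str) -> bool:
    """Policy a wallet should enforce (assumed): 12+ chars and not crackable within a year."""
    return len(pw) >= 12 and rate(pw) == "strong"


if __name__ == "__main__":
    for pw in ("9571", "qwertyuiop", "bob-the-fish", "Tr0ub4dor&3x9pLq!"):
        print(f"{pw!r:22} {rate(pw):10} ~{crack_seconds(pw):.3g} s  accept={is_acceptable(pw)}")
```

Run it and the three passwords from the post land where the post says: "9571" and "qwertyuiop" are cracked in well under a second, and "bob-the-fish" falls to a three-word dictionary attack in minutes even though a character-class count would call it strong. That is the mistake a naive meter makes: it scores the alphabet, not the attack.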
Also, note that passwords are displayed in plain text as you enter them as per the image above. All of this violates basic info security 101.
An adversary who knew this password could take your funds if they also had access to either your machine or your email, because Exodus emails you a backup link.
Exodus is closed source
These obvious major flaws in basic privacy and security, which I found in 5 minutes, suggest that Exodus either doesn't care about or is incompetent at privacy and security for its users.
That is why Exodus being closed source is such a problem. You have no way to know what other mistakes they have made, and no one outside the company can audit the code to find out. Given the above, it's reasonable to assume there are more mistakes hiding in the code and that they are potentially serious.
And another thing!
Also, note that there is no 2-factor authentication available.
All of this also makes me wonder about the glowing reviews I have seen for Exodus. I guess reviewers like Cryptocompare, 99bitcoins and others just see a pretty design and give it 9/10.
Exodus is a beautiful wallet with huge potential if they fixed these few issues.
A great multi-currency wallet is Edge. It’s from the team that previously made Airbitz. It has very good security and is beautiful and easy to use. Unfortunately, it is mobile only with no desktop version. This is the multi-currency wallet I recommend.
A multi-crypto wallet I tried on the desktop is Jaxx. With Jaxx, you can use unique addresses. Jaxx's PIN is weak, but an adversary can only take advantage of that if they have access to your machine (with Exodus' password it's your machine or your email).
Jaxx is from the guys at Decentral who have a long and positive history in the space. They have come under criticism for security problems themselves though.
Coinomi is an often recommended, open-source, multi-currency wallet for android but I found it clunky.
Have fun multi-coining!