Board: Beginners & Help
Re: New crypto users, a few tips to avoid losing your hard earned coins
by Bitsaurus on 23/11/2020, 08:17:06 UTC
Alternatively, you can use a hardware wallet, which essentially uses encryption hardware to shield your private keys from the PC, allowing you to use your wallet on a system without worrying about compromise. Notable hardware wallet companies are Trezor and Ledger, and prices are generally reasonable considering the protection they provide.

It is not as simple as it may seem at first, because by buying a device like this and sending a coin to it, we cannot say that we are 100% protected. While it is true that a hardware wallet protects us even on a computer infected with malicious software, the way it protects us is by forcing us to check each of our actions in the user interface and on the hardware wallet screen. Therefore, if we know that the seed should not be shared with anyone and should not be entered anywhere, the greatest attention should be paid to the clipboard malware that changes the destination address - so before clicking send, check for an address match (on the UI and on the HW screen).

Hardware wallets are also a good option if you like to access your wallets somewhat frequently but are worried about residential theft (like if you keep your hardware wallet in a drawer right next to your PC). A hardware wallet, if fallen into the wrong hands, prevents thieves from accessing your coins as would a safe.

Partly true, because there is a known vulnerability in the Trezor wallet that allows anyone who comes into physical possession of the device to very easily extract the seed if it is not additionally protected with a passphrase (extra 25 word). Everyone should practice additional protection of the device itself by protecting their main wallet with a passphrase, which will not only protect the seed (if anyone finds it), but is the only thing that can protect our coins in case of a physical attack where thieves can only access that wallet which contains a small part of the coins.

Valid points. Has there been any case where a redirection malware has actually changed the destination address? This is why I do routinely check the first 6 and last 6 of each sending address. I know some of those redirection scripts are cleared out by Malwarebytes Premium, but obviously if the malware is new or has relatively low availability in the wild then it probably won't get picked up on by the scanner's heuristics.

When I purchased my Ledger I heard about the Trezor vulnerability. I assume they would have changed the chip since then - perhaps they have not updated it. My Ledger requires a PIN to be entered to access the device and clears the seed if it fails 3 times. Are the Trezors still hackable with a PIN/password if physical access is available?