You can also even add a password to your Trezor (if you end up buying the Model T) so that even if you lose the device, nobody can access the interface because it's password protected.
When you talk about a password, you are referring to the PIN needed to unlock the hardware wallet, but that password is not a guarantee that your device will be protected in case it falls into the wrong hands. Furthermore, if you have not set the passphrase, an experienced attacker who comes into physical possession of such a device will extract the seed from it within 5 minutes.
However, for the sake of transparency, here is a high-level description of the attack:
- Physical access is necessary
- Equipment required: the Extractor + laptop
- Setup cost is low: ~100$ + computer
- Attack is fast: 3 minutes preparation, 2 minutes seed extraction: ~5 min
- Works on all firmware versions
- On encrypted firmware (Keepkey & Trezor >= 1. , the PIN must be bruteforced. It can take a few more minutes (on a fast computer) for a long PIN (9 digits)
- Attack is very reliable: 100% success on ~20 devices
If someone can find that piece of paper they can indeed access your coins, so you better keep that paper in a highly secured place...
A seed that is additionally protected with a sufficiently strong passphrase (brute force resistant) will not allow anyone to steal anything - in other words the seed and passphrase should be stored separately.
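
Added example, not part of the original posts: a sketch of why a passphrase changes the picture, assuming the wallet derives its seed as BIP39 specifies (PBKDF2-HMAC-SHA512, 2048 rounds, salt "mnemonic" + passphrase). The sample mnemonic is the public all-"abandon" test phrase, and the guess rate and the passphrase shape (16 characters from 94 printable symbols) are constructed assumptions for sizing only.

```python
import hashlib
import math
import unicodedata

# Constructed sample: the public BIP39 test phrase. Never use it for real funds.
SAMPLE_MNEMONIC = "abandon " * 11 + "about"


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 64-byte wallet seed the way BIP39 specifies."""
    words = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048, dklen=64)


def search_space_bits(alphabet_size: int, length: int) -> float:
    """Size of a uniformly random secret's search space, in bits."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every candidate at a given (assumed) guess rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    # The words stored on the device or on paper are only half of the secret:
    # a different passphrase yields an unrelated seed, hence unrelated keys.
    bare = bip39_seed(SAMPLE_MNEMONIC)
    protected = bip39_seed(SAMPLE_MNEMONIC, "constructed example passphrase")
    print("seed without passphrase:", bare.hex()[:16], "...")
    print("seed with passphrase   :", protected.hex()[:16], "...")

    rate = 1e6  # assumed guesses per second, for illustration only
    for label, alphabet, length in [
        ("9-digit PIN", 10, 9),
        ("16-char random passphrase (94 symbols)", 94, 16),
    ]:
        bits = search_space_bits(alphabet, length)
        print(f"{label}: {bits:.1f} bits, "
              f"{years_to_exhaust(bits, rate):.3g} years at {rate:.0e}/s")
```

The bit counts hold only for secrets chosen uniformly at random; a dictionary word or reused password is far weaker than its length suggests.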