## Why not hardened keys in addresses BIP44?

2

Being aware of the one weakness of BIP32:

One weakness that may not be immediately obvious, is that knowledge of a parent extended public key plus any non-hardened private key descending from it is equivalent to knowing the parent extended private key (and thus every private and public key descending from it). This means that extended public keys must be treated more carefully than regular public keys. It is also the reason for the existence of hardened keys, and why they are used for the account level in the tree. This way, a leak of account-specific (or below) private key never risks compromising the master or other accounts.

Why does BIP44 use non-hardened keys in the last 2 levels if it is still risky for the change/internal account? Wouldn't it be better to use always hardened keys?

m / purpose' / coin_type' / account' / change / address_index


Change in this case represent external/internal chain. Usually if that's external chain, you can share it with parties. Imagine having a client which is obliged to send you bitcoin very often. If you'd give him xpub for the whole external chain, he can generate addresses on his own and you don't have to be bothered. It's not heavily used, but sometimes happens.