The migration of value into the digital realm brings with it new challenges in terms of best security practices. As with any unit of value, there is always someone, somewhere that seeks to extract this value for their own ends, whether it be through coercion, social manipulation or brute force.
This guide is intended to provide a broad overview of the best practices for securing your crypto assets. While most of these steps are not mandatory, following them will greatly increase your financial security and peace of mind in the crypto world.
Passwords — Complexity & Re-Use
Starting from the ground up, password complexity and re-use are two major pain points that many average users do not consider adequately. As you can see by this list, average password complexity still leaves a lot to be desired. The less complex your password is, the easier your account is to compromise. If you use the same passwords, or even slight variations of the same passwords, across multiple accounts, your chances of compromise are greatly increased.
So what can you do? Fortunately the fix for this is relatively easy. Use randomly generated passwords of 14+ characters and never re-use the same password. If this seems daunting to you, consider leveraging a password manager such as LastPass or Dashlane that will assist in password generation and storage.
LastPass is our favorite password generator and manager.
You can find out if any accounts associated with you have ever been compromised here, and you can use this tool to test just how strong variations of your passwords may be (*do not use your real password on here, only similarly structured variations).
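The two rules above (random 14+ character passwords, no re-use or near-re-use) can be checked mechanically. The following is an added example, not code from the guide: it generates passwords with the `secrets` module, estimates their entropy, and flags a candidate that is only a small edit away from a password already in use. The edit-distance threshold of 3 is an assumption chosen for illustration.

```python
import math
import secrets
import string
from typing import Iterable

# Character set for generated passwords: letters, digits and punctuation (94 symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 16) -> str:
    """Return a password drawn uniformly at random from ALPHABET.

    The guide recommends 14+ characters; `secrets` (not `random`) is used so the
    output is suitable for credentials.
    """
    if length < 14:
        raise ValueError("guide recommends at least 14 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(password: str, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password of this length over the alphabet."""
    return len(password) * math.log2(alphabet_size)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: the number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_reused_variant(candidate: str, existing: Iterable[str], max_edits: int = 3) -> bool:
    """True if candidate equals, or is a small edit of, any password already in use.

    Catches the 'Summer2023!' -> 'Summer2024!' habit the guide warns about.
    Comparison is case-insensitive so 'Password1' and 'password1' also match.
    max_edits=3 is an assumed threshold for this example.
    """
    c = candidate.lower()
    return any(edit_distance(c, e.lower()) <= max_edits for e in existing)


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"~{entropy_bits(pw):.0f} bits")
```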
Dedicated Email Accounts
Almost every online service/exchange requires some type of email account association during the activation process. If you are like most people, you will probably use the default email address you've had for years, perhaps with a slightly more complex password for the account itself for good measure.
In most cases however, all a hacker needs is access to your emails in order to reset account passwords that may be tied to it. It’s as simple as navigating to the website/exchange and clicking the ‘forgot password’ link to begin the process. So, if you are like most people and have an email address that has been active for years, with a weak login password, your chances of being hacked are much higher.
For the above reasons, do yourself a favor and create a new, dedicated email address for use with your crypto accounts. Services like ProtonMail and Tutanota are free and offer end-to-end encryption without sacrificing usability (mobile app availability etc.). If you decide to stick with Gmail, consider activating the Advanced Protection Program that Google offers.
Proton Mail offers email with end-to-end encryption.
Use a VPN
A virtual private network (or VPN) is simply a must for everyone today, but especially cryptocurrency users.
As we surf the internet, there are unfortunately a lot of eyes on us at all times. One very big set of eyes watching us is our internet service provider (or ‘ISP’). They see and hear everything we do on the internet. And they often share that information with third parties. But our ISP and its friends are not the only people watching. Anyone using the same wifi network that we are using can also see what we are up to online.
A VPN solves this problem. When we use a VPN, our computer's IP address does not connect to any website directly. Instead we communicate with another IP address over an encrypted connection. That IP address then makes website requests on our behalf and sends the data back to us. This locks onlookers out of our connection, so that only one party (the VPN provider) knows what we are doing.
It’s therefore important that you choose a VPN service with a great track record.
The reason VPNs are important for cryptocurrency users especially is that we use Bitcoin to keep as much data hidden as possible. However, when we expose our IP address, we might give away that our IP address is connected to someone who owns and uses cryptocurrency, merely because of the websites we visit.
Long story short: everyone should be using a VPN regardless of whether or not they use Bitcoin. It's for your own safety.
Two-Factor Authentication (2FA)
We typically recommend setting up two-factor authentication (2FA) for any and every account that offers it, even if the service is not crypto related. All 2FA does is require a second means of confirmation that you are who you say you are when logging into accounts. Most typically this takes the form of something you know (a password) and something you own (an SMS code sent to your phone).
While SMS is still the most common form of 2FA offered by online services, it is unfortunately the least secure. The following general use 2FA methods are ranked from most secure to least:
- FIDO U2F — This is a physical device that plugs into a USB port and requires a physical button touch to generate a unique 2FA access code. It is preferable because a hacker would need to have the device in their physical possession in order to access your account. Most hacks occur remotely which makes this our top 2FA choice (albeit not a panacea).
- Google Authenticator — An app that resides on your mobile device and cycles through one-time use access tokens. If you go this route, be sure to save the backup code that is provided at initial setup. If you don't have this and your phone is lost or broken, you have no way to get these code settings back. While not as good as a YubiKey, it's still better than SMS two-factor.
- Authy — Similar to Google Authenticator but potentially less secure as you can re-access the codes from an alternate mobile device if your main one is lost or broken (this feature can be disabled but is active by default). While this may seem more ideal, what is more convenient for you is also more convenient for those who may be trying to hack you.
- SMS — Codes sent to your cell phone through text message. This is better than no 2FA at all, but is susceptible to social engineering SIM attacks. Interestingly, SMS 2FA security holes did not come to light until the popularity of Bitcoin began to grow. Some cell service providers now offer a separate PIN to prevent porting your cell service to another provider or SIM card. Contact your provider to set up a Port-Out PIN to protect against this type of scam.
YubiKey is the most popular hardware second factor.
Speaking of SIM attacks, there is one way to avoid them.
Services like Google Fi offer an alternative to traditional mobile phone contracts that are not only more flexible but also more secure.
With Google Fi, you can prevent any changes from occurring on your account without providing a second authentication factor. And because there are no SIM cards in a Google Fi plan, there are also no SIM attacks. This makes it impossible for attackers to hijack your text-messages and take over your accounts.
Currently, Google Fi is the only mobile phone service in the US that offers 2FA. So if you intend on taking your security seriously in this area, Google Fi is the only way to do it if you live in the United States.
Another nice perk of Google Fi is that it’s easy to change your phone number whenever you want. This feature alone also increases your security since many of our phone numbers have been leaked before and can be used to access other accounts online. If your leaked phone number is no longer active, you are a little more protected.
Mobile Crypto Wallets
Mobile app wallets such as Mycelium, BRD, Samourai, Cryptonator, etc. should be treated similarly to how you may treat your physical wallet/purse.
Only carry small amounts of discretionary spending funds in these wallets, as they are more susceptible to loss or theft. Again, what is more convenient for you is more convenient for a malicious actor as well. Your phone is also susceptible to malware and should not be considered sufficiently safe for storing large amounts of funds.
Phishing
If you have crypto then you are an ideal target for phishing scams. Facebook and Twitter are just two of many avenues that hackers scour for potential victims. It has become common to see fake crypto exchange emails or ICO fundraising confirmations circulating, such as the example below.
Phishing email impersonating Blockchain.info. Note the sender address and logo irregularity.
It is best to NEVER open suspicious attachments or provide credentials through email, and to always closely inspect the logo, wording and sender address of any emails received that pertain to financial accounts or that request sensitive information.
When in doubt, navigate to the legitimate exchange or web service that the email supposedly originated from and contact their support team to inquire on the validity of what you received before taking further action.
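The inspection the guide describes (real sender address rather than display name, reply-to address, where the links actually point) can be scripted. The following is an added example, not code from the guide: it runs those checks over a constructed message that imitates the Blockchain.info impersonation above. The sample headers, the lookalike domains and the set of legitimate domains are all assumptions made up for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List
from urllib.parse import urlparse

# Domains the impersonated brand legitimately sends from (assumed for this example).
LEGIT_DOMAINS = {"blockchain.info", "blockchain.com"}

# Constructed sample: headers and body a lookalike phishing message might carry.
SAMPLE_EMAIL = """\
From: "Blockchain.info Support" <support@blockchain-info-verify.example>
Reply-To: recover@mail-verify.example
Subject: Urgent: verify your wallet
Content-Type: text/plain

Your wallet will be locked. Confirm now: http://blockchain.info.secure-login.example/verify
"""


def domain_of(address: str) -> str:
    """Lower-cased domain part of an email address ('' if there is none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def phishing_indicators(raw: str, legit_domains=LEGIT_DOMAINS) -> List[str]:
    """Return the reasons a message looks like brand impersonation (empty if none)."""
    msg = message_from_string(raw)
    reasons = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    # The display name is free text; only the address after '@' identifies the sender.
    brand_in_name = any(d.split(".")[0] in name.lower() for d in legit_domains)
    if brand_in_name and from_domain not in legit_domains:
        reasons.append(f"display name claims brand but sender domain is {from_domain}")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_domain:
        reasons.append(f"reply-to domain {domain_of(reply)} differs from sender")
    body = msg.get_payload(decode=True).decode(errors="replace")
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        host = (urlparse(url).hostname or "").lower()
        # A legitimate name appearing as a *subdomain* of something else is a lookalike.
        if host not in legit_domains and any(d in host for d in legit_domains):
            reasons.append(f"link host {host} only resembles a legitimate domain")
    return reasons


if __name__ == "__main__":
    for reason in phishing_indicators(SAMPLE_EMAIL):
        print("-", reason)
```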
Secure Crypto Storage
If you don’t hold the private keys, you don’t own your money!
This category is how most people have been compromised and lost money in crypto. How? Primarily, by treating an exchange (Coinbase, Binance, Bittrex, Poloniex etc.) as a wallet to store their crypto assets in.
Mt. Gox, Bitfinex, BitGrail and Coincheck are just four of a handful of crypto exchanges that have been hacked in the past 5 years, with the cumulative amount stolen exceeding $1 billion USD. While some users of these exchanges have been partially compensated, many are still suffering from the partial or even total loss of crypto funds that they held on these exchanges at the time of the hacks.
Our advice is to hold crypto on hardware and back it up using a steel wallet.
The Billfodl is a steel wallet that backs up your recovery phrase, protecting it from fire and flood.
If you wish to trade on exchanges, only do so with funds that you are potentially willing to forfeit entirely should either the exchange or your individual account become compromised.
A few of our recommended hardware wallet manufacturers are Ledger and Trezor. You can find our more detailed wallet reviews here. As with all hardware/software, please ensure that your device firmware is kept up to date, as patches are pushed out continuously to address security concerns.
The subject of secure storage is something we cover in much greater depth in the next bonus chapter.
Security on the web is akin to a game of whack-a-mole, and your level of security will likely scale accordingly with the amount of sensitive data (or crypto assets) that you are protecting.
While there is no such thing as an ‘unhackable’ system, there are valuable steps that you can take to drastically reduce your likelihood of compromise.
Always remember to:
- Use complex and unique passwords
- Create a separate/dedicated email account for crypto services
- Use two-factor authentication
- Store most (if not all) of your funds on hardware wallets
- Be wary of phishing emails
Good luck and stay safe!