Wallet Security
Have you ever said to yourself, "gee, my bank account is too complicated. It would be much easier if instead of a password, I just pounded 12 words into a sheet of metal?"
No? Then congratulations, most crypto wallet security guides are not for you.
Luckily, this isn't most guides. I spend a lot of time thinking about practical wallet security. That means security for normal people who expect that their assets will be protected with a reasonable process for recovering them if something unexpected-but-not-unlikely should happen, like losing their phone.
Setting up your wallet
You should have a self-custody wallet. It is the difference between renting your wallet from a company and owning it. Metamask, Coinbase Wallet, and Phantom are all fantastic self-custody wallets.
When you install the wallet on your computer or phone you will be prompted to write down a seed phrase. This is a set of 12 words that acts as the master password for your wallet. If you lose this seed phrase you will lose access to your funds forever. This is the area where crypto most differs from traditional finance. There is no company to sue and no one to hold liable.
When saving your seed phrase you need to protect against two things: other people and yourself.
Protecting against other people means storing your seed phrase offline, typically written in pen on a piece of paper. This reduces that chance that malicious software or a phishing link can gain access to your seed phrase and associated wallet.
Protecting against yourself means actually remembering where you put the piece of paper. You would be shocked how often people forget this step. They write down their seed phrase and stick it into their wallet or purse. 6 months later they clean it out and it accidentally gets thrown away with a dozen receipts and old business cards. Don't do this.
Store your seed phrase somewhere safe and hidden at home or another secure location. To prevent the chance that you misplace it, send an email to yourself with a surreptitious reminder of where you stored it and include a keyword that you can easily find by searching.
Some wallets allow you to generate 24 word seed phrases for improved security. If you're using a 24 word seed phrase, consider writing down sections of it and storing them with trusted friends or family. You can do this by giving them each a shard on an index card like this:
In the event that you need to recover your wallet, you can contact two of the shard holders to recover the seed phrase. If you die, they will likely gather and recover the shards themselves, in which case your assets will be available as part of your estate planning.
This simple step is the most important thing you can do. It will take about a day to do right, but then you'll never have to think about it again.
Avoiding scams
Since transactions are irreversible, crypto is an especially appealing target for desperate and opportunistic scammers who will try to steal your money.
It is likely that you will click on a bad link at some point in your crypto journey. The best way to protect yourself is by segregating your assets into three accounts:
- A vault account that only receives assets and never interacts with smart contracts. This is like your savings account.
- A main account that is used for transacting on trusted sites. This is like your checking account.
- A burner account that is rotated often and used for interacting with unknown websites. This is like cash in your wallet.
Here's a great post from 6529 on the topic:
Should you use a hardware wallet?
Lots of people recommend hardware wallets like Ledger, Trezor, or Grid. A hardware wallet is useful because the seed phrase is generated on an airgapped device, reducing the risk that it is exposed to the internet and a malicious actor. I have used all three and use a hardware wallet in my current wallet setup. It is important if you are considering holding a large percentage of your net worth in crypto.
With that being said, I don't think a hardware wallet is strictly necessary for most people and can always be added later. People tend to waffle on getting one or use it as an excuse to punt on security until they buy it. In most cases it sits in a drawer unused while providing a false sense of security.
What about exchanges?
If you are just planning to hold coins like BTC, ETH, SOL, etc. you can choose to keep your money on exchanges. This replaces the threat of losing or exposing your seed phrase with the risk of the exchange shutting down or being compromised.
Businesses disappear every day. Crypto is intended to be a lifelong asset. These two trends do not mesh well.
If you are buying crypto or need a place to store it as a clearinghouse for your bank, then exchanges can be useful. But if you are considering holding assets for 10+ years it is advisable to put your crypto onto a self-custody wallet that reduces the risk of your exchange of choice disappearing when you're not looking.
What about multisigs?
Multisigs are a great alternative to the shard model that I outlined above. They allow a wallet to be controlled by multiple addresses. This reduces the risk that a single account being leaked will compromise your assets, while also allowing you to include other people in your recovery process.
Make sure that if you include other people on your multisig they cannot achieve quorum without you. For example, don't have a 3-6 multisig where 3 of the wallets do not belong to you. A typical setup is a 3-of-5 multisig where 3 accounts belong to you and 2 belong to trusted friends or family.
Gnosis Safe is the gold standard on Ethereum, while other chains have their own solutions for multisig wallets.
What about physical security?
What happens if there is a fire or emergency that requires you to leave your home in a hurry? What if your backpack is stolen along with your Ledger?
Physical security is important and can be mitigated by using multisigs with multiple signers, or distributing shards among several friends or family members who don't live together.