Security

Cover Your Assets!

Have you ever heard the expression “not your keys, not your coins”? It means that if you aren't in control of the private keys associated with your funds or tokens, you're trusting a third party to manage your blockchain assets. You want complete control over how your blockchain assets are used. You, and only you (or someone you completely trust), need to hold the keys and protect them.

Keep Private Keys Private

They are called private keys for a reason. When you set up a wallet you should be given 24 words that are the 'seed' of your private keys. If the wallet doesn't give you 24 words, pick a different one. These words are like a master password to all the private keys your wallet will hold, for every blockchain loaded into your wallet. Write those words down, in order, with old-school pen and paper.

Bottom line: Secure those 24 words! They are the seed and the key to your assets on the blockchains. Keep your copies of them safe.


3 Security Approaches

Below are three examples of security best practices to effectively use and secure blockchain assets. These are just examples. There are many different possible combinations of wallets and security scenarios.


NFT Focused: Ledger + Metamask

Metamask is a software wallet with wide cross-platform usability. There are Metamask browser plugins and stand-alone phone apps. You'll need a wallet like Metamask to buy NFTs on marketplaces like OpenSea. Metamask uses a 12-word seed (mnemonic) phrase.

Staking Coins: Atomic/Ledger

If you want to buy coins that pay staking rewards (ex: Cardano), choose wallets that allow staking without making you download the entire blockchain for that coin. Two good options are the Atomic Wallet phone app and the Ledger physical wallet.

High Value: Ledger/Trezor

If you have a lot of cryptocurrency, you need a physical wallet. Both Ledger and Trezor brand wallets are excellent choices. Be sure to buy from the manufacturer or from an authorized third-party reseller listed on the Trezor or Ledger website. Beware of fake websites. When in doubt, search "Trezor wallet" or "Ledger wallet" on duckduckgo.com. Click the top 2 links in the search results. If they point to the same base website, you've got the official one. When in doubt, keep searching for the official site. This is important not only when ordering a physical wallet, but also when interacting with the site later via your wallet, or when reading how to set up and use your wallet.


Be Paranoid - Stay Safe

Physical wallets are the best choice for combining usability with very high security. The Trezor Model-T and the Ledger Nano X are both excellent. One nice feature of the Ledger is that it allows you to set up hidden addresses. That gives you plausible deniability if someone were to force you to unlock your hardware wallet under physical duress. While this is highly unlikely, it has happened. You can have one wallet address that is visible when the primary PIN is entered, and another (or many) addresses locked behind a second PIN that is itself secret and optional. A serious security approach could look something like this:
1. Buy a Ledger and follow the basic setup instructions.
2. Write the first 12 seed words on one sheet of paper and the last 12 on another. Secure each sheet in a different location (ex. different bank vaults).
3. Put a small but believable amount of crypto or NFTs into an address.
4. Set up a passphrase-protected account and put most of your blockchain assets in that address.
5. Do not lose your passphrase PIN - see #2 above.

The steps above are extreme, and some people go even further. At a minimum, do numbers 1 and 2 if you have a significant amount of blockchain assets.
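The passphrase-protected account in step 4 is the BIP39 passphrase mechanism: the wallet seed is derived from the seed words plus the passphrase, so the same words yield an unrelated "hidden" seed for each passphrase, and without the passphrase no amount of seed words will recover it. The example below is added here and is not code from the original page or from Ledger; it derives the seed the standard way (PBKDF2-HMAC-SHA512, 2048 rounds, salt "mnemonic" + passphrase) and uses the public BIP39 test mnemonic, which must never hold real funds.

```python
import hashlib
import unicodedata

# Constructed input: the public BIP39 test vector (eleven "abandon" words
# plus "about"). Anyone can derive its keys, so it is for demonstration only.
EXAMPLE_MNEMONIC = ("abandon " * 11 + "about").strip()


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 64-byte BIP39 wallet seed from seed words and a passphrase.

    This is the step a hardware wallet performs after the words are entered:
    PBKDF2-HMAC-SHA512, 2048 rounds, salt = "mnemonic" + passphrase, with both
    strings NFKD-normalised. An empty passphrase yields the visible (decoy)
    wallet; any other passphrase yields a separate hidden wallet.
    """
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac(
        "sha512", words.encode("utf-8"), salt.encode("utf-8"), 2048
    )


def hidden_wallet_is_independent(mnemonic: str, passphrase: str) -> bool:
    """True when the passphrase wallet differs from the decoy wallet and a
    near-miss passphrase (one stray trailing space) lands on yet another seed.

    The second check is why step 5 matters: a passphrase remembered almost
    correctly gives an empty wallet, not an error message.
    """
    decoy = bip39_seed(mnemonic)                        # shown under duress
    hidden = bip39_seed(mnemonic, passphrase)           # holds most assets
    near_miss = bip39_seed(mnemonic, passphrase + " ")  # one wrong character
    return decoy != hidden and hidden != near_miss


if __name__ == "__main__":
    print("decoy  :", bip39_seed(EXAMPLE_MNEMONIC).hex()[:32], "...")
    print("hidden :", bip39_seed(EXAMPLE_MNEMONIC, "TREZOR").hex()[:32], "...")
    print("independent:", hidden_wallet_is_independent(EXAMPLE_MNEMONIC, "TREZOR"))
```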
Under no circumstances should you:
1. Keep more than a trivial amount of assets, if any, in a hot wallet (software wallet).
2. Keep assets on an exchange except for immediate conversion to other assets (using a trustless DeFi exchange is better).
3. Move large amounts of assets in a single transaction (multiple small transactions are best, and use a tiny amount for your first one).
4. Give your seed, private key, password, or PIN to anyone you wouldn't want walking off with all your assets.
5. Trust anyone you don't know with any information about your blockchain assets (stay anonymous, keep your mouth shut, use a VPN).