Built-in password managers in web browsers store your passwords on your computer in an unencrypted format. Remote hackers could technically access the password files on your computer and view them, unless you encrypt your computer’s hard drive.
This alone makes your login credentials that much harder to compromise.
#3 2FA Everything
Important: Stop using SMS authentication ⏤ especially in the US, where the risk of SIM swap attacks is very real. Even the Twitter account of Jack Dorsey (Twitter's CEO) was taken over via SIM swap back in 2019.
Instead, use Two-Factor Authentication (2FA) ⏤ either via i) software or ii) hardware tokens.
i) Software Tokens (2FA Apps)
Some of the more popular (and free) authentication apps are Google Authenticator and Authy. Download either one on your mobile device and start enabling 2FA on all supported accounts.
There are several differences between the two, but in general:
Google Authenticator
- + Very simple to use
- – Does not allow multi-device sync
- – Not possible to protect the app with a PIN
Authy
- + Secures the authentication codes, with the option to protect the app with a PIN / biometrics
- + Multi-device sync (although I would suggest enabling it only when you need to sync another device. Once synced, disable multi-device sync. More here)
ii) Hardware Tokens (YubiKeys)
If your accounts are worth at least $100 to you (for most of us they are), buy at least two YubiKeys and set them up on your key accounts (email and exchanges).
You need at least two, because if you lose one, you will have at least one other recovery option stored somewhere secure.
As with any security tool, order only from the official website.
How does it work?
The YubiKey makes 2FA as simple as possible. Instead of a code being texted to you or generated by an app on your phone, you press a button on your YubiKey ⏤ that's it.
How? Each YubiKey has a unique secret built into it, which is used to generate the codes that confirm your identity. More here.
Which one to buy?
YubiKeys come in multiple sizes. Personally, I use the YubiKey 5 NFC, which works with both laptops (via USB-A or USB-C) and mobile devices (via NFC).
There is even a short quiz on the official website to help you identify which YubiKeys are right for your setup.
For more FAQs on YubiKeys, check out this subreddit or this FAQ.
Why buy at least two?
Things can and will happen in life. Just get a spare. You wouldn’t have only one set of keys to your home, would you?
Register the YubiKeys on your critical accounts so you don't get locked out if you lose one. Keep one somewhere you can easily access daily, like a keychain, and at least one other in a safe place (at home, in a safe deposit box, in a bank vault, etc.).
What happens if you lose one? Nothing to worry about, because:
i) Whoever finds it would likely not know who it belongs to; and
ii) Even if they did, they would need to know which accounts you have used it on, AND know your login credentials for those accounts, AND attempt to log in before you remove the lost YubiKey from your accounts.
If you do end up losing one, use your spare YubiKey to log into your accounts and remove the lost key. Immediately order a replacement YubiKey and set it up once it arrives.
Why are YubiKeys recommended by most cybersecurity professionals?
All approaches to human authentication rely on at least one of the following factors:
i) Something you know (e.g. a password) ⏤ password manager
ii) Something you are (e.g. a fingerprint / Face ID) ⏤ your personal device
iii) Something you have (e.g. a 2FA token) ⏤ software or hardware
2FA software apps are mostly secure, but they are not unhackable. Adopt this mindset: Anything and everything stored online (unencrypted) can and will be stolen.
In most cases, all it takes is a man-in-the-middle attack set up through simple social engineering.
Hardware 2FA tokens are strong enterprise tools that are used by top global tech companies like Google for a reason.
Let’s see how this fits into our OPSEC overview:
Now, an attacker would need access to one of your personal devices, your login credentials, AND physically have your hardware token.
- + Simplicity: just tap the device (no installation required, no cumbersome 2FA codes)
- + Widely supported by most major services (click here for the full list)
- – Not universally or fully supported (e.g. FTX supports only one YubiKey at a time)
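To make the man-in-the-middle point concrete, here is an added toy model (not code from the post or from Yubico) of why a hardware token resists the phishing relay that defeats app codes: the site issues a fresh random challenge, and the token answers with a MAC over that challenge plus the origin the browser actually loaded the page from. Real FIDO/U2F keys sign with a per-site ECDSA key pair and refuse origins they were never registered on; a shared HMAC key is used here only so the example runs with the standard library. The origins https://exchange.example and https://exchange-login.example and the user "alice" are constructed.

```python
import hashlib
import hmac
import secrets


class HardwareToken:
    """Toy authenticator. The device secret never leaves it; the device only answers
    challenges, and the browser, not the user, supplies the origin."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)   # constructed device secret, never exported

    def register(self) -> bytes:
        # A real FIDO token hands out a per-site *public* key here. Returning the
        # symmetric key is a simplification so the example needs only the stdlib.
        return self._key

    def respond(self, challenge: bytes, origin_loaded: str) -> bytes:
        # origin_loaded comes from the page's actual URL; a look-alike domain cannot
        # claim to be the real one, so the answer is bound to where the tap happened.
        return hmac.new(self._key, challenge + b"|" + origin_loaded.encode(),
                        hashlib.sha256).digest()


class RelyingParty:
    def __init__(self, origin: str) -> None:
        self.origin = origin
        self._credentials: dict[str, bytes] = {}
        self._pending: dict[str, bytes] = {}

    def enroll(self, user: str, credential: bytes) -> None:
        self._credentials[user] = credential

    def begin_login(self, user: str) -> bytes:
        challenge = secrets.token_bytes(32)          # fresh per attempt: no replay
        self._pending[user] = challenge
        return challenge

    def finish_login(self, user: str, response: bytes) -> bool:
        challenge = self._pending.pop(user, None)
        if challenge is None:
            return False
        expected = hmac.new(self._credentials[user],
                            challenge + b"|" + self.origin.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


REAL_ORIGIN = "https://exchange.example"             # constructed
PHISHING_ORIGIN = "https://exchange-login.example"   # constructed look-alike


def legitimate_login() -> bool:
    token, site = HardwareToken(), RelyingParty(REAL_ORIGIN)
    site.enroll("alice", token.register())
    challenge = site.begin_login("alice")
    return site.finish_login("alice", token.respond(challenge, REAL_ORIGIN))


def relayed_phishing_login() -> bool:
    """A proxy on a look-alike domain forwards the real site's challenge to the victim
    and relays whatever the token returns. The response is bound to the wrong origin."""
    token, site = HardwareToken(), RelyingParty(REAL_ORIGIN)
    site.enroll("alice", token.register())
    challenge = site.begin_login("alice")                  # fetched from the real site
    response = token.respond(challenge, PHISHING_ORIGIN)   # victim taps on the fake page
    return site.finish_login("alice", response)            # real site rejects it


def replayed_response_login() -> bool:
    """A response captured from a genuine login is useless later: the next login
    gets a different challenge, so the old MAC no longer matches."""
    token, site = HardwareToken(), RelyingParty(REAL_ORIGIN)
    site.enroll("alice", token.register())
    old_response = token.respond(site.begin_login("alice"), REAL_ORIGIN)
    site.begin_login("alice")                              # new attempt, new challenge
    return site.finish_login("alice", old_response)


if __name__ == "__main__":
    print("legitimate login:", legitimate_login())
    print("relayed through phishing page:", relayed_phishing_login())
    print("captured response replayed:", replayed_response_login())
```

Contrast this with a six-digit app code: the site cannot tell which page the user typed it on, so a relayed code is accepted, whereas here the origin is part of what is authenticated and the attacker would indeed need the token itself.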
Coins Held Off Crypto Exchanges
“Not your keys, not your [coins]” ⏤ phrase popularized by Andreas Antonopoulos
Cryptocurrencies are bearer assets. If you keep your coins on an exchange, you are trusting that exchange to keep your private keys (and coins) secure on your behalf, with intermingled funds from all their customers.
From high withdrawal fees to a growing history of exchange hacks and philosophical objections to centralization, there are real reasons why you would want to self-custody and hold your own coins.
It is empowering to hold your own coins in your own custody, so they can never be confiscated or withheld by banks, or taken by exchange hackers. Direct control of your own money. Holding your own coins gives you unlimited freedom to transact on the blockchain, but at a cost: holding your own keys means being your own bank ⏤ if you lose your keys, no one can help you.
Although it seems straightforward, not everyone should hold their own keys, given the surprising amount of nuance involved.
Most use a combination of the two ⏤ a trading portfolio on exchanges (or in hot wallets like MetaMask), and the rest in personal custody (cold wallets), diversifying counterparty and custody risks.
It is a personal decision. How much do you have? How frequently do you plan to transact? Are you confident that your self-custody setup is more secure than with an exchange / regulated custodian’s cold storage?
Let percentage of net worth guide your decision. As a personal rule of thumb, if you have more than 5% of your net worth in crypto, you should at least use a hardware wallet.
The two most popular hardware wallets are Ledger & Trezor.
I would recommend at least two hardware wallets for redundancy (similar to having two YubiKeys). Keep one with you, and a backup in a secure location in case you lose your main device.
Hardware wallets can generate or import seed phrases ⏤ strings of 12 or 24 words that are literally the keys to your coins.
If you lose your hardware wallet, you can still enter your seed phrase into a new replacement hardware wallet to access your coins.
However, if you lose your hardware wallet AND your seed phrase, your coins are as good as gone.
Here are some best practices in handling seed phrases:
- Write it down on the provided recovery sheet that comes with your hardware wallet, and store it in a secure place. NEVER take a picture of it, save it on a device, sync to cloud etc ⏤ remember: “anything and everything stored online (unencrypted) can and will be stolen“
- Consider a metal solution to durably store your seed phrase
- Never key it into a computer / mobile device with an Internet connection. It should always remain offline, and only keyed into secure offline devices like hardware wallets
- Never lose it! You can afford to lose your hardware wallet device, but you cannot afford to lose your seed phrase
Advanced Security Principles (at your own risk)
How secure are seed phrases? Although a seed phrase looks like just 24 ordinary English words, the number of possible orderings is so large that there is no English word for it! To give an idea, this number is larger than the number of atoms in the entire universe (see line 24 below):
Hence, the odds of two people picking the exact same 24 words in the exact same order is virtually zero.
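To put numbers on the two claims above, here is an added worked example (not from the article) using the BIP39 facts that hardware wallets implement: the English wordlist has 2048 entries, each word encodes 11 bits, and the last bits of a phrase are a checksum over the rest, so a 24-word phrase carries 256 bits of entropy and a 12-word phrase 128. The birthday bound answers the "two people picking the same phrase" question directly; the guessing rate of 10^12 per second is a constructed figure for illustration.

```python
WORDLIST_SIZE = 2048          # the BIP39 English wordlist has 2^11 words
BITS_PER_WORD = 11


def raw_orderings(words: int) -> int:
    """Every ordered pick of `words` list entries, repetition allowed: 2048 ** words."""
    return WORDLIST_SIZE ** words


def entropy_bits(words: int) -> int:
    """BIP39 splits the 11*words bits into ENT bits of entropy plus ENT/32 checksum
    bits, so ENT = 11*words*32/33 (256 for 24 words, 128 for 12)."""
    total = words * BITS_PER_WORD
    ent = total * 32 // 33
    if ent % 32 or ent + ent // 32 != total:
        raise ValueError(f"{words} words is not a valid BIP39 phrase length")
    return ent


def valid_phrases(words: int) -> int:
    """Only phrases whose checksum bits match are accepted by a wallet: 2 ** ENT."""
    return 2 ** entropy_bits(words)


def collision_probability(phrases_in_use: int, words: int = 24) -> float:
    """Birthday bound: the chance that any two of n independently generated phrases
    coincide is at most n*(n-1) / (2*N) for a keyspace of size N."""
    n, space = phrases_in_use, valid_phrases(words)
    return min(1.0, n * (n - 1) / (2 * space))


def years_to_exhaust(words: int, guesses_per_second: float = 1e12) -> float:
    """Time to try every valid phrase at a constructed rate (default 10^12 guesses/s)."""
    seconds_per_year = 365.25 * 24 * 3600
    return valid_phrases(words) / guesses_per_second / seconds_per_year


if __name__ == "__main__":
    for n in (12, 24):
        print(f"{n} words: 2048^{n} orderings has {len(str(raw_orderings(n)))} digits, "
              f"{entropy_bits(n)} bits of entropy, "
              f"~{years_to_exhaust(n):.2e} years to exhaust at 10^12 guesses/s")
    print("P(collision among 8 billion 24-word phrases) <=",
          f"{collision_probability(8_000_000_000):.2e}")
```

The practical reading: nobody is going to guess or stumble on your phrase. Every realistic loss comes from the phrase leaking (a photo, a cloud note, a fake "wallet support" form) or from you losing it, which is exactly what the handling rules above guard against.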
For a more detailed explanation on hardware wallets and seed phrases, this article is a good resource.
Important final note: Don’t make your custody setup so complicated that even you forget how to access the funds. Go slow, test with small amounts and add more as you get more comfortable. Test your setup periodically.
Additional OPSEC Tips
- Never log into your key accounts on a shared device. You never know if the device has been compromised or not
- If you absolutely have to use public WiFi, use a VPN
As a handy reminder, I have summarized our OPSEC 101 in the following Twitter thread:
Invest The Time
Some of these measures might seem like overkill to most people.
In crypto, these are not good-to-haves ⏤ these are must-haves. Hackers only need one point of failure.
Your cyber / crypto security is only as good as its weakest link. Invest the time to set up your OPSEC right, once and for all.
Especially in crypto, we need to upgrade our attitude and culture towards security.
Disclaimers: I only recommend products that I would use myself. This post may contain affiliate links; at no additional cost to you, I may earn a small commission. Depending on the platform, you may receive rewards too. Nothing written on ken-chia.com is financial advice.