To Be Your Own Bank With MetaMask, You Need To Master These Password Best Practices
So, you are a complete beginner and have been hearing about DeFi and Crypto. You’d also love to get started. Well, it begins with password management. By the end of this article, you will:
- Learn the best practices for keeping your MetaMask assets safe
- Set up a password manager
- Be able to explain MetaMask to a friend
- Set up MetaMask
MetaMask is the most popular non-custodial wallet that holds your Ethereum-based assets, be it a token, NFT art, or even your Ethereum identity. Non-custodial means that MetaMask doesn’t host or store your assets. Instead, MetaMask generates passwords and keys locally on your device, so only you have access to your accounts and data. You are 100% in control of what information you share with applications and what you keep private.
With great power (of control and privacy) comes great responsibility. Here are some simple but essential security habits that will keep you surfing Web3 applications and using DeFi applications with confidence.
The Most Important Section
The two most important things to know are:
- DON’T EVER SHARE YOUR SECRET SEED PHRASE.
- BACK UP YOUR SECRET SEED PHRASE IN A COUPLE OF SECURE LOCATIONS, SUCH AS A PASSWORD MANAGER, COLD WALLET, OR WRITTEN AND SAFELY HIDDEN ON A PIECE OF PAPER.
KEEP YOUR SEED PHRASE SECRET, KEEP IT SAFE. – Crypto Gandalf
Remember how we said that with MetaMask, you have unparalleled privacy and control over your assets? Only you will have access to your secret seed phrase. MetaMask is not able to reset your account or get your password. Never trust anyone that asks for your seed phrase to restore your account. This is a phishing attack.
DO NOT SKIP THESE STEPS.
💡 Phishing is a form of social engineering where a hacker impersonates a trustworthy entity to get sensitive information from a target such as data, usernames, passwords or any other sensitive details. An example might be someone on Telegram offering to help you if you send them your secret seed phrase.
Unlike traditional accounts you might have with a Web2 company, neither MetaMask nor anyone else is able to reset your account or retrieve a password.
The point of being decentralized is that you alone have complete control over these important keys. A simple explanation is, “not your keys, not your wallet.” If you do not ultimately control the keys to your financial castle, it’s not yours. We will explain more in depth why this is a powerful new concept for the web in a future post to keep this article focused and actionable.
💡 If you would lose sleep over possibly lost funds, then you should take this section seriously. Adopting these habits and this setup will help keep your funds safe in the long run.
Set up your Password Manager
Before you install MetaMask, you should set up a password manager. Password managers are a unicorn in the security field, since they increase both convenience and security. Usually, one comes at the expense of the other.
💡 What is a password manager? It is a tool that securely stores your passwords by encrypting them and providing one master password to access all of them. Using one means you only have to remember a single password to access all your other passwords securely.
Why do you need a Password Manager?
- They will make your life easier since you will only have to remember one password.
- They generate passwords that are random, long, and hard to crack, for better security.
- They create a new password for every account, so you won’t have to reuse old ones.
- You can store your MetaMask seed phrase here initially to reduce the chance of losing your information.
Some popular password managers are 1Password and LastPass. There are others as well. Pick the one that has reviews from credible sources and works best for you. It is highly recommended that you get the paid version. If you plan on holding more crypto than the cost of a yearly subscription, then it is a good trade-off for greater security.
Hackers can access your crypto by breaking into your email accounts, taking over your phone number, and/or leveraging your digital presence to trick others into revealing personal information. By completely hardening your passwords across all accounts, you reduce the risk of these attacks.
If you are not convinced, see the video of this prominent cryptocurrency influencer on how he was hacked and almost lost all his crypto assets. You can search the internet for other cases of funds being stolen due to forgetting good security practices.
How To Create A Strong Password for your Password Manager: The Mind Map Method
- Think of the layout of your childhood room, or of a personal, non-public place that doesn’t exist anymore.
- List the items in the order you see them as you walk into the room or location.
- Use this list as a password.
- Add special characters and symbols between each word to make brute-force cracking harder.
- The longer the password, the more secure it is.
An example can be:
Don’t:
- Reuse a master password that you already use elsewhere for the password manager.
- Save your password manager’s master password in your phone’s notes, email, or on your desktop.
Do:
- Practice entering the master password often to memorize it.
- Create a unique and memorable master password.
- Make your master password type-able and easy enough for you to remember.
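To make “the longer the password, the more secure” concrete, here is an added example (not from the original article) that estimates how much guessing work a mind-map passphrase forces on an attacker. It deliberately assumes the worst case: the attacker knows the method, knows each word is an everyday object (modelled as a 20,000-word vocabulary), knows each separator is one of 32 printable symbols, and can test ten billion guesses per second. The vocabulary size, symbol count, guess rate, 80-bit threshold and the sample passphrases are all constructed assumptions for this example.

```javascript
// Added example: estimate the guess-resistance of a "mind map" passphrase.
// All constants below are assumptions chosen for illustration, not measurements.
const WORD_VOCAB = 20000;          // everyday nouns an attacker would try per word slot
const SYMBOL_VOCAB = 32;           // printable symbols an attacker would try per separator
const KEYBOARD_CHARS = 94;         // printable ASCII, for comparing with a random password
const GUESSES_PER_SECOND = 1e10;   // assumed offline cracking speed
const MIN_BITS = 80;               // assumed "strong enough" threshold for a master password

const log2 = (x) => Math.log(x) / Math.LN2;

// Split a passphrase into its words and the separator symbols between them.
function splitPassphrase(passphrase) {
  const words = passphrase.split(/[^A-Za-z0-9]+/).filter(Boolean);
  const separators = passphrase.match(/[^A-Za-z0-9]+/g) || [];
  return { words, separatorChars: separators.join("").length };
}

// Bits of guessing work when the attacker knows the method: each word is one
// pick from WORD_VOCAB, each separator character one pick from SYMBOL_VOCAB.
function estimateEntropyBits(passphrase) {
  const { words, separatorChars } = splitPassphrase(passphrase);
  return words.length * log2(WORD_VOCAB) + separatorChars * log2(SYMBOL_VOCAB);
}

// Bits for a uniformly random password of `length` keyboard characters.
function randomPasswordBits(length) {
  return length * log2(KEYBOARD_CHARS);
}

// Years needed to try every candidate at the assumed guess rate.
function yearsToExhaust(bits) {
  const secondsPerYear = 365.25 * 24 * 3600;
  return Math.pow(2, bits) / GUESSES_PER_SECOND / secondsPerYear;
}

function isStrongEnough(passphrase) {
  return estimateEntropyBits(passphrase) >= MIN_BITS;
}

// Constructed sample passphrases (items "seen" on entering a childhood room).
const FOUR_WORDS = "door-lamp!desk_bed";
const FIVE_WORDS = "door-lamp!desk_bed#poster";

function report(passphrase) {
  const bits = estimateEntropyBits(passphrase);
  return {
    bits: Math.round(bits * 10) / 10,
    years: yearsToExhaust(bits),
    strongEnough: isStrongEnough(passphrase),
  };
}

// Stand-alone run: compare the two samples with a random 8-character password.
console.log(FOUR_WORDS, report(FOUR_WORDS));
console.log(FIVE_WORDS, report(FIVE_WORDS));
console.log("random 8 chars:", Math.round(randomPasswordBits(8) * 10) / 10, "bits");
```

Under these assumptions the four-word phrase already beats a random eight-character password, and adding one more word and separator pushes it past the threshold: each extra word adds about 14 bits, each extra symbol about 5. The model is conservative on purpose; an attacker who does not know your method has far more to search.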
Backup your password manager account
Once you set up your password, download the emergency backup kit for your password manager. Print this piece of paper and save it in a SECURE location. If the location is fireproof, even better. This emergency backup kit will let you reset your password manager’s master password in case you forget it.
Don’t be like this guy… Sorry Stefan. Hope you get access one day.
Or these guys. Avoid the problems. An ounce of prevention beats doing the math to calculate how much you would have had.
Configure your password manager as follows to increase your security further.
Ninja Level Password Management
- If you have 1Password, download and print your password manager’s emergency kit. Place it in a waterproof ziplock bag, then put it somewhere safe that is ideally fire- and waterproof. See LastPass’s security tips for backups.
- Set your password manager to auto-lock:
  - Automatically lock if idle or when the screensaver comes on.
  - Automatically lock when logging off or exiting the application.
- Configure your password manager to lock after 1 minute of inactivity. This keeps you safe if you walk away from the computer briefly.
- Remove Mac’s Touch ID as a sign-in option and use the master password instead. You might have to access your information on a machine without Touch ID, and typing your master password often will help you remember it.
- Clear the clipboard 20 – 30 seconds after copying. This gives you enough time to paste your password, but clears it fast enough that someone else cannot later paste it and send it to themselves.
- Follow these additional security tips from LastPass and 1Password.
🤔 What if I have multiple password managers?
Pick one and consolidate your passwords there. You can opt to keep a secondary password manager with only the essential information, in case of an emergency.
NOTE: The more avenues there are to access your passwords, the less secure the manager becomes. Choose wisely.
Did you set up your password manager? If not, go back and do so.
Now that you have set up your password manager, you will be able to securely save your seed phrase in an encrypted location. Let’s set up your MetaMask Wallet.
💡 Although some people may say that password managers are not decentralized enough, this article gives pragmatic, easy-to-follow instructions for people new to cryptocurrencies. Using a password manager strikes a balance between ease of use and responsible security habits, which gives a new user a higher chance of adopting better security. If someone wants to create a decentralized password manager, please have at it.
First, go to the MetaMask.io website.
⚠️ Make sure to go to MetaMask.io. DO NOT google MetaMask and click on a link without checking the URL. Hackers often buy search engine ads and put up exact copies of the MetaMask website, bundled with malicious software, to steal your crypto.
👀 Be careful and please go to the official MetaMask.io website.
Once on the MetaMask.io website, click “download now” and choose your browser.
☝️ Pro tip: Bookmark the official MetaMask.io website to avoid future confusion. Be a pro.
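“Check the URL” is easy to say and easy to get wrong, so here is an added example (my own, not code from MetaMask) of what a correct check looks like. It compares the whole hostname rather than searching for the text “metamask.io” inside the address, which is exactly the mistake that look-alike addresses exploit. The acceptance of subdomains, the HTTPS requirement, and all the sample addresses (which use reserved `.example` names and are not real sites) are assumptions made for this example.

```javascript
// Added example: decide whether an address really belongs to metamask.io.
// Uses only the standard WHATWG URL parser available in browsers and Node.
const OFFICIAL_HOST = "metamask.io";

function isOfficialMetaMaskUrl(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return false; // not even a well-formed URL
  }
  // The real site is served over HTTPS; plain http is a red flag.
  if (url.protocol !== "https:") return false;

  // The parser lowercases the host and turns any non-ASCII characters into
  // "xn--" (punycode) labels. The official host is plain ASCII, so any
  // xn-- label means a look-alike character is present.
  const host = url.hostname;
  if (host.split(".").some((label) => label.startsWith("xn--"))) return false;

  // Accept the exact host or a subdomain of it (assumption for this example).
  // Note the leading dot: "metamask.io.attacker.example" ends in
  // ".example", not ".metamask.io", so it is rejected.
  return host === OFFICIAL_HOST || host.endsWith("." + OFFICIAL_HOST);
}

// Constructed samples: the expected verdict for each address.
const SAMPLES = [
  ["https://metamask.io/", true],
  ["https://metamask.io/download/", true],
  ["https://METAMASK.IO/", true],                      // case does not matter in hostnames
  ["https://sub.metamask.io/", true],                  // hypothetical subdomain
  ["http://metamask.io/", false],                      // not HTTPS
  ["https://metamask.io.attacker.example/", false],    // official name used as a subdomain of another site
  ["https://metamask-io.example/", false],             // hyphen instead of a dot
  ["https://metamask.io@evil.example/", false],        // "metamask.io" is the userinfo part, host is evil.example
  ["https://xn--mtamask-eya.io/", false],              // punycode form of a non-ASCII look-alike
  ["not a url", false],
];

// Returns the addresses whose verdict disagrees with the expectation (empty = all good).
function mismatches() {
  return SAMPLES.filter(([u, expected]) => isOfficialMetaMaskUrl(u) !== expected).map(([u]) => u);
}

console.log(mismatches().length === 0 ? "all samples classified as expected" : mismatches());
```

The browser’s address bar applies the same logic when you read it carefully: look at the part between `https://` and the next `/`, and make sure it ends in exactly `metamask.io`, with a dot or nothing before it.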
If you have Chrome, click “Add to Chrome.” This process is similar in other browsers.
After installing MetaMask, it’s time to set up your wallet. If you are creating a new wallet, click “create a wallet”.
You can agree to an optional policy to allow MetaMask to collect information to improve the product.
Once you choose, you will be prompted to create a password.
⚠️ This password exists only to prevent unauthorized people from accessing your MetaMask account on this computer. If you were to type this password on a new computer, it WILL NOT load your MetaMask wallet and assets.
Don’t:
- Reuse a password used elsewhere.
- Reuse your password manager’s master password.
- Tell others your password.
Do:
- Use a unique password you can type in and remember.
- Practice typing the password in.
⚠️ The following SECRET seed phrase is what accesses your funds.
Your SECRET Seed Phrase
A secret seed phrase is a series of random words which act as your wallet’s password. The SECRET seed phrase opens access to your funds. This SECRET phrase is generated for your wallet and is FOR YOUR EYES ONLY.
💰🕵️ Treat your secret seed phrase with the same respect as your banking password. Would you share that? NO. Not even if a “customer service representative” asked for it.
⚠️ NEVER share your secret seed phrase with anyone. ESPECIALLY people claiming to be “MetaMask Support” and wanting to help with an issue. This is a common example of phishing and it occurs all the time.
⚠️ MetaMask DOES NOT offer support via Telegram or Reddit. We will NEVER need your secret seed phrase to help you. It’s a secret for a reason.
⚠️ NEITHER you nor MetaMask can reset or change the words that make up your SECRET seed phrase. MetaMask CANNOT recover your SECRET seed phrase if you lose it. Learn why here.
If there are two things you learn from this article, they are:
- DON’T EVER SHARE YOUR SECRET SEED PHRASE.
- SAVE YOUR SEED PHRASE SOMEWHERE SECURE.
Saving your SECRET seed phrase
Behind the lock are 12 common words that act as your password to access your wallet. Save these in your password manager. DO IT NOW. Don’t be like the guy who can’t access his wallet… Sorry Stefan.
⚠️ DO NOT PROCEED UNTIL YOU HAVE SAVED YOUR SECRET SEED PHRASE IN A SECURE AREA.
⚠️ Note: If you save your SECRET seed phrase on an external hard drive, please don’t throw it away by mistake and then ask a city to dig up a landfill… Sorry James.
Now you will confirm your SECRET seed phrase, also known as your SECRET backup phrase.
Select the words you saved in your password manager or other secure location, in the correct order.
Once you’ve confirmed your SECRET seed phrase, CONGRATULATIONS! You are all set up.
Ideally you SHOULD save your backup in multiple locations.
Let’s say that for some reason you need your SECRET seed phrase again. You can follow these instructions to retrieve it here.
Remember: Not your keys, not your wallet.
In the next article, we will teach you how to add ETH to MetaMask, browse different applications, and send tokens to a friend.
Review questions:
- What is MetaMask?
- What is phishing?
- What is a SECRET seed phrase?
- What does the SECRET seed phrase do?
- If “MetaMask support” asks you for your SECRET seed phrase, what do you say?
- Who can prevent phishing?
Now it’s time to put your skills to work:
- Practice entering your password manager’s master password.
- Place your printed password manager’s emergency kit in a secure and waterproof location.
This series article is intended for general guidance and information purposes only for beginners participating in cryptocurrencies and DeFi. The contents of this article are not to be construed as legal, business, investment or tax advice. You should consult with your advisors for all legal, business, investment and tax implications and advice. ConsenSys is not responsible for any lost funds. Please use your best judgement and practice due diligence before interacting with smart contracts.