PSA: How to Secure your Crypto Accounts

Hi there,

The number of posts published every day on this sub about how people have lost access to their accounts or were “hacked” is getting absurd, so I thought I’d share some general notes on how you can secure your accounts **right now.**

edit: never store your seed phrase online!

1. **Stop** using the same password for more than one account. This is **the most common** way accounts get stolen. If a password you’ve used appears in a data breach then that login combination **will** be tested against various financial institutions, crypto included.
2. The same applies to email addresses. Stop using the same email address for more than one account. This increases your risk from phishing emails considerably. The way to solve this one is to use aliases. I’ll give an example with Gmail, as the biggest email provider out there. Imagine your email address was yourname@gmail.com (placeholder). What you can do is add “+randomtext” after the name part of your email, so it becomes yourname+randomtext@gmail.com. You will receive all emails as normal in your inbox. It’s important to note that “+randomtext” should really be random and not “+amazon” or “+apple”, to avoid anyone picking up patterns such as “+bank”. If an alias gets compromised, you simply change that one email and block all emails going to it.
3. Two-Factor Authentication is key (pun intended). Enable 2FA on every single account that you own and store your backup codes somewhere offline. 2FA should be your primary way to confirm logins/approve transactions.
4. Use whitelisted addresses for withdrawals. If someone does get access to your account (near impossible, if you’ve done the above) then they won’t be able to take your precious coins without first approving a new wallet address using 2FA.
5. The moment your investment becomes more than you’re willing to lose, it’s time to get a hardware wallet. This point deserves its own post, so I won’t go into much detail, but they can’t “hack” what’s offline.
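As an added example (mine, not the post author’s), here is how the alias scheme from point 2 can be managed in practice: issue a random “+tag” per service, keep a record of which service got which tag, and sort inbound mail so that a leaked alias tells you which service leaked it and can simply be dropped. It assumes Gmail-style plus-addressing, where mail to local+tag@domain lands in local@domain, and uses a placeholder address rather than a real account.

```python
from __future__ import annotations

import re
import secrets

# Matches local+tag@domain; the tag group is optional. Assumes plain mailbox
# addresses (no display names, no quoted local parts).
ALIAS_RE = re.compile(r"^(?P<local>[^+@]+)(?:\+(?P<tag>[^@]+))?@(?P<domain>[^@]+)$")


def make_alias(base_address: str, nbytes: int = 6) -> str:
    """Insert a random '+tag' before the '@' of base_address.

    The tag comes from the OS CSPRNG, so it says nothing about which service
    it was handed to ('+randomtext' rather than '+bank').
    """
    local, domain = base_address.lower().split("@", 1)
    return f"{local}+{secrets.token_hex(nbytes)}@{domain}"


def split_alias(address: str) -> tuple[str, str | None]:
    """Return (base_address, tag) for 'local+tag@domain'; tag is None if absent."""
    m = ALIAS_RE.match(address.strip().lower())
    if not m:
        raise ValueError(f"not a plain mailbox address: {address!r}")
    return f"{m['local']}@{m['domain']}", m["tag"]


class AliasBook:
    """Tracks which alias was given to which service and which ones are retired."""

    def __init__(self, base_address: str):
        self.base = base_address.lower()
        self.tag_to_service: dict[str, str] = {}
        self.retired: set[str] = set()

    def new_alias(self, service: str) -> str:
        alias = make_alias(self.base)
        _, tag = split_alias(alias)
        self.tag_to_service[tag] = service
        return alias

    def retire(self, alias: str) -> None:
        """Block an alias after it shows up in a breach or starts receiving phishing."""
        base, tag = split_alias(alias)
        if base != self.base or tag not in self.tag_to_service:
            raise KeyError(f"unknown alias: {alias}")
        self.retired.add(tag)

    def classify(self, recipient: str) -> str:
        """Routing decision for an inbound message, naming the service the alias was issued to."""
        try:
            base, tag = split_alias(recipient)
        except ValueError:
            return "reject: malformed recipient"
        if base != self.base:
            return "reject: not our mailbox"
        if tag is None:
            return "deliver: bare address, never shared with a service"
        if tag in self.retired:
            return f"drop: retired alias (was given to {self.tag_to_service[tag]})"
        if tag not in self.tag_to_service:
            return "quarantine: tag we never issued (guessed or forged)"
        return f"deliver: alias issued to {self.tag_to_service[tag]}"


if __name__ == "__main__":
    # Placeholder mailbox and constructed service names, not real accounts.
    book = AliasBook("yourname@gmail.com")
    exchange_alias = book.new_alias("exchange-A")
    print("give this to exchange-A:", exchange_alias)
    print(book.classify(exchange_alias))
    book.retire(exchange_alias)          # the alias turned up in a breach dump
    print(book.classify(exchange_alias))
```

The record of tag to service is the part people usually skip: without it, a phishing mail arriving at a random alias tells you something leaked but not where.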

A few good software recommendations for anyone looking into this post:

* []( or []( – In my opinion the best password manager out there. Could be a bit much for someone new to this. A close second for me is [](
* 2FA is a hot topic and you won’t go wrong with []( or Google Authenticator
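The authenticator apps recommended above all implement the same standard (TOTP, RFC 6238, built on HOTP, RFC 4226). This added example is not the post author’s code, nor Authy’s or Google’s; it shows what those apps compute, using only Python’s standard library and the RFC’s published test seed as a constructed secret. The point it makes for backups: the base32 secret you were enrolled with, not the six-digit codes, is what has to be stored offline, because every code is derived from that secret and the clock.

```python
from __future__ import annotations

import base64
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation,
    then the low `digits` decimal digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at // step, digits, algo)


def verify(secret: bytes, code: str, at: int | None = None, window: int = 1,
           step: int = 30, digits: int = 6) -> bool:
    """Accept the code for the current step or its `window` neighbours on either
    side (clock skew between phone and server), comparing in constant time."""
    if at is None:
        at = int(time.time())
    current = at // step
    ok = False
    for counter in range(current - window, current + window + 1):
        # No early return, so timing does not reveal which step matched.
        ok |= hmac.compare_digest(hotp(secret, counter, digits), code)
    return ok


def secret_from_base32(encoded: str) -> bytes:
    """Decode the base32 string an authenticator app is enrolled with (the
    secret in the otpauth:// URI or QR code). This string is the 2FA backup."""
    s = encoded.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


if __name__ == "__main__":
    # Constructed demo secret: the RFC 6238 test seed, not a real account.
    demo = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    now = int(time.time())
    code = totp(demo, now)
    print("current code:", code, "valid:", verify(demo, code, at=now))
```

Because the server only ever needs the same secret and the same clock, “Google Authenticator” on a website’s enrolment page means any RFC 6238 app (Authy, Aegis, the Microsoft app) will produce identical codes, which is why switching apps works as long as the secret was kept.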

Remember, **you** are the biggest vector of attack for any online account that you own. It’s up to you to secure it.

Stay safe folks.

Reddit post by avidnumberer




  1. Go back through your sent email and delete any message to which you’ve ever attached a picture of your passport, driver’s licence, birth certificate, or anything else that could be used to impersonate you.

  2. Also, the time for using your phone SIM as your 2FA is past… Use an authenticator app instead, like the ones from Google and Microsoft. It’s just too easy for bad actors to SIM swap you today.

  3. Excellent advice on all counts, I would only amend 2FA to include Aegis as a good fully featured free & open source Authy/Google alternative on mobile. Bitwarden also has an option to handle 2FA for you, but whether you use it for that really depends on your threat model (you might prefer to keep 2FA completely separate from password manager, and that would be totally fair).

    At the bare minimum, at least *use* a password manager to make it easy to implement unique logins with strong passwords everywhere. 2FA support across the web is still not super consistent, but it’s getting there. Highly recommend using a hardware security key like the Nitrokey wherever possible too.

    So many people still just use the same weak credentials everywhere and it’s just a disaster waiting to happen.

  4. Just a quick shoutout to a secure holding service that is somewhere between an exchange and a hardware wallet.

    Celsius is a service where you can store your crypto. They have a nice HODL mode, which takes 24 hours and a special code to disable (you can store this offline or activate your account with video confirmation). They also require whitelisted withdrawal addresses and whitelisting takes 24 hours. Accompanied by 2FA and mandatory email confirmation on withdrawals, I feel it’s pretty safe. The team is also big on offline security and they have a limitless security budget, since the CEO has 300 million on his own platform. 😅 And they are working on implementing optional insurance, too.

    So I think it’s a newbie friendly service if you want to buy and hold some crypto or if you don’t own enough to warrant an offline wallet.

    Good post, cheers! ✌️

  5. I would almost beg everyone to use Authy. I’ve been burned by Google Authenticator, I didn’t realize that it doesn’t do cloud backups on its own. Obviously, if I had backed up the 2FA codes I wouldn’t have gotten burned… but I still appreciate the multi-device support and cloud backup. The game changer was when I realized that Authy still works 100% of the time even if a website says “We do Google Authenticator as our 2FA.”

  6. I’ve been using Keepass since about 2007, can’t recommend it enough!

    But you need to tweak some settings for better security out of the box.

    Go to File > Database Settings > Security tab

    Change your encryption algo to **ChaCha20**

    Change your key derivation function to **Argon2**

    Choose a number of **iterations** that yields a roughly 1 second wait time to open/save the database. More iterations = harder to crack.

    And of course, choose a strong master passphrase.
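An added illustration of the “roughly one second” rule from the comment above (my code, not KeePass’s and not the commenter’s): it calibrates an iteration count on the current machine and puts a number on what that buys against offline guessing. It uses PBKDF2-HMAC-SHA256 from Python’s standard library as a stand-in for Argon2, since the calibration logic is the same for any KDF whose cost scales with the iteration count; the attacker speed-up factor is an assumption the caller supplies, not a measured value.

```python
import hashlib
import os
import time


def derive_key(passphrase: str, salt: bytes, iterations: int, length: int = 32) -> bytes:
    """Stretch a passphrase into a key with PBKDF2-HMAC-SHA256 (stdlib).

    KeePass offers Argon2 for this step; PBKDF2 is used here only because it
    ships with Python, and the calibration idea is the same for either KDF.
    """
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, iterations, dklen=length)


def time_one_derivation(iterations: int, salt: bytes) -> float:
    """Wall-clock seconds for a single derivation at this iteration count."""
    t0 = time.perf_counter()
    derive_key("calibration-only-passphrase", salt, iterations)
    return time.perf_counter() - t0


def calibrate_iterations(target_seconds: float = 1.0, start: int = 10_000,
                         ceiling: int = 2**26) -> int:
    """Find an iteration count whose single derivation takes about target_seconds
    on this machine: double until the measurement is at least half the target,
    then scale linearly, because PBKDF2 cost grows linearly with iterations."""
    salt = os.urandom(16)
    iterations = start
    elapsed = time_one_derivation(iterations, salt)
    while elapsed < target_seconds / 2 and iterations < ceiling:
        iterations *= 2
        elapsed = time_one_derivation(iterations, salt)
    scaled = int(iterations * target_seconds / max(elapsed, 1e-9))
    return max(start, min(scaled, ceiling))


def guessing_time_seconds(candidate_count: int, seconds_per_guess: float,
                          attacker_speedup: float = 1.0) -> float:
    """Rough offline-attack cost: the attacker must run the same KDF once per
    candidate passphrase. attacker_speedup models hardware faster than the
    defender's machine (an assumed figure chosen by the caller)."""
    return candidate_count * seconds_per_guess / attacker_speedup


if __name__ == "__main__":
    n = calibrate_iterations(1.0)
    print(f"~1 s on this machine: {n} iterations")
    # A 1-second KDF makes 10 million candidates cost about 115 days for an
    # attacker no faster than this machine; the KDF is only a multiplier, so
    # the passphrase itself still has to be strong.
    print(guessing_time_seconds(10_000_000, 1.0) / 86400, "days")
```

The calibration is only as good as the machine it ran on: a database tuned for one second on a laptop opens in a fraction of that on a workstation, and an attacker with GPUs gets a further speed-up, which is the reason the comment pairs the iteration count with a strong master passphrase.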

  7. The only way to secure your crypto is to be the only person that knows the private keys. This means you are in control and only you are in control.

    I know the hype is now to tell people to just keep their coins on an exchange but here is how it will go wrong

    – governments might make crypto illegal and seize the company that controlled your keys

    – an insider in the company might steal all the crypto, including yours, and disappear.

    – they might get hacked

    – they might go bankrupt and your crypto will be auctioned off and maybe you will get some back, maybe you won’t.

    – the company might start a fractional reserve where they sell you crypto that does not really exist, you won’t know till you try to withdraw and can’t.

    – You might lose an email address or phone or your 2FA and the company decides they are not going to provide you with a reset. If you control your priv keys, all you need is a priv key on a piece of paper that you put in a safe and you always have access.

    I find it really worrying that posts about leaving your crypto on exchanges now get upvoted and I feel like something really nefarious is going on. See, “not your keys, not your coins” is one of the most popular catchphrases and now suddenly the opposite of it is becoming popular? That does not make sense unless manipulation on a grand scale is going on. Anyway, don’t let them get you. Set up a cold and a hot wallet and learn how to manage your own crypto. If network fees are too high for you then sell those coins and get coins that run on low fee networks, plenty of profit to be made with those. Alternatively you can get wrapped versions of the coins you want or use L2 systems so you can still indirectly deal with high fee networks, but at a greater risk and in some cases a loss of decentralisation. Normal banks can’t get hacked in such a way that depositors lose their money because as long as the bank has a copy of the records, everybody has their money. Banks can just reverse the transactions of the hackers in most cases. This is radically different with a crypto exchange. There is always going to be a human or a team of humans in control that have access to most of the priv keys. They go rogue and all your crypto is gone. Crypto was invented to give you full control; if you give up security and control for comfort you deserve neither. There is no excuse for not learning how to use a cold and hot wallet; in the process you might even figure out that some crypto projects don’t even have wallet software or even a real network …. which is good information to have as an investor. In that case you can dump because you know that it’s bullshit. And whatever is bullshit always eventually crashes to zero, just a matter of time.


