Personal OPSEC

Account Security and Email

The most important account you own is your email address and it should be one of your top security concern. More important than your bank account, especially so if you use the same email address for your bank account. If someone gets access to your email, they more or less get access to everything by password resetting their way into all of your accounts.

Authentication

Proving who you say you are. Best way to secure is through multi-factor authentication. The password is just 1 factor. Think of security and additional factors in these terms:

  1. Something you are: fingerprint scan, iris scan, face scan (less secure)
  2. Something you know: a password
  3. Something you have:
    1. Google Authenticator
    2. Security key, like Yubikey 5 (easy to set up and works well for most people)
    3. Key fob (or cell phone)
    4. SMS

Avoid SMS as an authentication factor

There is a common SMS scam called SIM swapping, where malicious actors will takeover a phone number to intercept SMS based multi-factor authentication. In general don’t use SMS as an authentication factor for anything that matters like bank account — view SMS not as an added layer of security, but instead as a vulnerability.

If you insist on SMS for whatever reason, then consider contacting your phone service provider or cell carrier to inquire about any additional security they can offer to prevent such scams. Alternatively consider using a VoIP or Google Voice phone number as an authentication factor. They are not susceptible to SIM swapping or hijacking scams.

One-time-use codes

For every account you use on an authenticator app (Google Authenticator, Authy, Okta, etc) you should physically print out the one-time-use codes. This is per account, so you will need to back up every single account you have on your authenticator app. Once you print them out, you need to keep them safe. Do not put them online anywhere.

Password managers

Definitely use password managers. Do not use the same password for every service because the moment one password is compromised then all of your logins are compromised. Most, if not all, password managers utilize a master password to secure and manage your login information. Comparing the trade-off between using a master password vs. reusing passwords, it is clear that a password manager is much more secure. Password managers such as LastPass have additional security features like security keys (Yubikey), where you'll need to use both a password and a security key to access your logins.

Here is a short list of password managers. There's a large market of them and to compare and contrast them would warrant its own document.

  1. LastPass
  2. BitWarden — an open source password manager
  3. pass — a unix command line based password manager, for the more technically experienced

Wallet Security

Use a hardware wallet, it’s the safest and recommended approach as detailed in our Beginner's Guide. Hardware wallets stores the seed phrase on the device. The wallet knows how to use the seed phrase to sign messages. The computer sends data to sign and then the hardware wallet signs it and sends it back to the computer.

The seed phrase is also known as the recovery phrase or backup code. Like with any other backup code this should be stored somewhere very secure. Print it on a piece of paper and store it in a safe place. Ideally you want to store it off site. It makes your home less of a target. An additional enhancement to consider is to make an encrypted message, and to then have the seed phrases on that. Another cool way to store seed phrases is to use something like a crypto steel.

Wrench attacks

No matter how advance the encryption, hardware, or software, if someone comes at you with a wrench, you will probably just log in for them. To minimize the possibility of a wrench attack, do not put any PII (personally identifiable information) or any other identifying tags on your hardware wallet.

In the event of a wrench attack, a dummy PIN and account would be a useful decoy to mislead the attacker. In these dummy or "false" accounts, you can put small amounts of crypto assets. Ledger supports this functionality as an advance passphrase option.

Wallet related exploits

People have been hacked using Ledgers. This has come from the intermediary (something like Metamask) where the computer itself was hacked, not the Ledger device. So the display they saw looked good on screen but the intermediary was authorizing a message to send their assets to a malicious address. The take away here is to make sure you use at least basic computer security no matter what you do: use a private computer, be careful about phishing attacks, etc.