Security by default: 2FA, Seed, Phishing, Approvals, Hardware
In 30 minutes you'll set key protections and assemble your personal Security Playbook. Never share secrets here — nothing is collected.
- Enable TOTP 2FA and a withdrawal allowlist on your exchange.
- Organize an offline seed backup and understand when to add a passphrase.
- Spot phishing instantly and avoid address poisoning traps.
- Review and revoke risky DeFi token approvals.
- Set up a hardware wallet for larger holdings and verify addresses on-device.
5.1 Exchange security
Most account breaches start with weak passwords or SMS codes. Switch to TOTP, lock withdrawals, and reduce human error.
TOTP 2FA (not SMS)
Use an authenticator (Aegis, Authy, 1Password/Bitwarden). Save backup codes offline. SMS is vulnerable to SIM-swap — use TOTP only.
Withdrawal allowlist
Add your own wallets and enforce a 24–48h delay for new addresses. Unlisted withdrawals get blocked.
Anti-phishing code
Set a personal code shown in official emails. If the code is missing, treat it as a red flag.
Unique passwords + manager
One service — one password, 16+ chars. Store in a password manager, not browser notes.
5.2 Self-custody: seed and passphrase
Your seed is the wallet. Keep it offline and resilient.
Right
- Offline paper/metal backup
- Two copies in separate locations
- Non-obvious labeling
Wrong
- Cloud storage / email
- Screenshots / photos
- Single copy in one location
Offline seed backup
Handwrite clearly. Make two copies, store in separate safe locations. No photos, scans, or cloud.
Passphrase (if supported)
An extra word on top of the seed creates a new wallet. Losing the passphrase means losing access to that wallet. Use for a hidden layer if you can maintain it.
Hidden backup strategies
Split storage across locations, consider fireproof metal plates, use non-obvious labeling so a stranger can't reconstruct it.
No screenshots
Any image is an online copy; a phone or cloud-account compromise then leaks your seed.
5.3 Phishing
A "nearly correct" link is the most common loss vector.
URL and bookmarks
Access exchanges/wallets only via saved bookmarks. On mobile, pin a home-screen shortcut. Check HTTPS and the second-level domain.
Address poisoning
Never copy addresses from transaction history. Use your saved address book. Verify first/last 4 characters and confirm on-device.
Never paste seed or grant remote access
No support representative will ask for it. Never install remote-control software for "help."
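The address-poisoning rule above, as an added example (not the course's own code): a destination address is compared in full against a saved address book, and an address whose first and last four characters match a saved entry but whose middle differs is flagged as a look-alike rather than trusted. The address book and the poisoned address are constructed sample values, not real addresses.

```python
from dataclasses import dataclass
from typing import Optional

HEX = set("0123456789abcdef")


@dataclass
class Verdict:
    status: str            # "trusted", "lookalike", "unknown" or "invalid"
    label: Optional[str]   # address-book entry matched or resembled, if any


# Constructed sample address book (EVM-style "0x" + 40 hex chars); not real addresses.
ADDRESS_BOOK = {
    "cold-storage": "0xab12c0ffee" + "0" * 26 + "f00d",
    "exchange-deposit": "0x1234" + "a" * 32 + "5678",
}


def _norm(addr: str) -> str:
    # Case-insensitive compare so EIP-55 checksum casing cannot hide a match
    return addr.strip().lower()


def check_destination(candidate: str, book=ADDRESS_BOOK, edge: int = 4) -> Verdict:
    """Classify a destination address against the saved address book.

    'lookalike' means the first/last `edge` hex chars equal a saved entry but
    the middle differs: exactly what a poisoned history entry looks like, and
    exactly what a glance at the ends alone would miss.
    """
    c = _norm(candidate)
    if len(c) != 42 or not c.startswith("0x") or set(c[2:]) - HEX:
        return Verdict("invalid", None)
    saved = {label: _norm(a) for label, a in book.items()}
    for label, s in saved.items():
        if c == s:
            return Verdict("trusted", label)
    for label, s in saved.items():
        if c[2:2 + edge] == s[2:2 + edge] and c[-edge:] == s[-edge:]:
            return Verdict("lookalike", label)
    return Verdict("unknown", None)
```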
5.3+ Phishing Drill — Spot the Fake
Interactive drill, 5 questions, each asking which of the shown domains is legitimate.
5.4 Approvals/allowances (DeFi)
A token approval lets a contract spend your tokens — often with unlimited allowance.
Risk
If a contract is compromised or malicious, funds can be drained without further prompts.
Revoke practice
Periodically review approvals with a service like revoke.tools and revoke unused/unlimited ones.
Best practices
Approve minimal amounts, use a separate wallet for farming, isolate activities by role.
5.4+ Approvals Demo (Mock)
This is a mock demo — no real blockchain calls. Practice revoking unlimited approvals.
| Token | Spender | Allowance | Date |
|---|---|---|---|
| USDC | FarmContractV1 | Unlimited | 2024-09-10 |
| ETH | SwapRouter | 500 | 2024-10-02 |
| WBTC | LendingPool | Unlimited | 2024-08-15 |
| DAI | UnknownContract | Unlimited | 2024-11-01 |
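The revoke practice from 5.4, applied to the mock table above as an added example (not the course's own code): each approval is checked against a user-maintained list of spenders still in use, then against the unlimited-allowance rule, then against an age limit. The sample rows mirror the mock table; the active-spender list and the review date are assumptions.

```python
from dataclasses import dataclass
from datetime import date

UINT256_MAX = 2**256 - 1  # what an "unlimited" ERC-20 approval is on-chain


@dataclass
class Approval:
    token: str
    spender: str
    allowance: int   # UINT256_MAX means unlimited
    granted: date


# Constructed sample mirroring the mock table above (not real on-chain data).
SAMPLE = [
    Approval("USDC", "FarmContractV1", UINT256_MAX, date(2024, 9, 10)),
    Approval("ETH", "SwapRouter", 500, date(2024, 10, 2)),
    Approval("WBTC", "LendingPool", UINT256_MAX, date(2024, 8, 15)),
    Approval("DAI", "UnknownContract", UINT256_MAX, date(2024, 11, 1)),
]

# Assumed: spenders the user still actively uses, maintained by the user.
ACTIVE_SPENDERS = {"SwapRouter", "FarmContractV1"}


def triage(approvals, active_spenders, today, max_age_days=90):
    """Return {(token, spender): reason} for every approval that should be revoked.

    Order matters: an unknown or abandoned spender is revoked outright, an
    unlimited allowance to a spender still in use is re-approved with an exact
    amount, and a finite allowance is revoked once it has sat unused too long.
    """
    out = {}
    for a in approvals:
        key = (a.token, a.spender)
        age = (today - a.granted).days
        if a.spender not in active_spenders:
            out[key] = "spender not in active list"
        elif a.allowance == UINT256_MAX:
            out[key] = "unlimited allowance: re-approve with an exact amount"
        elif age > max_age_days:
            out[key] = f"unused for {age} days"
    return out
```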
5.5 Hardware wallets and basic multisig
For meaningful sums, hardware is the norm. Multisig is the next level.
Verify on-device
Always confirm the address on your hardware wallet screen before signing.
Trust screen only
Malware can spoof addresses on your computer — never rely solely on what you see on screen.
When to move to hardware
If losing it would hurt financially or emotionally, it's time. Hardware reduces malware/keystroke risks.
Verify address on-device
Confirm receiving/sending addresses on the hardware screen, not just the computer/phone.
Basic multisig
2-of-3 for teams/families reduces single-point failure, but requires disciplined key storage and recovery planning.
Compliance Notice: Educational only, not financial advice. Never share seed/passwords/codes. We never request or store your secrets. Use third-party services at your own risk. Practice with small amounts or test networks.
5.6 Do it now — action cards
1. Set up TOTP in your exchange profile
2. Write down backup codes offline
3. Turn off SMS 2FA

1. Add 1–2 of your addresses
2. Enable delay for new addresses

1. Write the seed clearly on paper
2. Make a second copy
3. Store copies in separate safe locations
4. Verify readability

1. Open an approvals checker (e.g., revoke.tools)
2. Scan your tokens
3. Revoke unnecessary or unlimited approvals
4. First-timers: use testnets for practice

1. Match first/last 4 chars on the device screen before sending
5.7 Security Playbook
This is your personal security protocol. Do not enter any secrets here. Generated locally, not sent anywhere.
Playbook Preview
=== SECURITY PLAYBOOK ===
Generated locally. No secrets stored.
--- EXCHANGE ---
Password manager: ___
TOTP enabled: ___
TOTP setup date: ___
Allowlist enabled: ___
Allowlist setup date: ___
Anti-phishing code set: ___
--- SELF-CUSTODY ---
Seed backup method: ___
Backup locations (general): ___
Passphrase used: ___
Passphrase maintenance plan: ___
--- PHISHING HYGIENE ---
Bookmarks list: ___
URL check rule: ___
--- DEFI ---
Revoke cadence: ___
Wallet roles: ___
--- HARDWARE / MULTISIG ---
Threshold to use hardware: ___
Address verification rule: ___
Multisig setup (if any): ___
--- INCIDENT PLAN ---
Steps on suspected compromise: ___
Steps on device loss: ___
5.8 Security Quiz
Mini-Quiz
Test your understanding with 8 questions. Pass with 6/8 correct.
Non-affiliated; verify domains yourself.
- Official help centers of your exchange/wallet (security sections)
- Authenticator apps docs (Aegis, Authy, 1Password/Bitwarden)
- Approvals checkers (e.g., revoke.tools) — use at your own risk
- Block explorers (official domains)