We know the transition to web3.0 from the current internet is hard, because the way wallets work is fundamentally different from the way accounts work in web2.0. When you sign up for a normal application like Instagram or PayPal you type a username and password, which they remember until the next time you log in. Over many years web2.0 was able to mature by adopting better security standards and thus improving user experience. But web3.0 is still in its early stages.
Unlike a standard password, which exists only in your brain, the secret key is stored inside the wallet application at all times, so it can be compromised even while you are sleeping. This is why the security of your device is also very important.
Deconstruction of wallet
Now some of you might be wondering what a secret key is. Well, it's not something you use directly, but it's an integral part of your wallet. Listed below are the things your wallet is made of. Surprisingly, they are independent of Metamask: you can take them, load them into some other wallet application and still access the same account.
Seed Phrase: apple banana chair table fan pen fear jump quick brown lazy girl => the seed written in human-readable format is called the seed phrase or secret recovery phrase.
Public Key: 048e66b3e549818ea2cb354fb70749f6c8de8fa484f7530fc447d5fe80a1c424e4f5ae648d648c980ae7095d1efad87161d83886ca4b6c498ac22a93da5099014a => The public/private key pair is derived from the seed.
Private Key/Secret Key: 09e910621c2e988e9f7f6ffcd7024f54ec1461fa6e86a4b545e9e1fe21c28866 => The public/private key pair is derived from the seed. This is what digitally signs every transaction.
Wallet Address: 0xDC25EF3F5B8A186998338A2ADA83795FBA2D695E => The wallet address is a shortened form of the public key, just like URL shortening.
Password: <your password as you define it> => Used to lock your wallet.
Except for the password, all of these are permanent and can be derived from the secret recovery phrase (aka seed phrase).
Common mistakes to avoid
- Sharing your secret phrase with any website or person on the internet is a no-no. It's called a "secret phrase" for a reason, duh!
- Screenshotting your secret phrase
- Backing up your secret phrase in a text file
- Using a weak password to lock Metamask
- Sending money to strangers who promise to send it back. This doesn't necessarily compromise your wallet, but your money is surely gone for good.
Facts that you should know
- All transactions are irreversible unless shown as pending.
- The secret phrase cannot be edited. If you think your account is compromised, it's better to create a new wallet with a new secret phrase.
- Customer support is not a promise! At least to an extent.
- Do not initiate more transactions if your previous transaction is still pending. This usually happens when you get impatient after minting/listing on a website and it shows loading for a long time. If your Metamask shows the transaction as pending, just wait till it is resolved.
Security for beginners
- Install your wallet from the official website, e.g. Metamask
- Your password should have at least 12 characters
- Use non-dictionary words in your password
- Do not include personal information like birthdays or names in your password
- Use a safe device that you don't use for downloading/installing pirated software.
Security for intermediate
- Install Metamask on a mobile device instead of the browser extension. I know this hinders the convenience of using the extension, but you can overcome this by using WalletConnect.
- WalletConnect is an alternative option for connecting your wallet to marketplaces like Foundation and OpenSea. You don't have to install any separate application for this. It shows a QR code that can be scanned from Metamask on your phone.
- Use a password manager if you must.
- Delete your wallet from any other devices if you have installed it in multiple places.
Security for professionals
This is where we talk about hardware wallets, also known as cold wallets.
Applications like Metamask are just an interface that helps you store your seed and sign transactions. Your actual wallet is the seed phrase only.
So if you are able to isolate your secret key from the internet, you achieve maximum security. Instead of storing this key in a software application like Metamask, we keep the secret key in a "pendrive"-like device, which is why we call it a hardware wallet. Two trusted companies in this category are Trezor and Ledger. I recommend you buy it directly from the official website instead of buying from resellers.
Originally hardware wallets were intended for crypto traders, so they don't support NFT-based applications as of writing this blog. What you can do is connect the hardware wallet to the Metamask extension and then use Metamask as the interface to your hardware. The transaction signing request is forwarded from Metamask and you will have to sign it on the hardware device using a PIN. This does reduce the user experience a bit, but it's a tradeoff between UX and security.
For more details and updates https://ethereum.org/en/security/
Written by: Adeeb Abdul Salam (https://linktr.ee/zeroknowledgep)