Web 3 Security 101: Essential Tools and Habits for Staying Safe Online


Introduction: Why Web3 Security Matters
In Web3, you’re the bank. That means when something goes wrong, no one’s coming to save you. Unlike traditional finance, there is no central authority that can reverse transactions (except in extreme scenarios, such as the DAO hack) or restore a compromised wallet. On top of that, tracing the culprit is difficult for the authorities, and in most cases not a single penny is recovered. That’s why developing security habits in crypto is an essential part of the journey; more important than making money is being able to keep it safe.
Choosing a Wallet: Software vs. Hardware
Understanding Software Wallets
Software wallets, also known as hot wallets, are wallets whose keys are generated and stored on an internet-connected device. Some examples include Rabby (EVM), Solflare (SOL), and Unisat (BTC). They are convenient and fast for day-to-day use, but because of how their keys are generated and stored, they are also vulnerable to malware, leaks from the wallet provider (as in the Slope and Atomic cases), and social engineering attacks.
The Power of Hardware Wallets
Hardware wallets, on the other hand, also known as cold wallets, are wallets whose keys are generated and kept offline at all times. Some examples include Ledger, Trezor, and OneKey. They don’t protect against everything, but they’re your first serious step into real security. By using a hardware wallet, you are protected from malware attacks and provider leaks; however, you are still vulnerable to sophisticated social engineering attacks (especially now with the Pectra Upgrade), carelessness with approvals, and a lack of wallet separation.
Boosting Security with Add-ons and Tools
Recommended Browser Security Extensions
Security extensions are a vital part of web3; they add a layer of protection that helps identify malicious websites and compromised social media accounts, and that translates and simulates transactions before you sign them. Some examples include Pocket Universe, Kerberus, and Scam Sniffer. Even though they are reliable, it’s essential that you know how to identify potential attacks by yourself, for the cases where an extension fails, you are transacting on an unsupported chain, or the extension provider goes rogue or is compromised.
Using Password Managers for Crypto Safety
Another vital security layer is password managers; they are crucial in web2 and equally important in web3, especially as apps try to simplify the user experience with MPC wallets and social logins for wallet creation. Some examples include Bitwarden, 1Password, and Proton Pass. Strong and unique passwords also protect your friends and audience by making it harder for your social and email accounts to be compromised.
Best Practices for Everyday Web3 Safety
Wallet Separation: Minimize Risk, Maximize Control
Rather than keeping a single “all-in” wallet, divide your assets across multiple wallets, each with clear objectives and rules. This minimizes the risk of losing everything while giving you complete control over where each wallet goes and what it holds. An easy setup that we like to introduce is the TAP - Three Address Protocol:
Mint Wallet: your day-to-day wallet. It should hold minimal funds and is the one you use to connect to sketchy websites and apps.
Marketplace Wallet: a wallet used only on trusted marketplaces (e.g. Uniswap and OpenSea); never connect it anywhere else.
Vault Wallet: the wallet where you hold your valuable assets. It should have no open approvals, interact with nothing besides staking protocols, sign plain-text messages only, and you can also use Wallet Delegation for it.
Airdrop Wallet (optional): your delegated wallet. Use it to claim airdrops and prove ownership of the assets in your vault; it can also be your smart account after the Pectra Upgrade.
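To make the “translate transactions” job of a security extension and the vault wallet’s “no open approvals” rule concrete, here is a small Python calldata decoder. It is an added example written for this article, not code from any of the extensions named above or from the TAP setup: it reads the ABI-encoded arguments of the three most common token calls (ERC-20 approve and transfer, ERC-721/1155 setApprovalForAll), names what the call grants, and rejects any approval when the signing wallet is the vault. The function selectors are the public ERC-20/ERC-721 ones; the spender address and the two calldata strings are constructed samples, and the wallet-role names follow the TAP list above.

```python
# Function selectors: first 4 bytes of keccak256 of the canonical signature (public ERC-20/ERC-721 ABI).
SELECTORS = {
    "095ea7b3": ("approve", ("spender", "address"), ("amount", "uint256")),
    "a22cb465": ("setApprovalForAll", ("operator", "address"), ("approved", "bool")),
    "a9059cbb": ("transfer", ("to", "address"), ("amount", "uint256")),
}
UINT256_MAX = 2**256 - 1

# Constructed sample calldata (placeholder spender, not a real contract).
SPENDER = "11" * 20
UNLIMITED_APPROVE = "0x095ea7b3" + "00" * 12 + SPENDER + "ff" * 32
SET_APPROVAL_ALL = "0xa22cb465" + "00" * 12 + SPENDER + "00" * 31 + "01"


def decode_calldata(data_hex):
    """Decode calldata for the functions in SELECTORS into {function, selector, args}."""
    data = bytes.fromhex(data_hex[2:] if data_hex.startswith("0x") else data_hex)
    if len(data) < 4:
        raise ValueError("calldata shorter than a function selector")
    selector, payload = data[:4].hex(), data[4:]
    if selector not in SELECTORS:
        return {"function": None, "selector": selector, "args": {}}
    name, *params = SELECTORS[selector]
    if len(payload) != 32 * len(params):  # static types only: one 32-byte word each
        raise ValueError("payload length does not match the ABI")
    args = {}
    for i, (pname, ptype) in enumerate(params):
        word = payload[32 * i:32 * (i + 1)]
        if ptype == "address":
            if any(word[:12]):  # the 12 high bytes of an address word must be zero
                raise ValueError(f"{pname}: non-zero padding in address word")
            args[pname] = "0x" + word[12:].hex()
        elif ptype == "uint256":
            args[pname] = int.from_bytes(word, "big")
        else:  # bool
            value = int.from_bytes(word, "big")
            if value > 1:
                raise ValueError(f"{pname}: bool word is not 0 or 1")
            args[pname] = bool(value)
    return {"function": name, "selector": selector, "args": args}


def assess(decoded, wallet_role):
    """Human-readable findings for a decoded call; wallet_role is 'mint', 'marketplace' or 'vault'."""
    findings = []
    fn, args = decoded["function"], decoded["args"]
    if fn is None:
        findings.append(f"unknown selector {decoded['selector']}: do not sign what you cannot read")
        return findings
    grants = False
    if fn == "approve":
        if args["amount"] == UINT256_MAX:
            findings.append(f"UNLIMITED token approval to {args['spender']}")
        elif args["amount"] > 0:
            findings.append(f"approval of {args['amount']} units to {args['spender']}")
        else:
            findings.append("revocation (approve with amount 0)")
        grants = args["amount"] > 0
    elif fn == "setApprovalForAll":
        if args["approved"]:
            findings.append(f"operator {args['operator']} gains control of the whole collection")
        else:
            findings.append("operator approval revoked")
        grants = args["approved"]
    elif fn == "transfer":
        findings.append(f"transfer of {args['amount']} units to {args['to']}")
    if grants and wallet_role == "vault":
        findings.append("vault policy: no open approvals allowed, reject this transaction")
    return findings


if __name__ == "__main__":
    for sample in (UNLIMITED_APPROVE, SET_APPROVAL_ALL):
        for line in assess(decode_calldata(sample), "vault"):
            print(line)
```

The decoder deliberately refuses dirty padding and non-boolean bool words instead of silently accepting them, which is how a reviewer would want a “translation” layer to behave: anything that does not decode cleanly is something you do not sign. Ethereum addresses are printed lowercase without the EIP-55 checksum, since that needs Keccak-256, which the Python standard library does not provide.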
The Three Don’ts: Don’t Download, Don’t Click, Don’t Trust - Verify
Several techniques, when combined, will significantly increase your odds of staying safe in web3: using the TAP (Three Address Protocol), using password managers and security extensions, and adding one more layer of security by following the Three Don’ts. The Three Don’ts are meant to be an easy-to-remember mental exercise that you apply every time you are navigating Web3. They consist of:
Don’t Download: Malware is a significant concern in web3; it’s a type of attack that can cause substantial damage and, in some cases, the complete loss of a user’s entire portfolio with just two clicks. Even if you have a hardware wallet, malware can still let scammers compromise your social media accounts, email addresses and even bank accounts if you are logged into them on your computer.
Don’t Click: As a rule of thumb, you shouldn’t be clicking on links in Web3. If you want to access a specific website, navigate to it yourself: search for it on Google (being careful with malicious ads) and bookmark the crypto websites you use most. This alone lowers your chances of landing on a malicious website and mistakenly approving a scam transaction.
Don’t Trust - Verify: Last but not least, never trust, always verify. It doesn’t matter if it’s your best crypto friend, your favorite influencer, or the hyped project you are dying to join. Scammers are constantly evolving their techniques, crafting elaborate tactics and compromising social media accounts on a daily basis, so never trust links, files, job offers or anything else that requires trust; always verify with other users and companies, and ask around to see whether it’s legit.
Protecting Your Seed Phrase Like a Pro
What Is a Seed Phrase and Why Is It So Important
Let’s start with the basics: a seed phrase is a set of 12 to 24 words from the BIP-39 word list that provides access to an infinite set of private keys (wallet addresses). Each address can be accessed individually with its own private key, which is derived from the master key (the seed phrase); however, the holder of the master key can access all of them. Another essential thing to note is that the seed phrase cannot be modified or reset; therefore, if it’s compromised, none of the wallets derived from it can be considered secure any longer.
Top Methods for Storing and Securing Your Seed Phrase
First and foremost, do not store your seed phrase online. Once you follow this first rule, find a reliable way to store it, such as a metal backup solution like Cryptosteel, Cryptotag, or Billfodl, and keep that in a fireproof and waterproof safe. Additional tips include maintaining multiple backups in different geographical locations and storing them in places where others are unlikely to discover them. Another option is a third-party recovery service, such as Ledger Recover.
Conclusion: Security is a Habit, Not a Feature
Security is like getting fit: you can buy all the expensive supplements and courses, but they don’t help unless you put in the effort at the gym every day and learn how to do the exercises. There is no one-time action that will keep you safe no matter what; you must follow the latest security trends and always verify what you are doing while adhering to best practices. Otherwise, even a single mistake can result in severe losses.
Security is a prevention game; don’t wait to take action until it’s too late.
Ready to learn more?
The good part is that there are multiple free resources available to help you improve your security game. Some of these include taking the free Boring Security classes, completing the Boring Security Quests, following the SEAL frameworks, reading resources from security tools, and joining the Boring Security Community!
Written by Renan (ReDzin)