Protecting yourself in Web3 requires much more than simply buying a hardware wallet and calling it a day.
Whenever a new technology comes along there is an adjustment period where people are learning how it works and developing new habits. During this period, bad actors take advantage of the knowledge gap that exists in order to scam people. We saw this during the early days of the internet (Web1) and when social media came around (Web2). Now we’re seeing it happen again with the rise of NFTs and crypto (Web3). There are some new dynamics at play, however.
Because the NFT ecosystem is based around self-custody rather than the practice of trusting third parties to manage assets and data, it means that individuals have to shoulder a larger amount of responsibility for keeping themselves safe. No one is above this work either… anyone can fall victim to security breaches. Some of the biggest names in NFTs like Kevin Rose, the creator of Moonbirds, have had NFTs stolen due to lapses in their security practices.
To help you navigate this important topic and better protect yourself, we’ve put together the following guide that will teach you almost everything you’ll need to know when it comes to wallet security and digital hygiene.
Let’s dive in and boost our security together!
While it’s not essential to fully understand how crypto wallets work, it can be incredibly helpful to at least understand the basics. Having this foundational knowledge will make your life easier and set you up for greater success. So, before proceeding any further, let’s go over the essential details…
It’s natural to assume that a crypto wallet is a mobile application or a physical device, but it’s actually much more conceptual. Wallets are cryptographic keys that come in the form of strings of text. Whoever knows certain parts of the text can do different things with whatever is associated with the text (i.e. an NFT is associated with your address as being owned by it). Wallet applications are merely tools that allow you to more easily manage your cryptographic keys via a helpful interface (but more on this later).
There are 3 parts of a cryptographic wallet that you should be familiar with:
The Public Address is similar to an email address. Anyone that knows the public address can send things to the wallet, but they can’t control or send from the address. Unlike email though, anyone who knows a wallet’s public address can see everything inside the wallet as well as its complete transaction history. In most cases it is okay to share your wallet’s public address with someone, as long as you are comfortable with them being able to see what’s inside of it and associate it with your identity.
The Private Key is kind of like a password, except it isn’t chosen by the user and it cannot be changed. Whoever knows a wallet’s private key can access and control it, so it is critically important to never share your wallet’s private key with anyone… even customer support teams. If someone ever asks for your private key, they are trying to scam you. If your private key ever gets “leaked” or compromised, there is nothing you can do to change it which means you’ll need to create a new wallet and attempt to migrate assets (the technology will get better and solve for this issue over time, but this is the current state of things).
Example of a secret phrase: list aim crime wide fence sad final squirrel dance eager jeans pull
The Secret Phrase is an ordered list of 12, 18, or 24 special words that are generated randomly from a pre-determined list of 2048 words. Each secret phrase can be used to generate multiple sets of public addresses and private keys. Whoever knows the secret phrase can access and control all of the wallets that were created using it. Like private keys, secret phrases are permanent and cannot be changed. If your secret phrase becomes compromised, you’ll need to generate a new one and migrate assets to new wallets.
To more easily manage and do things with a crypto wallet, most people import their cryptographic keys into wallet management software or applications. For instance, when you download a “wallet app” onto your phone like MetaMask, you’re actually just downloading a user interface that allows you to do interesting things with your cryptographic keys. The wallet app isn’t the wallet itself, and you can change which interface you’re using at any time by importing your keys into a new application (more on this later, but be careful when doing this!). This is great news for consumers because if you create a crypto wallet with MetaMask and later decide you don’t like MetaMask, then you’re not locked-in.
Additionally, the assets and data owned by a wallet don’t actually “live” inside a physical device anywhere. They aren’t really “in” your wallet. This might sound perplexing at first, but it’s actually not as odd as it may seem.
To understand this fully, it helps to understand how a blockchain works. A blockchain is a decentralized public ledger that lots of humans collectively trust and add data to. If the blockchain says you own a particular item, then you own it. This is similar to how banks don’t actually have all your money, they just have digital records of amounts and transactions. When you own an NFT, there is a record on the blockchain that says that your wallet owns it. Because you possess the keys to the wallet, you’re the only person that can change this record. If you wanted to transfer an NFT you own to someone else, you would have to create a transaction on the blockchain and “sign” the transaction digitally using your cryptographic keys.
The fact that your assets don’t live in a physical device anywhere is powerful because as long as you back up your secret phrase or private key, you can recover your assets on any device from anywhere in the world.
There are many different types of wallet interfaces that allow you to manage your cryptographic keys. These interface types can range in terms of complexity, features, and security. In an ideal setup, you’ll be using multiple wallet interfaces of different types (though not storing the same wallet in multiple interfaces).
Protecting yourself in Web3 requires much more than simply buying a hardware wallet and calling it a day. You’ll need to begin thinking holistically about your digital life because a single point of failure in one area could cause a breach due to how interconnected they all are. For instance, you could have a rock-solid wallet setup but slip up in another area and still have your wallet compromised.
Good digital security and wallet hygiene is all about ongoing behaviors and habits rather than a “set it and forget it” mentality. While none of the following pieces of advice should be considered “bullet-proof”, they will help you be safer.
There is no “forgot password” button when it comes to most crypto wallets. Your cryptographic keys stay on your device and are never known by the company that creates whatever wallet application or device you use. If you don’t properly save your secret phrases and private keys, you might lose access to your wallet forever… and all of the assets it owns.
As we discussed at the beginning of this article, a wallet’s secret phrases and private keys are what control the wallet’s assets. Whoever has these cryptographic keys can take what’s in the wallet. Furthermore, these cryptographic keys cannot be changed; if they ever get compromised or leaked, you’ll have to set up a new wallet and attempt to transfer everything.
When you connect your wallet to a new website or application, you’re typically giving that site permission to send signature requests to your wallet. Simply connecting your wallet to a website is relatively low risk in and of itself — the real danger comes when a malicious site sends your wallet a request and you sign the request. There are many scams and tactics bad actors will use to trick you into signing a transaction without realizing it’s harmful.
The vast majority of “hacks” and “scams” that occur in the NFT ecosystem are the result of people signing things with their wallet that they shouldn’t. One of the reasons for this is the fact that it is difficult to understand signature requests. As a result, you should be extremely careful when connecting an important wallet to websites or signing transactions. This actually leads us to our next best practice…
Having your assets stored in a single wallet is very risky because it means if one thing goes wrong, you could lose it all. If you have a lot of NFTs or assets, then it’s wise to split them up between multiple wallets. While this will require more work and maintenance, it’s well worth it to avoid a catastrophe. The key thing to remember here is that you’ll only gain the security benefits from this practice if each unique wallet has its own secret phrase. As we mentioned earlier, a single secret phrase can be used to generate and recover multiple wallets. Unfortunately, when you create a new wallet in many wallet apps like MetaMask, it will default to creating a new wallet with the same secret phrase. Doing this will not give you any added security benefits. In order to properly split your assets between wallets, each wallet needs its own secret phrase.
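Why several accounts created from one secret phrase share a single point of failure, shown as an added example (not code from this article or from any wallet app): every account key is a deterministic function of the phrase, so whoever holds the phrase can rebuild all of them. It follows the public BIP-39 and BIP-32 rules but, as a simplifying assumption, uses only hardened steps on the path m/44'/60'/i' and stops at private keys; real wallet apps use longer paths and convert keys into addresses.

```python
import hashlib
import hmac

# Order of the secp256k1 curve; valid private keys lie in 1..N-1.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
HARDENED = 0x80000000


def phrase_to_seed(phrase: str, passphrase: str = "") -> bytes:
    """BIP-39: stretch the phrase into a 64-byte seed (the word checksum is not validated)."""
    words = " ".join(phrase.split())  # ASCII words only, so NFKD normalization is a no-op
    salt = ("mnemonic" + passphrase).encode()
    return hashlib.pbkdf2_hmac("sha512", words.encode(), salt, 2048)


def master_key(seed: bytes):
    """BIP-32: the master private key and chain code come straight from the seed."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    key = int.from_bytes(digest[:32], "big")
    if not 0 < key < N:
        raise ValueError("seed produces an invalid master key")
    return key, digest[32:]


def hardened_child(key: int, chain_code: bytes, index: int):
    """BIP-32 hardened derivation: computed from the parent private key alone."""
    data = b"\x00" + key.to_bytes(32, "big") + (index | HARDENED).to_bytes(4, "big")
    digest = hmac.new(chain_code, data, hashlib.sha512).digest()
    tweak = int.from_bytes(digest[:32], "big")
    child = (tweak + key) % N
    if tweak >= N or child == 0:
        raise ValueError("invalid child key; a wallet would skip this index")
    return child, digest[32:]


def account_keys(phrase: str, count: int) -> list:
    """Hex private keys of the first `count` accounts under the assumed path m/44'/60'/i'."""
    key, chain = master_key(phrase_to_seed(phrase))
    for index in (44, 60):
        key, chain = hardened_child(key, chain, index)
    return [format(hardened_child(key, chain, i)[0], "064x") for i in range(count)]


PAGE_PHRASE = "list aim crime wide fence sad final squirrel dance eager jeans pull"  # example phrase printed on this page
OTHER_PHRASE = "abandon " * 11 + "about"  # public BIP-39 test phrase, standing in for a second, separate phrase

if __name__ == "__main__":
    original = account_keys(PAGE_PHRASE, 3)   # "Account 1..3" inside one wallet app
    restored = account_keys(PAGE_PHRASE, 3)   # anyone who later obtains the same phrase
    print("all accounts rebuilt from the phrase:", original == restored)
    print("keys shared with a separate phrase:", len(set(original) & set(account_keys(OTHER_PHRASE, 3))))
```
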
As mentioned earlier, hardware wallets like Ledger can be powerful tools for boosting your overall NFT security because they can create a bit of an “air gap” between your keys and the internet. There's a common misconception though that if you buy a hardware wallet and use it, then you'll be safe from all the scams and “hacks” out there. In reality though, wallet security has much more to do with your ongoing behaviors and practices... and a hardware wallet won't save you from bad habits. The vast majority of the security breaches you see within the NFT ecosystem could not have been prevented just by owning a hardware wallet.
All of that being said, hardware wallets are a very important part of a robust self-custody setup, and we highly recommend using them if you want the most security.
For important wallets that need higher security, it’s critical that you only back up the private keys and secret phrases in a physical format like paper or metal. If they ever are backed up in a digital format, it increases the likelihood that a hacker could remotely gain access to them. By engraving your keys in metal using a product like Blockplate and/or storing them in a fireproof safe, you’ll make it impossible for a computer hacker to gain access to them.
While you might be tempted to think that a paper backup might suffice, it’s critical to plan for the worst-case scenarios, including but not limited to floods and fires. Consider investing in a small fireproof safe or storing it someplace that is protected from the harshest of conditions.
In point number 4 we discussed the importance of having multiple wallets. One of the wallets you should create for yourself is what we call a “daily driver” wallet. This wallet is meant for more casual or even higher risk usage, and it’s a wallet that you can feel easier signing transactions from. You should avoid storing valuables in it that you wouldn’t want to lose.
A “vault” wallet is a hardware wallet that serves as a high-security place to store assets long-term. The only thing that makes it a “vault” is what you do and don’t use it for. It should serve as a place to send assets to, but not as a wallet you ever want to sign transactions from. You can send assets out of it to your other wallets and receive assets using it, but you don’t want to ever do anything else.
For example, let’s say you buy an NFT worth $1,000 and want to keep it safe long-term. You could send the NFT to your hardware wallet that you have designated as a “vault” and not touch it until you’re ready to sell it. When you are ready to sell, you would transfer the NFT from the vault wallet to another one of your wallets and then list it for sale from there.
The moment you use your “vault” wallet for other activities, that’s when you introduce potential points of failure into the equation. By never doing anything but sending and receiving assets to your other wallets, you eliminate a significant source of trouble. This would sort of be like buying a laptop computer and never connecting it to the internet or installing outside software on it in order to eliminate any potential security weak points.
If you do engrave your secret phrases on a metal plate or store them in a fireproof safe, it’s critical that you then give some thought to the physical location that the backup is actually stored at. For instance, it would be unwise to store your backups at a business, place of retail, or location that receives higher foot traffic from unknown guests. If you keep your backups at your house, then you should find a relatively secure environment within the dwelling that won’t be easily accessible by bad actors. You could even consider installing digital security cameras as an added deterrent.
As we discussed in our self-custody explainer, your privacy can be compromised on most of today’s blockchains if you’re not careful. If you’re in need of some relative privacy when it comes to transacting on the blockchain, you should create a new wallet and never interact with any of your other wallets that might be publicly tied to your identity. To fund the wallet, you should send crypto to it directly from a crypto exchange. By doing this, you make it relatively impossible for anyone other than the crypto exchange to know that you control the wallet address.
While it’s possible to import a wallet’s secret phrase or private key into multiple wallet interfaces at the same time, it’s best not to do this. The more places you have your keys stored, the more chances there are for them to become compromised. In the security industry this is referred to as your “attack surface”. By reducing your attack surface, you can reduce your vulnerability.
There are many different emerging technologies that aim to solve a lot of the security weak points of “basic” crypto wallets. Smart contract wallets are one such technology, and it might be worth trying them out via a service like Argent. They are essentially more advanced wallets that don’t have secret phrases, but rather are recovered and managed by “guardians”.
Keep in mind that smart contract wallets are not supported everywhere yet, and there are sometimes additional costs associated with them.
Other new technologies and services attempt to solve common Web3 security vulnerabilities in creative ways. For instance, delegate.cash is creating a registry that will allow people to use NFTs stored in “vault wallets” without ever compromising the vault.
Another helpful tool is called Fire. Fire is a browser plugin that attempts to “simulate” transactions before you sign them so you’ll have a better understanding of what will happen when you sign.
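A much simpler relative of transaction simulation, given here as an added example (not how Fire works and not code from this article): decoding the raw call data of a signature request into a plain-language summary before signing. The request layout (`to`, `data`), the risk labels and all addresses are constructed for illustration; the four selectors are the standard ERC-20/ERC-721 ones, and only on-chain call data is covered, not typed off-chain messages.

```python
# Standard ERC-20 / ERC-721 function selectors (first 4 bytes of the call data).
SELECTORS = {
    "a22cb465": ("setApprovalForAll", ("address", "bool")),
    "095ea7b3": ("approve", ("address", "uint256")),
    "23b872dd": ("transferFrom", ("address", "address", "uint256")),
    "42842e0e": ("safeTransferFrom", ("address", "address", "uint256")),
}


def decode_call(data_hex: str) -> dict:
    """Split call data into a function name and its 32-byte ABI-encoded arguments."""
    data = data_hex.lower()
    data = data[2:] if data.startswith("0x") else data
    name, types = SELECTORS.get(data[:8], ("unknown", ()))
    words = [data[8 + 64 * i: 72 + 64 * i] for i in range(len(types))]
    if any(len(w) != 64 for w in words):
        raise ValueError("call data is shorter than its arguments require")
    args = []
    for kind, word in zip(types, words):
        if kind == "address":
            args.append("0x" + word[24:])      # an address is the last 20 bytes of the word
        elif kind == "bool":
            args.append(int(word, 16) != 0)
        else:
            args.append(int(word, 16))
    return {"function": name, "args": args}


def describe(request: dict, my_wallets: set) -> tuple:
    """Return (risk, summary) for a request; `my_wallets` holds addresses you control."""
    call = decode_call(request["data"])
    fn, args, contract = call["function"], call["args"], request["to"]
    mine = {address.lower() for address in my_wallets}
    if fn == "setApprovalForAll":
        if args[1]:
            return "HIGH", f"lets {args[0]} move every token you hold in contract {contract}"
        return "LOW", f"revokes access of {args[0]} to contract {contract}"
    if fn == "approve":
        if int(args[0], 16) == 0:
            return "LOW", f"clears the approval on token {args[1]} in contract {contract}"
        return "HIGH", f"lets {args[0]} move token or amount {args[1]} in contract {contract}"
    if fn in ("transferFrom", "safeTransferFrom"):
        if args[1] in mine:
            return "LOW", f"moves token {args[2]} to your own wallet {args[1]}"
        return "HIGH", f"moves token {args[2]} to {args[1]}, which is not one of your wallets"
    return "UNKNOWN", "call is not in the known selector list, so its effect is not visible here"


# Constructed sample data: none of these addresses refer to real accounts or contracts.
OPERATOR, VAULT, COLLECTION = "0x" + "ab" * 20, "0x" + "cd" * 20, "0x" + "ef" * 20
SAMPLE_APPROVAL = {"to": COLLECTION,
                   "data": "0xa22cb465" + OPERATOR[2:].rjust(64, "0") + "1".rjust(64, "0")}
SAMPLE_TO_VAULT = {"to": COLLECTION,
                   "data": "0x23b872dd" + ("12" * 20).rjust(64, "0")
                           + VAULT[2:].rjust(64, "0") + format(7, "064x")}

if __name__ == "__main__":
    for sample in (SAMPLE_APPROVAL, SAMPLE_TO_VAULT):
        print(*describe(sample, {VAULT}), sep=": ")
```
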
Because crypto wallets often come into contact directly or indirectly with other parts of our digital lives, it’s important for your security readiness to extend out beyond just your wallet. By doing this, you’ll also be protecting yourself and your brand from reputation damage. There have been many cases of high profile NFT creators having their Twitter or Discord accounts hacked, which results in harmful messages and links being sent to followers.
The more of the best practices that you follow, the greater your digital security will be.
Your computer or phone’s operating system updates on a regular basis with improvements to potential security issues that are discovered over time. If you don’t regularly install these updates, then you dramatically increase the odds of something bad happening to your devices. Consider turning on the settings that automatically install these critical updates.
One of the most common causes of internet accounts being “hacked” is a person using the same password across multiple accounts. For maximum security, you should utilize a password manager like 1Password to store unique and random passwords for all your traditional logins. That being said, you should avoid storing important wallet backups and secret phrases in a password manager because, as we noted earlier, these should never be stored digitally to maintain maximum security. The only wallet backups you should ever consider storing digitally are for your “daily driver” wallets that don’t contain many important assets. If you are going to store a wallet’s backup digitally, then it should be in a password manager rather than in a document or screenshot.
Whenever possible, always turn on Two-Factor Authentication (2FA) for your logins. This secondary check goes a long way in preventing bad actors from gaining access to your accounts. You can increase this protection even more dramatically by using a physical 2FA key in place of the digital options. A Yubikey is one of the most popular physical 2FA keys, and it can be easily placed on a keyring. When logging into your account, you would insert the key into the appropriate port on your device. Without access to this physical device, it would be almost impossible for a hacker to gain access to your account. If you end up going this route, be sure to buy more than just one key — you’ll want at least one backup in case you lose the original.
Many websites default their 2FA security feature to being through SMS text messages. While this method is better than nothing, it is somewhat vulnerable to other hacking methods. Whenever possible, it’s best to either use a physical 2FA key or the 2FA codes generated from a password manager like 1Password.
Bad actors will often attempt to get people to download a file or visit a website that seems normal, but in reality is a trap. This often occurs over direct messages on social networks like Discord or Twitter. By training yourself to think twice and go slow every time someone sends you something, you’ll be able to protect yourself from this common attack vector. This is especially important when interacting with strangers, but is still key when interacting with people you trust… bad actors regularly try to impersonate friends and colleagues knowing that your guard will be down with them. If something seems strange, try to contact the person via a different channel to make sure it’s really them.
In the world of crypto and NFTs, there are often legitimate “free” things that are gifted to people, but the old saying is still true. If you see an “airdrop” or a “giveaway” or “free mint”, make sure to go slowly and triple check everything to make sure it is a legitimate and safe action to take. Fake giveaways and freebies are one of the most common ways that people have NFTs stolen, so it’s critical to have your guard up in these scenarios, even when you think it might be “safe”.
Many of the “hacks” that you may have seen on social media were not actual hacks but rather an incident of social engineering. This is when someone uses psychology and behavioral science to trick people into doing things that aren’t in their best interests. It’s one of the leading causes of security breaches across the world, and most companies devote large amounts of resources to teach their employees about it. Luckily there are many resources and examples that can be found via a quick Google search for “social engineering”.
Now that you have a comprehensive list of habits and best practices to protect yourself as you navigate Web3, it’s time to start implementing some of them. Go at your own pace and knock out as many as you can. Doing something is better than doing nothing! If you’re feeling overwhelmed, try reaching out to a friend and see if they’ll do it with you. Like most things, security is better when you don’t go alone. Keep your eyes on the prize — you’ll soon be able to enjoy a greater sense of ease as you explore Web3!
For more helpful resources about NFTs and Web3, follow us on Twitter: @NFTdotStorage