As the decentralized web continues to evolve, it opens up revolutionary new opportunities including permissionless finance to digital ownership. But with this new frontier comes new risks. Web3 security is just as critical as Web2 security. If your digital identity or assets are compromised, the consequences can be irreversible and financially devastating. In Web2, security breaches often involve personal data theft, account lockouts, or fraud. In Web3, the stakes can be even higher; one compromised private key or seed phrase can result in the permanent loss of your funds. 

If you’re navigating the Web3 world, here are the essential steps to keeping your onchain assets secure.

Never Share Your Seed Phrase, Private Key, or Passwords

Web3 flips the control paradigm: users own their data, their identities, and their funds. But with this power comes personal responsibility. You’re your own bank. And just like you wouldn’t leave your bank PIN on a sticky note on your front door, you shouldn’t leave your seed phrase unprotected. Your seed phrase and private keys are the master keys to your digital wallet and its associated digital identity. Sharing these, even with people you trust, puts you at serious risk of theft or exploitation. If someone is asking for your seed phrase or private key, it is a big red flag. Scammers often pose as support agents or friends to trick users into revealing this information. Reputable entities will not request this information, especially through third-party chat applications and social media.

Store Sensitive Data Offline

We all know we shouldn’t store passwords and other sensitive data in email, locally saved documents, and note apps. These methods aren’t secure and can be leaked or hacked. Chances are, you’re taking the risk and doing it anyway. If you need one reason to revisit your online security practices, Web3 is it. If you lose your seed phrase or private key, or if someone else gains access to this information, your investments are at risk. There is no way to reset a password or to ask customer service for access to your digital wallet with Web3. And if the wrong person gets access, they can easily transfer your funds to their own wallets.

The solution is to write your seed phrase and private key down on paper and store it in a secure physical location. Others might keep this information safe in an offline storage device that can’t be hacked. Be sure to backup your backups. You never know what you may lose!

Use Reputable Wallets and Exchanges

Reputation matters when it comes to digital wallets and cryptocurrency exchanges. Because decentralization is a core blockchain value, there are no regulatory bodies keeping tabs on who is considered safe or reputable. 

A reputable digital wallet or crypto exchange will have regular internal security audits, offer security features and services, and will have a verifiable presence online. If any of the above are not true for your provider, you should strongly consider switching. A reputable digital wallet or exchange values security and safety. They want you to have enhanced security features to protect your account and identity. Be suspicious of providers that do not offer services like 2FA. That signals their stance on security is weak, and you could be at risk.

What does it mean to have a verifiable online presence? Your provider should have a fully functional, secure website. They should have a real physical address that is associated with their business and this address should be verifiable. They may have active social profiles, which helps legitimacy, but doesn’t automatically mean the brand is reputable. When researching, you want to see positive reviews, but be sure to inspect them closely to be sure they are real.

Unfortunately, it’s relatively easy to stand up a fake digital wallet or exchange and run off with users’ funds. Inspect your provider closely, investigate their reputation, and don’t let a well-designed website trick you into providing sensitive information.

Backup Your Wallet

Once you have a reputable digital wallet provider, like Leather or Xverse, you have steps to take to actually secure your wallet. The first step is making sure you have backups of your password, private key, and seedphrase. It is strongly recommended that you have physical backups of this information instead of digital copies. Remember that online documents and note applications are not inherently secure and could potentially be accessed by hackers. 

Implement Two-Factor Authentication (2FA)

Enable 2FA wherever it’s available, especially on exchanges and when managing wallets. But don’t just use SMS. Opt for third-party authentication apps like Google Authenticator, which is far more secure and less vulnerable to SIM-swapping attacks. And remember - if options like 2FA aren’t available, then you should find another company to do business with.

Avoid Public WiFi and Use a VPN

Never access your wallets or make transactions over public WiFi. These networks are easy targets for man-in-the-middle attacks. At the most basic level you shouldn’t be using public WiFi for online shopping, banking, or other sensitive activities. You especially shouldn’t be using it for cryptocurrency. There is no failstop for your digital wallet if a bad actor gets your passwords!

Even at home, using a VPN adds an additional layer of encryption to your online activity, making it harder for malicious actors to snoop. 

Establish a Multiple Wallet Strategy

Divide your assets across multiple wallets. Consider having a hot wallet for everyday transactions and a cold wallet for long-term storage. A hot wallet is connected to the internet so it’s ideal for trading and transactions, but this also means it is more susceptible to hacking. Cold wallets are not connected to the internet and are by default more secure. Transactions from a cold wallet require extra verification steps, making it less investor friendly than a hot wallet. Cold wallets are commonly used to store funds until they are ready to be transferred to a hot wallet. 

Keep an Eye Out for Scams

Beware of the combination of a too-good-to-be-true offer with high-pressure sales tactics. The offer is meant to hook you, and the pressure is meant to make you drop your guard. Web3 scams are meant to hijack your digital wallet and identity, or meant to scam you out of an investment. Phishing is an extremely common scam where cybercriminals will attempt to get you to provide your account login information, private key, or seedphrase, usually by posing as a trusted entity. Investment scams come in the form of rug pulls, pump and dump schemes, and straight up theft of assets from wallets.

Always remember to slow down, do your research, and don’t buy into the hype. Keep in mind that you can never be too suspicious. Scams are ever-evolving and new tactics are always being tested. 

Final Thoughts

Web3 puts you in control, but that control comes with responsibility. By taking simple but crucial steps to secure your onchain assets, you can reduce the risk of loss and stay ahead of potential threats. In a space where one mistake can cost you thousands, or even millions, of dollars, staying vigilant and adopting best practices isn’t just smart, it’s essential.