AKA Know your enemy. Watch out for the proverbial “man in the middle” — someone trying to get in between you and your destination. Spoof sites (malicious websites that mimic legitimate ones) can be picture-perfect nowadays, so double-check URLs. Better yet, bookmark your crypto sites and stick to your bookmarks (MetaMask also blacklists MyEtherWallet clones for you). Verify software downloads: a copy of Tails OS is no good if it’s infested with spyware. A man-in-the-middle attack can even be literal: one guy lost his life savings to a reseller on eBay who pulled the recovery seed from a hardware wallet and repackaged the wallet. Always buy your hardware wallet directly from the manufacturer. Now think two steps ahead. Maybe your URLs look good. But how do you know someone hasn’t hacked your Wi-Fi, spoofed the DNS, and redirected you to different IPs? Safe computing is like chess: always assume your opponent is smarter than you.
You should know the drill by now — no birthdays, street addresses, song lyrics, etc. (don’t even get me started on my mom’s passwords). But even if you mash the keys on your keyboard, that’s still not random enough (you are not a good source of entropy). Password-crackers can rifle through 350 billion guesses per second. Use a random mnemonic generator to create a passphrase, or buy a hardware wallet to generate powerful keys and signatures for you. Multiple passwords are better than one. Multi-signature wallets, like Gnosis’, require multiple keys to validate transactions. And use two-factor authentication for everything: email, exchanges, Steam, etc. Heads up: the countdown might be annoying, but app-based two-factor is much more secure than SMS. Let this be your warning.
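To make the entropy point concrete, here is an added example (not from the original article or from Dodson’s GitBook) that builds a passphrase from a wordlist with the operating system’s CSPRNG instead of keyboard-mashing, and then works out how long the quoted 350-billion-guesses-per-second cracker would need to exhaust it. The 16-word list is a constructed stand-in; a real diceware list has 7776 words and a BIP39 list 2048, which is what the entropy arithmetic assumes.

```python
import math
import secrets

# Constructed sample wordlist standing in for a real 2048- or 7776-word list.
SAMPLE_WORDLIST = [
    "anchor", "basalt", "cobalt", "dune", "ember", "fjord", "glacier", "harbor",
    "iris", "juniper", "kelp", "lagoon", "meadow", "nectar", "orchid", "pebble",
]

GUESSES_PER_SECOND = 350e9          # cracking rate quoted in the text
SECONDS_PER_YEAR = 365.25 * 86400


def generate_passphrase(wordlist, n_words):
    """Pick n_words uniformly at random from wordlist.

    secrets.choice draws from the OS CSPRNG; random.choice is a seeded PRNG and
    must never be used for secrets. Duplicate words would silently shrink the
    effective wordlist, so they are rejected.
    """
    if len(set(wordlist)) != len(wordlist):
        raise ValueError("wordlist must not contain duplicates")
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def entropy_bits(wordlist_size, n_words):
    """Entropy of n_words drawn independently and uniformly from wordlist_size words."""
    return n_words * math.log2(wordlist_size)


def years_to_exhaust(bits, rate=GUESSES_PER_SECOND):
    """Worst-case time to try every passphrase of the given entropy at `rate` guesses/s.
    An attacker succeeds on average after half this time."""
    return (2 ** bits) / rate / SECONDS_PER_YEAR


def crack_time_table(wordlist_size, word_counts, rate=GUESSES_PER_SECOND):
    """Map each word count to (entropy in bits, years to exhaust) for a given list size."""
    return {
        n: (entropy_bits(wordlist_size, n), years_to_exhaust(entropy_bits(wordlist_size, n), rate))
        for n in word_counts
    }


if __name__ == "__main__":
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDLIST, 6))
    for n, (bits, years) in crack_time_table(2048, (4, 6, 8, 12)).items():
        print(f"{n:2d} words from 2048: {bits:6.1f} bits, {years:.3g} years to exhaust")
```

Six words from a 2048-word list give 66 bits, which the quoted cracker exhausts in under seven years; twelve words push that past 10^20 years, which is why mnemonic generators hand out long phrases rather than short ones.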
You don’t have to go 300 meters underground, but you should keep the majority of your crypto “cold” — that is, air gapped and offline. Only keep an amount in exchanges and online wallets that you are willing to lose. You can either build an air gapped computer by removing the network card from your PC or laptop (Tails is an operating system that you can run offline), or buy a hardware wallet. When generating the seed phrase, plug your hardware wallet into a wall outlet rather than a computer, to keep it as cold as possible. Paranoia tips: cover the mic/camera of your laptop and remove any electronic devices from the room.
Make small test transactions or practice with a tiny bit of funds on a test network before going full monty. Never manually type out addresses (over 12,000 ETH have been lost forever due to typos). Copy and paste, use Ethereum Name Service, or scan QR codes. Make sure your scan app is secure (Pro Tip #1: Know the attack vectors). Double-check the identicon of your target address. Before transferring any crypto onto your hardware wallet, test your seed phrase. If you’re building an air gapped computer, record and re-check the MD5 checksum before and after you load data onto the SD card. For the love of Ethereum, test everything.
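The two checksum habits above (verify software downloads, and record and re-check the checksum of what you load onto the SD card) come down to the same routine. The following is an added example, not code from the article or from Dodson’s GitBook: it records a manifest of file digests for a directory, re-verifies it later, and compares a downloaded file against a vendor-published digest. It uses SHA-256 rather than the MD5 the text mentions, because MD5 collisions are practical and a published MD5 no longer proves a download is the one the vendor built. The file names and contents in `demo()` are constructed.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB pieces so a multi-GB OS image never has to fit in memory


def hash_file(path, algo="sha256"):
    """Return the lowercase hex digest of a file, streamed from disk."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def record_checksums(root, algo="sha256"):
    """Walk `root` and return {relative_posix_path: digest} for every regular file."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hash_file(p, algo)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_checksums(root, manifest, algo="sha256"):
    """Re-hash `root` and list every deviation from the manifest.

    Returns a sorted list of (path, status) with status in
    'modified', 'missing' or 'unexpected'; an empty list means the
    directory is exactly what was recorded.
    """
    current = record_checksums(root, algo)
    problems = []
    for rel, digest in manifest.items():
        if rel not in current:
            problems.append((rel, "missing"))
        elif not hmac.compare_digest(current[rel], digest):
            problems.append((rel, "modified"))
    problems.extend((rel, "unexpected") for rel in current if rel not in manifest)
    return sorted(problems)


def verify_download(path, expected_hex, algo="sha256"):
    """Compare a downloaded file against the digest the vendor published.

    The published digest must come from a channel other than the download
    itself (the vendor's signed release notes, a bookmarked HTTPS page),
    otherwise a spoofed mirror can simply publish the digest of its own file.
    """
    return hmac.compare_digest(hash_file(path, algo), expected_hex.strip().lower())


def demo():
    """Constructed scenario: stage two files (standing in for the SD card),
    record the manifest, then tamper with the staging area and re-verify."""
    with tempfile.TemporaryDirectory() as d:
        staging = Path(d)
        (staging / "tails.img").write_bytes(b"constructed image bytes")
        (staging / "notes.txt").write_bytes(b"constructed notes")
        manifest = record_checksums(staging)
        before = verify_checksums(staging, manifest)          # expected: []
        (staging / "tails.img").write_bytes(b"constructed image bytes, altered")
        (staging / "extra.bin").write_bytes(b"planted")
        after = verify_checksums(staging, manifest)           # modified + unexpected
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before tampering:", before)
    print("after tampering: ", after)
```

Keep the manifest somewhere the SD card cannot overwrite it (the air-gapped machine’s own disk, or paper), since a manifest that travels with the data it describes can be rewritten along with it.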
A standard BIP39 seed phrase is that curious string of 24 words from which you can derive a private key. Manage your seed with utmost care. If you write it down on paper, consider making two copies and storing them in separate locations. SD cards are another storage option, but they rarely last more than five years, and they could be wiped in an instant (an EMP, for example). Use both analog and digital just in case (some people hammer their seed phrases into steel). If you want to level up: store pieces of your seed phrase in separate, safe locations. And remember: meticulously record your steps, so you (or your heirs) can recreate the seed.
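What “derive a private key” from those words actually means, and how to do the “test your seed phrase” step from the previous tip, is shown in this added example (not from the article or from Dodson’s GitBook). It implements the BIP39 mnemonic-to-seed step with the Python standard library: PBKDF2-HMAC-SHA512, 2048 iterations, salt `"mnemonic"` plus the optional passphrase, 64-byte output. It assumes an English, space-separated wordlist and does not check the phrase’s checksum bits (that needs the 2048-word list); the `seed_fingerprint` helper is a local convention, not part of BIP39. The test mnemonic is the first official BIP39 test vector.

```python
import hashlib
import unicodedata

BIP39_ITERATIONS = 2048   # fixed by the BIP39 spec
BIP39_SEED_LEN = 64       # bytes of PBKDF2 output, per the spec


def mnemonic_to_seed(mnemonic, passphrase=""):
    """BIP39 seed = PBKDF2-HMAC-SHA512(NFKD(mnemonic), "mnemonic" + NFKD(passphrase), 2048, 64).

    Note what this does NOT check: a misspelled or swapped word still produces
    a seed, just a different one. PBKDF2 accepts any string, which is exactly
    why the written backup must be re-derived and compared before funds move.
    """
    words = mnemonic.strip().split()
    if len(words) not in (12, 15, 18, 21, 24):
        raise ValueError("a BIP39 mnemonic has 12, 15, 18, 21 or 24 words")
    password = unicodedata.normalize("NFKD", " ".join(words)).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, BIP39_ITERATIONS, dklen=BIP39_SEED_LEN)


def seed_fingerprint(seed):
    """Short identifier (first 4 bytes of SHA-256 of the seed) that is safe to write
    beside the backup: it lets you confirm a re-derivation without exposing the seed."""
    return hashlib.sha256(seed).hexdigest()[:8]


def backup_matches(recorded_fingerprint, mnemonic_from_backup, passphrase=""):
    """The 'test your seed phrase' step: derive from the words as written on the
    backup and compare with the fingerprint recorded when the wallet was set up."""
    derived = seed_fingerprint(mnemonic_to_seed(mnemonic_from_backup, passphrase))
    return derived == recorded_fingerprint


if __name__ == "__main__":
    # Official BIP39 test vector #1 (all-zero entropy), passphrase "TREZOR".
    phrase = " ".join(["abandon"] * 11 + ["about"])
    seed = mnemonic_to_seed(phrase, "TREZOR")
    fp = seed_fingerprint(seed)
    print("seed:", seed.hex())
    print("fingerprint to write beside the backup:", fp)
    # A single-word transcription error derives a different seed and fails the check.
    print("backup with typo matches:", backup_matches(fp, phrase.replace("about", "abort"), "TREZOR"))
```

The same routine shows why the passphrase is sometimes called the 25th word: the same 24 words with a different passphrase derive an unrelated seed, so a passphrase that is not written beside the words is lost with the person who knew it.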
Plausible deniability in the cryptoverse means the ability to keep certain data hidden. Here’s a helpful public emission guideline: don’t broadcast your holdings, and especially don’t tell the world (over social media) the exchanges where you keep all your crypto (again, this guy). All your crypto shouldn’t be hot anyway (Pro Tip #3: Use cold storage). You can hide accounts under different HD paths on your hardware wallet in case someone comes knocking. Also, minimize your risk exposure by distributing your holdings across multiple wallets.
Dodson finishes his GitBook by recommending four different levels of wallet setup, Level 4 being for the most rigorous users. It’s your call how sophisticated you want to get. But remember: your security choices affect not only you but the ecosystem. If you don’t use two-factor authentication, and someone seizes your email (that, say, you left open on a library computer), when that bad actor starts phishing your personal network, that’s on you. So challenge yourself to level up. Experiment with hardware wallets, Tails, and multi-sig. Channel your inner Snowden. Learn by teaching. Tell your friends about cold storage, and your mom about strong passwords. Help the community flag spoof sites and fake accounts. Dodson’s “Pro Tips” are a gift to the ecosystem, and something we can pay forward.