Ultimate crypto security guide part 1
or How not to get fucked.
In this part 1 we’re going to cover the general tips that are useful to everyone, and go into specific cryptocurrency use in part 2.
Please send me more tips in PM and comments so I can add content and make this guide the ultimate guide.
The 5 main pro tips:
- 1. Use multiple email addresses. Especially a trashy one for trashy services. No, it is not complicated: simply redirect all emails to your main email address to have everything in one place, and avoid using that main address as the login for most services.
- 2. Use different login names or email addresses (see 1). The very first thing hackers do is take your nickname and email from a forum/slack and try to log in to known exchanges and services with dumb easy passwords. Guess what? It works, that’s why they do it.
- 3. Use a damn unique, long and truly random password for every single service. I know it is too hard to create them and impossible to remember all of them for a normal human brain, that’s why you’re gonna start using a password manager right now. There are many good password managers, so read reviews on forums/reddit and ask your crypto friends on slack. Be aware that it is a compromise: you get as many true long random passwords as you need, but you need to watch regularly for security breaches in that application on twitter/reddit, or be ready to change it if its reputation gets bad.
One of the most common attacks happens when a service is hacked and the database is used directly or sold on the darknet to other hackers, who will try your name/password combination on many known services. When you use the same login/password everywhere, one single service that gets hacked and you’re fucked.
If one service gets hacked, change the password immediately. It’s also good practice to change passwords regularly because some hacks are discovered much later.
When using your password manager, don’t fuck up the process: be sure the app saves the right login/password combination. You must know perfectly how your password manager works. You must own it. It is your best friend.
- 4. Use 2FA, but not phone/SMS 2FA! If you’re using it on any service, deactivate it right now. Google is still pushing its users to use phone/SMS 2FA and that’s a terrible security practice because it’s one of the worst flaws. It is too easy to hack into everything and requires no skills at all, just a phone call. Check out this video that explains it: https://www.youtube.com/watch?v=caVEiitI2vg
Anyway, use any other 2FA like Google Authenticator (on a phone) or a YubiKey (you need to order a special device for that). When activating 2FA, make at least one backup of the codes (the setup code is either shown to you directly or contained in the QR code that you are asked to scan) or better, have two active 2FA devices at the same time. In case you lose one device or think it’s compromised, use the other one to reset all your 2FAs asap.
The Authy app allows many features like password-protected backups and syncing across different devices. It is of course compatible with Google Authenticator. I heard good and bad things about them, so do some research, try it and decide.
- 5. Never ever install any hacked app or game on your OS, phone or browser. Do not use a hacked Windows FFS! This is really dumb, think about it… why would anyone bother hacking an app (which can take weeks of hard skilled work), hosting it (paying from his own pocket) and giving it away for free over the Internet to total strangers? Because he wants to fuck you! For Christ’s sake, if you can afford shitcoins and ICO scams you can pay for all your apps and games! Getting all your data and bitcoins stolen is not worth the risk.
- Do not install any unnecessary app on your OS, phone or browser. I know it’s tempting to install all the free apps and games, but be aware that apps listed on Google Play or Chrome are not verified for security flaws! The more apps you install, the more attack vectors you create. Mind blown.
- Do not brag about your money over the Internet. The more money you have, the more tempting it is for hackers to spend time and energy finding a flaw in your security system.
- Do not click on every URL you see. Think. Why did someone put a link in the middle of the conversation? Is the link in this quote the original link? What if all those comments are fake? What if a hacker is impersonating my friend?
If you think someone is impersonating a friend, ask him to identify himself on other services (a different slack, forum, twitter, email). There is very little chance someone gets hacked on all services at the same time unless he has really shitty security practices, but then he should not be your friend in the first place.
Friends with shitty security practices are also attack vectors. Mind blown. Share this guide.