Whether it's your seed phrase, private key, or backup codes for your multi-factor authenticator, these types of credentials require special attention to secure properly, given their sensitivity.
If someone has access to your keys then your assets including your NFTs, tokens, and other account data may be at risk.
Before we break down the best ways to safeguard your keys, let's understand the difference between a seed phrase, a private key, and a backup code.
Seed Phrase
A seed phrase (recovery phrase) is a set of words (usually 12 or 24) that can be used to recover a set of wallets. It is generated for you when you create your first wallet.
Private Key
A private key is a long string of numbers and letters that allows you to access a specific wallet that was created underneath your seed phrase. Private keys are generated for you when you create additional wallets.
Backup Code
A backup code is created each time you enable software- or hardware-based multi-factor authentication on an account (usually accounts like your email addresses, social networks, banks, etc.). If you were to lose the device that houses your multi-factor authenticator, for example, your smartphone that has Microsoft Authenticator, you will not be able to recover your multi-factor authentication codes on a new smartphone without having your backup codes saved somewhere.
If you do not store your seed phrase, private key, or backup codes securely, or do not store them at all, you are putting yourself at risk of losing access to your own wallets and accounts!
Picture a seed phrase like a bank and private keys like vaults inside of that bank. If your seed phrase (door to enter the bank) is compromised, the attacker has access to all the private keys (vaults) that were residing inside of it.
This is why it is important to know the difference between a seed phrase and a private key. There are scenarios where people have had their seed phrase compromised, were told to create a new wallet, and ended up creating that new wallet (private key) underneath the same seed phrase that was already compromised, instead of creating a fresh wallet with a new seed phrase and new private key. Whatever assets they moved into that wallet were therefore automatically compromised again.
What is the best way to manage this sensitive data?
Keep your seed phrases, private keys, and backup codes OFFLINE! Do NOT keep them in ANY digital format!
Whether it's a screenshot, sent to yourself in a text message or email, saved in a "secure" notes file or Word document, spoken to someone over the phone... literally do not keep this information in ANY sort of digital format WHATSOEVER!
If your seed phrase has ever been typed into any random website, input form, or device, then you can consider it already compromised, unless of course you were attempting to actually recover your own wallets directly. Keeping this information OFFLINE is the safest way to ensure that there are minimal variables that could compromise this sensitive information. If you are ever requested to provide your seed phrase or private key in order to receive support or to claim a free airdrop, NFT, or token, or you are told to type it in or provide it to anyone or anywhere in general, STOP what you are doing and realize that it is not a real request and is almost certainly someone trying to scam you.
When you create a new wallet and are provided a seed phrase, you are often told to write it down (aka keep it OFFLINE). This is where it's important to understand the concept of not keeping all your eggs in one basket. For example, if someone were to find the piece of paper that you wrote the seed phrase on, it would be very easy for them to access your assets. So, it is best to split the paper up in 2 or 3, or potentially keep it in 2 separate safety deposit boxes or locations, or memorize a couple of the words with a trusted individual instead of having them all written in one place. This way, if it's found, it is not easy to compromise.
The same idea applies for all your assets; do not keep them all in a single wallet. Instead, have a separate wallet for assets you do not plan on selling or interacting with. This way, if the wallet you use daily for mints is compromised, you are not losing all your assets in one go.
Although employing our recommendations should increase the security of your own keys significantly, there are also products in the space that can assist as well.
Hardware wallets, such as Ledger, are another option. They generate seed phrases that include 24 words and also allow you to employ a 25th word that you can choose yourself as an additional layer of security to access your wallets. This makes it so that even if someone were to find your 24-word seed phrase, they would still need the 25th word, which you chose yourself, in order to get into your wallet.
There are also products like SecuX which have a metal plate you can engrave your seed phrase onto. The plate is waterproof and fireproof for additional security, considering that a piece of paper can degrade over time and is susceptible to these elements.
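The bank-and-vaults picture and the 25th word described above can be seen in a short added example (not from the original article). It assumes the wallet follows the BIP-39 and BIP-32 standards, which the article does not name, simplifies the derivation path to hardened children of the master key, and uses the public BIP-39 test-vector phrase with a constructed passphrase.

```python
import hashlib
import hmac
import unicodedata

# secp256k1 group order; BIP-32 adds child key material modulo this value.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

# Public BIP-39 test-vector phrase (constructed sample input).
# Never type a real seed phrase into a script or any other digital form.
TEST_PHRASE = "abandon " * 11 + "about"


def seed_from_phrase(phrase, passphrase=""):
    """BIP-39: phrase is the PBKDF2 password, 'mnemonic' + passphrase the salt."""
    password = unicodedata.normalize("NFKD", phrase).encode()
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode()
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, dklen=64)


def master_key(seed):
    """BIP-32 master node: returns (private key, chain code)."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def hardened_child(key, chain, index):
    """BIP-32 hardened child private key (rare invalid-key cases not handled)."""
    data = b"\x00" + key + (index | 0x80000000).to_bytes(4, "big")
    digest = hmac.new(chain, data, hashlib.sha512).digest()
    child = (int.from_bytes(digest[:32], "big") + int.from_bytes(key, "big")) % N
    return child.to_bytes(32, "big"), digest[32:]


def wallet_keys(phrase, passphrase="", count=3):
    """Simplified path: wallet i is hardened child i of the master key."""
    key, chain = master_key(seed_from_phrase(phrase, passphrase))
    return [hardened_child(key, chain, i)[0].hex() for i in range(count)]


if __name__ == "__main__":
    owner = wallet_keys(TEST_PHRASE, count=2)    # wallets the owner has today
    finder = wallet_keys(TEST_PHRASE, count=3)   # anyone holding the phrase
    print("existing wallets recomputed:", finder[:2] == owner)
    print("a 'new' wallet under the same phrase is derivable too:", finder[2][:16])
    guarded = wallet_keys(TEST_PHRASE, "constructed-25th-word")
    print("keys shared once a passphrase is added:", set(guarded) & set(finder))
```

Every key is a deterministic function of the phrase, so a wallet added later under a compromised phrase is already known to whoever holds it, while a passphrase changes the seed and therefore every key beneath it.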
Can You Recover Your Own Keys?
It is important to confirm for yourself, at least once a year, that you can recover your own wallets. Do this before you are (hopefully not) in the position that you actually need to recover your wallets. This way, if you wrote down something wrong or lost a piece of crucial information, you can recover what you need to resolve the issue. It is also important to make arrangements with someone you trust to be able to access your assets in case something happens to you, which is often not thought about.
Since self-custody requires you to understand that your assets are your responsibility, it is important to employ these precautions to help you protect your assets from potential compromise or loss.
Keep in mind that there is always some risk involved, so staying informed and employing the best security practices is essential.
Be sure to download the free open-source Wallet Guard browser extension to add an additional layer of security to your wallet of choice when navigating web3!