Security

Build a basic security stack before you need it.

Crypto security is less about being paranoid and more about reducing easy failure points: weak passwords, SMS recovery, fake links, exposed seed phrases, and wallets that do too many jobs.

The basic security stack

  • Password manager: unique passwords, recovery codes, and account notes in one protected vault.
  • Hardware 2FA: security keys for the accounts that matter most, with at least one backup key.
  • Seed phrase safety: physical storage only, never screenshots or cloud storage.
  • Wallet separation: cold wallet for long-term assets, hot wallet for learning and connecting.
  • Approval hygiene: review permissions and transaction previews before and after using apps.

You do not need to perfect everything in one night. Start with the basics, then improve the setup as the value or importance of the accounts increases.

Start with account access

  • Use a dedicated password manager, such as Bitwarden or 1Password, and create a unique password for every important account.
  • Browser-based password saving is still better than reusing passwords, but consider a dedicated vault for crypto, finance, email, and identity accounts.
  • Secure your email account first. It is often the reset path for exchanges, marketplaces, social accounts, and your password vault.
  • Review recovery email addresses, phone numbers, and old devices attached to important accounts. Remove anything you no longer control.
  • Avoid SMS recovery where possible. A phone number can become a weak point if it is used to reset important accounts.
  • Use biometrics or a strong local unlock method for your password manager.
  • Keep recovery codes in your password manager or another secure offline location so you are not locked out if a device breaks.

Plan for worst-case access

  • Choose one trusted person who would know where to start if something happened to you.
  • Write down simple emergency instructions: which password manager you use, where recovery materials are stored, and which accounts matter most.
  • Use built-in recovery tools where they exist, such as Bitwarden Emergency Access, the 1Password Emergency Kit, recovery codes, and family recovery.
  • Do not casually share your vault password. The goal is planned emergency access, not everyday shared control.

Upgrade two-factor authentication

  • Use a hardware security key, like a YubiKey, anywhere important accounts support it: email, password vault, exchange, Apple ID, social accounts, and payment accounts.
  • Buy at least two security keys: one primary and one backup. Store them separately so one lost bag or broken device does not lock you out.
  • When a platform does not support security keys, use an authenticator app like Authy or Google Authenticator, or your password manager's built-in 2FA. Avoid SMS unless it is the only available option.
  • Built-in 2FA inside Bitwarden or 1Password is convenient, but think carefully before storing the password and second factor for the same high-value account in one place.
  • Avoid making your 2FA depend on the same account it protects. If your email account stores the authenticator method for that same email account, the setup is weaker.

Separate wallets by job

  • Use a hardware wallet for assets you care about. Keep the recovery phrase offline and never type it into a website.
  • Never store a seed phrase electronically: no photos, screenshots, notes apps, cloud drives, password managers, emails, or DMs.
  • Write the phrase on paper or use a fire-resistant metal backup. Store it somewhere private and physically secure.
  • Keep your most valuable assets in a cold wallet that only sends and receives. It should not be the wallet you use to explore random sites.
  • Use a separate hot wallet for learning, minting, testing, and connecting to unfamiliar apps.
  • If you split or back up a seed phrase, make sure every piece is stored securely and that loss of one location does not destroy access.

Example: Billfodl is one metal backup option for people who want something more durable than paper.

Before clicking, sending, or signing

  • Do not click wallet, exchange, or mint links from email, SMS, replies, ads, or surprise DMs. Navigate yourself from a trusted bookmark or official source.
  • Bookmark the official sites you use often: exchanges, wallets, marketplaces, Art Blocks, and security tools. Use those bookmarks instead of links in messages.
  • Send a small test transaction before moving a meaningful amount.
  • Check that the address, network, and asset are correct.
  • Use transaction preview and approval tools where they help, but treat warnings as a backup layer, not permission to stop thinking.
  • Review token approvals periodically with a tool like Revoke.cash, especially after using unfamiliar apps.
  • A VPN can help with network privacy on public Wi-Fi, but it does not protect you from signing a malicious transaction or sharing a seed phrase.
  • Read every wallet prompt. If the action is unclear, cancel and investigate.
  • Never share your seed phrase, private key, password, screen, or remote access with support, friends, artists, moderators, or strangers.
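The "review token approvals" step above is worth seeing at the data level: a tool like Revoke.cash reads the ERC-20 Approval events your wallet emitted and shows the allowance each spender still holds. The script below is an added example, not code from this page, Revoke.cash or Art Blocks; it reduces constructed Approval log entries (in the shape a JSON-RPC eth_getLogs call returns) to the live allowance per spender and flags unfamiliar spenders and "unlimited" allowances. The wallet, token and spender addresses and the log entries are made-up placeholders; the only real constant is the standard ERC-20 Approval event signature hash.

```python
# Constructed example: reduce ERC-20 Approval event logs (eth_getLogs shape) to
# the live allowance per spender and flag the ones worth revoking. Event layout:
# topics[1] = owner, topics[2] = spender, data = value. Addresses are made-up
# placeholders; APPROVAL_TOPIC is the real ERC-20 Approval signature hash.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED = 2**256 - 1          # the "infinite" allowance many dapps request
MY_WALLET = "0x" + "aa" * 20    # hypothetical hot wallet being reviewed
TRUSTED = "0x" + "11" * 20      # hypothetical marketplace you use on purpose
UNKNOWN = "0x" + "22" * 20      # hypothetical app connected once while exploring
REVOKED = "0x" + "33" * 20      # hypothetical spender approved, then revoked
TOKEN = "0x" + "cc" * 20        # hypothetical ERC-20 token contract
def topic_to_address(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the low 20."""
    return "0x" + topic[-40:].lower()
def current_allowances(logs, owner):
    """Latest allowance per (token, spender) for owner; later logs win."""
    allowances = {}
    for log in logs:
        topics = log["topics"]
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue                                  # not an ERC-20 Approval
        if topic_to_address(topics[1]) != owner.lower():
            continue                                  # someone else's wallet
        key = (log["address"].lower(), topic_to_address(topics[2]))
        allowances[key] = int(log["data"], 16)        # approve(spender, 0) clears it
    return allowances
def risky_approvals(logs, owner, trusted_spenders=frozenset({TRUSTED})):
    """Return (token, spender, value, reason) for live allowances to review."""
    findings = []
    for (token, spender), value in current_allowances(logs, owner).items():
        if value == 0:
            continue                                  # already revoked
        if spender not in trusted_spenders:
            findings.append((token, spender, value, "unknown spender"))
        elif value == UNLIMITED:
            findings.append((token, spender, value, "unlimited allowance"))
    return findings
def _log(token, owner, spender, value):
    """Build one constructed Approval log entry in eth_getLogs shape."""
    def pad(addr): return "0x" + addr[2:].rjust(64, "0")   # 20-byte -> 32-byte topic
    return {"address": token, "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x" + format(value, "064x")}
SAMPLE_LOGS = [                                       # constructed, in block order
    _log(TOKEN, MY_WALLET, TRUSTED, UNLIMITED),       # trusted but unlimited
    _log(TOKEN, MY_WALLET, UNKNOWN, 10**18),          # one-off app, still live
    _log(TOKEN, MY_WALLET, REVOKED, 5 * 10**18),      # approved...
    _log(TOKEN, MY_WALLET, REVOKED, 0),               # ...then revoked
    _log(TOKEN, "0x" + "bb" * 20, UNKNOWN, UNLIMITED),  # not our wallet, ignored
]
```

Running `risky_approvals(SAMPLE_LOGS, MY_WALLET)` reports the unlimited allowance to the trusted marketplace and the live allowance to the unfamiliar app, while the revoked spender and the other wallet's approvals are correctly left out.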

If something feels wrong

The best first move is usually to stop. Scams often work by creating urgency, confusion, or embarrassment. Slowing down can prevent one mistake from becoming several.

  • Stop clicking, signing, sending, or approving prompts until you understand what happened.
  • Disconnect the wallet from the site or app you were using.
  • Do not reuse a wallet if its seed phrase or private key may have been exposed.
  • Move unaffected assets from a risky hot wallet only if you understand the network, asset, fees, and destination address.
  • Review and revoke token approvals from a clean device and wallet setup where appropriate.
  • Change passwords and 2FA for relevant accounts from a clean device, starting with email and password manager access.
  • Save transaction hashes, URLs, emails, screenshots, and support ticket numbers for your records.
  • Contact official support only through bookmarked or verified websites, not links sent by strangers.

Useful tools to research