How to Keep a Crypto Wallet Secure

January 8, 2026 Beginner
Losing a crypto wallet can mean losing all of the crypto linked to the public and private keys it contains. Learn ways to keep the wallet and keys safe from loss or theft.

How important is it to keep your cryptocurrency wallet secure?

Consider the plight of James Howells, the Welshman whose crypto wallet ended up in a garbage dump. He spent 12 years sifting through garbage and fending off waves of regret as his erstwhile holdings of 8,000 bitcoin grew in value from tens of thousands of dollars to about $1 billion.

Few people are sitting on 8,000 bitcoin. But the hard lesson learned by Howells holds true for everyone: Keeping any amount of crypto requires vigilance. There are plenty of ways to lose it. Hardware breaks or gets destroyed or lost. Exchanges are hacked. Individual investors are also hacked or scammed, or lose their physical wallet, as Howells did. While holding crypto comes with these risks, there are plenty of ways to protect a wallet.

Basics of crypto wallets

Crypto isn't stored in a wallet. It's stored as data on a blockchain, which is a public, decentralized ledger of transactions. A crypto wallet is where cryptocurrency owners store their public and private keys. A public key is like an address, similar to a bank account number, where crypto is deposited and held. The private key is a type of password that enables anyone to access the crypto at the corresponding address and sell it or move it to a different address with a different private key. (Technically, a private key is a cryptographic signature that authorizes transactions.)

Before choosing a wallet to secure keys, it's important to understand the different types and their key distinctions.

Hot wallets

Hot wallets are usually software-based and constantly connected to the internet via a desktop, laptop, or mobile phone. Hot wallets are:

  • Easy to use for frequent trades or transactions.
  • Less secure than cold wallets. Because they are constantly online, they are more vulnerable to hacks and malware.

Warm wallets

A newer innovation, warm wallets offer a compromise between the convenience of hot wallets and the security of cold wallets. Warm wallets:

  • Can be connected to the internet to conduct transactions.
  • Store keys online but require human involvement, such as offline two-factor authentication (2FA), to authorize a transaction.

Custodial vs. self-custody wallets

Custodial wallets are held and secured by another party. Most custodial wallets are held by cryptocurrency exchanges for the convenience of their customers, especially those who make frequent trades. Choosing a custodial wallet means leaving control of the keys, and thus the crypto, in the hands of whoever controls the wallet.

Because of this, custodial wallets bring third-party risk. Major crypto exchanges maintain custodial wallets containing keys to many billions of dollars of crypto, making them frequent targets—and sometimes victims—of hackers. With exchange-based custodial wallets, customers also face the risk that the exchange becomes insolvent or restricts withdrawals during a crisis.

A non-custodial (or self-custody) wallet is any wallet controlled by the actual crypto owner. These are widely considered more secure than custodial wallets, but do require the owner to accept full control over the keys and thus responsibility for their security. Losing a wallet or experiencing a hardware failure can be devastating.

Wallet type | Security level | Convenience level | Features
Hot | Lower | Higher | Best for frequent trades; more vulnerable to hackers and malware
Cold | Higher | Lower | Best for long-term holders, large amounts; inconvenient and demanding
Warm | Medium | Medium | Balances security and accessibility
Custodial | Lower | Higher | Held and secured by another party, usually an exchange; comes with third-party risk
Self-custody | Higher | Lower | Offers more security than custodial but owner is responsible

Protecting crypto wallets

Regardless of the wallet type, securing it starts with a very strong password. At the very least, use a reputable password generator and 2FA. When using any online wallet or a wallet that will be connected to the internet, use best practices against phishing and malware on all related devices. With cold wallets, store them in a secure location, such as a home safe or bank safe-deposit box.

Here are some additional measures crypto investors should consider, depending on their assessment of the risks they face and the trade-offs between security and convenience they're willing to accept.

Enhanced authentication

Using an authenticator app for 2FA is more secure than using SMS or email. Using a dedicated hardware device, such as a Yubikey, is even better, making authentication possible only with physical possession of the device. Another option is using a wallet with biometric authentication methods such as fingerprints or facial recognition.

Purchasing hardware

Anyone who invests in a cold wallet should purchase the device directly from trusted manufacturers or vendors and make sure the package shows no signs of tampering when it arrives. Consider verifying the firmware version before using the device.

Seed phrases

Not all wallets use seed phrases, which are especially recommended for cold wallets. A seed phrase is a series of 12 to 24 human-readable words that serves as a master backup for wallets. It can be used to regenerate existing keys if a previous wallet was lost or destroyed, using BIP-39, a public encryption protocol that converts words into keys.

Any device using BIP-39 will generate the same keys from the same seed phrase. This can be invaluable to anyone who has lost their wallet or a private key but still has the seed phrase. However, this does mean anyone who obtains the seed phrase can generate the same keys and access the related crypto simply by buying any wallet that uses BIP-39.
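The determinism described above, shown as an added example that is not part of the original article: BIP-39 stretches the phrase into a 64-byte seed with PBKDF2-HMAC-SHA512, so the same words always yield the same seed, while an optional passphrase yields a different one. The function names are hypothetical and the sample phrase is the publicly known all-zero test-vector phrase, which must never hold funds.

```python
import hashlib
import unicodedata

# Constructed sample input: the all-zero-entropy phrase from the public BIP-39
# test vectors. Everyone knows it, so it must never protect real funds.
SAMPLE_PHRASE = ("abandon abandon abandon abandon abandon abandon "
                 "abandon abandon abandon abandon abandon about")


def normalize_phrase(phrase: str) -> str:
    """NFKD-normalize the text and join the words with single spaces.

    Collapsing stray whitespace is this example's convenience (an assumption),
    so a phrase retyped with line breaks still maps to the same bytes.
    """
    return " ".join(unicodedata.normalize("NFKD", phrase).split())


def bip39_seed(phrase: str, passphrase: str = "") -> bytes:
    """Return the 64-byte seed from which a BIP-39 wallet derives its keys.

    BIP-39: PBKDF2-HMAC-SHA512, 2048 rounds, salt = "mnemonic" + passphrase.
    The checksum word is not verified here; that needs the 2048-word list.
    """
    password = normalize_phrase(phrase).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, dklen=64)


def same_wallet(phrase_a: str, phrase_b: str,
                pass_a: str = "", pass_b: str = "") -> bool:
    """True when two (phrase, passphrase) pairs produce the same seed."""
    return bip39_seed(phrase_a, pass_a) == bip39_seed(phrase_b, pass_b)


if __name__ == "__main__":
    retyped = SAMPLE_PHRASE.replace(" ", "\n")       # same words, new layout
    reordered = " ".join(reversed(SAMPLE_PHRASE.split()))
    print("retyped copy restores wallet:", same_wallet(SAMPLE_PHRASE, retyped))
    print("reordered words restore wallet:", same_wallet(SAMPLE_PHRASE, reordered))
    print("missing passphrase restores wallet:",
          same_wallet(SAMPLE_PHRASE, SAMPLE_PHRASE, "constructed-passphrase", ""))
    print("seed prefix:", bip39_seed(SAMPLE_PHRASE, "TREZOR").hex()[:16])
```

Word order and any passphrase are part of the backup: a copy that records the words but not their order, or omits the passphrase, does not restore the wallet.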

In other words, seed phrases both sharply mitigate and create risk. This is why security experts suggest keeping a physical copy of seed phrases, written on paper or metal, in secure locations. Some suggest splitting the seed phrase into multiple parts and keeping the different parts in different locations. At the very least, a seed phrase should be kept on an encrypted drive that is disconnected from the internet and stored in a secure location.

Encrypted backups

Any hardware wallet that holds the keys to a lot of crypto should be backed up by at least one other device. (Software wallets can also be backed up to a hardware device.) A backup offers quick access to the crypto if a primary wallet is stolen, lost, or destroyed, enabling the owner to transfer the crypto to a different, safe location.

Using multiple wallets

Long-term holders of large amounts of crypto—or anyone who wants to minimize risk as much as possible—could keep the crypto at multiple blockchain addresses and spread their different keys across multiple wallets. This obviously sacrifices convenience in the event of liquidation and involves managing the security of multiple devices (a unique risk in itself). But it eliminates the risk of total loss due to a single point of failure, where there is no backup measure in place.

Multi-signature wallets

Multi-signature (multi-sig) wallets require multiple parties, all with different keys, to sign off on any transaction. These wallets offer another way to minimize the risk of loss due to a single point of failure. Institutional investors frequently use multi-sig wallets, though any group of people with a shared interest in the crypto, including companies and families, might find them useful.

Security measure | Complexity | Features
Strong password + SMS or email 2FA | Low | Essential, basic defense
Biometric authorization | Low | Adds unique layer of access control
Hardware 2FA | Medium | More secure than SMS or email 2FA; requires physical possession
Seed phrase backup (cold wallet) | Medium-high | Recovery if wallet is lost or destroyed but comes with risk at a single point of failure
Encrypted backups (cold wallet) | Medium | Protects against loss or damage of main wallet
Multiple wallets (cold) | High | Eliminates risk of total loss due to a single point of failure
Multi-signature wallet (cold) | High | Minimizes risk of loss due to a single point of failure; frequently used by institutions

How to keep a crypto wallet secure

No single type of wallet or security measure will fully protect an investor's private key and the crypto it accesses, though vigilant investors can combine some of the methods above to enhance their security.

Ultimately, the best way for any investor or trader to keep a crypto wallet safe will depend on several factors, most commonly involving a trade-off between convenience, personal effort, and security. That choice should be made by assessing the most likely points of failure—is the biggest risk a misplaced wallet or hackers?—and determining how much suffering the crypto loss would cause.

Let's examine a few common scenarios.

Active trader

An active trader with a modest account would most likely want to trade extreme security for convenience, likely in the form of a custodial hot wallet held by the exchange they trade on. Still, they could increase security with a hardware 2FA key with just a bit of added inconvenience. Those worried about hackers attacking the exchange could investigate its security protocols and consider another exchange if they're not robust enough.

Semi-active trader

A somewhat less active trader with an account big enough that losing it would represent a significant, painful financial setback would likely want to trade convenience for stronger security to protect against hacks, malware, and the loss or failure of their wallet. They could choose a cold wallet with a hardware 2FA. A seed phrase and encrypted backups might also be appropriate.

Big, long-term investor

A big investor, or anyone who really can't afford to lose their crypto, would want security that is as bulletproof as possible. For institutional investors, that might involve high-quality, multi-sig wallets, with encrypted, geographically dispersed backups stored in bank safe-deposit boxes, along with protected seed phrases.

An individual investor seeking the highest level of security could consider the same, although they might swap a hardware 2FA device for the multi-sig wallet.

Bottom line

One thing about cryptocurrencies and decentralized finance: There's no higher authority coming to the rescue—and no deposit insurance. Whether through fraud, hacking, user error, natural disaster, or simply throwing the wallet out with the trash, losing the keys or having them and the crypto stolen means you're on your own. That crypto is gone.