Important: Before proceeding with this tutorial, make sure you have read and understood this Bitcoin and Cryptocurrency Security Best Practices Manual.
The advice provided on cryptocurrency and/or bitcoin trading is for informational and educational purposes only and does not constitute financial advice or investment recommendations. The cryptocurrency market, including bitcoin, is highly volatile and poses significant risks. Any investment decision or transaction made based on the provided information is the sole responsibility of the user. We strongly recommend conducting thorough research, consulting professional financial advisors, and considering your own financial situation and risk tolerance before engaging in any cryptocurrency and/or bitcoin-related activities. We are not responsible for any loss or damage resulting from the misuse of the provided information.
Good security practices when trading bitcoin
1. Do never lose or destroy a private key.
The private key is the main component of a bitcoin wallet. If you have the private key, you have control of the funds (of the bitcoin).
A private key may, for example, look like this:
p2wpkh:KwpdP6aQQJ2yhspLowPLMfrSbwNdo9pu4QkqVkNuhUZAwTqnekzA
Well, now that you have the key with you, if this wallet had money it would be yours as well as mine, because knowing that key you can take the bitcoins to another wallet whenever you want.
It is very common to create wallets on the fly and use them as a transfer point for money (bitcoin) for whatever reason. Surely, you will never use that wallet again in your life.
However, for security, you must store that private key in a safe place. Remember that it is the ultimate key to your funds.
Don’t lose any private keys, much less destroy them. Even if you think you’ll never use it again.
2. Do never show anyone your private key
For practical purposes, whoever knows the private key owns (controls) the funds.
If you don’t let anybody access your key, no one but you can take the bitcoins from that wallet to another wallet.
Unless you want to give away your bitcoins, do not show anyone your private key.
3. Do never let anybody to take a photo of your private key
An average person would be unable to memorize a private key in a few seconds. But taking a photograph with a mobile phone is an almost instantaneous act that can also easily go unnoticed.
Owning a photograph of the private key is, for practical purposes, owning the money (bitcoin) in that wallet.
So, never let someone take a photo of your private key.
4. Don’t take a photo of your private key
Your mobile phone is a device that isn’t secure.
Remember that if a person or company can see the private key, they will be as much owner of the funds as you and that means they can manage them as they wish.
Taking a photo of your private key with your mobile phone, even if it was not exposed to malicious agents, is equivalent to sharing control of your funds with the device manufacturer, with the developer of the operating system, with cloud services that copy and synchronize the multimedia files on your device and numerous other agents that work in the background.
Don’t take a photo of your private key. Neither with your mobile phone, nor with a webcam, nor with any other device.
5. Never enter your private key on any web page
No web page needs your private key. Not for any reason.
If any person, company, service or website asks you for your private key, it is probably with the purpose of stealing your bitcoin.
If what you need is to make a payment in bitcoin, or send your bitcoin to a person or company, instead of providing your private key, send it personally using a bitcoin transfer, from your wallet to their wallet. (From your address to his address).
These transfers are made in software wallet managers (such as Electrum or Exodus, for example). In them you will need to enter your private key at some point to be able to issue the bitcoin transfer.
For all this, never enter your private key on any web page.
6. The public address should also not be shown if it is not strictly necessary
This is the address corresponding to the private key shown above:
bc1qhg8sc48gejtndxvn822tlp3uh76t45kgwlpcu4
Knowing this address you can:
- Check the current balance of this wallet (of this address).
- Consult the entire transaction history of this address (inflows and outflows of money since the beginning of time).
- Send money to this address. (And, if this wallet belongs to you, you can receive payments and gifts or donations at this address).
For your information, the bitcoin wallet address is calculated from the public key, and this in turn is calculated from the private key.
private -> public -> address
This means that if you only have the private key, you can deduce the address. But if you have the address, you can’t deduce the private key.
Since showing the address involves revealing information (balance and transaction history of your money), the public address should not be shown either if it is not strictly necessary.
7. Discretion is security
The best way to ensure that no one steals your funds is that no one finds out that you have them.
Therefore, it is best not to show off your cryptocurrency possessions.
In particular:
- Don’t tell anyone that you bought bitcoin (or any other cryptocurrency).
- Don’t tell anyone how much bitcoin you own.
- Don’t tell anyone where you keep your wallet.
It is even advisable that you do not reveal to anyone that you have purchased a wallet.
Discretion is security.
8. Never generate free wallets from websites
Either these same web pages are fraudulent, or at any time they can be hacked by third parties and become fraudulent.
Do never generate free wallets from websites.
9. Be aware that every duplicate private key is a vulnerability
If you have your private key in one place, you probably have some fear of losing it.
Although the usual thinking is to generate one or more copies of the private key, these copies in turn become the wallet itself. You will have to protect and hide all these copies out of sight. And this, in practice, is frankly difficult.
The best solution is to have your private key in a single place, in a format or on a device that is difficult to lose and that is solid and durable.
10. Everything we have talked about regarding a private key applies equally to a seed phrase
A seed phrase or mnemonic seed is a series of words that encode one or more wallets (bitcoin or other cryptocurrencies).
A seed of this type could look like this:
sauce disagree document tattoo car bottom caught monkey match best candy when
Like a private key, the knowledge of this information is the equivalent to control the funds, so a mnemonic seed must be jealously protected and must never be destroyed or lost.
11. Do not trust your private key or mnemonic seed to an electronic device
Electronic devices are practical and versatile; but they are also extremely fragile.
As a general rule, electronics are easily affected by moisture and extreme temperatures, even if the exposure is brief. Likewise, electronics are fragile and do not usually withstand impacts or falls.
Furthermore, firmware quickly becomes obsolete and requires periodic updates to plug security holes that arise on a daily basis.
This is why electronic devices degrade after time, and why you should not trust your private key or mnemonic seed to an electronic device.
12. Don’t trust a paper backup of your private key or mnemonic seed
We humans tend to misplace papers, especially if they are small and/or we have kept them in a discreet place.
We humans tend to misplace papers, especially if they are small and/or we have kept them in a discreet place.
However, it is very common for this paper to be lost by the time it is needed.
It is also common that the accident that damaged the device (a small fire or excess humidity) has also destroyed the backing paper.
Don’t rely on a paper backup of your private key or mnemonic seed.
13. Buy the wallet on the manufacturer’s official website
If you are going to purchase a wallet for your cryptocurrencies, such as Material, make sure you buy it from the manufacturer’s official store, whether online or physical.
There are fake wallets for bitcoin and other cryptocurrencies. Counterfeiters make wallets that look identical to the official product, but provide addresses whose private keys are in the hands of the scammers.
To avoid buying a counterfeit instead of the original product, some tips are:
- Do not access the manufacturer’s website through any link. If you know the URL by heart, type it in. And, if not, find it through a reputable search engine.
- Carefully review the manufacturer’s URL, verify each character, and check their SSL certificate (which gives you the https:// header).
- If you hesitate, find out a contact phone number for the company and verify with them personally what the web address (URL) of their official store is.
- Never buy a wallet from third-party stores, unless they are official distributors of the brand, which is why they will be indicated on the manufacturer’s official website.
- If you decide to buy from Amazon, make sure that the seller is the manufacturer, or Amazon itself. However, if you can avoid buying on Amazon in favor of the manufacturer’s own online store, do so.
Buy the wallet on the manufacturer’s official website.
14. Do not store your private key unencrypted in a file on your computer
Computers, and especially mobile phones, are devices highly exposed to data theft and hacking. Unless you have high knowledge of cybersecurity, your data is not safe in them.
In case you decide to save your private key (or private keys, or mnemonic seeds, etc.) on a computer or mobile device, do not write them down in a text file that anyone can open. Encrypt it and protect it with a strong password. There is a wide range of software dedicated to this purpose for different operating systems. Be well informed to use it safely.
15. Do not write down your private key in a note-taking app that syncs automatically
Most modern mobile devices and computers come equipped with note-taking apps that automatically sync, creating a real-time copy in the cloud and spreading it to other devices connected to that account. This is true for applications like Google Keep and Apple Notes, among many others.
Do not make the mistake of jotting down your private key in these apps, even for a few seconds, as it will immediately be copied to the cloud, and the security of your funds will be seriously compromised.
A good practice is to disconnect your device from the internet whenever you are about to enter a private key into a software wallet (on your computer or smartphone). This way, if you temporarily note down your private key on the device, it likely won’t spread before you have the chance to delete it.
Despite this last tip, remember trying to not type down your private key in a note-taking app.
16. If you use passwords, make them secure
For practical purposes, for an expert trying to access your data, a weak password is equivalent to having no password.
Some basic guidelines are:
- Do not reuse passwords. (Do not assign passwords that you have already used before or in other services).
- Do not use basic passwords, such as “123456789”, “password”, “password123”, “qwerty”, “111111”, “1q2w3e”, etc.
- Do not create passwords with your date of birth, the name of your children, the birthdate of your children or similar.
- Mix uppercase and lowercase letters and incorporate numbers and symbols.
- The password must be long (16 characters or more).
Learn how to choose passwords that are strong and secure. There is a lot of very good information about it on the internet.
If you are going to use passwords, make sure they are really strong.
17. If you work with private keys, the computing environment must be absolutely secure
If you work with private keys, the computing environment must be absolutely secure
A computer that is normally used for work or leisure is not suitable for secure operations with bitcoin and other cryptocurrencies.
To minimize risks, the ideal is to operate with an open source operating system, such as Linux, that is recently installed, and only with the programs or packages essential to carry out the operations.
Whenever possible, all operations must be carried out with the equipment disconnected from any network (Wi-Fi, Ethernet, Bluetooth, etc.), and only connect during times that require connectivity.
For balance inquiries or receipt of funds, a high level of security is not necessary, since the private key does not come into play, but only the wallet address. But, to issue funds (make a transfer to another address) it is necessary to provide the private key or mnemonic seed of the wallet, and at this point the security of the funds comes into play.
The larger the amount to be managed, or the more critical the security of operations, the more important it is that the IT environment is secure.
To move a smaller amount of money, such as small payments, it doesn’t matter doing it from your mobile phone or a computer you use every day because, after all, the risk is low.
But when it comes to making a significant fund transfer, the computing environment must be secure.
18. Don’t keep the bulk of your bitcoin on a computer or mobile device
As already explained, computers and mobile phones or tablets in general are devices riddled with vulnerabilities and security holes.
For convenience, it is reasonable to keep a small amount of bitcoin on your mobile that can be used to make payments or tests; but the bulk of the capital must be in quality cold storage.
Don’t keep the bulk of your bitcoin or cryptocurrencies on a computer or mobile device.
19. Remember that bitcoin transfers are irreversible
With both bitcoin and most cryptocurrencies, transfers are irreversible.
Funds that are sent to incorrect addresses, even just because of a single wrong character, instantly become lost funds. This means that there is simply no room for error.
If you have to make a large transfer of funds, it is usually a good idea to break it down into two: A first small test transfer and a second with the remaining bulk, once you have confirmed that the initial funds have reached their destination correctly.
Bitcoin transfers are irreversible.
20. Try to scan or copy-paste addresses instead of typing them
If you have to provide a destination bitcoin address, either to make a payment or to receive it, don’t risk visually copying the address by reading it character by character and typing it by hand. You could get it wrong, especially in similar characters like ones, l’s, i’s; or zeros and o’s, for example.
If you have a QR that you can scan, or if you have the ability to electronically copy-paste the bitcoin address, the risk of error is greatly reduced.
Either way, before sending the funds, thoroughly check that you have entered the correct address. Well, as you know, in case of error, there is no turning back.
Try to scan or copy-paste bitcoin addresses instead of typing them by hand.
21. For greater security, do not reuse addresses or private keys
Due to the way cryptography works, reusing private keys (in the case of Material Bitcoin to extract funds from your board) eventually weakens its security. The possibility of diverting the private key from multiple signatures is extremely low with current cryptographic technology and knowledge. Most successful cryptocurrency attacks have not been through private key analysis, but rather through other ways such as phishing, malware, or exploiting software vulnerabilities.
Similarly, reusing addresses can reduce the privacy or anonymity of your funds, if that’s what you’re looking for. This reduction in privacy will depend on the type of exposure you give to your addresses.
So, although for normal use, reusing your keys does not represent a practical problem in the vast majority of cases, you should be aware that the best security practices recommend only one use for each Material plate.
Do not reuse addresses or private keys.
22. Education and awareness
Stay informed about the latest security threats.
We have seen that hackers and malicious actors are constantly developing new techniques to exploit vulnerabilities—in other words, to scam and steal assets from people. Being aware of these threats can help you take proactive steps to protect your assets.
Material Bitcoin has a group on Telegram where users bring valuable insights to cryptocurrency conversations. Multiple times, we have prevented users from becoming victims of scammers. We invite you to join us here.
Education and awareness is key to keep your assets safe.
0 Comments