Crypto Security Checklist

20 practical steps to protect your exchange accounts, wallets, and seed phrases. Check items off as you complete them. Progress saves automatically in your browser.


1. Enable authenticator app 2FA [Critical]
   Replace SMS 2FA with Google Authenticator, Authy, or a hardware key. SMS codes can be bypassed by SIM-swap attacks. Do this first for every exchange you use.

2. Use a unique, strong password [Critical]
   Never reuse passwords from other sites. Use a password manager (Bitwarden or 1Password) to generate and store a random password of 20 or more characters for each exchange.

3. Disable SMS 2FA everywhere possible
   Log into each exchange and remove SMS as a 2FA option. Some exchanges still require it as a backup. If you are forced to keep it, add a carrier PIN to your phone account to make a SIM swap harder.

4. Save your 2FA backup codes securely
   When you set up an authenticator app, exchanges give you backup codes. Print them and store them offline with your seed phrase. Losing your phone without backup codes means losing access to the exchange.

5. Secure your email account with 2FA [Critical]
   Your email is the master key to every exchange: anyone who gets into it can reset your exchange password. Enable authenticator 2FA on Gmail, Outlook, or whichever email provider you use for crypto.

6. Use a dedicated email for crypto accounts
   Create a separate email address used only for crypto exchanges. This limits phishing exposure and makes suspicious login activity easier to notice.

7. Bookmark exchange URLs and never click email links [Critical]
   Phishing sites look identical to real exchanges. Always navigate via a bookmark, never by clicking links in emails or Discord messages. This is how most account drains happen.

8. Enable the anti-phishing code on supported exchanges
   Crypto.com and Binance let you set a personal anti-phishing code that appears in every genuine email they send. If an email lacks your code, it is fake. Enable this in your security settings.

9. Never enter your seed phrase anywhere online
   No legitimate service, ever, will ask for your wallet seed phrase. If any app, browser extension, or website prompts you for it, close the browser. This is always a scam.

10. Enable withdrawal address whitelisting
    Most exchanges allow you to whitelist specific withdrawal addresses. Once enabled, crypto can only be sent to approved addresses, and adding a new address requires a 24-48 hour email confirmation delay.

11. Double-check withdrawal addresses before sending
    Some malware replaces addresses on the clipboard with attacker-controlled addresses. Never paste and submit without manually verifying the first and last 6 characters of the wallet address.

12. Enable withdrawal confirmation emails
    Ensure your exchange sends an email confirmation before any withdrawal is processed. This adds a second checkpoint even if someone gets into your account.

13. Keep your OS and browser updated
    Most successful crypto hacks exploit unpatched vulnerabilities. Enable automatic updates on your operating system and on every browser you use for exchange access.

14. Audit browser extensions regularly
    Malicious browser extensions can steal credentials and intercept clipboard content. Remove any extension you no longer actively use. Be especially cautious with extensions that request permission to "read all website data".

15. Do not use public Wi-Fi for exchange access
    Public Wi-Fi networks can be intercepted or spoofed. Access your exchange accounts only on trusted private networks. If you must use public Wi-Fi, connect through a reputable VPN first.

16. Write your seed phrase on paper and store it offline [Critical]
    Never photograph, screenshot, or type your seed phrase into any device. Write it by hand on paper and store it in a physically secure location. Your seed phrase is the only way to recover a non-custodial wallet.

17. Store a second seed phrase backup in a separate location
    House fires, floods, and theft happen. Keep a second copy of your seed phrase backup in a different physical location from the first. Both should be equally secure.

18. Use a hardware wallet for holdings above $500
    A hardware wallet (Ledger, Trezor) stores private keys offline. Even if your computer is compromised, an attacker cannot access your funds without physical possession of the device.

19. Enable login and withdrawal notifications
    Turn on push or email notifications for all account activity on your exchanges. Catching a suspicious login within minutes can prevent a full account drain.

20. Review active sessions and revoke unknown devices
    Most exchanges list active login sessions. Check yours monthly and immediately revoke any session from an unrecognized device or location.

Recommended security tools

These tools directly address checklist items. We are not affiliated with any of them (no commissions); we are just recommending what works.

Password Manager: Bitwarden (bitwarden.com)
Free, open-source password manager. Generates and stores unique passwords for every site. Desktop, mobile, and browser extension. No excuses for reusing passwords.

Authenticator App: Authy (authy.com)
Authenticator app with encrypted cloud backup, which protects you if your phone is lost or broken. Free for personal use. Supports all major exchanges.

Hardware Security Key: YubiKey (yubico.com)
Physical security key for the strongest 2FA available. Plugs into USB or taps via NFC. Phishing-resistant by design. Overkill for small holdings, essential for large ones.

Hardware Wallet: Ledger Nano X (ledger.com)
Stores private keys completely offline, so an exchange hack cannot touch crypto that is not held on the exchange. Supports 5,500+ assets. Bluetooth for mobile. Around $149.

Hardware Wallet: Trezor Model T (trezor.io)
Open-source hardware wallet. Fully open firmware that security researchers can audit. Touchscreen interface. Strong reputation in the security community. Around $219.

Seed Phrase Backup: Cryptosteel Capsule (cryptosteel.com)
Fireproof and waterproof stainless steel seed phrase backup. Letters on stainless steel tiles that can survive house fires and flooding. Around $80. For those serious about long-term storage.

Common security questions

What 2FA method is safest for crypto?
Hardware security keys (YubiKey) are the most secure. If unavailable, an authenticator app like Google Authenticator or Authy is far better than SMS codes. SMS-based 2FA can be bypassed by SIM-swap attacks and should be replaced where possible.

Do I need a hardware wallet?
If you hold more than you can afford to lose, yes. Hardware wallets like Ledger or Trezor store your private keys offline, meaning an exchange hack cannot touch your funds. For small amounts under $500, a reputable exchange with strong security may be sufficient while you learn.

What is a SIM-swap attack?
A SIM-swap attack is when a criminal convinces your phone carrier to transfer your phone number to a SIM card they control. They then use your number to bypass SMS-based 2FA and reset your passwords. It has been used to steal millions in crypto. Protect yourself by disabling SMS 2FA and adding a carrier PIN to your account.

How do I safely store my seed phrase?
Never photograph your seed phrase. Never type it into any website or app. Write it on paper and store it in a physically secure location such as a fireproof safe or safe deposit box. Some people use metal seed phrase backup plates for fire and water resistance. Never store it in email, notes apps, or cloud storage.

This checklist covers exchange account security and basic wallet hygiene. It does not cover advanced topics like multisig wallets, operational security for large holdings, or tax implications. For large holdings, consult a professional.