21 tips for securing your bitcoin
So, you just bought some bitcoin, now what?
The reality is that buying and selling bitcoin can be done in an instant. The rest of your time will be spent either on the outside looking in or doing everything you can to hang onto your stash.
If you’ve adopted bitcoin and want to keep it for a long time, you need to also adopt a consistent security practice. Holding bitcoin on your own requires some personal responsibility, but the good news is this is easily manageable with the right mindset and tools. Here are 21 tips to get you started and a great refresher for even the seasoned bitcoiner.
#1 — Don’t trust unsolicited communications (email, direct message, SMS text message, phone call, etc.)
If there’s one thing you take from this article, let it be this: beware of unsolicited communications. When you take self-custody with the right tools, the attack surface for bad actors moves from technology to you, the investor. It is far easier for someone to manipulate you than it is for them to hack you.
Phishing is when a bad actor sends an unsolicited message impersonating another party with the intention of obtaining more personal information, including seed phrases.
Verify requests independently using another form of communication. If a message or offer seems too good to be true, it probably is.
#2 — Use a password manager
Passwords are supposed to be complex enough that other humans and computers can’t guess. This creates a problem: effective passwords are incredibly difficult for people to remember.
Put those facts together and you get a predictable outcome. People tend to choose the easy route and create weak but memorable passwords and reuse them across multiple platforms. This makes it easy for hackers to leverage one stolen password to compromise multiple accounts.
Password managers are simple apps that prevent you from being an easy target by allowing you to generate and store robust passwords in an encrypted manner. We highly recommend using one. If you don’t already have a password manager, check out 1Password or KeePassXC.
Interested in testing what makes a strong password? Bitwarden has a fun tool for testing the entropy behind passwords.
#3 — Don’t store seed phrases in a password manager
In security, it’s best to use tools for their intended purpose. Password managers store passwords online, albeit encrypted. That encryption buys you time to rotate out of passwords in the event of a breach.
You can’t rotate out of a seed phrase in the same way you can a password. If you secure your bitcoin with a single key and you back up the seed phrase online, you can expect any bitcoin held with that key to be gone if the seed phrase is compromised.
Password managers are an excellent solution for storing passwords — they are not an effective solution for securing your wealth. The stakes are much higher for seed phrases.
#4 — Avoid using SMS text messages for two-factor authentication
After years of data breaches and stolen log-in credentials, many companies have initiated two-factor authentication (2FA) as precautionary measures to prevent unauthorized access to your online accounts.
The reasoning behind 2FA is sound. Passwords are a single point of failure, where one slip-up can undermine an entire security protocol. Security is about resilience. Ideally, a system should remain intact even if one or more failures occur. So adding another layer beyond passwords was a good move.
But the most common implementation of 2FA is weak. When you use your phone number for two-factor authentication, your carrier becomes a single point of failure. A bad actor can collude with or trick an employee at your carrier to port your phone number to their phone, a tactic known as SIM swapping. This means if you use your phone number, your 2FA method can essentially be stolen.
There are more secure forms of 2FA around today. Consider using an authenticator app, such as Authy or Google Authenticator, or use a security key such as a YubiKey. If a platform does not allow those options, a long, robust password is preferable to text message 2FA.
#5 — Don’t give out your main phone number
A phone number may not seem like much, but adversarial parties can learn a lot about you using your phone number. Between public records and private data, there’s a large pool of information being compiled and traded legally through data brokers and illegally on the dark web.
In addition to phishing and SIM swapping, bad actors can use phone numbers to target you and your accounts for other attacks and exploits, and there’s also annoying harassment such as telemarketers and robocalls.
Consider using additional phone numbers and segmenting your usage across multiple numbers. MySudo and Google Voice are two VoIP options you can use with your existing smartphone, or you can opt for a physical SIM card and a burner phone.
#6 — Hold your own keys in self-custody
Self-custody is the act of assuming responsibility for your bitcoin. Instead of entrusting your wealth to a bank, exchange, or third-party custodian, you’re in charge of securing your bitcoin.
Taking self-custody is important with your bitcoin because it is considered a bearer asset, meaning whoever has control of it and can spend it is the owner. By holding bitcoin with your own keys, you can protect your investment from third-party custodial risk.
#7 — Take self-custody in amounts of at least 0.01 BTC
As with any transaction, there’s a fee associated with sending bitcoin to and from self-custody on the bitcoin network, so it’s best to transact in amounts that can cover this fee and remain spendable in the future.
Avoid sending many small transactions and aim to move amounts of at least 0.01 BTC each time. That way, fees stay small relative to what you’re HODLing.
#8 — Don’t talk about your bitcoin
Discussing the innovation behind bitcoin can be fun and fulfilling. There’s not much to be gained from revealing personal secrets about your stash.
You never know who around you could be a bad actor. Sharing information on a need-to-know basis is a crucial part of operational security (OpSec). Loose lips sink ships and a little discipline goes a long way. While security through obscurity doesn’t provide complete protection, it’s a savvy way to avoid attracting unnecessary trouble.
#9 — Use ad blockers
The internet is a shopping mall, and when you browse the web, you leave little bread crumbs of data that unknown third parties can use to track you. Use the Brave browser and/or install uBlock Origin on every browser you use to block tracking by the corporate surveillance machine.
#10 — Keep keys offline
Unless you’re ready to send a bitcoin transaction, your keys should be kept far away from the internet at all times. If your key is connected to the internet, it can be hacked. Mobile wallets are acceptable only for small amounts, around how much cash you’d carry around with you in a physical wallet.
When you’re not sending a transaction, keep your keys in cold storage (offline) for any long-term holdings.
#11 — Use a multisig wallet for long-term holdings
You should increase your security as your level of investment increases. For significant long-term holdings, we recommend a multisig wallet for your protection.
Multisig wallets require you to use multiple keys to sign transactions. This arrangement is designed to protect your assets from single points of failure, such as a broken or lost device.
Our Casa vaults are built with a foundation of cold storage and multiple devices, so you can have peace of mind that, even if something goes wrong with one of your keys, your assets are safe. Want to try for yourself? Learn more here.
#12 — Avoid having immediate access to your long-term holdings
The power of multisig lies in its redundancy and distribution. By spreading your keys out, you can prevent one incident from jeopardizing your assets. But this only works if you actually spread your keys out.
There is physical risk associated with holding bitcoin, and it is far from theoretical. For years, I have maintained a running log of known physical attacks against persons who own bitcoin or other bearer digital assets. If you have enough keys close by, an attacker can compel you to sign a transaction.
It’s easy to leave your keys nearby when you first set up your multisig wallet. Don’t let complacency undermine your security. Avoid keeping a majority of keys in your primary residence or on your person. Ultimately, the only way to avoid losing bitcoin in a physical attack is to ensure you are not a single point of failure that can be coerced.
#13 — Perform health checks on your devices every six months
Hardware wallets are powerful inventions but even they have a finite lifespan. The last thing you want when you need to send a transaction is to find out your device is at the end of its usable life.
By testing your devices on a periodic basis, you give yourself the opportunity to replace a failing key before you actually need it. Six months is a good interval for confirming your device is in working condition, and our Casa app walks you through that process.
#14 — Control access to your devices
Don’t just leave your phone or hardware wallet lying around. Set up a PIN on each device and keep each one in an access-controlled location, such as a lockbox or safe. Otherwise, a burglar or even someone you trust can simply grab your device and use it.
#15 — Have an inheritance plan
Once you take self-custody over your wealth, you become a single point of failure. None of us can reasonably expect to live forever. When you pass away, you don’t want it to be the end of your bitcoin.
A lot of bitcoin has been lost over the years from investors who didn’t take the necessary steps to ensure their loved ones had a clear, reliable inheritance plan. You don’t want your family’s last memory of you to be that you overlooked something major.
Setting up an inheritance plan gives your loved ones tremendous clarity, and it provides you with a companion for your self-custody.
#16 — Don’t allow your seed phrase backups to be a single point of failure
Seed phrases are overrated. While hardware wallet manufacturers typically encourage you to create seed phrase backups of your keys, hiding a piece of paper from the world forever requires security knowledge most people don’t have.
If you choose to use a seed phrase backup, we would recommend that you maintain redundancy with your backups. Keeping a seed phrase is optional with a multisig wallet like Casa, but we recommend hanging onto at least 1 seed in a 5-key vault for easy recovery.
Sharing keys or splitting seeds isn’t a prudent option in most cases: you need every word, in the exact order, to recreate a seed, so each piece of a split becomes something you cannot afford to lose. Whether a split is acceptable varies on a case-by-case basis. Seed XOR for single-key wallets and Trezor Shamir backups are acceptable, but generic Shamir’s Secret Sharing has the potential to perpetuate single points of failure.
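To make the “every piece is required” point concrete, here is an added illustration (not code from the article or from Casa): a minimal Seed XOR-style split over raw BIP39 entropy bytes, using a constructed sample value. The real scheme re-encodes each share as its own checksummed BIP39 phrase; that wordlist step, along with the helper names and the injectable `rng` parameter, are assumptions of this demo.

```python
import random
import secrets
from functools import reduce
from operator import xor

# BIP39 permits 128..256 bits of entropy in 32-bit steps (12..24 words).
VALID_ENTROPY_LENGTHS = (16, 20, 24, 28, 32)

# Constructed sample: 128 bits of "entropy" for a 12-word phrase (not a real seed).
SAMPLE_ENTROPY = bytes.fromhex("00112233445566778899aabbccddeeff")


def deterministic_rng(seed: int):
    """Seeded byte source for reproducible demos/tests only; never use for real shares."""
    return random.Random(seed).randbytes


def combine_seed_xor(shares: list[bytes]) -> bytes:
    """XOR all shares byte-wise. Reproduces the entropy only when every share is
    present; XOR-ing any strict subset gives uniformly random bytes instead."""
    if not shares or len({len(s) for s in shares}) != 1:
        raise ValueError("all shares must be present and of equal length")
    return bytes(reduce(xor, column) for column in zip(*shares))


def split_seed_xor(entropy: bytes, parts: int, rng=secrets.token_bytes) -> list[bytes]:
    """Split BIP39 entropy into `parts` XOR shares.

    The first parts-1 shares are random; the last is entropy XOR the others, so
    every share alone looks random and all of them are needed to recover.
    A real Seed XOR backup would then re-encode each share as its own
    checksummed BIP39 phrase (wordlist encoding omitted here).
    """
    if len(entropy) not in VALID_ENTROPY_LENGTHS:
        raise ValueError("entropy must be 16, 20, 24, 28 or 32 bytes")
    if parts < 2:
        raise ValueError("need at least two parts")
    shares = [rng(len(entropy)) for _ in range(parts - 1)]
    shares.append(combine_seed_xor(shares + [entropy]))
    return shares


if __name__ == "__main__":
    shares = split_seed_xor(SAMPLE_ENTROPY, 3)
    print("all three recover the seed:", combine_seed_xor(shares) == SAMPLE_ENTROPY)
    # Losing share 3 leaves the other two XOR-ing to random bytes: no redundancy.
    print("two of three give:", combine_seed_xor(shares[:2]).hex())
```

Losing any one share is equivalent to losing the seed, which is why the article recommends keeping redundant copies rather than relying on a split alone.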
#17 — Don’t settle for bitcoin IOUs
When you buy bitcoin on an exchange or purchase shares in a bitcoin ETF, you might think you own bitcoin for all intents and purposes, but this goes against the entire nature of bitcoin.
Bitcoin is a peer-to-peer network that allows you to hold assets and transact without relying on a trusted third party. Unless you hold the keys to participate in a transaction on the bitcoin network, you do not control what happens to your bitcoin. That is not our idea of ownership.
Take self-custody with an appropriate number of keys for the amount of bitcoin you’re holding. This guide can point you in the right direction.
#18 — Don’t install remote-access software
Remote-access software is a handy way to access your device from a faraway location. There’s one significant problem with this utility from a security perspective — you’re essentially creating a backdoor into your device.
While you may be required to have this software installed on a work computer, for instance, it’s highly recommended that you refrain from installing remote-access software on a device you will use to connect to your keys. Otherwise, you never know who could be monitoring your activity from afar.
#19 — Don’t roll your own security
If you got into bitcoin early, you’re probably smart — don’t let it go to your head.
Complexity is the enemy of security. All too often, bitcoiners are tempted to come up with their own clever measures in addition to or outside of the standard security protocol. In the end, your security doesn’t have to be creative. It needs to be effective.
One concept often associated with bitcoin is “vires in numeris,” which translates to “strength in numbers.” Typically this concept is a nod to the powerful mathematics and large numbers used to cryptographically secure assets. But on another level, strength in numbers applies to getting more sets of eyes on a particular security architecture in order to spot weaknesses. If you roll your own, you're far more likely to have blind spots.
#20 — Don’t flaunt your wealth (especially on social media)
Wealth makes you a target. If you show off your wealth, you increase your probability of being targeted by an attacker. This risk increases exponentially online where information is shared far and wide at a much faster rate.
The benefits of achieving notoriety are fairly limited, and the drawbacks are nearly endless. A consistent thread in many of the physical attacks I’ve compiled over the years has been the public display of wealth. This particular aspect of security is close to home for me. I was targeted in a swatting incident several years ago in part because of my involvement in the bitcoin community.
I do not regret my life’s work in bitcoin at all, though I have expended considerable time and resources to protect myself and prevent similar attacks. Few investors have the wherewithal to perform this level of preparation. For those that don’t have the resources to uproot their lives, maintaining a low profile is an excellent strategy to avoid unnecessary threats.
#21 — Don’t rely on your memory
We’ve now arrived at our final tip. Do you remember all 20 previous tips in exact order? That’s an unlikely proposition.
The human brain is powerful but it is far from perfect. This can be especially problematic with self-custody. The math behind bitcoin and other cryptographic assets is exact. There is no “close enough” and there are no do-overs. Forgetting a simple detail can be the difference between owning your assets and rendering them unreachable.
Far too often, investors see their own security undone by their own forgetfulness, whether it’s misremembering a seed phrase or failing to recall a device PIN. And as we age, our minds often lose their ability to hold and retain information. Good security shouldn’t require you to remember every detail.
It’s okay to write some things down privately, and it’s okay to bookmark this article and refer back to it later. Each day represents an important step in a lifetime of vigilance.
Final thoughts
If you wish to own your bitcoin, it is incumbent upon you to reflect upon and exercise personal responsibility. This is a good thing. Bitcoin exists because there is no substitute for having total control over your assets.
The 21 tips I have listed above will help you protect your bitcoin far better than the majority of investors that buy and sell BTC on the open market. HODL on.
Have peace of mind your bitcoin is safe
If you’re bullish on bitcoin, it’s important to take self-custody, and Casa makes it so you don’t have to worry if you’re doing it right. Our multisig vaults and expert advisors give you all the tools you need to HODL with confidence.
Try it free for 30 days. Get started here.