Password Security Tips To Protect Your Crypto Accounts

How Secure Is Your Password?

The security of your cryptocurrency accounts depends on your ability to safeguard your login credentials. Managing passwords for countless online accounts can become burdensome, leading some people to use the same password repeatedly or create weak passwords. These practices make it significantly easier for malicious actors to access your account, compromise your identity, or even steal your assets. Safeguarding against these possibilities is critically important, which is why it’s essential to maintain best practices when choosing passwords to protect your accounts.

Low-Level Password Security

Many of the most commonly hacked passwords contain the words “password” or “qwerty,” or feature a combination of the numbers “1234567890” in a row. Further, using words that can be surmised easily — like names, proper nouns, or common numerical formulas — also jeopardize your accounts’ security. It’s also imperative to avoid including your name, birthday, or other personal references, as these can often be deduced from social media profiles. Accounts with passwords that fit these descriptions are among the most at risk of being compromised. So, review your password list periodically and if any of them have these or similarly guessable properties, they should be revised immediately.

Many websites instruct users to create complex passwords when setting up an account — ones that require more than eight characters and a combination of upper- and lowercase letters, numbers, and special characters. While this is surely an effective step in bolstering password security, it should be considered a bare minimum requirement.

More effective than a simple password is a passphrase, which contains a string of random words. For example: “DangerWisdomCantaloupeFriendship” or “MonkeyTrampolineSoupBaseball.” The more random the string of words in a passphrase, the more secure it is.

Medium-Level Password Security

If the thought of juggling numerous complex passwords seems too difficult, you may want to consider using a secure password manager. Password managers are typically encrypted vaults that contain the login credentials for all your accounts and apps. Access to the vault is controlled through one master password. Once passwords are saved in a secure password manager, they will auto populate when you visit a site for which you have a saved password. This can prevent you from entering your credentials on a phishing site. Still, this option will not protect you if your secure password manager is hacked or if your computer is lost or stolen.

An additional security measure that you can take is to set up two-factor authentication (2FA). To gain entry to your account, 2FA typically requires that you enter a one-time passcode or an SMS code (from a text message) in addition to your own password. 2FA has become a security standard in the cryptocurrency industry and provides a solid second layer of protection. With 2FA, you use your phone number or download an app, such as Authy or Google Authenticator, which you then connect to your account via QR code.

Once connected, a 2FA app generates a random code that expires every 60 seconds. The security of this method can only be compromised if an attacker gains access to both your password and the authenticator application on your device. However, 2FA that uses an SMS code cannot protect against a SIM swap attack — where an attacker steals your SIM card information — either physically or remotely — via sophisticated methods of telecommunications fraud. For this reason, most crypto exchanges recommend using Google Authenticator or a similar app that doesn’t rely on text messages —  as these options are immune to SIM swap vulnerabilities. The only way to compromise a 2FA app would be the physical theft of the device on which your 2FA app is installed (usually your phone).

High-Level Password Security

Even with personal security measures in place, your password could be exposed and compromised if a company with which you have an account is the victim of a user database hack. Recent examples of companies that have suffered database hacks include Equifax, Home Depot, and Yahoo. Thankfully, there are tools that mitigate this kind of vulnerability, e.g., WebAuthn, a web standard for user authentication on apps and services via asymmetric key cryptography.

With WebAuthn, instead of a company storing your password in its database, you are assigned a personal public and private key pair. The public key is shared with the company account to prove your identity. The private key transmits data to the account and proves that the device holds the private key, without exposing the key itself (a type of zero-knowledge proof). WebAuthn protects users from exposure to database hacks. However, if an attacker can gain  physical access to your device, they would be able to access your key pair.

Another high-security password protection measure — that can be combined with WebAuthn for maximum security — is biometric authentication, which uses a part of the human body to authenticate an account. This biometric element is often a fingerprint or an eye or face scan, but it could be any measurable part of your body. But even biometric authentication still presents some risks — albeit minimal ones — that are worth considering. A biometric scan could produce false negatives if your body is showing different levels of biometric activity at a given time — as when you’re stressed or ill, for example. Moreover,  injuring your eye, losing your index finger in an accident, and other physical traumas could limit your ability to access your account via biometric authentication. You cannot change your biometric authentication as easily as you can change a password. In addition, under extreme (though rare) circumstances, you could be forced under duress to involuntarily log in with your biometric information.

Although password security has grown in leaps and bounds, there is no single security measure that protects users from every potential online risk. Nevertheless, following password security best practices can substantially reduce the exposure of your financial accounts to hacks, thefts, and other malicious activity.