You'd never leave $100,000 in cash on your kitchen table.
But that's what a lot of people effectively do with their crypto by leaving it sitting on an exchange with a recycled password, SMS-based 2FA, and no backup plan.
The standard "security advice" online falls into two categories: thinly-veiled ads from hardware wallet companies telling you their product is the answer to everything, or generic listicles so basic they might as well just say "use a strong password" and call it a day.
This is neither. This is the checklist I give to every client who sits down with me. The one I've refined over 1,500+ coaching calls. The one I wish someone had given me five years ago, before I learned most of these lessons the expensive way.
Why Most Crypto Security Advice Misses the Point
Let me tell you about a bloke I'll call Rodney.
Rodney had about $7,000 worth of crypto - a lot of money for him - sitting in a MetaMask wallet he'd set up back in 2021.
When we got on a coaching call and tried to access it, he couldn't remember his password. No problem, I said, we'll use the seed phrase.
"My... seed phrase?"
"Yes, Rodney. The 12 words you were given when you set up the wallet. The ones you obviously wrote down and kept somewhere safe."
Long pause.
"I think," Rod said slowly, "I might have written it on a Post-it note."
"Hmmmm, OK. Where is this Post-it note then, Rodney?"
"Well... it was stuck to my monitor. But that was at my old office. Before we moved. Two years ago."
What followed was twenty-three minutes of my life I will never get back. Rodney tried his wife's birthday. His anniversary. His postcode. He tried variations of his labradoodle's name combined with various years.
Twenty-three minutes. Seven thousand dollars. One rather upset labradoodle owner.
Here's the thing. Rodney is a successful bloke. Runs a logistics company. Manages 40-odd employees. Makes decisions worth thousands of dollars on a Tuesday afternoon without breaking a sweat. But his crypto security was held together with Post-it notes, wishful thinking, and a labradoodle-based password syntax.
Rodney isn't unusual. He's the norm.
Security isn't a product you buy. It's an operating system you build.
Having a hardware wallet sitting in your desk drawer doesn't make you secure, any more than having a fire extinguisher under the sink makes you a firefighter. A hardware wallet is a component of a security system. Without the processes around it — proper backup, tested recovery, documented access, ongoing maintenance — it's just an expensive USB stick.
I've done over 1,500 one-on-one coaching calls. On at least a quarter of them, I've been faced with some variation of the Rodney situation (I call it the "Rodney Protocol").
The real threats aren't sophisticated hackers in dark rooms. They're user error, poor organisation, and the slow accumulation of "I'll sort that out later"... until one day you can't remember what you're supposed to sort out and wouldn't know how to do it anyway.
Level 1 — The Basics (Do These Today)
These take less than an hour. Most of them take less than ten minutes. The excuses for not doing them ran out a long time ago.
Dedicated Email for Crypto Accounts
Create a new email address that you use exclusively for crypto — exchanges, wallets, DeFi platforms. Use it for nothing else. No newsletters, no shopping, no sign-ups for things you'll never read.
Why? Compartmentalisation. If your personal email gets compromised in a data breach (and it probably already has — check out HaveIBeenPwned if you want a fun morning), your crypto accounts aren't exposed. Attackers can't target something they don't know exists.
I had a client who'd signed up to his exchange using the same email he used for literally everything — loyalty programs, newsletters, his local cricket club. His inbox looked like the aftermath of a spam explosion. He'd received several actual phishing emails targeting his exchange account and hadn't noticed any of them because they were buried under 400 unread messages from Kmart.
Authentication That Actually Works
Two-factor authentication using an authenticator app (Google Authenticator, Authy, or a hardware key like YubiKey). Not SMS.
Why not SMS? SIM-swap attacks. A motivated attacker calls your phone provider, convinces them to transfer your number to a new SIM, and intercepts your verification codes. It's not hypothetical — it happens regularly, and high-value crypto holders are specific targets.
A Password Manager — Non-Negotiable
Unique, long passwords for every crypto account. At least 16 characters of random noise. You don't need to remember them — that's what the password manager is for.
If you're using the same password for Coinbase that you use for your Netflix account, you're one data breach away from disaster.
I've spent literally hours on coaching calls waiting for clients to find passwords, reset them, or try variations of "what was it again?" A password vault eliminates this entirely. It costs about $5/month. That's the cheapest insurance you'll ever buy.
Device Security
Keep your operating system and browsers updated. Those update notifications you've been dismissing for three weeks? They often contain security patches for vulnerabilities that are actively being exploited.
Use a VPN when accessing crypto on any network you don't control. Coffee shop Wi-Fi is not the place to be moving significant money around. (Proton VPN offers up to 70% off with a 2-year subscription.)
For high-value transactions, consider a dedicated device — a laptop or tablet that you use exclusively for crypto. No email, no browsing, no dodgy downloads. It sits in a drawer and comes out when you need to move money.
Level 2 — Self-Custody Foundations
When You Need a Hardware Wallet
Many people consider a hardware wallet once their holdings exceed around $1,000. The cost ($80-280) is modest relative to the counterparty risk of leaving funds on an exchange — though self-custody introduces its own operational responsibilities, which this guide walks you through.
The three established options:
| Wallet | Price Range | Best For |
|---|---|---|
| Ledger (Nano S Plus / Nano X / Stax) | $80 - $400 | Wide token support, mobile connectivity |
| Trezor (Safe 3 / Safe 5) | $80 - $220 | Open-source, simple interface |
| Tangem (card wallet) | $55 - $80 | Card form factor, NFC tap-to-sign |
(Trezor and Tangem links include a 10% discount.)
I don't recommend any one of these over the others. In fact, I personally use all three (partly so that I know how they all work, and partly so that I'm not holding too much of my portfolio in one place). They're all solid, and the "best" one is the one you'll actually use. I suggest checking out all three and picking the one that best fits your preferences and budget.
For a deeper walkthrough of the setup process, see our self-custody guide.
Your Seed Phrase Is Your Master Key
Your seed phrase — typically 12 or 24 random words in a specific order — is the master backup for your wallet. If your hardware wallet breaks, gets stolen, or ends up at the bottom of a swimming pool, those words restore everything.
Write it down on paper or steel. Never store it digitally. Not in email. Not in iCloud. Not in a password manager. Not in a photo. Not in a text message to yourself.
If someone gets your seed phrase, they get everything. If you lose it and your device breaks, your funds are gone permanently. There is no recovery process.
The "Two Places" Rule
Store your seed phrase backup in a separate physical location from your hardware wallet. Home safe for one, bank safe deposit box for the other.
Why? Fire, theft, natural disaster. If both are in the same room and that room has a bad day, you've lost everything. Two locations, separated by enough distance that a single event can't destroy both.
(Unless that single event is a nuclear event or asteroid strike or some shit like that. Let's be honest, something like that's gonna take both down with it... but if that happens, I'm betting you'll probably have bigger problems on your mind than saving your seed phrase.)
Level 3 — Operational Security
Hot Wallet vs. Cold Wallet
Think of it as cash versus a safe.
Hot wallet (software wallet, connected to the internet): Walking-around money. Enough for what you need today. Not enough that losing it sends you into a spiral.
Cold wallet (hardware wallet, offline): Everything else. The bulk of your holdings sit here, offline, behind a PIN and a seed phrase. You access it when you need to move serious money, and the rest of the time it sits in a drawer doing absolutely nothing. Which is exactly what you want it to do.
Smart Contract Approvals
If you use DeFi — and even if you've only dabbled — you've probably approved smart contracts to spend your tokens. Every time you interact with a DEX, a lending protocol, or an NFT marketplace, you likely gave it permission to access your wallet.
Most people forget about these approvals entirely. They pile up over time like old standing orders on a bank account you never cancel.
Review and revoke unnecessary approvals regularly using tools like Revoke.cash. It takes five minutes. Literally five minutes. And yet almost nobody does it, because "I'll get to it later" is the most dangerous phrase in crypto security.
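To make "approvals pile up" concrete, here is an added example (not code from the article or from Revoke.cash) that replays ERC-20 Approval event logs for one wallet and lists which spenders still hold a live allowance. It assumes the standard ERC-20 Approval event layout and uses constructed placeholder addresses and log entries; the only real constant is the event's topic hash.

```python
# Added example, not code from the article: replay constructed ERC-20 Approval
# (owner, spender, value) logs and list spenders that still hold a non-zero
# allowance. A revoke is an Approval with value 0; 2**256-1 means "unlimited".
# keccak256("Approval(address,address,uint256)") is topics[0] of every ERC-20 Approval
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UINT256_MAX = 2**256 - 1

def pad_topic(addr: str) -> str:
    """Indexed address arguments are stored as 32-byte left-padded topics."""
    return "0x" + addr[2:].lower().rjust(64, "0")

def topic_to_address(topic: str) -> str:
    return "0x" + topic[-40:].lower()  # address = last 20 bytes of the topic

def current_allowances(logs, owner: str) -> dict:
    """Latest Approval per (token, spender) wins; revoked (zero) entries are dropped."""
    owner, latest = owner.lower(), {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        # ERC-721 Approval shares topics[0] but carries 4 topics; skip it
        if topics[0] != APPROVAL_TOPIC or len(topics) != 3:
            continue
        if topic_to_address(topics[1]) != owner:
            continue  # an Approval made from some other wallet
        key = (log["address"].lower(), topic_to_address(topics[2]))
        latest[key] = int(log["data"], 16)
    return {k: v for k, v in latest.items() if v > 0}

def describe(allowances: dict) -> list:
    """One line per live approval, flagging unlimited ones."""
    return [f"{t} -> {s}: {'UNLIMITED' if v == UINT256_MAX else v}"
            for (t, s), v in sorted(allowances.items())]

# Constructed sample data: placeholder addresses, not real contracts
OWNER, TOKEN_A, TOKEN_B = "0x" + "1" * 40, "0x" + "a" * 40, "0x" + "b" * 40
DEX, OLD_APP = "0x" + "d" * 40, "0x" + "e" * 40

def approval(block, idx, token, owner, spender, value):
    """Build one Approval log in the shape eth_getLogs returns."""
    return {"blockNumber": block, "logIndex": idx, "address": token,
            "topics": [APPROVAL_TOPIC, pad_topic(owner), pad_topic(spender)],
            "data": "0x" + format(value, "064x")}

SAMPLE_LOGS = [
    approval(100, 0, TOKEN_A, OWNER, DEX, UINT256_MAX),    # unlimited, never revoked
    approval(120, 3, TOKEN_A, OWNER, OLD_APP, 1_000_000),  # old dApp, finite
    approval(130, 1, TOKEN_B, OWNER, DEX, 500),            # small finite approval
    approval(150, 0, TOKEN_A, OWNER, OLD_APP, 0),          # revoke of the old dApp
    approval(160, 2, TOKEN_A, "0x" + "2" * 40, DEX, UINT256_MAX),  # another wallet
]
```

Running `describe(current_allowances(SAMPLE_LOGS, OWNER))` shows the revoked dApp gone and the unlimited DEX approval still standing, which is exactly the entry a quarterly review should catch.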
Transaction Hygiene
Three rules for every transaction:
- Test first. Send a small amount before the full transfer. Every time. No exceptions. Even if you've done it a hundred times before.
- Triple-check addresses. First few characters, last few characters, middle characters. Clipboard malware that swaps addresses is real and it is not sophisticated — it just works.
- Bookmark your exchanges. Never click a link in an email to access your exchange account. Type the URL or use a bookmark. Phishing sites that look identical to the real thing are everywhere.
Level 4 — The Stuff Nobody Talks About
The Spouse Test
This is where security stops being about hackers and starts being about your family.
If you get hit by a bus tomorrow, can your spouse or partner access your crypto? Do they know it exists? Do they know where the hardware wallet is? Do they know what a seed phrase is, let alone where yours is stored?
For most people, the answer is no. Which means your security infrastructure — the very thing protecting your wealth — is also the thing that would lock your family out of it permanently.
We've written a full guide on this: Crypto Estate Planning: How to Protect Your Family's Digital Wealth. It covers the three questions your partner needs to be able to answer and how to build an Emergency Recovery Kit.
The Quarterly Fire Drill
Prove you can actually recover your wallet. Don't just assume your seed phrase backup works — verify it.
Once a quarter:
- Confirm your seed phrase is where you think it is
- Check that the words are legible and in the correct order
- Verify your companion app and firmware are up to date
- Review your documentation
You wouldn't skip a fire drill at work. Don't skip one for your financial security.
The Checklist
Designed to be bookmarked. Print it out if you want.
Level 1 — Today:
- Dedicated email for all crypto accounts
- 2FA via authenticator app or hardware key on every account
- Password manager with unique passwords for every account
- OS and browser up to date
- VPN for any network you don't own
Level 2 — This Week:
- Hardware wallet purchased from manufacturer's website
- Seed phrase written on paper or stamped on steel
- Seed phrase stored in secure location (not with the hardware wallet)
- Seed phrase backup in a second physical location
Level 3 — This Month:
- Hot/cold wallet structure established
- Smart contract approvals reviewed and revoked where unnecessary
- Exchange URLs bookmarked (never click email links)
- Test transaction completed successfully
Level 4 — Ongoing:
- Spouse Test passed (partner knows the three questions)
- Emergency Recovery Kit created and stored securely
- Quarterly fire drill scheduled in calendar
- Firmware kept up to date through official app only
Frequently Asked Questions
What is the safest way to store cryptocurrency?
A hardware wallet (cold storage) for the majority of your holdings, with a small amount in a hot wallet for active use. But the hardware alone isn't the answer — it needs to be part of a system: proper seed phrase backup, documented access procedures, and ongoing maintenance. The safest setup is one you've tested, documented, and can recover from if something goes wrong.
Do I need a hardware wallet for Bitcoin?
If you hold more than about $1,000 in any cryptocurrency, yes. Below that, a reputable software wallet with strong 2FA is adequate. Above that, the cost of a hardware wallet ($80-280) is trivial insurance against exchange risk, hacking, and your own potential mistakes.
How do I protect my crypto wallet from hackers?
The biggest risk isn't sophisticated hackers — it's user error and phishing. Use unique passwords via a password manager, authenticator-based 2FA (never SMS), a dedicated email for crypto accounts, and never click links in emails claiming to be from exchanges. The vast majority of crypto theft is preventable with basic operational discipline.
What happens if I lose my hardware wallet?
Nothing — as long as you have your seed phrase. The hardware wallet is just a secure key for accessing your crypto on the blockchain. Your seed phrase is the master backup. Lose both the device and the seed phrase, and your funds are gone permanently. That's why the "two places" rule exists.
How often should I update my crypto security?
Review your security setup quarterly. Check for firmware updates, review smart contract approvals, verify your backup still works, and update your documentation. Security isn't a one-time setup — it's ongoing maintenance, like any other business-critical system.
Some links in this article are referral links — we may earn a small commission at no extra cost to you. Trezor and Tangem links include a 10% discount. Proton VPN link offers up to 70% off a 2-year subscription. We only reference products we've personally used. This guide teaches process and systems — it is not financial advice.
Former corporate lawyer and strategy consultant who spent 5 years going deep on crypto so you don't have to. I teach systems, not picks.