Start here: MetaMask Setup with Security Best Practices

So, you are a complete beginner and have been hearing about DeFi and Crypto. You’d also love to get started. Well, you are in the right place!

This article will be part of a beginner-friendly series created to introduce you to decentralized finance (DeFi). This series will focus on explaining common terms and providing actionable steps to the question “How do I get started with DeFi and digital assets?”

By the end of this article, you will:

• Learn the best practices for keeping your assets safe of MetaMask
• Set up a password manager
• Be able to explain MetaMask to a friend
• Setup MetaMask

MetaMask is the most popular non-custodial wallet that holds your Ethereum based assets, be it a token, NFT art, or even your Ethereum identity. Non-custodial means that MetaMask doesn’t host or store your assets. Instead, MetaMask generates passwords and keys locally on your device, so only you have access to your accounts and data. You are 100% in control of what information you share with applications, and what to keep private.

With great power (of control and privacy) comes great responsibility. Here are some simple but essential security habits that will keep you surfing Web3 applications and using DeFi applications with confidence. ESSENTIAL security habits.

THE MOST IMPORTANT SECTION:

The three most important things to know are:

1. Don’t ever share your SECRET recovery phrase.
2. Backup your SECRET recovery phrase in a couple of secure locations, such as a password manager, cold wallet, steel wallet or on a written and secured piece of paper (preferably laminated and waterproof).
3. Keep your SECRET recovery phrase secret, keep it safe.

Remember how we said that with MetaMask, you have unparalleled privacy and control over your assets? Only YOU will have access to your SECRET recovery phrase. MetaMask is not able to reset your account or get your password. Never trust anyone that asks for your SECRET recovery phrase aka SECRET recovery phrase to restore your account. Remember, the SECRET recovery phrase and SECRET recovery phrase are the same things. This is a phishing attack.

A SECRET recovery phrase (aka seed phrase) is a 12-word phrase that accesses your accounts. IT CANNOT BE RESET BY ANYONE. If shared, it is compromised and you must move your funds to a NEW WALLET immediately. If not, your account can be drained. Due to how the blockchain is designed, we CANNOT reverse transactions. Once your accounts are drained, you will NOT get your funds back.

Due to the confusion caused by this term MetaMask calls it a secret recovery phrase. NEVER share your SECRET recovery phrase aka secret recovery phrase. From here on in we will call it a secret recovery phrase, but be aware that a SECRET recovery phrase is a secret recovery phrase.

Phishing is a form of social engineering where a hacker impersonates a trustworthy entity to get sensitive information from a target such as data, usernames, passwords or any other sensitive details. An example might be someone on Telegram offering to help you if you send them your secret recovery phrase.

Unlike traditional accounts you might have with a Web2 company, neither MetaMask nor anyone else are able to reset your account or retrieve a password.

The point of being decentralized is that you alone have complete control over these important keys. A simple explanation is, “not your keys, not your wallet”. If you do not ultimately control the keys to your financial castle, it’s not yours. We will explain more in-depth why this is a powerful new concept for the web in a future post to keep this article focused and actionable.

If you could lose sleep because of possible lost funds, then you should take this section seriously. Adopting these habits and setup will help keep your funds safe in the long run.

Set up your Password Manager:

Before you set up MetaMask, we should set up a password manager. Password managers are a unicorn in the security field since they increase convenience and security. Usually, one comes at the expense of the other.

What is a password manager? It is a tool that securely stores your passwords by encrypting them and providing one master password to access all of them. Using one frees

you up to only remember one password to access all your other passwords securely.

Why do you need a Password Manager?

1. They will make your life easier since you will only have to remember one password.

2. They generate passwords that are random, long, and hard to hack for better security.

3. They create new passwords so you won’t have to reuse old ones.

4. You can store your MetaMask secret recovery phrase here initially to reduce the chance of losing your information.

Some popular password managers are 1Password and LastPass. There are others as well. Pick the one that has reviews from credible sources and works best for you. It is highly recommended you get the paid version. If you plan on having more crypto than the cost of a yearly subscription, then it is a good trade-off for greater security.

Hackers can access your crypto by breaking into your email accounts, impersonating your phone number and/or leveraging your digital presence to trick others into revealing personal information. By completely hardening your passwords across all accounts, you can reduce these attacks.

How To Create A Strong Password for your Password Manager: The Mind Map Method

1. Think of the layout of your childhood room or the location of a personal non-public place that doesn’t exist anymore.
2. List the items in the order you walk into the room or location.
3. Use this list as a password.
4. Add special characters and symbols in between each word to make brute force cracking harder.
5. The longer the password, the more secure.

An example can be:
$LedZeppelinPoster.Chair.Be@nb@g.Bed99%

DON’T:

1. Reuse the master password used elsewhere for password manager.

2. Saving your password manager’s master password in phone’s notes, email or on your desktop.

DO:

1. Practice entering the master password often to memorize it.

2. Create a unique and memorable master password.

3. Make your master password typable and easy enough to remember for you.

Backup your password manager account:

Once you set up your password, download the emergency backup kit for your password. Print this piece of paper and save it in a SECURE location. If the location is fireproof, it is even better. This emergency backup kit will help reset your password manager’s master password in case you forget it.

Don’t be like this guy…Sorry Stefan. Hope you get access one day.

Or these guys. Avoid the problems. An ounce of prevention, beats doing math to calculate how much you would have had.

Ninja Level Password Management:

Configure your password manager in this form to increase your security further.

1. If you have 1Password, download and print your password manager’s emergency kit. Place this in a waterproof ziplock bag. Then place it in a safe place that is ideally fire and waterproof. See LastPass’s security tips for backups.

2. Set your password manager to auto-lock.

3. Automatically lock if idle or the screensaver comes on.

4. Automatically lock when logging off or exiting the application

5. Configure your password manager to lock the program after 1 minute. This configuration keeps you safe if you walk away from the computer briefly.

6. Remove Mac’s TouchID as an option to sign in and use the master password. You might have to access your information on a machine without Touch ID. Typing your master password often will help you remember it.

7. Clear the clipboard 20 - 30 seconds after copying. This option gives you enough time to paste your password, clears fast enough to avoid someone pasting and sending it to themselves.

8. Follow these additional security tips from LastPass and 1Password.

What if I have multiple password managers?
Pick one and consolidate your passwords there. You can opt to have a secondary password manager in case of an emergency with the essential information.

NOTE: The more avenues to access the password, the less secure the manager becomes. Choose wisely.

Setting Up MetaMask:

Did you set up your password manager? If not, go back and do so.

Now that you have set up your password manager, you will be able to securely save your secret recovery phrase in an encrypted location. Let’s set up your MetaMask Wallet.

Although some people may say that password managers are not decentralized enough, the article suggests pragmatic and easy to do instructions for people new to cryptocurrencies. Using a password manager strikes a balance between ease of use, good habits, and responsible security habits. This results in a new user having a higher chance of adopting better security. If someone wants to create a decentralized password manager, please have at it.

First, go to the MetaMask.io website.

Make sure to go to MetaMask.io. DO NOT google MetaMask and click on the link without checking the URL. Hackers often try to buy search engine ads and place exact copies of the MetaMask website with malicious software to steal your crypto.

Be careful and please go to the official MetaMask.io website.

Once in MetaMask.io website, click “downloads” and choose your browser.

Pro tip: Bookmark the official browser to avoid future confusion. Be a pro.

If you have Chrome, click add to Chrome. This process would be similar to other browsers.

After installing MetaMask, it’s time to set up your wallet. If you are creating a new wallet, click “create a wallet”.

You can agree to an optional policy to allow MetaMask to collect information to improve the product.

Once you choose, you will be prompted to create a password.

This password exists only to prevent unauthorized people from accessing your MetaMask account on your computer. If you were to type this password in a new computer it WILL NOT load up your MetaMask assets.

DON’T:

1. Reuse a password used elsewhere.

2. Reuse your password manager’s master password.

3. Tell others your password.

DO:

1. Use a unique password you can type in and remember.
2. Practice typing the password in.

The following SECRET recovery phrase is what accesses your funds.

Your SECRET recovery phrase:

A SECRET recovery phrase is a series of random words which act as your wallet’s password. The SECRET recovery phrase opens access to your funds. This SECRET access code is generated for your wallet and is FOR YOUR EYES ONLY. Never share it to ANYONE, especially people claiming to be from MetaMask.

Treat your secret recovery phrase (aka SECRET recovery phrase) with the same respect as your banking password. Would you share that? NO. Not even if a “customer service representative” asked for it.

NEVER share your SECRET recovery phrase with anyone. ESPECIALLY people claiming to be “MetaMask Support” and wanting to help with an issue. A common example of phishing and it occurs all the time.

MetaMask DOES NOT offer support via Telegram or Reddit. We will NEVER need your SECRET recovery phrase to help you. It’s a secret for a reason.

NEITHER you nor MetaMask can reset or change the words that make up your SECRET recovery phrase. MetaMask CANNOT recover your SECRET recovery phrase if you lose it. Learn why here.

If there are two things you learn from this article it is:

1. DON’T EVER SHARE YOUR SECRET RECOVERY PHRASE.
2. SAVE YOUR SECRET RECOVERY PHRASE SOMEWHERE SECURE.

Saving your SECRET recovery phrase:

Behind the lock are 12 common words that act as your password to access your wallet. Save these in your password manager. DO IT NOW. Don’t be like the guy who can’t access his wallet… Sorry Stefan.

DO NOT PROCEED UNTIL YOU SAVED YOUR SECRET RECOVERY PHRASE IN A SECURE AREA.

Note: If you save your SECRET recovery phrasein an external hard drive, please don’t throw it away by mistake, then ask a city to dig up a landfill…. Sorry James.

Now you will confirm your SECRET recovery phrase aka your SECRET Backup Phrase.

Choose the words you saved into your password manager or a secure location in the correct order.

Once you’ve confirmed your SECRET recovery phrase, CONGRATULATIONS! You are all set up.

Ideally you SHOULD save your backup in multiple locations.

Let’s say for some reason you need your SECRET recovery phrase again. You can follow these instructions to do so here.

Here is a way to get your SECRET recovery phrase in case you need it again. But, by now you should have backed them up right? Don’t be that person who loses their keys.

Remember: Not your keys, not your wallet.

In the next article, we will teach you how to add ETH to MetaMask, browse different applications, and send tokens to a friend.

Reflection Questions:
What is MetaMask?

What is Phishing?

What is a SECRET seed phrase?
What is a SECRET recovery phrase?
Why does the SECRET seed phrase do?
If MetaMask support asks you for your seed phrase or SECRET recovery phrase, what do you say?

Who can prevent phishing?

Now it’s time to put your skills to work:

• Practice entering your password manager’s master password.
• Place your printed password manager’s emergency kit in a secure and waterproof location.

Series Disclaimer:
This series article is intended for general guidance and information purposes only for beginners participating in cryptocurrencies and DeFi. The contents of this article are not to be construed as legal, business, investment, or tax advice. You should consult with your advisors for all legal, business, investment, and tax implications and advice. ConsenSys is not responsible for any lost funds. Please use your best judgment and practice due diligence before interacting with smart contracts.