Basic Safety and Security Tips for MetaMask

New to crypto and web3?

Head to MetaMask Learn for a straightforward learning experience designed specifically for newcomers to web3. It's completely free, available in multiple languages, and includes useful tools such as simulations to help you find your feet with MetaMask.

What is a Secret Recovery Phrase and how do I back it up?

The use of a seed phrase, or Secret Recovery Phrase, is a standard most crypto wallets use. It's generated randomly when you create your MetaMask wallet, and provides access to all the accounts (addresses) within your wallet.

You receive the 12-word Secret Recovery Phrase when you first create your wallet. MetaMask does not control any of your personal or private data on our servers. Everything is encrypted in your browser and protected via your MetaMask password. So, when you lose your MetaMask accounts and need to restore them, you can only do that with your Secret Recovery Phrase.

When you restore your MetaMask wallet using your Secret Recovery Phrase, it restores MetaMask accounts too, in certain circumstances. If you have imported accounts, you will have to import them again.

Why you need to store your Secret Recovery Phrase

MetaMask is not a cloud-based solution. If your device breaks, is lost, stolen, or has data corruption, there is no way for the MetaMask Support team to recover this for you. This Secret Recovery Phrase is the only way to recover your MetaMask accounts.

Don't share your Secret Recovery Phrase and private keys

Anyone who has your Secret Recovery Phrase or private keys can control your assets, and therefore send tokens out of your accounts. Never share them with anyone, including the MetaMask team or anyone claiming to represent us.

We will never ask you to provide your Secret Recovery Phrase. If someone claims that we do, do not share it. If you encounter someone who claims to be a MetaMask or MetaMask Support team member, or who asks for your Secret Recovery Phrase and/or private keys, report them by getting in touch with Support.

This applies to websites and apps, as well. The only legitimate situations where you'll need to enter your Secret Recovery Phrase are:

  • When you're creating your wallet for the first time, since you need to input certain words from the phrase to confirm you've recorded it.
  • If you're restoring your wallet on a new device or from a fresh install, or you reset your password (a similar process).

There are, however, scammers who try to simulate these two situations. For more information, see: How do I recognize the real MetaMask?

If you have a large value of tokens in your account(s), consider getting a hardware wallet.

Hardware wallets are commonly thought to be the safest way to store your tokens. They are often referred to as 'cold' wallets, since they're disconnected from the internet most or all of the time. This approach means your private keys are never reachable by bad actors online, with the hardware wallet itself required to sign (authorize) any transactions.

There is no such thing as too much safety. The basic guide here is by no means comprehensive. Keep learning how to better protect your tokens from the community, informative materials, or discussion channels.

Additional resources

Here are some additional resources to keep your computer safe:

What are token approvals and why are they important?

Token approvals grant permission for a dapp to access and move a specific type of token and token amount from your wallet. If you are not careful about which token approvals you grant in your MetaMask wallet, they can become an attack vector for draining your wallet.

To prevent this, follow these guidelines:

  • Always check what a dapp is actually requesting before clicking 'approve'. In MetaMask, you can also adjust the amount that the dapp has access to. Even if you only provide access to 10% of your tokens, and the dapp turns out to be a scam, that's still a considerably better outcome than if you'd granted unlimited access.
  • DYOR. The best time to get in the habit of performing due diligence on any dapp before interacting with it was six months ago; the second best time is today. Look out for misspellings, low-quality images/logos, and other giveaways.
  • Remember that if something seems too good to be true, it probably is. If you're being offered 498,563% APY, you're probably on thin ice.
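
To make "check what a dapp is actually requesting" concrete, here is an added example (not MetaMask's own code): for ERC-20 tokens an approval is sent as an `approve(address,uint256)` call, and this sketch decodes that call data and reports whether the amount is unlimited and what share of a balance it exposes. The function names, spender address and balance are hypothetical, constructed values.

```javascript
// Added example: decode ERC-20 approve(address spender, uint256 amount) call data
// and report how much of a balance the approval exposes.
const APPROVE_SELECTOR = "095ea7b3";     // first 4 bytes of keccak256("approve(address,uint256)")
const MAX_UINT256 = (1n << 256n) - 1n;   // value commonly used for "unlimited" approvals

function decodeApproval(calldata) {
  const hex = calldata.toLowerCase().replace(/^0x/, "");
  // 4-byte selector + two 32-byte ABI words = 136 hex characters
  if (!/^[0-9a-f]{136}$/.test(hex)) {
    throw new Error("not a well-formed approve() call: wrong length or non-hex data");
  }
  if (hex.slice(0, 8) !== APPROVE_SELECTOR) {
    throw new Error("selector is not approve(address,uint256)");
  }
  const spenderWord = hex.slice(8, 72);
  // An address is 20 bytes, left-padded with 12 zero bytes inside its 32-byte word
  if (!/^0{24}/.test(spenderWord)) {
    throw new Error("spender word has non-zero padding");
  }
  return {
    spender: "0x" + spenderWord.slice(24),
    amount: BigInt("0x" + hex.slice(72, 136)),
  };
}

function reviewApproval(calldata, balance) {
  const { spender, amount } = decodeApproval(calldata);
  let risk;
  if (amount === 0n) risk = "revoke";                 // zero allowance removes access
  else if (amount === MAX_UINT256) risk = "unlimited";
  else if (amount > balance) risk = "exceeds-balance";
  else risk = "bounded";
  // Share of the current balance the spender could move, in percent (capped at 100)
  const movable = amount > balance ? balance : amount;
  const exposedPercent = balance === 0n ? 0 : Number((movable * 100n) / balance);
  return { spender, amount, risk, exposedPercent };
}

// Constructed sample data: placeholder spender, balance of 1,000 tokens with 18 decimals
const word = (n) => n.toString(16).padStart(64, "0");
const SAMPLE_SPENDER_WORD = "aa".padStart(64, "0");
const SAMPLE_BALANCE = 1000n * 10n ** 18n;
const unlimitedCall = "0x" + APPROVE_SELECTOR + SAMPLE_SPENDER_WORD + word(MAX_UINT256);
const tenPercentCall = "0x" + APPROVE_SELECTOR + SAMPLE_SPENDER_WORD + word(SAMPLE_BALANCE / 10n);

console.log(reviewApproval(unlimitedCall, SAMPLE_BALANCE));
console.log(reviewApproval(tenPercentCall, SAMPLE_BALANCE));
```
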

For a more detailed explanation of token approvals and how to manage them, please read the following article.