User Guide: Secret Recovery Phrase, password, and private keys
Head to MetaMask Learn for a straightforward learning experience designed specifically for newcomers to web3. It's completely free, available in multiple languages, and includes useful tools such as simulations to help you find your feet with MetaMask.
MetaMask: a different model of account security
Public blockchain technology uses a very different set of tools to secure user data, compared to traditional online technologies. Most of us are used to creating an account with an app or service and being able to, for example, write to support to reset our password or username. We're used to the app keeping our data, presumably on some sort of computer that belongs to the company.
Well... MetaMask doesn't work like that. MetaMask has three different types of secret that are used in different ways to keep your wallet, and your accounts, private and safe: The Secret Recovery Phrase, the password, and private keys. We'll walk you through these secrets one at a time.
Intro to Secret Recovery Phrases
One of the key technologies underlying MetaMask, and most user account-related tools in the crypto space, is the seed phrase or, as it's referred to in MetaMask, your Secret Recovery Phrase (SRP).
All of your accounts are mathematically derived from your Secret Recovery Phrase. You can think of the SRP like a keyring that holds as many private keys as you could want, and each one of those keys controls an account.
Now, if you want a more technical explanation:
Seed phrases as we know them today were codified for use in Bitcoin, in a standard referred to as Bitcoin Improvement Proposal 39, or BIP-39. BIP-39 codifies, among other things, specific lists of words in different languages; a highly randomized selection of these words is then used to create a seed phrase, or Secret Recovery Phrase.
In MetaMask there are 12 words in a seed phrase. Some older seeds, and some generated by e.g. hardware wallets, use 18- or even 24-word phrases.
Each one of these words corresponds to a series of numbers, and the words, placed in a specific order, represent a very, very long number in a much more user-friendly, memorable form. That number is then used to deterministically generate your accounts, which is why you may hear people refer to deterministic wallets. In computer science, deterministic describes a process (usually an algorithm of some kind) that will always generate the same result from the same input. In other words, your Secret Recovery Phrase will always generate the same set of accounts.
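The word-to-number mapping and the deterministic seed step described above, written out following the BIP-39 specification. This is an added example, not MetaMask's code; the function names are chosen here, and the phrase used is the public all-zero BIP-39 test vector.

```python
import hashlib
import unicodedata

# Public BIP-39 test vector (all-zero entropy), used here as sample input only.
TEST_MNEMONIC = " ".join(["abandon"] * 11 + ["about"])


def entropy_to_indices(entropy: bytes) -> list[int]:
    """Turn raw entropy into the 11-bit word indices of a BIP-39 phrase.

    Each index selects one word from the 2048-word list (2**11 == 2048).
    A checksum of ENT/32 bits, taken from SHA-256(entropy), is appended,
    so 128 bits of entropy give 132 bits, which is exactly 12 words.
    """
    if len(entropy) not in (16, 20, 24, 28, 32):
        raise ValueError("BIP-39 entropy must be 128 to 256 bits in 32-bit steps")
    ent_bits = len(entropy) * 8
    cs_bits = ent_bits // 32  # 4 bits for 12 words, 8 bits for 24 words
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    value = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    n_words = (ent_bits + cs_bits) // 11
    return [(value >> (11 * (n_words - 1 - i))) & 0x7FF for i in range(n_words)]


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP-39 seed: PBKDF2-HMAC-SHA512, 2048 rounds, salt 'mnemonic' + passphrase."""
    def norm(text: str) -> bytes:
        return unicodedata.normalize("NFKD", text).encode("utf-8")
    return hashlib.pbkdf2_hmac(
        "sha512", norm(mnemonic), norm("mnemonic" + passphrase), 2048, 64
    )


if __name__ == "__main__":
    # In the English list, index 0 is "abandon" and index 3 is "about".
    print(entropy_to_indices(bytes(16)))
    seed = mnemonic_to_seed(TEST_MNEMONIC)
    print(seed.hex())
    # Same words, different order: a completely different seed (and wallet).
    reordered = " ".join(reversed(TEST_MNEMONIC.split()))
    print(mnemonic_to_seed(reordered).hex())
```

The 64-byte seed is the input to the key derivation that yields one private key per account; that step is not shown here.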
There are a number of important features to note here:
- The Secret Recovery Phrase is the secret that controls the wallet.
  - If someone has this secret, they have complete access to the wallet, and all accounts generated by it.
- MetaMask does not keep your SRP: you are the custodian of your wallet.
  - MetaMask representatives will never ask for your Secret Recovery Phrase, even in a customer support scenario. If someone does ask for it, they are trying to scam you or steal your funds.
- Your SRP is used locally to derive private keys, one per account/address.
  - Accounts exist on the blockchain, and these private keys unlock those accounts.
- It is possible to import accounts from other SRPs and private keys.
  - However, these accounts will not be automatically restored by MetaMask in another instance; you will have to manually re-add them, unless you have a Google/Apple account connected to MetaMask, in which case all connected accounts (except hardware wallets) will be automatically restored.
  - For other scenarios, if you have manually imported accounts, make note of their private keys, in the same way you did your seed phrase, in order to be able to re-import them in the future.
- If you uninstall the app or the extension, you will likely lose access to your data and accounts.
  - Your data is stored locally in an encrypted vault, from which you can recover an SRP under some circumstances.
  - Any transactions you performed with that local version of MetaMask, even if you delete it, will have been recorded on the blockchain.
    - Therefore, the transactions should be reflected on a block explorer.
    - And you can continue using those accounts in another instance of MetaMask, so long as you restore using the same Secret Recovery Phrase (with the words in the same order).
Bottom line: so long as you have your Secret Recovery Phrase, you will always be able to uninstall MetaMask and restore your wallet.
MetaMask Secret Recovery Phrase: Dos and Don'ts
Do
- Write down your Secret Recovery Phrase somewhere safe. We can’t tell you precisely where, as that depends on your circumstances.
- The importance of handwriting your Secret Recovery Phrase is that it cannot be stolen online. If you store it in a file in an internet-linked cloud storage folder, for example, it could theoretically be stolen.
- Double-check your spelling and that you wrote down every word in the same order they were given.
- Reach out to MetaMask Support's official channels if you need help.
Don't
- Keep it in an easily discovered location, like a post-it note stuck to your computer.
- Keep it in an easily hacked location, like a cloud-saved document or an email titled ‘Seed Phrase’.
- Provide your seed phrase to anyone, even if they say they’re from MetaMask Support.
- Change the order of the words.
Secret Recovery Phrase FAQs
My seed phrase restored a different account!
Please consult the knowledge base article on this topic here. In addition, see the Community thread here for more context and background information.
Other FAQs:
How to reveal your Secret Recovery Phrase
How do I access my accounts without my Secret Recovery Phrase?
Importing a seed phrase from another wallet software: derivation path
How to check my wallet activity on the blockchain explorer
What is a Secret Recovery Phrase and how do I keep my wallet safe?
Passwords and MetaMask
MetaMask uses passwords for a single purpose: to secure the app itself; in other words, to open the app, be it the Mobile app or the in-browser Extension. Once you've restored or created your wallet from your Secret Recovery Phrase, you won't need it regularly (although you should keep it backed up and safe), and you will use your password (or more commonly on Mobile, biometric authentication such as facial recognition or your fingerprint) to unlock the app. For more details, see our article here.
MetaMask traditionally uses passwords to secure the app itself; in other words, to open the application. When your application (Extension or Mobile) locks, your password is used to unlock it. You should make sure to set a strong password and to securely back it up. MetaMask cannot help you recover your password if you forget it.
If you've connected your Google or Apple account to MetaMask, your password helps you unlock the application, and also helps you access your SRP. Your SRP is sharded across five different and encrypted. Only the combination of your Google/Apple account and your password can decrypt and access your SRP; you need both to access your SRP and MetaMask.
Private keys
While a Secret Recovery Phrase is used to create and restore your wallet, including all accounts created in that wallet, each account has its own private key. This key can be used to import that account, and that account only, into a different wallet. Similarly, single accounts from other crypto wallets can be imported to your MetaMask.