Securing your Secret Recovery Phrase and password

MetaMask uses a different security model than traditional apps. There’s no password or centralized account recovery; you are in full control of your wallet and the assets within it. This guide explains the different elements that protect your wallet so you can keep your assets secure:

TL;DR

Your SRP is the foundation of your wallet; your password’s importance depends on your setup. Read on to dive deeper into each of these components and best practices to secure your wallet.

Remember: MetaMask cannot recover your wallet for you. Your wallet is created using an SRP and your password and/or login method protects access to your wallet per device. If you lose access to your SRP—or the means to access your wallet through Google/Apple login—your funds cannot be recovered. This is important to understand when using MetaMask, or any other self-custodial wallet.

Secret Recovery Phrases

Your Secret Recovery Phrase (SRP), also known as a seed phrase, is a unique 12-word phrase that is generated when you first set up MetaMask. The accounts that hold your tokens are derived from it. If you ever lose your password, your SRP allows you to recover your wallet and your funds.

  • It is the master key to your wallet (whoever controls the SRP controls the wallet)
  • It is used to generate and recover your accounts and balances
  • It is used to restore your wallet on a new device

When you create a new wallet, MetaMask generates a unique 12-word SRP for you. Some other wallets use 18 or 24-word SRPs.

Regardless of setup method, the SRP is the ultimate control over your wallet. Anyone who can access your SRP can control your funds. MetaMask cannot recover your wallet if access is lost. How you access and store your SRP depends on how you created your wallet:

  • Your SRP is shown to you during setup
  • You are responsible for storing it securely
  • You can use it anytime to restore your wallet (on the same device or other devices)
  • You directly control and manage your SRP

Passwords and MetaMask

Your MetaMask password is used to unlock your wallet and protect access to it. However, its role depends on how your wallet was created:

  • Your password unlocks MetaMask on that device
  • It does not recover your wallet
  • If you forget it, you can restore access using your SRP

In this scenario, your password unlocks local access only (the device you're using). Your SRP is the key to full ownership and recovery.

Private keys

Each account in your wallet has its own private key, derived from the SRP. This is a long cryptographic string that controls a single account. It can be used to import and export that account, and that account only, into another wallet.

Unless you're a developer, you probably won't need to know about private keys. Like your SRP, private keys must never be shared.

If you need to learn more about importing an account with a private key, see here.
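An added illustration, not MetaMask's own code, of why every word, its spelling and its position matter: assuming the SRP is a standard BIP-39 mnemonic (the page does not name the standard), the phrase is stretched into a seed and the seed into a BIP-32 master key from which each account's private key descends. The phrase below is the public BIP-39 test vector, never a real wallet, and the function names are this example's own.

```python
import hashlib
import hmac
import unicodedata

# Public BIP-39 test vector (all-zero entropy). Constructed sample input only.
TEST_PHRASE = "abandon " * 11 + "about"


def srp_to_seed(phrase, passphrase=""):
    """BIP-39: stretch the phrase into a 64-byte seed (PBKDF2-HMAC-SHA512)."""
    # Words are joined by single spaces and NFKD-normalized before hashing.
    words = unicodedata.normalize("NFKD", " ".join(phrase.split()))
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode(), salt.encode(), 2048, 64)


def master_key(seed):
    """BIP-32: HMAC-SHA512 of the seed gives master private key + chain code."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def fingerprint(phrase):
    """Short, non-reversible label for the master key a phrase leads to."""
    key, _chain = master_key(srp_to_seed(phrase))
    return hashlib.sha256(key).hexdigest()[:16]


def compare_variants(phrase):
    """Show how small transcription mistakes change the resulting wallet."""
    words = phrase.split()
    swapped = " ".join(words[:-2] + [words[-1], words[-2]])  # last two swapped
    typo = " ".join(words[:-1] + [words[-1][::-1]])          # last word misspelled
    return {
        "as written": fingerprint(phrase),
        "two words swapped": fingerprint(swapped),
        "one word misspelled": fingerprint(typo),
    }


if __name__ == "__main__":
    for label, fp in compare_variants(TEST_PHRASE).items():
        print(f"{label:20} -> {fp}")
```

The seed step itself accepts any string, so a swapped or misspelled phrase silently yields a different, empty wallet; wallets catch most such mistakes with a separate checksum over the wordlist, which is omitted here, as is the per-account child derivation.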

SRP Dos and Don'ts

Do

  • Write down your Secret Recovery Phrase somewhere safe. We can’t tell you precisely where, as that depends on your circumstances.
  • The importance of handwriting your Secret Recovery Phrase is that it cannot be stolen online. If you store it in a file in an internet-linked cloud storage folder, for example, it could theoretically be stolen.
  • Double-check your spelling and that you wrote down every word in the same order they were given.
  • Reach out to MetaMask Support's official channels if you need help.

Don't

  • Keep it in an easily discovered location, like a post-it note stuck to your computer.
  • Keep it in an easily hacked location, like a cloud-saved document or an email titled ‘Secret Recovery Phrase’.
  • Provide your Secret Recovery Phrase to anyone, even if they say they’re from MetaMask Support.
  • Change the order of the words.

Security tips

Don't share your SRP and private keys with anyone

This has been mentioned already, but it doesn't hurt to be thorough: anyone who has your SRP or private keys can remove tokens from your accounts. Never share your SRP or private keys with anyone — not even the MetaMask team, even though we will never ask you for this information.

If anyone claims to be a MetaMask team member and asks you for this information, please report them immediately using our official support channels.

Store your SRP somewhere secure and offline

Do not store your SRP online. Online storage, such as the cloud or a password manager, is not secure and is vulnerable to hacks.

Instead, store your SRP in a secure, physical location that only you have access to and that you won't forget.

Use a strong, unique password

With Google/Apple wallet setup, your password is essential to accessing your wallet or logging in on new devices. You can use a password manager to generate a strong password. Computer-generated passwords are more secure than passwords you create yourself. We don't necessarily recommend storing your password in a password manager online as they can be susceptible to hacks.

If your wallet has a high value of assets, consider getting a hardware wallet.

Hardware wallets, like Trezor and Ledger, are commonly thought to be a safer way to store your tokens. They store the private keys offline, meaning you need to be in physical possession of the wallet to sign transactions — a considerable barrier to online scammers.

Regularly update your systems and software

Make sure to keep your browsers, operating systems, and MetaMask versions up to date. Updates to this software frequently include critical security enhancements. See more here.
