What is a 'Secret Recovery Phrase', and how to secure your wallet
Head to MetaMask Learn for a straightforward learning experience designed specifically for newcomers to web3. It's completely free, available in multiple languages, and includes useful tools such as simulations to help you find your feet with MetaMask.
Your Secret Recovery Phrase (SRP) is a unique 12-word phrase that is generated when you first set up MetaMask. The accounts that hold your tokens are derived from it. If you ever lose your password, your SRP allows you to recover your wallet and your funds.
Write it down on paper and hide it somewhere, or put it in a safety deposit box. Some users even engrave their phrases into metal plates! (Storing your SRP in a physical, offline format eliminates the risk of hacking.)
What's the difference between a Secret Recovery Phrase and a password? Why do I need both?
MetaMask locally encrypts your secret recovery phrase with your password. That means that when you lock your wallet, no one can use your funds until you enter your password again.
If you forget your password, you can regain access to your account with the SRP, as it's the key to access your wallet that only you hold. It's important to know that neither MetaMask nor anyone else can change or recover your seed phrase if it's lost. Please guard it well!
For more information on this, see here.
Self-Custody
With MetaMask, control over your wallet belongs to the holder of a master key (that's YOU!).
Not even the team at MetaMask can help you recover your wallet and its accounts if you lose your Secret Recovery Phrase. As long as you keep this phrase safe and sound, no one can sign unauthorized transactions from your wallet's account(s).
There are a lot of benefits to using a self-custody wallet. For example:
- No institution can manipulate your access to your funds. Ever heard the phrase "not your keys, not your crypto"? Well, this is what it refers to. If you use a custodial wallet (where an organization or third party essentially controls the wallet, and acts according to your instructions), there's very little other than trust preventing the custodian from making off with your funds.
- No merchant you transact with via MetaMask can access more of your personal data than you reveal.
- Your MetaMask wallet can be used almost like a passport, enabling digital proof of identity. The Ethereum Name Service (ENS) is perhaps the most prominent example that self-custodial wallet ownership is increasingly following this route.
The trade-off? Because a MetaMask wallet is self-managed, the responsibility for keeping that wallet safe is entirely yours.
Never ever share your Secret Recovery Phrase with anyone. Sharing your SRP with someone would be like handing over the PIN code to your bank card, or the keys to your house. It would give that person the ability to access and transfer all of your funds. The MetaMask team will never ask you for it. If anyone or any website asks you to share it, they're trying to scam you.
If you're more of a visual learner, this quick video should help.
How to reveal (and recover) your Secret Recovery Phrase
You'll be prompted to set your SRP and password when you first install MetaMask. If you lose your SRP, you should be able to recover it if you remember your password and you have a copy of your vault data (files automatically created on the device you use to access MetaMask, so you need both the device and your password).
However, there are only certain circumstances where this is possible. See our guide here to establish whether this is an option for you.
If you lose your Secret Recovery Phrase and forget your password, there is no way to recover the phrase and access your account.
Security tips
Here are a few basic security tips to help you keep your wallet secure:
Don't share your SRP and private keys with anyone
This has been mentioned already, but it doesn't hurt to be thorough: anyone who has your SRP or private keys can remove tokens from your accounts. Never share your SRP or private keys with anyone — not even the MetaMask team, even though we will never ask you for this information.
If anyone claims to be a MetaMask team member and asks you for this information, please report them immediately using our official support channels.
Store your SRP somewhere secure and offline
Do not store your SRP online. Online storage, such as the cloud or password managers, is not secure and is vulnerable to hacks.
Instead, store your SRP in a secure, physical location that only you have access to and that you won't forget.
If you have a large number of tokens in your accounts, consider getting a hardware wallet.
Hardware wallets, like Trezor and Ledger, are commonly thought to be a safer way to store your tokens. They store the private keys offline, meaning you need to be in physical possession of the wallet to sign transactions — a considerable barrier to online scammers.
Regularly update your systems and software
Make sure to keep your browsers, operating systems, and MetaMask versions up-to-date. Updates to this software frequently include critical security enhancements.
These are basic tips, but are by no means an exhaustive list of security options. Keep on top of token security trends and updates by learning from the Ethereum community, reading helpful material (like this post) and joining discussion channels like this.
If you see members of the community struggling with security, feel free to share this post. Remember, if you need any help, or would like to report accounts that are imitating MetaMask, get in touch.
Got any more questions? Check out our FAQs, other articles on this page, or get in touch with MetaMask Support by starting a conversation on the bottom right of the screen.