Basic safety and security tips for MetaMask
New to crypto and web3?
Head to MetaMask Learn for a straightforward learning experience designed specifically for newcomers to web3. It's completely free, available in multiple languages, and includes useful tools such as simulations to help you find your feet with MetaMask.
What is a Secret Recovery Phrase and how do I back it up?
A seed phrase, or Secret Recovery Phrase, is a standard used by most crypto wallets. It's generated randomly when you create your MetaMask wallet, and provides access to all the accounts (addresses) within that wallet.
When you first create a wallet, you will be prompted to write down your Secret Recovery Phrase (SRP), or connect your Google or Apple account to MetaMask. While both options have an associated SRP, they function differently in the backend.
If you secure your SRP yourself and do not connect a Google or Apple account to MetaMask, MetaMask does not hold any of your personal or private data on our servers. Everything is encrypted in your browser and protected by your MetaMask password. So, if you lose access to your MetaMask accounts and need to restore them, you can do so only with your SRP. In this case, your SRP is the single point of failure for access to your accounts.
If you connect your Google or Apple account to MetaMask, your SRP is encrypted and sharded across five different nodes. Only your Google or Apple account and password can access and decrypt all five shards. In this case, your Google/Apple account and password are your two points of failure. Because of this, make sure you do not reuse your Google/Apple password for your MetaMask password. The two passwords should be completely unique. We also recommend you still secure your SRP in case you lose your password or Google/Apple account.
Why you need to store your Secret Recovery Phrase
MetaMask is a self-custody wallet. Whoever has access to an SRP has access to all of its accounts. If your device breaks, is lost, stolen, or has data corruption, there is no way for the MetaMask Support team to recover your SRP for you.
Don't share your Secret Recovery Phrase and private keys
Anyone who has your SRP or private keys can control your assets, and therefore send tokens out of your accounts. Never share them with anyone, including the MetaMask team or anyone claiming to represent us.
We will never ask you to provide your SRP. If someone claims that we do, do not share it. If you encounter someone who claims to be a MetaMask or MetaMask Support team member, or who asks for your SRP and/or private keys, report them by getting in touch with Support. If anyone else asks for your SRP and/or private keys, assume they are trying to steal all of your assets.
This applies to websites and apps, as well. The only legitimate situations where you'll need to enter your SRP are:
- When you're creating your wallet for the first time, since you need to input certain words from the phrase to confirm you've recorded it.
- If you're restoring your wallet on a new device or from a fresh install, or you reset your password (a similar process).
There are, however, scammers who try to simulate these two situations. See here for more information: How do I recognize the real MetaMask?
If you have a large value of tokens in your account(s), consider getting a hardware wallet.
Hardware wallets are commonly thought to be the safest way to store your tokens. They are often referred to as 'cold' wallets, since they're disconnected from the internet most or all of the time. This approach means your private keys are never reachable by bad actors online, with the hardware wallet itself required to sign (authorize) any transactions.
Don't share your password(s)
You should never share any of your passwords with anyone, but for now, we will focus on your MetaMask password. If you connect your Google or Apple account to MetaMask, your password is required to access your accounts.
MetaMask Support will never ask you to share your password. If someone has access to your password and your Google/Apple account, they can access all of your MetaMask accounts.
If you don't have your Google or Apple account connected to MetaMask, your password functions differently. Having access to your password will not give someone access to your accounts. However, you should still secure your password and practice good password hygiene.
- Use a strong password, with a mixture of uppercase and lowercase letters, numbers, and special characters.
- Use a different password for each account.
- Store your passwords in a secure, offline location. Cloud services and password managers can be hacked, and are not the most secure way to store your passwords.
- NEVER share your password with anyone.
There is no such thing as too much safety. This basic guide is by no means comprehensive. Keep learning how to better protect your tokens from the community, informative materials, and discussion channels.
Additional resources
Here are some additional resources to keep your computer safe:
- Windows - Keep your computer secure at home
- Mac - Set up your Mac to be secure
What are token approvals and why are they important?
Token approvals grant a dapp permission to access and move a specific type of token, up to a specific amount, from your wallet. If you are not careful about which token approvals you grant in MetaMask, they can become an attack vector through which your wallet is drained.
To avoid this, follow these guidelines:
- Always check what a dapp is actually requesting before clicking 'Approve'. In MetaMask, you can also adjust the amount that the dapp has access to. Even if you only grant access to 10% of your tokens and the dapp turns out to be a scam, that's still a considerably better outcome than if you'd granted unlimited access.
- DYOR. The best time to get in the habit of performing due diligence on any dapp before interacting with it was six months ago; the second best time is today. Look out for misspellings, low-quality images/logos, and other giveaways.
- Remember that if something seems too good to be true, it probably is. If you're being offered 498,563% APY, you're probably on thin ice.
For a more detailed explanation of token approvals and how to manage them, please read the following article.
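To make the first guideline concrete, here is an added example (not MetaMask's own code) showing what is actually encoded behind an ERC-20 'Approve' button: the four-byte selector of `approve(address,uint256)` followed by the spender address and the amount. The selector `0x095ea7b3` is the real one from the ERC-20 standard; the spender address, balances and the "risky" thresholds are this example's own constructed assumptions. Decoding the calldata shows whether a dapp is asking for a capped amount or for the unlimited allowance (`2^256 - 1`) that the text warns about, and the encoder shows what reducing the amount, as MetaMask's edit-permission control does, produces instead.

```javascript
// Added example, not MetaMask code: inspect and rewrite ERC-20 approve() calldata.
// APPROVE_SELECTOR is the real first 4 bytes of keccak256("approve(address,uint256)").
// Addresses, balances and thresholds below are constructed for illustration.

const APPROVE_SELECTOR = "095ea7b3";
const MAX_UINT256 = (1n << 256n) - 1n; // the "unlimited" allowance many dapps request

// Decode `0x`-prefixed approve(spender, amount) calldata.
// Returns null for anything that is not a well-formed approve call.
function decodeApprove(calldata) {
  const hex = calldata.toLowerCase().replace(/^0x/, "");
  if (hex.length !== 8 + 64 + 64 || !/^[0-9a-f]+$/.test(hex)) return null;
  if (hex.slice(0, 8) !== APPROVE_SELECTOR) return null;
  const spenderWord = hex.slice(8, 72);
  const amountWord = hex.slice(72, 136);
  // An address is 20 bytes right-aligned in a 32-byte ABI word; the 12 high bytes must be zero.
  if (!/^0{24}/.test(spenderWord)) return null;
  return {
    spender: "0x" + spenderWord.slice(24),
    amount: BigInt("0x" + amountWord),
  };
}

// Render a raw token amount using the token's decimals (e.g. 6 for many stablecoins).
function formatUnits(amount, decimals) {
  const s = amount.toString().padStart(decimals + 1, "0");
  const whole = s.slice(0, s.length - decimals);
  const frac = s.slice(s.length - decimals).replace(/0+$/, "");
  return frac ? `${whole}.${frac}` : whole;
}

// Compare the requested allowance with the caller's balance. Flags the unlimited
// allowance and any allowance above the current balance (thresholds are this example's choice).
function assessApproval(decoded, balance, decimals) {
  const findings = [];
  if (decoded.amount === MAX_UINT256) {
    findings.push("unlimited allowance: the spender can move every token you hold now or later");
  } else if (decoded.amount > balance) {
    findings.push(
      `allowance ${formatUnits(decoded.amount, decimals)} exceeds balance ${formatUnits(balance, decimals)}`
    );
  }
  return { ...decoded, findings, risky: findings.length > 0 };
}

// Encode approve(spender, amount) calldata, e.g. to see what a reduced allowance looks like.
function encodeApprove(spender, amount) {
  const spenderWord = spender.toLowerCase().replace(/^0x/, "").padStart(64, "0");
  const amountWord = amount.toString(16).padStart(64, "0");
  return "0x" + APPROVE_SELECTOR + spenderWord + amountWord;
}

// Stand-alone demonstration with constructed values: a dapp requesting an unlimited
// allowance versus the same approval capped at 10% of a 1,000-token balance.
const DEMO_SPENDER = "0x1111111111111111111111111111111111111111"; // constructed address
const DEMO_DECIMALS = 6;
const DEMO_BALANCE = 1000n * 10n ** BigInt(DEMO_DECIMALS);

const requested = decodeApprove(encodeApprove(DEMO_SPENDER, MAX_UINT256));
console.log(assessApproval(requested, DEMO_BALANCE, DEMO_DECIMALS));

const capped = decodeApprove(encodeApprove(DEMO_SPENDER, DEMO_BALANCE / 10n));
console.log(assessApproval(capped, DEMO_BALANCE, DEMO_DECIMALS));
```

Run it with `node approve-check.js`; the first assessment reports the unlimited allowance, the second comes back with no findings. The decoder rejects calldata with a different selector (a plain `transfer`, for instance) so that a wallet-side check only ever reasons about what an approval actually grants.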