Basic safety and security tips for MetaMask
New to crypto and web3?
Head to MetaMask Learn for a straightforward learning experience designed specifically for web3 beginners. It's completely free, available in multiple languages, and includes practical tools such as simulations to help you get started with MetaMask.
What is a Secret Recovery Phrase, and how do I back it up?
Using a seed phrase, or Secret Recovery Phrase, is standard practice for most cryptocurrency wallets. It's generated randomly when you create your MetaMask wallet, and provides access to all the accounts (addresses) within that wallet.
When you first create a wallet, you will be prompted to write down your Secret Recovery Phrase (SRP), or connect your Google or Apple account to MetaMask. While both options have an associated SRP, they function differently in the backend.
If you secure your SRP, and do not connect your Google or Apple account to MetaMask, then MetaMask does not control any of your personal or private data on our servers. Everything is encrypted in your browser and protected with your MetaMask password. So, if you lose your MetaMask accounts and need to restore them, you can only do that with your SRP. In this case, your SRP is your single point of failure for access to your accounts.
If you connect your Google or Apple account to MetaMask, your SRP is encrypted and sharded across five different nodes. Only your Google or Apple account and password can access and decrypt all five shards. In this case, your Google/Apple account and password are your two points of failure. Because of this, make sure you do not reuse your Google/Apple password for your MetaMask password. The two passwords should be completely unique. We also recommend you still secure your SRP in case you lose your password or Google/Apple account.
Why you need to store your Secret Recovery Phrase
MetaMask is a self-custody wallet. Whoever has access to an SRP has access to all of its accounts. If your device breaks, is lost, stolen, or has data corruption, there is no way for the MetaMask Support team to recover your SRP for you.
Don't share your Secret Recovery Phrase and private keys
Anyone who has your SRP or private keys can control your assets, and therefore send tokens out of your accounts. Never share your Secret Recovery Phrase with anyone, including the MetaMask team or anyone claiming to represent us.
We will never ask you to provide your SRP. If someone claims that we do, insist on not sharing. If you encounter someone who claims to be a MetaMask or MetaMask Support team member, or asks for your SRP and/or private keys, report them by getting in touch with Support. If anyone else asks for your SRP and/or private keys, assume they are trying to steal all of your assets.
This principle applies equally to websites and applications. The only legitimate situations where you'll need to enter your SRP are:
- When you first create your wallet, because you need to enter certain words from the phrase to confirm that you have written it down.
- When you restore your wallet on a new device or from a fresh install, or reset your password (a similar process).
However, scammers also try to imitate both of these situations. See here for more information: How do I identify the real MetaMask?
If you hold a significant amount of tokens in your accounts, consider buying a hardware wallet.
In general, a hardware wallet is the most secure way to store tokens. A hardware wallet is offline most or all of the time, which is why it is often called a "cold" wallet. This means your private keys can never be obtained by a malicious actor online, because any transaction must be signed (authorized) using the hardware wallet itself.
Don't share your password(s)
You should never share any of your passwords with anyone, but for now, we will focus on your MetaMask password. If you connect your Google or Apple account to MetaMask, your password is required to access your accounts.
MetaMask Support will never ask you to share your password. If someone has access to your password and your Google/Apple account, they can access all of your MetaMask accounts.
If you don't have your Google or Apple account connected to MetaMask, your password functions differently. Having access to your password will not give someone access to your accounts. However, you should still secure your password and practice good password hygiene.
- Use a strong password, with a mixture of uppercase and lowercase letters, numbers, and special characters.
- Use a different password for each account.
- Store your passwords in a secure, offline location. Cloud services and password managers can be hacked, and are not the most secure way to store your passwords.
- NEVER share your password with anyone.
You can never be too secure. The basic guidance in this article is not exhaustive. You can always learn how to better protect your tokens through the community, explanatory materials, or discussion channels.
Additional resources
Here are some additional resources on how to keep your computer secure:
- Windows - Keep your computer secure at home
- Mac - Set up your Mac to be secure
What are token approvals, and why do they matter?
A token approval grants a dapp permission to access and transfer a specific type and amount of token in your wallet. If you are not careful about which token approvals you perform in your MetaMask wallet, this can become one way for your wallet to be drained.
To avoid this, try to follow these guidelines:
- Always check what the dapp is actually requesting before clicking "Approve". In MetaMask, you can also adjust the amount the dapp is allowed to access. Even if you only grant access to 10% of your tokens and the dapp later turns out to be a scam, that is still far better than having granted unlimited access.
- Do your own research (DYOR). The best time to make a habit of doing due diligence before interacting with any dapp was six months ago; the second best time is today. Watch out for spelling mistakes, low-quality images/logos, and other tell-tale signs.
- Remember, if something seems too good to be true, it is probably a scam. If you are offered an annual yield of 498563%, you are very likely looking at a scam.
For a more detailed explanation of token approvals and how to manage them, see the articles below.
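To make the first guideline concrete, the following added example (not MetaMask's own code) decodes the raw calldata of an ERC-20 approve(spender, amount) call, flags an unlimited allowance, and builds a capped alternative; the spender address and token balance in it are constructed sample values.

```javascript
// ERC-20 approve(address spender, uint256 amount): 4-byte selector followed by
// two 32-byte ABI-encoded words. 0x095ea7b3 is the standard selector for this function.
const APPROVE_SELECTOR = "095ea7b3";
const MAX_UINT256 = (1n << 256n) - 1n; // what "unlimited" approvals usually request

// Decode raw calldata of an approve() call. Returns null if the data is not an approve().
function decodeApprove(calldata) {
  const hex = calldata.toLowerCase().replace(/^0x/, "");
  if (hex.length !== 8 + 64 + 64 || hex.slice(0, 8) !== APPROVE_SELECTOR) return null;
  const spender = "0x" + hex.slice(8 + 24, 8 + 64);        // address is right-aligned in its word
  const amount = BigInt("0x" + hex.slice(8 + 64, 8 + 128)); // uint256 allowance in base units
  return { spender, amount, unlimited: amount === MAX_UINT256 };
}

// Build calldata that approves only `percent` of `balance` instead of an unlimited amount.
function encodeCappedApprove(spender, balance, percent) {
  const amount = (balance * BigInt(percent)) / 100n;
  const addrWord = spender.toLowerCase().replace(/^0x/, "").padStart(64, "0");
  const amountWord = amount.toString(16).padStart(64, "0");
  return "0x" + APPROVE_SELECTOR + addrWord + amountWord;
}

// The checks to make before clicking "Approve": is it really an approve(), does the
// spender match the dapp contract you expected, and is the allowance capped?
function reviewApproval(calldata, expectedSpender) {
  const call = decodeApprove(calldata);
  if (!call) return { ok: false, reason: "not an ERC-20 approve() call" };
  if (expectedSpender && call.spender !== expectedSpender.toLowerCase())
    return { ok: false, reason: "spender is not the contract you expected" };
  if (call.unlimited) return { ok: false, reason: "unlimited allowance requested" };
  return { ok: true, reason: `allowance capped at ${call.amount} base units` };
}

// Constructed sample values (not real contracts): a dapp contract address and a balance
// of 1000 tokens with 18 decimals, plus the calldata of an unlimited approval for it.
const SAMPLE_SPENDER = "0x" + "11".repeat(20);
const SAMPLE_BALANCE = 1000n * 10n ** 18n;
const UNLIMITED_CALLDATA =
  "0x" + APPROVE_SELECTOR + "0".repeat(24) + "11".repeat(20) + "f".repeat(64);

console.log(reviewApproval(UNLIMITED_CALLDATA, SAMPLE_SPENDER));
console.log(reviewApproval(encodeCappedApprove(SAMPLE_SPENDER, SAMPLE_BALANCE, 10), SAMPLE_SPENDER));
```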