As the global cryptocurrency industry reached a market cap of $2.4 trillion in 2021, the number of risks, scams and attacks has increased exponentially.
Gary Orenstein is the chief customer officer at Bitwarden, leading the go-to-market efforts across customer success, marketing, and sales. Here he shares his thoughts as to why password managers are the ticket to protecting crypto accounts.
Unsurprisingly a rising market that benefits investors also attracts threat actors hoping to profit from others. Over the last several years, tens of billions of dollars in Bitcoin, Ethereum and other cryptocurrencies have been stolen from users in an array of attacks aimed at harvesting credentials and other sensitive information, allowing threat actors to compromise accounts and transfer funds.
Alas, while attractive, cryptocurrencies’ decentralized nature is the very characteristic that makes it challenging to stop illegitimate transactions or recover funds. In most cases, once coins are taken, they are gone forever. To combat these risks, users need to be aware of the telling signs of scam emails, imposter sites, and shady giveaways, taking every precaution to secure their accounts and digital wallets. As attackers share methods for cracking accounts and wallets, daily users and holders alike may want to consider solutions, like password managers, to protect themselves.
The Case for Password Managers
Password security can be a polarising topic within the crypto community. While general consensus cautions against keeping any passwords or seed phrases online, it’s important to recognise the pros and cons of the various methods for generating and storing them.
Creating simple passwords, or even reusing passwords across accounts, is akin to leaving a safe door wide open—it’s more a matter of when funds will disappear than if. Yet, overly complex passwords alone aren’t always the best solution either; if users fail to remember the right keys and phrases correctly, headaches are sure to ensue. Furthermore, if accounts remain inaccessible, not every service provides recovery assistance.
Roughly one-fifth of users also reportedly keep their passwords and phrases listed on a single piece of paper. With all the stories about accidentally tossing the paper or misplacing it, this solution seems risky. Balancing security, accessibility, and redundancy, password managers come pretty close to being the perfect solution for many.
What Should You Look for in a Password Manager?
A trustworthy password manager should support the following:
- End-to-end encryption and zero-knowledge encryption models that prevent the provider from seeing customer data
- Data encryption on the local device before anything is sent to cloud servers, so that no one besides the owner can read the data or recover the original information from it
- Two-factor authentication (2FA), with the corresponding recovery codes backed up in multiple places
- Self-hosting capabilities for those seeking complete control of their password vaults
Further, an open-source development approach ensures the ultimate in transparency for security, and facilitates an ecosystem where everyone can see the code directly. Coupled with regular audits from reputable third-party security firms and independent security researchers to detect errors and submit fixes, an open-source solution provides the most comprehensive way to maintain confidence in the solution.
If your chosen password manager features encryption models, 2FA and open-source code, in addition to other essential security characteristics, you can confidently use it to secure your exchange and digital wallet passwords and seed phrases.
When creating strong passwords, computers are much better than humans at generating random sequences. Fortunately, most password managers offer in-app generators across clients such as mobile devices, web extensions, desktops, browsers, and even a command-line interface. Some also provide web-based password generators that can come in handy to check the strength of current passwords and recommend new ones.
Though a password manager may retain the history of the password generator for each application, it can be cleared in most cases. However, you may want to hold off from clearing its history until you are absolutely confident that your passwords and phrases are saved or written down. If not, you run the risk of losing them forever.
Remembering Lost Passwords
Losing passwords and key phrases can prevent you from regaining access to your crypto accounts and wallets unless you hire a third-party recovery service that can restore it. Unfortunately, if you also happen to be missing your backup phrases, recovery is infeasible.
According to blockchain data firm Chainalysis, nearly 20% of existing Bitcoin has been lost or stuck in digital wallets, amounting to billions in losses.
Using a password manager or even a combination of solutions to keep track of your passwords is not only a good idea but a financially sound one—especially given the high stakes.
In Case of Accidents
Once your accounts are secured, you may want to consider planning for the unexpected. Keeping recovery codes stored in multiple locations or finding a password manager with emergency access that assigns delegates to receive vault access can come in handy if you can no longer access your accounts due to unforeseen circumstances.
Password managers are not only beneficial for managing and protecting passwords. In some cases, they help users detect fake web pages linked from malicious emails that aim to harvest users’ login credentials.
Most password managers retain known and confirmed URLs. If you had your manager’s browser extension enabled and visited Coinbase, for example, you would see a small notification alerting you of the number of logins for that specific site. If a URL is incorrect, the notification will not appear or prompt you to log in.
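The reason this works is that the extension compares the parsed host of the current page with the hosts saved in the vault, rather than looking for a brand name anywhere in the address. The following is an added illustration of that matching logic, not the code of any real extension; the vault entries and domains are constructed placeholders, and the two-label "registrable domain" approximation stands in for the Public Suffix List a real product would use.

```javascript
// Added example (not a real extension's matching code): deciding whether any saved
// login belongs to the page currently open, by comparing parsed hosts.

// Constructed vault entries; the domains are placeholders, not real accounts.
const VAULT = [
  { name: 'Exchange', uris: ['https://www.exchange.example'], username: 'alice' },
  { name: 'Exchange (mobile)', uris: ['https://m.exchange.example'], username: 'alice' },
  { name: 'Wallet', uris: ['https://wallet.example/login'], username: 'alice' },
];

// Registrable-domain approximation: the last two labels of the host. Assumption for
// this example; real managers consult the Public Suffix List so that multi-label
// public suffixes (co.uk and the like) are handled correctly.
function baseDomain(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// Parse the URL with the platform parser and return its hostname, or null if the
// input is not an http(s) URL. Never match on raw substrings of the address.
function hostOf(url) {
  try {
    const u = new URL(url);
    if (u.protocol !== 'https:' && u.protocol !== 'http:') return null;
    return u.hostname.toLowerCase();
  } catch (e) {
    return null; // unparseable input matches nothing
  }
}

// Return the saved logins whose URI shares the registrable domain of the current page.
function matchingLogins(vault, currentUrl) {
  const host = hostOf(currentUrl);
  if (!host) return [];
  const wanted = baseDomain(host);
  return vault.filter((item) =>
    item.uris.some((u) => {
      const h = hostOf(u);
      return h !== null && baseDomain(h) === wanted;
    }));
}

// What the extension badge would show: the number of logins for this site (0 means no badge,
// which is the user's cue that the page is not the one they saved).
function badgeCount(vault, currentUrl) {
  return matchingLogins(vault, currentUrl).length;
}

// Constructed inputs: the real site matches, look-alikes that merely contain the brand do not.
// badgeCount(VAULT, 'https://www.exchange.example/signin')          -> 2
// badgeCount(VAULT, 'https://exchange.example.login-verify.test/') -> 0
// badgeCount(VAULT, 'https://wallet.example.evil.test/')           -> 0
```

Because `exchange.example.login-verify.test` parses to the registrable domain `login-verify.test`, it gets no badge even though the genuine brand name appears in the address, which is the signal the paragraph above describes. The example does not compare schemes; a stricter matcher would also refuse to offer an https-saved login on a plain-http page.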
Paired with proper cybersecurity and password practices plus constant vigilance, features like this can help keep your funds safe from attackers. A few recommended steps:
- Use unique passwords for every website or service. Your password manager and crypto accounts should have long, complex, random, and unique passwords that are not used anywhere else.
- If you receive any emails requiring you to verify information or check suspicious activity, be sure to check all aspects of the email, including the sender name, displayed and actual email address, and links. To be extra cautious, it’s always better to open a browser and log in to the account directly than follow a link sent to you.
- Never open unexpected attachments from unknown and even known senders. Most ransomware is spread through attachments and could deploy immediately after being opened.
- Always enable 2FA. If a password becomes compromised, requiring a secondary login from a separate device can thwart attacks.
- Giveaways are often too good to be true and even verified accounts can be hacked. Be careful when participating in any challenges or giveaway offers. Anything that asks for funds, such as giving crypto to receive more coins in return, or requests for sensitive personal information, is likely a malicious actor running a scam.
Password managers offer many benefits and can act as another layer of security against malicious attackers, forgetful memories and unexpected life events. Given all these features, it makes sense to forgo using papers to keep track of passwords, and instead rely on tech solutions that can generate strong passwords, notify users of fake sites, and provide reassurance that your passwords are safely encrypted and locked away.