Crypto markets can stress you out, but securing your accounts doesn't have to. Here's a few easy steps you can take to make sure the only thing your tokens have to worry about is your trading strategy, not theft.
Before you start, understand your risk posture

"Understand your risk" is something I never hear discussed in the cryptocurrency sphere, but it's helped me understand what security steps are appropriate for my situation. I am a young, single professional who only invests money I can afford to lose. I define my risk posture the following way:
- I expect my account security will have to deal with general phishing attempts or company-wide security breaches instead of focused, tailored threats. My crypto portfolio simply isn't large enough to attract more dedicated threats.
- I interact with the crypto market informally — and infrequently — as a hobby. I can take a more conservative approach that emphasizes security over ease-of-access.
- I live in the United States, so I have access to publicly-traded exchanges like Coinbase that insure account owner's coins against hacks.
Your risk posture might be very different than mine. You might have the majority of your net worth invested in crypto. Maybe you jointly manage your crypto portfolio with a significant other. Or perhaps you travel often and place a premium on account ease-of-access. I'm confident the security steps I outline meet and exceed my crypto portfolio's risk posture, but they may not be appropriate for yours. As always, do your own research!
Step 1 — set up 2FA on all your accounts
Two Factor Authentication (2FA) gives your portfolio a second way to verify you are who you say you are. Accounts with 2FA require more than just a password to log in — this second step can either be a PIN the exchange texts you, a PIN provided by an independent security app like Google Authenticator, or even a hardware token you must physically touch. PCmag.com wrote an easy-to-read article that explains 2FA, linked here.
Large crypto exchanges offer several ways set up 2FA on their platforms. I use Coinbase and KuCoin, so I'll link their 2FA setup webpages below.
2FA meets and exceeds my risk posture because it protects against password theft. When I defined my risk posture I described how my accounts are much more likely to be compromised by a company-wide security breach. 2FA protects against this because even if my account credentials were stolen, my account would remain secure.
I secure my Coinbase account with a Yubikey, a physical token that requires me to plug it in and tap it before I can log in. Physical 2FA tokens are widely considered the best way to secure an account, but they are a bit more expensive and come with the added responsibility of keeping track of a small physical item. You can read more about Yubikey here.
Step 2 — use a password manager
Password managers do exactly what their names imply — they manage your passwords as a desktop or phone app. A good password manager does two things:
- Generates random, encrypted passwords of any character length
- Stores passwords in one encrypted location that you can easily access
I used to either re-use the same password across multiple accounts or save passwords on sticky notes or desktop spreadsheets. Using a password manager takes all this guess-work and file-keeping out of your hands. There are plenty of password managers available at different levels of security, transparency, or pricing. I recommend you start with cnet.com's excellent write-up called "Best password manager to use for 2022" to see which one best fits your situation.
I use a password manager called KeePass to generate and track my account passwords. I like KeePass because it stores your data locally, not on the cloud, and effectively ensures I can only access my accounts from my desktop computer. This restriction emphasizes account security at the cost of ease-of-access — a key component of my risk posture. It may or may not be a good fit for your situation.
Step 3 — make sure you can recover access
Good account security should always balance with your ability to recover access after computer loss, phone loss, or emergencies. Access recovery varies greatly depending on how you personally decide to set up your account security, but I'll briefly describe what my plan is below so you get an idea of what you should look for.
- I have a backup Yubikey that I keep separate from my primary key so that if I lose or break my primary, I will still maintain access.
- I store multiple, hand-written copies of my Google Authenticator recovery phrase in separate locations so that if I ever lose my phone, I can restore my access when I replace it.
You'll need to do due diligence on whatever platforms you use to make sure you can recover access in any emergency.
Final thoughts
Hopefully this post encourages you to think about the risk your portfolio faces, and what steps you can take to adequately secure your situation. These steps may or may not be appropriate for you, but hopefully they serve as starting points.
If you've spent any significant time in the crypto sphere you may wonder why I didn't recommend a cold storage solution. Cold storage is definitely the most secure way to protect your crypto assets. I personally move any tokens I don't intend to spend or trade longterm onto a Ledger wallet.
However I personally don't think cold storage is a good idea for people just starting their crypto journey, for two reasons:
- They introduce an additional cost barrier that might keep beginners away
- There are centralized exchanges available with proven track records that make crypto onboarding cheap, straight-forward, and secure
I highly recommend cold storage for people who invest in crypto long-term, who invest significant value, or who understand and accept the risk associated with completely independent financial ownership. Most beginners don't fit into these categories.
But then again, I'm just a random dude online, so, as always — do your own research!
Thanks for reading!