It's the same logic as passwords - a478u5g_w1r@gmail.com makes it a lot harder to guess than john_wong@gmail.com, especially when your identity/personal details have been leaked.
6/ Use multiple emails
Again, "don't put all your eggs in one basket".
This way if shit goes down, at least the risk will be contained within just ONE email + ONE password.
Too much work? At least consider having a FEW different emails to mix and match.
7/ 2FA everything
2FA so that you'll need more than just an email + password to login.
Consider using 2FA apps such as Google Authenticator, @Authy or even better...
8/ Use a hardware security key
Hardware-based 2FA such as a Yubikey lets you authenticate the login by pressing a physical button, instead of having a code sent to you on your phone app.
Best practice is to have at least 3:
1 for daily use, 2 for backup (stored separately)
9/ Disable SMS authentication
Just don't. Your accounts will likely be more secure with this TURNED OFF (just remember to 2FA in other ways, please)
The risk of a SIM-swap attack is very real, so be extra mindful of this.
10/ Use a hardware wallet
Hot wallets are fast and convenient, yes. But if you really value your magic internet coins, start storing them on a @Trezor or @Ledger.
This way, thieves who get ahold of your device(s) will need more than just your Metamask login password to steal everything.
11/ Don't use the 1st address
This doesn't work as well these days since @Rabby_io will just display all the addresses but hey - anything to make it HARDER for them.
If your private key gets leaked, maaaaaybe they'll give up after seeing $0 in the 1st address (or 2nd, 3rd...)?
12/ Don't approve infinite amount
Don't set unlimited spend limit when approving transactions.
Yes, it's more hassle and more gas fees when you want to change this down the road, but hey, if shit hits the fan for the smart contract, at least your entire balance won't be drained.
13/ Double check the approval
Don't just blindly click-through those transactions!
It takes just ONE mistake to potentially lose everything, so be sure to double-check, triple-check the deets before you even hover your cursor over that "approve" button.
14/ Revoke old approvals
Revoking approvals is a good practice to stop access to your wallet or funds, especially for contracts you haven't interacted with for quite some time.
Why? Because you never know. Malicious devs, for instance, could technically build in backdoor access.
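Tips 12 to 14 all come down to one habit: read the approval before you sign it. As an added example (not code from the original thread), here is a small Python check that decodes the calldata of an ERC-20 `approve(address,uint256)` or an ERC-721/1155 `setApprovalForAll(address,bool)` call, flags unlimited allowances and spenders you did not intend, and compares the amount against what the action actually needs. The spender address used in the demo is a constructed placeholder, not a real contract; the two function selectors are the standard ones for those signatures.

```python
# Added example: inspect approval calldata before signing it (not from the thread).
# A selector is the first 4 bytes of keccak256(signature); these two are the
# standard values for approve(address,uint256) and setApprovalForAll(address,bool).
APPROVE_SELECTOR = "095ea7b3"
SET_APPROVAL_FOR_ALL_SELECTOR = "a22cb465"
UINT256_MAX = 2**256 - 1  # what wallets encode as "unlimited"


def decode_approval(calldata_hex: str) -> dict:
    """Describe an approval call, or return {'kind': 'other'} for anything else."""
    data = calldata_hex.lower().removeprefix("0x")
    if len(data) < 8:
        return {"kind": "other"}
    selector, args = data[:8], data[8:]
    # The ABI encodes each static argument as one 32-byte word (64 hex chars).
    words = [args[i:i + 64] for i in range(0, len(args), 64)]
    if len(words) < 2 or len(words[1]) != 64:
        return {"kind": "other"}
    # An address is right-aligned inside its word: the last 40 hex chars.
    target = "0x" + words[0][-40:]
    if selector == APPROVE_SELECTOR:
        amount = int(words[1], 16)
        return {"kind": "approve", "spender": target, "amount": amount,
                "unlimited": amount == UINT256_MAX}
    if selector == SET_APPROVAL_FOR_ALL_SELECTOR:
        approved = int(words[1], 16) != 0
        # "Approval for all" is blanket access to every token in the collection.
        return {"kind": "setApprovalForAll", "operator": target,
                "approved": approved, "unlimited": approved}
    return {"kind": "other"}


def approval_warnings(calldata_hex: str, expected_spender: str, needed_amount: int) -> list:
    """Checks a user (or wallet UI) should run before clicking 'approve'."""
    info = decode_approval(calldata_hex)
    warnings = []
    if info["kind"] == "other":
        return warnings
    who = info.get("spender") or info.get("operator")
    if who.lower() != expected_spender.lower():
        warnings.append(f"spender {who} is not the contract you intended ({expected_spender})")
    if info["unlimited"]:
        warnings.append("unlimited approval: the spender could drain the whole balance")
    elif info["kind"] == "approve" and info["amount"] > needed_amount:
        warnings.append(f"approving {info['amount']} but only {needed_amount} is needed")
    return warnings


def encode_approve(spender: str, amount: int) -> str:
    """Build sample approve() calldata for the demo (constructed input)."""
    addr_word = spender.lower().removeprefix("0x").rjust(64, "0")
    return "0x" + APPROVE_SELECTOR + addr_word + format(amount, "064x")


if __name__ == "__main__":
    ROUTER = "0x" + "11" * 20  # placeholder spender, not a real contract
    for amount in (10**18, UINT256_MAX):
        print(amount, approval_warnings(encode_approve(ROUTER, amount), ROUTER, 10**18))
```

Setting the spend limit to exactly what the swap or deposit needs costs a little extra gas later, as the thread says, but it also means a compromised or backdoored contract can take at most that amount rather than the full balance.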
15/ Eliminate/minimize browser extensions
These little buggers may come with an extra serving of malware, and some may even have excessive permissions to read your data.
Unless you 100% trust the developer, it's best to just get rid of them despite the inconvenience.
16/ Use separate browser profiles
Multiple emails. Multiple passwords. Multiple profiles. Same logic.
Isolate your wallet extensions like @rabby_io and @MetaMask into their own browser profiles.
17/ Double-check the site
Don't just click on the 1st link that pops up on your Google search.
Oftentimes, the first link could be a fake. Be extra cautious when it's an ad.
Always cross-check sources for the right URL - official X account, @CoinGecko, @CoinMarketCap etc.
18/ Dedicated device for dedicated purpose(s)
It's NOT a good idea to crypto on the same device you use for torrents, XXX content, deep web surfing etc.
To be extra safe, use a separate, dedicated device for crypto + an OFFLINE only mobile device for 2FAs.
19/ Beware of fake X accounts
Fakes, fakes, fakes everywhere.
Example - this fake @pendle_fi account:
- Got a golden @X checkmark
- Has its reply featured BEFORE the 2nd post in this thread
See how easy it is?
Rule of thumb - if it sounds too good to be true, it probably is
20/ Don't just rawdog crypto, remember to always use protection, folks!
I'm sure there are plenty more "best practices" out there but these should serve as a good starting point for all of us.
If you have any other good threads/suggestions, please leave them in the replies.
21/ Remember, the rule of thumb here is to doubt and double-check everything - the website URL, approval transaction, Telegram/Discord ID, make sure that "I" is not an "L"....
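Tips 17 and 21 both boil down to checking the URL against a source you trust and not letting an "I" pass for an "l". As an added example (not code from the original thread), the Python below compares the domain of a link against a small allowlist of official domains and reports whether it is the real thing, a lookalike, or simply unknown. It goes beyond the single "I vs l" case the thread mentions: it folds digit-for-letter swaps (1 for l, 0 for o), "rn" for "m", a handful of Cyrillic letters that render like Latin ones, punycode (`xn--`) hosts, and the trick of burying the real name in a subdomain of an attacker's domain. The domains in the allowlist are constructed placeholders, not real projects.

```python
# Added example: lookalike-domain check for links before you connect a wallet
# (not from the thread). The allowlist entries are placeholders.
import unicodedata
from urllib.parse import urlparse

# Domains you verified through an official channel (constructed placeholders).
OFFICIAL_DOMAINS = {"example-dex.org", "example-wallet.com"}

# Characters that look alike in many fonts, mapped to one canonical form so that
# "examp1e", "exampIe" and a Cyrillic "а" all collapse onto "example".
CONFUSABLES = str.maketrans({
    "1": "l", "i": "l", "|": "l", "0": "o",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y",   # Cyrillic а е о р с х у
})


def skeleton(label: str) -> str:
    """Reduce a domain label to a shape that lookalikes share with the original."""
    s = unicodedata.normalize("NFKC", label).casefold()   # fold fullwidth/compat forms, I -> i
    # Strip combining accents (e.g. "é" -> "e") after decomposing.
    s = "".join(c for c in unicodedata.normalize("NFD", s) if unicodedata.category(c) != "Mn")
    s = s.replace("rn", "m").replace("vv", "w")            # two-letter sequences that read as one
    return s.translate(CONFUSABLES)


def registrable_domain(url: str) -> str:
    """Last two labels of the host, with punycode decoded (simplified eTLD+1)."""
    host = (urlparse(url).hostname or "").rstrip(".")
    try:
        host = host.encode("ascii").decode("idna")   # "xn--..." labels back to Unicode
    except UnicodeError:
        pass   # already Unicode (or malformed): compare it as given
    return ".".join(host.split(".")[-2:])


def classify_url(url: str) -> str:
    """'official', 'lookalike of <domain>', or 'unknown'."""
    domain = registrable_domain(url)
    if domain in OFFICIAL_DOMAINS:
        return "official"
    for official in OFFICIAL_DOMAINS:
        if skeleton(domain) == skeleton(official):
            return f"lookalike of {official}"
    return "unknown"


if __name__ == "__main__":
    for link in ("https://app.example-dex.org/swap",
                 "https://examp1e-dex.org/",
                 "https://exampIe-dex.org/",
                 "https://example-dex.org.evil-site.com/login"):
        print(link, "->", classify_url(link))
```

A "lookalike" verdict is the cue to stop and find the URL through the project's official X account or a listing site rather than through the link in front of you; "unknown" just means it is not on your list, which for a wallet-connect prompt is reason enough to check.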