Quick Start: The 80/20 of Wallet Hygiene
- Keep savings on a hardware (cold) wallet; spend from a small hot wallet.
- Write down the seed phrase offline; never photograph or store it in the cloud.
- Turn on wallet auto-lock + hardware PIN.
- Enable transaction-security previews/alerts (e.g., MetaMask + Blockaid).
- Set custom spend limits on approvals; review/revoke regularly.
- Verify addresses on the device screen; beware address-poisoning and clipboard malware.
Hot vs. Cold: Choose the Right Wallet for the Job
Hot wallets stay online for convenience; cold wallets (hardware) keep keys offline and are better for long-term holdings. Most beginners benefit from a split: a small hot wallet for dapps and a hardware wallet for savings.
Seed Phrase Storage: Rules You Don’t Break
Your seed (BIP39 backup) restores your wallet. Keep it physical and private. Don’t store digital copies (no photos, screenshots, email, cloud). For advanced users, an optional passphrase (“25th word”) creates a hidden wallet, but losing it means losing funds—use only if you can manage the risk.
Device & App Auto-Lock: Shrink the Window of Risk
- MetaMask: set an auto-lock timer (Settings → Advanced) so the wallet locks after inactivity.
- Ledger/Trezor: enable PIN and auto-lock on the device (Ledger defaults to ~10 minutes; configurable).
Safer Signing: Turn On Transaction Simulations & Warnings
- MetaMask + Blockaid: turn on security alerts that simulate transactions to flag malicious dapps before you sign. Also use “Estimated balance changes” for clearer outcomes.
- Ledger Transaction Check / Clear Signing initiatives reduce blind-signing risk; only enable “blind signing” when a dapp truly requires it.
Approvals: Spending Caps, Reviews, and Revokes
Many dapps ask for token “approvals” (allowances) to spend on your behalf.
- Prefer custom spend limits over unlimited approvals.
- Periodically review and revoke stale approvals (MetaMask Portfolio, Etherscan Approval Checker, Revoke.cash).
- Disconnecting a site is not the same as revoking approvals—contracts can still pull funds until you revoke.
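Allowances are granted by calling the token contract's approve(spender, amount), and "unlimited" is simply the largest uint256. The example below is added here and is not MetaMask, Blockaid or any wallet's code: it decodes approve() calldata so an unlimited or over-cap allowance is visible before you sign, and builds the approve(spender, 0) call that revokes one. The selector and ABI layout are the standard ERC-20 ones; the spender address, amounts and the 18-decimal assumption are constructed for the demo.

```python
# Added example (not MetaMask, Blockaid or any wallet's code): decode the
# calldata of an ERC-20 approve() so an "unlimited" allowance is visible
# before signing, and build the approve(spender, 0) call that revokes it.
# The selector and ABI word layout are the standard ERC-20 ones; the
# spender address and amounts below are constructed for the demo.

APPROVE_SELECTOR = "095ea7b3"       # first 4 bytes of keccak256("approve(address,uint256)")
UINT256_MAX = (1 << 256) - 1        # the value most dapps send for "unlimited"


def _strip_0x(h: str) -> str:
    h = h.lower()
    return h[2:] if h.startswith("0x") else h


def encode_approve(spender: str, amount: int) -> str:
    """Build approve(spender, amount) calldata; amount == 0 is the revoke call."""
    spender_hex = _strip_0x(spender)
    if len(spender_hex) != 40 or not (0 <= amount <= UINT256_MAX):
        raise ValueError("spender must be 20 bytes and amount must fit in uint256")
    # ABI: 4-byte selector, then two 32-byte words (address right-aligned, then uint256)
    return "0x" + APPROVE_SELECTOR + spender_hex.rjust(64, "0") + format(amount, "064x")


def decode_approve(calldata: str):
    """Return (spender, amount) for approve() calldata, or None for anything else."""
    data = _strip_0x(calldata)
    if len(data) != 8 + 64 + 64 or data[:8] != APPROVE_SELECTOR:
        return None
    spender = "0x" + data[8 + 24 : 8 + 64]      # low 20 bytes of the first word
    amount = int(data[8 + 64 : 8 + 128], 16)    # second word
    return spender, amount


def classify_approval(calldata: str, cap: int) -> str:
    """Label a pending approve() the way a pre-signing check would.

    cap is the largest allowance (in the token's base units) you are willing
    to grant this spender; anything above it is flagged.
    """
    decoded = decode_approve(calldata)
    if decoded is None:
        return "not-an-approve"
    _, amount = decoded
    if amount == 0:
        return "revoke"
    if amount == UINT256_MAX:
        return "unlimited"
    if amount > cap:
        return "over-cap"
    return "ok"


def revoke_call(spender: str) -> str:
    """Calldata to send to the token contract to zero out a spender's allowance."""
    return encode_approve(spender, 0)


if __name__ == "__main__":
    SPENDER = "0x" + "ab" * 20          # constructed address, not a real contract
    ONE_TOKEN = 10**18                   # assumes an 18-decimal token
    cap = 100 * ONE_TOKEN
    for label, data in [
        ("unlimited", encode_approve(SPENDER, UINT256_MAX)),
        ("50 tokens", encode_approve(SPENDER, 50 * ONE_TOKEN)),
        ("500 tokens", encode_approve(SPENDER, 500 * ONE_TOKEN)),
        ("revoke", revoke_call(SPENDER)),
    ]:
        print(f"{label:>10}: {classify_approval(data, cap)}")
```

The revoke is just another approve() with amount 0 sent to the token contract, which is exactly what the revoke tools listed above submit on your behalf; disconnecting the site never sends it.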
Address Hygiene: Verify on Device, Beat Poisoning & Clipboard Swaps
- Always confirm the receive or send address on your hardware wallet’s trusted display before sending.
- Address-poisoning scams plant look-alike addresses in your history—check every character on-device.
- Clipboard malware can swap pasted addresses; keep antimalware updated and spot-check pasted text. Consider a small test send for new recipients.
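Address poisoning works because wallet UIs truncate addresses to their first and last few characters. The check below is an added example, not code from any wallet vendor: it compares a pasted recipient against your own address book and flags the poisoning pattern (same visible edges, different middle) before a send. The addresses and the address-book labels are constructed; EIP-55 checksum casing is not verified here, and nothing in it replaces reading the full address on the hardware wallet's screen.

```python
# Added example (not from any wallet vendor): compare a recipient address
# against your own address book and flag the address-poisoning pattern,
# a string that shares the leading and trailing characters a truncated
# wallet UI displays but differs in the middle. Addresses below are
# constructed for the demo; the check is a pre-send guard, not a
# replacement for reading the full address on the hardware wallet screen.

import re

HEX_ADDRESS = re.compile(r"^0x[0-9a-fA-F]{40}$")


def normalize(addr: str) -> str:
    """Lowercase an EVM address after checking its shape (EIP-55 case is ignored here)."""
    addr = addr.strip()
    if not HEX_ADDRESS.match(addr):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return addr.lower()


def is_lookalike(candidate: str, trusted: str, prefix: int = 4, suffix: int = 4) -> bool:
    """True when candidate mimics trusted on the visible edges but is a different address."""
    c, t = normalize(candidate), normalize(trusted)
    if c == t:
        return False
    return c[2 : 2 + prefix] == t[2 : 2 + prefix] and c[-suffix:] == t[-suffix:]


def verify_recipient(candidate: str, address_book: dict) -> str:
    """Classify a pasted recipient: known:<label>, poisoning-suspect:<label>,
    new-recipient (consider a small test send) or invalid."""
    try:
        c = normalize(candidate)
    except ValueError:
        return "invalid"
    # Exact matches first, so a genuine entry is never shadowed by a lookalike of another.
    for label, trusted in address_book.items():
        if c == normalize(trusted):
            return f"known:{label}"
    for label, trusted in address_book.items():
        if is_lookalike(c, trusted):
            return f"poisoning-suspect:{label}"
    return "new-recipient"


if __name__ == "__main__":
    # Constructed address book and a constructed poisoned lookalike of the first entry.
    ADDRESS_BOOK = {"my-ledger": "0x1a2b3c4d5e6f70819a2b3c4d5e6f70819a2b3c4d"}
    POISONED = "0x1a2b3cdeadbeefdeadbeefdeadbeefdeadbe3c4d"
    for candidate in (ADDRESS_BOOK["my-ledger"], POISONED, "0x" + "ff" * 20, "0x1234"):
        print(f"{candidate[:10]}...{candidate[-4:]}: {verify_recipient(candidate, ADDRESS_BOOK)}")
```

The prefix and suffix widths default to four characters because that is roughly what a truncated UI shows; widen them to match your wallet, and treat "new-recipient" as the cue for the small test send mentioned above.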
Bitcoin-Specific Toggles: Privacy & Fee Control
- Avoid address reuse; use a new address per payment to reduce linkage.
- Learn coin control (UTXO selection) to improve privacy and fees, and consolidate UTXOs during low-fee periods.
- Understand Replace-By-Fee (RBF) to speed up stuck transactions by rebroadcasting with a higher fee.
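An RBF bump is only accepted by nodes if the replacement clears the BIP125 replacement rules, so "a higher fee" has a concrete floor. The example below is added here and is not Bitcoin Core or any wallet's code; it encodes those rules as I understand Core to enforce them for a single replaced transaction (at least the original's absolute fee, plus enough to pay for the replacement's own relay at the incremental relay feerate, Core's default being 1 sat/vB, and a strictly higher feerate), plus the nSequence signalling check. All sizes and fees are constructed.

```python
# Added example (not Bitcoin Core or any wallet's code): compute the
# smallest fee a Replace-By-Fee bump must pay, and check that the original
# opted in. Encodes the BIP125 rules as I understand Bitcoin Core to
# enforce them for a single replaced transaction; sizes and fees below are
# constructed for the demo.

from math import ceil

MAX_RBF_SEQUENCE = 0xFFFFFFFE   # BIP125: an input with nSequence below this signals replaceability


def signals_rbf(input_sequences) -> bool:
    """True if at least one input's nSequence opts the transaction into RBF."""
    return any(seq < MAX_RBF_SEQUENCE for seq in input_sequences)


def min_rbf_fee(original_fee: int, original_vsize: int, replacement_vsize: int,
                incremental_relay_feerate: float = 1.0) -> int:
    """Smallest replacement fee in sats a node will accept (assumed BIP125 rules 3, 4 and 6)."""
    if original_vsize <= 0 or replacement_vsize <= 0 or original_fee < 0:
        raise ValueError("sizes must be positive and the fee non-negative")
    absolute = original_fee                                                  # at least the original's fee
    relay = original_fee + ceil(incremental_relay_feerate * replacement_vsize)   # pays for its own relay
    higher_rate = (original_fee * replacement_vsize) // original_vsize + 1       # strictly higher sat/vB
    return max(absolute, relay, higher_rate)


def bump_fee(original_fee: int, original_vsize: int, replacement_vsize: int,
             target_sat_per_vb: float) -> int:
    """Fee to pay to reach a target feerate, never below what the replacement rules require."""
    wanted = ceil(target_sat_per_vb * replacement_vsize)
    return max(wanted, min_rbf_fee(original_fee, original_vsize, replacement_vsize))


if __name__ == "__main__":
    # Constructed scenario: a 200 vB transaction paid 1000 sats (5 sat/vB) and is stuck.
    print("signals RBF:", signals_rbf([0xFFFFFFFD, 0xFFFFFFFF]))
    print("floor, same size:", min_rbf_fee(1000, 200, 200), "sats")
    print("floor, 250 vB replacement:", min_rbf_fee(1000, 200, 250), "sats")
    print("bump to 20 sat/vB:", bump_fee(1000, 200, 200, 20), "sats")
```

If the original did not signal (every input at 0xFFFFFFFF), most wallets will not offer a bump at all, which is why enabling RBF at send time is the toggle to set before a transaction is stuck rather than after.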
If You Use Exchanges: Flip These Two Switches
- Set an anti-phishing code: a code only you know that genuine emails/texts from your exchange will include, so lookalike messages without it stand out.
- Enable withdrawal allowlisting/whitelisting so withdrawals only go to approved addresses.
WalletConnect & Site Connections: Clean Up Regularly
Keep WalletConnect sessions tidy—disconnect when done (and remember: approvals persist until revoked). Many wallets document that session disconnection ≠ approval revocation.
Account Logins: Use Phishing-Resistant MFA
For your exchange/email logins, prefer FIDO2 passkeys/security keys over SMS codes. Government and standards bodies point to FIDO/WebAuthn as the widely available phishing-resistant option; Google’s Advanced Protection enforces it for high-risk users.
The Wallet Hygiene Checklist (Copy/Paste for Setup)
- Hot wallet (small balance) + hardware wallet (savings).
- Write seed offline; no photos/cloud; store securely.
- Optional BIP39 passphrase only if you can manage it.
- Turn on auto-lock (MetaMask, Ledger/Trezor).
- Enable MetaMask security alerts & balance-change previews.
- Set custom spending caps; avoid “unlimited.”
- Review & revoke allowances monthly (Portfolio / Etherscan / Revoke.cash).
- Verify addresses on the device screen every time; consider a small test send to new recipients.
- For Bitcoin, avoid address reuse; learn coin control; use RBF if a transaction gets stuck.
- On exchanges, set anti-phishing code + withdrawal allowlist.
- Protect logins with FIDO2/passkeys (not SMS).
FAQs
Is a hardware wallet necessary if I only hold a little crypto?
Cold storage reduces online attack surface; many users still start with a hot wallet and move to hardware as balances grow.
Do I need a BIP39 passphrase?
It’s powerful but unforgiving; losing it means losing access. New users should master basic hygiene first.
Does disconnecting a dapp remove its rights to spend my tokens?
No—disconnect ≠ revoke. You must explicitly revoke approvals.
Are SMS codes good enough for exchange logins?
Prefer passkeys/security keys (FIDO/WebAuthn), which are phishing-resistant.