How do I keep my money safe?
At Exodus, we are passionate about giving you full control over your funds. When we say “full control”, we mean FULL control. Exodus as a company does not store any sensitive data about your wallet. We cannot view, access or control your wallet in any way because all of your wallet’s information is stored locally on your computer.
This means that we do not know anything about your password, 12-word recovery phrase, private keys, or even your public addresses. Essentially, your Exodus wallet is your own personal crypto-bank - you have the keys to the front door, and the combination to the vault.
With the power of controlling your own bank comes the added responsibility of protecting your bank. The topics in this article will teach you how to protect your new “crypto-bank” and strengthen your security profile. As you wouldn’t want your actual bank to be a place where anyone could just walk in and take whatever they want, you shouldn’t let your wallet and computer be like that either.
If you only read one sentence, make it this one: A hardware wallet is the biggest step you can take to secure your funds. If you were to go all the way to Tier 4: "The Fort Knox", devoting an entire computer only to running Exodus Wallet in a secure environment, it would be about as effective as a hardware wallet.
The Trezor One and Trezor Model T hardware wallets are both supported within Exodus. Before you buy, please take a look at the list of Trezor-supported assets to make sure that your portfolio is covered.
Exodus co-founder Daniel Castagnoli explains the advantages of pairing Exodus with a Trezor:
Keep reading to learn how to secure a computer that's running Exodus without a hardware wallet.
How to use this guide
Here’s how we suggest you use this guide:
- Browse through it once to get an idea what we’re talking about.
- It’s likely you’ll get discouraged by the number of things to do and all that information. Don't be. You don’t have to do all of it at once. We’ll take it step by step. But it's important that you implement these security practices, otherwise your funds are at risk!
- So, start from the beginning and implement the suggestions in Tier 1. It’s easy!
- Give it a day, play around with your wallet, do your exchanges. Then start implementing Tier 2.
- Some things in Tier 2 can be done right away, others need some research, like which password manager or VPN to use. You’ll perhaps decide that getting a hardware wallet is a worthy investment. In any case, within a few days you should be all set; just as long as it takes for the hardware wallet to arrive!
- Congrats! You deserve a little break to enjoy the fruits of your labor!
- Then move on to Tier 3. Here it will probably take a little longer to complete all the steps. Take your time. Start with those you can do right away and then slowly move to the next.
- Yes! After Tier 3 your protection is top-notch! You still have Tier 4 but you can bask in the glory of your security skills for a while. After all, Tier 4 is something that will be gradually accomplished. It needs to be done, in order to have top of the line security, but here you can definitely pace yourself as there are some serious investments involved and things get more technical. But once you’re done, you’ll be as protected as you can be!
- Oh! And one more thing: Along with these Tiers, always keep in mind the last section when browsing the cryptospace! Because there’s passive safety and active safety.
Now, if you feel that you can't or don't want to complete at least the first two Tiers to protect your funds, perhaps you'd like to consider alternative methods of storing them. Here's an article we've written on the subject. However, please keep in mind that many of the security practices discussed here are needed regardless of where you keep your crypto!
Exodus is only as secure as the computer it is installed on and your security practices!
So, please don’t skip these protection measures. They’re the only thing standing between the hackers and your money. And if you’re thinking “Why would a hacker bother to hack me?”, the answer is, "For your money." Hackers may not target you specifically, but they do target your funds.
If such an unfortunate incident were to happen it would be impossible to retrieve your funds; not even Satoshi could do it. It's how the blockchain works. On top of that, we don't reimburse hack cases. So, prevention is the only way here.
You need to ask yourself: “How much is my money worth to me?” and act accordingly to keep the Big Bad Wolves out!
Tier One covers the very basic security measures that everyone should be using to protect their computer, wallet, and funds. They’re the bare minimum of what you should apply. They won’t get you far, but without them, you might as well start throwing your money in the air out in the street. So, let’s get started!
1. Protect your 12-word recovery phrase
This is the number one rule! Your 12-word recovery phrase is like the master key to your wallet. Anyone who has access to your 12-word recovery phrase will be able to access any and all funds in your wallet. Since this is such an important piece of information, you will need to take the necessary steps to protect it from prying eyes.
- Keep your 12 words only on paper.
- Print them on your home printer.
- It’s important that you do not print them on any public printers, such as in your work or library.
- If you don’t have a private printer at home, write your 12 words by hand.
- They must be written in the correct order, with correct spelling and all small letters. Exodus has tools to help you with the spelling if you need to restore, but it's better to play it safe and double-check that they're written down correctly.
- Keep them somewhere private and safe. The drawer of your desk is not such a place unless it can be locked.
2. Do not copy your Private Keys
Your Private Keys are similar to your 12-word recovery phrase, except they only allow access to certain assets. Your Ethereum and Ethereum Assets are all controlled by the same Private Key. So, if it’s compromised, all of these assets are in danger! Bitcoin and the other assets have a bunch of Private Keys, each controlling a single address. But still, a single one of them can compromise all of them. For this reason, we want you to keep your Private Keys as safe as possible and as such we’ve hidden them away. You can still get to them, they’re yours after all, but it’s not recommended.
- Copying them to keep them safe doesn’t increase security. The safest place for them to be is in your wallet. Your wallet protects your Private Keys with heavy encryption, so copying them and saving them somewhere else actually weakens your security.
- In versions earlier than 1.57, Private Keys were exported in a CSV file instead of being shown on screen. Sometimes, though, people would export them and forget the CSV file on their desktop in their vulnerable, unencrypted form. If you think you may have exported your Private Keys in the past, look for any files with "PRIVATE" in the name and delete them and then empty your Recycle Bin or Trash.
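The search for leftover exports described above can be scripted. This is an added example, not code from Exodus; the folder list and the sample file names are assumptions, and the script only lists matches so that you can review them and delete them yourself.

```python
import os
import tempfile
from pathlib import Path

# Folders where an exported file is most likely to have been left behind.
# This list is an assumption of the example, not something Exodus specifies.
DEFAULT_FOLDERS = ("Desktop", "Documents", "Downloads")


def find_private_key_exports(roots, needle="private"):
    """Return every file under `roots` whose name contains `needle`.

    The match is case-insensitive, so "PRIVATE", "Private" and "private"
    are all reported. Folders that do not exist are skipped.
    """
    hits = []
    for root in roots:
        root = Path(root)
        if not root.is_dir():
            continue
        # os.walk silently skips directories it is not allowed to read.
        for dirpath, _dirnames, filenames in os.walk(root):
            for name in filenames:
                if needle in name.lower():
                    hits.append(Path(dirpath) / name)
    return sorted(hits)


def demo():
    """Run the scan over a constructed directory tree; return the names found."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        (base / "Desktop").mkdir()
        (base / "Documents" / "old").mkdir(parents=True)
        # Constructed, empty sample files. The real export name may differ.
        (base / "Desktop" / "exodus-PRIVATE-keys.csv").touch()
        (base / "Documents" / "old" / "Private_backup.CSV").touch()
        (base / "Documents" / "holiday.jpg").touch()
        found = find_private_key_exports(base / d for d in DEFAULT_FOLDERS)
        return [p.name for p in found]


if __name__ == "__main__":
    home = Path.home()
    for path in find_private_key_exports(home / d for d in DEFAULT_FOLDERS):
        print(path)
```

After deleting anything it reports, empty your Recycle Bin or Trash as described above.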
3. Create a unique, strong password for Exodus
You've heard that before, but do you know what it means?
- Unique means: Not at all similar to any other password you use. Your Exodus password should not be the same or a variant of your email password, your social network passwords or any other password for that matter.
- Strong means: At least 16 characters long, comprised of random words. Look around you, choose 4-5 random words and create your password. You can put numbers and special characters in them to make them even more complex. Just make sure that none of these words have anything to do with you (like the name of your dog who's sleeping next to you).
- We discuss what a good password is and why it's important here.
THE ABOVE IS PRIVATE INFORMATION AND MUST REMAIN SUCH!
Do not share any of them with anyone, not even Exodus staff!
Do not store any of these on your computer, phone, cloud, flash drive, Dropbox or any other such service or device!
(The password managers discussed in the article above, and in more detail later, are an exception because they were made for the purpose of keeping information private, but even those need care in how they are used)
4. Keep your (legitimate) OS and your apps up to date. Especially Exodus.
I know, those update notifications have a nasty habit of popping up right when you are settling in to (re)watch the third season of The Office - use that update time to make a snack and crack open a beer. That way you’ll have the peace of mind knowing your apps are up-to-date. Many people think that keeping their OS up to date is not important for security, but experts think this is one of the most important tasks a user can do to keep their computer safe.
- This reduces your chances of being targeted with zero-day exploits (What are zero-day exploits?).
- We’re not kidding about the legitimate copy of Windows (macOS and Linux are free). It’s not worth compromising your computer to save a few bucks, because you don’t know what backdoors you’re installing with a pirated copy.
- We roll out a new version every second Friday, sometimes more often than that, so make sure to stay up to date. Exodus makes that super easy. Also, whenever there’s a security patch, you’ll get notified from within the app itself. In that case, install it right away!
5. Don’t visit suspicious sites or download material from untrusted or pirate sources
While these seem obvious and well-known to most, it’s common to act against our better judgment in these cases, because we just must see that funny video of the puppy yawning that a random contact on Facebook just sent us. Don’t!
- Do not download any kind of pirated material. We know this sounds like a scare tactic to protect the income of big software companies, but it's not. Pirated material, of any kind (programs, cracks, and even videos or documents), is the single most common way of delivering malware! Like a pirated OS, it's not worth it!
- Do not follow links randomly sent to you in an email, messenger, Reddit, Telegram, or any other communication platform
- Do not open attachments in emails if you do not trust the sender. Even if you do, be sceptical if anything seems out of place (like getting an email you didn't expect). If necessary, contact the sender to verify that they sent the email themselves.
- You can use https://www.virustotal.com to check links for security flags
- While rare, visiting a malicious website can download and install sophisticated malware that can open a backdoor and give an attacker complete control of your computer
- Safe browsing and downloading is the only way to be sure your computer is clean!
6. Don't boast about your crypto holdings
Especially publicly. Many YouTubers have fallen victim to hacks because they broadcast their holdings to the world and, on top of that, didn't take the necessary measures to protect themselves. There's no need to put a target on your back. Talk about crypto, definitely, just don't advertise that you hold a small (or big) fortune. This advice holds true up to Tier 4 and beyond!
After these steps, you’re protected against 50% of threats.
It’s not much, we know. But we didn’t do much either, right? We only went over the basics, things that you probably have already heard at some point, but perhaps didn’t take into account. Well now you do and perhaps that’s the biggest gain: the fact that you’re starting to develop a security-oriented way of thinking. That can go to great lengths in protecting you.
Was Tier One a breeze? Do you already keep your 12-word recovery phrase in a steel trap? Are you that friend who looks forward to OS updates? Even if you weren’t, you are starting to become one, right?
In any case, you are ready for Tier Two! This is where you can really step up your game, and give yourself some added peace of mind that your wallet and computer are better protected.
1. Use a hardware wallet
Exodus, being a software wallet, is only as secure as the computer it’s installed on and your security practices, and that’s what we are addressing in this article. But still, even after Tier 4, you’ll only be 99.9% protected, because no computer can ever reach 100%. For that reason, we suggest that you use a hardware wallet. Exodus has partnered with Trezor to combine the security of a hardware wallet with the ease of use and friendly interface of Exodus.
By using a Trezor you can overcome all the security vulnerabilities of software wallets. In fact, it's the easiest way to secure your funds, so it's definitely an investment worth making, especially if you keep large amounts.
If you choose to use a Trezor, make sure to buy it either from the link on our site or from Trezor directly. Do not purchase a hardware wallet on eBay, Craigslist, or any other retailer, and definitely don't get it second-hand, as you do not know if the product has been tampered with.
If you want to know more about Trezor in Exodus, these articles have all the information you need.
There are of course hardware wallets from other manufacturers and if you have one from them it's recommended to use it to store large amounts. You just won't be able to use it with Exodus, at least not yet. The most well-known manufacturers besides Trezor are:
2. Enable 2FA on all accounts.
This means emails, social media, exchanges and everywhere that’s available.
Don’t know what 2FA is? 2FA stands for Two-Factor Authentication and is usually implemented through your phone. It works on the principle that in order to login to your account you need two things: something you know (your password) and something you have (your phone). Want more info? Sure you do, so here’s the Wikipedia page.
- Use Google Authenticator or Authy. Don’t use SMS or email 2FA. It’s bad!
- Here’s a video demonstration of Google Authenticator.
- Why doesn’t Exodus have 2FA? Great question! Take a look at this article which goes into detail about this very topic.
3. Use a password manager
In the first tier, you created a unique and strong password for your wallet. Now, you might be worried that your other passwords aren’t so secure. With so many accounts and passwords to remember nowadays, it’s easy to slip into the bad habit of reusing your favorite password. Don’t! Using the same or similar passwords for everything can unravel your whole security net!
An easy way to create strong passwords, and track them across your accounts, is to use a password manager.
- There are a number of free and paid high-quality password managers on the market. Depending on your preferences and your operating system, you will need to choose the option which works best for you. These are a few of our favorites:
- KeePass is a free, open-source option for Windows. They also have unofficial distributions for other platforms.
- A cross-platform app that has both a free and paid plan is LastPass.
- We as a company use 1Password. It has only a paid plan but we recommend it as a wise investment. At first, you can start with the online account but as we move forward things will move offline!
- Dashlane is another popular paid option.
- For Mac users, there’s the option to use Apple’s own Keychain that can be synced through iCloud to all other Apple devices. Although such a solution might be acceptable for this Tier, it’s not recommended as a strong security practice, because the keychain is not protected by a second password other than your computer's password.
- And here is a review of free apps from PC Magazine if you want to explore other options as well.
- Change all of your important passwords to be strong and unique. Here are some accounts you should definitely consider important:
- Exodus (but see point number 7 below)
- Exchange accounts
- Any platform that stores your financial information, such as:
- Bank accounts
- PayPal, Venmo, etc.
- Uber, Lyft, etc.
- GrubHub, Deliveroo, etc.
- Use your password manager to generate strong passwords for each of those accounts. Set your password manager to generate passwords that are:
- At least 30 characters long.
- With numbers, mixed capitalization, and symbols
- Check if any website that you log in to has been compromised with the website https://haveibeenpwned.com/ - if your password has been compromised, change it immediately!
- Some password managers have tools to check this automatically, as well as checking if you have reused some passwords. Heed their warnings!
- Most password managers also offer to save and autofill 2FA codes for you. Although it's convenient, don't use that feature! You don't want to keep all your eggs in one basket.
IMPORTANT: Some browsers offer to remember your passwords. Don't use that feature! It's not safe. For example, if your Google account was compromised, all the passwords stored in Chrome would be compromised too! Delete any passwords stored by your browser and keep them only in your password manager.
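A breach check does not have to reveal your password to anyone. The Pwned Passwords service of haveibeenpwned.com offers a range lookup in which only the first 5 characters of the password's SHA-1 hash are sent, and the comparison happens on your machine. The sketch below is an added example, not code from Exodus or from any password manager; the offline stand-in service, its passwords and its counts are constructed so that it runs without a network.

```python
import hashlib
from urllib.request import Request, urlopen

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_hash(password):
    """SHA-1 the password; return (5-char prefix, 35-char suffix) in upper-case hex."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(password, fetch_range):
    """Return how often the password appears in known breaches (0 if never).

    Only the 5-character prefix is handed to `fetch_range`. The reply lists
    every known suffix under that prefix as "SUFFIX:COUNT", and the match is
    done locally, so the service never learns which password was checked.
    """
    prefix, suffix = split_hash(password)
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range_online(prefix):
    """Real lookup against the service (not exercised by the offline demo)."""
    req = Request(RANGE_URL + prefix, headers={"User-Agent": "pwned-check-example"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("ascii")


def make_offline_service(breached):
    """Constructed stand-in for the remote service.

    `breached` maps sample passwords to made-up breach counts. The returned
    `seen` list records exactly what a real server would have received.
    """
    table = {}
    for password, count in breached.items():
        prefix, suffix = split_hash(password)
        table.setdefault(prefix, []).append(f"{suffix}:{count}")
    seen = []

    def fetch_range(prefix):
        seen.append(prefix)
        # An unrelated constructed entry, as a real reply holds many suffixes.
        lines = table.get(prefix, []) + ["0" * 35 + ":1"]
        return "\r\n".join(lines)

    return fetch_range, seen


def demo():
    """Check one reused and one unique password against the offline stand-in."""
    fetch, seen = make_offline_service({"password123": 1234, "letmein": 99})
    reused = breach_count("password123", fetch)
    unique = breach_count("correct-horse-example-not-breached", fetch)
    return reused, unique, seen


if __name__ == "__main__":
    reused, unique, seen = demo()
    print("reused password found", reused, "times; unique password found", unique)
    print("what the service saw:", seen)
```

To check against the real service, pass `fetch_range_online` instead of the offline stand-in.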
4. Use a VPN and a firewall
A firewall is a necessary tool to have both on your computer and on your router. Firewalls protect your network from unauthorized traffic, especially from the Internet to your computer. A VPN gives you added privacy by securing and encrypting your communications and protects you from people intercepting your activity. It is especially important to use these tools when you are on an untrusted network.
- Don’t ever use public WiFi without them, and even then avoid any sensitive activity.
- Including a VPN and Firewall in your daily routine is especially important if you spend a lot of time working, studying, or just watching Netflix at your local cafés, bars, or bookstores
- All Operating Systems come with a default firewall nowadays, but there are some paid options that offer better functionality and protection. Here are our recommendations:
- MacOS: Little Snitch
- Windows: NetLimiter (although technically not a firewall it does a great job monitoring your activity and works wonders with Windows Defender)
- Linux: UFW (That’s free by the way. Linux, right?)
- There are many VPNs to choose from depending on your needs and the price you’re willing to pay. Some of them offer free solutions as well. Keep in mind though, that a VPN will slow down your internet speed and depending on whether it’s free or paid the impact might vary.
To learn more about how VPNs work, and why you should use one, check out our article: Why a VPN Matters for Crypto Users
5. Use antivirus and anti-malware programs, and keep them up to date.
Antivirus and antimalware programs are great for keeping you ahead of the curve and adding yet another layer of protection. While these are great tools to have in your arsenal, it’s important that you don’t rely on them to catch every threat and every problem in your computer.
Antivirus isn’t a panacea and it won’t protect you from unsafe browsing/downloading. Once again, the best way to make sure your computer is clean of malware is safe browsing and downloading. And don't underestimate the chances of getting malware if you don't follow this advice, or the havoc it can spread on your system. Malware is one of the biggest threats to your crypto holdings!
6. Keep your 12 words safe!
"Wait, didn’t we already talk about 12-words in the first tier?" You bet! Your 12-words are so important that they are worth mentioning twice. These Tier 2 tips will help you keep them extra safe:
- Don’t print them, write them down. We already mentioned this in Tier 1 as an option if you don’t have a printer at home, but it’s good practice either way.
- Create two copies that you keep in separate, secure locations. One in your house, hidden away in the pages of a book or stashed behind old stuff in a cupboard. The other at a completely different location, like your parents’ house or buried in the yard, so if one is destroyed by fire or flood, you’ll still have the other.
- Laminate them to protect them from the elements (do it at home, don’t go to a store: Clear packaging tape or clear book cover work just fine)
- Don’t use them unless absolutely necessary.
- After all these, our article: The Do's and Don'ts of 12-Word Phrases and Private Keys will likely be preaching to the choir, but do give it a read!
7. "I'm reading the article and I've been doing everything wrong! What should I do?"
If you found that your security practices haven't been the best ones so far, don't worry, you can always correct things. In some cases though, more drastic measures need to be taken.
- If your Exodus password hasn't been strong or unique, and your wallet is old enough to have an Email Backup Link, it's better if you create a new wallet with Exodus. Changing your password isn't enough, because your old backup link still works in combination with your old password.
- We know this isn't ideal, but because we don't keep your email we can't know what your old backup link is in order to invalidate it when you get a new one.
- If your wallet was created after Feb 1st, 2019 then you won't have a Backup Link. In that case, simply changing your password is all you need to do.
- If you were keeping your 12 words on cloud services, or in another electronic form, deleting them from there might not be enough. You never know what traces might be left behind. In this case, it's better if you create a new wallet, like above.
- If you have been using untrusted or pirated software the only way to be sure that you're running a clean system going forward is if you do a clean install of your Operating System. We know it's a drag, but all the security measures are for nothing if your computer has malware on it.
After these steps, you’re 80% protected
“What?!?! Are you kidding me? After all these things I’ve done, I’m only protected like 80%??” Yes, but the most common attacks happen in that 80%. Truth be told, even if you stopped here and did nothing more, especially if you use a Trezor, you'd be okay and it would likely take a careless act to compromise your wallet. But that’s not good enough, right? You've gotten into the whole security mindset and want to go all the way, not just for the security of your funds but for the security of your computer and online activity in general. So take a break as suggested, and then keep protecting.
You’ve made it through Tiers One and Two! Pat yourself on the back on a job well done! It’s as if you have a small army protecting your network and computer now. And yet, even with all of your new security measures in place, you still have a sneaking suspicion that there are lingering vulnerabilities for your crypto and your computer.
That brings you to Tier Three. This is where you will really start to fortify your security profile and make it extremely difficult for anyone to capitalize on any remaining loose ends.
1. Bring your password management to the next level
- Change all your passwords to the strongest type available
You already changed your important passwords, now it’s time to change all of them and let your password manager handle them for you. Use the strongest, longest, baddest option available: 64 characters with 10 numbers and 10 symbols (that’s what 1Password offers, others may offer longer). This kind of password will take several times the age of the known universe to crack with today’s computers. I’d say any potential hacker would have their work cut out for them.
- Remember part of your passwords
If you want to really take it to the next level you can memorize the last 4 characters of your most important passwords and delete those characters from the passwords stored in your password manager. That will protect these accounts in case your password manager account is compromised somehow. But don’t do this if you are not absolutely certain that you’ll remember those characters and don’t do it for more than 2 or 3 of them (your Exodus and your email, for example).
2. Safeguard your network
Network security settings are often overlooked when learning how to protect a computer. Don’t make the mistake of ignoring these settings. These little soldiers quietly add layers of protection to bulk up your security profile and deter malicious activity. Learning how to increase security on your home network is a quick way to make huge strides in protecting your assets.
- Enable WPA2 encryption on your WiFi. If not possible, use WPA.
- Do not use WEP!
- WPA2 means nothing without a strong, unique password. You have all the tools now to use one.
- Disable WPS. It makes your network insecure!
- Change router’s default password. You know the drill: Unique, strong password created by your password manager
- Upgrade your router’s firmware regularly.
- Regularly check the router’s logs for unauthorized activity. By checking the router’s logs you can see whether any unauthorized devices have been using your network. Each router is different but here’s a guide generally describing the procedure. Set a calendar reminder to check on this periodically so you don’t forget.
- Use VPN on the router too so that all your devices go through it. Most VPN providers offer solutions for certain routers that support VPN. If your router is one of them, enable the VPN on it as well. This will allow all traffic from your home network to the outside world to be encrypted. But still keep the VPN on your computer that has Exodus installed as well, for complete end-to-end encryption.
- Want to read more? Then have a look here and here
3. Save your old Backup Link offline
We typically don’t suggest this, but you’re a pro now, so you need pro protection. If you created your wallet before February 2019 and have chosen to receive a backup link, here are the steps you should follow:
- Save the email in a folder on a flash drive.
- Delete it from your email and empty its trash
- Encrypt the folder and use your password manager to create the password. Here are some guides on how to do that on Windows, MacOS, and Linux.
- Confirm that the file opens correctly.
- If the original (unencrypted) folder remains on your desktop or the flash drive, delete it and empty the recycle bin.
- Copy the encrypted folder to a second flash drive in case one of them fails.
Keep in mind though that the email is most likely never truly deleted. Most email providers keep the deleted emails on their servers. But it will definitely add a level of difficulty to any attacker’s attempt!
4. Encrypt your hard drive
Encrypting your hard drive will protect your data if it gets stolen or lost. Here’s how you can do that for all platforms. This password, which is also your login password, along with your password manager’s master password can and should be the only ones you’ll have to remember. However, keep in mind that encryption won’t protect your data once it’s decrypted, i.e. while you’re using your computer. For that reason:
Have your computer lock after a few minutes of inactivity or when you close your laptop’s lid. It’s no use to encrypt your hard drive if your computer is always unlocked and available for anyone to access.
These extensions will warn you if you visit any malicious sites that they have blacklisted. PhishFort is a cryptocurrency anti-phishing service that protects several prominent companies in the ecosystem, including Exodus, from having phishing versions of their sites or apps become a threat to their customers. Metamask is an interface for safely interacting with the Ethereum blockchain, like with wallets and decentralized exchanges.
Keep in mind though that neither of these extensions will warn you for sites that they don’t know about. You will need to remain diligent and not rely solely on these tools to warn you of all malicious sites. PhishFort has an easy way to report a phishing site right from within the extension, if you come across one that hasn't been blacklisted, contributing in this way to the protection against such attempts.
6. More and more protection for your 12 words
You guessed it! 12 words again. They are so important that we’ll come back to them in Tier 4 too. In Tier 2 you created two paper copies of them, now it’s time to really protect them:
- Keep one copy in a fireproof safe hidden somewhere in your house and the other in a safety vault in the bank. Seriously.
- Instead of paper, use something like CryptoSteel: https://cryptosteel.com. It guarantees your 12 words are protected from the elements. Great for both your Exodus and your Trezor recovery phrases!
After these steps, you’re protected against 95% of attacks.
You’ve locked down everything, your passwords are unbelievably strong, encryption is your middle name and your 12 words are stored in metal for crying out loud! Yes, all you need is careful online activity and you’re solid. It will take some really bad luck or a coordinated attack to break down your defences. But you don’t want to leave anything to chance. 95% is not good enough for you. You want the ultimate protection for your funds. You want The Fort Knox. Cause you ain't kidding!
You’re here! At the top tier of wallet security. It’s certainly no easy feat so well done! But you still got to actually implement "The Fort Knox", so no time to twiddle our thumbs. Straight to action!
A word of caution: Some of the suggestions in this Tier require a level of technical expertise and familiarity with computers and networks, so make sure you fully understand the guides provided and know what you’re doing before implementing any of them.
1. Top-level password management
As you’ve become more security conscious perhaps you’ve asked yourself this question already: “Is it safe that I use the password manager’s servers to sync my devices?” The answer is probably yes, but there’s no reason to put your trust and faith in that. You can save your passwords on your computer and sync them through your local network, so nothing leaves the safety of your home.
The instructions below are for 1Password. If you’re using another password manager please search for similar functionality on their sites.
- Create a local vault in your app (File > New Vault > New Standalone Vault...)
- Move all your items from your account vault to your local vault.
- Make your computer a WLAN server to sync your passwords with your iOS and Android devices.
- Make sure to sync all your mobile devices in that manner. That way you’ll have your passwords on all of them and they will also work as your backup in case your computer crashes.
In such an unfortunate event, you can temporarily move your passwords from your mobile devices to your account and sync through the password manager’s servers, until you set up a new WLAN server on your computer.
In addition to the above make sure that you enable the following in your password manager’s settings:
- Anything you copy from your password manager is deleted from your clipboard after 1 minute tops.
- Your password manager is locked after a few minutes of computer inactivity.
2. Protect your 12-words
IMPORTANT: Nothing beats offline! In a digital world paper is the ultimate protection against attacks. It is vulnerable, though, to other threats. This tip is meant as a protection measure compared to a simple paper copy of your 12-word recovery phrase. If you have implemented all the suggestions so far regarding your 12 words, stick with them. No need to go digital.
At this point, you can safely say that we are a broken record. But these final tips will help secure your passphrase to the maximum level and give you added peace of mind.
- Store them in your password manager. Make sure that they are hidden and you have to reveal them in order to see them.
- Store only 11 of them. Remove one from a random position. Make absolutely sure you remember both the word and the position! Do not use this tip unless you’re absolutely certain you’ll remember both word and position!
- Destroy any paper versions. Okay, you can probably keep the one in the security vault if you want.
3. Network fortification
Here comes the heavy artillery of network defenses! With these tips, your local network will be virtually impenetrable. However, because these settings differ greatly between routers and VPN providers, we can’t provide detailed instructions.
- Create different SSIDs on your router. The SSID (Service Set IDentifier) is basically your network’s name, and depending on your router you’ll be able to set up more than one:
  - One for your home devices
  - One for guests
  - One for your dedicated crypto computer (see below)
- Each one of them should be isolated from the rest and have a strong, unique password generated by your password manager. Well, your guest network could have an easier one since you're probably going to have to share it with people.
- You could add a time limitation on how long a device can stay logged in the guest network.
- Use advanced connection settings for your VPN, if your provider offers them, like Double VPN or VPN over TOR network. Some experimenting might be needed with this, as certain implementations over the TOR network might cause connection issues with Exodus. Also, in some cases you'll need to use servers that specifically allow P2P connections, otherwise Exodus might have trouble connecting to P2P nodes for BTC and LTC. However, this connectivity issue won't affect Exodus' functionality.
- Keep in mind, though, that VPN and TOR will significantly reduce your internet speed. In order to avoid that affecting your overall connection speed, TOR connections could be applied to the dedicated computer only (again, see below). Speed limitation isn’t a factor there.
4. Have a computer dedicated to Exodus
This is the quintessential protection method. A computer just for Exodus! Many people do this before many of the above steps. But we recommend it here, as the last step in protecting your crypto, because unless the proper security methods have been applied to everything else first, this measure is likely to provide only false protection. So here’s how to go about setting up that computer:
- First, do a clean install of your OS. Do not do anything else before doing that! If you're using Windows, it goes without saying that it needs to be a legitimate copy.
This computer should have installed on it only:
- A good firewall
- A VPN
- Your password manager that will have:
  - Your Exodus password
  - Login info for VPN and firewall
  - Your 12 (or 11) words for Exodus and your Trezor
To make sure that this information isn’t lost in case your computer crashes you should sync your passwords with a local folder and then save that folder on two flash drives. You can use the same flash drives that you used to store your Backup Link in Tier 3.
IMPORTANT: Make sure these flash drives are freshly formatted and not used for anything else, nor plugged into any other
- The computer should be kept offline and turned off, and only connected to send or receive funds, or to exchange assets within the wallet. No internet browsing or any other activity whatsoever! It’s called dedicated for a reason.
- Keep your OS and your apps up to date!
In order to transfer necessary information to this computer, like addresses to send funds to, you can use a Google doc where you paste the necessary address from your daily driver computer and read it on the Exodus dedicated computer. And that's about all the browsing you should do on it!
After these steps, you’re 99.9% protected (with Trezor, let's say it's 99.99999%).
Congratulations! You've done it! You’ve reached the pinnacle of protection. You’ve turned your computer into a digital Fort Knox. It will take an attack from ninja assassins to break through your defences now! Or some unsafe action, like exporting your Private Keys. So stay vigilant and keep the next section in mind in case you have to do such an action.
But before that, another round of applause and congratulations are in order, we believe. It was no easy task for sure, and we all admire your perseverance!
Now you have both the freedom that comes with controlling your wealth and the peace of mind to enjoy it!
Things that you might do that can weaken your security.
And how to do them “safely”
After trekking up those four tiers, it’s hard to believe that there is more on the security to-do list. In this section, we’ll cover some safety practices to further strengthen the security measures you just put into place.
These tips are called “practices” because they require ongoing diligence. Much like you should apply sunscreen every day, you should also apply good computer security measures every day. In the long run, these habits could be your saving grace against scammers or prying eyes.
Keep in mind that the most important thing when maintaining security is to protect your private information. This means you’ll need to fiercely guard your private keys and 12-word phrase, and take extra care when engaging in risky business, such as:
- Claiming forked coins
- Sending unsupported tokens
- Using some contracts, like EOS registration
Those three tasks will almost always require you to export and share your private key. As you know, using your private keys in any service weakens your security profile, and should only be done if absolutely necessary. So, before you are seduced by the next up-and-coming fork, take the time to learn and recognize the signs of a scam.
Things to keep in mind when asking questions about Exodus online:
- Exodus support will never ask you for your 12-word phrase, private keys, backup link, or password
- Exodus does not offer phone or video support.
- The only official channels of support are through email ([email protected]) and in our Slack channel:
- You can also reach out to us through our social media presence on Twitter and Facebook, but these channels are mostly for general, easy to answer questions.
Common signs of a scam
- Someone or something asking for your 12-word phrase or private keys
- Anything that guarantees returns or profits, especially high ones. Bitconnect is a prime example.
- There are many ETH, BTC, LTC, etc. giveaways on Twitter that are always scams. Always double check Twitter handles and report scammers. Our official Twitter handle is @exodus_io.
- Avoid anything that says they will send you crypto once you send them a small payment of crypto. For example, there are many scam crypto faucets and cloud mining scams which ask for deposits before sending any payouts.
- If you aren’t sure about the legitimacy of a site or address, you can check them on these sites:
- As mentioned in Tier 3, install PhishFort and MetaMask browser extensions to warn you if you visit any malicious site that they have blacklisted. But bear in mind that they won’t warn you for sites they don’t know about.
- Be sure to check out our article on How to Spot a Crypto Scam
Common phishing signs
- Airdrops that require your Private Key. Airdrops only need your public address, so any site that claims they will airdrop coins in your wallet if you enter your Private Key is a scam.
- Emails or direct messages with multiple spelling and grammatical errors
- Emails or direct messages randomly sent to you offering a crypto giveaway
  - These will usually ask you to submit your private key or send a “deposit”
- Incorrect sender’s address. Always check the sender’s address domain to confirm it is the correct one. If it is not the correct address, do not reply, follow any links, or open any attachments. Simply delete it!
- Any well-known company asking for private information or claiming that your account will be blocked/turned off without any apparent reason.
If you do find yourself tempted by the promise of free coins, be sure to follow these guidelines to keep your current assets safe:
- Look before you leap! When you find a project you’re excited about, do your due diligence by researching it extensively.
- Copy your Private Key and paste it directly in the destination wallet. Don't save it in a document first.
- Move all of the funds out of your address before you enter your private key to claim any forks.
Always make sure the site is legitimate before entering your private keys:
- For known sites (like MyEtherWallet) always type the address manually or use your own bookmarks
- Never follow links, even from search results
- Check that the site address is exactly correct
- Check for the security certificate
- Use MetaMask to access MyEtherWallet. A benefit of MetaMask is that you only need to export your Private Key once.
- Better yet! Send any unsupported tokens to your Trezor ETH address and use MyEtherWallet to manage them. That way no Private Key is ever exposed. Don’t send any unsupported tokens to Exodus, so you don’t have to export your ETH Private Key.
For unknown sites, like when you want to claim an airdrop:
- Never follow links to those unless you have searched them online and made sure they are legit
- Any site that asks you for a Private Key or your 12 words to claim something or give you access to airdrops is potentially a scam.
Practice safe forking, friends!