# Crypto Wallet Safety

## How MetaMask Works

MetaMask is code installed into the browser. It stores an encrypted copy of your private key on disk (this is why you have to enter a password to unlock it). MetaMask also tells websites how to interact with it. When you go to a website and "connect" to it, that is just the website saying "hey MetaMask, ask the user if it's OK if I know their public address". If you connect, the site learns your public address. Nothing is compromised and nothing moves.

{% hint style="danger" %}
**A connected site cannot steal your stuff unless you sign something.**

*It is possible for a scam site to compromise your wallet in other ways though, even if you didn't sign a transaction. See* [Different Kinds of Attacks](/toadex/community/web3-blockchain-and-crypto-tips-and-safety/different-kinds-of-attacks.md) *for more.*
{% endhint %}

{% embed url="<https://youtu.be/Af_lQ1zUnoM>" %}
How to set up MetaMask video for beginners.
{% endembed %}

## Best Practices

{% hint style="success" %}
**Get a hardware wallet**. It's more expensive and not as quick and easy to use, but it is the safest thing you can possibly do to protect your assets.
{% endhint %}

Write down your hardware wallet seed phrase *with pen and paper* (not in your notes app, not in an email, not in a picture, not in your LastPass). Store the note in a fire-safe box (or several copies in several boxes) in a secure location, like you would with your will or other precious documents. **NEVER EVER EVER EVER EVER EVER EVER EVER EVER EVER EVER EVER enter your seed phrase into a computer *anywhere*.**

**Don't click links**. Always go to the site directly. (e.g. if Coinbase emails you asking you to log in, type their address into your browser's URL bar yourself; don't use the email link.)

**Keeping a HOT and COLD wallet can help.** The hot wallet can be MetaMask and be on your phone for a degen on the go. The cold wallet should be a hardware wallet (like a Ledger or Trezor). You can treat the cold wallet like a vault: one way in, no way out. *(Check out the image below.)*

<figure><img src="/files/uj63lQNQWPHMgjeSNasc" alt=""><figcaption><p>Hot vs cold wallet graphic.</p></figcaption></figure>

**Always check what you are signing.** This can be challenging sometimes, especially on a hardware wallet. One strategy is to nickname common contracts and addresses in MetaMask. For instance, if you nickname the FROGS contract FROGS and then you go to another site, and it asks you to sign a transaction going to the FROGS contract, you know something is up.

**Token revocation** can help, but this can also be a source of scams. [Revoke.cash](https://revoke.cash/) is a well-known and great site, but those sites go down fast under heavy load. **Vaulting** is a better approach, but requires planning.

**Disconnecting from sites you are no longer using** is good practice, but it's not that useful. The attack here is that, if you are connected to a site with more than one account, the site can propose a transaction to sign for *Account 2* instead of *Account 1*. If you have nicknamed your accounts and are checking what you are signing, this is avoidable.
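The checks described under "Always check what you are signing" and in the Account 1 / Account 2 case above can be written down as code. This is an added example, not part of the original page and not MetaMask's own code; the addresses, nicknames and the `reviewRequest` helper are constructed for illustration, and only the four function selectors are the standard ERC-20/ERC-721 values.

```javascript
// Constructed addresses and nicknames, standing in for the ones set in your wallet.
const ACCOUNT_1 = "0x" + "11".repeat(20);
const ACCOUNT_2 = "0x" + "22".repeat(20);
const FROGS = "0x" + "f0".repeat(20);
const NICKNAMES = { [ACCOUNT_1]: "Account 1", [ACCOUNT_2]: "Account 2", [FROGS]: "FROGS" };

// Standard ERC-20/ERC-721 selectors for calls that move tokens or grant rights.
const SELECTORS = {
  "0x095ea7b3": "approve(address,uint256)",
  "0xa22cb465": "setApprovalForAll(address,bool)",
  "0xa9059cbb": "transfer(address,uint256)",
  "0x23b872dd": "transferFrom(address,address,uint256)",
};

const label = (addr) => NICKNAMES[addr.toLowerCase()] || "UNKNOWN " + addr;

// n-th 32-byte ABI argument as 64 hex chars (skips "0x" and the 4-byte selector).
const word = (data, n) => data.slice(10 + 64 * n, 74 + 64 * n);

// Build calldata for the constructed samples: selector, address, uint256/bool.
const encode = (selector, addr, valueHex) =>
  selector + addr.slice(2).padStart(64, "0") + valueHex.padStart(64, "0");

// Summarise a request and collect reasons to stop before signing.
function reviewRequest(tx, expectedFrom) {
  const data = (tx.data || "0x").toLowerCase();
  const call = SELECTORS[data.slice(0, 10)] || (data.length > 2 ? "unrecognised call" : "plain transfer");
  const warnings = [];
  if (tx.from.toLowerCase() !== expectedFrom.toLowerCase())
    warnings.push("signing account is " + label(tx.from) + ", not " + label(expectedFrom));
  if (!NICKNAMES[tx.to.toLowerCase()]) warnings.push("destination has no nickname");
  let grantee = null;
  if (call.startsWith("approve") || call.startsWith("setApprovalForAll")) {
    grantee = "0x" + word(data, 0).slice(24); // address = low 20 bytes of the word
    const arg = word(data, 1);
    const revoking = /^0{64}$/.test(arg); // amount 0 or approved=false
    if (!revoking && !NICKNAMES[grantee]) warnings.push("grants spending rights to " + label(grantee));
    if (call.startsWith("approve") && /^f{64}$/.test(arg)) warnings.push("unlimited allowance");
  }
  return { from: label(tx.from), to: label(tx.to), call, grantee, warnings };
}

// Constructed request: a site asks Account 2 to make an unknown address operator of FROGS.
const OPERATOR = "0x" + "bad".padEnd(37, "0") + "bad";
const sample = { from: ACCOUNT_2, to: FROGS, data: encode("0xa22cb465", OPERATOR, "1") };
console.log(reviewRequest(sample, ACCOUNT_1));
```

A zero amount or `approved=false` is treated as a revocation and raises no grant warning, which is the kind of transaction a revocation site would ask you to sign.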

This is a good article on all the ins and outs of how to keep your MetaMask safe: <https://coinguides.org/metamask-security/>

