# Crypto Wallet Safety

## How MetaMask Works

MetaMask is code installed into the browser. It stores an encrypted copy of your private key on disk (this is why you have to enter a password to unlock it). MetaMask also tells websites how to interact with it. When you go to a website and "connect" to it, that is just the website saying "hey MetaMask, ask the user if it's ok if I know their public address". If you connect, the site learns your public address and nothing else. Nothing is compromised and nothing moves.

{% hint style="danger" %}
**A connected site cannot steal your stuff unless you sign something.**

*It is possible for a scam site to compromise your wallet in other ways though, even if you didn't sign a transaction. See* [different-kinds-of-attacks](https://frogland.gitbook.io/toadex/community/web3-blockchain-and-crypto-tips-and-safety/different-kinds-of-attacks "mention") for more.
{% endhint %}

{% embed url="https://youtu.be/Af_lQ1zUnoM" %}
How to set up MetaMask video for beginners.
{% endembed %}

## Best Practices

{% hint style="success" %}
**Get a hardware wallet**. It's more expensive and not as quick and easy to use, but it is the safest thing you can possibly do to protect your assets.
{% endhint %}

Write down your hardware wallet seed phrase *with pen and paper* (not in your notes app, not in an email, don't take a picture of it, not in your LastPass). Store the note in a fire-safe box (or several copies in several boxes) in a secure location, like you would with your will or other precious documents. **NEVER EVER EVER EVER EVER EVER EVER EVER EVER EVER EVER EVER enter your seed phrase into a computer *anywhere*.**

**Don't click links**. Always go to the site directly. (e.g. if Coinbase emails you asking you to log in, type their address into your browser yourself - don't use the email link.)

**Keeping a HOT and COLD wallet can help.** The hot wallet can be MetaMask and be on your phone for a degen on the go. The cold wallet should be a hardware wallet (like a Ledger or Trezor). You can treat the cold wallet like a vault: one way in, no way out. *(Check out the image below.)*

<figure><img src="https://4078035464-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FONP8xfqjC236o4CK1dmb%2Fuploads%2FUO17XLlq6TQVmlMJsQAT%2FWallets.png?alt=media&#x26;token=a8029394-80c8-4d0e-83bb-d2ad6f54f098" alt=""><figcaption><p>Hot vs cold wallet graphic.</p></figcaption></figure>

**Always check what you are signing.** This can be challenging sometimes, especially on a hardware wallet. One strategy is to nickname common contracts & addresses in MetaMask. For instance, if you nickname the FROGS contract FROGS and then you go to another site, and it asks you to sign a transaction going to the FROGS contract, you know something is up.

**Token revocation** can help, but this can also be a source for scams. [Revoke.cash](https://revoke.cash/) is a well known and great site, but those sites go down fast under heavy load. **Vaulting** is a better approach, but requires planning.

**Disconnecting from sites you are no longer using** is good practice but it's not that useful. The attack here is that, when you are connected to a site with more than one account, the site can propose a transaction to be signed by *Account 2* instead of *Account 1*. If you have nicknamed your accounts and are checking what you are signing, this is avoidable.
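The three tips above (nickname your contracts, watch token approvals, watch which account is being asked to sign) can be written down as a pre-signing checklist. The following is an added example, not MetaMask's code and not from this guide: a small JavaScript inspector that takes a transaction request in the shape a site hands to a wallet (`from`, `to`, `data`, `value`) plus the user's own nickname list, and returns the findings a cautious signer would want to read before clicking "Confirm". The nicknames, addresses and sample transactions are constructed; the function selectors are the standard ERC-20/ERC-721 ones.

```javascript
// Added example (not MetaMask code): a pre-signing checklist in code.
// It mirrors the advice above: know the target, know the account that is
// signing, and read what the calldata actually does.

// Constructed sample address book: the nicknames a user assigned in their wallet.
const ADDRESS_BOOK = {
  "0x1111111111111111111111111111111111111111": "Account 1 (hot)",
  "0x2222222222222222222222222222222222222222": "Account 2 (vault)",
  "0x3333333333333333333333333333333333333333": "FROGS contract",
};

// Standard ERC-20 / ERC-721 selectors: first 4 bytes of keccak256(signature).
const SELECTORS = {
  "0x095ea7b3": "approve(address,uint256)",
  "0xa22cb465": "setApprovalForAll(address,bool)",
  "0xa9059cbb": "transfer(address,uint256)",
};

const MAX_UINT256 = (1n << 256n) - 1n; // "unlimited" allowance

function nickname(addr) {
  return ADDRESS_BOOK[(addr || "").toLowerCase()] || null;
}
function label(addr) {
  return nickname(addr) || addr;
}

// Return the i-th 32-byte ABI word (as 64 hex chars) after the 4-byte selector.
function word(data, i) {
  const start = 10 + i * 64; // "0x" + 8 hex chars of selector
  return data.slice(start, start + 64);
}
const wordToAddress = (w) => "0x" + w.slice(24);
const wordToBigInt = (w) => BigInt("0x" + w);

// Inspect a transaction request and return human-readable findings.
// expectedFrom is the account the user believes they are using on this site.
function inspectTransaction(tx, expectedFrom) {
  const findings = [];
  const data = (tx.data || "0x").toLowerCase();
  const from = (tx.from || "").toLowerCase();
  const to = (tx.to || "").toLowerCase();

  // 1. Which account is being asked to sign? (the multi-account attack above)
  if (expectedFrom && from !== expectedFrom.toLowerCase()) {
    findings.push(`WARNING: signer is ${label(from)}, not ${label(expectedFrom)}`);
  }

  // 2. Is the target an address you have nicknamed?
  if (nickname(to)) findings.push(`target: ${nickname(to)}`);
  else findings.push(`WARNING: target ${to} is not in your address book`);

  // 3. What does the calldata do?
  if (data.length < 10) {
    findings.push(`plain ETH transfer of ${BigInt(tx.value || "0x0")} wei`);
    return findings;
  }
  const fn = SELECTORS[data.slice(0, 10)];
  if (!fn) {
    findings.push(`WARNING: unknown function ${data.slice(0, 10)}`);
    return findings;
  }
  findings.push(`calls ${fn}`);
  const firstAddr = wordToAddress(word(data, 0));
  const second = wordToBigInt(word(data, 1));
  if (fn.startsWith("approve(")) {
    if (second === MAX_UINT256) {
      findings.push(`WARNING: unlimited token approval to ${label(firstAddr)}`);
    } else {
      findings.push(`approves ${second} token units to ${label(firstAddr)}`);
    }
  } else if (fn.startsWith("setApprovalForAll(") && second === 1n) {
    findings.push(`WARNING: gives ${label(firstAddr)} control of ALL NFTs in this collection`);
  } else if (fn.startsWith("transfer(")) {
    findings.push(`sends ${second} token units to ${label(firstAddr)}`);
  }
  return findings;
}

function hasWarnings(findings) {
  return findings.some((f) => f.startsWith("WARNING"));
}

// Constructed sample: a site asks the vault account to give an unknown spender
// an unlimited allowance on the FROGS contract, while the user expected Account 1.
const SAMPLE_APPROVAL = {
  from: "0x2222222222222222222222222222222222222222",
  to: "0x3333333333333333333333333333333333333333",
  data:
    "0x095ea7b3" +
    "0".repeat(24) + "9999999999999999999999999999999999999999" + // spender
    "f".repeat(64), // amount = 2^256 - 1
  value: "0x0",
};

console.log(inspectTransaction(SAMPLE_APPROVAL, "0x1111111111111111111111111111111111111111"));
```

The point of the exercise is the third check: a nicknamed target is not enough on its own, because an `approve` on a contract you trust can still hand your tokens to a spender you have never heard of. A real wallet decodes far more than three functions, but the shape of the check (who signs, where it goes, what it does) is the same.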

This is a good article on all the ins and outs of how to keep your MetaMask safe: <https://coinguides.org/metamask-security/>
