How Investors Can Keep Crypto Assets Safe
It’s too easy to lose everything. Here’s a guide to where—and how—to store digital currencies, NFTs and more.
There are multiple options to store crypto assets, and how you go about it depends largely on factors such as how often you trade and how much crypto you hold. One option is the custodian method. This is where companies like Coinbase Custody and Gemini are in charge of securely storing your funds, similar to how a bank keeps your money in a checking or savings account. These services are known as custodial wallets, and they take charge of your private keys—long, randomly generated passwords made up of numbers and letters—that allow crypto transactions to occur. You log in to your account with an email and password—ideally with multifactor authentication set up—and you’re good to buy, sell and trade crypto.
These custodian services charge an annual custody fee that generally runs less than 1% of the assets under custody, and there may be other fees related to account setup and withdrawals. All of these costs can eat into your profits, and there’s always the possibility that these services can be hacked or go bankrupt.
Still, custodians offer an easy entry point for beginners and those who don’t want the responsibility of having to keep track of their private keys or much more than a password. “Ultimately, you’re trusting that third party to behave reputably,” says David L. Yermack, the Albert Fingerhut professor of finance and business transformation at the NYU Stern School of Business.
Be aware, though, that a replacement device will let you gain access to your holdings only if you have your recovery seed—a security method used on hardware wallets that acts as a kind of master password to access your crypto. So you must be sure to safely store a copy of your seed—a string of 12 to 24 words—somewhere. Well-known hardware-wallet makers include Trezor and Ledger.
Spread out your holdings
One method involves using two wallets: a hot wallet, which is accessible online, to be used on a day-to-day basis for spending or trading; and a cold wallet, such as a piece of hardware, which remains offline. “The hot wallet is perhaps more vulnerable to theft. So you put just enough for your predicted expenses in that one,” says Damon McCoy, associate professor of computer science and engineering at New York University’s Tandon School of Engineering. “It’s a balancing act,” he says.
People who use self-custody for their crypto need to guard their private keys appropriately from theft and accidental loss. A popular recommendation is to write down your private keys on paper and store them in a secure place such as a fireproof safe, a safe-deposit box at a bank, or an offline computer with no Wi-Fi or internet access. And, as before, if you’ve got a hardware wallet, be sure to keep your seed phrase secure and back it up.
thieves. “You really have to go old school,” he says.
For safekeeping, you might also consider splitting up a private key and distributing it among a few trusted individuals, though it’s advisable to have a backup plan in case one of the parts gets lost. You could also splinter your seed phrase.
“Just remember, the more complicated you make the retrieval process, the more likely you are to forget or lose something—and therefore lose access to your funds,” says Ben Weiss, chief executive and co-founder of CoinFlip, a bitcoin ATM operator.
There’s some debate among experts over whether crypto owners should use a password manager such as LastPass or KeePass, which many people use for storing passwords for all sorts of financial and online accounts. This decision can come down to personal comfort level with a particular password manager and how much crypto you hold. “I know that there are a lot of people who do this for convenience, and if you have two-factor authentication enabled, it is seen as ‘safe enough,’ ” says Adam Morris, co-founder of Crypto Head, a platform that helps crypto users learn about the industry. “But when dealing with potentially life savings, we wouldn’t recommend it.”
Consider tougher measures
When you’re using a custodian, experts recommend sticking with multifactor authentication—meaning you need more than just a password to verify your identity and access your account.
Many services allow you to authenticate your identity by text message, but Dr. McCoy recommends a software-based authenticator such as Google Authenticator or a U2F token, a physical device that allows users to securely access online services. This avoids the problem of SIM swapping, where scammers usurp a person’s phone number to gain access to their device and accounts.