As web3 technologies evolve, one intent remains clear - the shift from centralized to distributed control, and putting more control in the hands of users.
All of the enabling web3 technologies from blockchain and cryptocurrencies, to decentralized finance (DeFi) and non-fungible tokens (NFTs) enable users to control outcomes more so than centralized entities.
However, with great power comes great responsibility.
From early in 2021 to just this past month, stories appeared on how Lost Passwords Lock Millionaires Out of Their Bitcoin Fortunes, tens of billions worth of Bitcoin have been locked by people who forgot their key, and Half a Billion in Bitcoin, Lost in the Dump. All of these situations come down to a lost key or lost password that prevented the Bitcoin owners from accessing their assets.
Regardless of your opinion of centralized entities, they often have a mechanism to validate your account and help you with credentials. For example, few people complain about losing access to their traditional bank.
However, with cryptocurrency, the very intent to distribute authority means that there is no easy recovery mechanism should something go wrong. A widespread phrase on the internet is that there is no 1-800 toll free number to call when things go awry in crypto.
With more decentralized applications, users must take responsibility for their credentials. While authentication options evolve to links via email, security keys, biometrics, and device-specific identities, most of these technologies rely on some type of username and password. A range of new sign in mechanisms via wallets also ties back to the seed phrase, username, and password for the wallet.
For many, using a password manager is the best combination of security and convenience. A password manager can store credentials with end-to-end encryption and make them available across all platforms using cloud synchronization, and in the case of Bitwarden, an option to self-host if desired.
1. Get a password manager
You can start with the fully featured free version of Bitwarden that stores unlimited logins across unlimited devices.
Be sure to use a unique password as your main Bitwarden password. Keep your main Bitwarden password in a safe place that you can remember.
You might also choose to use a unique email for your password manager, if you have the ability to create an alias easily.
2. Enable two-factor authentication for your password manager
This can be accomplished through authentication apps, email, SMS, and security keys. Different options work for different people so find what works best for you.
Whichever you choose, be sure to backup the two-step login recovery code for your password manager and also keep that in a safe place should you lose access to your authentication device.
Check out our framework for The Triangle of Security Success to see how you can instrument your email address, two-factor authentication, and your password manager to keep you safe:
3. Backup your vault
Make a backup of your vault and store that in a safe place, either electronically on a USB drive, or encrypted storage device, or print it out and put it in an extremely secure place like a locked safe.
Note that in Bitwarden you can make unencrypted or encrypted exports. Encrypted exports use your main Bitwarden username and master password so if you lose that, you will not be able to restore an encrypted backup.
4. For extra security you can
pepper select passwords
Some users prefer not to keep everything in their vault, or they like to handle sensitive passwords with an extra step.
One option is to
pepperyour passwords by adding a few extra characters that only you know. These can be manually added to a login after the password manager has filled it in automatically.
Keeping usernames and passwords, including peppered passwords, in a password manager makes autofill and syncing across devices easy. Some users say, however, that seed phrases, which often cannot be changed, are best left offline. From a recent Reddit thread:
"I wouldn't save crypto seeds to a password manager. I mean, IF, the value of the crypto wallet is big (more than 0.5 BTC) I would keep it offline.
However if the value is low, say 1000-2000$ why not. BW is safe and in the very worst case you would only risk <2000$"
5. Set up Emergency Access
With Bitwarden Premium Features, enabled with any paid plan, you can designate an emergency contact should you lose access to your vault. This provides another mechanism to stay protected and ensure your loved ones retain access to critical assets.