MetaMask Security Best Practices

The financial revolution is here. We're detouring around parasitic middlemen and building a parallel system powered by the internet and cryptography.

Your passport to this brave new world is MetaMask, a crypto wallet and gateway to blockchain applications. Think of it as a key card, money changer, and bank account rolled into one.

Over ten million monthly users now use MetaMask to interact with the Ethereum network. MetaMask isn't the only wallet you can use to interact with Ethereum, but it is the most popular. Key to the wallet's exponential growth has been its widespread acceptance among Web3's DeFi protocols and the recent NFT boom.

While the prospect of being your own bank is exciting, it isn't without its risks. One of the fundamental aspects of crypto is self-sovereignty and personal responsibility. Send a wire transfer to the wrong recipient with a bank and there's a decent chance they'll be able to recover your funds. Send USDC to the wrong address and the funds are likely irretrievable. In crypto you and you alone are responsible for your assets and their security.

A bank has a vault and maybe an armed guard protecting its funds. In crypto, encryption is the vault, and whoever has the private keys has access to it. If you're using MetaMask to send, receive, and store crypto, then your private keys are likely on the wallet too. Thus, it behooves you to follow some security best practices to ensure they remain secure.

I noticed a lot of the security tips for MetaMask were scattered across different locations, so I thought it'd be a good idea to put them all in one article. The list isn't exhaustive, but adhering to the practices mentioned will greatly decrease your chances of falling victim to a hack.

Verify You're Using An Authentic Version Of The Browser Extension

Before interacting with the exciting world of DeFi and Web3 you'll need to install the MetaMask browser extension. For most people this entails downloading the extension from the web store of your browser of choice.

But how do you know you're running an authentic version of the software and not a modified, malicious clone (such as in this spooky instance)? By checking the extension's namespace.

To do this from Chrome or Brave, access the extensions pane of your browser by entering the following in the address bar:

brave://extensions/

chrome://extensions/

Then, click the Details button under the MetaMask extension.

The address should look like this:

chrome://extensions/?id=nkbihfbeogaeaoehlefnkodbefgpgknn

See the thirty-two-character id at the end of the address? It should match the namespace below. If it does, you can be confident you're running an authentic version of the browser extension.

Chromium namespace: nkbihfbeogaeaoehlefnkodbefgpgknn (this will remain accurate as long as the author of the extension remains the same).

If you're running Firefox as your browser, see the following Medium article for instructions on how to check the namespace (there's also another set of instructions with pictures for Chromium users).

How to Ensure You're Running the Legitimate Version of MetaMask
A recent attack for $8M has led to many asking how to protect themselves from similar attacks. This will help.
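As an added illustration (not code from the original article or from MetaMask), the following Python script automates the check described above: it pulls the id out of the extension details address and compares it with the Chromium namespace quoted above. It also shows how Chromium derives an id from the item's signing key, which is why the id stays valid only as long as the author stays the same. Any key bytes fed to it here are constructed, not MetaMask's real key.

```python
import hashlib
import hmac
import string
from typing import Optional
from urllib.parse import parse_qs, urlparse

# The MetaMask Chromium extension id quoted in the article above.
METAMASK_ID = "nkbihfbeogaeaoehlefnkodbefgpgknn"

# Chromium writes extension ids with the letters a..p standing in for hex 0..f.
ID_ALPHABET = string.ascii_lowercase[:16]


def extension_id_from_public_key(der_public_key: bytes) -> str:
    """Derive a Chromium extension id from the item's DER-encoded public key.

    Chromium takes SHA-256 of the key, keeps the first 128 bits, and maps each
    hex nibble to a letter a..p. Because the id is a function of the signing
    key alone, it does not change between releases of the same extension.
    """
    digest = hashlib.sha256(der_public_key).hexdigest()[:32]
    return "".join(ID_ALPHABET[int(nibble, 16)] for nibble in digest)


def is_well_formed_id(ext_id: str) -> bool:
    """An extension id is exactly 32 characters, all drawn from a..p."""
    return len(ext_id) == 32 and all(c in ID_ALPHABET for c in ext_id)


def extension_id_from_url(url: str) -> Optional[str]:
    """Extract the id= parameter from a chrome:// or brave:// extensions address."""
    parsed = urlparse(url)
    if parsed.scheme not in ("chrome", "brave") or parsed.netloc != "extensions":
        return None
    ids = parse_qs(parsed.query).get("id", [])
    return ids[0] if len(ids) == 1 else None


def is_authentic_metamask_url(url: str) -> bool:
    """True only if the details-page address carries exactly the known MetaMask id."""
    ext_id = extension_id_from_url(url)
    if ext_id is None or not is_well_formed_id(ext_id):
        return False
    # compare_digest avoids leaking where the strings differ; harmless for a local check.
    return hmac.compare_digest(ext_id, METAMASK_ID)


if __name__ == "__main__":
    print(is_authentic_metamask_url("chrome://extensions/?id=" + METAMASK_ID))  # True
    print(is_authentic_metamask_url("chrome://extensions/?id=" + "a" * 32))     # False
```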

Backup And Store Your Secret Recovery Phrase

Anyone who has ever set up a crypto wallet before will likely be familiar with the concept of a Seed Phrase. This is a series of words which have the power to re-instantiate your wallet and control access to your funds.

MetaMask also uses a Seed Phrase, though to emphasize its importance they call it a 'Secret Recovery Phrase.' This is a 12-word phrase that every user will receive when they set up their MetaMask wallet. This phrase should be backed up and stored in a very secure location, preferably offline. If you lose your MetaMask password you can use the Recovery Phrase to re-instantiate your wallet and regain access to all of your funds. However, if a bad actor were to come into possession of your Recovery Phrase, they could do the same.

That's why it's so important to never share your Secret Recovery Phrase with anyone. And by anyone, I do mean anyone, including someone pretending to be MetaMask, who will never ask you for your Recovery Phrase.

Social engineering someone out of their Seed Phrase is a popular attack vector in crypto, and MetaMask is no exception. The importance of keeping your Secret Recovery Phrase secure cannot be stressed enough. Hell, just in researching this article I came across a website inviting me to 'verify' my MetaMask wallet by entering my seed phrase.

No way, José. Repeat after me: NEVER SHARE YOUR RECOVERY PHRASE.

Use In Tandem With A Hardware Wallet

Nobody wants to lose any amount of money, no matter how big or small, but if you're keeping an amount you really can't afford to lose on your MetaMask I highly recommend investing in a hardware wallet. Think of this as adding an extra layer of security to your MetaMask browser extension. Instead of your private keys being stored on MetaMask, they will be kept on the offline hardware wallet.

You have two options for which wallet to use with MetaMask: Ledger or Trezor. Having used both, I can confidently say Trezor provides a much better user experience. There's also the fact that they didn't leak customer data, which is more than Ledger can say.

Be Careful Who You Grant Permissions To

Depending on how involved you are in DeFi, you may browse a lot of different protocols. Most of them will require you to connect your Web3 wallet before you can interact with them, or even launch them.

When first interacting with a Dapp you will need to connect it with your wallet and approve certain permissions. Certain Dapps, like a decentralized exchange, will request permission to spend your funds. There is an obvious potential to get rekt here if you grant permission to a malicious protocol.

So, it's advisable to only grant access and permissions to widely used protocols. There are also applications available to audit Dapp connections. For a list of these, as well as more information on permissions, see this article.

I'd also advise you to periodically go through your MetaMask connections and disconnect those not in use. To do this, click the three-dot menu on the upper right of your wallet (to the right of your account name and wallet address). This will open up your Account Settings. From there, click on Connected sites, then click on the trash can icon next to the sites you'd like to remove.
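An added example, not part of the original article: the "permission to spend your funds" a decentralized exchange asks for is usually an ERC-20 approve() transaction, whose raw hex data MetaMask shows in the confirmation it asks you to sign. This Python snippet decodes that data, flags an unlimited allowance (the worst case if the protocol turns out to be malicious), and builds the approve(spender, 0) transaction that revokes it. The spender address is a constructed placeholder, not a real contract.

```python
from typing import NamedTuple, Optional

# keccak256("approve(address,uint256)")[:4]; every ERC-20 approval starts with it.
APPROVE_SELECTOR = "095ea7b3"
UNLIMITED = 2**256 - 1  # the "infinite" allowance many Dapps request by default


class Approval(NamedTuple):
    spender: str
    amount: int

    @property
    def unlimited(self) -> bool:
        return self.amount == UNLIMITED


def decode_approve(calldata: str) -> Optional[Approval]:
    """Decode the data field of an ERC-20 approve() call.

    ABI layout: 4-byte selector, then two 32-byte words: the spender address
    (left-padded with zeros) and the uint256 amount. Returns None for anything else.
    """
    data = calldata[2:] if calldata.startswith("0x") else calldata
    if len(data) != 8 + 64 + 64 or data[:8].lower() != APPROVE_SELECTOR:
        return None
    spender_word, amount_word = data[8:72], data[72:136]
    if spender_word[:24] != "0" * 24:  # an address only fills the low 20 bytes
        return None
    return Approval("0x" + spender_word[24:].lower(), int(amount_word, 16))


def describe(calldata: str) -> str:
    """One-line risk summary a user could read before clicking Confirm."""
    approval = decode_approve(calldata)
    if approval is None:
        return "not an ERC-20 approve() call"
    if approval.unlimited:
        return f"UNLIMITED allowance for {approval.spender}: it can move this token at any time"
    return f"allowance of {approval.amount} base units for {approval.spender}"


def encode_revoke(spender: str) -> str:
    """Calldata for approve(spender, 0): the transaction that revokes an allowance."""
    addr = spender[2:].lower() if spender.startswith("0x") else spender.lower()
    return "0x" + APPROVE_SELECTOR + addr.rjust(64, "0") + "0" * 64


# Constructed sample: an unlimited approval to a placeholder spender (not a real contract).
SPENDER = "0x" + "11" * 20
UNLIMITED_APPROVAL = "0x" + APPROVE_SELECTOR + SPENDER[2:].rjust(64, "0") + "f" * 64
```

Run decode_approve() over the data of a pending approval and you can see exactly which contract gets access and whether the cap is your whole balance; the same layout lets you verify a revoke transaction before signing it.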

Use The Auto-Lock Timer Setting

Just as you wouldn't leave your cell phone lying around unlocked, it's also not a great idea to leave your MetaMask in a perpetually unlocked state.

Fortunately, like your phone, MetaMask also has an auto-lock feature. To enable it:

Click on your account in the very upper right hand corner.

Select Settings -> Advanced

Scroll down to Auto-Lock Timer (minutes)

Enter the number of minutes you'd like before MetaMask auto-locks, then click Save.

Voila, your MetaMask will now auto-lock after however many minutes you designated.

Conclusion

We are now in the early stages of Web3. Innovation in the space is occurring at a rapid pace, with security sometimes taking a back seat. As such, DeFi often feels like the wild west. Like the old west, pioneers of this nascent digital continent will encounter equal amounts of opportunity and risk.

As such, it behooves each digital pioneer to keep his wits about him and take his own security seriously. Doing so will greatly increase your odds of succeeding in the new digital paradigm.

For those ready to take responsibility for their own financial destiny the decentralized frontier awaits...