Defense in Depth
In the last module, you learned about common attacks. Now let's implement practical defenses. Security isn't about one perfect solution—it's about layers of protection.
Think of it like home security: You don't just rely on a door lock. You also have window locks, an alarm system, outdoor lighting, and maybe a safe for valuables. If one layer fails, the others still protect you.
The Bitcoin Security Layers:
Device Security → Account Security → Wallet Security → Transaction Security → Storage Security
Hot Wallets vs Cold Wallets
The fundamental security decision: Should your Bitcoin be connected to the internet (hot) or kept offline (cold)?
| Feature | Hot Wallet (Mobile/Desktop) | Cold Wallet (Hardware) |
|---|---|---|
| Connection | Always online | Offline (air-gapped) |
| Security | Vulnerable to malware, phishing | Highly secure, immune to online attacks |
| Convenience | Very convenient for daily use | Less convenient, requires device |
| Cost | Free | $50-$200 |
| Best For | Small amounts, daily spending | Savings, large amounts |
| Examples | BlueWallet, Electrum, Muun | Ledger, Trezor, Coldcard |
Recommended Setup for Different Holdings
- $100-$1,000: Non-custodial mobile hot wallet (BlueWallet, Muun)
- $1,000-$5,000: Split between hot wallet (spending) and cold wallet (savings)
- $5,000+: Primarily cold storage, small amount in hot wallet for liquidity
- $50,000+: Multi-signature cold storage setup
Pro Tip: Think of hot wallets like your physical wallet (cash for daily use) and cold wallets like a bank vault (savings you rarely touch).
Password & PIN Security
Weak passwords are the #1 way accounts get compromised. Let's test your password strength and learn what makes a secure password.
Password Strength Tester
Test different passwords to see what makes them strong or weak
Password Best Practices
- Length is key: Minimum 16 characters for important accounts
- Use a password manager: 1Password, Bitwarden, or KeePassXC
- Unique passwords: Never reuse passwords across services
- Passphrases work: "correct-horse-battery-staple" is better than "P@ssw0rd1"
- Avoid personal info: No names, birthdays, pet names, etc.
- Hardware wallet PINs: Use 8+ digits, avoid patterns like 1234 or 0000
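To make the "length beats complexity" and PIN-pattern points concrete, here is an added estimator (not part of this module or any product's code) that scores a multi-word passphrase per word, a mangled dictionary word per dictionary entry, and only a random-looking string per character. The word-list size, the 16-bit cracker-dictionary assumption and the tiny common-word set are assumptions chosen for the demonstration.

```python
import math
import re

# Assumptions for this example, not figures from the module.
WORDLIST_SIZE = 7776        # Diceware-style passphrase list, ~12.9 bits per random word
DICT_BITS = 16              # assume a cracker dictionary of ~65k common base words
LEET = str.maketrans("@40$1!3", "aaosiie")   # undo common symbol/digit substitutions
COMMON_BASES = {"password", "bitcoin", "wallet", "welcome", "letmein", "qwerty"}  # constructed

def charset_size(pw: str) -> int:
    """Size of the union of character classes present in pw."""
    classes = [(r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^A-Za-z0-9]", 33)]
    return sum(n for pat, n in classes if re.search(pat, pw))

def estimate_bits(pw: str) -> float:
    """Rough guessing-entropy estimate in bits.
    Passphrases of 3+ dictionary words are scored per word (an attacker guesses words,
    not letters); a common word with leet substitutions and trailing digits is scored
    as one dictionary entry plus a few bits; anything else is scored per character."""
    if not pw:
        return 0.0
    words = re.split(r"[-\s_.]+", pw.strip())
    if len(words) >= 3 and all(w.isalpha() for w in words):
        return len(words) * math.log2(WORDLIST_SIZE)
    core, trailing_digits = re.match(r"^(.*?)(\d*)$", pw).groups()
    base = core.lower().translate(LEET)
    if base in COMMON_BASES:
        substitutions = sum(1 for a, b in zip(core.lower(), base) if a != b)
        case_bits = 1 if core != core.lower() else 0
        return DICT_BITS + substitutions + case_bits + len(trailing_digits) * math.log2(10)
    return len(pw) * math.log2(charset_size(pw))

def pin_weaknesses(pin: str) -> list[str]:
    """Reasons a hardware-wallet PIN is weak; an empty list means none were found."""
    if not pin.isdigit():
        return ["contains non-digits"]
    issues = []
    if len(pin) < 8:
        issues.append("fewer than 8 digits")
    if len(set(pin)) == 1:
        issues.append("single repeated digit")
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    if len(pin) > 1 and steps in ({1}, {-1}):
        issues.append("sequential digits")
    return issues

if __name__ == "__main__":
    for candidate in ("correct-horse-battery-staple", "P@ssw0rd1"):
        print(f"{candidate!r}: ~{estimate_bits(candidate):.1f} bits")
    for pin in ("1234", "0000", "48216950"):
        print(pin, pin_weaknesses(pin) or "no obvious weakness")
```

The passphrase scores roughly 52 bits against roughly 22 for the mangled word, which is the gap the best-practices list describes.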
Two-Factor Authentication (2FA)
2FA adds a second verification step beyond your password. Even if someone steals your password, they still can't access your account without the second factor.
Types of 2FA (From Weakest to Strongest)
| Type | Security Level | Vulnerability |
|---|---|---|
| SMS/Text Message | ⚠️ Low | Vulnerable to SIM swap attacks |
| Email Code | ⚠️ Low | If email is compromised, 2FA is bypassed |
| Authenticator App | ✓ Good | Requires device access |
| Hardware Security Key | ✓✓ Best | Requires physical key, phishing-resistant |
Recommended Setup
Use authenticator apps (Google Authenticator, Authy) for exchanges, email, and password managers. Never use SMS 2FA when better options exist. Always save backup codes.
⚠️ Critical: Store your 2FA backup codes in a secure location (not the same place as your seed phrase). If you lose your phone without backups, you could be locked out.
Spotting & Preventing Phishing
Phishing is when attackers impersonate legitimate websites, apps, or people to steal your credentials or seed phrases. It's the #1 attack vector for stealing Bitcoin.
🎣 Can You Spot the Fake?
Attackers register URLs that look almost identical to legitimate sites, differing only by a typo, an extra word, or an unusual domain ending.
How to Protect Yourself from Phishing
- Bookmark important sites: Don't rely on search results or links
- Check the URL carefully: Look for typos, extra words, unusual domains
- HTTPS is NOT enough: Phishing sites can have HTTPS too
- Never click email links: Go directly to the site by typing the URL
- Be suspicious of urgency: "Verify now or account will be suspended" is a red flag
- Use a hardware wallet: Even if you visit a phishing site, your keys stay safe
- Enable browser warnings: Use browsers with anti-phishing features (Brave, Chrome)
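The "bookmark it, then compare the URL" advice can be automated. The added checker below (example code, not part of this module or any browser) trusts a URL only when its registrable domain exactly matches a bookmark, and flags hosts that merely contain a trusted name, sit within two edits of one, or use internationalized (punycode) labels. The bookmark list and every URL below are constructed for the demonstration.

```python
from urllib.parse import urlsplit

# Constructed bookmark list; in practice this is your own set of trusted domains.
TRUSTED_DOMAINS = {"example-exchange.com", "example-wallet.org"}

def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Good enough for .com/.org style names;
    multi-part suffixes such as .co.uk would need a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typo domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_url(url: str) -> tuple[str, str]:
    """Classify a URL as 'trusted', 'lookalike' or 'unknown' with a reason.
    Only an exact registrable-domain match is trusted; HTTPS alone proves nothing."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = parts.hostname or ""
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return "trusted", f"registrable domain {domain} is bookmarked"
    if "xn--" in host or any(ord(c) > 127 for c in host):
        return "lookalike", "internationalized hostname can hide look-alike characters"
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in host:
            return "lookalike", f"contains '{brand}' but registrable domain is {domain}"
        if _edit_distance(domain, trusted) <= 2:
            return "lookalike", f"{domain} is within 2 edits of {trusted}"
    return "unknown", f"{domain} is not bookmarked"

if __name__ == "__main__":
    for u in ("https://www.example-exchange.com/login",
              "https://example-exchange.com.secure-login.net/verify",
              "https://examp1e-exchange.com", "https://news.example.net"):
        print(u, "->", *check_url(u))
```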
✅ Your Personal Security Checklist
- Install a Password Manager: Use 1Password, Bitwarden, or KeePassXC to generate & store unique passwords
- Enable 2FA on All Crypto Accounts: Use authenticator apps (not SMS) for exchanges, email, and password manager
- Save 2FA Backup Codes Securely: Print or write down backup codes and store them in a safe place
- Bookmark Important Sites: Bookmark your exchange, wallet sites, and browser extension downloads
- Set Up Mobile Wallet with Seed Phrase: Install BlueWallet or Muun, write down the seed phrase on paper, store it securely
- Add PIN/Password to Phone Carrier Account: Protect against SIM swap attacks by requiring verification for account changes
- Update Operating System & Antivirus: Keep your devices patched against security vulnerabilities
- Review Installed Apps & Extensions: Remove suspicious or unused apps that could contain malware
- Consider a Hardware Wallet (if holdings > $1,000): Research Ledger, Trezor, or Coldcard for cold storage
- Test Wallet Recovery with Small Amount: Verify you can recover your wallet using your seed phrase
Key Takeaways
- Use hot wallets for spending, cold wallets for savings (like cash vs. bank vault)
- Strong passwords: 16+ characters, unique for every service, use a password manager
- Enable 2FA everywhere with authenticator apps (not SMS)
- Always save 2FA backup codes in a secure physical location
- Phishing is the #1 attack - bookmark sites, verify URLs, never click email links
- Hardware wallets ($50-$200) are worth it for amounts over $1,000
- Security is layered - no single solution protects everything
- Test your recovery process with small amounts before storing large sums