Security Recommendations
This guide was created for Decentraland DAO grantees, to help them protect their data and assets. It is important to acknowledge that digital security is an ongoing process, not an isolated activity. No single tool mitigates all attacks, so the recommended approach is to incorporate protection mechanisms gradually: the more layers we add to our security over time, the harder it becomes for malicious actors to reach our assets.
1. Work on your digital hygiene
Digital hygiene becomes a fundamental activity to reduce our risks. Some ways to do this are erasing accounts that are not in use anymore, cleaning your browsing history, making frequent backups and erasing what is stored on your computer, among other activities that reduce our digital footprint (the traces we leave when we use the internet). The larger our digital footprint, the broader our risk surface and the harder it becomes to protect it.
2. Keep your devices and applications updated
Software and application updates are important to your digital safety and cyber security, as they often include patches for vulnerabilities that have been discovered in that software. Whenever you see an update notification, take it seriously and update your systems as soon as you can.
3. Use passphrases instead of passwords
The more characters your digital wallet password has, the more computing power and time it will take to crack it. Instead of using a password, it is recommended to use a unique passphrase that can help you keep your assets safe. 6 words or more is a good place to start.
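To make the comparison concrete, here is an added example (not part of the original guide) that computes the entropy of an 8-character password versus a 6-word passphrase and generates a passphrase with a cryptographically secure random source. The 7776-word list size is that of a standard diceware-style list; the guess rate and the short demo wordlist are constructed assumptions for illustration.

```python
import math
import secrets

# Constructed wordlist fragment for the demo only; a real diceware-style list
# (for example the EFF long list) has 7776 words, which is the size used below.
DEMO_WORDS = ["apple", "basket", "canyon", "dolphin", "ember", "falcon", "glacier", "harbor"]
WORDLIST_SIZE = 7776


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a secret made of `length` independent, uniform choices."""
    return length * math.log2(alphabet_size)


def years_to_crack(bits: float, guesses_per_second: float) -> float:
    """Expected time to search half the keyspace at a given guess rate."""
    expected_guesses = 2 ** (bits - 1)
    return expected_guesses / guesses_per_second / (365 * 24 * 3600)


def generate_passphrase(words, count: int = 6, sep: str = "-") -> str:
    """Pick words with the CSPRNG behind `secrets`, never the `random` module."""
    return sep.join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    # 8 characters drawn from a 62-symbol alphabet (a-z, A-Z, 0-9)
    pw_bits = entropy_bits(62, 8)
    # 6 words drawn uniformly from a 7776-word list
    pp_bits = entropy_bits(WORDLIST_SIZE, 6)
    rate = 1e10  # assumed offline guess rate, illustrative only
    print(f"8-char password:   {pw_bits:.1f} bits, ~{years_to_crack(pw_bits, rate):.2e} years")
    print(f"6-word passphrase: {pp_bits:.1f} bits, ~{years_to_crack(pp_bits, rate):.2e} years")
    print("sample passphrase:", generate_passphrase(DEMO_WORDS))
```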
4. Do not store your Secret Recovery Phrase on a password manager
A Secret Recovery Phrase (or seed phrase) is a list of 12-24 words that is used to control your wallet. Whoever has this list of words has complete access to your wallet. It is a good practice to compartmentalize and keep this information offline, in a safe if possible. To add one more layer of security, you can divide it and store it in two different physical places.
If you become unreachable, let someone you trust know how to access your wallets, as a way to safeguard your assets in case something happens to you.
5. Use non-custodial wallets
Non-custodial wallets (also called self-custody wallets) are wallets in which you control your private keys and you own your cryptoassets. This means that you are responsible for safeguarding your private keys and maintaining the security measures that protect your funds. Recommended examples of non-custodial wallets include MetaMask.
6. Use Multi-Factor Authentication
If your digital wallet offers additional authentication options like two-factor authentication (2FA), multi-factor authentication (MFA), or biometrics, use them! This will add an extra layer of security.
7. Compartmentalize your wallets
Your Decentraland Voting Power is attached to the assets on your account. You can delegate your voting power from your wallet to another, internet-connected address in order to vote on governance proposals, even if you don't have your hardware wallet with you.
Another good practice is to generate burner wallets for NFT drops from unknown users or early projects.
8. Consider using a hardware wallet
A hardware wallet is a crypto wallet that stores your private keys in a physical device. This provides full isolation between the private keys and your easy-to-hack computer. If you use them, be mindful to keep your hardware wallets disconnected from the internet, and always check the display in your wallet to make sure you are signing the correct transactions.
9. Use a Multisig to manage funds
A multisig (multisignature) wallet requires two or more signatures to approve a transaction before it can be executed. The one we recommend is GnosisSafe. It lets you add addresses and decide how many of them are needed to make a valid transaction. We recommend two out of three signers as a good number to generate a layer of security, and we suggest you add someone from your team for things related to your grant.
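The following is an added example, not code from the guide or from GnosisSafe, that models the M-of-N approval rule described above: owners confirm a transaction hash, a non-owner's confirmation is rejected, the same owner confirming twice counts once, and execution is allowed only once the threshold of distinct owners is reached. Owner names, the recipient address and the hash construction are constructed stand-ins for the on-chain values.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class MultisigPolicy:
    """Simplified M-of-N approval model in the spirit of a Safe-style multisig."""
    owners: frozenset
    threshold: int
    confirmations: dict = field(default_factory=dict)  # tx_hash -> set of owners

    def __post_init__(self):
        if not 1 <= self.threshold <= len(self.owners):
            raise ValueError("threshold must be between 1 and the number of owners")

    @staticmethod
    def tx_hash(to: str, value_wei: int, data: bytes = b"") -> str:
        # Stand-in for the on-chain transaction hash: owners confirm exactly these
        # fields, so a changed recipient or amount produces a different hash and
        # previously collected confirmations do not carry over to it.
        return hashlib.sha256(f"{to}|{value_wei}|".encode() + data).hexdigest()

    def confirm(self, tx_hash: str, owner: str) -> bool:
        """Record an owner's approval; non-owners are rejected, duplicates count once."""
        if owner not in self.owners:
            return False
        self.confirmations.setdefault(tx_hash, set()).add(owner)
        return True

    def can_execute(self, tx_hash: str) -> bool:
        """True once at least `threshold` distinct owners have confirmed."""
        return len(self.confirmations.get(tx_hash, set())) >= self.threshold


if __name__ == "__main__":
    # 2-of-3 policy with constructed owner names and a placeholder recipient
    safe = MultisigPolicy(frozenset({"alice", "bob", "carol"}), threshold=2)
    h = safe.tx_hash("0xPLACEHOLDER_RECIPIENT", 10**18)
    safe.confirm(h, "alice")
    print("after one owner:", safe.can_execute(h))
    safe.confirm(h, "alice")  # same owner again is not a second approval
    print("after a duplicate confirmation:", safe.can_execute(h))
    safe.confirm(h, "bob")
    print("after two distinct owners:", safe.can_execute(h))
```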
10. Make your own risk analysis
All these recommendations are general, but the best way to know what to add first is to make your own risk analysis. Threat modeling is a process for identifying potential threats and vulnerabilities in order to reduce the risk to the resources you want to protect. Once the context is mapped, you can choose the measures that protect your security effectively and efficiently. To map yours, answer these questions:
- Resources: What resources need to be protected? Examples: money, identity, NFTs, among others.
- Adversaries: From whom should these resources be protected? Examples: a peer, corporations, the government, a harasser, smear campaigns, etc.
- Risks: What resources does the adversary have to access those resources? Examples: time, money, equipment, technological tools, etc.
- Probability: What is the probability that adversaries will carry out the attack? Examples: high probability, mid probability, low probability.
- Disposition: How far are you willing to go to protect resources? Examples: time, financial resources, technical resources, etc.
Once you have mapped them, start working on your security measures from the most probable scenario to the least probable.
11. Other general recommendations
- Don’t disclose your operational security (what hardware wallet or password manager you use) online
- Don’t open links from strangers (links on pdfs, images or related URLs)
- Browser extensions are an open door: install as few as possible.
- Be wary of phishing attacks, use bookmarked sites and always verify the domain before signing transactions.
- Use different browsers or virtual machines if possible, to keep the number of attack vectors as small as possible.
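As an added example of the "verify the domain before signing" advice above (not code from the guide), this check accepts a URL only when its host is exactly an allow-listed domain or a proper subdomain of one, over https, and flags the usual look-alikes. The allow-list is a constructed assumption; `decentraland.org` is used as a sample trusted domain and `wallet.example` is a placeholder.

```python
from urllib.parse import urlsplit

# Constructed allow-list for the demo: the sites you have bookmarked and actually use.
TRUSTED_DOMAINS = frozenset({"decentraland.org", "wallet.example"})


def hostname_is_trusted(url: str, trusted=TRUSTED_DOMAINS) -> bool:
    """Return True only for https URLs whose host is a trusted domain or a subdomain of it.

    Rejects common phishing patterns:
      - the trusted name used as a prefix of another domain (decentraland.org.evil.test)
      - the trusted name hidden in the userinfo part (https://decentraland.org@evil.test)
      - the trusted name appearing only in the path or query
      - internationalized (punycode, xn--) labels, which may be homographs
      - non-https schemes
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme != "https" or not host:
        return False
    if any(label.startswith("xn--") for label in host.split(".")):
        return False  # homograph risk: inspect by hand rather than trusting it
    return any(host == d or host.endswith("." + d) for d in trusted)


if __name__ == "__main__":
    # Constructed sample URLs, mixing legitimate and look-alike forms
    for candidate in [
        "https://decentraland.org/",
        "https://market.decentraland.org/browse",
        "https://decentraland.org.evil.test/",
        "https://decentraland.org@evil.test/",
        "https://evil.test/decentraland.org",
        "http://decentraland.org/",
    ]:
        print(f"{candidate:45} trusted={hostname_is_trusted(candidate)}")
```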
If you have any valuable recommendations for our community, please share them with us at [email protected] so we can add them to this list.