Cybersecurity guidelines for Cardano users
Keeping your computer secure from threats is critical for keeping your cryptocurrencies safe. Always be sure to take preventive measures to mitigate the risk of having your computer compromised and prevent financial losses.
Proper recovery phrase management is also especially important when using cryptocurrency wallets. Please review the guidelines below to strengthen your system and improve your security practices to make better use of cryptocurrency wallets.
Security measures when using Daedalus
1. Download Daedalus ONLY from the official website
Download from: https://daedaluswallet.io/
Never download software from non-official, untrusted sources. Scammers may create fake copies of Daedalus and attempt to trick you into downloading the wallet from a different source. If you download Daedalus from an unofficial source, you put your ada at risk of being stolen.
Daedalus is a full node wallet; therefore, it DOES NOT HAVE A MOBILE VERSION. If you see one, it is a scam. DON'T DOWNLOAD IT, DON'T USE IT!
2. We never do giveaways.
If you find a website announcing an ADA giveaway, it is always a SCAM. You will lose your ADA.
3. Always verify the Daedalus installer’s signature and checksum listed on the official website.
You can find instructions on how to do it on your favorite operating system here
4. Keep your recovery phrase in a secure offline location
When you create a wallet on Daedalus you will receive a recovery phrase: a list of 24 words that are used to generate the private key to access your funds. Anyone who has your recovery phrase can access your funds and create transactions, so you must keep it safe and secure. This is of crucial importance!
- Create your wallets ONLY on a trusted system (See below, Security measures for your system)
- Write your recovery phrase on a piece of PAPER and store it in a safe place
- NEVER take a photo of your recovery phrase or store your recovery phrase digitally on your devices or in cloud-based services
- NEVER share your recovery phrase with anyone. Not even with IOHK.
- NEVER input your recovery phrase on a website
- Make sure that NOBODY IS LOOKING at your screen when you use your recovery phrase to restore your wallet
- IF YOU LOSE YOUR RECOVERY PHRASE, create a new wallet and transfer your funds immediately. You should not be using a wallet for which you do not have the recovery phrase.
5. Never use Daedalus on a shared or public computer
Shared computers might already be compromised. Using Daedalus on a shared or public computer carries several threats to your information and funds. Just don’t do it.
6. If possible, have a dedicated machine for your cryptocurrency activities.
Having a dedicated machine for your cryptocurrency activities can be of great help to keep your assets secure. Ideally, you won’t use that machine to surf the web, read emails, download software, etc.
7. Use a strong spending password or a Hardware Wallet.
When creating and restoring wallets you are required to set a spending password. This password is used to encrypt/decrypt your private key, and Daedalus asks for it when you send transactions. We encourage you to:
- Have a password that uses a combination of words, numbers, symbols, spaces, and both upper- and lower-case letters.
- Have a password of at least 10 characters. Daedalus can take up to 255 characters, so make use of that. If your computer gets compromised, a strong password might be your last line of defense.
- Using an encrypted password manager is a good idea. These tools, apart from generating strong and random passwords, can help to protect you against keyloggers since you will never need to type your password on the keyboard.
- Or use a hardware wallet in combination with Daedalus. This way the confirmation process happens on the device, which is a safer place than your computer. You still need to use a PIN or passphrase on your device but it is out of the reach of any malware installed on your computer.
Note that this password ONLY works to encrypt/decrypt your private key on the computer where your wallet is restored. Anyone with access to the recovery phrase can restore the wallet on a different machine and set a different spending password there. So keeping your recovery phrase secure is vital.
Security measures for your system
8. Keep your system updated.
Install all software and security updates for your operating system.
- Turn on Automatic Updates for your operating system.
- Use web browsers that receive frequent, automatic security updates.
- Make sure to keep browser plug-ins (LastPass, uBlock Origin, Java, etc.) up-to-date.
- Uninstall any browser plugins that are not absolutely necessary.
- It is very easy to get unintended plugins installed on your computer. Make sure to routinely review which plugins are installed and immediately remove any that you do not recognize.
9. Firewall
A firewall is your first line of defense against cybercriminals and various online scams and attacks. Familiarize yourself with your firewall tools to better protect your computer from malware, cookies, viruses, and other threats.
10. Install antivirus/anti-malware protection
Malware is always ahead. It can take days, weeks, or even months before antivirus companies first detect a threat and update their definitions. So the fact that your antivirus doesn’t detect a threat doesn't mean that it does not exist. However, a good antivirus can keep you protected against known threats. Fair enough!
Install these programs from a known and trusted source. Keep virus definitions, engines, and software up-to-date to ensure your programs work at their best.
Run deep scans frequently, at least once per month.
11. Be careful where you click
Avoid untrusted and unknown websites. Dangerous websites can host malware that automatically installs on your computer and compromises it.
If attachments or links in email messages are unexpected or suspicious for any reason, don't click on them.
12. Be careful of phishing
Cyber-criminals will attempt to make you reveal information using a variety of social engineering tricks. Never disclose any private information by phone, text, social networks, email, or apps.
Usually, a phishing scam is initiated by an email that has the appearance of official business and requests that you perform an urgent action, such as “Download the latest version now”, “You have 5 minutes to register for a giveaway“, “Urgent, you need to validate your wallet’s data”.
Do not fall for these types of scams. IOHK, EMURGO, or the CARDANO FOUNDATION will never send these emails.
13. Never leave your computer unattended
If you need to leave your computer temporarily, lock it so no one else can use it. For desktop computers, lock your screen or shut down the system when not in use.
Have your computer password protected.
Always remember your system is most secure when it is completely shut down.
14. Never discuss your cryptocurrency holdings
Never talk about your crypto holdings with anyone that does not specifically have a need-to-know (spouse, taxes, etc.). Advertising this only makes you a bigger target.
15. Computer repairs
If you need to have your device repaired, verify that you have your wallet recovery phrase(s), then completely remove/uninstall all cryptocurrency wallets from your device (phone, laptop, tablet, or desktop machine) before allowing the service provider access to it. It is also good practice to remove/lock/logout of any password manager on the device.
While nothing is foolproof, and new malware, viruses, and scams are developed every day, following these guidelines and keeping a general awareness of the threats that are out there will enable you to use cryptocurrency with more peace of mind and less risk of being a victim of fraud, theft, and scams.