New to the decentralized web? This explainer should help.
Your Secret Recovery Phrase (SRP) is a unique 12-word phrase that is generated when you first set up MetaMask. Your funds are connected to that phrase. If you ever lose your password, your SRP allows you to recover your wallet and your funds. Write it down on paper and hide it somewhere, put it in a safety deposit box, or use a secure password manager. Some users even engrave their phrases into metal plates! (Storing your SRP in a physical, offline format eliminates the risk of hacking.)
With MetaMask, control over your wallet belongs to the holder of a master key (that’s YOU!).
Not even the team at MetaMask can help you recover your wallet and its accounts if you lose your Secret Recovery Phrase. As long as you keep this phrase safe and sound, no one can sign unauthorized transactions from your wallet's account(s).
There are a lot of benefits to using a self-custody wallet. For example:
- No institution can manipulate your access to your funds. Ever heard the phrase "not your keys, not your crypto"? Well, this is what it refers to. If you use a custodial wallet (where an organization or third party essentially controls the wallet, and acts according to your instructions), there's very little other than trust preventing the custodian from making off with your funds.
- No merchant you transact with via MetaMask can access more of your personal data than you reveal.
- Your MetaMask wallet can be used almost like a passport, enabling digital proof of identity. The Ethereum Name Service (ENS) is perhaps the most prominent example of self-custodial wallet ownership moving in this direction.
The trade-off? Because a MetaMask wallet is self-managed, the responsibility for keeping that wallet safe is entirely yours.
Never ever share your Secret Recovery Phrase with anyone. Sharing your SRP with someone would be like handing over the PIN code to your bank card, or the keys to your house. It would give that person the ability to access and transfer all of your funds. The MetaMask team will never ask you for it. If anyone or any website asks you to share it, they’re trying to scam you.
If you’re more of a visual learner, this quick video should help.
Here are a few basic security tips to help you keep your wallet secure:
MetaMask locally encrypts your Secret Recovery Phrase with your password. That means that when you lock your wallet, no one can use your funds until you enter your password again. If you forget your password, you can regain access to your account with the SRP, as it’s the key to access your wallet that only you hold. It’s important to know that neither MetaMask nor anyone else can change or recover your seed phrase if it’s lost. Please guard it well! For more information on this, see here.
You’ll be prompted to set your SRP and password when you first unlock MetaMask. If you lose your SRP, you should be able to recover it if you remember your password AND you have a copy of your vault data. You can attempt to find your vault data (either locally on your computer or on a backup of the computer) using these instructions.
If you lose your Secret Recovery Phrase and forget your password, there is no way to recover the phrase and access your account.
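The recovery rules above follow directly from password-based encryption of a locally stored vault. The sketch below is an added illustration, not MetaMask's code or vault format: the function names, the PBKDF2-SHA256 and AES-256-GCM choices, the iteration count and the sample phrase are all assumptions made for the example.

```javascript
const nodeCrypto = require('node:crypto');

// Assumed parameters for this sketch only; not MetaMask's actual vault format.
const KDF_ITERATIONS = 600000;
// Constructed placeholder, deliberately not a usable recovery phrase.
const SAMPLE_PHRASE = 'placeholder '.repeat(12).trim();

// Stretch the password into a 256-bit key. The random salt makes the key
// unique per vault even when two users pick the same password.
function deriveKey(password, salt) {
  return nodeCrypto.pbkdf2Sync(password, salt, KDF_ITERATIONS, 32, 'sha256');
}

// "Lock": only salt, IV, auth tag and ciphertext are kept on disk.
// Neither the password nor the derived key is stored anywhere.
function lockVault(phrase, password) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(password, salt), iv);
  const data = Buffer.concat([cipher.update(phrase, 'utf8'), cipher.final()]);
  return {
    salt: salt.toString('base64'),
    iv: iv.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
    data: data.toString('base64'),
  };
}

// "Unlock": vault data plus the correct password yields the phrase.
// A wrong password or a modified vault fails authentication and returns null.
function unlockVault(vault, password) {
  const key = deriveKey(password, Buffer.from(vault.salt, 'base64'));
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, Buffer.from(vault.iv, 'base64'));
  decipher.setAuthTag(Buffer.from(vault.tag, 'base64'));
  try {
    const plain = Buffer.concat([
      decipher.update(Buffer.from(vault.data, 'base64')),
      decipher.final(),
    ]);
    return plain.toString('utf8');
  } catch {
    return null;
  }
}
```

Because the vault holds nothing that can stand in for the password, a copy of the vault data is only useful to someone who also knows the password, and the strength of that password is what protects a copied vault from offline guessing.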
This has been mentioned already, but it doesn’t hurt to be thorough: anyone who has your SRP or private keys can remove tokens from your accounts. Never share your SRP or private keys with anyone — not even the MetaMask team, even though we will never ask you for this information. If anyone claims to be a MetaMask team member and asks you for this information, please report them immediately using our official support channels.
Hardware wallets, like Trezor and Ledger, are commonly thought to be a safer way to store your tokens. They store the private keys offline, meaning you need to be in physical possession of the wallet to sign transactions -- a considerable barrier to online scammers.
These are basic tips, but are by no means an exhaustive list of security options. Keep on top of token security trends and updates by learning from the Ethereum community, reading helpful material (like this post) and joining discussion channels like this.
If you see members of the community struggling with security, feel free to share this post. Remember, if you need any help, or would like to report accounts that are imitating MetaMask, get in touch.