
How do I keep my money safe? How to store cryptocurrency safely

At Exodus, we are passionate about giving you full control over your crypto. Learn how to store cryptocurrency safely with Exodus.

Updated over 3 weeks ago

Protecting your crypto means securing your 12-word secret recovery phrase, wallet, and device. Most losses happen due to user error, phishing, or malware.

Here’s how to stay secure:

  • Secure your crypto by writing down your secret recovery phrase and storing it offline.

  • Don’t share your secret recovery phrase or private keys. Anyone who gets hold of them can steal your funds.

  • Use strong passwords on your device and your wallet, and keep your operating system and wallet up to date.

  • Use a hardware wallet (like Trezor or Ledger) for large holdings to keep private keys offline.

  • Be cautious of scams. Don’t trust unknown links, QR codes, or messages from people claiming to be support.

You have total control over keeping your crypto safe. Want a secure wallet where you hold the keys? You can download Exodus here.





Why are you in full control of your crypto with Exodus?

Exodus is a self-custody wallet, which means you have full control of your funds.

When you create an Exodus wallet, your device generates a unique 12-word secret recovery phrase, which is the master key to your wallet and its private keys.

Your wallet is like a vault for your private keys. If your wallet is a vault, your secret recovery phrase is the key that opens the vault.

Because only you hold the key, you're in full control of your crypto. But that also means you’re fully responsible for keeping it safe.


How can I ensure that I always have access to my wallet?

In Exodus, you always have access to your wallet by writing down your 12-word secret recovery phrase.

In Exodus Mobile, you can also store your encrypted secret recovery phrase in your iCloud or Google Drive account and protect it with a passkey.

People can lose their crypto by misplacing or never writing down their secret recovery phrase.

Manually saving your secret recovery phrase on paper or encrypting it in cloud storage will ensure you always have access to your Exodus wallet.


How do I keep my secret recovery phrase safe?

Your secret recovery phrase is the only way to restore your wallet if something happens to your device, such as loss, theft, or damage. Your wallet doesn't transfer to a new device automatically, so storing it safely and securely is crucial.

Anyone with access to your secret recovery phrase can take full control of your wallet and its funds.

It's important to note that Exodus never has access to your secret recovery phrase, so we cannot help you recover your wallet if you lose it.

Below, you'll find tips to protect your secret recovery phrase.

For a guide on how to secure your wallet, visit: How do I always have access to my wallet with my secret recovery phrase?

Dos:

  • Write it down and store it offline: Use paper or a metal phrase storage device. Laminate paper for added durability. Metal backups are fire and water-resistant.

  • Keep multiple copies in secure locations: Store at least two physical copies in separate, safe, offline places only you can access.

  • Protect it from physical threats: Choose storage locations that are private, dry, and safe from fire, flooding, or theft.

Don'ts:

  • Don’t store it digitally: Avoid saving it in text files, photos, emails, screenshots, or cloud storage as these can be compromised by malware or hackers.

  • Don't share it with anyone: No one, not even Exodus Support, should ever ask for your secret recovery phrase.

  • Don't let anyone see your secret recovery phrase: Avoid viewing your secret recovery phrase in public and make sure no one is watching and there are no cameras nearby.

  • Don’t enter it on websites or forms: Be cautious of phishing websites that trick you into giving away your secret recovery phrase. To learn more, visit: What scams should I watch out for?

  • Don’t copy and paste it: Avoid using your device's clipboard as it can be read by apps or seen by others with access to your device.


How do I keep my iCloud or Google Drive backup safe?

In Exodus Mobile, you can securely store your secret recovery phrase by creating an iCloud or Google Drive backup and protecting it with a passkey.

When you do this, your secret recovery phrase is encrypted and stored as a secured file in your cloud storage account.

At the same time, your passkey manager creates and stores a passkey that is secured by the same Face ID, Touch ID, PIN, or password you use to unlock your device. This passkey is the only way to decrypt your secret recovery phrase and access your wallet.

Because your iCloud or Google Drive backup is managed by both the passkey in your passkey manager and the backup file in your cloud storage account, you must keep your accounts secure and safe.

Dos:

  • Use strong, unique passwords: Secure your iCloud or Google account, passkey manager, and device with strong passwords.

  • Enable two-factor authentication (2FA): When possible, turn on 2FA for your iCloud or Google account to add an extra layer of protection.

  • Know where your recovery data is stored: Your encrypted secret recovery phrase is saved in your cloud storage. The passkey is stored in your device’s passkey manager. To learn more, visit: Where are my backup file and passkey stored?

  • Manually save your secret recovery phrase in a safe, offline location: This ensures you can always recover your wallet, even if you lose access to your cloud backup. For more information, visit: How do I always have access to my wallet with my 12-word secret?

  • Stay alert for phishing scams: Only create an iCloud or Google Drive backup using the official Exodus Mobile app. Be cautious of fake websites or messages that ask you to secure your wallet or share sensitive information. They are scams.

Don'ts:

  • Don’t reuse your device PIN or password: Your passkey is protected by the same Face ID, Touch ID, PIN, or password used to unlock your device. Using a unique, secure code helps prevent unauthorized access.

  • Don’t delete your backup file or passkey: You won’t be able to restore your wallet if you delete either the encrypted backup file or the passkey that protects it.


How do I keep my private keys safe?

In Exodus, your private keys are derived from your 12-word secret recovery phrase. While your secret recovery phrase gives you access to all your assets, each private key controls access to a specific crypto wallet. For example, your Bitcoin private key controls access to your Bitcoin wallet, your Ethereum private key controls access to your Ethereum and EVM-compatible wallets, etc.

If someone gets access to your Bitcoin private key, they would have access to your Bitcoin wallet (but not your Ethereum wallet).

If you have written down your 12-word secret recovery phrase or stored it with iCloud or Google Drive, you don’t need to save individual private keys.

Dos:

  • Be careful when copying private keys: If you copy a private key, it’s stored on your device’s clipboard, which may be accessible to certain apps or anyone with access to your device. Always clear your clipboard afterward.

Don'ts:

  • Never share your private keys: Anyone with access to your private key has full control over that wallet’s funds.

  • Don't enter private keys into websites or apps: Scammers often create fake websites or forms to steal private keys. Only view or use your private key within trusted apps like Exodus. To learn more, visit: What scams should I watch out for?

  • Don’t view your private keys in public or where someone else or a camera could see them.


How do I set a password for my Exodus wallet?

Setting a password (on Desktop and Web3 Wallet) or a passcode (on Mobile) adds an extra layer of security to your wallet. If someone gains physical access to your device, your wallet will be protected because they won’t be able to access Exodus.

For more information, please visit: The importance of a good password.

Setting a password does not replace storing your secret recovery phrase. If your device is lost or stolen, you’ll need your secret recovery phrase to restore access to your wallet.

Here is how you can set a password or passcode for your Exodus wallet:

Mobile

You can set a 6-digit passcode for your mobile wallet after securing your secret recovery phrase: How do I back up my wallet and write down my 12-word secret recovery phrase?

Desktop

You can set a password for your desktop wallet during the backup process: How do I back up my wallet and write down my 12-word secret recovery phrase?

Web3 Wallet

You will be prompted to create a password when setting up your new Web3 Wallet: How do I install and set up Exodus Web3 Wallet?


If you created your Exodus wallet before February 2019, you might have an email backup link.

Be careful where you store your backup link. Keep in mind that if the link is stored in your email inbox and an attacker gets access to your email, they will be able to access your backup link. If they also have your password, or if your wallet had no password when you were emailed the link, they'll be able to access your wallet.

Never share your email backup link with anyone.

While it's still possible to restore your Exodus wallet with the email backup link, we recommend instead securing your wallet by writing down your secret recovery phrase. To learn how, visit: How do I always have access to my wallet with my 12-word secret recovery phrase?


Why should I use a hardware wallet?

A hardware wallet is a physical device that stores your wallet’s secret recovery phrase and private keys offline. Because it never connects directly to the internet, your sensitive wallet data is better protected from malware and online attacks.

Keep in mind that a hardware wallet is only as safe as the secret recovery phrase. Like the secret recovery phrase for your Exodus wallet, keeping your hardware wallet's secret recovery phrase safe and stored in a secure location is important.

For more information on how to keep secret recovery phrases safe, visit: How do I keep my 12-word secret recovery phrase safe?

Trezor and Ledger are hardware wallets that can be connected to Exodus. You can connect Trezor to Exodus Desktop or Ledger to Exodus Mobile.

For more information on using hardware wallets with Exodus, visit:


What are security best practices?

Use two-factor authentication (2FA)

Since Exodus is a self-custody wallet, and all its data is stored locally on your device, you can't use 2FA with Exodus.

However, for anything account-based, such as your email, 2FA adds an extra layer of protection by requiring a second verification step beyond your password. Even if someone steals your password, they won’t be able to log in without the second factor.

Avoid SMS or email-based 2FA, which can be vulnerable to SIM-swapping or email hacks. Instead, use an authenticator app like Google Authenticator or Authy, or a hardware authenticator like YubiKey.

Use unique and strong passwords

Having unique passwords for every account ensures that if an attacker gets access to one of your passwords, they will not be able to access any of your other accounts.

The best passwords are random and at least 16 characters long. They contain a mix of lower- and upper-case letters, numbers, and symbols (like "@" and "#"). To learn how to create a strong password, visit: How do I set a strong password?

Use a password manager

Password managers help you store, manage, and generate strong, unique passwords for all your accounts. They’re an essential tool for protecting your digital life.

You can choose from free or paid options, but make sure you fully trust the password manager software.

When you generate passwords with a password manager, make sure each one is unique and strong.

While password managers offer stronger security, your passwords are only as safe as your password manager. Be sure to securely store your master password, which you use to unlock your password manager, or have an emergency backup in case you lose access.

It's best practice to avoid letting your browser or device remember passwords. If one account is hacked or compromised, then all accounts you've used the same password for are also at risk of being compromised.

Watch out for scams

After not securely storing your secret recovery phrase, the biggest threat to your crypto is falling for scams, especially phishing attacks.

Scammers often promise high returns, free crypto, or use fear tactics to pressure you into taking quick action. They may impersonate trusted companies, support staff, or even friends to trick you into revealing sensitive information.

Never share your secret recovery phrase or private keys: not online, in forms, or with anyone. If someone asks for them, it's likely a scam.

Exodus Support will never ask for your secret recovery phrase or private keys.

To learn more about scams and how to identify them, visit: What scams should I watch out for?


How can I protect my device?

Your crypto is only as safe as the device on which it is stored. Here are some tips on how to keep your device safe.

Use anti-virus and anti-malware software

Install trusted anti-virus and anti-malware software to help protect your device from threats like viruses, malware, and spyware. Examples of such software include Malwarebytes and Bitdefender.

While this software adds an extra layer of security, it’s still important to avoid suspicious websites, apps, or downloads. Also, never use pirated or cracked software as it often contains hidden malware.

Good security software helps, but your online habits are your first line of defense.

Encrypt your hard drive

Many devices and operating systems support encrypting the data on your hard drive.

This adds an extra layer of protection because you need a key or password to decrypt the data on your hard drive, including your wallet data.


How can I protect my network?

Ensuring that your device only connects to a trusted and secure network can help you protect your device from unauthorized access and attacks.

Secure your router and WiFi

Using a private, secured network is one of the best ways to protect your crypto activity.

Avoid connecting to public WiFi, as public networks often have weak or no encryption. This can make it easier for attackers on the same network to monitor your activity or compromise your device.

Secure both your router and WiFi with unique and strong passwords. Enable encryption for your WiFi, ideally WPA3. Do not use WEP encryption, as it provides limited protection.

Regularly check for router and modem firmware updates. If your router supports WPS, make sure it is turned off. If WPS is turned on, it could make it easier for an attacker to get unauthorized access.

For additional protection, consider hiding your network's SSID so it isn’t publicly visible to nearby devices.

To find out how to change your network settings, consult your router manual.

Use a firewall and VPN for extra security

Firewalls monitor and control incoming and outgoing network traffic to protect your network from unauthorized access.

Most operating systems come with a built-in firewall, but there are also paid options that might offer more options and better protection.

Your device and internet router must use a firewall you trust to stay secure.

Virtual private networks (VPNs) encrypt the connection between your device and network, making it more difficult for an attacker to track your activity. VPNs are commonly used to protect a network connection when using a public network.


What can weaken my security?

To keep your crypto safe in the long term, it is important to know what could weaken your crypto wallet's security.

What could weaken the security of my 12-word secret recovery phrase?

The most important way to keep your crypto safe is to keep your secret recovery phrase safe. No matter how safe your device is, if anyone gets access to your secret recovery phrase, they will have full access to your funds.

Storing your secret recovery phrase as an unencrypted digital copy will weaken your security. This includes taking photos and screenshots of your secret recovery phrase. Once your secret recovery phrase has been in a digital environment, there is no way to reverse the exposure.

Avoid importing your secret recovery phrase or private keys into wallets you do not trust. If you import your secret recovery phrase or private key into another wallet, attackers will have one more wallet that they can potentially target and attack.

What could weaken the security of my device?

Your wallet is only as secure as the device it's on. If your device is compromised, your wallet could be too. Keeping your device secure is just as important as securing your wallet.

Be mindful of websites, software, and apps you use with your device. Visiting untrusted websites and installing unknown software can weaken your device's security.

Also, make sure you protect both your device and your Exodus wallet with strong passwords. This way, even if your device is lost or stolen, it will be difficult to access your wallet.

How can scams weaken my security?

Even if your secret recovery phrase and device are safe, scams and phishing attacks can still compromise your wallet by tricking you into giving up access.

One of the most harmful scams is fake support. Scammers may pretend to be from Exodus or another trusted company and offer help through social media, forums, or direct messages. They’ll often ask for your secret recovery phrase, private keys, sync QR code, or try to get you to connect your wallet to a malicious site or app.

Remember:

  • No one from Exodus will ever ask for your secret recovery phrase, private keys, or sync QR code.

  • Never share your secret recovery phrase, private keys, or sync QR code with anyone.

  • Don’t enter your secret recovery phrase, private keys, or sync QR code into websites, online forms, or apps, even if they look legitimate.

To learn more about scams and phishing attacks, visit: What scams should I watch out for?
