Do YOU have 2FA enabled? Do you use a password manager? The convenience of cutting these corners is NOT worth the risk!
This public service announcement is a reminder to stay safe when you crypto! I know many of you have heard this all before, I know I certainly have - but then the other day I witnessed an attempted crypto-heist in the flesh, so I feel it's worth saying it again in case anyone missed the memo.
The other day I met up with an acquaintance of mine who is a miner, to have drinks and chat crypto. We only met recently, and hadn't had much time to talk tech until then. Also, I was looking to sell some USD, so naturally we had our computers with us.
A little bit of background: the individual I was meeting up with only got into crypto because it can be mined. In some ways, he might almost be a caricature of what "Chinese miners" are described as: he doesn't keep up with tech, he's not a technology enthusiast (other than crypto), and he got involved because he can buy these machines that generate money as long as you keep them online.
He was also using an exchange as his wallet (for some cryptoassets), as not all cryptoassets have light wallets, and some assets get acquired speculatively in quantities where it's hard to justify the installation of a dedicated wallet for each one. I understand the line of reasoning, but I find it to be a path of least resistance that can be quite dangerous to follow.
When he fired up his browser, he immediately got a notification from his email about emails from Bittrex. I hear him say "Wtf? Someone's trying to withdraw my coins!" when he opens his email, and indeed, he has withdrawals awaiting approval in his email that he did not initiate.
While he cancelled the withdrawal requests and changed his password on the exchange account, my mind immediately jumped to attack vectors. How did this happen? The thought that it was a targeted attack because he is a miner crossed my mind, but there wasn't much in support of it. It didn't seem likely that his PC was compromised/keylogged, or his exchange account would have been emptied for sure - but the attacker appeared thwarted by email 2FA.
The attack vector we determined was password reuse across multiple sites. He had used the same password on the exchange as on various cryptocurrency-oriented forums - which have disproportionately large targets painted on them for this very reason. One of the forums probably stored passwords insecurely (plaintext, or hashed without a salt), was hacked, giving attackers a DB of email addresses + passwords. From there, an attacker need only try the combination on exchanges.
My friend was very lucky on two counts - he didn't have the same password on his email and the attacker didn't have enough time, since the withdrawal attempts were discovered only 10-15 minutes after they were initiated. Given more time, the attacker could have run a background check (based on the KYC info in the exchange account), used the information from that to guess secret question answers, and reset his email password that way.
The way to protect yourself from the password reuse attack vector is by having a unique password for each and every online account. Then a breach of one forum yields a credential that works nowhere else. This can be accomplished by using a password manager: instead of having to remember each and every password, you have one master passphrase which is necessary to decrypt your database of saved passwords. If you need to synchronize across multiple devices, the encrypted password database can be stored in Dropbox/Google Drive, as long as your master passphrase is strong, since anyone who obtains the file still has to brute-force that passphrase. If you prefer to avoid sharing the encrypted DB with any 3rd parties, syncthing can be used.
I recommend KeePass or KeePassX 2 for a password manager. There are browser addons to allow autofilling of login information, but I would think twice about using those: is it really a good idea to give the software you use for executing untrusted code (your browser) direct access to the database of all your saved passwords? If you do use one, at least keep the database locked when you are not actively logging in.
Create a strong passphrase for your password database. Then, go to File->Database settings (in KeePass2) or Database->Database settings (in KeePassX2), and increase the number of Iterations/Transform rounds. This increases the amount of work it takes to derive the DB's master key from the passphrase, so each guess an attacker makes against a stolen copy of the database costs proportionally more, making brute force much slower. Pick a value that takes about a second on your slowest device.
Then, every time you log in to an online account, systematically change its password, replacing it with one randomly generated by KeePass. Never type a generated password into a site other than the one it was generated for, or you are back to reuse.
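The three steps above (find reused passwords, stretch the master key, rotate each account to a random password) as a single worked example in Python. This is added illustration code, not part of the original post and not KeePass code: KeePass derives its master key with AES-KDF or Argon2, and PBKDF2-HMAC-SHA256 from the standard library stands in for that here only to show what raising the round count does to the cost of one guess. The vault contents are constructed sample data.

```python
import hashlib
import secrets
import string
import time

# Constructed sample vault, modelled on the post: one password reused on the
# exchange and on two forums. A breach of either forum leaks the exchange login.
SAMPLE_VAULT = {
    "exchange.example": "Hunter2crypto!",
    "forum-a.example": "Hunter2crypto!",
    "forum-b.example": "Hunter2crypto!",
    "mail.example": "something-else-entirely",
}

PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def find_reused_passwords(vault):
    """Return {password: [sites]} for every password that appears on more than one site."""
    sites_by_password = {}
    for site, password in vault.items():
        sites_by_password.setdefault(password, []).append(site)
    return {pw: sorted(sites) for pw, sites in sites_by_password.items() if len(sites) > 1}


def generate_password(length=24, alphabet=PASSWORD_ALPHABET):
    """Random password from the OS CSPRNG, as a password manager's generator would do.
    `secrets` is used rather than `random`, which is predictable and unsuitable for secrets."""
    if length < 16:
        raise ValueError("use at least 16 characters for a generated password")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def rotate_vault(vault):
    """Replace every entry with a fresh, unique random password (the cleanup step in the post)."""
    return {site: generate_password() for site in vault}


def derive_master_key(passphrase, salt, iterations):
    """Stretch the master passphrase into the key that decrypts the database.
    Assumption: PBKDF2-HMAC-SHA256 as a stand-in for KeePass's AES-KDF / Argon2 rounds."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, iterations, dklen=32)


def seconds_per_guess(passphrase, iterations, salt=b"\x00" * 16):
    """Wall-clock cost of a single derivation; this is also the attacker's cost per guess
    against a stolen copy of the database, so it scales linearly with the round count."""
    start = time.perf_counter()
    derive_master_key(passphrase, salt, iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    for password, sites in find_reused_passwords(SAMPLE_VAULT).items():
        print("reused on", ", ".join(sites))
    clean = rotate_vault(SAMPLE_VAULT)
    print("unique passwords after rotation:", len(set(clean.values())) == len(clean))
    for rounds in (1_000, 100_000):
        print(f"{rounds:>7} rounds: {seconds_per_guess('correct horse battery staple', rounds):.4f}s per guess")
```

The timing loop is the point of the exercise: if one derivation takes a second on your machine, an attacker with a copy of the `.kdbx` file gets roughly one guess per second per core, versus millions per second against an unsalted fast hash like the forum's.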
It is also of critical importance to enable 2FA on every cryptocurrency-related account where it is available, including the email accounts associated with any logins, since email is the reset channel for everything else. Google Authenticator is considerably more secure than Authy, because it keeps the TOTP secrets only on the device rather than backing them up to a cloud account protected by yet another password. The trade-off is that you must write down the 2FA secrets (the base32 string or QR code shown at setup) and store them offline, as you will be locked out of your accounts without them if you lose your phone (or it breaks).
SMS-based 2FA is NOT secure, and should not be used. It is far too easy for an attacker to socially engineer the phone company into giving them control of your phone number (a "SIM swap"), after which every code sent to it goes to the attacker.
Enable 2FA everywhere it's available and use a password manager, unless you want to make it easy for thieves to steal your hard-earned crypto. Don't use exchanges as wallets. Get a hardware wallet if its cost is <10% of the value of the crypto you are holding and need to protect. Use traditional cold storage if you don't want to fork over the bitcents for a HW wallet. Don't become a statistic.
Though we may know Him by a thousand names, He is one and the same to us all.
- Mahatma Gandhi