Locking down your account
Most account takeovers are not cinematic. Nobody sits in a dark room brute-forcing your password while green text scrolls past. The typical attack is depressingly mundane: a password you reused on some forum leaks, an automated script tries it on a thousand exchanges, and the attacker walks in through the front door holding your own key. Security researchers call this credential stuffing, and it accounts for the overwhelming majority of compromised accounts on every platform that has ever published numbers.
The good news is that the defense is equally mundane. You do not need to be technical. You need a password that exists nowhere else on the internet, a second factor that does not travel through your phone number, and about ten minutes of routine maintenance a month. This lesson walks through each layer in order of importance, so even if you stop halfway, you will have fixed the things that matter most.
Passwords: long, unique, and not yours to remember
A strong password has two properties, and only one of them is the one people obsess over. Length and randomness matter, but uniqueness matters more. A mediocre password used on exactly one site is safer than a brilliant password used on five, because the brilliant one is only as safe as the weakest site that stores it. When a small online shop with sloppy security gets breached, every account sharing that password is breached with it — including, potentially, the one holding your money.
- Aim for at least 16 characters. Random words strung together — the classic four-word passphrase — beat short strings of symbols both in strength and in your ability to type them without swearing.
- Never reuse a password between your exchange and anything else. Not your email, not your bank, not the pizza app.
- Your email account deserves equal protection. Whoever controls your inbox can reset almost everything else, including your exchange password.
Password managers do the remembering
The only realistic way to have a unique random password for every account is to not remember any of them. A password manager generates, stores, and fills credentials for you, locked behind one master password — the single password you actually memorize. Make that one long, make it unique, and write it on paper stored somewhere genuinely safe, because losing it is the one failure the manager cannot fix for you.
Managers have a side benefit most people discover by accident: autofill is a phishing detector. The manager fills your password on the real exchange domain and stays stubbornly silent on a lookalike, because it matches exact web addresses, not appearances. A human sees a familiar logo and a familiar layout; the manager sees that one character in the domain is wrong and refuses to cooperate.
If your password manager will not autofill a login page it normally fills, treat that as an alarm, not an inconvenience. It is telling you the domain does not match the one you saved.
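The exact-address check described above, written out as an added example (it is not code from this lesson or from any particular password manager); the exchange.example domain and the candidate page addresses are constructed:

```python
from urllib.parse import urlsplit

# Constructed sample: the login page the user saved in the manager (hypothetical domain).
SAVED_LOGIN_URL = "https://exchange.example/login"

def canonical_host(url: str) -> str:
    """Lowercase the hostname and convert any non-ASCII label to its xn-- (punycode)
    form, so a Cyrillic or accented look-alike letter can never compare equal to the
    Latin one. Returns '' for anything that is not a usable hostname."""
    host = urlsplit(url).hostname or ""
    try:
        return host.rstrip(".").encode("idna").decode("ascii").lower()
    except UnicodeError:
        return ""

def should_autofill(saved_url: str, page_url: str) -> bool:
    """Fill only when the page is served over HTTPS and its host is byte-for-byte
    the saved host. The path may differ (login vs. account page); the host may not."""
    if urlsplit(page_url).scheme != "https":
        return False
    saved_host = canonical_host(saved_url)
    return bool(saved_host) and saved_host == canonical_host(page_url)

# Constructed candidates a manager might be shown (all domains hypothetical),
# with the decision a strict exact-host matcher should reach for each.
CANDIDATES = {
    "https://exchange.example/account/security": True,    # same site, another page
    "http://exchange.example/login": False,               # no TLS: refuse to fill
    "https://exchange.examp1e/login": False,              # digit 1 in place of letter l
    "https://exchange.example.secure-login.test": False,  # real name used as a subdomain
    "https://exchange.ex\u0430mple/login": False,         # Cyrillic 'а' (U+0430) look-alike
}

def check_all() -> dict:
    """Run the matcher over every candidate and return its decisions."""
    return {url: should_autofill(SAVED_LOGIN_URL, url) for url in CANDIDATES}
```

Only the first candidate is filled; the look-alike with a Cyrillic letter is rejected because its host is normalized to an xn-- label that is nothing like the saved one.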
Two-factor authentication: the app beats the text message
Two-factor authentication, or 2FA, means a login needs something you know — the password — plus something you have. The quality of that second factor varies enormously. An authenticator app generates six-digit codes on your device, offline, rotating every thirty seconds. SMS sends codes through your phone number, and your phone number is far easier to steal than most people imagine.
The attack is called SIM swapping: a scammer convinces, tricks, or bribes a mobile carrier employee into moving your number onto their SIM card. From that moment, your texts — including login codes and password-reset codes — go to them. This happens to ordinary people, not just public figures, and you usually find out when your phone mysteriously loses signal at the exact moment your accounts start changing.
- Use an authenticator app instead of SMS wherever the choice exists. Hardware security keys are stronger still, if you want the top shelf.
- When you enable 2FA you receive backup codes. Store them offline — on paper or in an encrypted file — and never in the same place as your password.
- Keep SMS only if the alternative is no second factor at all. Weak 2FA still beats none.
Session hygiene: log out of what you forgot
Every device where you logged in and chose to stay signed in holds a live session — a key that works without your password. Most exchanges show you a list of active sessions with device type and approximate location. Read it occasionally the way you read a bank statement: not because you expect fraud, but because the one time something looks wrong, you want to catch it on day one rather than month three.
- Review active sessions monthly and revoke anything you do not recognize or no longer use.
- Never stay signed in on shared or public computers; one forgotten library login outlives any number of password changes.
- Log out before selling or handing down a device, and remember that browser sync can quietly carry sessions to machines you have never touched.
Device checks: the ground your account stands on
Everything above assumes the device itself is clean. A keylogger or a malicious browser extension sits underneath every password and every second factor, so a little device hygiene closes the loop. None of this is exotic — it is mostly the maintenance your computer already nags you about.
- Install operating system and browser updates promptly. Most malware exploits holes that were patched months before the infection.
- Audit browser extensions ruthlessly. Each one can potentially read what you type. Keep the few you genuinely use and remove the rest.
- Download trading apps only from official app stores, and check the publisher name before installing — lookalike apps are a real and recurring problem.
- Public Wi-Fi is mostly fine for browsing thanks to modern encryption, but a personal hotspot is the calmer choice when you are moving money.
Set a quarterly ten-minute audit in your calendar: active sessions, authorized devices, browser extensions, and whether your backup codes are still where you think they are.
Key takeaways
- Credential stuffing — reused passwords from unrelated leaks — is how most accounts actually fall. Uniqueness is the cure.
- A password manager makes unique passwords effortless and doubles as a phishing detector through exact-domain autofill.
- Authenticator apps beat SMS because phone numbers can be SIM-swapped; store your backup codes offline.
- Review active sessions regularly and never persist logins on devices you do not control.
- Keep devices updated, prune browser extensions, and install apps only from official sources.