Smart Computer Practices

There are a number of very smart computer practices that you can follow in order to minimize your risk of getting hacked, or of accidentally making a mistake of your own that causes you to lose access to some of your assets. Losing access to assets that are sitting in your wallet, because you've lost your private key, is just as final and devastating as outright theft. We have a number of suggestions about smart computing practices on this page. However, proper security is not just a set of practices or guidelines: It's a mindset. If your crypto portfolio is small, you may think that computer security is unimportant. However, your personal identification data is incredibly important too, and usually much more valuable than whatever amount of cash you have sitting in a savings account. Protecting your online identity from being compromised is important in case you have a valuable portfolio in the future, but also simply because being the victim of identity theft is incredibly frustrating and difficult to fix.

You may feel that achieving perfect computer security is impossible, and believe that you're wasting your time because a determined hacker will be able to hack you anyway. Remember that skilled hackers will usually target the easiest victim first, to pick the "low-hanging fruit." Let's put it this way: A skilled intruder can still break into your locked house, by picking the lock or smashing down the front door. That doesn't keep you from taking simple precautions such as locking the door, in hopes that an intruder will look for an easier house to break into somewhere else. Even if your digital security precautions are not perfect, they help make it harder, more inconvenient, or more expensive for someone to hack you. As you read through this page, you may quickly feel overwhelmed if you're not already technically literate when it comes to computers. That's ok. Start learning slowly and implement our suggestions. Baby steps. Let's get started.

Security Through Obscurity

Be aware that some hackers or thieves target victims randomly, while others target specific victims. If you are known to have wealth or cryptocurrency holdings, you're more of a target, even if people don't know how much money you have invested. Therefore, the number one rule in cryptocurrency security is to be discreet about it. If people don't know that you own any cryptocurrency, they'll be less likely to try to hack you, or to try to physically steal your assets!

If you regularly post on Reddit, and you're going to start posting in crypto forums, create a throwaway account that you use exclusively for conversations that mention crypto. This way, you're less likely to have your real-world identity tied to crypto. Use a separate browser for your two identities, so you're less likely to make an accidental post while logged in with the wrong username.

Although thousands of people have been hacked because of weak internet security (which we'll address shortly), there are also a significant number of people who have had cryptoassets stolen by boyfriends, girlfriends, family, and associates. In some of those cases (especially with family members or Significant Others), better security practices should have been in place. In many cases though, the assets would not have been stolen in the first place if the thief hadn't known that the victim owned any cryptocurrencies. So no matter how much you might want to brag about your crypto earnings and holdings, it may be smarter for you to keep that information completely to yourself. Probably the only person who should know about your cryptoasset holdings is your accountant, unless you share finances with your spouse. Remember the first rule of Fight Club: Don't talk about Fight Club.

Setting Up a New Email Address

If you use a single email address for all of your online interactions, and you use the internet frequently, chances are high that at some point your email address (and a password) will be lost in a data breach from some random website that you've used in the past. For starters, if you want to know if this has ever happened to you in the past, you can check the "Have I Been Pwned?" website. But even if your email address hasn't been associated with a data breach or hack at any point, it's highly likely that your email has ended up on a number of spam email lists. No matter how carefully you approach internet security, it is almost inevitable.

Hackers will take email lists, and try to find vulnerable emails to compromise. For example, a hacker could buy an email list of a million random email addresses, then try to sign in to a popular cryptocurrency exchange with every one of those email addresses (using an automated computer script to perform the work). If the exchange gives a message such as "your password is incorrect" rather than "your email address was not found," then the hacker can quickly compile a new shorter list of addresses for all of the emails that apparently have crypto trading accounts on that exchange. The next step is to focus on cracking the password, and that's a surprisingly easy process.
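Seen from the website's side, the leak described above disappears when every failed login gets the same answer and the same amount of work. The following is an added example, not code from this page or from any exchange; the user store, the sample account and the function names are hypothetical.

```python
import hashlib
import hmac
import os

_ITERATIONS = 100_000


def _hash(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


def _make_record(password: str):
    salt = os.urandom(16)
    return salt, _hash(password, salt)


# Constructed user store for the example: email -> (salt, password hash).
USERS = {"alice@example.com": _make_record("constructed-sample-password")}

# Dummy record, so an unknown email costs the same hashing work as a known one.
_DUMMY_SALT, _DUMMY_HASH = _make_record("dummy")


def login_leaky(email: str, password: str) -> str:
    """Weak: the two different messages reveal which emails have accounts."""
    if email not in USERS:
        return "Your email address was not found"
    salt, stored = USERS[email]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return "Your password is incorrect"
    return "OK"


def login_uniform(email: str, password: str) -> str:
    """Hardened: one message, and one hash computation, for every failure."""
    salt, stored = USERS.get(email, (_DUMMY_SALT, _DUMMY_HASH))
    password_ok = hmac.compare_digest(_hash(password, salt), stored)
    if email in USERS and password_ok:
        return "OK"
    return "Email or password is incorrect"


if __name__ == "__main__":
    for fn in (login_leaky, login_uniform):
        print(fn.__name__)
        print("  unknown email :", fn("nobody@example.com", "guess"))
        print("  wrong password:", fn("alice@example.com", "guess"))
```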

There's a simple solution to deal with all of this: Create a unique new email address for every banking and crypto website that you use! It's easy, and it's free. For example, if your name is Clayton Holmwood, and your real-life email address is claytonholmwood@gmail.com, you could create cholm814hK372@gmail.com for your Chase Manhattan banking account, cholm924uM261@gmail.com for your Coinbase account, and cholm285Wy925@gmail.com for your Bittrex account. If you do this, and you NEVER use those extra email addresses for anything other than accessing their one associated financial account in question, those addresses will never end up on a hacker's list, and the chance of someone guessing that such an email address even exists is astronomically low. Your email address won't be hacked if nobody else knows that it exists!

Make sure you enable Two Factor Authentication on each email address (which we'll explain shortly). Incidentally, we picked Clayton Holmwood from a random name generator website. Our apologies to anyone with that name who might end up reading this website or our book (Fomo, Moon, Lambo).

Basic Password Security

The number of poor passwords being used by the general population is just staggering. Even after years of education about the importance of computer security, many people still choose passwords such as "1234" or "password," or things like their spouse's name. Or a family member's name. Or a pet's name with a couple digits added. "Social engineering" hackers rely on this kind of foolish approach to computer security. So the very first step to better security is to always pick a password composed of random alphanumeric characters. Always try to include a mix of characters that includes at least one of each of the following types of character: A capital letter, a lower case letter, a digit, and a punctuation mark. By doing this, a hacker who is trying to use a powerful computer to "brute force" a password will need to try approximately 72 different options for each character, instead of just 26 options when someone sticks only to lower case letters. In a very simple four-character password, a full alphanumeric password with punctuation options gives rise to almost 26.9 million different possible passwords, rather than just 450,000 choices if the user sticks with just lowercase letters.

When it comes to passwords, length matters. As the length of the password increases, your password quickly becomes exponentially more secure. By using the four types of characters mentioned above, every single extra character that you add to a password makes it 72 times more complex. Let's look at an example where somebody is trying to be proactive, and makes a password of twelve random lowercase letters. It would take a supercomputer a moderately long time to crack this, because there are about 95 quadrillion different options. But by using a mix of the four character types, you instead have 1.94 x 10^22 different options. If you don't know math, don't worry. Let's just say that this number is about twenty million times as hard to guess as the other 12-letter password that used only lowercase letters. If a website allows it, the authors of this website always prefer to use passwords that are between twenty and thirty characters long. Nobody will EVER guess those. Even someone in the future with a quantum computer would probably just walk away and find something better to do.
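The counting used in the last two paragraphs, plus a generator that draws every character from the operating system's secure random source, as an added example that is not part of the original page. The page does not say which punctuation marks it counts, so the ten used here are an assumption chosen to give a 72-character alphabet. The example also goes one step further and counts how many passwords survive the "at least one of each type" rule.

```python
import itertools
import math
import secrets
import string

# The four character types. The punctuation set is an assumption, picked so
# that the alphabet has the 72 symbols used in the text.
CLASSES = {
    "lower": string.ascii_lowercase,   # 26
    "upper": string.ascii_uppercase,   # 26
    "digit": string.digits,            # 10
    "punct": "!@#$%^&*-_",             # 10
}
ALPHABET = "".join(CLASSES.values())   # 72 symbols in total


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of possible passwords of this length over this alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """The same quantity in bits; each extra bit doubles the guessing work."""
    return length * math.log2(alphabet_size)


def keyspace_all_classes(length: int) -> int:
    """Passwords of this length that contain at least one symbol of every
    type, counted by inclusion-exclusion over the types left out."""
    sizes = [len(chars) for chars in CLASSES.values()]
    total = 0
    for k in range(len(sizes) + 1):
        for excluded in itertools.combinations(sizes, k):
            total += (-1) ** k * (len(ALPHABET) - sum(excluded)) ** length
    return total


def generate_password(length: int = 24) -> str:
    """Random password with at least one character of every type.

    Whole candidates are redrawn until one qualifies, so every qualifying
    password is equally likely.
    """
    if length < len(CLASSES):
        raise ValueError("too short to hold one character of every type")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(c in chars for c in candidate) for chars in CLASSES.values()):
            return candidate


if __name__ == "__main__":
    for n in (4, 12, 24):
        print(f"length {n:2}: lowercase only {keyspace(26, n):.3g}, "
              f"72 symbols {keyspace(72, n):.3g} "
              f"({entropy_bits(72, n):.0f} bits), "
              f"with every type present {keyspace_all_classes(n):.3g}")
    print("sample:", generate_password())
```

At four characters the "one of each type" rule leaves only a small part of the 72-symbol keyspace, which is another reason to prefer length over composition rules.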

Always use a different password on EVERY website. This is extremely important. It's also very hard. People like to pick passwords that they can remember. Picking a password that you can remember is extremely poor computer security. If you find that this is too much of a challenge for you, you can always pick one easy "throwaway" password for all of the common public sites that you visit, a fairly complex (and unique) password for your email, and a complex (and unique) password for each financial, crypto, and banking site. Yes, it's annoying to have to remember and secure all of these passwords. But it's also annoying to open up your bank account or your crypto wallet and find that it's empty.

In some cases, keeping track of your passwords is very challenging. For instance, we regularly visit over two hundred different websites. We have different random passwords on every one of those websites! One good way to keep track of everything is to use a "password manager." Just make sure that you keep two backups of the data file from your password manager. A paper backup of the master password is important, and a digital backup of the entire data file is important. Make sure those are stored in a very secure location, preferably with a copy off-site in case your home burns down. Another option is to create a text file of all your passwords, then to encrypt that file using encryption software such as GPG (and of course, store a backup of that encrypted file someplace secure).

You may think that a password manager is risky, because if someone gets your master password, they'll then have access to every one of the sites that you visit. Yes, we acknowledge that this is a risk. However, since a password manager allows you to use different passwords on every website, at least you're lowering your risk portfolio with respect to third-party hacks of those websites.

At this point, you may be thinking that this is a lot of overkill. However, for proper computer security, you need to put in some serious work. Even if you can't do everything that we've suggested above, do as much as you can. Following good computer security protocols is a pain in the ass. But it would be much worse for you to have your identity stolen, or your financial assets stolen.

An alternative to random characters in your passwords, if a website allows for a long password (say 30 characters or more), is to type in a phrase. This type of phrase is often referred to as a pass phrase. A good pass phrase can be easier for you to remember than groups of random characters, but if it is fairly long, it is very effective at preventing brute force attacks, especially if the phrase is unique to a single website. An example of such a phrase could be, "ihatethecolorofmyneighborshouse" or anything like that. That password, due to its length, is an extremely secure password as long as you don't use it on more than one site, although unfortunately, many websites don't allow passwords to be that long. But that's changing slowly! Whenever we discover a website that doesn't allow passwords of at least 32 characters in length, we email the administrator of that site and respectfully suggest that they change their code to allow for longer passwords.

It goes without saying that if you write down a list of passwords on a piece of paper, and leave it in a desk by your computer, you're putting yourself at risk. If the passwords are complex, as outlined above, you've probably protected yourself against online hackers. However, you can still be vulnerable if a physical intruder or a family member finds that list. At the very least, hide it in a book somewhere. And again, have a backup copy in a sealed envelope in a safety deposit box or similar secure off-site location, in case of a fire or other natural disaster. Literally millions of dollars of cryptocurrencies have been irretrievably lost in events such as the California wildfires, simply because people didn't keep backups in secure off-site locations.

Two Factor Authentication (2FA)

Two factor authentication is a security protocol whereby in order to access a system, a user must have more than just a username and password. The user must also possess a second form of identification or verification to make it more difficult for anyone else to bypass the password security for the account. 2FA is usually tied to a physical device that a person carries with them, such as a special type of USB key, or a cell phone that can receive a text message, or a mobile device with an "authenticator app" that provides time-based authentication codes.

We need to be very clear about one big risk immediately. Text-based (SMS) authentication is slightly better than not having any 2FA at all, but it is still highly risky! Hackers are frequently able to trick mobile service providers into allowing a person's phone number to be "ported" to a different phone. This even happens (surprisingly often) when an account is flagged with a "do not port" instruction given by the customer, and sometimes even when a provider has a house rule to restrict porting. Remember that a lot of mobile phone company employees don't really care about a stranger's security, or they fall victim to a good social engineering attack. Perhaps a hacker calls the Support department and has your name and basic identity information on hand (which is easy to find on the internet), and she gives a story such as, "Help, I dropped my phone in the toilet earlier today, and just bought a new phone, and I need to get my old number back as quickly as possible because my daughter is expecting a baby right now, and she's already in the hospital in Dallas!" If the hacker can provide all of the basic personal details for the account, such as the address and phone number and birthdate, chances are high that the phone number will be compromised.

Once a phone number has been ported to a new phone, the hacker can make phone calls and send/receive texts using your number. Even worse, any text-based 2FA is immediately broken. If the hacker has also figured out your email, then he/she can log in. The 2FA service will send an authentication text, and the hacker then bypasses the 2FA and accesses your account. You're screwed. This is why SMS-based 2FA is a very risky security protocol.

To be fair, 2FA in general is not weak. In fact, it's highly recommended. However, having "device-based" 2FA is exponentially more secure than SMS-based 2FA. By far the most common type of device-based 2FA is to use an authentication app, such as Google Authenticator or Authy. Both of these are highly rated. If you're downloading either from an app store, be absolutely certain that you're downloading the legitimate app, rather than an imposter!

The way that an authentication app works is this: When you turn on 2FA for a website that you use, such as Gmail or a cryptocurrency exchange, the website will generate a unique key for you. That key will be presented on the screen in two formats: A text based version, and a QR code version. Basically, the code will look like a short private key, so it might hypothetically look something like this: XY4HF78HS93LKV82934H12PA. You can then open the authentication app on your phone, and either scan the QR code with the phone's camera, or manually type in the text version of the key. The key is then permanently hidden in your device.

You may have to type in a name for the website associated with the key (to clarify exactly which site the authentication codes are for), since the authentication app can simultaneously hold many different keys for a number of different websites. So for example, you might want to label a certain authentication key as "personal gmail account," and a second key as "gmail account for coinbase account," and you might label another key as "coinbase account."

From that point on, whenever you have your authentication app running, a six digit number will be displayed in large text for each different website's key that you have entered. Every website's key will be a different six-digit code number. There will be a small thirty-second countdown timer beside your code, and after the clock has run out, a new (different) six-digit code will be displayed. Your six-digit code is ONLY valid for the duration of the thirty-second clock. So when you go to sign into a website on which you've enabled 2FA, you'll typically enter your username and password, then you'll be taken to a second screen which asks you to enter your authentication code. Bring up your codes on your phone. It takes a few seconds to type in the code, so if your thirty-second timer is almost expired, wait a few seconds until a fresh code comes up. Once that new code is displayed on your phone, type the six digits into the website, and as long as the code on your phone is correct, you'll be allowed to log in.
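What the app and the website both compute from the setup key, as an added example that is not part of the original page. It assumes the standard time-based one-time password scheme (RFC 6238 with HMAC-SHA1, a base32 text key, six digits and a thirty-second step), which is what common authenticator apps implement; the sample key is the published RFC test secret, not a real account key.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 test secret ("12345678901234567890") written as a base32 text key,
# the same form a website shows next to the QR code.
SAMPLE_KEY = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_setup_key(text_key: str) -> bytes:
    """Turn the text version of the key into raw bytes (spaces, dashes and
    lowercase are tolerated, missing padding is restored)."""
    cleaned = text_key.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC the counter, then cut out a short decimal code."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation
    number = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % 10 ** digits).zfill(digits)


def totp(text_key: str, at=None, step: int = 30, digits: int = 6) -> str:
    """The code the app displays at time `at` (seconds since 1970)."""
    now = time.time() if at is None else at
    return hotp(decode_setup_key(text_key), int(now // step), digits)


def seconds_remaining(at=None, step: int = 30) -> int:
    """What the countdown timer next to the code shows."""
    now = time.time() if at is None else at
    return step - int(now) % step


def verify(text_key: str, submitted: str, at=None,
           step: int = 30, window: int = 1) -> bool:
    """Website side: accept the current code, plus `window` steps either way
    to allow for clock drift and slow typing."""
    now = time.time() if at is None else at
    key = decode_setup_key(text_key)
    counter = int(now // step)
    ok = False
    for drift in range(-window, window + 1):
        if counter + drift < 0:
            continue
        expected = hotp(key, counter + drift)
        # Constant-time comparison; keep looping so timing does not reveal
        # which step matched.
        ok |= hmac.compare_digest(expected.encode(), submitted.encode())
    return ok


if __name__ == "__main__":
    print("code now:", totp(SAMPLE_KEY), "valid for",
          seconds_remaining(), "more seconds")
```

Nothing but the setup key and the clock goes into the code, which is why any device holding a copy of the key shows the same six digits, online or not.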

With device-based 2FA, even if a hacker on the other side of the world knows your email address, and knows the password for your account, they won't be able to get into your account unless they physically have your phone in their possession. Of course, losing your phone is a big risk. If someone finds your phone, they'll have your authentication codes. However, they presumably won't know your password (unless you've stored it in your phone, which is risky), so they still wouldn't be able to access your 2FA-enabled account.

The biggest risk with enabling 2FA is that many people have lost their phones, or had phones stolen, or dropped their phone in a toilet. In all of these cases, you may have a big problem because you no longer have access to your authentication codes. In some rare cases, website Support teams have eventually agreed to turn off 2FA, but this process usually involves weeks of delays and submitting a large amount of documentation to reassure the website support staff that it's really you, trying to get into your own account, rather than a hacker. Some website support teams simply refuse to assist cases like this. And for some websites, if you didn't provide extensive documentation (like photos of driver's license or passport) when you signed up, they have no way to match your request to the account. You don't want to be put into this position. Thankfully, there's a backup option.

2FA can be enabled on multiple devices. For instance, if you have a spare older cell phone, you can enable 2FA on that phone too. After you've done that, lock it in a safe and forget about it. The phone doesn't even need to have an active mobile connection. You can set it up using a WiFi connection, and once the authentication app is running, it doesn't even need the WiFi connection anymore. The only trick is that when you're trying to set up multiple devices with Google Authenticator, you currently have to enter the initial authentication key manually on each device, because if you do it by scanning the QR code, the app immediately moves on to the next screen and doesn't let you scan the code with a second device. This leads to the next important security step: Save a copy of your initial setup key.

There is no time limit on the time that you're given to manually enter your authentication key, if you are adding a new website to the app. Nor is there any limit to the number of devices that you can add the key to (remember, you can add the key to an offline phone). If you want to create a backup by adding your 2FA key to a second older phone that's stored in a safe in your bedroom, or in a safety deposit box at your local bank, that's great. But you can also simply store all of your text 2FA Other people prefer to store their backup codes on a USB key that they store in a safety deposit box. Some people even go to the precaution of encrypting that key.

If you've decided to add 2FA to a backup phone, and you've already set it up on your existing phone at a previous time, you might have a temporary setback. If you scanned the QR code when you activated 2FA, you probably didn't also write down the text version of the code, so you probably don't know your authentication key for manual entry. In that case, you can log in to the website(s) in question, turn OFF your 2FA temporarily, then turn it right back on. The website will then generate a new and different authentication key for you. This will render your old key on your old phone useless, so the next step is to delete that old key from your phone. At this point, you can write down your text version of the new authentication key, and manually enter it into both devices.

There's one last important thing to remember. On most phones, if you lose/upgrade the phone, and restore all your apps to a new phone using a backup app/system, all of your old apps (including your authentication app) will usually be restored on the new device in a seamless automatic process. Many of your passwords will also be transferred to your new device. However, even though the authentication apps may be reinstalled automatically, your authentication keys are NEVER moved and cannot be recovered. This is why it's really important to save a backup of your original authentication keys in a secure location. If you've lost access to your old phone, and don't have your authentication keys backed up somewhere, you're probably screwed.

Transactions Over WiFi, and Using VPN's

Using public WiFi is risky. Whether you're in an airport, coffee shop, or hotel, there's always a chance that there could be a hacker within WiFi range, casually checking out activity on the network. Remote attacks are also possible. If you're frequently in situations like this, we recommend that you use a VPN service to help protect your wireless communications. The problem, however, is that there are literally thousands of VPN's out there, and many of them are not really that secure. In fact, some VPN's may even be worse than an unencrypted connection, especially if you happen to live in a relatively non-hostile WiFi zone in a remote small town with nobody around you! We recommend that you do a lot of research before picking a VPN. Be careful, because many of the top-ranked online articles that review VPN's are sponsored by some of the VPN's themselves, so they might be very biased. Check out a wide variety of reviews before you make a decision.

We feel very reluctant to advertise any one particular VPN. However, knowing how daunting a task it is to choose a good VPN, we'll admit that we usually use one called Private Internet Access (PIA). We'll also clarify right now that we have no direct or indirect association with PIA, and we're not receiving any compensation to say that we think they're one of the lesser evils out there.

PIA is not perfect, and depending on your priorities, you may find other providers that you prefer. So far though, PIA has been pretty good for us. Having said that, nothing is without risk. What if an employee at your VPN service is a hacker, and is able to monitor traffic passing through your secure connection? What if someone else sitting nearby in the same coffee shop is skilled enough to get around the VPN's security connection? What if the VPN you're using temporarily drops the connection and goes to unsecured traffic, and you don't notice? These are all non-zero risks. Hopefully the chances of getting hacked in any of these ways are not very high, but you can never be too safe. Treat public WiFi connections as an unacceptably hostile environment.

For us, the best security approach is to make sure that we never access financial or crypto accounts from public WiFi. Try to make sure that you only access these sites on a secure home-based connection. Even if you're accessing important sites through your phone's cellular connection, there is a slight risk. It's possible for hackers to do packet sniffing, to observe internet traffic passing through a network. It's even possible (and not that expensive) for hackers to spoof a cell tower, which means that all of your mobile data transits through their compromised pipeline before connecting to a real tower. If they're doing that and they see your passwords or your private keys going by, you could be compromised. Thankfully, for some crypto-related services (such as mobile or desktop wallets), the private key never actually leaves your device, so it can't be seen passing through the internet. In this case, if you're able to create the private key on a secure and clean device which is offline, you're probably fairly safe.

If you're going to store crypto on a mobile device, and the monetary value is more than just "petty cash," maybe you should consider buying a cheap new-in-the-box phone and not adding ANY apps other than your crypto wallet to that phone. Even though mobile devices are generally less secure than desktop devices, a brand-new phone with no past usage may be much safer to use than your two-year old laptop that might have picked up malware from one or two of the thousands of sites that you've visited. Buying a new low-end $99 phone may be more cost-effective than spending $300 or more on a new laptop that is intended to be used solely for crypto. But then again, if you're going to be storing crypto funds worth much more than that, you shouldn't put yourself at risk just to save a few hundred dollars. This may not apply to you if you're only thinking about investing a few hundred dollars into crypto, and if you can afford to lose that investment. If you're considering investing a few thousand dollars though, you absolutely need to minimize or eliminate any possible attack vectors.

Router security is extremely important. Unfortunately, unless you're very tech-savvy, you'll look at routers as mysterious black boxes. You'll buy a standard consumer router, plug it in, nervously set up a network name and password, and hope it works. However, setting up a secure router is much, much more complicated than that.

There's a great router security site to be found at this link: https://routersecurity.org

However, don't be disheartened if you go to that site and quickly realize that you're not qualified to do everything that the site suggests. See if you have a tech-savvy friend who can help you out. If you thought that cryptocurrencies were complicated, they've got nothing on router security.

Using a "Clean" Computer

We've already hinted at the value of having a machine that isn't infected with malware or viruses. Having worked in IT, we've frequently been stunned by just how much garbage accumulates on most people's computers. The average one-year-old computer is riddled with viruses, spyware, and malware, unless the user is especially security-aware and careful. For starters, never click on an attachment in an email unless you know exactly what it is. We even question the attachments that come to us in emails from known friends, especially if the file isn't something that we were expecting to receive. Executables are completely off-limits, although most malware doesn't spread that way (at least not since the early 2000's). Documents, spreadsheet files, compressed folders, and some other types of files can contain malicious macros. Even some types of media files are dangerous. If you don't know what it is, don't open it. Even if you trust the source, it is possible that the sender's machine is unknowingly affected.

Email attachments aren't the only risk. Although they used to be the most common attack vector, there are a number of other weaknesses. Malware can be attached to torrents that you download, or hidden in mobile apps that have accidentally been vetted by Google and Apple as "safe" apps. Free software frequently has hidden payloads. And this may really dismay you, but a lot of public web pages have malicious scripts hidden on them. Even legitimate sites carry this risk, because the sites can be hacked and malware added without the sites' owners finding out. Advertising is also a problem, as malware can accompany ads on sites. Do some research into "malvertising," and you'll see what we mean. Frankly, the internet is a terrifying and unsafe playground. The more that you start to learn about these risks, the more surprised you'll be. Incidentally, don't think that if you have a Mac or an iPhone, you're immune. Viruses and malware also exist for Apple's products.

Even if you're not trading cryptoassets, it's very useful to spend time researching ways to prevent your computers and mobile devices from being infected with malware and viruses. This is simply a wise life decision. It's not just crypto that is vulnerable. Your traditional financial assets (online banking) can be vulnerable, and even more importantly, your personal identity information can be stolen. Identity theft is a very serious problem, and if your identity becomes compromised, you're going to have a lot of headaches to deal with in the future. You wouldn't leave a nice sports car parked unlocked in a seedy urban neighbourhood, would you? Then why would you leave your computer open to serious security risks? As mentioned, the internet is a cyber war zone, and good security is a mindset. Know and follow safe computing practices.

Let's assume that your regular computers have the potential for being compromised. What's your best option? Well, if you are tech-savvy, consider setting up, learning, and using a Linux machine. They are far more secure than Windows and Apple systems, and less susceptible to viruses and malware. If you're really comfortable with computer technology, you can even set up a version of a Tails operating system (Linux based) on a portable USB key, which is only ever used on an offline computer. This may be taking security to paranoid levels, but for some people with considerable investments, it's a smart choice. If you're not comfortable with Linux, another option might be to purchase a brand-new "throwaway" laptop (don't throw it away!), and use it specifically for your crypto activities. If you never use it to read emails, and never visit websites other than the half dozen key crypto sites (exchanges) that you may need to use, that laptop should remain fairly safe, especially if it is restricted to a secure home connection.

If you want to be especially cautious, don't even check price quotation websites with your special-purpose computer, not even once. For example, can you imagine the systemic risk to the cryptocurrency ecosystem if hackers were able to successfully embed a malicious keylogger script onto a website such as CoinMarketCap? Think of how many millions of people's accounts might be compromised within hours.

Going back to basics, don't click on unknown links on websites either. If you hover over a link with most browsers, the destination URL for that link shows in full text down in the bottom left of your screen (on desktop browsers). Always double-check this critical piece of information before you click. If there's a link on a sketchy website that says "www.bittrex.com" on the screen, but the URL on display in the bottom left says "http://www.bitttrex.de" then you will know that something fishy is going on, and you can avoid that link.
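The hover check described above can also be run automatically over a saved page or an email body. This is an added example, not part of the original page: it flags links whose visible text is a domain name that differs from the host the link really points to. The sample HTML is constructed and reuses the two addresses from the paragraph above.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Visible link text that itself looks like a web address, e.g. "www.bittrex.com".
DOMAIN_RE = re.compile(
    r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[/:?#].*)?$", re.I)

# Constructed sample page.
SAMPLE_HTML = """
<p>Trade at <a href="http://www.bitttrex.de/login">www.bittrex.com</a> today.</p>
<p>Official site: <a href="https://www.bittrex.com/">www.bittrex.com</a></p>
<p><a href="https://example.org/help">Click here for help</a></p>
<p><a href="/about">about.example.org</a></p>
"""


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a href=...> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _normalise(host: str) -> str:
    """Lowercase and drop a leading "www." so www.x.com equals x.com."""
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def find_mismatched_links(html: str):
    """Return (visible text, real URL) for links that show one domain on the
    screen but lead to a different host."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        shown = DOMAIN_RE.match(text)
        if not shown:
            continue                      # text is not a domain: nothing to compare
        target = urlsplit(href)
        if target.scheme not in ("http", "https") or not target.hostname:
            continue                      # relative or non-web link
        if _normalise(shown.group(1)) != _normalise(target.hostname):
            findings.append((text, href))
    return findings


if __name__ == "__main__":
    for text, href in find_mismatched_links(SAMPLE_HTML):
        print(f'link shows "{text}" but goes to {href}')
```

A link whose visible text is not an address at all ("Click here") passes this check, so the destination still has to be read before clicking.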

Be wary of links in Slack channels, and similar chat sites. We find Slack to be particularly bad. If you join a Slack room, you'll often start getting email notifications which say that you "must upgrade XXX to prevent losing coins" or something like that. Trust nothing.

Using Anti-Virus and Anti-Malware Software, and Script Blockers

It goes without saying that your computers or mobile devices should have anti-virus and anti-malware software installed. This is basic Computer Security 101 material. Do some research to figure out which programs are the best. As with most other things, different software packages perform certain tasks better or worse than other packages, so you'll have to figure out what's best for you. Free protection embedded in the operating system of your computer (such as Windows Defender) isn't perfect, but if you keep it updated properly, it may be a viable option. It's certainly better than nothing at all! Set up this software to update its virus and malware definitions (and do a full scan) on a daily basis.

If you're trying to figure out the difference between malware and viruses, a virus is a type of malware, just as a Dodge Dart is a type of automobile. There are lots of different types of malware though, not just viruses. Other types of malware include trojans, worms, adware, keyloggers, and spyware. Being on top of computer security means that you need to understand computers fairly well, and be able to recognize the different risks involved.

One security precaution that we feel is especially important is to ensure that you have a good script blocker extension in your browser. As mentioned earlier, many web pages run scripts. Some do so unknowingly after being hacked. Scripts (active computer code) have the potential to install malware on your computer. When you have a good script blocker installed in your browser, and you visit a website, the script blocker will warn you if the page is trying to run any scripts other than basic safe website languages such as HTML. The blocker will prevent all scripts from running until you've decided whether they should each individually be allowed to run, or be blocked. You can allow or disallow each script for the current session only, or on a permanent basis. Your choice.

In this day and age, it's inevitable that most complex modern websites will have some scripts on them, and you'll probably have to have a bit of faith. Even most cryptoasset exchanges have scripts on their websites, usually to enhance functionality and security. In general, however, the fewer scripts that you allow, on the fewest number of websites, the safer your computer will be. We've been to sites that are simply ridiculous. A good example would be trying to watch a video on a CNBC website and finding over 70 scripts on a single web page. If it's not necessary, and you're truly concerned about your computer's security, navigate away from that page. You don't really need to watch that video.
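To make the block-by-default behaviour concrete, here is a simplified model of a script blocker's decision logic. It is an added example, not code from the original article or from any particular extension, and the class names, page address and hosts are constructed for illustration. It counts the scripts a page tries to load from each host and sorts them into allowed and blocked, honouring permanent and session-only permissions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class ScriptFinder(HTMLParser):
    """Lists the host each <script> comes from; inline scripts count as the page's own host."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.hosts = page_url, []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src") or ""
            self.hosts.append(urlsplit(urljoin(self.page_url, src)).hostname)

class ScriptBlocker:
    """Default deny: a host's scripts run only if allowed permanently or for this session."""
    def __init__(self):
        self.permanent, self.session = set(), set()

    def allow(self, host, permanently=False):
        (self.permanent if permanently else self.session).add(host)

    def end_session(self):
        self.session.clear()  # session-only permissions do not survive a restart

    def review(self, page_url, html):
        """Return (allowed, blocked): script counts per host for one page."""
        finder = ScriptFinder(page_url)
        finder.feed(html)
        allowed, blocked = {}, {}
        for host in finder.hosts:
            bucket = allowed if host in self.permanent | self.session else blocked
            bucket[host] = bucket.get(host, 0) + 1
        return allowed, blocked

# Constructed sample page: two first-party scripts and three from other hosts
PAGE_URL = "https://news.example/video"
PAGE = """
<script src="/static/player.js"></script>
<script>var inlineConfig = 1;</script>
<script src="https://ads.example/track.js"></script>
<script src="https://ads.example/bid.js"></script>
<script src="//metrics.example/m.js"></script>
"""

if __name__ == "__main__":
    blocker = ScriptBlocker()
    blocker.allow("news.example", permanently=True)
    print(blocker.review(PAGE_URL, PAGE))
```

The fewer hosts that end up in the allowed set, the smaller the amount of third-party code your browser runs on that page.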

Using Encryption

Obviously, one of the first security steps that you should take with any specific device is to make sure that a password is needed to log in to the computer, or a PIN code is needed to get into the mobile device (or preferably, even stronger protection). As with other security matters, a stronger password is significantly more beneficial than a short and simple one. What would happen to you if your laptop got stolen? Do you have valuable information there that you don't want a thief to have access to? Do you store all your passwords on your laptop? Would someone be able to access all of your email accounts, bank accounts, and crypto accounts? If so, you're exposed to a big risk that you need to deal with!

One option is to make sure that you never let your laptop out of your sight. Of course, this approach isn't convenient. You probably don't want to take your laptop to bed, or to a nice dinner, or into a movie (well, ok, sometimes we do). Let's use a better example: What if you get mugged? Now you have a problem. However, there's a solution: Encryption.

It's possible to buy encryption software that will protect the contents of your laptop or computer. You can encrypt specific files, or you can encrypt specific folders, or you can encrypt the entire device. Be aware that whole-disk encryption is a great solution when you want to protect a single device (which is often going to be the case in the crypto scenarios that we're currently envisioning). However, if you're trying to share encrypted data over the internet with other users, you'll possibly focus on different types of encryption software.

For many years, the PGP/GPG (Pretty Good Privacy) software was the gold standard in encryption. It's still a very popular choice, although there are other packages available. Again, do some extensive research to see what package appeals to you, as different packages have different features (such as 2FA or other options). We won't delve into device encryption any further here, but we do strongly recommend that you consider using device encryption if your laptop has sensitive data or gives users access to any type of financial assets. Even if you always leave it at home, you could be vulnerable if there's a break-in.