A simple security routine
Everything from this module compressed into a weekly, monthly, quarterly, and yearly checklist. The boring habits that quietly protect everything you have built.
You now have all the pieces. Strong passwords. Real two-step login. The pattern of a scam. The shape of an investment scam. A wallet you control. A recovery phrase that does not live on any internet-connected device. A hardware wallet for amounts that matter. A clear sense of when to use an exchange and when not to. The instinct to read what you are about to sign.
The last piece is making all of it run on autopilot. Not by remembering everything every day, but by setting up a small routine that catches things before they become problems. This lesson is the routine: what to do this week, what to do every month, what to do every quarter, and what to do every year.
The weekly check (5 minutes)
A short pass that fits into a single sitting at the end of any week. The goal is not to find problems. The goal is to notice them while they are still small.
- Open your bank and card statements. Scan for charges you do not recognize, even small ones.
- Open your main crypto exchange and check the balances. Anything that looks off?
- Open any wallets you used this week and confirm the balances match what you expect.
- Look at any login alerts your email or password manager sent. Anything unfamiliar?
Most weeks this is a one-minute non-event. The cost is small. The week you catch something early, the saving is enormous compared to catching it three months later.
The monthly review (20 minutes)
Once a month, sit down with your password manager and your wallet apps open. This is the maintenance pass.
- Look at the password manager's security report. Are there reused passwords? Weak ones? Sites flagged as breached? Fix them.
- Check your two-step login on email and any financial accounts. Still on an authenticator app, not SMS?
- Look at your active token approvals on any chain you have used (via revoke.cash or your wallet's approvals page). Revoke anything you do not currently need.
- Move anything that is not for active use off the exchange and into self-custody.
- Review your wallet "allowlist" and unrecognized tokens. Do not click any "claim" links on unknown tokens; you can just hide them.
The quarterly check (1 hour)
Four times a year, take a deeper pass. This is also a good time to do the boring infrastructure things that nobody enjoys.
- Confirm your recovery phrase backups are still where you put them. Open the safe or drawer. Read the words. Confirm they are legible and complete.
- Test that the phrase still works. The safe way: import it into a fresh software wallet (a new MetaMask profile or a clean phone wallet) and check that the first address matches the one on your hardware wallet. Then delete that software wallet. Do not wipe your real hardware wallet unless you are deliberately doing a controlled restore and know exactly what you are doing.
- Review who has access to your accounts. Old shared logins? Family members on a Netflix-style account that has your billing info?
- Check the news section of any service that holds your money. Any breaches? Any platform issues? Adjust your custody plan accordingly.
- Confirm your hardware wallet firmware is up to date. Update before loading or moving meaningful funds.
The yearly deep clean (a couple of hours)
Once a year, the full pass. Block out two hours, get a cup of coffee, and run through it.
- Audit every account that has any of your money in it. Bank, card, broker, exchange, custodial wallet, anything. Close the ones you do not use.
- Rotate the master password for your password manager.
- Replace any SMS-based two-step login that you still have somewhere with an authenticator app or hardware key.
- Review the inheritance side. Does someone you trust know how to find your recovery phrase if you cannot help them? Should they?
- Take a snapshot of where everything is. A single sheet of paper, kept somewhere safe, that lists the accounts and platforms (not the credentials). Useful for you. Useful for your future self.
- If you are holding crypto, consider whether the split between hot wallet, hardware wallet, and exchange still makes sense for the size of what you hold today.
The five rules that cover most attacks
If you forget the rest of this lesson, keep these. Almost every common attack runs into at least one of these and dies there.
- Every important account has a unique password and a real second factor (authenticator app or hardware key, not SMS).
- Your email account is the strongest of all of them, because it controls everything else.
- Slow down when something feels urgent. Switch to a second channel before acting.
- Read what you are signing on a hardware wallet, on its own screen. Never sign anything you do not understand.
- Keep your recovery phrase offline, on paper or metal, in two physical locations. Never digital. Never shared.
- Weekly: glance at balances
- Monthly: passwords and approvals
- Quarterly: backups and recovery
- Yearly: a real audit
Why the routine is the point
Security tends to fail not because people did not know what to do, but because they did the right things once and then stopped. The first time you set up an authenticator app, you have closed the door. A year later, if you have lost the phone with the codes on it and never tested recovery, you have a different kind of problem.
A small recurring check turns "I should probably get around to that" into "that is already done." Each pass is cheap. The compounding over years is what protects you when something does happen.
You have finished Security Basics
You have now been through the things that actually protect what you have built. The general half (passwords, two-step login, recognizing scams, recognizing investment fraud) protects you whether or not you ever touch crypto. The crypto half (recovery phrases, hardware wallets, exchanges, signing) protects the part of your portfolio that has no backstop.
Most people who lose money in this space never read anything like this lesson. They learn the same things the hard way. You have just done the work without paying the tuition.
The boring habits, repeated quietly, are the loud difference between people who keep what they earn and people who used to have it.
Run the routine. Adjust it as your situation grows. And keep coming back to the basics, because they are still the basics regardless of what gets invented next.