Bitcoin Security Checklist
New holders do not need fifty tricks. They need the right order: move coins off exchanges, use a real signing device, make a durable backup, test recovery, secure the accounts around the wallet, reduce privacy leaks, and write down enough for future recovery.
| Order | Do this | Plain-English test |
|---|---|---|
| Step 1 | Move coins off exchanges | Withdraw a small test amount first. Verify the receive address on your hardware wallet screen, then move larger amounts only after the test confirms. |
| Step 2 | Set up a real signing device | Use a Bitcoin-only hardware wallet with its own screen, offline signing, open standards, and no remote PIN server dependency. |
| Step 3 | Back up the seed on metal | Stamp two durable copies. Store them in separate places. No photos, no notes apps, no cloud copies. |
| Step 4 | Prove recovery works | Wipe and restore before serious funding. Check the same XFP and receive addresses after the restore. |
| Step 5 | Lock down email and devices | Use a password manager, security key or passkey, full-disk encryption, software updates, and fewer browser extensions. |
| Step 6 | Protect privacy | Use fresh addresses, label coins, avoid careless coin merges, reduce KYC exposure, and keep your home address off easy lookup sites. |
| Step 7 | Plan for loss and death | Write a recovery kit. Include XFP, derivation path, descriptor, wallet app, test date, and who to call. |
| Step 8 | Review once a year | Check backups, recovery notes, device firmware, account security, heirs, and storage locations. Fix changes while you remember them. |
The order matters
Do not start with multisig, coinjoin, or a clever passphrase if you have not tested a basic restore. Most bitcoin losses are not elite attacks. They are bad backups, confused heirs, phishing, reused passwords, cloud photos, and addresses signed without checking the device screen.
Get boring first. Then add complexity only when it removes a real risk.