What's the biggest real security mistakes non technical bitcoiners still make?

[Patikno]

Alot of technical discussions in this board focus more on solutions to advanced attacks or technical solutions towards future risks but from y'all experiences what will you consider as the most common and dangerous technical or non technical  mistakes many regular non technical bitcoiners still make today. Is it poor seed phrase backup, trusting of wallets blindly, or choice of wallet, reuse of addresses or lack of passphrase or something else? I really want to know what actually causes people to lose their bitcoins based on your practical understanding?

There are so many mistakes made by Bitcoiners that we often encounter in various stories, whether due to a lack of knowledge (less learning is more), carelessness, or a lack of skepticism (not being careful about every action). Essentially, all mistakes occur from not being careful before acting, and people should not rush into crypto activities without experience. A wise person is one who learns from the experiences of others. Trust me, if you heed the few important points I have shared, you will avoid all kinds of mistakes, including some errors OP mentioned above.

[Rubuchi]

Saving their seed phrase online. I am surprised that many people still think this is the best practice even after several warnings against it. Non technical people like to save their seed phrase in their email or Google drive. But this is real dangerous though.

I want to ask this question, is it safe to save my seed phrase on my ‘draft’ box on my Gmail account? I don’t think it is possible for scrappers for example to be able to scrap what is saved in the draft and not sent or processed to another account. I was thinking if it is safe to just drop your seed phrase in three or five pieces on different draft folders since no one can scrap what’s left on the draft unless if they have access to your login details which should be well protected by you and split on two or three Gmail different accounts

[tabas]

I want to ask this question, is it safe to save my seed phrase on my ‘draft’ box on my Gmail account? I don’t think it is possible for scrappers for example to be able to scrap what is saved in the draft and not sent or processed to another account.

It's never safe to keep your seed phrase on any online/cloud storages even it's your personal email. Don't underestimate what hackers can do, once your email gets hacked or the email provider, they're going to scrape all of the potential data and information they can get from a victim's email account.

I was thinking if it is safe to just drop your seed phrase in three or five pieces on different draft folders since no one can scrap what’s left on the draft unless if they have access to your login details which should be well protected by you and split on two or three Gmail different accounts

Please never do this, it's not safe at all. Don't think of it that it's only hackers will attack you, someone can personally attack you and steal your device where you've logged in that email and force you to give it. Think of the $5 wrench attacks and other torturing just for these criminals to take your device.

[Btcalysis]

Is it poor seed phrase backup, trusting of wallets blindly, or choice of wallet, reuse of addresses or lack of passphrase or something else? I really want to know what actually causes people to lose their bitcoins based on your practical understanding?

All these that you pointed out are crucial part of the causes that should not be taken for granted. But some of the less mentioned ones that are important causes could be:

1. Copy-past malware address replacement
2. Human error of sending to wrong addresses or network
3. Weak passphrase and lack of other security measures
4. Taking self-custody for levity to the point of losing access without backup plan
5. Storing passphrase electronically. Even Google drive is a red flag
6. Laziness to verify by installing the wrong software and downloads
7. Trusting social media communication is bad
8. Trusting custodial systems is a big red flag.

[Pmalek]

...also not using passphrase doesn't bring security issues, it's just an extension of words and it's optional.

Passphrases are a question of security. A passphrase is an additional security layer, meaning it provides some extra security to the default one. If someone steals your seed, they can take your bitcoin. However, if someone steals your seed that is extended with a complex passphrase, they don't possess the essential key material to empty your wallet. They would have to bruteforce or guess your passphrase to steal your coins.

Also, some people also mess up with the transaction fees and end up sending a huge transaction fee to the receiver.

A small correction here. Transaction/mining fees don't go to the recipients of bitcoin. They go to the miners that mine the blocks where your transactions are included. Unless they also happen to be the recipients.

[RockBell]

There are so many mistakes made by Bitcoiners that we often encounter in various stories, whether due to a lack of knowledge (less learning is more), carelessness, or a lack of skepticism (not being careful about every action). Essentially, all mistakes occur from not being careful before acting, and people should not rush into crypto activities without experience. A wise person is one who learns from the experiences of others. Trust me, if you heed the few important points I have shared, you will avoid all kinds of mistakes, including some errors OP mentioned above.

There are components of investing in Bitcoin that need to be taken seriously because when you talk about security, everything about your asset depends on it. After the capital and knowledge, one of the things that anyone will take seriously will be the security of your assets because if they are left carelessly, you will eventually lose them, and when you go to social media, you will see how a lot of people have lost their money, and this is because they did not take their learning seriously which is very dangerous.

People are always rushing instead of taking one step at a time, so that they will be able to get enough experience, and when you are consistent, you will be able to get enough experience. From there, you will know things you can avoid because one thing you can consider, and as you are making mistakes, you are learning from them, and you are amending your ways.

[Text]

I want to ask this question, is it safe to save my seed phrase on my ‘draft’ box on my Gmail account? I don’t think it is possible for scrappers for example to be able to scrap what is saved in the draft and not sent or processed to another account. I was thinking if it is safe to just drop your seed phrase in three or five pieces on different draft folders since no one can scrap what’s left on the draft unless if they have access to your login details which should be well protected by you and split on two or three Gmail different accounts

honestly that’s still not safe even if it feels clever. Anything stored in Gmail inbox, sent, drafts included is still online & tied to your Google account if your Gmail ever gets compromised like phishing, malware, SIM swap, fake Google login page, etc., the attacker won’t care if it’s in drafts or not, they just search keywords & boom seed phrase gone. Splitting the seed into parts across drafts or multiple Gmail accounts sounds safer but it still has the same core problem, your keys are online.

[Rustam Meraj]

I believe that biggest mistake is giving up of security in exchange for ease that is made when people store large sums of crypto in their mobile phones other than in hardware wallet which is the only way that would make sure that your keys are not online and are instead locked away. To stay safe, one only needs to leave their seed phrase off internet and store their savings using specific hardware device, as these two steps are enough to help you be safer than nearly anyone in the market.
Most ignored risk in crypto is so-called ease trap. Users use their phones as safe deposit box yet phone is never locked off and never secure. In case you do not want to carry around $10,000 in your pockets, you should not carry around $10,000 worth of Bitcoin in your mobile wallet either, and that is only thing you can do well, as non expert user, buy hardware wallet.

[9ja Amaka]

Ignorance is the biggest mistake both technical bitcoiners and non-technical bitcoiner still make that affects their wallet.
Non-bitcoiners trust third parties for customer support without knowing if they are actually talking to the right support while bitcoiners trust exchange and influencers without personally verifying if the security settings is risky or not. So, yeah, they both know the disadvantages of not asking but they choose to stay ignorant.

[lovesmayfamilis]

I believe that biggest mistake is giving up of security in exchange for ease that is made when people store large sums of crypto in their mobile phones other than in hardware wallet which is the only way that would make sure that your keys are not online and are instead locked away. To stay safe, one only needs to leave their seed phrase off internet and store their savings using specific hardware device, as these two steps are enough to help you be safer than nearly anyone in the market.
Most ignored risk in crypto is so-called ease trap. Users use their phones as safe deposit box yet phone is never locked off and never secure. In case you do not want to carry around $10,000 in your pockets, you should not carry around $10,000 worth of Bitcoin in your mobile wallet either, and that is only thing you can do well, as non expert user, buy hardware wallet.

The same can be said not only about mobile devices, but also about computers, which are often used for everything. We see stories of people who have lost their bitcoins due to using their computers to play games, download pirated applications from torrents or from sources that supposedly offer free software versions.
Until people learn how to use the Internet safely and separate entertainment from finance, their knowledge and discussions of technical issues related to bitcoin will never grow in a positive way

[tottong]

Is it poor seed phrase backup, trusting of wallets blindly, or choice of wallet, reuse of addresses or lack of passphrase or something else? I really want to know what actually causes people to lose their bitcoins based on your practical understanding?

That generally still happens and usually I see people who don't join the bitcointalk community actually store bitcoins in unsecured wallets or some even still use CEX as a place to store assets.
This has been the experience of several of my friends and in the end I advised them to look for a much safer wallet to store their bitcoin assets.
Many problems occur especially when someone loses the bitcoin assets they own and even if they store assets in a much safer wallet especially if they don't have access to that wallet for reasons of forgetting the seed phrase then it is also as stupid as storing bitcoins in a CEX.

So, be careful because you have invested all the effort, capital and time but instead we lose access to the assets we have and this is one of the most stupid mistakes that we need to avoid.

[Fiasem20]

There are lot of security mistakes non technical bitcoiners make that may look little but can cause a huge mess.One common security mistakes I’ve noticed in the crypto space that most bitcoiners are fond of doing is storing their passwords and seedphrase on their PCs,it’s always said that offline storage is the best in regards to keeping your login credentials safe from hackers and scammers.Unfortunately this one look silly,but still a lot of bitcoiners are into it,they download an attachment sent to them through a link and at the end of the day their account would be compromised.

[qwertyup23]

Alot of technical discussions in this board focus more on solutions to advanced attacks or technical solutions towards future risks but from y'all experiences what will you consider as the most common and dangerous technical or non technical  mistakes many regular non technical bitcoiners still make today. Is it poor seed phrase backup, trusting of wallets blindly, or choice of wallet, reuse of addresses or lack of passphrase or something else? I really want to know what actually causes people to lose their bitcoins based on your practical understanding?

Perhaps the most common error that beginners do is entertaining any random messages that they receive from any platform. This makes them vulnerable to any attack given that scammers could send any link that has malware unknowingly to the beginner.

Additionally, being naive and ignorant could also potentially be a cause for beginners especially if they are too blinded to see the red flags obviously showing. One example here would be ponzi-schemes that offer high interest rates and returns which are too good to be true to the normal investor.

There are lot of security mistakes non technical bitcoiners make that may look little but can cause a huge mess.One common security mistakes I’ve noticed in the crypto space that most bitcoiners are fond of doing is storing their passwords and seedphrase on their PCs,it’s always said that offline storage is the best in regards to keeping your login credentials safe from hackers and scammers.Unfortunately this one look silly,but still a lot of bitcoiners are into it,they download an attachment sent to them through a link and at the end of the day their account would be compromised.

This stems from the naiveness and irresponsibility of the person thinking that they are safe when storing their seed phrases on their personal PCs. Again, storing any kind of password on your computer runs you the risk of potential viruses that can inject malware which may cause all of your personal information to be leaked.

[sleepfirefly]

forgot password

this button is always there when we log in to different platforms so when we forget our passwords and can’t log in, we can easily go back in but this is just not the same with bitcoin if you don’t store your seed phrase properly and you forgot about it there’s no one to hold your hand freedom comes with responsibility and people often forget that

[PrivacyG]

One common security mistakes I’ve noticed in the crypto space that most bitcoiners are fond of doing is storing their passwords and seedphrase on their PCs,it’s always said that offline storage is the best in regards to keeping your login credentials safe from hackers and scammers.

People store their nudes, private conversations and logins 'encrypted' in Third Party servers they even pay a subscription for these days out of convenience, there is not much to expect from them when it comes to the Security of their personal data.  Bitcoin is even more difficult to handle than a simple login, of course they will rather screenshot the Seed than properly store it.

The warnings are there usually.  A lot of them simply do not listen to them and try to be smarter by avoding the rules.

[KiaKia]

They see DYOR as a lot of work, how can they tell the difference between a fake wallets and a real one?
They give attention to total strangers online which end up luring them into clicking on malicious links.

They trust centralised exchanges more than their crypto wallet.
They overlook 2FA authenticator and feel pleased with mere passwords only.

The numbers goes on and on, if anyone is starting their crypto journey right now they must be opened to learning alot about security and also crypto in general, there are too many things to know when you are just starting.

[Cricktor]

...

How can you ask to store your mnemonic recovery words in your email account, it doesn't really matter in what folder you store it there, when this was one of the first things mentioned by multiple posters here to avoid digital storage.

Who controls your email account, who controls cloud storage? This is other people's computers and servers! Who do you think controls those? Hint: it's not you!

What if Google decides to create some fancy AI, to scrape all users mailboxes to do something (btw, they do this already to bombard you with more targeted ads or provide you with more "intelligent" services). Do you really think it is hard to program something that could recognize words coming from a well known list of 2048 words (BIP39 word list). Piece of cake...

It's good that you asked, because you were about to make big mistakes. Once your recovery words are out in the digital realm, you loose control who might get their hands on them. Do you want such an uncertainty? I doubt that. Come to senses!

[Joy- maker]

There are still big mistakes that non technical Bitcoin investors makes when it comes to security. This set of people are still falling for phishing scam. they are still leaving their coins in centralised exchange. they are still writing down seed phrase on paper and end up keeping just one copy. they are still over trusting online influencers and friends, by following them blindly without doing their own research. They move large amounts to noncustodial wallet without testing the wallet first, to know if the wallet is actually good or not for storing large amounts.

[libert19]

It's a good topic.

I'll go with saving your wallet's private key/seed into online password managers is mistake people make because password managers usually have notion attached to them that they are safe while it's not true and specifically not true for online password managers.

Few years back, people started getting their funds drained (which continues till this day), although no known cause was yet known back then, but common link among the victims was that they were using Lastpass to save their stuff which was eventually confirmed.

Early documentation on this handle:  https://x.com/tayvano_/status/1648187031468781568

Recent development: https://www.trmlabs.com/resources/blog/trm-traces-stolen-crypto-from-2022-lastpass-breach-on-chain-indicators-suggest-russian-cybercriminal-involvement

Sure, you could say, people could have had weak passwords to encrypt their vault (so choose stronger passwords), and offline password managers with cloud backups are equally risky (but here attackers will have to get into your cloud account first before getting into your encrypted vault so I guess it's relatively better). — (I know, last paragraph didn't flow smooth, but now I am gonna post it).