Select Page
The Guardian Papers 6: Don’t Mess Around with Passwords

The Guardian Papers 6: Don’t Mess Around with Passwords

Imagine that you own a castle. As a proud owner of such an impressive, shiny fortress, you’ve likely got defenses – a sturdy wall and a heavy gate to protect your valuables. When an advancing army approaches, however, you don’t necessarily want them to test that security. You wouldn’t even lower the drawbridge! 

Your passwords function the same way and are your first line of defense to keep bad guys from ever even getting a foothold near your digital hoard.

Welcome to the 6th installment of The Guardian Papers, where we walk you through how you can protect yourself from the digital miscreants who seek to steal, cheat, and otherwise destabilize our beloved community. 

As the blockchain revolution continues to provide opportunities for people all over the world, those who lurk in the shadows are always eager to prey on the unaware. It is our goal with this series to educate and empower our community to resist and repel the monsters who hide out there in the digital darkness, so that we all can be safe, secure and more prosperous as we build a better future together.

Miss an issue of The Guardian Papers? Catch up below!

In the next few articles, we’ll be talking about security fundamentals that apply to all aspects of digital defense. We’ll rotate back to the Gala community specifically soon, but for now these are fundamentals that everyone should learn, and that are often highly exploited in the blockchain world.

What Makes a Password Secure?

Nearly everybody has countless passwords across their digital profile, so you’d think that creating secure passwords is a skill that everybody just picks up early on in life. Unfortunately, despite most people knowing better, many people are still using incredibly unsafe practices with their passwords that can leave your digital assets vulnerable to the bandits of the blockchain frontier.

Increases in technology bring many extra tools to help keep your assets secure, but also give your enemies more sophisticated weaponry to use against you, which makes it more critical than ever to use strong and secure passwords throughout your entire online ecosystem.

Length and Variety

Different platforms have differing minimum criteria for the length and character variety of passwords, and it’s never a bad idea to go overboard. With current computing power, a cybervillain could potentially attempt billions of passwords per second. While this may be limited somewhat by network security features on some platforms, longer and more varied passwords mean more combinations will be required to guess yours.

If you were using a 7-digit password that consisted only of numbers, that password would have 10 million possible combinations (0000000-9999999). Take that same 7-digit password and include capital and lowercase letters as well– now you have 62 possible characters per digit. This would increase the possible combinations of correct answers to a little over 3.5 trillion, still with only 7 characters in the password.

Uniqueness

Not only do you want your passwords to be unique for each of your accounts, but ideally you want them to not be a combination of characters that no one else would have ever thought of in their wildest dreams. Including dictionary words or common mnemonics like a year could leave you vulnerable to hackers looking for low hanging fruit. 

Your password shouldn’t be something familiar or easy to remember– the entire point is to make it something that only you know.

This may seem like common sense to many digital veterans, but repeatedly data breaches have shown that things like “password”, “123456” and “qwerty” are the most commonly used passwords throughout the world. Using any common phrases in your passwords makes you the nice, soft target that the enemies of digital sovereignty are after.

Fun Fact: According to a study last year by NordPass, here are the top 10 passwords used worldwide:


1. 123456

2. admin

3. 12345678

4. 123456789

5. 1234

6. 12345

7. password

8. 123

9. Aa123456

10. 1234567890

Don’t be like these people. Make your passwords secure.

Anonymity

If someone is going to try to penetrate your personal passwords, the best place to start is often for them to know their enemy– you! If personal information that they can glean from public records or social media gives them insight into what your passwords may be, they may be able to breach all of your security before you even see them coming.

Using your birth year, your pets’ names, your children’s names or anything simple to guess with just a little information about you is incredibly unwise. Especially if you use similar mnemonics on all your passwords, one glance at your Instagram profile may have given a hacker all they need to clean out your digital hoards.

Common Password Vulnerabilities

Constructing strong and secure passwords certainly helps keep your defenses high. Secure passwords can still have vulnerabilities, however, and it’s extremely important to know all the angles that your password security could potentially be attacked from.

The Human Element

While many insecure passwords are often “brute forced” by miscreants with a program that can guess combination after combination, some are obtained through phishing attempts as we’ve discussed in our previous Guardian Papers profiling the common scams in the blockchain world. This is never to be taken lightly, as criminals will continue to develop new ways to trick your information out of you.

Your passwords are yours, and should never be shared. Even here at Gala, we’ll never ask for your password or keys– anyone who does is up to no good.

Even if you have excellent security and top-notch passwords, one error in judgment can still be exploited to ransack your digital fortress. There is no reason to share personal data or password information with anyone over email, Discord or any social media.

The scammers multiply because their methods get results. This is why it’s absolutely critical that the community here at Gala and throughout the entire blockchain frontier helps educate and empower their fellow digital pioneers. Once every member of the blockchain world is familiar with and prepared to fight off these attacks, these monster’s food source will dry up.

Even the best password hygiene is no substitute for caution when connecting to unknown networks!

Data Breaches

As massive data breaches have repeatedly shown in recent years, even secure information can be compromised and leaked when the defenses of organizations that you trust are compromised. If your passwords are stored with an organization who has been breached, you need to consider that password or any variation on it compromised forever. After a breach, that information is compiled in lists and distributed all over the dark side of the digital world, and information is forever.

In 2020, white hat hacking group FireEye identified a worldwide breach in the SolarWinds software. SolarWinds was a network management company with a global presence, and over 18,000 compromised clients were identified in the breach. FireEye noticed the breach quite by coincidence, but the systems had been compromised for more than a year.

This breach was later determined to be coordinated by the Russian Foreign Intelligence Service, and by leveraging the breached systems within SolarWinds for many months, they were likely able to access a significant portion of protected information across the entire global internet.

Read more about the breach from the US Government Accountability Office.

https://www.gao.gov/blog/solarwinds-cyberattack-demands-significant-federal-and-private-sector-response-infographic

To limit your vulnerability to data breaches that are beyond your control, never use the same password on more than one account. If one of your accounts is compromised, the last thing you want is for that to just open the door to all your defenses. Changing your password frequently will help you stay ahead of any breaches that may happen.

Most importantly, don’t trust your password information to entities when you don’t have to. Always think critically about whether you really want to share sensitive information with organizations before you have a chance to regret it. Rather than having a device remember your sensitive passwords, store them offline whenever possible– an old fashioned paper and pencil is about as unhackable as you can get.

Password Managers and Single Sign On

Password managers and single sign on (SSO) can be a great way for people to securely protect their individual credentials without getting lost in the tangle of hundreds of secure and confusing passwords.

These tools crucially only work, however, if you use them securely. If you aren’t going to follow good security practices without a password manager, then putting all your credentials into one could just be shoving your eggs all in one basket for a scammer.

If you choose to use a password manager, make sure that you follow all recommended precautions and protect your credentials to that password manager. Make sure you are choosing a reputable and well-known password manager to use… the last thing you want is to try some brand new password manager, only to find that you’ve been had by a phishing attempt that now has all your passwords!

Hold the Line

Most of the time that digital defenses are infiltrated, it’s through the front door– a password. How secure can you expect your personal estate on the blockchain to be with a wimpy lock on the front gate? Even with the extra layers of security we’ve discussed throughout this series such as private keys, and the precautions we’ll discuss moving forward (looking at you 2-factor authentication!), if your passwords are penetrated the enemy is already inside your defenses. 

The best way to make sure you stay entirely secure is to keep that gate locked tight.

Maintaining secure passwords and protecting them from the grips of the enemy prevents any part of your digital profile from being compromised. Even one account being breached represents a chink in your armor that could then give way to other vulnerabilities. Keep your defenses battle ready at all times and don’t let anything past your guard.

The Advance Guard

As we continue to advance through The Guardian Papers, it’s our hope here at Gala Games that we’re contributing a collection of resources for the community to reference and share, so that we can all power-up our defenses against those who would do us harm. 

For our next installment, we’ll stick to fundamental security and discuss 2-factor authentication and multi-factor authentication. As this series progresses beyond this module, we’ll rotate to an increasing focus on issues that are incredibly relevant to not only the community here at Gala Games, but the entire cryptoculture as well. 

It is our sincerest hope that this series not only empowers you to defend your sovereignty on the blockchain, but also inspires you to empower others throughout our beloved community.

Stay safe guardians!

The Guardian Papers 5: Too Good to Be True

The Guardian Papers 5: Too Good to Be True

Welcome back to The Guardian Papers, the series where we help bolster the security super sense of our community on GalaChain and beyond! Today we’re continuing our dive into the world of cons and villainy as we explore the methods that scammers use to deceive unwitting marks. Educate yourself on their methods, and soon you’ll be a defender of others rather than a target!

Scam Profile: Too Good to Be True

Hey there! Would you like to amass riches without any effort whatsoever?

If you answered yes to this question,  you may be a human being!

Seriously,  everyone wants this.  This is what the scammers out there are counting on, and how they reliably reel in their prey.

Rather than exploring how scammers deceive you like last time, today we’re getting a bit more cerebral. We’re talking about the bait –  the incentives that scammers will use to get you to throw aside caution and logic to dive head first into their trap. 

If something seems too good to be true… it probably is. 

Common Motivations

We’re living in a material world… and the vast majority of us are material people. That doesn’t mean we’re obsessed with our stuff or money hungry,  but most people live in a state where an infusion of money could totally change their lives. Whether it’s an increase in living standards, a better life for our kids or simply a way out of debt, most humans have an amount of money that will reliably spur their motivation. 

The amount of easy money that may light a fire under us may differ,  but the important thing is that the scammers know there is likely an amount that will push caution and logic out of your head and replace it with dreams of escaping whatever financial situation you’re worried about or transforming your life for the better. This is exactly what they’re counting on. 

Once they’ve got you dreaming about easy money,  they can count on your critical thinking skills being less engaged. After that, all they have to do is keep you on the line and let you dream.

Preying on Need and Greed

We all have needs to survive. The scammers out there can capitalize on this to make you justify some degree of trust or risk. Sometimes, they get you in the door with only fairly unbelievable claims… the level where your curiosity is piqued, but your brow may still be furrowed.

We don’t know what your job searching experience is… but from the writer of this article’s perspective, tech jobs at major metropolitan competitive prices don’t just drop into cold calls without some major strings attached.

The wages given are very high for someone sliding in to mass announce job openings. That having been said, they are not high for competitive jobs within the industry for the very qualified. The intention is that your brain says it’s implausible… but not impossible. So you DM out of curiosity. Then they have a direct line to work on you hard.

At the point they get you into their DMs or on their site, there are any number of scams that they could attempt to run on you. The important thing is that they now have you where they want you, thinking about what that money could do for you.


Sometimes these types of scams run a little more flagrantly too good to be true. As the reward is cranked up however, our mind has a way of justifying a greater amount of perceived risk.

In the case of this DM (that I received four of at the exact same time from four different accounts 🙄) they’ve abandoned the idea of believability. Instead, they’ve employed several ‘hard sell’ techniques to make the target careless enough to slip up.

First, there’s the ludicrous amount of free money they’re offering. They temper this free thousands of dollars worth of ETH by having the target ranked third… leaving a quiet voice in the back of your head saying, “Surely if it was a scam they’d have put me in first.” 

Then there’s the time sensitivity. You only have 24 hours to activate your code! Oh no! No time to hesitate!!! Your decision-making reactively goes into high-pressure mode, making quick decisions with less information than it normally would. Of course once you go to their site, you’ll be asked to connect your wallet to get your winnings. Then they have access, and you are drained.

Note the inconsistencies across the messaging. “You have been RANDOMLY selected among users of Crypto Discord Servers.” AND If you don’t know what is crypto and how to use it – ignore this message”. But how can both those things be needed? Why would they send this to someone who didn’t know ‘what is crypto’ if they selected participants from among crypto communities only? 🤔

Think about that… selected from “Crypto Discord Servers”. That makes sense for an airdrop of some new token from a brand new ecosystem trying to get its name and token out there… but what would a trading platform have to gain by giving away so much to people who are NOT already part of their platform?

There’s no CTA to sign up. No email opt-in to enter. No marketing win for the company who fronted the prize… big red flag. At best, they’re getting 3 new users out of this ~13.9 ETH prize. That’s not how marketing budgets work.

Also, did you notice how seemingly random words were capitalized throughout the message? The capital words in the first section act as subconscious triggers for your brain, priming you to follow through on the scam. When you scan the text, your brain automatically considers the capitals more important. If you’re old enough to remember the classic tag cloud on websites, think of it as that… except it’s logging keywords with your brain instead of AOL Search and AskJeeves.

Scamming Human Nature

You may be reading this and nodding your head thinking, “This kind of stuff would never work on me!” You’re probably wrong. It can work on anybody.

The reason that scammers use these tactics is that they do work. Everybody has an instinctive reaction when presented with these kinds of stimuli. We are able to overcome them by informing ourselves, but the instinct is still there. That is what scammers exploit.

If you are informed, however, you usually cease to be a target. Notice how the last example above said to ignore the message if you didn’t know what crypto was? They don’t want difficult onboarding. They want people to slide through their trap easily with just a little butter. If you are a difficult mark, you are no longer worth their time. 

Most people are familiar with the classic Nigerian Prince con… again, a ‘too good to be true’ type of scam. In this type of advance payment scam you’ll often see the scammer deliberately misspell words, punctuate awkwardly or more or less just fail to perform the language they are typing in. This is because they don’t want people who think too critically to respond.

If you overlook all those obvious errors and their inconsistency with the idea of wealthy, well-educated royalty… you’ll probably overlook other things. If you spot the signs right away, the sharks don’t smell blood in the water.

Fun Fact: The ‘Nigerian Prince’ scam is actually a very old form of advance payment scams, most notably going back to the “Spanish Prisoner” scam in the 18th and 19th centuries.

The con man tells the mark that they represent a wealthy noble who has been imprisoned in Spain. The noble is under a false name for fear of political persecution, etc. If the mark can give bail money, the noble can reward them handsomely upon their return home. 

Once the mark gives the bail money, the con man comes back saying that the noble needs money for passage to his homeland where the treasure awaits. Then there will be storms and delays, extra costs. The con man keeps pumping the mark for money until the well runs dry, but the prisoner never brings back riches. They don’t exist.

Read more about the history of The Spanish Prisoner swindle in a very interesting deep dive by the Western History and Genealogy Department of the Denver Public Library. ⬇️

https://history.denverlibrary.org/news/very-old-fence-fresh-coat-paint

Guarding Through Community Education

The way to fight these scammers is to inform ourselves and those around us. These kinds of cons are not going away as long as there is a gullible audience for them to exploit. While it’s unlikely that we’ll ever be universally free of these types of predators, we can be free of them within our community with education, support and good practices.

That is, after all, what The Guardian Papers is all about. We all come from different backgrounds. Some of this may be little more than review for some members of our community, but there are others that this is all new for.

When it comes to scammers, we really are only as strong as our weakest link. As long as the villains find an easy mark within our ranks, they will be here. With every link strong and resistant against them, they’ll go elsewhere and find somewhere else to practice their evil art. That is the strength of community.

That’s all for us this week, and that will wrap up our second module of the Guardian Papers! We’ll circle back to the methodology of scammers again in a later article, but Module 2 was designed to give you a brief overview of who the villains are and what tools they use. Hopefully you have that context and it helps you in the battle against the forces of darkness.

Next time, we’ll be starting in on Module 3. In this part of the series, we’ll shift back to proactive security and talk in more detail about these mean streets. We’ll dive into the corners of the web3 world where you tend to encounter cyber criminals and talk about how to spot them in their natural habitats.

Until then, stay safe out there heroes! Keep your wits about you, and remember to share your knowledge with your friends… our community is our greatest tool to keep us safe!

Guardian Papers 4: Beware the Impersonator

Guardian Papers 4: Beware the Impersonator

Congratulations hero, you’re ready for the second module of The Guardian Papers. In our introductory lessons, we discussed the absolute bedrock fundamentals for safely navigating the web3 frontier. Now that you’ve mastered the basics, it’s time to move on to the basics of digital self-defense in specific circumstances. 

If you feel like you need a refresher on any material covered in module 1, don’t hesitate to dive back in!



Prepare yourself to move on from simply scratching the surface. For module 2 we’re going to dive into the underbelly of digital villainy in the web3 world, and talk about some of the most common ways that the good people of the blockchain world are preyed upon.

To protect yourself, you must first understand the danger.

Scam Profile: The Impersonator

Imagine, noble citizen of the web3 world–

You’re minding your own business, heading over to GalaSwap to make a few small trades and maximize your May Mayhem experience.

You click a handy link off Discord to gaIaswap.gala.com. It loads a little slow and the layout looks to have changed very slightly… must’ve been an update. For some reason you aren’t logged in… that’s weird, you were just a little while ago. But that can be easily fixed! Then you notice something weird after you put in your transfer code… you can’t see your balances or accept any swaps! 

Suddenly panicking, you switch over to a new tab and open your inventory… oh no! Your wallet is drained! Looking back at that link… an upper-case ‘i’ sure looks a lot like a lowercase ‘L’ 😭

You’ve just fallen victim to an impersonator scam. This one may have been elegantly simple, but they come in all shapes and sizes. Even a small scam can mean total damage.

Did we even have to change the L to an i though? A link can be anything, the text that you see is just an anchor that the real URL is tied to. Case and point — where do you think this leads? Gala.com (I promise that L is not an i!)

This con relies on the scammer earning enough of your trust that you give them sensitive information before thinking twice. These types of scams get easier to recognize and rebuff as you become more experienced in the web3 world. They can also, however, almost always be prevented by maintaining normal security standards, no matter the situation.

The Personal Touch

We’re all humans and that means we’re instinctively social creatures. When a scammer is trying to gain your trust, they have two options. They can either set up an impersonal trap like we mentioned above, or they can reach out more directly to their victims. A wide-reaching trap may catch a few marks for them, but many scammers will target individuals knowing that it’s a faster way to generate the trust needed for the con to work.


Sometimes, even a simple misspelling or low effort fake name may be enough to trick someone.

In this example, someone in a hurry may not even notice that extra s before reaching out to their friendly, neighborhood Taco!

Since this scammer has Taco’s exact PFP, they are counting on the trust that people associate with that image making them let down their guard enough to get sensitive information.

Someone only has to trust the scammer for a few minutes to make a horrible mistake!

We all know to look out for scammers… and we’d all like to think that we’re far too observant for it EVER to happen to us. But it still happens. 

Just because someone is a scammer doesn’t mean they’re incompetent. They know what works and how often… after that it’s just a numbers game until we all wise up to their tactics.


Here’s one we’ve all likely seen before, but they’re almost always targeted at someone who needs help and isn’t aware of what proper steps to take next.

When we want help, we want to be helped. The scammers are counting on this. When you can’t figure out what to do to fix a problem, frustration will start to build. A good scammer sees how long you’ve been looking for answers, and understands how frustrated you must be getting with the situation.

After that, it’s just a matter of providing you what you want to see in that moment – someone offering a simple and quick solution. This is the kind of situation that arguably traps the most victims for the web3 bandits.


Humans tend to see what we want to see to some degree, particularly at elevated levels of stress. If you’ve ever fallen for these types of scams, you shouldn’t feel ashamed. Many scammers out there are very good at what they do… which is why we all have to know more so we can fight back better.

This particular scammer seems to have found the ideal mark… the victim announced that they are having trouble sending $GALA and that there’s a problem with their wallet connection. 

These are easy pickings for a scammer. Often when they are initiating the conversation, they’ll be attempting to extract very sensitive information, like your seed phase or transfer code. Since they know this person is having trouble connecting a wallet and sending $GALA, the bad guy wouldn’t have to gain full control over the wallet to make a buck off the poor mark.
Once they can grab you in DMs, they’ll start “tech support” on it, which will often end with you either sending $GALA to their address or linking your wallet to their dApp surprisingly quickly.

The key here is trust. Once someone has your trust, they can usually make you compromise one security measure or another using some tried and tested methods.


The phrase “con man” or “con artist” comes from “confidence man.” These are criminals that have always existed, though the term first came to prominence in the mid 19th century. Even back then, everyone understood that confidence alone can often be enough to win trust. These scammers sound convincing, because that’s their profession… to be confident and gain your trust.

Here we’ve got a closer look at the profile of one scammer on the prowl. They call themself a dev in their name. Well that settles that!

Notice that “Discord Owner” is in the profile description box, meaning they wrote it in themselves. Since you see it before the “Role” section when you scroll down, however, your mind can easily just associate that name with “Discord Owner” and then Admin and Mod underneath!

They have used emojis in the about me section to make their “Admin” and “Mod” text look more official, as if that were a standard tag to denote role.

As usual, it’s all very convincing until you get down to the stuff you can’t fake. This person has been a server member for a very short time… how likely is it that they are the server owner?

Finally, we come to their role and see a simple member role. Since this info is below the lies above… will a person be more likely to disregard the information they see first or second?

When taken in isolation like this, many of these tactics seem so obvious. A scammer doesn’t have to succeed every time to make off like a bandit though. During the hustle of everyday life, there’s surely a moment or two when you let your guard down. That’s payday for the scammers.


This scammer rolls a lot of the concepts we’ve discussed into one effort. Their name isn’t particularly impersonator, but they’ve included the hexadecimal ETH prefix for a small air of authority.

They see that the victim is having trouble connecting a wallet. As we discussed above, this is a prime moment for these predators to strike. 

Realistically, this scammer knows that this user is likely trying to connect the wrong address… time won’t help.

At first, the scammer is just helpful. They don’t try to immediately push too hard, even mentioning that it may just need more time.

After being given a moment to consider the helpful stranger’s advice, the mark comes straight back to the scammer and asks for their help directly. Here again, we see the scammer build trust… they don’t immediately jump on the opportunity to strike but instead tell them they should talk to an admin.

When an admin fails to respond untagged after a few minutes, the scammer is quick to jump in and mention that they’ll send the mark the right way if they’d only DM them. Once the victim has reached out via DM, they’ll likely be sent a link to another user… the impersonator admin. They could also be sent a fake help desk link as we’ve seen above.


We have to stress again… absolutely anyone can fall victim to these kinds of tactics!!! People have used these kinds of cons for generations because they work! The best way to make sure that they don’t work on you is to learn about them and know better.

Did You Know? Victor Lustig famously sold the Eiffel Tower to scrap dealers in 1925… despite not being affiliated with the French Government. Later, he pulled off the exact same swindle a second time. Don’t ever think you’re immune to a good scammer!

Staying Safe and Secure

We’re being a bit drastic because this is a serious issue. Realistically, are there scammers everywhere throughout the web3 world and you should just be suspicious of everyone all the time?

No. That’s not how this goes at all. Scammers are a part of life… wherever there is opportunity for them to make a buck at someone else’s expense, there they’ll be. Once you learn how they exploit people’s trust, however, their methods are much less likely to work on you.

It’s not just about protecting yourself though. These scammers continue to escalate and find new ways to trick unsuspecting people because there ARE people who are unsuspecting. No one should spend their entire existence paranoid that a scammer is coming to get them, but someone without any of the knowledge that we’ve discussed here probably should until they learn what they need to protect themselves.

When everyone knows how these people operate, they cease to operate. Scammers abound in web3 right now because people are not informed. New technology doesn’t only bring new opportunities for the world to culturally, economically and socially advance… it always brings an all you can eat feast to those willing to prey on the uninformed.

Guarding Yourself and Your Community

Education is the answer. There are so many assumptions people have become accustomed to making in the web2 world, where we surrender our trust to corporations in digital spaces.

In the web3 world, you maintain control over your own digital footprint. That responsibility means there’s no corporate office keeping you safe anymore… To some degree, everyone needs to be responsible for themselves and know what they are doing and why.

This is not cause to bemoan that the digital villains will always be around… this is a time to celebrate! All we have to do to get rid of this web3 riffraff is empower each other with knowledge and the tools to protect ourselves. Do your own research (more on that in a future edition!) and share what you learn with your community.

Community is important. Have people you can turn to and ask for a second opinion. Have people who will watch your back and share important information and knowledge. Have a community you trust… without having to trust some faceless corporation with ownership of all your stuff.

Guardian Papers 2: Private Keys

Guardian Papers 2: Private Keys

Imagine losing the keys to your house… in a world with all unbreakable windows where locksmiths do not exist. This is what’s at stake when we talk about private keys, one of the most important tools in the web3 world.

Welcome to the second edition of The Guardian Papers, the series in which we’re taking you through some of the most important security issues in blockchain, one by one. The future of decentralization can create opportunities for bad people as well as good ones; that’s the nature of empowerment.

We’re here to not only empower our community, but also to help equip everyone with the skills and knowledge they need to protect themselves 

What Are Keys?

Keys grant you access to your assets or information on a blockchain. Just like a password, you can use your private key to access your holdings in a wallet address, but the security of a key far exceeds the security of a typical password. Passwords can be hurdles to the villains that stalk the shadows of the digital world, but cracking or brute forcing a private key is a hurdle too high for anyone to jump.

There are typically two types of keys associated with any blockchain address. A private key is your personal proof of ownership and should not be shared with anyone. This private key is known only to you, and due to blockchain’s decentralized nature your private key is how you prove to the network that the assets held at that address are actually yours. This itself prevents many of the methods that the bad guys will employ to prey on individuals in less sophisticated digital spaces.

A public key is the one that your wallet will share while transacting. Your public key is actually derived from your private key through complex mathematical calculations, but due to the high level of encryption, the process can’t be reverse engineered. This means that your public and private keys are matched pairs– one is your visible footprint on the blockchain while one is your personal access code.

DID YOU KNOW? 

Though not every blockchain uses the same names for them, most use some form of private and public keys.

On the Ethereum network, your wallet address actually represents the last 20 bytes of your public key. It is expressed in hexadecimal–  indicated by “0x” at the beginning of the address. Since each byte is represented in two hexadecimal digits, a full address is 42 digits long (0x+20×2)

Your GalaChain address is also expressed in hexidecimal characters. It is comprised of 24 digits, with the prefix “client|”, which can double as a unique user ID for the Gala platform.

On GalaChain, the ability to transact through the Gala platform or dApps built on chain simplifies the day to day use of your keys. Your public and private keys still control access to your on-chain items, however.

There are many independently functioning blockchains and not everything here will always be true for all of them. This is intended to be general information about how keys typically work on a blockchain, but you should always do further research to understand the specifics of any blockchain you use.

How Keys Protect Your Assets

In blockchains that use both a public and private key, asymmetric cryptography is employed to ensure that assets remain protected for a private key holder. This keeps security high even though transaction data and the public key are readily available as public information on chain.

GalaChain operates on asymmetric cryptography, just like many other chains. While your public key is used to sign transactions, your private key always stays exactly that – private.

First, your private key generates a public key with encryption software to complete the pair when you first set up your wallet. Your public key then secures data as it interacts with the blockchain so that it can only be decrypted using the private key that it pairs to. Your wallet safely stores your private key, which now is the only key that can give anyone access to your assets.

There are many nuances and exceptions to the way asymmetric cryptography works on blockchains, and there are even some chains out there that run entirely on symmetric encryption. Understanding how private keys and public keys interact and relate to each other, however, is the first step in keeping control over your crypto treasures.

It’s All In the Name

One of the key components of blockchains is transparency and history. Transaction information and data is readily available and stored within the chain itself, thus making ownership of your assets fully provable. While your public key will be visible on the network and identify your address to the chain, your private key needs to stay just that– Private!

Your private key should never be shared with anyone! This private key is designed to be stored within a wallet and should stay in one. Your private key can be imported to apps and extensions like Metamask, but make sure that you 100% trust the encryption and integrity of anywhere you are sending your private key. 

If someone has that key, they then suddenly own your entire digital hoard. While your private key may be able to be recovered with a seed phrase or recovery phrase, nothing can be done to prevent anyone who gains this key from immediately accessing your wallet. This cannot be restated enough times: Any individual asking for your private key is up to no good!

DID YOU KNOW?

A wallet doesn’t actually store your currency, but rather stores and controls access to the keys that can access the address the currency is stored at.

This means offline solutions like hardware wallets store your private keys in a secure environment, not accessible remotely.

When your private key is secure in a wallet, it signs transactions without being exposed to the network because your public key recognizes its other half. Though we use alphanumeric characters to express a private key, it’s in fact a seemingly random number of hundreds of digits long– the type of math us mere mortals use to keep your defenses impenetrable. Reverse engineering a private key from a public key is something that is beyond the technology of even a real life supervillain.

Control Your Lock and Your Key

The revolution that blockchain technology represents is all about sovereignty over personal property without barriers in between you and your assets. Maintaining control over your assets opens countless new possibilities, but that comes with responsibility.

Blockchains give you sophisticated tools to protect your assets, but in the end it all comes down to you. Maintaining a thorough security infrastructure on any device that your wallet is connected to will ensure that the lock on your vault is essentially impenetrable… but any lock is easy to penetrate if you hand over the key.

Your private keys are yours and yours alone. They should never be shared with others or transmitted digitally, and should preferably be stored offline whenever possible. Your keys are direct access to your treasures, so that’s what the enemies of digital sovereignty will come after… but you’re not alone in this fight. 

As long as there are easy victories to be had in our community for the bad guys, they’ll be hungry for more. Only by educating and empowering everyone within the blockchain world to protect their private keys can we shut out the brigands who seek to cheat their way through this digital frontier.

The First and Last Guard

We’ve already covered a lot of ground in The Guardian Papers on how to keep yourself secure in the decentralized world, and our next installment will take us even further yet as we explore how 2-Factor Authentication is crucial for healthy defenses.

In the world of Web3, you are the first and last guardian of your assets. This may sound overwhelming, but that is the cost of the power of controlling and owning assets without the interference of a larger organization. You have the tools at your fingertips to easily maintain defenses that can’t be matched in the pre-Web3 world. 

Here at Gala, we believe that empowering the players is about more than just ownership. It represents a responsibility to educate and arm the community with the knowledge they need to protect their control over their assets. As a community, the responsibility to spread wisdom that could help any member protect themselves is carried by all of us… until none of us are threatened. 

Our security on chain may be strong, but we are always infinitely stronger together.

Guardian Papers 1: The Responsibility of Empowerment

Guardian Papers 1: The Responsibility of Empowerment

This is the future, where ownership is real and the physicality of an object, idea or asset is less important than what it represents.

At Gala, we empower people to own their content through web3 tech. Thanks to the innovations of GalaChain, users can actually own the content they interact with. This revolutionary idea was first explored in finance and entertainment… but as demonstrated by the recent GALAthon hackathon event during GDC 2024, its applications are limited only by imagination.

Vast amounts of users and resources are already flowing through web3 ecosystems, and this is just the beginning. Still, many newcomers underestimate the risks of the space, as well as the enhanced security that true responsibility for one’s assets demand.

You shouldn’t have to trust faceless corporations to protect your interests. You should, however, have the skills and knowledge to trust yourself when the power is in your hands.

Only YOU can ensure your web3 safety!

Welcome to the Guardian Papers

From our staunch desire to both protect and empower members of our beloved community, the Guardian Papers were born. Through this series of articles on the responsibility of ownership, security guidelines and red flags, we hope to empower our community with something more valuable than any physical or digital asset: education. 

We want each of you to have the tools to effectively avoid the scams that can unfortunately still be found lurking in the corners of the Web3 world. We utilize blockchain systems for their unmatched security potential, but there will always be people who make it their life’s work to prey on the under informed, the gullible or – worst of all – the generous. This is a frontier. Frontiers have heroes… but they also have villains.

Understanding and staying ahead of the bad actors is an important part of doing your own research or due diligence– phrases you’ll continue to hear over and over in the web3 world. In this world, your money is no safer than your wallet, your wallet is as safe as your private keys, and your private keys are nothing short of sacred to you. Lose your firm, secure grasp on any of these things and your assets may be as good as gone. This is decentralization. There is no big bank ready to protect you and replace funds that were taken fraudulently. It’s all on you. The power is with the people.

Almost anyone can enjoy all the empowerment of the web3 space… as long as they also understand and accept the responsibilities.

Trust Yourself

Do not let these warnings make you afraid, but instead rise to the challenge of practicing basic security measures to keep your stuff safe! You are more capable of protecting yourself than any corporate bank, but you will have to spend some time and energy taking this power and responsibility into your own hands. This is still totally new, and we all have to learn new habits and routines.

The web2 world encouraged us to focus on simplicity and trust in the financial system. The convenience of cash transfer apps, debit cards and anytime/anywhere banking have taught us that money can move quickly and smoothly behind the scenes with little effort on our part. While highly convenient, it is easy to forget that this system requires trust of countless entities who are essentially strangers to you. With web3 tech, we are rapidly moving toward eliminating the need for trust. When trust is removed from the equation, a scammer’s power over victims is vastly reduced. You have the power to fight bad actors, you just need to learn to use it!

Owning crypto may not require you to trust a bank, but you must always trust yourself. You must trust yourself to never lose your seed or recovery phrase. You must trust yourself to take careful and deliberate actions when trading, transferring, purchasing, bidding, etc. You must trust yourself to follow the income tax laws of your country, realizing that while only you can hold yourself responsible, others will certainly hold you accountable.

Be a Watchdog

We understand that there will always be those who take advantage of anything with value. Become vigilant. Pay attention to the actions of those around you. Help your early adopter peers by watching their backs. These impersonators, imposters, phishers and frauds will always pollute the most successful blockchain communities. Their power will be continually reduced as web3 evolves toward its true potential. There is a constant battle between those here to engage with blockchain systems in the correct ways and those that are just here to try and take from others.

The Reality of Scams

Focus on protecting yourself and your fellow community members through open communication. Enhanced community looking out for each other… that’s making sweet and delicious lemonade out of some really bitter lemons.

Scammers and cheaters are not going anywhere, but the more people we can empower throughout the world, the fewer people will be driven to these types of malicious activities… and the more we’ll all be able to protect ourselves and each other. Doesn’t it feel good to be part of the solution for the big problems?

Within the Gala team, there are ongoing and passionate conversations about the importance of building a road for our growing community that is always safer and straighter than the one before. We’re proud to have been rated the most secure altcoin in the world, but there’s always room for improvement.

Upcoming Papers

This article is merely an introduction to the Guardian Papers series, which will be published over the coming weeks and months to ensure basic security information is available to all newcomers to the Gala community. 

Each relatively short article will have the intention of raising awareness to a specific security concern, but these articles are far from the whole story. We encourage every one of you to always stay vigilant and informed, and please, do your own research.

Stay tuned and stay safe!

Our mission of empowerment is becoming a reality, and as any friendly neighborhood Gala community moderator would tell you, with great power comes great responsibility.