Introduction

In the world of cryptocurrency, "Not your keys, not your coins" is a widely known saying. While storing assets on a major exchange like Binance has its conveniences, account security is something every user should take seriously.

For Chinese mainland users, the unique nature of the network environment may present some additional security challenges. This article provides a comprehensive security setup guide to help you build a multi-layered account protection system.

1. Password Security

Password Guidelines

A secure Binance password should:

  1. Be at least 12 characters long: The longer, the safer
  2. Include multiple character types: Uppercase and lowercase letters, numbers, and special symbols
  3. Avoid personal information: Do not use your name, birthday, phone number, etc.
  4. Be unique: Do not reuse passwords from other platforms
  5. Be non-patterned: Do not use keyboard sequences (like qwerty) or common words

Using a Password Manager

Creating and memorizing multiple strong passwords manually is difficult. Consider using a professional password manager:

Recommended tools:

  • Bitwarden: Open-source, free, cross-platform support
  • 1Password: Feature-rich with high security
  • KeePass: Offline password manager with fully self-controlled data

How to use a password manager:

  1. Install it and create a strong master password (the only password you need to remember)
  2. Use the password manager's random generator to create a password for Binance
  3. Save your Binance account information in the password manager
  4. Auto-fill from the password manager when logging in

Change Passwords Regularly

It is recommended to change your Binance password every 3-6 months. When changing:

  • The new password should not be too similar to the old one
  • Confirm the password manager has been updated
  • Withdrawal functions will be restricted for 24 hours after a password change (this is a Binance security measure)

2. Two-Factor Authentication (2FA)

Authentication Method Priority

Binance supports multiple 2FA methods, ranked by security from highest to lowest:

  1. Hardware security key (e.g., YubiKey): Highest security
  2. Google Authenticator: Recommended for most users
  3. Email verification: Medium security
  4. SMS verification: Lowest security (but still better than nothing)

Recommended Configuration

The ideal 2FA setup enables multiple verification methods simultaneously:

Best combination: Google Authenticator + Email verification + SMS verification

This means:

  • Login requires password + Google Authenticator code
  • Withdrawals require password + Google Authenticator code + email verification code
  • Changing security settings requires all verification methods

Google Authenticator Setup

Refer to our dedicated article for detailed Google Authenticator setup steps. Key points to emphasize:

  1. Always back up the key: Write it down and store it in a physically secure location
  2. Do not take screenshots: Screenshots may be captured by malware
  3. Ensure time sync: Incorrect phone time can cause verification code errors
  4. Consider a backup device: Add the same key to a second device as backup
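As an added illustration (not code from the original article), the following Python implements the TOTP algorithm Google Authenticator uses and shows why a phone clock that is out of sync produces rejected codes. The secret is the public RFC 6238 test-vector key, not a real Binance key, and the one-step tolerance in verify() is an assumed, typical server setting.

```python
import base64
import hashlib
import hmac
import struct

# RFC 6238 test-vector secret (ASCII "12345678901234567890" in base32). It is NOT a
# Binance key; the real one is shown once at setup and must be backed up offline.
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30  # Google Authenticator rotates codes every 30 seconds


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int) -> str:
    """RFC 6238 TOTP: the counter is the number of 30-second steps since the Unix epoch."""
    return hotp(secret_b32, unix_time // STEP_SECONDS)


def verify(secret_b32: str, code: str, server_time: int, skew_steps: int = 1) -> bool:
    """Server-side check; skew_steps=1 (assumed, a common setting) accepts one step either way."""
    counter = server_time // STEP_SECONDS
    return any(hmac.compare_digest(hotp(secret_b32, counter + d), code)
               for d in range(-skew_steps, skew_steps + 1))


def skew_demo(secret_b32: str, server_time: int, phone_offset_seconds: int) -> bool:
    """Would a code from a phone whose clock is off by phone_offset_seconds be accepted?"""
    return verify(secret_b32, totp(secret_b32, server_time + phone_offset_seconds), server_time)


if __name__ == "__main__":
    for offset in (0, 30, 90, -120):
        accepted = skew_demo(RFC_TEST_SECRET_B32, 59, offset)
        print(f"phone clock off by {offset:+4d}s -> code accepted: {accepted}")
```

A phone that is 30 seconds off still lands inside the tolerated window; one that is 90 seconds off does not, which is the "verification code error" the list above warns about.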

Email Verification Setup

  1. Go to Binance Security Center
  2. Bind your email and complete verification
  3. Ensure your email itself has two-step verification enabled
  4. Use a secure email service (Gmail or Outlook recommended)

3. Anti-Phishing Code

What Is an Anti-Phishing Code

An anti-phishing code is a custom string you set in Binance. After setting it, every official email from Binance will contain this string. If a "Binance email" you receive does not contain your anti-phishing code, it is a phishing email.

How to Set It Up

  1. Log in to Binance -> Security Center
  2. Find the "Anti-Phishing Code" option
  3. Click "Enable" or "Set Up"
  4. Enter a 4-20 character anti-phishing code
  5. Confirm the setting

Setting Recommendations

  • Use a character combination that is easy to remember but hard to guess
  • Do not use the same string as your password
  • Do not use personal public information (such as usernames or birthdays)
  • Send a test email after setting it to confirm it works

Identifying Phishing Emails

After setting an anti-phishing code, here is how to verify email authenticity:

Legitimate email: The email body will prominently display your anti-phishing code
Phishing email: No anti-phishing code, or an incorrect anti-phishing code

4. Device Management

View Login Devices

Regularly check which devices have logged into your Binance account:

  1. Go to Security Center -> Device Management
  2. View the list of all logged-in devices
  3. Each device shows: device type, operating system, login time, and IP address

Identify Suspicious Devices

Be alert if you notice:

  • Devices you do not recognize
  • IP addresses from cities or countries you have never visited
  • New login records during times you were not active

Handle Suspicious Logins

If you find a suspicious device:

  1. Remove the device immediately: Click the "Delete" or "Remove" button next to the device
  2. Change your password immediately: Use a completely new strong password
  3. Check your account: Look for abnormal trades or withdrawal records
  4. Reset all security settings: If you confirm a compromise, reset all security verifications
  5. Contact support: If there is any asset loss, contact Binance support immediately

5. Withdrawal Whitelist

Feature Overview

The withdrawal whitelist is an important security feature. When enabled, cryptocurrency can only be withdrawn to addresses pre-added to the whitelist. Even if your account is compromised, attackers cannot withdraw assets to their own addresses.

How to Set It Up

  1. Go to Security Center -> Withdrawal Whitelist
  2. Enable the whitelist feature
  3. Add your commonly used withdrawal addresses
  4. Each new address addition requires passing all security verifications
  5. Newly added addresses may have a 24-hour cooling period

Usage Tips

  • Only add wallet addresses you control
  • Carefully verify every character before adding
  • Regularly check the whitelist and remove unused addresses
  • Once enabled, all withdrawals must go to whitelisted addresses

6. Login Security Settings

IP Address Restrictions

Some security settings allow restricting the IP range for logins:

  • If your IP address is relatively fixed, consider enabling IP restrictions
  • Logging in from a new IP requires additional security verification

Login Notifications

Make sure all login notifications are enabled:

  • Email notifications: Send an email alert for every login
  • APP push notifications: Real-time push alerts for logins
  • SMS notifications: SMS alerts for important security events

Auto-Lock

Set the account to automatically lock after a period of inactivity:

  • Web version: Closing the browser tab requires re-verification
  • APP: Can be set to require re-verification after a period of time

7. API Key Security

When Do You Need API Keys

If you use third-party trading tools, quantitative trading bots, or data analysis tools, you may need to create API keys.

API Security Principles

  1. Principle of least privilege: Only grant the necessary permissions (e.g., if you only need to read data, do not grant trading permissions)
  2. IP restrictions: Restrict the API key to specific IP addresses
  3. Do not grant withdrawal permissions: Unless absolutely necessary, do not enable API withdrawal functionality
  4. Regular rotation: Periodically change API keys
  5. Secure storage: Do not store API keys in insecure locations

Creating Secure API Keys

  1. Go to Security Center -> API Management
  2. Create a new API key
  3. Only check the required permissions
  4. Set an IP whitelist
  5. Securely save the Secret Key (displayed only once)

8. Recognizing and Preventing Common Attacks

Phishing Attacks

Characteristics:

  • Fake websites mimicking Binance with slightly different domain names
  • Claims of needing "security verification" or "account upgrade" requesting information
  • Links spread via email, SMS, or social media

Prevention:

  • Manually type the URL or use bookmarks
  • Check the anti-phishing code
  • Do not click links in emails
  • Use your browser's built-in phishing detection
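Added example, not part of the original article: a Python check that classifies a link as official, lookalike or unrelated against an assumed official domain list (only binance.com here), expanding punycode and folding common look-alike characters before comparing, so that "slightly different domain names" of the kinds listed above are flagged. The homoglyph table and the two-label shortcut for the registrable domain are simplifications made for this example.

```python
import unicodedata
from urllib.parse import urlsplit

# Assumed official domain list for this example; take the real list from Binance itself.
OFFICIAL_DOMAINS = ("binance.com",)

# Constructed, deliberately small table of characters that look like Latin letters
# (digits and a few Cyrillic letters). A production check would use the full
# Unicode confusables data.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "|": "l", "\u0430": "a", "\u0435": "e",
                            "\u043e": "o", "\u0440": "p", "\u0441": "c", "\u0456": "i"})


def normalize(host: str) -> str:
    """Fold accents and look-alike characters so a spoofed 'binance' compares as 'binance'."""
    host = unicodedata.normalize("NFKD", host)
    host = "".join(ch for ch in host if not unicodedata.combining(ch))
    return host.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str) -> str:
    """Return 'official', 'lookalike' or 'unrelated' for the host in url."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    try:
        host = host.encode("ascii").decode("idna")  # expand xn-- punycode labels
    except UnicodeError:
        pass  # already a Unicode host name
    host = host.lower()
    if any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS):
        return "official"
    folded = normalize(host)
    registrable = ".".join(folded.split(".")[-2:])  # assumption: ignores two-part TLDs like co.uk
    for domain in OFFICIAL_DOMAINS:
        brand = domain.split(".")[0]
        if brand in folded or levenshtein(registrable, domain) <= 2:
            return "lookalike"
    return "unrelated"
```

Only "official" should ever be trusted; "lookalike" covers both the brand name appearing on a foreign domain (binance.com.example.net) and close typo or homoglyph variants.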

Social Engineering Attacks

Characteristics:

  • Impersonating Binance customer service via social media
  • Claiming prizes or promotions requiring cooperation
  • Requesting passwords or verification codes under the guise of "helping resolve issues"

Prevention:

  • Binance support only contacts through official channels
  • Never share your password or verification codes with anyone
  • Be skeptical of any "unexpected good news"

SIM Card Hijacking

Characteristics:

  • Attackers use social engineering to get carriers to transfer your phone number to a new SIM card
  • The attacker can then receive your SMS verification codes

Prevention:

  • Do not rely solely on SMS verification; enable Google Authenticator
  • Set up additional verification for SIM card changes with your carrier
  • Do not publicly share your phone number on social media

Malware

Characteristics:

  • Keyloggers recording your passwords
  • Clipboard hijackers replacing cryptocurrency addresses you copy
  • Remote control trojans directly operating your device

Prevention:

  • Install reliable security software
  • Do not download programs from unknown sources
  • Regularly scan your system
  • Carefully verify every character of the address when withdrawing

9. Security Checklist

It is recommended to perform the following security checks regularly (monthly):

Basic Checks

  • [ ] Is your password still secure (check for recent data breaches involving services you use)
  • [ ] Is Google Authenticator working properly
  • [ ] Is the anti-phishing code set
  • [ ] Are login notifications being received normally

Device Checks

  • [ ] Are there suspicious devices in device management
  • [ ] Is security software on your phone and computer updated
  • [ ] Is the operating system up to date

Advanced Checks

  • [ ] Are API key permissions reasonable
  • [ ] Are withdrawal whitelist addresses correct
  • [ ] Are there any abnormal recent transaction records
  • [ ] Are the bound email and phone number secure

10. Emergency Response

If Your Account Is Compromised

If you suspect your account has been compromised, take immediate action:

  1. Change your password: Use a completely new strong password
  2. Remove suspicious devices: Delete all unrecognized devices in device management
  3. Check transactions and withdrawal records: Confirm whether there were unauthorized operations
  4. Contact Binance support: Report the security incident through official channels
  5. Freeze the account (if necessary): Temporarily freeze the account in security settings
  6. Reset all security verifications

Phone Lost

  1. Log in to Binance via computer and check account security
  2. If you have a Google Authenticator backup key, restore it on a new device
  3. If there is no backup, go through Binance's security verification reset process
  4. Contact your carrier to report the SIM card as lost
  5. Change passwords for all associated accounts using another device

Summary

Account security is a systematic effort, not something you can set once and forget. The security measures in this article cover everything from basic password management to advanced API security, spanning all aspects of Binance account protection.

For mainland users, the core recommendations are:

  1. Set a strong password and use a password manager
  2. Enable Google Authenticator and properly back up the key
  3. Set up an anti-phishing code
  4. Regularly check device management and login records
  5. Enable the withdrawal whitelist

Security is no small matter. Spending a few minutes on security settings can prevent potentially massive losses in the future.
