When you create a wallet, you get a list of words called a recovery phrase. Those words are not a password to an account. They are the wallet. Anyone who has them controls your funds from any device in the world, and anyone who loses them, with no other backup, loses access permanently.
This sounds dramatic because it is. Self-custody hands you full control, and full control includes full responsibility for this one piece of paper.
What the phrase actually is
The phrase encodes your master private key in a human-friendly form, using a standard called BIP-39. Because it is a standard, the same phrase opens the same wallet in Simple Base Swap on web, iOS and Android, and also in MetaMask or any other standard wallet. You are never locked into our app. That portability is a feature, but it also means the phrase is universally valuable to a thief.
Your unlock password, by contrast, only protects the app on one device. It cannot recover the phrase, and the phrase does not need the password. They are independent layers.
How to store it well
Write it on paper, by hand, at the moment the app shows it to you. Then store the paper where you would store cash or documents that matter: a drawer you trust, a home safe, a safe deposit box. For meaningful amounts, write a second copy and keep it in a different physical location.
If you want to go further, metal backup plates survive fire and water. They are cheap insurance for a wallet that holds real money.
What never to do
Do not photograph it. Do not screenshot it. Do not type it into a notes app, an email draft, a password manager synced to the cloud, or a chat with yourself. Every one of those puts the phrase on servers and devices you do not fully control, and photo libraries in particular get synced, backed up and breached.
And the big one: never type your phrase into a website or share it with a person. There is exactly one legitimate moment to enter a recovery phrase, and that is importing your own wallet into a wallet app you chose yourself.
How scammers actually ask
Nobody will ever need your phrase to help you. Not us, not an exchange, not a validator. The scam patterns repeat:
A fake support agent appears in replies or DMs minutes after you mention a problem, friendly and urgent, with a link to a "validation" site that asks for your phrase. A site offers an airdrop you can claim by "verifying your wallet" with the phrase. A wallet app clone, downloaded from an ad rather than the official store, asks you to import your wallet and forwards every word to its operator.
The defense is one rule with no exceptions: the phrase goes into a wallet app you installed from an official source, and nowhere else, ever.
If the phrase is ever exposed
If you typed it somewhere suspicious or a photo of it leaked, treat the wallet as compromised even if nothing has happened yet. Create a brand new wallet, which gives you a new phrase, and move your funds to it. Then retire the old wallet for good. Speed matters here; automated scripts drain exposed wallets within minutes.
Five minutes with a pen, a safe place for one piece of paper, and a single rule about never sharing it. That is the entire discipline of self-custody, and it is worth doing right.