Security in Altrady

At Altrady, we take the security of your API keys and account details very seriously. The way you manage your account details is also an important part of keeping your account secure.

See also: How to Keep Your Altrady Account Safe

Log in details


Best practice is to use a strong, unique password for your Altrady account, and keep this in a secure place such as a password manager. Within your password manager, if there is an option to require the master password to be entered again for the site, then we recommend that you select that option.

In your password manager, select the option to require the master password to be re-entered when logging in

If you log in to your Altrady account from a shared computer, do not tick “Keep me logged in”.

If there is a sign-on to your account from a new location, Altrady will send a notification email to your account email address, so make sure Altrady's email address is whitelisted in your email manager. If you believe the login was not you (keeping in mind that if you use a VPN, the IP address and location might have changed), then we suggest that you reset your password immediately. This can be done under Settings>Account Security.

FYI: You can also check whether your email address has been compromised by checking here. Enter your email address to find if it has been compromised on any websites where you have used it. If it has, then the password that you used on that compromised website will also have been revealed.
Note that Altrady has very tight security; passwords are encrypted; and no email addresses or passwords have ever been hacked.

2FA


Your next level of protection comes from adding Two Factor Authentication to your account. If you don’t already have 2FA enabled, you will be prompted to add it each time you log in. It can also be added under Settings>Account Security.
When 2FA is set up, you are also provided with a backup code. This code can be used to recreate the 2FA if you lose your phone. This code must be kept in a secure place such as a password manager.

If you lose your phone and don’t have a backup code, you can reach out to our Customer Support to reset the 2FA. However, it will always be necessary to complete an identity verification check to ensure that you are the genuine owner of the account before we can reset 2FA.

Five Word Passkey


The next level of protection is provided by the 5 word password. It is the encryption key for your API keys and is stored locally on your computer.
This password must be entered whenever:
On the browser: to add, edit or delete API keys
When a new device is used for the first time. A device includes: a new computer, browser, phone or tablet. Without the 5 word password, the device cannot be activated for trading.
So even if a hacker or thief has logged into your account, and used your phone to retrieve the 2FA, they will still not be able to trade on your account.

It is important to keep your 5 word password securely stored. If you don’t have a good password manager, then it should ideally not be on your computer.

API Keys


Altrady encrypts your API keys in the client and then stores your encrypted API keys on our server. They can only be decrypted using the five word password (as above). So Altrady's security keeps your keys safe from misuse. Note that Altrady has no control over other places where your API key might be stored, such as on the exchange itself, or if you keep a record elsewhere of your keys and secrets. In these places, the Keys and Secrets might not be encrypted and can be vulnerable to hackers.


After generating API keys to use in Altrady, do not enter or record the Secret (Private Key) anywhere else.
Use a different API key for each purpose, and only grant the permissions that are necessary.
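
The client-side encryption described above, shown as an added example that is not Altrady's own code. The key derivation (scrypt), the cipher (AES-256-GCM), the function names, the label field and all sample values are assumptions made for illustration; the page does not state which algorithms Altrady uses.

```javascript
const crypto = require('node:crypto');

// Cost parameters are illustrative; tune them for the target devices.
const SCRYPT = { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };

// Stretch the five word passphrase into a 256-bit key. The salt is not secret.
function deriveKey(passphrase, salt) {
  return crypto.scryptSync(passphrase.normalize('NFKC'), salt, 32, SCRYPT);
}

// Runs on the client. The returned record is the only thing sent to the server.
function encryptSecret(passphrase, apiSecret, label) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce per encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  cipher.setAAD(Buffer.from(label, 'utf8')); // binds the ciphertext to its label
  const ct = Buffer.concat([cipher.update(apiSecret, 'utf8'), cipher.final()]);
  const b64 = (b) => b.toString('base64');
  return { label, salt: b64(salt), iv: b64(iv), ct: b64(ct), tag: b64(cipher.getAuthTag()) };
}

// Runs on the client. Returns the secret, or null when the passphrase is wrong
// or the stored record was modified (the GCM tag check fails in both cases).
function decryptSecret(passphrase, record) {
  const buf = (s) => Buffer.from(s, 'base64');
  const key = deriveKey(passphrase, buf(record.salt));
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, buf(record.iv));
  decipher.setAAD(Buffer.from(record.label, 'utf8'));
  decipher.setAuthTag(buf(record.tag));
  try {
    return Buffer.concat([decipher.update(buf(record.ct)), decipher.final()]).toString('utf8');
  } catch {
    return null;
  }
}

// Constructed sample values, not real credentials.
const PASSPHRASE = 'maple orbit lantern grocery velvet';
const stored = encryptSecret(PASSPHRASE, 'EXAMPLE-API-SECRET-0000', 'exchange-main');
console.log(Object.keys(stored).join(','));   // what the server would hold
console.log(decryptSecret(PASSPHRASE, stored));
console.log(decryptSecret('maple orbit lantern grocery velvex', stored));
```

The server-side record holds only the salt, nonce, ciphertext and tag, so someone who obtains it without the passphrase is left guessing passphrases against the key derivation cost.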

Bound API keys/IP whitelist

Altrady offers the option to bind IP addresses to your API keys and we recommend this. It will protect you in case your API key/Secret pair is hacked or stolen outside Altrady.
Also, most exchanges will limit the lifespan of an API key with no IP whitelist, and the API key will have to be replaced or updated. For example, Binance API keys last only 1 month if they do not include an IP whitelist. API keys with a whitelist do not expire.

The IP addresses to be whitelisted are copied from Altrady when an API key is created. They can also be added to an existing API key.

When an IP whitelist is added to an API key, access to that API key is restricted to calls from the list of IP addresses. The IP addresses are only accessible from Altrady's servers, and not by any third party. So IP whitelisting provides another level of security to your exchange accounts.

The full guide to adding an Altrady IP whitelist to an existing API key can be seen here.
For new API keys, instructions on adding an IP whitelist are included in the documentation for adding an API key for the specific exchange.

If you have further questions, please contact our Customer Support team, linked at the bottom of this page.

Updated on: 18/04/2024
