
Topic: A Feature in electrum wallet - page 2. (Read 562 times)

hero member
Activity: 826
Merit: 1010
Only BTC
August 01, 2023, 12:13:22 PM
#36
Seed phrase is seed phrase and its security depends on the BIP (Bitcoin Improvement Proposal) used to create it. It does not depend on the password to protect the wallet file created by that seed phrase. A wallet password is used to protect the file and you must differentiate two things: cracking the seed phrase is different from cracking the wallet password.
I don't think you read my post correctly. I wasn't talking about a password but a passphrase, which is another layer of protection that works by extending the seed phrase and adds more protection to your funds, because if an attacker gets your seed phrase, they won't be able to steal your funds without the passphrase.
It is true that if the hacker only can not hack the wallet password and can not have your seed phrase, your bitcoin will not be stolen. If the hacker can get your wallet password or your seed phrase, it's done, your bitcoin will be stolen.
Yet again I wasn't talking about a password, and if you have a very strong passphrase and your seed phrase is stolen, it is very difficult for an attacker to brute force your passphrase, so your funds would not be stolen.
A wallet with a password is not called a dummy wallet, dummy means empty. You can use different passwords (like 3 different passwords) for 3 different wallet files with the same seed phrase but all three wallets are not dummy.
When you extend your seed phrase with a passphrase, a new wallet is created or generated and to open this wallet you must use the combination of your seed phrase + passphrase, but with just your seed phrase only your base wallet will be opened, and you can call it a 'dummy' wallet because it can be used to set up a situation of plausible deniability.
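The seed-plus-passphrase derivation discussed in this post, as an added example that is not part of any post in the thread and is not Electrum's own code. It covers only the PBKDF2 stretching step with the salt prefixes used by Electrum ("electrum") and BIP39 ("mnemonic"); the sample words and passphrases are constructed, normalisation is simplified, and `wallet_id` and `compare_wallets` are hypothetical helpers.

```python
import hashlib
import unicodedata

ROUNDS = 2048  # PBKDF2 iteration count shared by BIP39 and Electrum seeds

def derive_seed(mnemonic: str, passphrase: str = "", salt_prefix: str = "electrum") -> bytes:
    """Stretch mnemonic + optional passphrase into the 64-byte master seed.

    salt_prefix is "electrum" for Electrum-native seeds and "mnemonic" for
    BIP39. Normalisation here is simplified to NFKD plus whitespace
    collapsing (assumption); real wallets apply their own rules and also
    validate the word list, which this sketch does not do.
    The wallet-file password and the mobile PIN never enter this function:
    they only gate the local file or app, not the keys themselves.
    """
    words = " ".join(unicodedata.normalize("NFKD", mnemonic).split())
    salt = salt_prefix + unicodedata.normalize("NFKD", passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode("utf-8"),
                               salt.encode("utf-8"), ROUNDS, dklen=64)

def wallet_id(seed: bytes) -> str:
    """Short label for comparing seeds (hypothetical helper, not a real fingerprint)."""
    return hashlib.sha256(seed).hexdigest()[:16]

def compare_wallets(mnemonic: str, passphrase: str, mistyped: str) -> dict:
    """Show which wallets are reachable from one mnemonic.

    Every passphrase, including a mistyped one, yields a valid seed: there
    is no "wrong passphrase" error, only a different and probably empty wallet.
    """
    return {
        "base wallet (no passphrase)": wallet_id(derive_seed(mnemonic)),
        "extended wallet": wallet_id(derive_seed(mnemonic, passphrase)),
        "mistyped passphrase": wallet_id(derive_seed(mnemonic, mistyped)),
    }

# Constructed sample values for illustration only; never reuse them.
SAMPLE_MNEMONIC = "constructed sample words only not a real wallet seed phrase here"
SAMPLE_PASSPHRASE = "correct horse battery staple"
SAMPLE_TYPO = "correct horse battery stable"

if __name__ == "__main__":
    for label, ident in compare_wallets(SAMPLE_MNEMONIC, SAMPLE_PASSPHRASE,
                                        SAMPLE_TYPO).items():
        print(f"{label:30s} {ident}")
```

Because a mistyped passphrase silently opens a different wallet, the passphrase needs its own backup, kept apart from the seed phrase.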
legendary
Activity: 2170
Merit: 3858
Farewell o_e_l_e_o
August 01, 2023, 11:54:51 AM
#35
This pin will only protect you from an attack on your local wallet file, it won't protect you if an attacker knows your seed phrase or your private keys. If an attacker has your seed phrase, they will steal your funds by importing your wallet on their own device and spend the funds, setting up a pin for payment can't protect you from that.
It is right.

Quote
A passphrase is most appropriate if you want to add more security to your seed phrase
It is inaccurate.

Seed phrase is seed phrase and its security depends on the BIP (Bitcoin Improvement Proposal) used to create it. It does not depend on the password to protect the wallet file created by that seed phrase. A wallet password is used to protect the file and you must differentiate two things: cracking the seed phrase is different from cracking the wallet password.

Quote
this will allow you have a 'dummy' wallet and another wallet that is protected by a passphrase, so even if your seed phrase is exposed to an attacker, they can't steal your funds without the passphrase.
It is true that if the hacker only can not hack the wallet password and can not have your seed phrase, your bitcoin will not be stolen. If the hacker can get your wallet password or your seed phrase, it's done, your bitcoin will be stolen.

but
Quote
this will allow you have a 'dummy' wallet and another wallet that is protected by a passphrase
A wallet with a password is not called a dummy wallet, dummy means empty. You can use different passwords (like 3 different passwords) for 3 different wallet files with the same seed phrase but all three wallets are not dummy.
legendary
Activity: 1512
Merit: 4795
August 01, 2023, 11:14:31 AM
#34
You can still turn on the pin for payment so that whenever you are doing a transaction it will request the pin before you click the pay button. And if the person only knows your password and seed phrase, he can't transfer your coins without the pin.
Also it would be requested for when you want to check your seed phrase and private keys. But you can no more see the private keys of your addresses on mobile Electrum anymore in the recent updates.

A passphrase is most appropriate if you want to add more security to your seed phrase, this will allow you have a 'dummy' wallet and another wallet that is protected by a passphrase, so even if your seed phrase is exposed to an attacker, they can't steal your funds without the passphrase.
On Electrum, you can be able to see the seed phrase together with the passphrase. Malware like screen scraping malware would be enough to steal both seed phrase and passphrase.

On Bluewallet, the passphrase is not with the seed phrase, maybe that will not be possible on Bluewallet.

For offline attack, a strong passphrase is enough.


There is nothing better than avoiding malware.
hero member
Activity: 826
Merit: 1010
Only BTC
August 01, 2023, 11:02:03 AM
#33
You can still turn on the pin for payment so that whenever you are doing a transaction it will request the pin before you click the pay button. And if the person only knows your password and seed phrase, he can't transfer your coins without the pin.
This pin will only protect you from an attack on your local wallet file, it won't protect you if an attacker knows your seed phrase or your private keys. If an attacker has your seed phrase, they will steal your funds by importing your wallet on their own device and spend the funds, setting up a pin for payment can't protect you from that.

A passphrase is most appropriate if you want to add more security to your seed phrase, this will allow you have a 'dummy' wallet and another wallet that is protected by a passphrase, so even if your seed phrase is exposed to an attacker, they can't steal your funds without the passphrase.
legendary
Activity: 2268
Merit: 18509
August 01, 2023, 10:57:12 AM
#32
Did you mean Windows Program?
I did, haha, but the typo is appropriate. Windows is a problem.

Is the 3rd party 2fa thing available in Electrum, which may cost extra transaction fees?
Yes. You can set up a 2FA in Electrum, in which case you require the authorization of a third party called TrustedCoin in order to make a transaction. You will need a 2FA authenticator app on a separate device to your wallet. In addition to paying a higher transaction fee because your transactions are larger since they are now a 2-of-3 multi-sig instead of a regular single sig, you also have to pay a fee to TrustedCoin for co-signing every transaction that you make.

I dislike this solution because I dislike involving third parties in my wallets, and I definitely don't want to pay them a fee for being involved in my wallets. If you want the security of a multi-sig, then you can set up a multi-sig yourself using multiple devices.
legendary
Activity: 2380
Merit: 5213
August 01, 2023, 10:54:33 AM
#31
My wallet is already encrypted and needs a password to make a transaction. I don't remember if I have seen the pin thing. Is the 3rd party 2fa thing available in Electrum, which may cost extra transaction fees?
Agbe is referring to a feature which is available on the mobile version of electrum.
In the mobile version of electrum, you can set a pin code which is a 6 digit number and will be asked from you every time you want to make a transaction. That's different from the 2FA code in the 2FA wallet that is provided by a third party called trustedcoin.
sr. member
Activity: 630
Merit: 374
August 01, 2023, 10:40:01 AM
#30
Use Wine to run Windows problem inside Linux
I guess I heard about this before. Did you mean Windows Program? I have to move all my stuff to a separate SSD in case I mess with setting up the new OS. I am too lazy to do these things, and I fear my laziness might cost me a considerable loss. I will have to see some youtube videos regarding how I can run Windows programs in Linux. I was aware of this, but my brain was turned off for some reason.

You can still turn on the pin for payment so that whenever you are doing a transaction it will request the pin before you click the pay button. And if the person only knows your password and seed phrase, he can't transfer your coins without the pin.

My wallet is already encrypted and needs a password to make a transaction. I don't remember if I have seen the pin thing. Is the 3rd party 2fa thing available in Electrum, which may cost extra transaction fees?

By no means complete, a lot of good suggestions have already been given.
Thanks for the security tip. I will keep that in mind.
hero member
Activity: 854
Merit: 1246
July 31, 2023, 02:10:07 PM
#29
Electrum is a non-custodial wallet which is also decentralized, so it is very hard for an unknown hacker to hack your wallet unless the hacker knows your wallet details. Therefore, the best way for you to secure your Electrum wallet is to keep your password, seed phrase away from sight of people and you don't have to tell people about it. Securing your wallet is your personal issue mostly if you have big amount of funds inside.
You can still turn on the pin for payment so that whenever you are doing a transaction it will request the pin before you click the pay button. And if the person only knows your password and seed phrase, he can't transfer your coins without the pin.

hero member
Activity: 714
Merit: 1010
Crypto Swap Exchange
July 31, 2023, 12:31:40 PM
#28
I have around 0.0x BTC sitting in my wallet at a couple of addresses.

Security advice #1: don't show off the amount of coins you have, regardless of the amount, as there's no need for it. The higher the disclosed amount is, the more reckless it would be. (I have intentionally removed the number in your cited text but it's now public and cited by someone else anyway.)


Latest Electrum version is Electrum-4.4.5 which was released on June 20, 2023. Download it ASAP if you haven't done already.

Security advice #2: o_e_l_e_o already mentioned the importance of verifying the downloaded files of Electrum or any other wallet software. Never skip this! (Refuse to use Google or another search engine to find the download, as fake Electrum copies pay to be on top of search results!)

I don't update my Electrum immediately when a new version is released, unless there's an urgent security issue in the release notes. I wait some days (varies) until a new version "matures" and no issues show up. At first e.g. I didn't like all new changes in the v4.4.x branch, but it's no solution to deny and stay on v4.3.4, so I accepted the new features and life goes on.

By no means complete, a lot of good suggestions have already been given.
legendary
Activity: 2268
Merit: 18509
July 31, 2023, 11:38:15 AM
#27
I am not sure if I will understand the new interface. Moreover, I am afraid of losing my current files and software that are available.
I don't know if I will be able to find this software for Linux.
For people moving from Windows, I usually suggest Linux Mint as a starting point. It is (as far as I am aware) the Linux distro with the most similar look and feel to Windows, so it eases the transition. It is also fairly newbie friendly and has a good amount of guides and troubleshooting online, as well as a good sized community which will help with any problems you might run in to.

In terms of software, then there are four options available to you if your particular piece of software won't run on Linux -
  • Find an alternative piece of software which does run on Linux (bonus here is the alternative will probably be FOSS)
  • Use Wine to run Windows programs inside Linux
  • Dual boot, although doing this means you still end up with Windows on your device and you lose a lot of the benefits of moving to a Linux OS
  • Have one Linux machine, and one Windows machine
sr. member
Activity: 630
Merit: 374
July 31, 2023, 11:16:35 AM
#26
Thanks, everyone for the suggestions!
I will make sure to use a new OS or a fresh OS to create a new wallet.
I understand that using a malware-affected computer and creating another wallet on the same device is useless.
I am using Windows 10 at this moment. I wanted to move to Linux but I never used it.
I am not sure if I will understand the new interface. Moreover, I am afraid of losing my current files and software that are available.
I don't know if I will be able to find this software for Linux.


Once again, Thanks, everyone!
legendary
Activity: 1512
Merit: 4795
July 31, 2023, 05:59:21 AM
#25
If you have second thoughts for some reason, I suggest you take immediate action sending your funds to another wallet that you own. Personally I also performed a factory reset on my phone.
If it is phone, do not leave huge amount of money on mobile wallets.

If you have high amount, go for airgapped option or hardware wallet. If you want to leave it untouched, you can use a paper wallet that is created on HD wallet like Electrum with passphrase recommended. Backup the passphrase and seed phrase differently in different locations.

For the low amount you have on your phone, you can still avoid malware. I am using Android  as example, but likely you will be able to do this on your iOS devices.

After formatting your phone, go to Playstore -> settings -> network preferences and set app download preference to 'ask me every time'.

 

Always make sure that other apps are not allowed to install apps. Assuming you have just downloaded Electrum from https://electrum.org, you give the browser/app the permission to install app from unknown source. After you install Electrum, go to settings and disable back the browser to install from unknown source. Check other apps and browsers too to uncheck the ones that are checked to install from unknown source.

Make use of good browsers like Tor, Duckduckgo mobile (not the desktop version in beta, although not about this discussion) or Firefox. Use ad blocker, but still always avoid ads and link ads.

Visit the correct URL and avoid torrent files.

If you have another mobile device, you can go for Electrum 2FA wallet or multisig wallet. Electrum 2FA wallet has extra fee.
sr. member
Activity: 406
Merit: 896
July 31, 2023, 05:37:21 AM
#24
is there any way I can check if my wallet is already compromised or not?

I have been somehow compromised lately. Here is the topic if you feel like checking it: https://bitcointalksearch.org/topic/i-thought-i-would-never-get-hacked-5461230

There is no way to tell if your wallet is compromised.

If you have second thoughts for some reason, I suggest you take immediate action sending your funds to another wallet that you own. Personally I also performed a factory reset on my phone.
legendary
Activity: 1512
Merit: 4795
July 31, 2023, 05:16:07 AM
#23
( An open source OS, you do not download applications of unknown sources or randomly click on links)
If the device is airgapped, it will not connect to the internet. Bluetooth and WiFi card removed. Open source OS like Linux is recommended.

creating a watchonly wallet would be a better option instead of reopening your wallet from time to time.
The purpose of having a watch-only wallet is not because you do not want to be opening the wallet on an airgapped device often. If you properly set up the airgapped wallet, it is airgapped and safe.

The purpose of a watch-only wallet is for making PSBT (unsigned transaction), broadcasting transactions signed on an airgapped device and to easily know the total amount of your coins. For making a transaction, you need to open the airgapped wallet and it will receive the unsigned transaction and sign it.
sr. member
Activity: 406
Merit: 443
July 31, 2023, 04:57:20 AM
#22
I have around 0.04 BTC sitting in my wallet at a couple of addresses. Since it wasn't wiped, I guess it's not compromised yet.
But I will create another wallet and move my funds for further security.
If 0.04 BTC is a good investment for you and you are skeptical or afraid, then I suggest that you read a little about how Bitcoin works and the basics of creating an airgapped system. It may be appropriate for you to buy a hardware wallet according to your budget, but without creating a new wallet in an environment that did not and will not connect to the Internet, or at least it is safe ( An open source OS, you do not download applications of unknown sources or randomly click on links) you will not get rid of these doubts.

creating a watchonly wallet would be a better option instead of reopening your wallet from time to time.

Today I saw a thread in the scam accusation board where a guy claims $165K ETH was wiped from his wallet. I don't know what wallet he was using. I have read similar cases in this forum. A campaign manager named Julerz was hacked, and he used Electrum then. I am afraid about it.
The story of 165K ETH may not be true, and Julerz's coins were stolen because of malware, as the coins were stolen as soon as the wallet was opened, so the hackers might not have waited until a new BIG transfer happened.
legendary
Activity: 2268
Merit: 18509
July 31, 2023, 03:16:19 AM
#21
Moreover, there is no guarantee that a hacker will use Electrum to log in to this wallet.
Again, when you open your wallet, you are not "logging in" to anything. You are simply accessing the private keys and their derived addresses which are already stored on your computer.

Latest Electrum version is Electrum-4.4.5 which was released on June 20, 2023. Download it ASAP if you haven't done already.
And most importantly, verify your download before you install it. [GUIDE] How to Safely Download and Verify Electrum [Guide]
legendary
Activity: 2380
Merit: 5213
July 30, 2023, 08:41:30 PM
#20
Do you know that every new version comes with some sort of security enhancement or at least removes any vulnerabilities found in the previous version?
There is no vulnerability in the version of electrum which is used by OP and it's not that the new version is more secure than that.
Usually, the new versions are released due to some improvements that have nothing to do with security of the wallet.
legendary
Activity: 2954
Merit: 1159
July 30, 2023, 08:01:10 PM
#19
Currently, I am using Electrum 4.3.4, which is not the latest one. But I am okay with it.

First things first, you are worried about the security of your wallet, but at the same time you are ok to use the previous version of Electrum and do not want to upgrade it. Do you know that every new version comes with some sort of security enhancement or at least removes any vulnerabilities found in the previous version?

Yes, if the computer is malware affected, or you share your seed with anyone, you may lose your funds but do the basics first.

Latest Electrum version is Electrum-4.4.5 which was released on June 20, 2023. Download it ASAP if you haven't done already.
legendary
Activity: 1484
Merit: 1355
July 30, 2023, 02:52:54 PM
#18
But I will create another wallet and move my funds for further security.

Right. So, assuming you do not fully trust your current device (PC, smartphone, etc.) and want to take a step further to secure your wallet, it is best to follow hosseinimr93's suggestion and create your new wallet on an air-gapped device.

Probably the simplest method is to download a copy of Tails portable OS from the official source, prepare a freshly formatted USB drive, and create a bootable version on it. Turn off your computer, disconnect it from the Internet, and start the Tails OS from the USB drive. Electrum wallet comes already pre-installed and you can proceed with creating your new wallet. Write the backup seed phrase on a piece of paper that you will keep in a safe place and copy the xPub key to a USB that you will later use on your live device (PC or mobile) to create a watch-only wallet. This way, you can be pretty sure that your new wallet won't be compromised, as long as the backup seed is safe and protected from access by anyone but you. This type of wallet is good for long-term hodl, assuming you are not ready to invest in buying a hardware wallet.
legendary
Activity: 2380
Merit: 5213
July 30, 2023, 02:06:57 PM
#17
But I will create another wallet and move my funds for further security.
If you are going to create the new wallet in the same device and in the same way, it would be as secure as the wallet you are now using and you wouldn't really increase your security.
After some time, you will probably worry about the security of your wallet again and you will think of creating another wallet.

If you want to be completely secure, you should create your wallet on an air-gapped device or go for a hardware wallet.