
Topic: Bitaddress.org (Read 1752 times)

legendary
Activity: 1722
Merit: 1000
May 28, 2015, 10:12:42 AM
#33
-snip-
I don't understand how to do the signing of transactions from an offline wallet. I just assume that once I've imported the paper wallet, I consider that wallet hacked and no longer safe. I know it requires me to make a bunch of different wallets on an offline computer but.. I like being as safe as I can be. I was running the BTC core on an offline computer and doing it that way for a bit but I really like the bitaddress paper wallet layout and use, hence my curiosity for how safe it is.

Assuming you have two PCs, download coinb.in and save it on the offline computer. Using the online computer, go to https://coinb.in/#newTransaction and enter your Bitcoin address (never enter your private key there). After completing the process, you will get an unsigned raw transaction. You can copy-paste that into the offline computer or transfer it using QR code + webcam. Then sign it with coinb.in and then transfer the signed transaction to the online computer and broadcast it using Blockchain.info/pushtx.

Hummms!! Sweet, thanks, I will try this.
hero member
Activity: 560
Merit: 509
I prefer Zakir over Muhammed when mentioning me!
May 28, 2015, 09:29:03 AM
#32
-snip-
I don't understand how to do the signing of transactions from an offline wallet. I just assume that once I've imported the paper wallet, I consider that wallet hacked and no longer safe. I know it requires me to make a bunch of different wallets on an offline computer but.. I like being as safe as I can be. I was running the BTC core on an offline computer and doing it that way for a bit but I really like the bitaddress paper wallet layout and use, hence my curiosity for how safe it is.

Assuming you have two PCs, download coinb.in and save it on the offline computer. Using the online computer, go to https://coinb.in/#newTransaction and enter your Bitcoin address (never enter your private key there). After completing the process, you will get an unsigned raw transaction. You can copy-paste that into the offline computer or transfer it using QR code + webcam. Then sign it with coinb.in and then transfer the signed transaction to the online computer and broadcast it using Blockchain.info/pushtx.
legendary
Activity: 1722
Merit: 1000
May 28, 2015, 09:15:32 AM
#31
Copied the site to a CD, ran it on a hard drive that has never / will never touch the internet.
Created a few wallets, encrypted with BIP38.
Passwords have been written down.

How do you decrypt the private key when you need to import it? Use the offline copy of the site?

This looks to be a safe method of generating a paper wallet. I am using electrum and the seed is 12 English words. I think it is more user friendly that way.

I decrypt it on the offline computer first to ensure the passphrase IS correct..

Then, I do import on an online wallet but instantly send the BTC I want to keep safe to a different wallet I have created in this fashion. Usually I use the android phone bitcoin app to bring my BTC onto an online wallet.

If I was going to import a large value of BTC I would probably import it via the bitcoin core on a hard drive that has just had a fresh install of Windows. I know Windows isn't the best but.. I figure there is a very small time frame for my stuff to get taken.

I don't understand how to do the signing of transactions from an offline wallet. I just assume that once I've imported the paper wallet, I consider that wallet hacked and no longer safe. I know it requires me to make a bunch of different wallets on an offline computer but.. I like being as safe as I can be. I was running the BTC core on an offline computer and doing it that way for a bit but I really like the bitaddress paper wallet layout and use, hence my curiosity for how safe it is.
hero member
Activity: 504
Merit: 500
May 28, 2015, 09:08:50 AM
#30
What are the chances of the public & private key generated not matching up?
Any way of checking (safely) before you send coins to the address?

Both Bitaddress and Bitcoinpaperwallet have pages to decrypt the private key into the public key to see if they go back and forth. It's always important to do that. Bitcoinpaperwallet with bitcoin has never had problems, but I did have one dogecoin address that didn't match up (private to public).
hero member
Activity: 560
Merit: 509
I prefer Zakir over Muhammed when mentioning me!
May 28, 2015, 09:02:42 AM
#29
Just don't run it online and don't upgrade. Last version is verified and I didn't find any problem.
legendary
Activity: 1988
Merit: 1012
Beyond Imagination
May 28, 2015, 07:13:33 AM
#28
I think mouse cursor + checking the sha value of the page should be enough

When minimal code inspection is wanted, you can cast dice and use this page

http://www.swansontec.com/bitcoin-dice.html

"The beautiful thing about this script is that it is only 150 lines of relatively straightforward code, so it is easy to audit. Trusting this code is easier than trusting a long, complicated web page filled with Javascript, which would be the alternative to using this script."
legendary
Activity: 3556
Merit: 9709
#1 VIP Crypto Casino
May 28, 2015, 06:45:07 AM
#27
What are the chances of the public & private key generated not matching up?
Any way of checking (safely) before you send coins to the address?
donator
Activity: 674
Merit: 522
May 28, 2015, 04:22:53 AM
#26
Why just Bitaddress.org, what about bitcoinpaperwallet.com?

AFAIK bitcoinpaperwallet.com is a fork of bitaddress.org with some extra features, for example... on bitcoinpaperwallet.com you can create a BIP38 private key from a previously existing non-BIP38 private key (starting with 5).

Regarding OP: bitaddress.org is a well-known site and has been reviewed by many well-known developers. There are no known errors / malfunctions after version v2.2.

Also check this little BIP38 private key test of mine:
https://bitcointalksearch.org/topic/im-bip38-curious-please-help-me-out-1014202

I gave BIP38 private keys away and specifically explain what passwords look like. If those would be encrypted 7z or zip or rar files... all of them would be cracked in a matter of seconds.  In our case... wallet no.3 bounty is still available... and password is only 6 characters long! I wonder how long will it take...  : )

And another important note: If you create your paper wallet properly (virgin clean OS booted from CD, air-gapped comp, checking file signature, no internet connection, private place while doing this, using dice and mouse movements for random seed, etc...), two things have to happen in order to "hack" your paper wallet:

1. attacker has to FIRST physically find your paper wallet
2. at the moment 1. is true, attacker is able to start cracking your BIP38 password

And cracking BIP38 passwords is very slow... if you have super cool cracking rig, maybe 100-1000 tries per second  (compared to many millions for encrypted 7z, zip, rar, etc files)

I find this paper wallet guide pretty decent...
http://bitzuma.com/posts/bitcoin-paper-wallets-from-scratch/

Hope this helps...
hero member
Activity: 504
Merit: 500
May 27, 2015, 10:43:16 PM
#25
Would you trust that encryption to protect your coins? Basically if you had 1000 BTC on the paper wallet and a +20 char passphrase should one be confident that cracking your actual private key is not possible?

Why just Bitaddress.org, what about bitcoinpaperwallet.com?
hero member
Activity: 742
Merit: 502
Circa 2010
May 27, 2015, 10:42:50 PM
#24
So their weakness is they might get hacked? So can any other website. The code is available as a zip on github so you can run it offline.
Also you should review the code yourself when you have time. I have and it's well put together IMO.

I'm not saying it's a unique weakness - just pointing out that such a weakness does exist and so it is important to at least check signatures and match hashes if you can't/aren't bothered to check the source yourself. I have a basic proficiency in programming so I'd doubt I personally would be able to go over the whole code without at least a couple of days of research into JS. Some people just can't at all - and that's understandable - it's simply important to provide easy access to safeguards and precautionary measures.
legendary
Activity: 1442
Merit: 1186
May 27, 2015, 10:32:35 PM
#23
Bitaddress.org is really secure imo.
As long as you disconnect from the internet when you create your randomness & then generate the wallet it should be fine.
Use a cheap, shitty printer that doesn't have internet capabilities.
I'd split up your stash into smaller amounts on different paper wallets too.
Use BIP38 encryption too.
Write your passwords on the paper wallet too, laminate it & hide it somewhere safe.
Maybe print 2 copies.

Agreed, running it offline seems secure. I stored a decent amount on a paper wallet from bitaddress.org for a year before moving the coins to another address. The only possible issue was RNG, and that was solved when they added the cursor movement for entropy, even a tiny 600x400 screen would have plenty of entropy to be random enough to avoid any collisions.

Well aside from RNG weaknesses - the other main issue is the potential for someone to hack the site and upload a version that has predetermined private keys. That way when it's used the private keys produced will be the same and thus the hacker can steal without ever having to have a direct internet connection or break through encryption. Albeit it would be rare, and the best way around it would be validating the source code for yourself and checking GPG signatures.

So their weakness is they might get hacked? So can any other website. The code is available as a zip on github so you can run it offline.
Also you should review the code yourself when you have time. I have and it's well put together IMO.
hero member
Activity: 490
Merit: 500
37iGtdUJc2xXTDkw5TQZJQX1Wb98gSLYVP
May 27, 2015, 10:27:32 PM
#22
If you would like, try using MultiBit. I think an offline wallet is more secure than an online one.
hero member
Activity: 742
Merit: 502
Circa 2010
May 27, 2015, 10:11:36 PM
#21
Bitaddress.org is really secure imo.
As long as you disconnect from the internet when you create your randomness & then generate the wallet it should be fine.
Use a cheap, shitty printer that doesn't have internet capabilities.
I'd split up your stash into smaller amounts on different paper wallets too.
Use BIP38 encryption too.
Write your passwords on the paper wallet too, laminate it & hide it somewhere safe.
Maybe print 2 copies.

Agreed, running it offline seems secure. I stored a decent amount on a paper wallet from bitaddress.org for a year before moving the coins to another address. The only possible issue was RNG, and that was solved when they added the cursor movement for entropy, even a tiny 600x400 screen would have plenty of entropy to be random enough to avoid any collisions.

Well aside from RNG weaknesses - the other main issue is the potential for someone to hack the site and upload a version that has predetermined private keys. That way when it's used the private keys produced will be the same and thus the hacker can steal without ever having to have a direct internet connection or break through encryption. Albeit it would be rare, and the best way around it would be validating the source code for yourself and checking GPG signatures.
legendary
Activity: 1442
Merit: 1186
May 27, 2015, 09:41:51 PM
#20
Using Bitaddress.org to generate a paper wallet, does have some risks and issues. For example, one of the minor issues is the private keys that begin with 5 are uncompressed private keys. These are an older type of private key. Meaning with these the transactions they make are bigger, as a result you'll likely need to pay slightly higher transaction fees. Although, it's not a huge inconvenience.

Gmaxwell and a few other members have urged users not to use ANY browser based private key generator as you expose yourself to many different kind of attacks. I would have to agree.



You don't have to use the uncompressed keys, click on over to the wallet details tab and paste in the private key. Voilà, you now have different options, compressed, uncompressed, Private Key Hexadecimal Format, Private Key Base64, heck you can even make an address using dice by inserting your own Base6 key 99 digits (0-5). Create one with dice and do it offline and you'll have a very secure key. 6^99 different possible outcomes.
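
The dice option and the compressed/uncompressed choice from the post above, worked through as an added example (not part of the thread and not bitaddress.org's code). It takes the 99 base-6 digits the post describes, checks the result against the secp256k1 group order, and encodes the same key in both WIF forms; the function names are hypothetical, and mapping a physical die face of 6 to the digit 0 is an assumption left to the reader.

```python
import hashlib
import math

# secp256k1 group order: a usable private key k satisfies 1 <= k < N.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def base6_to_key(digits: str) -> int:
    """Turn 99 base-6 digits (0-5) into a private key integer, with range checks."""
    if len(digits) != 99 or any(c not in "012345" for c in digits):
        raise ValueError("expected exactly 99 digits, each 0-5")
    k = int(digits, 6)
    if not 1 <= k < N:  # 6**99 < N, so only the all-zero string lands here
        raise ValueError("key out of range, roll again")
    return k

def base58check(payload: bytes) -> str:
    """Base58Check: payload plus the first 4 bytes of its double SHA-256."""
    data = payload + hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    zeros = len(data) - len(data.lstrip(b"\x00"))  # leading zero bytes become '1'
    return "1" * zeros + out

def to_wif(k: int, compressed: bool) -> str:
    """WIF: 0x80 || 32-byte key || optional 0x01 flag meaning 'compressed pubkey'."""
    flag = b"\x01" if compressed else b""
    return base58check(b"\x80" + k.to_bytes(32, "big") + flag)

if __name__ == "__main__":
    # Constructed sample digits for illustration only; never fund a key
    # derived from a published string.
    sample = "123450" * 16 + "123"
    k = base6_to_key(sample)
    print("bits of entropy in 99 rolls:", round(99 * math.log2(6), 1))
    print("uncompressed WIF (starts with 5):", to_wif(k, False))
    print("compressed WIF (starts with K/L):", to_wif(k, True))
```

Both WIF strings encode the same secret; the trailing 0x01 byte only tells wallet software which public key form, and therefore which address, to derive.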
legendary
Activity: 1442
Merit: 1186
May 27, 2015, 09:32:58 PM
#19
Bitaddress.org is really secure imo.
As long as you disconnect from the internet when you create your randomness & then generate the wallet it should be fine.
Use a cheap, shitty printer that doesn't have internet capabilities.
I'd split up your stash into smaller amounts on different paper wallets too.
Use BIP38 encryption too.
Write your passwords on the paper wallet too, laminate it & hide it somewhere safe.
Maybe print 2 copies.

Agreed, running it offline seems secure. I stored a decent amount on a paper wallet from bitaddress.org for a year before moving the coins to another address. The only possible issue was RNG, and that was solved when they added the cursor movement for entropy, even a tiny 600x400 screen would have plenty of entropy to be random enough to avoid any collisions.
sr. member
Activity: 308
Merit: 250
May 27, 2015, 07:16:52 PM
#18
To be honest I don't like the look of the site.  There is no explanation section for newbies and the whole thing looks sort of tossed together.  I like the idea a lot.  However for now I am skeptical of ANY online storage method or generation thereof.  I prefer to use paper wallets and maybe I will eventually break down and buy a Trezor.  I might wait for the next generation of hardware wallets though.  I really want something that can store altcoins and bitcoins. 
legendary
Activity: 1120
Merit: 1000
May 27, 2015, 07:05:16 PM
#17
I have already created a bunch of paper wallets with his tool. It's nice, I will keep using it.
hero member
Activity: 714
Merit: 503
May 27, 2015, 06:28:11 PM
#16
Yes, I always make the paperwallets in that site, I love the designs
legendary
Activity: 4438
Merit: 3387
May 27, 2015, 05:45:29 PM
#15
Would you trust that encryption to protect your coins? Basically if you had 1000 BTC on the paper wallet and a +20 char passphrase should one be confident that cracking your actual private key is not possible?


BIP-38 is very secure as long as your passphrase is strong. A passphrase with 20 random characters is fairly strong and not likely to be cracked, but a passphrase with 4 5-letter words is not.
legendary
Activity: 1176
Merit: 1011
May 27, 2015, 05:20:18 PM
#14
I would use a local copy, in an offline environment, and instead of trusting a random generator, I would create brainwallets. But not brainwallets from actual passphrases that I remember, but brainwallets from gibberish passphrases of 100+ random keystrokes and noise and even parts of intermediary addresses that are generated half way, and crap.

I'd consider the private keys generated this way (i.e. as sha256 hashes of very long, random gibberish input) to be safe.