Topic: Bitaddress.org (Read 1762 times)

HUmmms!! Sweet thanks, I will trythis.

Assuming you have two PC, download coinb.in and save it in offline computer. Using online computer, go to https://coinb.in/#newTransaction and enter your Bitcoin address(never enter your private key there). After completing the process, you will get an unsigned raw transaction. You can copy-paste that into offline computer or transfer using Qr code+webcam. Then sign it with coinb.in and then transfer signed transaction to online computer and broadcast it using Blockchain.info/pushtx.

I decrypt it on the offline computer first to ensure the passphrase IS correct..

Then, I do import on an online wallet but instantly send the BTC I want to keep safe to a different wallet I have created in this fasion.  Usually I use the android phone bitcoin app to bring my BTC onto an online wallet. 

If I was going to import a large value of BTC I would probably import it via the bitcoin core on a harddrive that has just had a fresh install of windows. I know windows isn't the best but.. I figure there is a very small time frame for my stuff to get taken.

I don't understand how to do the siging of transactions from an offline wallet. I just assume one I've importated the paper wallet it is I consider that wallet hacked and no longer safe.  I know it requires me to make a bunch of different wallets on an offline computer but.. I like being as safe as I can be.  I was running the BTC core on an offline computer and doing it that way for a bit but I really like the bitaddress paper wallet layout and use, hence my curiousity for how safe it is.

Both Bitaddress and Bitcoinpaperwallet have pages to decrypt the private key into the public key to see if they go back and forth. It's always important to do that. Bitcoinpaperwallet with bitcoin has never had problems, but I did have one dogecoin address that didn't match up (private to public).

Just don't run it online and don't upgrade. Last version is verified and I didn't find any problem.

I think mouse cursor + checking the sha value of the page should be enough

When minimal code inspection is wanted, you can cast dice and use this page

http://www.swansontec.com/bitcoin-dice.html

"The beautiful thing about this script is that it is only 150 lines of relatively straightforward code, so it is easy to audit. Trusting this code is easier than trusting a long, complicated web page filled with Javascript, which would be the alternative to using this script."

What are the chances of the public & private key generated not matching up?
Any way of checking (safely) before you send coins to the address?

AFAIK bitcoinpaperwallet.com is fork of bitaddress.org with some extra features, for example... on bitcoinpaperwallet.com you can create BIP38 private key from previously existing non BIP38 private key (starting with 5).

Regarding OP: bitaddress.org is well known site and has been reviewed by many well known developers. There are no known errors / malfunctions after version v2.2.

Also check this little BIP38 private key test of mine:
https://bitcointalksearch.org/topic/im-bip38-curious-please-help-me-out-1014202

I gave BIP38 private keys away and specifically explain what passwords look like. If those would be encrypted 7z or zip or rar files... all of them would be cracked in a matter of seconds.  In our case... wallet no.3 bounty is still available... and password is only 6 characters long! I wonder how long will it take...  : )

And another important note: If you create your paper wallet properly (virgin clean OS booted from CD, air-gapped comp, checking file signature, no internet connection, private place while doing this, using dice and mouse movements for random seed, etc...), two things have to happen in order to "hack" your paper wallet:

1. attacker has to FIRST physically find your paper wallet
2. at the moment 1. is true, attacker is able to start cracking your BIP38 password

And cracking BIP38 passwords is very slow... if you have super cool cracking rig, maybe 100-1000 tries per second  (compared to many millions for encrypted 7z, zip, rar, etc files)

I find this paper wallet guide pretty decent...
http://bitzuma.com/posts/bitcoin-paper-wallets-from-scratch/

Hope this helps...

Why just Bitaddress.org, what about bitcoinpaperwallet.com?

I'm not saying it's a unique weakness - just pointing out that such a weakness does exist and so it is important to at least check signatures and match hashes if you can't/aren't bothered to check the source yourself. I have a basic proficiency in programming so I'd doubt I personally would be able to go over the whole code without at least a couple of days of research into JS. Some people just can't at all - and that's understandable - it's simply important to provide easy access to safeguards and precautionary measures.

So their weakness is they might get hacked? So can any other website. The code is available as a zip on github so you can run it offline.
Also you should review the code yourself when you have time. I have and it's well put together IMO.

if you would like, try using multibit, i think an offline wallet is more secure than an online one

Well aside from RNG weaknesses - the other main issue is the potential for someone to hack the site and upload a version that has predetermined private keys. That way when it's used the private keys produced will be the same and thus the hacker can steal without ever having to have a direct internet connection or break through encryption. Albeit it would be rare, and the best way around it would be validating the source code for yourself and checking GPG signatures.

You don't have to use the uncompressed keys, click on over to the wallet details tab and paste in the private key. Viola, you now have different options, compressed, uncompressed, Private Key Hexadecimal Format, Private Key Base64, heck you can even make an address using dice by inserting your own Base6 key 99 digits(0-5). Create one with dice and do it offline and you'll have a very secure key. 6^99 different possible outcomes.

Agreed, running it offline seems secure. I stored a decent amount on a paper wallet from bitaddress.org for a year before moving the coins to another address. The only possible issue was RNG, and that was solved when they added the cursor movement for entropy, even a tiny 600x400 screen would have plenty of entropy to be random enough to avoid any collisions.

To be honest I don't like the look of the site.  There is no explanation section for newbies and the whole thing looks sort of tossed together.  I like the idea a lot.  However for now I am skeptical of ANY online storage method or generation thereof.  I prefer to use paper wallets and maybe I will eventually break down and buy a Trezor.  I might wait for the next generation of hardware wallets though.  I really want something that can store altcoins and bitcoins. 

I have already created bunch of paper wallets with his tool, It's nicem I will keep using it

Yes, I always make the paperwallets in that site, I love the designs

BIP-38 is very secure as long as your passphrase is strong. A passphrase with 20 random characters is fairly strong and not likely to be cracked, but a passphrase with 4 5-letter words is not.

I would use a local copy, in an offline environment, and instead of trusting a random generator, I would create brainwallets. But not brainwallets from actual passphrases that I remember, but brainwallets from gibberish passphrases of 100+ random keystrokes and noise and even parts of intermediary addresses that are generated half way, and crap.

I'd consider the private keys generated this way (i.e. as sha256 hashes of very long, random gibberish input) to be safe.

How do you decrypt the private key when you need to import it? Use the offline copy of the site?

This looks to be a safe method of generating a paper wallet. I am using electrum and the seed is 12 English words. I think it is more user friendly that way.

I wouldn't trust it .. use bitcoin core or electrum

Using Bitaddress.org to generate a paper wallet, does have some risks and issues. For example, one of the minor issues is the private keys that begin with 5 are uncompressed private keys. These are an older type of private key. Meaning with these the transactions they make are bigger, as a result you'll likely need to pay slightly higher transaction fees. Although, it's not a huge inconvenience.

Gmaxwell and a few other members have urged users not to use ANY browser based private key generator as you expose yourself to many different kind of attacks. I would have to agree.

Sounds like a plan, I haven't moved it to an e-mail yet.  I'll move it to one not tied to this one in any way.

It's encrypted so you should be absolutely fine.
One thing though & it's probably a tiny chance of getting compromised but don't use the same email as you used to sign upto this forum.
It's encrypted so I'm 99.999999999% sure it'd be fine but just for peace of mind don't use the email you use here to store the PDF, too many elite scammers/hackers here.

I did something like this.

Copied the site to a CD, ran it on a harddrive that has never / will never touch the internet.
Created a few wallets, encrypted with BIP38.
Passwords have been written down.

I printed the wallets to a PDF file and burnt it to CDs .. lots of them.. Then copied the wallet from the CD to my actual computer, copied the PDF to many USB's.. I also put the PDF on my work network LOL.


Wondering if there is an issue putting the PDF onto my e-mail.  It is encrypted soooo.. am I good to do that.

Bitaddress.org is really secure imo.
As long as you disconnect from the internet when you create your randomness & then generate the wallet is should be fine.
Use a cheap, shitty printer that doesn't have internet capabilities.
I'd split up your stash into smaller amounts on different paper wallets too.
Use BIP38 encryption too.
Write your passwords on the paper wallet too, laminate it & hide it somewhere safe.
Maybe print 2 copies.

I would prefer bitcoin core-->safe paper wallet instead. Why risk it if we are talking about 1000BTC here? For smaller amounts and day to day wallet I would recommend trezor.  

1000 BTC !!! That is an enormous amount you have made. Bitaddress code downloaded from Github and used to create private key offline is good. But, I'd prefer multisig to keep this type of enormous amount, if I can ever make. This is because you never know how random is your random seed.

To be honest. No. They announce this as open source project and it looks cool, when you can mouse over to add some randomness to your newly generated address but I wouldn't use it.
I've seen many good ideas turned into scam or being used in a wrong way. I don't need another wallet.

Only if you can review the code yourself or someone else you trust.
But this is also true for bitcoin core.
There is no absolute trust.


I would not passphrase the paper wallet. It makes it more vulnerable for errors. Saw someone talking about passwords not working anymore for some wallets (think it was safari browser related)

I'm slow to change. If it stands the test of time and gets adopted by a large user bae then I might consider using it. Until then I'll wait to find out how well it works for other people.

Would you trust that encryption to protect your coins?  Basically if you had 1000 BTC on the paper wallet and a +20 char passphrase should one be confident that crackin your actual private key is not possible?