Author

Topic: Blockchain.info wallet encryption (Read 762 times)

legendary
Activity: 2506
Merit: 1010
January 03, 2013, 03:02:20 PM
#5
Well, if you assume that the email isn't intercepted in-transit (which is a safe assumption for the vast majority of attackers), then the emailed backup is protected by your Blockchain.info password

I forgot the condition where you have your account configured with a second password for withdrawals, then the backup is protected with that password as well.   If the attacker obtained the wallet password by malware that does keylogging, then the attacker probably has the second password as well though.
legendary
Activity: 1204
Merit: 1015
January 03, 2013, 02:48:18 PM
#4
Now if the idea behind 2FA is that just a password is not enough security, it seems that having backups emailed to me partially defeats the purpose of 2FA in the first place, since the 2FA will do nothing for someone that may intercept a copy of the encrypted wallet file.
Well, if you assume that the email isn't intercepted in-transit (which is a safe assumption for the vast majority of attackers), then the emailed backup is protected by your Blockchain.info password plus whatever security mechanisms you have to use to access the email account. For example, you could also protect the email account that the backups are sent to with 2FA.
legendary
Activity: 2506
Merit: 1010
December 14, 2012, 05:30:28 PM
#3
Now if the idea behind 2FA is that just a password is not enough security, it seems that having backups emailed to me partially defeats the purpose of 2FA in the first place, since the 2FA will do nothing for someone that may intercept a copy of the encrypted wallet file.

Correct.  The 2FA is to protect against a replay attack using your password to access the Blockchain.info website.  It does not protect the backups.

Someone with your blockchain.info/wallet password and access to the encrypted wallet file can decrypt the file and spend your funds.  [Edit: If you have your account configured with a second password for withdrawals, then that password is required as well in order to decrypt and spend the funds.]
hero member
Activity: 826
Merit: 500
December 14, 2012, 01:26:47 PM
#2
i am not sure how 2fa auth on the wallet file can be done offline...
sr. member
Activity: 449
Merit: 250
December 14, 2012, 12:32:53 PM
#1
Though I'm not a newbie, this question is sort of basic, so here it is.

I have some bitcoins at blockchain.info. I have the site email me my wallet backup any time that I generate a new address there. To my understanding, these backups are sent to me AES encrypted and the encryption key is the same as my password for logging into blockchain.info, right?

I also have 2FA set up at blockchain.info with Google Authenticator.

Now if the idea behind 2FA is that just a password is not enough security, it seems that having backups emailed to me partially defeats the purpose of 2FA in the first place, since the 2FA will do nothing for someone that may intercept a copy of the encrypted wallet file.

Am I wrong about any of this?
Jump to: