Topic: Electrum Wallet Bitcoin Security Precautions (Read 797 times)

I don't think so. Just don't download anything or click in suspicious links.

If he isn't trying to scam you, yes.

I don't think that's possible. You are just copying a text to your clipboard.

No. That's a virus that can be obtained when you download and run an infected software. This only happens when you are infected with the virus.

That's not necessary. Just double check the address before sending any coins.

Bob thanks for that information.  Makes sense now.


Another thing i want to ask is this.


If i add someone on skype who wants to exchange my bank funds for their bitcoin funds, lets just say this person is in a forum but is a reputable poster.  Its not this forum but another forum.  I do trades like this in another forum but its almost always with someone i done a few transactions with and trust.


First off, if i add them on skype and just speak to them via chat and do not click on anything such as link or pictures he sends or video chat, am i safe from this poster sending me a virus etc?  Is there anyway he could send me malware just by adding me on skype and me accepting and all i do is chat?


The thing is if im sending bank funds to his account and then supply him the btc address i want him to send it to, well then as long as he is legit, he will send the btc to me without any problems right?


The other thing that i just bought is this.


Let say i have btc and i want bank funds or say skrill from someone.  They first send me the bank or skrill funds.  When they give me their btc address by copying their btc address to me in skype, is there a chance that when i copy and then paste that address in my electrum wallet, there could be a virus?  Such as that btc address is actually a keylogger or trojan or malware?  I had just thought about this right now as people say don't click on suspicious links or open files from ppl you dont trust etc.  However, is it possible for keylogger or virus like this if you were to copy and paste the btc address given to you into electrum?  But if you were to paste it on say chrome search etc... that might be dangerous?  I also read about the copy and paste bitcoin virus etc where when you copy a btc address and then paste it to send to that address, it would change the address to something else.  Can you tell me if this is related to the example i used with skype such as someone giving you the btc address to send to?  Or its completely unrelated?  Because i had not thought about how someone giving you the btc address to send to... could possibly be a virus/malware?  I assume if you are somewhat skeptical, you could just manually type out their btc address to send the btc to them like that?  Of course you have to double check and make sure as you type the whole address manually.  I know im sounding very paranoid with this but since people say dont click on links etc... well this is sort of like that right?

We are both right.
pooya87 mentioned that (correctly implemented) encryption algorithms (which are 'accepted' in the crypto scene) are unbreakable if the password is strong enough.
I was refering to the option to infect your PC to log the password the next time you decrypt/access your encrypted file.

Those are 2 completely different attacking methods.




They could not just open it instantly (unless there is a 0-day exploit, noone is aware of).
But they could to safe the password the next time you login.
Or even easier. They could (the next time you open electrum with your very tough password) simply move all your funds to their addresses.
An attacker doesn't always have to break an encryption. He can easily wait until you use the software (unencrypt your wallet) to steal your funds.




If the PC is not infected, you are safe.




The moment you open electrum an attacker can instantly steal your funds.
But he can also 'just' install a keylogger and log your password, yes.




Yes. If not, you are running a big risk of your confidential data getting stolen.
After an infection you should completely(!) wipe your drive and install a fresh OS.

The best method to protect yourself against hacks/malware is to get a separate isolated environment aka cold storage. You can either buy hardware wallet or get a USB stick, install some decent Linux on it (I prefer Tails) and use it to sign transactions offline, preferably from a separate dedicated machine (and old PC or laptop, for example). This is the best method because all those security practices are not ensuring you for 100% - it takes just one mistake to lose all your coins, or maybe there's some zeroday vulnerability in software/OS you use and you will get compromised even if you follow all security rules. So, if you are holding any significant (for you) amount of coins, invest in a cold storage.

i did NOT say that. i said breaking the encryption of the file with a strong password is impossible.
stealing your password when you type it in is easy. and a malware recording your keystrokes can simply do that.

HCP, thanks for clarifying why an extra number would make it much more complicated.


Bob.  Pooya mentioned both keepass and electrum have strong encryption.  So if you have a strong password for both keepass and electrum, then its still not safe?  Pooya says its basically impossible even if someone puts malware on it but thats assuming your passwords are something like dfsamdfaljk3209309sasaskfjs2.  So can others tell me who is correct here... pooya or bob?


Okay well if someone put malware on your computer, could they open up keepass and electrum or not if you have a very tough password.  The other thing is what if you then open electrum on another computer then but not the one they infected or possibly infected.  Then you are safe there right?  But if you open electrum on your computer which might be compromised, then there will be problems since they could just put a keylogger and the moment you open electrum on the computer, then you have problems right?  So basically if you believe your computer is compromised, just no longer use that computer anymore and try to open keepass and electrum in a safe computer?

If someone has physical access to your computer, its an easy task to install malware on it.
The best encryption is useless if your pc is infected with malware. The next time you open your electrum wallet, the attacker will gain the control over your private keys.

Its not just about password security (anti bruteforce).
There are a lot of things which all play together to keep an IT system safe.

You won't achieve 100% security. Ever. But if you are concerned about the security of your coins either use a Hardware wallet, paper wallet or a dedicated (airgapped) pc as cold storage.
Anything else will be WAY less secured than those 3 options.

I doubt there are any people here who know what "most people" do... well... except for the NSA guys spying on us all


You'd be suprised the sorts of passwords people can remember...


Did you even read anything that the others wrote? Did you read the wikipedia entry? Did you check out the password meter?

The difference between jerrylikestoeatchickeneveryday (30% - weak) and jerry1likestoeat100chickeneveryday (98% - strong) is fairly obvious... adding a random symbol in somewhere makes it even stronger. The reason is simply because of the massive increase in the search space...

At the most basic level... consider a 1 character password... if you just use lowercase letters, the search space is 26. Make it also include uppercase letters and the search space is now 52.... now put in numbers = 62... now add symbols and you get 94... so, you now have 94 possibilities... PER CHARACTER... so even a short password of 8 characters has (94 * 94 * 94 * 94 * 94 * 94 * 94 * 94) possibilities... 6,095,689,385,410,816.

compare that with 26 characters... (26 * 26 * 26 * 26 * 26 * 26 * 26 * 26) = 208,827,064,576 possibilities... which  is some 30,000x smaller...

The larger the search space, the harder it is for someone to bruteforce... also, by putting in symbols and numbers, you make dictionary attacks harder, if not impossible... because there aren't too many dictionary words with a # or a 7 or a [ in them


Some do, some don't, some write it on post it notes, some put it on their fridge, some hide it in poems, some write it on a piece of paper and hide it in a book, some memorise long and complicated mnemonics, some study memory techniques for remembering 30 character passwords, some use stupid simple passwords, some use sentences with numbers in it, some don't use passwords, some use keepass, some use lastpass, some write it in a plain text file, some put it on their phone, some email it to themselves, some tattoo it on their forearm, some use encrypted file containers, some use encrypted disks, some use

Does that answer you question?

Okay but if thats the case, do most people know what their password for keepass and electrum is?  Or is it written down on a piece of paper?  I assume keepass, almost everyone knows what the password is?  However if thats the case, then most likely its something you could easily remember and not like askfsdk@3klasdflaksdfja@fkaslfkdsafkls.


You say dont use real words because its like a dictionary attack in that example i gave that i just made up with jerry likes to eat chicken everyday. 


Well what if you put numbers in it then like


jerry1likestoeat100chickeneveryday



So theres the 1, the 100.


Would that be thus strong?  Such as maybe even adding a question mark in the middle of the word etc.


So for electrum users who encrypt their electrum, do most people know what their password is?  And if not, i assume where do they keep that then? 

read this page to understand more about password strength: https://en.wikipedia.org/wiki/Password_strength

you can also check this tool out: http://www.passwordmeter.com/ it is a good measure of the strength. remember that using your password online in a website like this compromises it so don't use real passwords. just use different things to get the general idea.

and as you can the password i gave above gets a high Score and it is strong. but the one you chose "jerrylikestogotoeatchickeneveryday" gets a lower score although it is somewhat strong since it is long.
additionally one thing that this website doesn't mention is that you used real words.
"jerry likes to go to eat chicken everyday" can be susceptible to a dictionary attack.

Pooya thanks for that information.  So the person above me is incorrect then?  Yes i meant if someone has physical access to your computer, let say they have to go into your keepass and electrum etc.  But if your password is complicated and not something simple like jerry123, then it would be pretty hard then right?  what if the password was something like jerrylikestogotoeatchickeneveryday.  I assume something like that would be hard to brute force?


Also when you say if you are using a strong password like the one you posted with symbols etc... i assume you mean thats what you use for electrum and not keepass right?  Thus i cant imagine anyone could remember that keepass masterpassword?


I also assume for most people, they use a password on keepass where they could remember?  And not one where they have to open up their drawer to look at what it is and then type that?

Using Mac will reduce 90% chance of attack..

when an application like Keepass, Electrum,... have an option for encrypting their content (in this case passwords stored in keepass, and wallet file or private keys depending on your choice in Electrum) the strength of it depends on 2 things.
first the method they choose, Electrum uses a very strong method (AES256) and i believe keepass uses the same thing. so they are both strong.
second is the password you are using. if you use a simple one like "jerry123" then anybody can crack it. but if you are using a strong one like "sd2&hMt$J8Qshp*hdm" then nobody can crack it in a million years so you are fine even if someone had physical access to your computer.

Hi there.  Can others confirm that if a hacker has physical access to your laptop, they could basically open up keepass and/or your electrum wallet or any wallets you have on your comptuer even if you have a password for your wallet?  So they could crack the keepass file?   By this i mean someone has physical access of your laptop and they aren't going to push malware on it and then give it back to you etc.

Can someone tell me what video to watch on youtube for step by step instructions?  I seen a few of them on youtube and they are very confusing and not user friendly for someone not computer savy.

Use Linux, not windows.

rule 1

Just create a new e-mail very simple with an easy password and not very important. Then send the file to your new e-mail, print, and delete the e-mail.

Easy.

Yes.




Yes. I believe even with bitlocker thats possible.




You should.




Preferably both.




Assuming the encryption (used algorithm and implementation) is flawless, yes they are safe.




A keylogger logs keystrokes. If they infect your laptop with a keylogger just before stealing it, they would only be able to log the keys they typed themselves..




Bitlocker encrypts drives.
While you are using your drives (e.g. system drive while using windows) the drive is not encrypted.
You can get infected with malware in that time.




Protecting from login shouldn't be your concern.
Especially not when using windows.
If you want to store high amounts safely, you should definetely spend a few bucks for a hardware wallet.

You can store your private keys within an encrypted container, if thats what you are looking for.
But i wouldn't recommend bitlocker (closed source; made by microsoft   )
I'd rather recommend VeraCrypt (https://www.veracrypt.fr/en/Home.html).




Just create a hidden container with VeraCrypt and store your 'sensitive information' there.
But keep in mind that, the moment you open the container, any malware you have on your pc will have access to this container.
Its better than storing sensitive files on the desktop, but not ideal.

VeraCrypt tutorial: https://www.bestvpn.com/veracrypt-how-to-basics/

Does anyone have advice on that?


Also one other thing.  I will most likely do a trade with someone with my bank funds online for their btc.  But in order to do this, i would have to add them on skype etc since we speak in real time etc.  Thus i would send them my bank funds, they send me btc etc.  What i want to know is there any risk accepting someones friend request on skype?  Assuming you only chat with them and do nothing else, then you are pretty safe?  Thus as long as you dont click on a picture/link they send to you or video, you are fine?  However i heard a while back if someone has you on skype, they could detect your ip address?  But is that any risk if you use electrum?

Hey all.  If a thief gets access to your laptop, would that be the same thing as you getting malware on your computer?  Because all they have to do is download certain virus/malware and then they could find everything on your computer?  Or is that not possible?


The other thing is this.  If a computer hacker/thief has access to your laptop, could they install something where they could hack into say your keepass or axcrypt or any similar programs you have assuming you didn't use a program like bitlocker?


And to those of you with laptops and keep your bitcoin wallet there, do almost all of you keep a password on it?  And if so, is it the windows password or is it bitlocker?  I read that if you use bitlocker, you set up a password on your computer before login where if someone does not put in right password, its impossible to log into the laptop.  Can someone here confirm if this is true or not?  So for theft issues, is a thief having your computer where you didn't set up a password but you have documents that are encrypted and cryptowallets that are encrypted with a password, are those safe or not?  Because people mention about keyloggers etc.  The thing is if a thief has access to your laptop and puts a keylogger on it, well if they don't put the laptop  back or give it back to you, then wouldn't a keylogger not work?  Or that would still work?  Someone on another forum mentioned bitlocker wouldn't prevent your laptop from getting malware/keylogger/hack etc but it does protect you from a theif who wants access to your laptop.


So is bitlocker the recommended program to protect your laptop from login?  Does everyone here do this whether they have wallet on computer or not?  So the windows password is basically useless then right since i read that easily can be cracked?


And is bitlocker easy to download/install to basically do what i want it to do as in password protect my laptop?  And how long does process take?

i keep small amounts there (as the hot wallet) and keep the larger amounts in my cold storage (Electrum wallet installed on an offline Linux installed on a USB disk).

i am on windows and with an AntiVirus but you can move to linux and be a bit safer.

it can be a lot of different things for example:
- that popular clipboard hijacker which changes the bitcoin addresses you copy
- downloading the malicious version of Electrum from other websites than the original and not verifying the signature.

you can disable things like Flash, JavaScript,... in your browser through their settings or use ad blocks to block them to increase your security.

i do download torrents, never had any issues.

true.

- install an AntiVirus to scam the USB disks before you connect them or just move to Linux
- encrypt the document when you want to print it elsewhere
- burn that doc on a CD or DVD and take it to the print shop
- buy a printer, there are cheaper ones appropriate for home usages.

it depends on the website. most of them are fine. and also i hear that browsers such as Chrome run flash files in some sort of virtual thing that doesn't allow them much harm.

either buy a hardware wallet or you can do what i did, learn more about Linux, install it on a USB disk, boot up from that and have it as your bitcoin cold storage. you can encrypt it and everything to make it 100% secure.
you can also make another one for your bank transactions or doing whatever sensitive thing you might want to do. but this one will not be offline like the other. you boot up and connect to internet to do your stuff and then shut it down and boot in your main system to continue your daily work.