
Topic: Electrum Wallet Bitcoin Security Precautions (Read 838 times)

legendary
Activity: 2758
Merit: 6830
Is there anyway he could send me malware just by adding me on skype and me accepting and all i do is chat?
I don't think so. Just don't download anything or click in suspicious links.

The thing is if im sending bank funds to his account and then supply him the btc address i want him to send it to, well then as long as he is legit, he will send the btc to me without any problems right?
If he isn't trying to scam you, yes.

When they give me their btc address by copying their btc address to me in skype, is there a chance that when i copy and then paste that address in my electrum wallet, there could be a virus?  Such as that btc address is actually a keylogger or trojan or malware? I had just thought about this right now as people say don't click on suspicious links or open files from ppl you dont trust etc.  However, is it possible for keylogger or virus like this if you were to copy and paste the btc address given to you into electrum?
I don't think that's possible. You are just copying a text to your clipboard.

I also read about the copy and paste bitcoin virus etc where when you copy a btc address and then paste it to send to that address, it would change the address to something else.  Can you tell me if this is related to the example i used with skype such as someone giving you the btc address to send to?
No. That's a virus that can be obtained when you download and run an infected software. This only happens when you are infected with the virus.

I assume if you are somewhat skeptical, you could just manually type out their btc address to send the btc to them like that?
That's not necessary. Just double check the address before sending any coins.
full member
Activity: 1750
Merit: 186
Bob thanks for that information.  Makes sense now.


Another thing i want to ask is this.


If i add someone on skype who wants to exchange my bank funds for their bitcoin funds, lets just say this person is in a forum but is a reputable poster.  Its not this forum but another forum.  I do trades like this in another forum but its almost always with someone i done a few transactions with and trust.


First off, if i add them on skype and just speak to them via chat and do not click on anything such as link or pictures he sends or video chat, am i safe from this poster sending me a virus etc?  Is there anyway he could send me malware just by adding me on skype and me accepting and all i do is chat?


The thing is if im sending bank funds to his account and then supply him the btc address i want him to send it to, well then as long as he is legit, he will send the btc to me without any problems right?


The other thing that i just bought is this.


Let say i have btc and i want bank funds or say skrill from someone.  They first send me the bank or skrill funds.  When they give me their btc address by copying their btc address to me in skype, is there a chance that when i copy and then paste that address in my electrum wallet, there could be a virus?  Such as that btc address is actually a keylogger or trojan or malware?  I had just thought about this right now as people say don't click on suspicious links or open files from ppl you dont trust etc.  However, is it possible for keylogger or virus like this if you were to copy and paste the btc address given to you into electrum?  But if you were to paste it on say chrome search etc... that might be dangerous?  I also read about the copy and paste bitcoin virus etc where when you copy a btc address and then paste it to send to that address, it would change the address to something else.  Can you tell me if this is related to the example i used with skype such as someone giving you the btc address to send to?  Or its completely unrelated?  Because i had not thought about how someone giving you the btc address to send to... could possibly be a virus/malware?  I assume if you are somewhat skeptical, you could just manually type out their btc address to send the btc to them like that?  Of course you have to double check and make sure as you type the whole address manually.  I know im sounding very paranoid with this but since people say dont click on links etc... well this is sort of like that right?
legendary
Activity: 1624
Merit: 2481
So can others tell me who is correct here... pooya or bob?

We are both right.
pooya87 mentioned that (correctly implemented) encryption algorithms (which are 'accepted' in the crypto scene) are unbreakable if the password is strong enough.
I was referring to the option to infect your PC to log the password the next time you decrypt/access your encrypted file.

Those are 2 completely different attacking methods.



Okay well if someone put malware on your computer, could they open up keepass and electrum or not if you have a very tough password. 

They could not just open it instantly (unless there is a 0-day exploit no one is aware of).
But they could save the password the next time you login.
Or even easier. They could (the next time you open electrum with your very tough password) simply move all your funds to their addresses.
An attacker doesn't always have to break an encryption. He can easily wait until you use the software (unencrypt your wallet) to steal your funds.



The other thing is what if you then open electrum on another computer then but not the one they infected or possibly infected.  Then you are safe there right? 

If the PC is not infected, you are safe.



But if you open electrum on your computer which might be compromised, then there will be problems since they could just put a keylogger and the moment you open electrum on the computer, then you have problems right?

The moment you open electrum an attacker can instantly steal your funds.
But he can also 'just' install a keylogger and log your password, yes.



So basically if you believe your computer is compromised, just no longer use that computer anymore and try to open keepass and electrum in a safe computer?

Yes. If not, you are running a big risk of your confidential data getting stolen.
After an infection you should completely(!) wipe your drive and install a fresh OS.
legendary
Activity: 3024
Merit: 2148
To those of you who use electrum and keep bitcoin there and also use the computer as your daily computer, what precautions should you be taking?  I guess this could be said for those with other similar wallets as well.



The best method to protect yourself against hacks/malware is to get a separate isolated environment aka cold storage. You can either buy a hardware wallet or get a USB stick, install some decent Linux on it (I prefer Tails) and use it to sign transactions offline, preferably from a separate dedicated machine (an old PC or laptop, for example). This is the best method because all those security practices are not ensuring you for 100% - it takes just one mistake to lose all your coins, or maybe there's some zeroday vulnerability in software/OS you use and you will get compromised even if you follow all security rules. So, if you are holding any significant (for you) amount of coins, invest in a cold storage.
legendary
Activity: 3472
Merit: 10611
Pooya says its basically impossible even if someone puts malware on it but thats assuming your passwords are something like dfsamdfaljk3209309sasaskfjs2. 

i did NOT say that. i said breaking the encryption of the file with a strong password is impossible.
stealing your password when you type it in is easy. and a malware recording your keystrokes can simply do that.
full member
Activity: 1750
Merit: 186
HCP, thanks for clarifying why an extra number would make it much more complicated.


Bob.  Pooya mentioned both keepass and electrum have strong encryption.  So if you have a strong password for both keepass and electrum, then its still not safe?  Pooya says its basically impossible even if someone puts malware on it but thats assuming your passwords are something like dfsamdfaljk3209309sasaskfjs2.  So can others tell me who is correct here... pooya or bob?


Okay well if someone put malware on your computer, could they open up keepass and electrum or not if you have a very tough password.  The other thing is what if you then open electrum on another computer then but not the one they infected or possibly infected.  Then you are safe there right?  But if you open electrum on your computer which might be compromised, then there will be problems since they could just put a keylogger and the moment you open electrum on the computer, then you have problems right?  So basically if you believe your computer is compromised, just no longer use that computer anymore and try to open keepass and electrum in a safe computer?
legendary
Activity: 1624
Merit: 2481
Yes i meant if someone has physical access to your computer, let say they have to go into your keepass and electrum etc.  But if your password is complicated and not something simple like jerry123, then it would be pretty hard then right?

If someone has physical access to your computer, its an easy task to install malware on it.
The best encryption is useless if your pc is infected with malware. The next time you open your electrum wallet, the attacker will gain the control over your private keys.

Its not just about password security (anti bruteforce).
There are a lot of things which all play together to keep an IT system safe.

You won't achieve 100% security. Ever. But if you are concerned about the security of your coins either use a Hardware wallet, paper wallet or a dedicated (airgapped) pc as cold storage.
Anything else will be WAY less secured than those 3 options.


HCP
legendary
Activity: 2086
Merit: 4361
Okay but if thats the case, do most people know what their password for keepass and electrum is? 
I doubt there are any people here who know what "most people" do... well... except for the NSA guys spying on us all


Quote
Or is it written down on a piece of paper?  I assume keepass, almost everyone knows what the password is?  However if thats the case, then most likely its something you could easily remember and not like askfsdk@3klasdflaksdfja@fkaslfkdsafkls.
You'd be surprised the sorts of passwords people can remember...


Quote
You say dont use real words because its like a dictionary attack in that example i gave that i just made up with jerry likes to eat chicken everyday. 
Well what if you put numbers in it then like
jerry1likestoeat100chickeneveryday
So theres the 1, the 100.
Would that be thus strong?  Such as maybe even adding a question mark in the middle of the word etc.
Did you even read anything that the others wrote? Did you read the wikipedia entry? Did you check out the password meter?

The difference between jerrylikestoeatchickeneveryday (30% - weak) and jerry1likestoeat100chickeneveryday (98% - strong) is fairly obvious... adding a random symbol in somewhere makes it even stronger. The reason is simply because of the massive increase in the search space...

At the most basic level... consider a 1 character password... if you just use lowercase letters, the search space is 26. Make it also include uppercase letters and the search space is now 52.... now put in numbers = 62... now add symbols and you get 94... so, you now have 94 possibilities... PER CHARACTER... so even a short password of 8 characters has (94 * 94 * 94 * 94 * 94 * 94 * 94 * 94) possibilities... 6,095,689,385,410,816.

compare that with 26 characters... (26 * 26 * 26 * 26 * 26 * 26 * 26 * 26) = 208,827,064,576 possibilities... which  is some 30,000x smaller...

The larger the search space, the harder it is for someone to bruteforce... also, by putting in symbols and numbers, you make dictionary attacks harder, if not impossible... because there aren't too many dictionary words with a # or a 7 or a [ in them


Quote
So for electrum users who encrypt their electrum, do most people know what their password is?  And if not, i assume where do they keep that then? 
Some do, some don't, some write it on post it notes, some put it on their fridge, some hide it in poems, some write it on a piece of paper and hide it in a book, some memorise long and complicated mnemonics, some study memory techniques for remembering 30 character passwords, some use stupid simple passwords, some use sentences with numbers in it, some don't use passwords, some use keepass, some use lastpass, some write it in a plain text file, some put it on their phone, some email it to themselves, some tattoo it on their forearm, some use encrypted file containers, some use encrypted disks, some use

Does that answer your question?
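Added example (not part of the original posts): the search-space arithmetic from the post above, with a second model for the dictionary-attack point raised elsewhere in the thread, where whole words are guessed instead of single characters. The 10,000-word list and the guessing rate are assumptions picked for illustration, and all function names are hypothetical.

```python
import math
import string

# Character classes counted in the post above: 26 + 26 + 10 + 32 symbols = 94.
POOLS = (string.ascii_lowercase, string.ascii_uppercase,
         string.digits, string.punctuation)

# Both figures below are assumptions chosen for illustration only.
ASSUMED_WORDLIST_SIZE = 10_000      # hypothetical attacker word list
ASSUMED_GUESSES_PER_SECOND = 1e10   # hypothetical offline guessing rate


def pool_size(password: str) -> int:
    """Alphabet size implied by the character classes the password uses."""
    for ch in password:
        if not any(ch in pool for pool in POOLS):
            raise ValueError(f"unsupported character: {ch!r}")
    return sum(len(pool) for pool in POOLS
               if any(ch in pool for ch in password))


def bruteforce_space(password: str) -> int:
    """Candidates in an exhaustive per-character search at this length."""
    return pool_size(password) ** len(password)


def wordlist_space(word_count: int,
                   wordlist_size: int = ASSUMED_WORDLIST_SIZE) -> int:
    """Candidates when whole words are guessed instead of single characters."""
    return wordlist_size ** word_count


def bits(space: int) -> float:
    """Search space expressed as bits (log2 of the candidate count)."""
    return math.log2(space)


def years_to_exhaust(space: int,
                     rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the assumed rate."""
    return space / rate / (365.25 * 24 * 3600)


def effective_space(password: str, word_count: int = 0) -> int:
    """Smaller of the two models: the attacker uses whichever is cheaper.

    word_count is supplied by the caller (0 = not built from whole words);
    this sketch does not try to split a string into words itself.
    """
    space = bruteforce_space(password)
    if word_count:
        space = min(space, wordlist_space(word_count))
    return space


# Passwords quoted in the thread, with the number of plain words in each.
SAMPLES = [
    ("jerry123", 0),
    ("jerrylikestoeatchickeneveryday", 6),
    ("sd2&hMt$J8Qshp*hdm", 0),
]

if __name__ == "__main__":
    for pw, words in SAMPLES:
        naive, real = bruteforce_space(pw), effective_space(pw, words)
        print(f"{pw:32} pool={pool_size(pw):2} "
              f"per-char={bits(naive):6.1f} bits  "
              f"effective={bits(real):6.1f} bits  "
              f"~{years_to_exhaust(real):.3g} years")
```

The per-character figure for the all-lowercase sentence is far larger than its word-list figure, which is why a length-based estimate alone overstates the strength of a password made of real words.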
full member
Activity: 1750
Merit: 186
Okay but if thats the case, do most people know what their password for keepass and electrum is?  Or is it written down on a piece of paper?  I assume keepass, almost everyone knows what the password is?  However if thats the case, then most likely its something you could easily remember and not like askfsdk@3klasdflaksdfja@fkaslfkdsafkls.


You say dont use real words because its like a dictionary attack in that example i gave that i just made up with jerry likes to eat chicken everyday. 


Well what if you put numbers in it then like


jerry1likestoeat100chickeneveryday



So theres the 1, the 100.


Would that be thus strong?  Such as maybe even adding a question mark in the middle of the word etc.


So for electrum users who encrypt their electrum, do most people know what their password is?  And if not, i assume where do they keep that then? 
legendary
Activity: 3472
Merit: 10611
read this page to understand more about password strength: https://en.wikipedia.org/wiki/Password_strength

you can also check this tool out: http://www.passwordmeter.com/ it is a good measure of the strength. remember that using your password online in a website like this compromises it so don't use real passwords. just use different things to get the general idea.

and as you can see the password i gave above gets a high Score and it is strong. but the one you chose "jerrylikestogotoeatchickeneveryday" gets a lower score although it is somewhat strong since it is long.
additionally one thing that this website doesn't mention is that you used real words.
"jerry likes to go to eat chicken everyday" can be susceptible to a dictionary attack.
full member
Activity: 1750
Merit: 186
Pooya thanks for that information.  So the person above me is incorrect then?  Yes i meant if someone has physical access to your computer, let say they have to go into your keepass and electrum etc.  But if your password is complicated and not something simple like jerry123, then it would be pretty hard then right?  what if the password was something like jerrylikestogotoeatchickeneveryday.  I assume something like that would be hard to brute force?


Also when you say if you are using a strong password like the one you posted with symbols etc... i assume you mean thats what you use for electrum and not keepass right?  Thus i cant imagine anyone could remember that keepass masterpassword?


I also assume for most people, they use a password on keepass where they could remember?  And not one where they have to open up their drawer to look at what it is and then type that?
newbie
Activity: 88
Merit: 0
Using Mac will reduce 90% chance of attack..
legendary
Activity: 3472
Merit: 10611
Hi there.  Can others confirm that if a hacker has physical access to your laptop, they could basically open up keepass and/or your electrum wallet or any wallets you have on your computer even if you have a password for your wallet?  So they could crack the keepass file?

when an application like Keepass, Electrum,... have an option for encrypting their content (in this case passwords stored in keepass, and wallet file or private keys depending on your choice in Electrum) the strength of it depends on 2 things.
first the method they choose, Electrum uses a very strong method (AES256) and i believe keepass uses the same thing. so they are both strong.
second is the password you are using. if you use a simple one like "jerry123" then anybody can crack it. but if you are using a strong one like "sd2&hMt$J8Qshp*hdm" then nobody can crack it in a million years so you are fine even if someone had physical access to your computer.
full member
Activity: 1750
Merit: 186
Hi there.  Can others confirm that if a hacker has physical access to your laptop, they could basically open up keepass and/or your electrum wallet or any wallets you have on your computer even if you have a password for your wallet?  So they could crack the keepass file?   By this i mean someone has physical access of your laptop and they aren't going to push malware on it and then give it back to you etc.

Can someone tell me what video to watch on youtube for step by step instructions?  I have seen a few of them on youtube and they are very confusing and not user friendly for someone not computer savvy.
member
Activity: 137
Merit: 10
Use Linux, not windows.

rule 1
member
Activity: 137
Merit: 10
Quote
Then if you don't have a printer, then what is the best way to print documents on a public computer?  Now if you send everything to your email, you still have to log into email from a public computer.  So how could you print something then? 

Just create a new e-mail very simple with an easy password and not very important. Then send the file to your new e-mail, print, and delete the e-mail.

Easy.
legendary
Activity: 1624
Merit: 2481
Hey all.  If a thief gets access to your laptop, would that be the same thing as you getting malware on your computer?

Yes.



The other thing is this.  If a computer hacker/thief has access to your laptop, could they install something where they could hack into say your keepass or axcrypt or any similar programs you have assuming you didn't use a program like bitlocker?

Yes. I believe even with bitlocker thats possible.



And to those of you with laptops and keep your bitcoin wallet there, do almost all of you keep a password on it?  

You should.



And if so, is it the windows password or is it bitlocker?  

Preferably both.



So for theft issues, is a thief having your computer where you didn't set up a password but you have documents that are encrypted and cryptowallets that are encrypted with a password, are those safe or not?  

Assuming the encryption (used algorithm and implementation) is flawless, yes they are safe.



Because people mention about keyloggers etc.  The thing is if a thief has access to your laptop and puts a keylogger on it, well if they don't put the laptop  back or give it back to you, then wouldn't a keylogger not work?  Or that would still work?  

A keylogger logs keystrokes. If they infect your laptop with a keylogger just before stealing it, they would only be able to log the keys they typed themselves..



Someone on another forum mentioned bitlocker wouldn't prevent your laptop from getting malware/keylogger/hack etc but it does protect you from a thief who wants access to your laptop.

Bitlocker encrypts drives.
While you are using your drives (e.g. system drive while using windows) the drive is not encrypted.
You can get infected with malware in that time.



So is bitlocker the recommended program to protect your laptop from login?

Protecting from login shouldn't be your concern.
Especially not when using windows.
If you want to store high amounts safely, you should definitely spend a few bucks for a hardware wallet.

You can store your private keys within an encrypted container, if thats what you are looking for.
But i wouldn't recommend bitlocker (closed source; made by microsoft)
I'd rather recommend VeraCrypt (https://www.veracrypt.fr/en/Home.html).



And is bitlocker easy to download/install to basically do what i want it to do as in password protect my laptop?  And how long does process take?

Just create a hidden container with VeraCrypt and store your 'sensitive information' there.
But keep in mind that, the moment you open the container, any malware you have on your pc will have access to this container.
Its better than storing sensitive files on the desktop, but not ideal.

VeraCrypt tutorial: https://www.bestvpn.com/veracrypt-how-to-basics/
full member
Activity: 1750
Merit: 186
Does anyone have advice on that?


Also one other thing.  I will most likely do a trade with someone with my bank funds online for their btc.  But in order to do this, i would have to add them on skype etc since we speak in real time etc.  Thus i would send them my bank funds, they send me btc etc.  What i want to know is there any risk accepting someones friend request on skype?  Assuming you only chat with them and do nothing else, then you are pretty safe?  Thus as long as you dont click on a picture/link they send to you or video, you are fine?  However i heard a while back if someone has you on skype, they could detect your ip address?  But is that any risk if you use electrum?
full member
Activity: 1750
Merit: 186
February 17, 2018, 04:49:55 PM
#5
Hey all.  If a thief gets access to your laptop, would that be the same thing as you getting malware on your computer?  Because all they have to do is download certain virus/malware and then they could find everything on your computer?  Or is that not possible?


The other thing is this.  If a computer hacker/thief has access to your laptop, could they install something where they could hack into say your keepass or axcrypt or any similar programs you have assuming you didn't use a program like bitlocker?


And to those of you with laptops and keep your bitcoin wallet there, do almost all of you keep a password on it?  And if so, is it the windows password or is it bitlocker?  I read that if you use bitlocker, you set up a password on your computer before login where if someone does not put in right password, its impossible to log into the laptop.  Can someone here confirm if this is true or not?  So for theft issues, is a thief having your computer where you didn't set up a password but you have documents that are encrypted and cryptowallets that are encrypted with a password, are those safe or not?  Because people mention about keyloggers etc.  The thing is if a thief has access to your laptop and puts a keylogger on it, well if they don't put the laptop  back or give it back to you, then wouldn't a keylogger not work?  Or that would still work?  Someone on another forum mentioned bitlocker wouldn't prevent your laptop from getting malware/keylogger/hack etc but it does protect you from a thief who wants access to your laptop.


So is bitlocker the recommended program to protect your laptop from login?  Does everyone here do this whether they have wallet on computer or not?  So the windows password is basically useless then right since i read that easily can be cracked?


And is bitlocker easy to download/install to basically do what i want it to do as in password protect my laptop?  And how long does process take?
legendary
Activity: 3472
Merit: 10611
September 24, 2017, 12:00:51 AM
#4
To those of you who use electrum and keep bitcoin there and also use the computer as your daily computer, what precautions should you be taking?
i keep small amounts there (as the hot wallet) and keep the larger amounts in my cold storage (Electrum wallet installed on an offline Linux installed on a USB disk).

i am on windows and with an AntiVirus but you can move to linux and be a bit safer.

Quote
I have heard of cases where bitcoin wallet been hacked because someone downloaded malware etc.  But what kind of malware is this usually?  A torrent, porn?  Clicking on someones signature or links here on bitcointalk?  How do electrum wallets generally get hacked?
it can be a lot of different things for example:
- that popular clipboard hijacker which changes the bitcoin addresses you copy
- downloading the malicious version of Electrum from other websites than the original and not verifying the signature.

Quote
And by the way as many of you know, most posters here have lot of links on their profiles etc.  Are these links potentially dangerous or not?  Many seem to be icos or other things but could you get a virus from clicking on someones links in their profile?  Thus it could be you click on it and they could hack your bitcoin wallet no matter what it is?
you can disable things like Flash, JavaScript,... in your browser through their settings or use ad blocks to block them to increase your security.

Quote
1.  Do not download torrents or anything like that
i do download torrents, never had any issues.

Quote
2.  Do not click on links you are not sure of whether online or email
true.

Quote
3.  What if you do not have a printer and need to print something in an outside computer.  Thus you save the document on a usb and bring that to a copy printing place to use the computer to open the document up and print it.  However i heard that usb in public computers could cause a virus?  Does that mean never use a usb from your own computer on a public computer?  Then if you don't have a printer, then what is the best way to print documents on a public computer?  Now if you send everything to your email, you still have to log into email from a public computer.  So how could you print something then? 
- install an AntiVirus to scan the USB disks before you connect them or just move to Linux
- encrypt the document when you want to print it elsewhere
- burn that doc on a CD or DVD and take it to the print shop
- buy a printer, there are cheaper ones appropriate for home usages.

Quote
4.  Is streaming from sites generally fine?  Like streaming tv shows or sports from sites like adthe etc like those okay?  I noticed sometimes they ask you to download flash player otherwise it would not work etc.
it depends on the website. most of them are fine. and also i hear that browsers such as Chrome run flash files in some sort of virtual thing that doesn't allow them much harm.

Quote
6.  I assume most people with a lot of money in their bitcoin wallet or other wallets keep a computer separately for bitcoin and bank transactions?  Thus thats all it does and nothing else?  Thus not even web browsing or youtube etc?
either buy a hardware wallet or you can do what i did, learn more about Linux, install it on a USB disk, boot up from that and have it as your bitcoin cold storage. you can encrypt it and everything to make it 100% secure.
you can also make another one for your bank transactions or doing whatever sensitive thing you might want to do. but this one will not be offline like the other. you boot up and connect to internet to do your stuff and then shut it down and boot in your main system to continue your daily work.