Author

Topic: Encrypted wallet.dat but not entirely (Read 906 times)

hero member
Activity: 938
Merit: 1002
September 25, 2011, 08:22:08 AM
#8
A quick question for anyone who knows about typical keyloggers: can you circumvent them by clicking around the entry field and typing the characters out of order (e.g. type the last half, then click at the start of the field and type the first half), or does the keylogger harvest the data after the field is complete?

AFAIK they usually get input directly from the device. It would be very complicated to get data from password fields of arbitrary programs. On the other hand, they can capture mouse movements and take screenshots, so clicking around wouldn't be an ultimate protection. I imagine, a program that automatically inserts your passwords bound to custom key combinations would work better. I don't know if there are any, but should work as long as the solution is not widespread enough for the attackers to care. Smiley

Even so, it would be far easier for the attacker to target specific programs, such as bitcoin, and install fake clients, or read unencrypted keys from memory.
legendary
Activity: 1050
Merit: 1000
You are WRONG!
September 25, 2011, 07:48:00 AM
#7
... I'd install keyloggers ...
A quick question for anyone who knows about typical keyloggers: can you circumvent them by clicking around the entry field and typing the characters out of order (e.g. type the last half, then click at the start of the field and type the first half), or does the keylogger harvest the data after the field is complete?
solution:
install fake client.
donator
Activity: 826
Merit: 1060
September 25, 2011, 07:40:28 AM
#6
... I'd install keyloggers ...
A quick question for anyone who knows about typical keyloggers: can you circumvent them by clicking around the entry field and typing the characters out of order (e.g. type the last half, then click at the start of the field and type the first half), or does the keylogger harvest the data after the field is complete?
hero member
Activity: 938
Merit: 1002
September 25, 2011, 07:27:48 AM
#5
I think it's a good usability trade off for security. Wallet encryption does not protect you from a myriad of attacks. If I had the ability to access a lot of people's wallets, instead of downloading them and trying to brute force the one with the largest sum, I'd install keyloggers. Even better, I'd install a modified bitcoin client that silently sends some of the coins without displaying on the interface. If I don't have access to binaries, nor the system memory, but only the wallets, and lots of them, and there are people dumb enough to use simple passwords for large wallets; maybe then, knowing the balances would be helpful.

At any rate, it is worth adding a second layer of encryption as you said. It  is still a good idea to use a savings wallet either way. One good addition would be, being able to use multiple wallets (a la MultiBit); I wouldn't mind entering a primary password for my savings wallet.
legendary
Activity: 1050
Merit: 1000
You are WRONG!
September 25, 2011, 06:52:16 AM
#4
That's great that now wallet.dat file is encrypted. However, it is password protected only bitocin sending and anyone can easily preview them how much they have. It can be dangerous because someone could get thousands of wallet.dat files and force from someone who has a lot. And so we keep the files in Linux (eg VirtualBox) instead of Windows.
It is better to be able to run it in bitcoin client after entering the password from the wallet.
go tortur mtgox, i know that they have alot of btc...
legendary
Activity: 1148
Merit: 1008
If you want to walk on water, get out of the boat
September 25, 2011, 06:49:01 AM
#3
He is saying that the client encrypt only a part of the wallet.dat. If you steal a client-encrypted wallet.dat you can read how many bitcoins it have. And if you find a wallet with a LOT of btc it can be worth to try to bruteforce it.

legendary
Activity: 2506
Merit: 1010
September 24, 2011, 04:55:15 PM
#2
It can be dangerous because someone could get thousands of wallet.dat files and force from someone who has a lot.

I don't follow.  Are you trying to say something like if for some reason someone learns how many bitcoins you have you would have a higher risk the more bitcoins you hold?   (Which is probably true, by the way.  As you hold more bitcoins, the level of importance placed on security of the wallet should increase).
member
Activity: 138
Merit: 25
September 24, 2011, 03:29:29 PM
#1
That's great that now wallet.dat file is encrypted. However, it is password protected only bitocin sending and anyone can easily preview them how much they have. It can be dangerous because someone could get thousands of wallet.dat files and force from someone who has a lot. And so we keep the files in Linux (eg VirtualBox) instead of Windows.
It is better to be able to run it in bitcoin client after entering the password from the wallet.
Jump to: