
Topic: [Guide] Use Bitcointalk (more) privately (Read 709 times)

legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
June 15, 2023, 11:24:26 PM
#47
The information shared in this thread may be useful while using other sites on internet in future.
You're missing the point: I'm much less worried about my privacy on KnittingParadise.com than I am on Bitcointalk. I'm pretty sure a knitting granny doesn't do $5 wrench attacks to steal my wool.
I left you neutral feedback from LoyceMobile (not on DT) after your plagiarism in January. I've replaced it by the same feedback from this account.
full member
Activity: 1470
Merit: 108
Well, too late :( And that's the thing with privacy: once it's gone, you can't get it back.

But it is never late to learn something new. The information shared in this thread may be useful while using other sites on internet in future.
newbie
Activity: 18
Merit: 2
Online wallet, one email for all services, one password for all services - this is the harsh reality of most crypto users.

For many of them it is enough and it does not raise any problems for them. It is common for other services like normal banking as well. Some bad instances may occur to some users but for majority, life will complete peacefully even after not following the precautions in this thread.
legendary
Activity: 3234
Merit: 5637
~snip~
But does TOR for example work in China? I've always wondered about this.

According to what can be read on the official site, TOR can be used in China, but requires some additional actions by users. It would be interesting to know how many people in China use TOR or VPN, or how many dare to go against the regime, given the penalties in that country. I assume that every ISP can see what the user is doing, and therefore I do not doubt that the Chinese ISPs, in their fanatical surveillance, monitor these activities as well.

Quote
There are three options to unblock Tor in China:

Snowflake: uses ephemeral proxies to connect to the Tor network. It's available in Tor Browser and other Tor powered apps like Orbot. You can select Snowflake from Tor Browser's built-in bridge menu.

Private and unlisted obfs4 bridges: contact our Telegram Bot @GetBridgesBot and type /bridges. Or send an email to [email protected] with the phrase "private bridge cn" in the subject of the email. If you are tech-savvy, you can run your own obfs4 bridge from outside China. Remember that bridges distributed by BridgeDB, and built-in obfs4 bridges bundled in Tor Browser most likely won't work.

meek-azure: makes it look like you are browsing a Microsoft website instead of using Tor. However, because it has a bandwidth limitation, this option will be quite slow. You can select meek-azure from Tor Browser's built-in bridges dropdown.

legendary
Activity: 1862
Merit: 1327
Thank you for this guide, certainly very useful especially in countries where there is repression.
It is not only useful for using bitcointalk but in general where some things are not allowed.
But does TOR for example work in China? I've always wondered about this.
full member
Activity: 443
Merit: 110
So having a reputation doesn't go with having privacy.
I have to agree with this statement. It's difficult to choose both coz eventually you'll have to choose one and proceed with that.

I do prefer using my Opera rather than Tor, and changing browsers is not that convenient for me. I have tried Tor once and we are not compatible, so I just choose a browser which is convenient for me.
legendary
Activity: 1792
Merit: 1296

TOR is terribly inconvenient, I'd rather continue to use Opera. Most users do not need it at all, as well as its use, this option is more suitable for those who are completely turned on privacy or those who have something to hide. There is a strong opinion that privacy is a myth, and if really want to, will still find you.
Why Opera and not another browser? For example, Firefox. Will Opera be able to provide a level of privacy at least close to TOR, or have you chosen what is convenient and familiar to you without giving a damn about privacy?


I disagree; you should try it out. In my experience, websites did load pretty slowly a few years back. But nowadays, it has gotten a lot better, especially if the website doesn't need JavaScript and doesn't use lots of graphics (like Bitcointalk).

I tried repeatedly. He loses on almost all fronts. Moreover, TOR itself does not provide proper privacy, without the necessary settings. I do not argue, it's a matter of habit, but for most users, this TOR will instill not a sense of privacy, but a feeling of irritation. And then they think for a moment, why the hell do they even need this privacy? For what? And after that, they will choose what is more convenient.
But other browsers also need to be configured before initial use, and not use the default settings.

Although, you can’t argue here: most users will always choose convenience and practicality over privacy.
hero member
Activity: 882
Merit: 792
Even if you want to hide your VPN usage from ISP, you can use VPN with obfuscated servers like ProtonVPN with Stealth mode or setup OpenVPN with obfsproxy.

ProtonVPN servers can also be exported as OpenVPN profiles. None will work in eg. China, unfortunately.
But ProtonVPN's obfuscated servers work in Russia, Iran and Egypt.
China is a very individual case, sometimes some VPNs work in China, sometimes - not. At the moment, Astrill VPN is very popular in online Chinese communities. Chinese usually use Shadowsocks, V2Ray, Xray, Trojan, VLESS, or gRPC to bypass Great Firewall of China.
By the way, it's a good idea to add in my thread VPNs or methods that work in China to bypass their internet censorship.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
For iOS, 'Onion Browser' exists and is recommended by the Tor Project:
https://onionbrowser.com/

I use an app called "TOR Browser", because the onion browser does not reliably work for me (or should I say not at all)!

It's good if you don't mind the occasional nagging to use the built-in VPN - honestly, I never use it, as a Proton Visionary subscriber.

Even if you want to hide your VPN usage from ISP, you can use VPN with obfuscated servers like ProtonVPN with Stealth mode or setup OpenVPN with obfsproxy.

ProtonVPN servers can also be exported as OpenVPN profiles. None will work in eg. China, unfortunately.
legendary
Activity: 1862
Merit: 5154
**In BTC since 2013**
Sorry but I have to say that you are making perfect recipe for disaster with your unique password model, whatever that is.

Why? We all have models for passwords, even if it is the simple fact of using "software" to create passwords.

Also, the main passwords should be kept in a safe place, in case something goes wrong.
legendary
Activity: 2212
Merit: 7064
"I'd like to give the t-shirt I won to a Newbie who lives in the same country as me"....
I don't think you are the only guy in bitcointalk forum from same country, but they could also send that same t-shirt to any neighboring country PO Box of mysterious person, since there are no real borders in EU ;)

I also wouldn't trust passwords created by a password system, because if a system can create them, it can also crack them.
LoL, but your brain is also a system, and when it breaks that means you don't have any backups.
You can do whatever you want, but most cases of people losing passwords and bitcoin keys is when they tried to act smart creating their own ''systems''.

Either way, you can rest assured that I have my own password model, different in many aspects from those discussed here, which, as you may understand, I will not share here. ;)
Sorry but I have to say that you are making perfect recipe for disaster with your unique password model, whatever that is.


hero member
Activity: 1302
Merit: 561

There is not much to discuss; it is mathematically proven that truly randomly generated passwords are much stronger than real words and sentences. We don't need to mix a strong system with a weaker system, either, that only reduces security.
My mate, I honestly suggest you go and change all of your passwords, now.. ;D

Having strong passwords is good, but 2FA is better because no password is strong enough not to be cracked with a quality config and combolist. A lot of accounts could get cracked using good checkers, so when that happens even if the cracker got the username and password they can't access the account if s/he doesn't pass through the 2FA requirements. For a forum like this having the question and answer feature set up is also recommended, to enable easy account recovery. Hence, since the forum is not a target to crackers, it's nothing to worry about, since the forum account sales market is falling on a daily basis. Though, your thread is very excellent, as we are meant to be security conscious online and keeping things private is important.

I also have a question, what happens to a person that doesn't have a picture anywhere online, how can he be traced? if their privacy is leaked that is they don't use VPN, Tor or all the tools you just mentioned, between the forum encourage users not to attach their real faces on the site.
legendary
Activity: 1862
Merit: 5154
**In BTC since 2013**
That's entirely backwards. The second option is orders of magnitude easier to crack, since it is just 7 words and a number. As the sentence even makes semantic sense, some crackers should have an even easier time guessing that password.
Meanwhile the first option consists of 15 random characters, so wordlist-based attacks don't work and one would have to default back to the much slower / 'legacy' byte-by-byte bruteforcing approach.

Maybe I didn't explain it well. And what I did was just an example. Furthermore, the world does not only speak in English.
The idea I mean is that it doesn't necessarily have to be random in human eyes, but rather random in machine eyes.

This is a little bit what I want to say:
That's true but I always wonder what kind of prediction can someone find, for example, in this password: 'railWayZDanieAccCausticCornUebung'. I'll explain: Railway is railway, ZD is Russian word, short version of здapoвa (Hello), Zdanie is also Russian word здaниe and means building, Acc is a short version of Account, Caustic is caustic, for example caustic soda, Corn is a corn and Uebung is a German word Übung that means practice.
I agree that humans are very bad at randomness but I'm curious why this combination of words doesn't sound or look random.

Maybe my English is not the best and I can't explain it in the best way.
I apologize.



My mate, I honestly suggest you go and change all of your passwords, now.. ;D

I also wouldn't trust passwords created by a password system, because if a system can create them, it can also crack them.

Either way, you can rest assured that I have my own password model, different in many aspects from those discussed here, which, as you may understand, I will not share here. ;)
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
I only remember a few passwords, but I use hundreds of different ones. Most of them look like "(f#L!{p[oKGzz[2aV$'[P6!n$", and I'm not even going to try to remember them.
That's the type of password everyone should be using. It's your choice if you try to remember them or not but believe me, if you try, that's not difficult to remember. Type that hard password frequently for months, for a year and then you'll realize that you have memorized it
Like I said, I can remember a few passwords. But I can't remember hundreds of them, and most of them I don't need very often. If I'd try to remember them all, I'd either have weak passwords, or lose access all the time.

Quote
you can type it with your eyes closed.
I always type with my eyes closed ;)
hero member
Activity: 882
Merit: 792
Is it better idea to show your ISP that you are using Tor? Don't you think it's alarming?
Is it less alarming to show your ISP that you are using a VPN?
Definitely it is less alarming. VPN is used by people to bypass restrictions that mostly include access to some games, game servers, netflix/hulu and so on. A lot of people use vpn with servers in Turkey to get cheap access to digital services.
Even if you want to hide your VPN usage from ISP, you can use VPN with obfuscated servers like ProtonVPN with Stealth mode or setup OpenVPN with obfsproxy.

By the way, if you use Tor bridges without VPN, node owner may know your IP address and in case nodes get compromised, others will know it too.

I think the use of real words, depending on how they are used, is a not bad model.
A machine finds random letters faster than real words. Logically it cannot be just a word or two. But, a sentence, with three or four words, can be very difficult to crack as a password.

In reality it all depends on how you build your password.
Random letters and numbers can be as easy to break as a few words together.

The suggestion I always give is to build passwords that you can memorize, but at the same time are complex.

"Waterwithsaltandsugar!1" it could be someone's password, which will be very difficult to be cracked.
Well... now it's not... it's better that no one uses it. ::) :P
That is unfortunately completely wrong. Your example password is extremely easy to crack. Password crackers nowadays don't brute-force letter by letter anymore, but are based on wordlists. They also take into consideration that people like to append special characters and numbers to the beginning or the end of the password. Humans are way too predictable to be trusted to generate randomness; this is a scientifically proven fact.
That's true but I always wonder what kind of prediction can someone find, for example, in this password: 'railWayZDanieAccCausticCornUebung'. I'll explain: Railway is railway, ZD is Russian word, short version of здapoвa (Hello), Zdanie is also Russian word здaниe and means building, Acc is a short version of Account, Caustic is caustic, for example caustic soda, Corn is a corn and Uebung is a German word Übung that means practice.
I agree that humans are very bad at randomness but I'm curious why this combination of words doesn't sound or look random.
hero member
Activity: 924
Merit: 5943
not your keys, not your coins!
But it's not the special characters that make the difference in this example password. It's the phrase. Systems typically match words, but not phrases.
The system can combine "water" "salt" "sugar". But combining as a phrase "water" "with" "salt" "and" "sugar" is more unlikely.
No, that's wrong. These are all regular English words found in every wordlist and cracked in minutes.
https://en.wikipedia.org/wiki/Dictionary_attack

As you said rightly, the systems normally check letter by letter.
No, I said the opposite. Letter-by-letter bruteforcing is probably dead for well over a decade now.
https://ieeexplore.ieee.org/document/4799025

Therefore, it is more likely to pick up a combination of random letters than a sentence that is understood by a human.

Which do you think is easier for an automatic system to find:
"1McY1aGwc8jvFtA."
or
"My2YearOldCatLikesYoWalk."

Both are equally strong, but the second option is much more difficult to be recognized by an automatic system than the first.
That's entirely backwards. The second option is orders of magnitude easier to crack, since it is just 7 words and a number. As the sentence even makes semantic sense, some crackers should have an even easier time guessing that password.
Meanwhile the first option consists of 15 random characters, so wordlist-based attacks don't work and one would have to default back to the much slower / 'legacy' byte-by-byte bruteforcing approach.

  • Ironically: mix, tumble, CoinJoin or submarine-swap your campaign funds to a Lightning wallet. Anything that improves your on-chain privacy.
It will be great if anyone can tell the procedure of doing this with a lightning wallet. A step by step procedure or guide may be really helpful along with links to site / wallets etc. Usually how much fee is involved in this process?
Sure; thanks for the suggestion. I will do such a guide in the future. But in essence, you just connect to https://boltz.exchange/ via Tor (you will be redirected to their Tor site), enter the amount you want to send to your Lightning wallet (such as Core Lightning) and send the amount shown on screen through a regular on-chain transaction.

The point I wanted to emphasize is that for a hacker who steals hundreds of passwords, he will use automatic systems that will try to match the victim's password letter by letter.
No, he won't.

The probability of him hitting random letters is greater than a sentence.
That is wrong. By definition, a sentence has less entropy since it does not consist of random letters.

I am not recommending this or any other type of password here. Just to point out that both types of passwords can be safe if used correctly.

Perhaps a mix of the two options could be something interesting to explore.
There is not much to discuss; it is mathematically proven that truly randomly generated passwords are much stronger than real words and sentences. We don't need to mix a strong system with a weaker system, either, that only reduces security.
My mate, I honestly suggest you go and change all of your passwords, now.. ;D
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
I think the use of real words, depending on how they are used, is a not bad model.
A machine finds random letters faster than real words.
It depends: if you're comparing one random character to a word, the word is harder to find. But if you compare 4 random characters to a 4-letter word, the word is easier to brute-force (by using a dictionary attack).

Is it better idea to show your ISP that you are using Tor? Don't you think it's alarming?
Is it less alarming to show your ISP that you are using a VPN?
Both aren't ideal, but VPNs are often used to connect to a company network too. Or for streaming.

You could easily use secondary accounts for purchasing stuff from forum... and I don't mean LeyoceV Mobile :D, but some random newbie account.
"I'd like to give the t-shirt I won to a Newbie who lives in the same country as me"....

Which do you think is easier for an automatic system to find:
"1McY1aGwc8jvFtA."
or
"My2YearOldCatLikesYoWalk."

Both are equally strong, but the second option is much more difficult to be recognized by an automatic system than the first.
What makes you think they're equally strong? If the first one is generated randomly, it's much stronger. If you want to use words as a password, at least generate them randomly. Kinda like Electrum does it.

The probability of him hitting random letters is greater than a sentence.
You should look up the words "dictionary attack" ;)
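An added example, not code from any poster in this thread: a rough Python estimate of the two passwords compared above under a dictionary-aware guessing model, plus how many randomly drawn words would be needed to match 15 random characters. The function names, the 2048-entry wordlist size and the small sample vocabulary are assumptions; the figure for the sentence is an upper bound, because the words of a meaningful sentence are not chosen independently.

```python
import math
import secrets
import string

# Printable ASCII pool a random-character generator draws from (94 symbols).
CHARSET = string.ascii_letters + string.digits + string.punctuation
CHAR_BITS = math.log2(len(CHARSET))

# Assumption: the guesser's wordlist holds 2048 entries (the size of the
# BIP39 English list). Capitalising each word is treated as a known, free
# pattern, which is how rule-based guessing handles CamelCase.
ASSUMED_WORDLIST_SIZE = 2048
WORD_BITS = math.log2(ASSUMED_WORDLIST_SIZE)

# Constructed sample vocabulary: just enough to segment the thread's example.
SAMPLE_WORDS = frozenset({"my", "year", "old", "cat", "likes", "yo", "walk", "fish"})


def segment(password, words=SAMPLE_WORDS):
    """Find the cheapest split into dictionary words and single characters.

    Returns (tokens, bits), where bits is the summed log2 cost of the tokens.
    """
    lowered = password.lower()
    n = len(password)
    best = [0.0] + [math.inf] * n   # best[i]: cheapest cost of password[:i]
    back = [0] * (n + 1)            # back[i]: start index of the last token
    max_len = max(map(len, words), default=0)
    for end in range(1, n + 1):
        # Default: the last token is one arbitrary character.
        best[end] = best[end - 1] + CHAR_BITS
        back[end] = end - 1
        # Alternative: the last token is a dictionary word.
        for size in range(2, min(max_len, end) + 1):
            start = end - size
            cost = best[start] + WORD_BITS
            if lowered[start:end] in words and cost < best[end]:
                best[end] = cost
                back[end] = start
    tokens, pos = [], n
    while pos > 0:
        tokens.append(password[back[pos]:pos])
        pos = back[pos]
    return tokens[::-1], best[n]


def random_bits(length):
    """Entropy of a password of `length` characters drawn uniformly from CHARSET."""
    return length * CHAR_BITS


def words_needed(target_bits, wordlist_size=ASSUMED_WORDLIST_SIZE):
    """Number of uniformly random words needed to reach target_bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def random_password(length=15):
    """Random-character password from the OS CSPRNG."""
    return "".join(secrets.choice(CHARSET) for _ in range(length))


def random_passphrase(n_words, wordlist):
    """Passphrase of n_words drawn uniformly (with repetition) from wordlist."""
    words = sorted(set(wordlist))
    return " ".join(secrets.choice(words) for _ in range(n_words))


if __name__ == "__main__":
    # The two candidates from the thread, without the sentence-ending period.
    for candidate in ("1McY1aGwc8jvFtA", "My2YearOldCatLikesYoWalk"):
        tokens, bits = segment(candidate)
        print(f"{candidate}: {len(tokens)} tokens, about {bits:.1f} bits")
    print("random words needed to match 15 random characters:",
          words_needed(random_bits(15)))
    print("fresh random password:", random_password())
```

With a real wordlist passed to `random_passphrase`, the entropy is `n_words * log2(len(wordlist))` only because every word is drawn by the CSPRNG; a sentence a person composes never reaches that figure.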
legendary
Activity: 1862
Merit: 5154
**In BTC since 2013**
If it is people around you and know you love cat and some other information about your cat, he will put words like "cat" "2" "old" into inputs of brute force and make it becomes more easily to bruteforce your passwords.

The phrase indicated was just an example, I do not recommend that it be used, much less that it be so logical.

The point I wanted to emphasize is that for a hacker who steals hundreds of passwords, he will use automatic systems that will try to match the victim's password letter by letter. The probability of him hitting random letters is greater than a sentence.

I am not recommending this or any other type of password here. Just to point out that both types of passwords can be safe if used correctly.

Perhaps a mix of the two options could be something interesting to explore.
hero member
Activity: 2464
Merit: 877
Well, too late :( And that's the thing with privacy: once it's gone, you can't get it back.

When I started with Bitcoin, I was bright enough to use a random generator to create a username. But I now realize that isn't enough, and I never expected to use it this long. By now I've also used it on other sites. I can't take that back without giving up everything I've done in the past 8 years, and being a Newbie again. So having a reputation doesn't go with having privacy.

Guess what, I have made a username with my real name. Never thought about the privacy back then when I created this bitcointalk account, but now it's too late.

Generally, the IPs are logged for last 30 days. So if we opt for this limited IP retention, won't they be logged at all ?

  • Ironically: mix, tumble, CoinJoin or submarine-swap your campaign funds to a Lightning wallet. Anything that improves your on-chain privacy.
It will be great if anyone can tell the procedure of doing this with a lightning wallet. A step by step procedure or guide may be really helpful along with links to site / wallets etc. Usually how much fee is involved in this process?


sr. member
Activity: 854
Merit: 424
"My2YearOldCatLikesYoWalk."

Both are equally strong, but the second option is much more difficult to be recognized by an automatic system than the first.
The second one looks pseudo-strong but in fact it is not. It is more vulnerable to bruteforce process because you don't know what are bad guys who intend to steal your passwords.

If it is people around you and know you love cat and some other information about your cat, he will put words like "cat" "2" "old" into inputs of brute force and make it becomes more easily to bruteforce your passwords.

If a person has his habit to create password like this, possibly he will have other passwords like
My3YearOldCatLikesYoWalk
My4YearOldCatLikesYoWalk
My2YearOldCatLikesFish

https://www.youtube.com/watch?v=rMtW8vIHHek
legendary
Activity: 1862
Merit: 5154
**In BTC since 2013**
That is unfortunately completely wrong. Your example password is extremely easy to crack. Password crackers nowadays don't brute-force letter by letter anymore, but are based on wordlists. They also take into consideration that people like to append special characters and numbers to the beginning or the end of the password. Humans are way too predictable to be trusted to generate randomness; this is a scientifically proven fact.

But it's not the special characters that make the difference in this example password. It's the phrase. Systems typically match words, but not phrases.
The system can combine "water" "salt" "sugar". But combining as a phrase "water" "with" "salt" "and" "sugar" is more unlikely.
Of course, this is just an example, and I'm not saying it's invalid, just that it's less likely to happen.

As you said rightly, the systems normally check letter by letter. Therefore, it is more likely to pick up a combination of random letters than a sentence that is understood by a human.

Which do you think is easier for an automatic system to find:
"1McY1aGwc8jvFtA."
or
"My2YearOldCatLikesYoWalk."

Both are equally strong, but the second option is much more difficult to be recognized by an automatic system than the first.
legendary
Activity: 2212
Merit: 7064
I decided to compile a list of sensible advice that forum users can take to improve their privacy. More suggestions are of course welcome!
I assume that various AI programs are already mass collecting information for anything related with specific IP addresses, names, usernames and style of writing.
Anyone that is using modern smartphone is in much worse situation for privacy and Tor on Android or iOS is not as good as on regular computers, plus there are many other things smartphones record about users (like we saw in recent CM incident).
My main suggestion is to stop using smartphones and switch back to old mobile phones if you care about privacy, but if that is too drastic then use de-googled phone (GrapheneOS is interesting).

Full IP addresses and geolocation data retained for months or even years. Your posts are [4-6] archived basically forever.
This is happening for almost all websites and forums, so it's even worse if someone used same real IP address on multiple websites.
Maybe you can add suggestion for people to use temp emails, or services that allow creation of alias and additional email addresses.
It would be perfect to self host your own email address, as we already saw how Proton mail and other ''private'' services can give all information to authorities.

Ironically: mix, tumble, CoinJoin or submarine-swap your campaign funds to a Lightning wallet. Anything that improves your on-chain privacy.
+ Joinmarket (jamapp.org)
+ Mercury wallet (second layer Bitcoin privacy)
+ Ironically XMR

For exactly this reason, I've refused physical prizes that I was offered, and never bought collectibles. It's unfortunate, but each time a "Trusted member" turns out to be a scammer I'm very happy I kept this part of my privacy.
You could easily use secondary accounts for purchasing stuff from forum... and I don't mean LeyoceV Mobile :D, but some random newbie account.
hero member
Activity: 924
Merit: 5943
not your keys, not your coins!
Is it better idea to show your ISP that you are using Tor? Don't you think it's alarming?
Is it less alarming to show your ISP that you are using a VPN?

If we wanted to go all the way, we would also have to delete the metadata included in the photos of the marketplace's ads posted, not use an address that has been in contact with a CEX for a signature campaign (and I imagine that this is quite often the case).
Yes, I highly recommend doing these things, I consider them standard procedure.

I think the use of real words, depending on how they are used, is a not bad model.
A machine finds random letters faster than real words. Logically it cannot be just a word or two. But, a sentence, with three or four words, can be very difficult to crack as a password.

In reality it all depends on how you build your password.
Random letters and numbers can be as easy to break as a few words together.

The suggestion I always give is to build passwords that you can memorize, but at the same time are complex.

"Waterwithsaltandsugar!1" it could be someone's password, which will be very difficult to be cracked.
Well... now it's not... it's better that no one uses it. ::) :P
That is unfortunately completely wrong. Your example password is extremely easy to crack. Password crackers nowadays don't brute-force letter by letter anymore, but are based on wordlists. They also take into consideration that people like to append special characters and numbers to the beginning or the end of the password. Humans are way too predictable to be trusted to generate randomness; this is a scientifically proven fact.


Privacy is not my ultimate priority but who really needs should practice all the points mentioned by OP to achieve it.
I noticed that you are advertising for Roobet; a mostly unregulated crypto casino registered in Curacao. It may be desirable for your real identity not to be linked to Roobet, due to obvious reasons.
I understand the risk of providing KYC documents to centralized platforms but it's somehow unavoidable [...]
I was hinting at reasons privacy may be of interest to you, after all. Especially in relation to your forum profile. It is possible and maybe desirable to e.g. have and use a KYC-ed account on an exchange (although I highly advise against it) and have a completely separate online identity with no ties to that account. It is not too hard to accomplish, as I outlined in the OP.
full member
Activity: 784
Merit: 112
Quote
As people tend to have dozens to hundreds of accounts, if you can memorize all of your passwords, they are either:
Not distinct enough (i.e. not a fresh one per account)
Not independent enough (e.g. you have a 'master password' with numbers at the end or something like that)
Not random enough (e.g. you use real words)
It is not recommended to memorize all your passwords because they should be unique, complex, and random for better security. Instead, consider using a password manager to securely store and manage your passwords.
hero member
Activity: 2366
Merit: 793
Bitcoin = Financial freedom

Privacy is not my ultimate priority but who really needs should practice all the points mentioned by OP to achieve it.
I noticed that you are advertising for Roobet; a mostly unregulated crypto casino registered in Curacao. It may be desirable for your real identity not to be linked to Roobet, due to obvious reasons.

I understand the risk of providing KYC documents to centralized platforms but it's somehow unavoidable at all circumstances for instance I used to trade a lot so I don't have any other option than doing KYC verification then only I get the higher trading limits, and for casino it's almost become mandatory on every crypto casino so it's your decision whether you want to use their platform or not but I have done KYC on Roobet since I am using their service and also I can't advertise without knowing anything about the platform.
legendary
Activity: 1862
Merit: 5154
**In BTC since 2013**
When I started with Bitcoin, I was bright enough to use a random generator to create a username. But I now realize that isn't enough, and I never expected to use it this long. By now I've also used it on other sites. I can't take that back without giving up everything I've done in the past 8 years, and being a Newbie again. So having a reputation doesn't go with having privacy.

I think this was one of the best sentences I've read about privacy!
Sometimes people focus a lot on privacy today, but forget what they did 10 years ago, which ends up destroying that supposed privacy.

I'm in a similar situation with you. Therefore, today I only take the measures that I think are necessary for privacy, for the level of privacy that I still manage to maintain. For the rest, I just have to be attentive and take the necessary care not to fall into schemes that could harm me.



As people tend to have dozens to hundreds of accounts, if you can memorize all of your passwords, they are either:
  • Not distinct enough (i.e. not a fresh one per account)
  • Not independent enough (e.g. you have a 'master password' with numbers at the end or something like that)
  • Not random enough (e.g. you use real words)

I may disagree with some of the points mentioned, but I think the use of real words, depending on how they are used, is a not bad model.
A machine finds random letters faster than real words. Logically it cannot be just a word or two. But, a sentence, with three or four words, can be very difficult to crack as a password.

In reality it all depends on how you build your password.
Random letters and numbers can be as easy to break as a few words together.

The suggestion I always give is to build passwords that you can memorize, but at the same time are complex.

"Waterwithsaltandsugar!1" it could be someone's password, which will be very difficult to be cracked.
Well... now it's not... it's better that no one uses it. ::) :P

legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
In absolute terms, you should not buy or sell anything on the forum in order to protect your privacy. You don't know who you are sending your address to.
For exactly this reason, I've refused physical prizes that I was offered, and never bought collectibles. It's unfortunate, but each time a "Trusted member" turns out to be a scammer I'm very happy I kept this part of my privacy.

Quote
I am sure that a lot of members can be already linked to a deposit/withdrawal made from a CEX via an address they posted here. Even with all the effort, the CEX will cooperate with law enforcement if necessary, and the efforts to protect themselves here will have been for nothing.
It depends on who you're hiding from. I'm not hiding from taxes, and I'm not hiding from law enforcement. But if you are, you should indeed not use any centralized service that requires your real data.
hero member
Activity: 504
Merit: 1065
Crypto Swap Exchange
If we wanted to go all the way, we would also have to delete the metadata included in the photos of the marketplace's ads posted, not use an address that has been in contact with a CEX for a signature campaign (and I imagine that this is quite often the case).

In absolute terms, you should not buy or sell anything on the forum in order to protect your privacy. You don't know who you are sending your address to.

In my opinion, being careful on the forum is not especially necessary (even if I actively support the principle you defend in this post), because I am sure that a lot of members can be already linked to a deposit/withdrawal made from a CEX via an address they posted here. Even with all the effort, the CEX will cooperate with law enforcement if necessary, and the efforts to protect themselves here will have been for nothing.
legendary
Activity: 3556
Merit: 7011
Top Crypto Casino
I'm nearly almost relatively 86.72% convinced that if law enforcement needed to track down a member of bitcointalk, they wouldn't need a trail of pizza-sized breadcrumbs to do it (except for Satoshi, apparently).  Nor does Chipmixer even stand out in my mind as anything special in terms of crypto debacles aside from the fact that I and many others didn't know what was *apparently* happening, or what would happen.

Part of me thinks this has become such a big deal on the forum because their signature campaign was extremely selective and had a lot of not only excellent posters but trusted members as well, and they like to see them get a sort-of comeuppance.  Like Schadenfreude, you know?

Or maybe that's me just being my misanthropic self again.  Nasty mindset to get out of, let me tell you.
hero member
Activity: 882
Merit: 792
Watch Bitcoin Documentary - https://t.ly/v0Nim
I'm not losing my account, but many people do. And when it happens, for instance because someone gains access and changes the password, it's good to have a recovery option. That's one of the reasons I staked an address.
Note that "recovery options" are often a risk factor on their own. If a service uses SMS for recovery, gaining access to your phone is enough to gain access to that service. That's why I prefer not to enable recovery options, although a signed Bitcoin message is safe enough for me. If anyone gets access to my wallet, they have access to my forum account already.
I know that many people do lose their accounts but here we talk about improved security.
If a service uses SMS for recovery, that means that you have to leak your mobile number. Yeah, it doesn't need to be actually your phone number but I would avoid it. And I don't understand how someone can gain access to your phone that way? What does the SMS recovery option have to do with your phone access?

If you use bitcoin address without transactions just for signing a message, okay but if you use it for transactions, I don't think your info is safe.

Quote
I have a lot of different passwords, strong ones with a combination of random characters, uppercases, numbers and special characters. I memorize them, type them regularly very frequently
I only remember a few passwords, but I use hundreds of different ones. Most of them look like "(f#L!{p[oKGzz[2aV$'[P6!n$", and I'm not even going to try to remember them.
That's the type of password everyone should be using. It's your choice if you try to remember them or not but believe me, if you try, that's not difficult to remember. Type that hard password frequently for months, for a year and then you'll realize that you have memorized it so well that you can type it with your eyes closed.

Tor without VPN is a bad idea, you should hide your Tor activity from your ISP. It's always a good idea to use Qubes OS, a Linux distribution instead of Windows and combine it with a good VPN and Tor. I'll use this moment and share a List of VPN Service Providers - 2023
A VPN is a central point of failure potential spying, so that's why I do not blanketly recommend  using VPNs. They have their use cases, but may not be a good idea for everyone.
Is it a better idea to show your ISP that you are using Tor? Don't you think it's alarming? You may use Tor just for your privacy but a lot of people use it for illegal activities, your ISP doesn't care what your actual purpose is, you are under their radar.
sr. member
Activity: 854
Merit: 424
Playbet.io - Crypto Casino and Sportsbook
Forgot about Orbot that is useful if you need Tor for other things than only web browsing.

https://support.torproject.org/tormobile/
Another common mistake is using a few different passwords, and not remembering which one is used where. So when trying to get access, those people try all passwords they know  until one of them works, without realizing they've just compromised them all.
They can use password generator to have unique, fresh passwords and must be aware how weak their previous passwords are.
[GUIDE] How to Create a Strong/Secure Password
Are Your Passwords in the Green?


Dumb question

Anyone know how to use two features on mobile
New identity: Ctrl+Shift+U
New Tor circuit for this site: Ctrl+Shift+L
The second one is important because when you use Tor, sometimes it sucks and if you close it, you lose your post content.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
As people tend to have dozens to hundreds of accounts, if you can memorize all of your passwords, they are either:
  • Not distinct enough (i.e. not a fresh one per account)
  • Not independent enough (e.g. you have a 'master password' with numbers at the end or something like that)
  • Not random enough (e.g. you use real words)
Another common mistake is using a few different passwords, and not remembering which one is used where. So when trying to get access, those people try all passwords they know  until one of them works, without realizing they've just compromised them all.
hero member
Activity: 924
Merit: 5943
not your keys, not your coins!
You know what got to me? Saying ""motivated by recent events" and a straight forward list of guidance to stay anonymous in order to conduct criminal activity [emphasis mine] and pay a few bucks to a few shills so that they could defend your nefarious shenanigans for years"".
And the fact that someone else posted: "well too late  Sad "
A sad fucking emoji, really? I guess we should keep our identities safe from criminals like you guys, because your behaviour is more scary than of that of black op unit members. What is wrong with you?
You must be really biased, otherwise I see no way how you can misinterpret my reference to recent events and the topic as a whole so badly.

It's also sad to see forum members buy into this 'privacy = criminal' misinformation campaign. Privacy should be a fundamental human right for everyone. It has nothing to do with criminal activity.. sigh. Next time you are going to tell me Bitcoin is only for criminals, because it is pseudonymous? We should tie our real identities to our Bitcoin address if we have nothing to hide? Why do you use new addresses for different payments, are you a criminal?

The Privacy Culture Manifesto

should generally forget about everything that is convenient:
~snip~
This is a common fallacy. Limiting the amount of data you leak to the world is always good for your privacy; there is no black-or-white, no 'private' and 'unprivate'. The more you share, the lower your privacy; it is a gradient, a spectrum.

I don't get it, why should you lose your account? Set a difficult password, write it down, type it a lot of times, a lot of times that will definitely imprint it into your muscle memory and then you'll write it down with your eyes closed.
Ask the millions of people resetting passwords every day.. Wink This is also off-topic. Of course you don't need account recovery if you properly stored your password, I know. But things can go south (house burnt down, password manager hacked, whatever) and you may still have access to your Bitcoin keys. The staked address is just one extra layer of security.

Doesn't that break rule number one?
Obviously don't use an address tied to your identity. You do know you can create 'sub-wallets' under a certain seed by using derivation paths and passphrases, for instance.

Tor without VPN is a bad idea, you should hide your Tor activity from your ISP. It's always a good idea to use Qubes OS, a Linux distribution instead of Windows and combine it with a good VPN and Tor. I'll use this moment and share a List of VPN Service Providers - 2023
A VPN is a central point of failure potential spying, so that's why I do not blanketly recommend  using VPNs. They have their use cases, but may not be a good idea for everyone.

Newbies may not know, Tor is available for Android too.  Smiley

Download its Android version https://www.torproject.org/download/#android

Reference
Retention /Privacy info

Delete your PMs and back them up on your own
https://bitcointalksearch.org/topic/--5284282
They're "personal messages", not "private messages". Wink
Thanks, adding this to OP!

Quote
I have a lot of different passwords, strong ones with a combination of random characters, uppercases, numbers and special characters. I memorize them, type them regularly very frequently
I only remember a few passwords, but I use hundreds of different ones. Most of them look like "(f#L!{p[oKGzz[2aV$'[P6!n$", and I'm not even going to try to remember them.
I agree with Loyce. You should have a different password for each account and they should look like that (no regular words, no dates etc.), absolutely. As people tend to have dozens to hundreds of accounts, if you can memorize all of your passwords, they are either:
  • Not distinct enough (i.e. not a fresh one per account)
  • Not independent enough (e.g. you have a 'master password' with numbers at the end or something like that)
  • Not random enough (e.g. you use real words)
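
The three failure modes listed above, together with the thread's passphrase-versus-random-characters question, as an added Python example that is not part of any post. The function names, the 16-word list and the sample accounts are constructed assumptions; the entropy figures apply only to secrets drawn uniformly at random, so a sentence a person makes up cannot be scored this way.

```python
import math
import secrets
import string
from collections import defaultdict

PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
TRAILING = string.digits + string.punctuation

# Constructed 16-word list for the demo; real passphrase lists are far larger
# (a 7776-word diceware list gives about 12.9 bits per word instead of 4).
SAMPLE_WORDS = ["water", "salt", "sugar", "granny", "wool", "wrench", "onion",
                "forum", "merit", "pizza", "ledger", "orbit", "velvet", "cactus",
                "harbor", "tundra"]

# Constructed accounts; the two password shapes are the ones quoted in the thread.
SAMPLE_ACCOUNTS = {
    "forum": "Waterwithsaltandsugar!1",
    "exchange": "Waterwithsaltandsugar!1",
    "email": "Waterwithsaltandsugar!2",
    "wallet": "(f#L!{p[oKGzz[2aV$'[P6!n$",
}

def entropy_bits(choices, picks):
    """Entropy of `picks` independent, uniformly random draws from `choices` options."""
    return picks * math.log2(choices)

def words_needed(target_bits, list_size):
    """Random words required from a list of `list_size` to reach `target_bits`."""
    return math.ceil(target_bits / math.log2(list_size))

def random_password(length=25):
    """Fresh password from the OS CSPRNG over all 94 printable ASCII symbols."""
    return "".join(secrets.choice(PRINTABLE) for _ in range(length))

def random_passphrase(words, count):
    """Passphrase of `count` words, each picked independently by the CSPRNG."""
    return " ".join(secrets.choice(words) for _ in range(count))

def _base(password):
    """Password with trailing digits and punctuation removed, lower-cased."""
    return password.rstrip(TRAILING).lower()

def audit(accounts, dictionary, min_base=4, min_word=4):
    """Flag accounts per failure mode: reuse, shared 'master' base, real words."""
    by_password, by_base = defaultdict(set), defaultdict(set)
    for account, pw in accounts.items():
        by_password[pw].add(account)
        by_base[_base(pw)].add(pw)
    report = {"reused": [], "shared_base": [], "dictionary_words": []}
    for account, pw in accounts.items():
        base = _base(pw)
        if len(by_password[pw]) > 1:                           # not distinct
            report["reused"].append(account)
        if len(base) >= min_base and len(by_base[base]) > 1:   # not independent
            report["shared_base"].append(account)
        if any(len(w) >= min_word and w in pw.lower() for w in dictionary):
            report["dictionary_words"].append(account)         # not random
    return {k: sorted(v) for k, v in report.items()}

if __name__ == "__main__":
    print("25 random printable chars:", round(entropy_bits(len(PRINTABLE), 25), 1), "bits")
    print("4 random diceware words:  ", round(entropy_bits(7776, 4), 1), "bits")
    print("diceware words for 128 bits:", words_needed(128, 7776))
    print("fresh password:  ", random_password())
    print("fresh passphrase:", random_passphrase(SAMPLE_WORDS, 6))
    for finding, names in audit(SAMPLE_ACCOUNTS, SAMPLE_WORDS).items():
        print(finding, "->", names)
```
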
legendary
Activity: 1596
Merit: 1288
The forum is not only central, but:

Quote
Bitcointalk.org is in US jurisdiction, and is subject to US subpoenas, wiretap orders, preservation orders (which would negate the above retention rules), and similar. Furthermore, our service providers could also be subject to similar orders without our knowledge. Note that we consider PMs to require a warrant in order to be released.

You can read more in the privacy page https://bitcointalk.org/privacy.php

In short, all the data that you share here, I assume that everyone knows it, because the IP addresses, your private messages, etc. can all be reviewed by the administrators.
Using a centralized platform wallet, social media accounts, keeping cookies, javascript enable etc. are all things that help identify you.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
I tested the Tor browser, it loads this forum fast (I may update the desktop version to test it too). But one of the reasons I prefer my browser is because it does not log me out, it keeps the tabs I have opened before intact
Tor browser can do that too, but it ticks "Always use private browsing mode" by default.

I don't get it, why should you lose your account? Set a difficult password, write it down, type it a lot of times, a lot of times that will definitely imprint it into your muscle memory and then you'll write it down with your eyes closed.
I'm not losing my account, but many people do. And when it happens, for instance because someone gains access and changes the password, it's good to have a recovery option. That's one of the reasons I staked an address.
Note that "recovery options" are often a risk factor on their own. If a service uses SMS for recovery, gaining access to your phone is enough to gain access to that service. That's why I prefer not to enable recovery options, although a signed Bitcoin message is safe enough for me. If anyone gets access to my wallet, they have access to my forum account already.

Doesn't that break rule number one?
Stake an unused address.
sr. member
Activity: 854
Merit: 424
Playbet.io - Crypto Casino and Sportsbook
Newbies may not know, Tor is available for Android too.  Smiley

Download its Android version https://www.torproject.org/download/#android

Reference
Retention /Privacy info

Delete your PMs and back them up on your own
https://bitcointalksearch.org/topic/--5284282
They're "personal messages", not "private messages". Wink
legendary
Activity: 1064
Merit: 1228
Playgram - The Telegram Casino
  • Do not post privately identifiable information about yourself.
  • Do not post information that ties your Bitcointalk identity to other online identities.
  • Use a dedicated Email address for your Bitcointalk account.
  • Opt into limited IP retention.
  • Use Tor Browser to access Bitcointalk.
  • Bookmark your personal Captcha Bypass URL to avoid JavaScript and connection to Google (as well as the hassle of solving those).
  • Stake your Bitcoin address for account recovery (since IP-based won't work now).
  • Ironically: mix, tumble, CoinJoin or submarine-swap your campaign funds to a Lightning wallet. Anything that improves your on-chain privacy.
Thanks for your advice, I think I've put most of your points into practice so far.
While this may seem too late for someone, it's always a good reminder that privacy is important. Many people may forget that posting something detrimental to their privacy in the forum is basically detrimental to them. So I think it's wise to consider not posting things that you might not want to keep forever on the internet, even if they don't seem that serious today.

Online wallet, one email for all services, one password for all services - this is the harsh reality of most crypto users.
You might be able to exclude some users who care a lot about privacy, but not most crypto users in general.
hero member
Activity: 882
Merit: 792
Watch Bitcoin Documentary - https://t.ly/v0Nim
Your IP-address can be used for account recovery purposes. If it's no longer stored, you'll need an alternative.
I don't get it, why should you lose your account? Set a difficult password, write it down, type it a lot of times, a lot of times that will definitely imprint it into your muscle memory and then you'll write it down with your eyes closed.

I don't get it why it's so hard for people to memorize things, I don't think I am the only exception who can memorize things easily. I have a lot of different passwords, strong ones with a combination of random characters, uppercases, numbers and special characters. I memorize them, type them regularly very frequently and then I know it so well that I can type it very quickly with my eyes closed.
But it's okay, if people can't remember their passwords, then they shouldn't follow my advice. But they should find safer ways, i.e. write it down and save in a safe place without underlying the website this password belongs to, I wouldn't even mention that it's a password and shouldn't focus on recovery options if they want to be more anonymous.

Doesn't that break rule number one?

Tor without VPN is a bad idea, you should hide your Tor activity from your ISP. It's always a good idea to use Qubes OS, a Linux distribution instead of Windows and combine it with a good VPN and Tor. I'll use this moment and share a List of VPN Service Providers - 2023
legendary
Activity: 1512
Merit: 4795
Leading Crypto Sports Betting & Casino Platform
March 19, 2023, 02:41:56 PM
#9
@Ratimov
Privacy is a matter of choice. You can be private in some areas and not private in some areas. It all depends on how you want it. You may as well not want to be private.

I work more on my mobile device on this forum, I tested the Tor browser, it loads this forum fast (I may update the desktop version to test it too). But one of the reasons I prefer my browser is because it does not log me out, it keeps the tabs I have opened before intact and also the dark mode. I like the dark mode at night.

But if privacy is advised on this forum, I think it is a good thing.

Ways to privacy is not easy, but people that are very rich in bitcoin or other crypto should be concerned about privacy. Nobody can be 100% private, but they may prefer to have privacy in one area or the other.
copper member
Activity: 1330
Merit: 899
🖤😏
March 19, 2023, 02:19:12 PM
#8
only lightning, only mixers, only a new address on every transaction. Cheesy Such sweet self-care bordering on paranoia. Smiley

Well since using lightning contradicts with privacy advices mentioned, means an obvious shill. Mixing as mentioned in OP, is good to hide campaign earnings, as advised in OP, but using change addresses is absolutely a brilliant financial security advice, don't mix them with other things, some people might be blinded by greed but they are not stupid.
copper member
Activity: 1330
Merit: 899
🖤😏
March 19, 2023, 01:49:05 PM
#7
Ok, let me get this straight, you guys are unhappy that a criminal was busted and you lost your few bucks of an income and now are trying to help future criminals on how to stay under the radar?
I mean who gives a fack about your identity if you are not Satoshi or a criminal/ financial terrorist/ scammer?
You know what got to me? Saying ""motivated by recent events" and a straight forward list of guidance to stay anonymous in order to conduct criminal activity and pay a few bucks to a few shills so that they could defend your nefarious shenanigans for years"".
And the fact that someone else posted: "well too late  Sad "
A sad fucking emoji, really? I guess we should keep our identities safe from criminals like you guys, because your behaviour is more scary than of that of black op unit members. What is wrong with you?
hero member
Activity: 924
Merit: 5943
not your keys, not your coins!
March 19, 2023, 01:44:03 PM
#6
~
You can argue that using your default web browser is more convenient, I'm not denying that. This is not a topic about the most convenient way to access Bitcointalk or a place to discuss the convenience of Tor browser.. Grin

Everyone has something to hide.

Apparently I have nothing, since I use Opera. Cheesy
It is good for you that all opinions you express and all actions you do online are now and forever will be legal, but that is a relatively rare and risky assumption.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
March 19, 2023, 01:36:09 PM
#5
or those who have something to hide.
Everyone has something to hide.

Quote
I don't understand how this relates to privacy. How does this relate to my privacy? It's more of a security issue.
Your IP-address can be used for account recovery purposes. If it's no longer stored, you'll need an alternative.
hero member
Activity: 924
Merit: 5943
not your keys, not your coins!
March 19, 2023, 01:35:17 PM
#4
Well, too late Sad And that's the thing with privacy: once it's gone, you can't get it back.
Not sure; for some people and some privacy goals, it may be 'too late' to follow this advice, others are doing at least some of the steps outlined here, already.

While the second statement is true, it is important to note that data 'ages'. What I mean by that: your primary email address may change, your physical location may change, the list goes on. A record of your personal information from 2019 may be mostly worthless today. The information may all be wrong by now.

Privacy is not my ultimate priority but who really needs should practice all the points mentioned by OP to achieve it.
I noticed that you are advertising for Roobet; a mostly unregulated crypto casino registered in Curacao. It may be desirable for your real identity not to be linked to Roobet, due to obvious reasons.

TOR is terribly inconvenient, I'd rather continue to use Opera. Most users do not need it at all, as well as its use
I disagree; you should try it out. In my experience, websites did load pretty slowly a few years back. But nowadays, it has gotten a lot better, especially if the website doesn't need JavaScript and doesn't use lots of graphics (like Bitcointalk).

this option is more suitable for those who are completely turned on privacy or those who have something to hide.
Everyone has something to hide. For example their affiliation with crypto casinos. Others earn money online without declaring it to the taxman. And even others post their opinions freely on here, meanwhile those opinions aren't legal to post in the country they're living in. Lots of reasons, scenarios and risk profiles. In general, you probably want to better be safe than sorry.

There is a strong opinion that privacy is a myth, and if really want to, will still find you.
I'm not arguing that my recommendations fully protect you if you are a highly sought-after criminal, but it's a 'bare minimum' that can go a long way.

I don't understand how this relates to privacy. How does this relate to my privacy? It's more of a security issue.
If you hide your IP and use the privacy measures mentioned, you cannot restore your password by e.g. sending a message from the IP you last logged in with. I think that's what the warning in the Bitcointalk account settings hints at, so I wanted to present an alternative in case that ever happens to someone.
hero member
Activity: 2366
Merit: 793
Bitcoin = Financial freedom
March 19, 2023, 12:13:50 PM
#3
Avoid using your real name as username because some members used to register with their own name and few of them managed to get them changed by requesting theymos but in future it should be avoided.

I used Tor for accessing Bitcointalk, but even though the forum UI is simple, it still feels laggy while clicking a thread or posting, so I am mostly using Chromium, but only on my personal devices. I have never logged in from any other device, and I am also using the always-logged-in feature, so the captcha doesn't bother me much.

Privacy is not my ultimate priority but who really needs should practice all the points mentioned by OP to achieve it.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
March 19, 2023, 12:11:27 PM
#2
Well, too late Sad And that's the thing with privacy: once it's gone, you can't get it back.

When I started with Bitcoin, I was bright enough to use a random generator to create a username. But I now realize that isn't enough, and I never expected to use it this long. By now I've also used it on other sites. I can't take that back without giving up everything I've done in the past 8 years, and being a Newbie again. So having a reputation doesn't go with having privacy.
hero member
Activity: 924
Merit: 5943
not your keys, not your coins!
March 19, 2023, 11:42:24 AM
#1
Motivated by recent events [1-2], I decided to compile a list of sensible advice that forum users can take to improve their privacy. More suggestions are of course welcome!

To be clear: Bitcointalk is a centralized forum, whose operator(s) may or may not [3] have to hand out IP addresses and other personally identifiable information in the worst case. Full IP addresses and geolocation data are retained for months or even years. Your posts are [4-6] archived basically forever.

  • Do not post privately identifiable information about yourself.
  • Do not post information that ties your Bitcointalk identity to other online identities.
  • Use a dedicated Email address for your Bitcointalk account.
  • Opt into limited IP retention.
  • Use Tor Browser to access Bitcointalk.
  • Bookmark your personal Captcha Bypass URL to avoid JavaScript and connection to Google (as well as the hassle of solving those).
  • Stake your Bitcoin address for account recovery (since IP-based won't work now).
  • Ironically: mix, tumble, CoinJoin or submarine-swap your campaign funds to a Lightning wallet. Anything that improves your on-chain privacy.



I am aware that Tor is not perfect and not entirely untraceable and that better privacy measures do exist, but these should provide you with relatively good privacy at little 'extra cost'. Especially with that captcha code, and the lightweight nature of the forum without lots of fancy, big graphics, it is extremely usable through Tor.



Tor Browser exists for Windows, MacOS, Linux, but also Android!
https://www.torproject.org/download/#android

For iOS, 'Onion Browser' exists and is recommended by the Tor Project:
https://onionbrowser.com/

[1] https://bitcointalksearch.org/topic/m.61920144
[2] https://bitcointalksearch.org/topic/m.61916953
[3] https://bitcointalk.org/privacy.php
[4] https://ninjastic.space/search
[5] https://loyce.club/archive/posts/
[6] https://archive.today