
Topic: How safe are offline wallets? (Read 442 times)

legendary
Activity: 2212
Merit: 7064
December 05, 2022, 03:25:21 PM
#30
I've noticed that Trezor and Ledger are the most common ones; are there any others that can compete with them?
There are many other hardware wallets and I would say they have more advantages compared to these two devices.
If you want a true offline wallet then you should go for airgapped options like Passport and Keystone, they are open source and they don't have any cable connection with computers.
I believe that Keystone still has big discounts around 30% to 40%, and that is one of the best deals for hardware wallets I ever saw.
I created the topic Open Source Hardware Wallets and you can find more information there.

Thanks again for your detailed responses. I'm only interested in Bitcoin, thus the basic version of Trezor is more than enough, and quite affordable at the same time.
Passport is a Bitcoin-only hardware wallet, and Keystone has the option to choose Bitcoin-only firmware or multi-coin firmware.
I think that Trezor also added an option to use it only for storing Bitcoin, and Ledger will never do this because they live from shitcoins.
legendary
Activity: 2730
Merit: 7065
December 05, 2022, 02:34:18 AM
#29
By the way, is it hard to set them up?
No. Keep in mind that hardware wallets are intended to be a good combination of convenience and security, so everything is quite self-explanatory and created for beginners to understand. I don't have a Trezor, but the onboarding process shouldn't be that different from that of Ledger.

You generate a seed, make backups of it, enter the words into the device to test if you wrote them down correctly, and that part is done. Trezor One generates 12-word seeds by default, Ledger generates 24-word seeds for its HWs. One thing that is interesting is that with the Trezor One, the seed words are entered into the software application and not the hardware device itself. With Trezor T and all Ledger wallets, that's not the case. I am not particularly fond of that process, but what can you do.

After that, you need to select a PIN and confirm it. The PIN is used every time you connect the device to your PC to unlock it.
The Trezor Suite should then give you an option to create a standard or a hidden account. The hidden account requires a passphrase. If you remember my post above, I suggested it's recommended to set up at least one passphrase for your Trezor to increase your security.

Before you send any money to your Trezor, make sure you wrote down your seed words correctly. Generate a BTC address and save it somewhere. Then reset your device, recover it from seed, and check if you still get the same address in the same account that you saved earlier. They must match. Alternatively, you can send some pocket change to it and then send it back to a wallet outside of Trezor just to check everything is working as it should. Once that is done, you move the bigger bags of your BTC to your HW.   
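Why the reset-and-recover test in the post above works, as an added example (not part of the original post and not Trezor's code): on a BIP39 device the wallet root is a deterministic function of the seed words and the passphrase, so one wrong word or a mistyped passphrase silently produces a different wallet. `wallet_id` and `recovery_check` are hypothetical helpers standing in for the saved-address comparison; the mnemonic is the published BIP39 test vector.

```python
import hashlib
import hmac
import unicodedata

# Order of the secp256k1 group; a BIP32 master key must lie in [1, N-1].
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

# Published BIP39 test mnemonic (publicly known, never use it for funds).
TEST_MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
                 "abandon abandon abandon abandon abandon about")


def bip39_seed(mnemonic, passphrase=""):
    """BIP39: PBKDF2-HMAC-SHA512, 2048 rounds, salt = "mnemonic" + passphrase."""
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode("utf-8"),
                               salt.encode("utf-8"), 2048, dklen=64)


def bip32_master(seed):
    """BIP32 root: HMAC-SHA512 keyed with b"Bitcoin seed" -> (key, chain code)."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    key, chain_code = digest[:32], digest[32:]
    if not 0 < int.from_bytes(key, "big") < SECP256K1_N:
        raise ValueError("seed yields an invalid master key")
    return key, chain_code


def wallet_id(mnemonic, passphrase=""):
    """Hypothetical helper: short fingerprint of the wallet root.

    Stands in for the receive address the post tells you to save; a real
    address additionally needs secp256k1 point multiplication, omitted here.
    """
    key, chain_code = bip32_master(bip39_seed(mnemonic, passphrase))
    return hashlib.sha256(key + chain_code).hexdigest()[:16]


def recovery_check(saved_id, backup_words, passphrase=""):
    """True only if the written-down backup rebuilds the same wallet root."""
    return hmac.compare_digest(saved_id, wallet_id(backup_words, passphrase))


if __name__ == "__main__":
    # Step 1: note the identifier of the wallet you just created.
    saved = wallet_id(TEST_MNEMONIC, "correct horse")  # constructed passphrase

    # Step 2: after the reset, recover from what is actually on paper.
    cases = {
        "exact backup": (TEST_MNEMONIC, "correct horse"),
        "one word miscopied": (TEST_MNEMONIC.replace("about", "above"),
                               "correct horse"),
        "passphrase typo": (TEST_MNEMONIC, "Correct horse"),
        "passphrase forgotten": (TEST_MNEMONIC, ""),
    }
    for label, (words, phrase) in cases.items():
        ok = recovery_check(saved, words, phrase)
        print(f"{label:22s} -> {'match' if ok else 'DIFFERENT WALLET'}")
```

None of the failing cases raises an error at the derivation step: the result is simply a different, empty wallet, which is why the comparison against a saved address has to happen before any large amount is deposited.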
hero member
Activity: 1680
Merit: 845
December 04, 2022, 03:49:30 PM
#28
~Snipped~
Thanks again for your detailed responses. I'm only interested in Bitcoin, thus the basic version of Trezor is more than enough, and quite affordable at the same time. I don't think there's any reason to look anywhere else, since Ledger and Trezor are the leading competitors. By the way, is it hard to set them up?
It's interesting to notice how much hardware wallets have increased in price since the creation of that thread.
Hasn't the price of everything? Lol.

It really depends on what I do. If I end up buying a desktop, I'll still need the laptop when I'm away. On the other hand, if I end up buying another laptop, then it could be used as an airgapped device.
Fair enough. A good argument for a hardware wallet instead then. You could always wait another 9 years until your next new computer and then use your old old one as an airgapped wallet.
Of course it has, it just surprised me how cheap they actually were back then. I actually bought my laptop two years ago, but it's a refurbished machine dating back to 2013, bought it dirt cheap during Covid.
legendary
Activity: 2730
Merit: 7065
December 04, 2022, 02:50:29 AM
#27
Thank you for your extremely detailed response. It contains a great deal of information that I wouldn't find otherwise. Based on the information you've provided, I'd go for Trezor, as it sounds like a safer option. I'll look into others as well, but I'm mostly heading towards Trezor. It's interesting to notice how much hardware wallets have increased in price since the creation of that thread.
Good choice. Trezor has been around for ages and their Trezor One is the first ever hardware wallet. Putting aside the design fault I talked about previously, it's still a great keeper of your private keys if you spend some more time to secure it. If you are only thinking of keeping BTC on it, you can install the Bitcoin-only firmware. You don't even have to go for the more expensive T model. Model T supports Shamir's Secret Sharing, more altcoins, and some more modern features. 

I personally like what Foundation Devices is doing with their Passport HW, but for me, it's still a relatively new device. I think they only sold a few thousand devices in total compared to Trezor that sold 2 million or Ledger with 5. Ledger and Trezor have surely been scrutinized much more and have had more eyes checking up on them than Passport has. That alone is enough for me to wait a little bit before storing any serious coins onto a Passport.

Before I get attacked with the "Foundation is open-source and you can check everything" responses, no I can't. I can't check the code, and neither can many of those who use that argument. I am not talking about verifying the builds and ensuring the codebase is identical to what is publicly available, or using Wallet Scrutiny for the job. Everyone can do that by following a set of instructions. I am talking about sitting down and going through the code and understanding what it does. Since many can't do that, we rely on others who can. We hope and trust they did a good job.

I recently posted an article where researchers claimed that it takes on average a year to fix vulnerabilities in open-source software. Some previous examples have shown that faulty code was public for 800-1000 days before someone found out there were vulnerabilities and had them fixed. So if I have a choice of using a Trezor, released in 2013/2014, or a Passport, which came out in 2021 (I think), it's clear to me who the favorite is. And it's clear to me which one has been out there longer, has been used more by the community, and has had all sorts of attacks attempted against it.
legendary
Activity: 2268
Merit: 18711
December 03, 2022, 03:29:20 PM
#26
It's interesting to notice how much hardware wallets have increased in price since the creation of that thread.
Hasn't the price of everything? Lol.

It really depends on what I do. If I end up buying a desktop, I'll still need the laptop when I'm away. On the other hand, if I end up buying another laptop, then it could be used as an airgapped device.
Fair enough. A good argument for a hardware wallet instead then. You could always wait another 9 years until your next new computer and then use your old old one as an airgapped wallet.
hero member
Activity: 1680
Merit: 845
December 03, 2022, 02:56:01 PM
#25
~Snipped~
Thank you for your extremely detailed response. It contains a great deal of information that I wouldn't find otherwise. Based on the information you've provided, I'd go for Trezor, as it sounds like a safer option. I'll look into others as well, but I'm mostly heading towards Trezor. It's interesting to notice how much hardware wallets have increased in price since the creation of that thread.
But if you are buying a new one because your old one is getting very slow as you said above, then surely your old one then becomes the perfect candidate for an airgapped wallet? You don't need it anymore once everything is transferred to your new one, and the fact that the hardware is outdated is irrelevant for running something as simple as an airgapped Electrum wallet. You can format it and load any lightweight Linux distro to keep hardware demands to an absolute minimum, and then the only piece of software you need to install on top of that is Electrum itself. Plus if it's an old device you aren't going to use anyway, then there are no issues with you opening it up and removing the WiFi module.
My main concern is that it's not that slow to render it unused. It's a 2013 refurbished laptop, but it runs quite decently for its age. It really depends on what I do. If I end up buying a desktop, I'll still need the laptop when I'm away. On the other hand, if I end up buying another laptop, then it could be used as an airgapped device.
legendary
Activity: 2268
Merit: 18711
December 03, 2022, 08:53:59 AM
#24
Buying a new computer was already on the schedule, but honestly, completely isolating it isn't always possible, and in my case, it probably isn't, because a functioning laptop is always handy.
But if you are buying a new one because your old one is getting very slow as you said above, then surely your old one then becomes the perfect candidate for an airgapped wallet? You don't need it anymore once everything is transferred to your new one, and the fact that the hardware is outdated is irrelevant for running something as simple as an airgapped Electrum wallet. You can format it and load any lightweight Linux distro to keep hardware demands to an absolute minimum, and then the only piece of software you need to install on top of that is Electrum itself. Plus if it's an old device you aren't going to use anyway, then there are no issues with you opening it up and removing the WiFi module.
legendary
Activity: 2730
Merit: 7065
December 03, 2022, 02:40:18 AM
#23
I've noticed that Trezor and Ledger are the most common ones; are there any others that can compete with them?
There is a long list of hardware wallet manufacturers but Trezor and Ledger are surely the two most popular and most sold brands in this industry.

Ledger has had its problems in recent years, particularly with the data leaks and battery issues with the Nano X. The Nano S Plus doesn't have an internal battery, so if that is your choice, you don't need to worry about that. You should know that all Nano HWs are closed-source due to the firmware and secure element chips found in them. That's a big no-go for many people, so take that into account when you make your decision. But all of that hasn't stopped Ledger from taking 1st place as the world's most sold hardware wallet. They have superior marketing compared to the competition.

Trezor on the other hand is completely open-source. One reason for that is because they don't have a secure element component like Ledger. If they had, they wouldn't be. That makes the device a little more vulnerable to physical attacks if the culprit knows what they are doing. Trezor wallets have been hacked in the past where attackers have successfully gotten PIN codes and seeds extracted. Those vulnerabilities can't be resolved, but they can be mitigated. If you plan on buying a Trezor, it's recommended to extend your seed with a passphrase and use a secret code stored on a Micro SD card in case of the Trezor T. Trezor knows about this and they are working on a new type of hardware wallet that will be equipped with an almost open-source SE and be designed to once and for all get rid of the mentioned seed extraction vulnerability.

Yes, there is and you can find it here.  [BIG LIST] Hardware wallets (80+)
That list is too big and can be confusing. It also entails HWs that most people haven't even heard of. If you got rid of 90% of the names listed there, it would still be too much.

Here are 3 threads that are better in my opinion:
Open Source Hardware Wallets
AirGapped Hardware Wallets
*Will Hardware Wallet Manufacturers Leak Customer’s Email Data?

* The point of this one is something totally different. I am suggesting it because in the OP there is a list of some of the more popular and known brands.
legendary
Activity: 2492
Merit: 1232
December 02, 2022, 06:32:32 PM
#22
I've noticed that Trezor and Ledger are the most common ones; are there any others that can compete with them?
Yes, there is and you can find it here.  [BIG LIST] Hardware wallets (80+)
You can see the price, supported currencies, and the review.

Always find a legitimate store or an official reseller online store,
hero member
Activity: 1680
Merit: 845
December 02, 2022, 04:55:55 PM
#21
~Snipped~
I actually meant Ledger Nano (S Plus), but I confused both names and combined them into one. I've seen both devices, and during the Black Friday sale, they were a great bargain. An approximate of 50–60 euros isn't a big deal when it comes to protecting your funds and is far safer and more economical than a completely independent computer that is guaranteed to eventually be used for something else too. I'm looking forward to a possible promotion during the Christmas holidays and seeing if there are any decent deals. If not, I'll just purchase it at full price; it isn't that expensive.

I've noticed that Trezor and Ledger are the most common ones; are there any others that can compete with them?
legendary
Activity: 2730
Merit: 7065
December 02, 2022, 02:54:40 AM
#20
During the Black Friday special, the most affordable Ledger one Trezor One cost approximately €50, if I remember correctly.
You probably just made a typo. But yeah, the Trezor One was on sale for €48 if you live outside of the EU (+ possible taxes depending on your country's tax laws) or €55-€56 within the EU. Trezor just made this announcement yesterday introducing a new promotion for Christmas. 50% off for leather accessories (I couldn't care about this) and free delivery worldwide. I tried to check it out, but I don't see any price reduction. The EU price is €82 and around €70 for deliveries outside of the EU. I think those were the standard rates before the Black Friday promos began.

Buying a new computer was already on the schedule, but honestly, completely isolating it isn't always possible, and in my case, it probably isn't, because a functioning laptop is always handy.
I understand what you are saying. Dedicating a laptop just for a bitcoin cold storage is not for everyone. In that case, keep checking for a better promotion to get your hands on a good hardware wallet. The current one from Trezor isn't special compared to what we had a few days ago. But if the price suits you, go ahead.
hero member
Activity: 1680
Merit: 845
December 01, 2022, 02:49:38 PM
#19
~Snipped~
Thank you for your detailed response. I was already planning on buying a new computer because this one is getting rather old and slow. I struggled quite a lot a few months ago when I used more strenuous applications. This is why I considered isolating my older laptop with a Bitcoin wallet. Generally, hardware wallets seem like a decent measure to be on the safe side. During the Black Friday special, the most affordable Ledger one cost approximately €50, if I remember correctly. It sucks to have missed it.
I'm planning to purchase a new laptop or even a desktop computer quite soon, and was actually planning to install the wallet to the old one and isolating it. What happens if the HDD goes bad, though? Backing up the seed phrase enough to recover it from another computer, I guess.
As long as you have the ability to purchase a new computer, buying a hardware wallet will be a better solution if you are the skeptical type or that clicks randomly and explore new applications or download many unknown closed source programs/crackers.

A cold storage management requires some knowledge and keenness, otherwise it is better to purchase hardware wallet.

Finally, being offline does not mean that you are safe. If hacker gets access to the root, he may do a lot of things, so closing the Internet, signing TX, and re-connecting to the Internet does not mean that you are safe.
I guess there isn't such a thing as 100% safety. So far, the hardware wallet option seems to be the safest and most affordable one. Buying a new computer was already on the schedule, but honestly, completely isolating it isn't always possible, and in my case, it probably isn't, because a functioning laptop is always handy.
legendary
Activity: 2702
Merit: 4002
December 01, 2022, 07:06:09 AM
#18
I'm planning to purchase a new laptop or even a desktop computer quite soon, and was actually planning to install the wallet to the old one and isolating it. What happens if the HDD goes bad, though? Backing up the seed phrase enough to recover it from another computer, I guess.
As long as you have the ability to purchase a new computer, buying a hardware wallet will be a better solution if you are the skeptical type or that clicks randomly and explore new applications or download many unknown closed source programs/crackers.

A cold storage management requires some knowledge and keenness, otherwise it is better to purchase hardware wallet.

Finally, being offline does not mean that you are safe. If hacker gets access to the root, he may do a lot of things, so closing the Internet, signing TX, and re-connecting to the Internet does not mean that you are safe.
legendary
Activity: 2730
Merit: 7065
December 01, 2022, 05:11:50 AM
#17
How safe is a wallet like Electrum?
It's safe when used on a completely secure OS operated by a user that knows what they are doing. Ideally, the computer that holds your software wallets (if you insist on using software wallets and not cold storage or hardware wallets) shouldn't be used for general internet surfing or whatever you did that had you download a fake Google Sheets extension. Use it for one purpose only: sending and receiving crypto. Adding new use cases just increases the possibility of something going wrong.

If we suppose that my computer is infected with malware (or a Trojan horse, you name it), can someone access my wallet and send funds to another address?
Is it possible to have the wallet.dat file stolen and accessed even though it's protected with a password?
Depending on the type of infection, someone could get access to your PC and take whatever files they want. They could also encrypt your data and ask you to pay a ransom to have it decrypted. Your keystrokes and display could be recorded to discover what you are typing, like passwords, PINs, etc. A password could be brute forced depending on its strength. "123456" is much easier to hack than "LeT14=hUGo#$".

I generally feel a little paranoid after being infected with a fake Google Sheets extension. I didn't lose anything of value, but I don't feel comfortable having my funds on the computer I'm using...The best option, I guess, is a hardware wallet.
You could have taken advantage of the various Black Friday offers that allowed you to purchase a solid device for $50-$100 if you weren't sick. Too bad. The investment is worth it. We might see new promotions closer to the new year.
legendary
Activity: 3472
Merit: 10611
November 30, 2022, 11:07:32 PM
#16
I'm planning to purchase a new laptop or even a desktop computer quite soon, and was actually planning to install the wallet to the old one and isolating it.
If you are willing to spend money on a computer it may be more convenient to purchase a hardware wallet instead. It is also cheaper.

Another method would be to use a live Linux which you could burn on a DVD to run offline without any network connection or access to hard disks, etc. and then creating the wallet in that environment and writing down the seed phrase on a piece of paper. Of course securing this wallet is harder and spending from it is more complicated compared to using a hardware wallet.
Also: https://bitcointalksearch.org/topic/diybitcoin-cold-wallet-usb-stick-creation-step-by-step-guide-853288

Quote
What happens if the HDD goes bad, though? Backing up the seed phrase enough to recover it from another computer, I guess.
That's right. It is always best to keep multiple backups so that you can reduce the risks of losing funds. Make sure to protect those backups though.
legendary
Activity: 2170
Merit: 1789
November 30, 2022, 07:49:55 PM
#15
The Electrum guide linked by charles might be able to help you get a better picture of how to do it (with pics and stuff like that). I do recommend you to read it. Try to practice it a bit if you're not used to this.

Buying an HW wallet is also a good idea even if it was not discounted imo, but if you already have another device that can run Electrum and you only plan to use Bitcoin, there's no need to rush it. CMIIW.
legendary
Activity: 2380
Merit: 5213
November 30, 2022, 02:21:37 PM
#14
What happens if the HDD goes bad, though? Backing up the seed phrase enough to recover it from another computer, I guess.
Right. All your private keys can be derived from your seed phrase and that's all you need for recovering your wallet.


So, if I understand correctly, backing up the seed phrase on paper, for example, and setting the wallet to watch-only removes the ability to send funds and practically secures your wallet. Thus, in case I want to send Bitcoin to someone, I have to recover my wallet using the seed phrase. Am I correct?
For spending bitcoin from your wallet, you should create an unsigned transaction on your watch-only wallet, sign it on the offline device and broadcast it using your online device.
In this way, you can make a transaction without your seed phrase connecting to the internet.
hero member
Activity: 1680
Merit: 845
November 30, 2022, 02:04:57 PM
#13
Pardon me for not replying for over two days. I was having some health troubles and had some doc appointments and blood tests. Back to the subject now. Thank you for your replies, I'll try to respond to most of them.
I don't feel quite safe or comfortable practically having my bitcoin stored on my computer.
Your bitcoin isn't stored on your computer.  Your bitcoin is on the blockchain and the keys you need to access your bitcoin are on your computer.
Excuse me, wrong selection of words. You're correct.
It's not that Electrum is unsafe - it's that your entire set up is unsafe.

The current version of Electrum has no critical bugs or vulnerabilities which could directly lead to your coins being stolen. In that sense, it is a very safe piece of software. However, it cannot protect you against malicious parties attacking your computer, stealing your wallet file, planting clipboard malware, keyloggers, or other malware, and so on. You are storing funds in a hot wallet and so no wallet software, regardless of how good it is, can possibly mitigate against all potential threats.

I must say that downloading pirated software on the same computer that stores a bitcoin hot wallet is a particularly dangerous move. As is using anything Google related.
Certainly. Electrum is perfectly safe and I have never faced any issues using it. My whole setup of storing my wallet in the computer I use sounds and is absolutely not that safe. I almost got burned once and could have lost a decent sum of money. I won't be that lucky next time.
The correct terminology for a wallet like Electrum is "desktop wallet" not "offline wallet".

The only true security is in cold storage which is where your wallet is created and stored in an air gap environment. The easiest solution is hardware wallets which I consider semi-cold since there still is a small chance to be compromised. The best solution is a completely offline PC that is cut off from the rest of the world.
Sorry, you're correct.

I'm planning to purchase a new laptop or even a desktop computer quite soon, and was actually planning to install the wallet to the old one and isolating it. What happens if the HDD goes bad, though? Backing up the seed phrase enough to recover it from another computer, I guess.
Today is the last day of the Black Friday sale and you can order hardware wallet at a 15-30% discount depending on the brand. Check out this section to find out more: https://bitcointalk.org/index.php?board=261.0
The idea of either buying a HW or buying a new laptop/desktop (which I was already planning to) are the most prevailing ones at the moment. Unfortunately, due to feeling unwell the past few days as explained before, I missed the Black Friday discount.
@Ultegra134, there is an option to still have Electrum on your computer, but at the same time you don't have any risk for your BTC. All you need to do is check whether your backup is correct and in a safe place, and then start the process of creating a watch-only wallet with which you can then have complete insight into your transactions and deposit addresses, but without the risk that you can in any way be hacked.

What you should pay attention to in that case is that if you want to recover the standard wallet again, be especially careful with your seed in the sense that you don't have a keylogger or some other dangerous malware on your PC.
Thanks for the suggestion. So, if I understand correctly, backing up the seed phrase on paper, for example, and setting the wallet to watch-only removes the ability to send funds and practically secures your wallet. Thus, in case I want to send Bitcoin to someone, I have to recover my wallet using the seed phrase. Am I correct?
legendary
Activity: 2212
Merit: 7064
November 28, 2022, 06:26:17 PM
#12
How safe is a wallet like Electrum? If we suppose that my computer is infected with malware (or a Trojan horse, you name it), can someone access my wallet and send funds to another address? Is it possible to have the wallet.dat file stolen and accessed even though it's protected with a password?
It's open source software and it's very safe if you use it correctly.
However, if your computer is infected with any malware then you shouldn't use any bitcoin wallet at all.
Even if you can access your wallet, malware can change your addresses or spy on you in other ways to get your passwords and information.

I generally feel a little paranoid after being infected with a fake Google Sheets extension. I didn't lose anything of value, but I don't feel comfortable having my funds on the computer I'm using. Ever since, I've stopped downloading any pirated software and performed regular checks, but it's still unknown how I got infected. What other options do I have? Using a separate computer or hard drive for my wallet? The best option, I guess, is a hardware wallet.
It is best to use a separate laptop with Linux OS installed, and this device should be used only for Bitcoin related stuff, and if possible offline.
A hardware wallet is the most convenient option, it's like a mini dedicated computer that is great for mobility, but a used laptop can often be cheaper and better than a hardware wallet.
legendary
Activity: 2268
Merit: 18711
November 28, 2022, 09:59:38 AM
#11
No desktop or mobile hot wallet is safe, but I guess we can agree that it is safer to have a watch-only wallet than the standard version on the computer we use every day?
Sure, but simply deleting an already hot wallet and turning it in to a watch only wallet on the same machine isn't that safe, which was the point I was making. In fact, you might even expose yourself to more risk if you are going to have to import your seed phrase in plain text back on to that online computer every time you want to make a transaction, as opposed to having it stored encrypted on the same computer in your wallet file. If you want the real security that a watch only wallet brings you, then the seed phrase/private keys need to have been generated securely in the first place.

I just suggested him a completely free option so that he can sleep somewhat peacefully, but he should definitely think about a relatively cheap investment in a hardware wallet, or even better an airgapped device.
Yeah, this. No amount of tinkering around the edges of a hot wallet will make it safe.