Topic: How safe is an Encrypted Bitcoin core wallet with a strong password? (Read 2340 times)

copper member
Activity: 1498
Merit: 1528
No I dont escrow anymore.
-snip-

If the NSA spends all its resources for a whole week to crack our wallet, nobody can save us..

So please try to discuss what is common, how can a mainstream man protect his wallet?
I am sure these sophisticated trojans won't bother this common man

If the NSA spend all their resources for a whole week to crack your wallet, they'd still be cracking. A properly secured wallet can not be bruteforced, not even by the NSA. They have slightly different ways however:



from: https://xkcd.com/538/ ofc

Zeus is what is (or was, there is better stuff now) after you and your bank accounts. 95% of the world's mail came from botnets for a while. IIRC it's less now, but that should give you an estimate what you are up against. The rest that your anti virus scanner detects is just the crap from last year or something a bored teen put together.
sr. member
Activity: 294
Merit: 250
I am sure these sophisticated trojans won't bother this common man

How can you be so sure?

For example even if I do not use twitter much I got some time ago this tweet claiming "US government trying to shutdown the bitcoin network.": http://www.thewhir.com/web-hosting-news/tweet-claims-us-government-wants-ban-bitcoin-actually-spreading-malware

Did not open the “video” however

hero member
Activity: 756
Merit: 502

Nope, to be safe from keyloggers use something like KeePass [1] which is designed to protect against keyloggers.

If malware hits even KeePass can not protect you. Quoted from KeePass webpage: "For example, consider the following very simple spyware specialized for KeePass: an application that waits for KeePass to be started, then hides the started application and imitates KeePass itself. All interactions (like entering a password for decrypting the configuration, etc.) can be simulated."

Ah yes, didn't think of that. So only a secure OS can.

Quote
"use a portable browser" might be useful, however what is preventing the malicious internet cafe operator to make a copy of all of your data? There might be more interesting stuff. Public computers are not safe.

Again, if the computer is infected, the portable browser offers no protection.
-snip-

Yep that was what I wrote, the 3 tips behind the link were pretty much useless.

It is also possible that malware infects your machine’s BIOS. If it happens then you are in big, big trouble.

Hardware trojans and not even your secure OS can help you. BadBIOS is the one that comes to mind.

If the NSA spends all its resources for a whole week to crack our wallet, nobody can save us..

So please try to discuss what is common, how can a mainstream man protect his wallet?
I am sure these sophisticated trojans won't bother this common man
copper member
Activity: 1498
Merit: 1528
No I dont escrow anymore.

Nope, to be safe from keyloggers use something like KeePass [1] which is designed to protect against keyloggers.

If malware hits even KeePass can not protect you. Quoted from KeePass webpage: "For example, consider the following very simple spyware specialized for KeePass: an application that waits for KeePass to be started, then hides the started application and imitates KeePass itself. All interactions (like entering a password for decrypting the configuration, etc.) can be simulated."

Ah yes, didn't think of that. So only a secure OS can.

Quote
"use a portable browser" might be useful, however what is preventing the malicious internet cafe operator to make a copy of all of your data? There might be more interesting stuff. Public computers are not safe.

Again, if the computer is infected, the portable browser offers no protection.
-snip-

Yep that was what I wrote, the 3 tips behind the link were pretty much useless.

It is also possible that malware infects your machine’s BIOS. If it happens then you are in big, big trouble.

Hardware trojans and not even your secure OS can help you. BadBIOS is the one that comes to mind.
sr. member
Activity: 294
Merit: 250
It is also possible that malware infects your machine’s BIOS. If it happens then you are in big, big trouble.
sr. member
Activity: 294
Merit: 250

Nope, to be safe from keyloggers use something like KeePass [1] which is designed to protect against keyloggers.

If malware hits even KeePass can not protect you. Quoted from KeePass webpage: "For example, consider the following very simple spyware specialized for KeePass: an application that waits for KeePass to be started, then hides the started application and imitates KeePass itself. All interactions (like entering a password for decrypting the configuration, etc.) can be simulated."

Quote
"use a portable browser" might be useful, however what is preventing the malicious internet cafe operator to make a copy of all of your data? There might be more interesting stuff. Public computers are not safe.

Again, if the computer is infected, the portable browser offers no protection.

One possible solution is to boot the computer from a live Linux CD when sensitive data needs to be accessed.
copper member
Activity: 1498
Merit: 1528
No I dont escrow anymore.
I would partially disagree.
They have the password (to something) as you said, but they did not get the wallet.dat
So you have essentially protected the wallet.dat, have you not?


Why not install VirtualBox on the Windows PC. Then use a virtualized Ubuntu installation when you need to access your wallet?

Because it gives you complexity not security. If the host system is infected any virtualisation as protection is useless. While you might be able to fool very simple malware that just searches for the wallet.dat with this, it will not help you against a keylogger. If you type in a password in the VM ware it is still piped through the host OS.

Yes, I would argue against that however that simple malware is not something you need to be concerned about. Most malware today is no longer written by bored, talented teens, but by professionals. Modern malware C&C Servers even have support built in [4]. Thus a search for running VM Ware is routine.

You can easily rename the file type to something else like .wkshw and rename it back to .dat when you need it. They most probably won't spend time to search for a file type like this.

Which -again- only protects you against simple malware. It is not much more difficult to search the file headers instead of the file ending.

I think always using on screen keyboard will make it very safe from keyloggers

Nope, to be safe from keyloggers use something like KeePass [1] which is designed to protect against keyloggers. A screenkeyboard is easily detected and taking a screenshot for each click is something e.g. Zeus [2] does if you want. AFAIK Zeus isn't even the latest shit [3] out there.

Find a simple guide but useful : http://www.vistatalks.net/2009/11/3-simple-tricks-to-prevent-keylogger-from-stealing-your-password/

edit : Search 'prevent keyloggers from grabbing your passwords' in google to get many tips and tricks.

Kindly,
      MZ

"use a portable browser" might be useful, however what is preventing the malicious internet cafe operator to make a copy of all of your data? There might be more interesting stuff. Public computers are not safe.

-snip-
But, when talking about bitcoin, smart hacking tools DON'T EVEN NEED YOUR PASSWORD!
They just need your private keys to steal your money.

Yep.
-snip-
The best way to protect your coins is to NOT GET INFECTED
Just don't install crapware!

"Common sense" is probably the best (sometimes the only) line of defense against malware. Well a secure OS is helping as well.


[1] http://keepass.info/help/base/security.html#secdesktop
[2] https://en.wikipedia.org/wiki/Zeus_%28Trojan_horse%29
[3] https://en.wikipedia.org/wiki/Operation_Tovar
[4] AFAIK it was mentioned here https://www.youtube.com/watch?v=GA7S0JK8o_k - didn't check, it's been a while since I last watched that talk. Watch it. It will make you think different about today's malware.
hero member
Activity: 560
Merit: 509
I prefer Zakir over Muhammed when mentioning me!
Find a simple guide but useful : http://www.vistatalks.net/2009/11/3-simple-tricks-to-prevent-keylogger-from-stealing-your-password/

edit : Search 'prevent keyloggers from grabbing your passwords' in google to get many tips and tricks.

Kindly,
      MZ
hero member
Activity: 602
Merit: 500
In math we trust.
There is no way to be safe from keyloggers.
Of course you can take some measures to limit the possibility of losing your coins.

Use on-screen keyboard, to type your password, or even use a key scrambling software.
That makes it impossible for most keyloggers to record your keystrokes.
Sadly, more sophisticated hacking tools allow to get past the key scrambling and even record
 your screen and send screenshots to the hacker.
But, when talking about bitcoin, smart hacking tools DON'T EVEN NEED YOUR PASSWORD!
They just need your private keys to steal your money.
When your wallet program prompts you to enter password, it does because it needs to decrypt your wallet
to do something (like spend some coins).
When you do this, the wallet gets unencrypted for a very small period of time
which is enough for hackers to dump your private keys.
They can also read them from memory.
The best way to protect your coins is to NOT GET INFECTED
Just don't install crapware!

Using strong passwords only protects from brute-forcing.

End of story.
sr. member
Activity: 294
Merit: 250
I think always using on screen keyboard will make it very safe from keyloggers

Screen keyboard gives you protection against physical keyloggers like this: http://www.amazon.com/Keyllama-4MB-USB-Value-Keylogger/dp/B004ZGXU48. However there exist also keylogger software which can capture also screen keyboard.
hero member
Activity: 560
Merit: 509
I prefer Zakir over Muhammed when mentioning me!
I think always using on screen keyboard will make it very safe from keyloggers

I only use on screen keyboard for simple purposes. How can you type everything in on screen keyboard? Or are you telling that you type passwords and other sensitive data with on screen keyboard?
Kindly,
         MZ
hero member
Activity: 756
Merit: 502
I think always using on screen keyboard will make it very safe from keyloggers
hero member
Activity: 658
Merit: 500
If you have a keylogger, no password is strong enough. Best to use a dedicated machine for bitcoin, and install nothing but your wallet software and no altcoin wallets either.
hero member
Activity: 560
Merit: 509
I prefer Zakir over Muhammed when mentioning me!
Not very if you have a key logger and hacker can somehow retrieve your wallet.dat

It is safer than having an easy to guess password and obviously having no password would be like handing it on a platter.

I would do this (after you have finished with the client each time) Rename wallet.dat to something else, move it out of the normal directory (preferably off the PC). You would still be vulnerable to key logger and 1000 other scenarios, but if someone got access to your PC they might search/scan for wallet.dat and hopefully move on when they can not find it.


And what to do if the keylogger searches for ".wat" in the start bar?

You can easily rename the file type to something else like .wkshw and rename it back to .dat when you need it. They most probably won't spend time to search for a file type like this.

Almost all of the key loggers upload the inputs. I couldn't see any other types of key loggers.
Kindly,
        MZ
legendary
Activity: 3038
Merit: 4418
Crypto Swap Exchange
Not very if you have a key logger and hacker can somehow retrieve your wallet.dat

It is safer than having an easy to guess password and obviously having no password would be like handing it on a platter.

I would do this (after you have finished with the client each time) Rename wallet.dat to something else, move it out of the normal directory (preferably off the PC). You would still be vulnerable to key logger and 1000 other scenarios, but if someone got access to your PC they might search/scan for wallet.dat and hopefully move on when they can not find it.


And what to do if the keylogger searches for ".wat" in the start bar?

You can easily rename the file type to something else like .wkshw and rename it back to .dat when you need it. They most probably won't spend time to search for a file type like this.
full member
Activity: 271
Merit: 100
Not very if you have a key logger and hacker can somehow retrieve your wallet.dat

It is safer than having an easy to guess password and obviously having no password would be like handing it on a platter.

I would do this (after you have finished with the client each time) Rename wallet.dat to something else, move it out of the normal directory (preferably off the PC). You would still be vulnerable to key logger and 1000 other scenarios, but if someone got access to your PC they might search/scan for wallet.dat and hopefully move on when they can not find it.


And what to do if the keylogger searches for ".wat" in the start bar?
legendary
Activity: 910
Merit: 1000
★YoBit.Net★ 350+ Coins Exchange & Dice
I would partially disagree.
They have the password (to something) as you said, but they did not get the wallet.dat
So you have essentially protected the wallet.dat, have you not?


Why not install VirtualBox on the Windows PC. Then use a virtualized Ubuntu installation when you need to access your wallet?

Because it gives you complexity not security. If the host system is infected any virtualisation as protection is useless. While you might be able to fool very simple malware that just searches for the wallet.dat with this, it will not help you against a keylogger. If you type in a password in the VM ware it is still piped through the host OS.
hero member
Activity: 560
Merit: 509
I prefer Zakir over Muhammed when mentioning me!
Why not install VirtualBox on the Windows PC. Then use a virtualized Ubuntu installation when you need to access your wallet?

Because it gives you complexity not security. If the host system is infected any virtualisation as protection is useless. While you might be able to fool very simple malware that just searches for the wallet.dat with this, it will not help you against a keylogger. If you type in a password in the VM ware it is still piped through the host OS.

As it is said earlier, Brute-force attack will be hard. It isn't highly secure but it is good and try to install original OS and search for a way to detect and remove keyloggers from your computer for the preferred OS.
Kindly,
      MZ
copper member
Activity: 1498
Merit: 1528
No I dont escrow anymore.
Why not install VirtualBox on the Windows PC. Then use a virtualized Ubuntu installation when you need to access your wallet?

Because it gives you complexity not security. If the host system is infected any virtualisation as protection is useless. While you might be able to fool very simple malware that just searches for the wallet.dat with this, it will not help you against a keylogger. If you type in a password in the VM ware it is still piped through the host OS.
sr. member
Activity: 294
Merit: 250
Why not install VirtualBox on the Windows PC. Then use a virtualized Ubuntu installation when you need to access your wallet?

full member
Activity: 210
Merit: 100
I mean encrypting wallet with a very strong password and doing this in a freshly installed windows pc.

That will take care of keyloggers right!

Now tell me how safe is such an encrypted wallet
This would take care of keyloggers when you create your password, but would not necessarily take care of keyloggers when you later need to input your password as your computer could potentially become compromised in the future.
legendary
Activity: 2058
Merit: 1452
Not much, Windows is known to have a lot of vulnerabilities, since you are exposed to the internet, you might get a malware. Installing Linux on an offline computer would be significantly safer.
windows does have vulnerabilities, but they're not so bad to the point that connecting a reasonably up-to-date windows machine to the internet will get you infected.
full member
Activity: 153
Merit: 100
How safe is an Encrypted Bitcoin core wallet with a strong password?

Actually it is very very safe if you have strong password, you just have to avoid keylogger which is easy...
legendary
Activity: 3038
Merit: 4418
Crypto Swap Exchange
I mean encrypting wallet with a very strong password and doing this in a freshly installed windows pc.

That will take care of keyloggers right!

Now tell me how safe is such an encrypted wallet
[...]
A fresh Windows will most likely be not fully updated, but unless you use something old (e.g. WinXP without Service packs) you should be fine. It's also unlikely that you "just get a keylogger" as long as you are careful. Careful as in: don't download something from shady sources, don't download any new alt coin wallet just because, etc. pp.
more importantly, make sure your operating system install disk is clean. if you're downloading pirated windows, make sure you check the .iso's checksum against the ones published by microsoft.

Yeah my friend has original win 8, we are planning to fresh install, update it, then install firefox and bitcoin core, then transfer all coins and encrypt with a very strong password.

Now is it safe?
Not much, Windows is known to have a lot of vulnerabilities, since you are exposed to the internet, you might get a malware. Installing Linux on an offline computer would be significantly safer.
hero member
Activity: 756
Merit: 502
I mean encrypting wallet with a very strong password and doing this in a freshly installed windows pc.

That will take care of keyloggers right!

Now tell me how safe is such an encrypted wallet
[...]
A fresh Windows will most likely be not fully updated, but unless you use something old (e.g. WinXP without Service packs) you should be fine. It's also unlikely that you "just get a keylogger" as long as you are careful. Careful as in: don't download something from shady sources, don't download any new alt coin wallet just because, etc. pp.
more importantly, make sure your operating system install disk is clean. if you're downloading pirated windows, make sure you check the .iso's checksum against the ones published by microsoft.

Yeah my friend has original win 8, we are planning to fresh install, update it, then install firefox and bitcoin core, then transfer all coins and encrypt with a very strong password.

Now is it safe?
legendary
Activity: 2058
Merit: 1452
I mean encrypting wallet with a very strong password and doing this in a freshly installed windows pc.

That will take care of keyloggers right!

Now tell me how safe is such an encrypted wallet
[...]
A fresh Windows will most likely be not fully updated, but unless you use something old (e.g. WinXP without Service packs) you should be fine. It's also unlikely that you "just get a keylogger" as long as you are careful. Careful as in: don't download something from shady sources, don't download any new alt coin wallet just because, etc. pp.
more importantly, make sure your operating system install disk is clean. if you're downloading pirated windows, make sure you check the .iso's checksum against the ones published by microsoft.
copper member
Activity: 1498
Merit: 1528
No I dont escrow anymore.
I mean encrypting wallet with a very strong password and doing this in a freshly installed windows pc.

That will take care of keyloggers right!

Now tell me how safe is such an encrypted wallet

What do you want to hear?

10 guesses per second (per core I assume) if you have a password with 12 symbols, which can be any char or number you have
(2*26+10)^12 ~= 3.22*10^21 possible passwords. In order to test them all with a 120 Core CPU you need 3.22*10^21/(1200*60s*60m*24h*365d) ~= 85 billion years. Bruteforce is basically out of the question unless someone has a very short list that happens to have your password in it.

A fresh Windows will most likely be not fully updated, but unless you use something old (e.g. WinXP without Service packs) you should be fine. It's also unlikely that you "just get a keylogger" as long as you are careful. Careful as in: don't download something from shady sources, don't download any new alt coin wallet just because, etc. pp.
hero member
Activity: 756
Merit: 502
I mean encrypting wallet with a very strong password and doing this in a freshly installed windows pc.

That will take care of keyloggers right!

Now tell me how safe is such an encrypted wallet
staff
Activity: 4284
Merit: 8808
The software uses best-practices in handling, it's adaptively strengthened with a cryptographic KDF and salted (and cracks at no faster than 10 per second on the user's CPU)— but users (including myself) stink at producing passwords or if they manage to produce a good one, they can't remember it.

No amount of encryption can protect you from poor passwords, keyboard sniffers, or other local machine compromises... or from forgetting or disk corruption.  The wallet encryption helps against some things, but the rest is up to you currently.
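
Added example (not part of the thread and not Bitcoin Core's code): a sketch of the two points made above, a salted KDF whose iteration count is tuned to the local CPU so each guess costs about a tenth of a second, and the search-time estimate that follows from that guess rate. PBKDF2-HMAC-SHA512 from Python's hashlib stands in for the wallet's KDF; the 0.1 s target, the iteration floor, the function names and the sample passphrases are assumptions made for the illustration.

```python
import hashlib
import os
import string
import time

TARGET_SECONDS = 0.1     # assumption: one derivation costs ~1/10 s, i.e. ~10 guesses/s per core
MIN_ITERATIONS = 25_000  # assumption: floor applied when the probe runs on a very slow machine


def derive_key(passphrase: str, salt: bytes, iterations: int) -> bytes:
    """Stretch a passphrase into a 32-byte key; the salt defeats precomputed tables."""
    return hashlib.pbkdf2_hmac("sha512", passphrase.encode(), salt, iterations, dklen=32)


def calibrate_iterations(target: float = TARGET_SECONDS, probe: int = 50_000) -> int:
    """Time a probe derivation on this CPU and scale the count to reach `target`."""
    start = time.perf_counter()
    derive_key("calibration", os.urandom(16), probe)
    elapsed = time.perf_counter() - start
    return max(MIN_ITERATIONS, int(probe * target / elapsed))


def charset_size(passphrase: str) -> int:
    """Size of the alphabet an exhaustive search must cover for this passphrase."""
    classes = ((string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
               (string.digits, 10), (string.punctuation, 32))
    return sum(n for chars, n in classes if any(c in chars for c in passphrase))


def seconds_to_find(passphrase: str, guess_list: list, guesses_per_second: float) -> float:
    """Worst-case search time: position in a guess list if present, else the full keyspace."""
    if passphrase in guess_list:
        return (guess_list.index(passphrase) + 1) / guesses_per_second
    return charset_size(passphrase) ** len(passphrase) / guesses_per_second


def years(seconds: float) -> float:
    return seconds / (60 * 60 * 24 * 365)


if __name__ == "__main__":
    iterations = calibrate_iterations()
    salt = os.urandom(16)  # stored next to the encrypted key, unique per wallet
    key = derive_key("correct horse", salt, iterations)
    print(f"iterations for ~{TARGET_SECONDS}s per guess: {iterations}, key: {key.hex()[:16]}...")

    rate = 10 * 120  # the thread's figure: 10 guesses/s per core on 120 cores
    common = ["123456", "password1", "qwerty"]  # constructed sample guess list
    for pw in ("password1", "aB3xY9kLm2Qz"):    # constructed sample passphrases
        secs = seconds_to_find(pw, common, rate)
        print(f"{pw!r}: {secs:.3g} s = {years(secs):.3g} years")
```

The KDF only sets the price per guess: the 12-character random passphrase lands at the thread's ~85 billion years, while one that sits in a guess list falls in well under a second at the same rate.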
legendary
Activity: 910
Merit: 1000
★YoBit.Net★ 350+ Coins Exchange & Dice
Not very if you have a key logger and hacker can somehow retrieve your wallet.dat

It is safer than having an easy to guess password and obviously having no password would be like handing it on a platter.

I would do this (after you have finished with the client each time) Rename wallet.dat to something else, move it out of the normal directory (preferably off the PC). You would still be vulnerable to key logger and 1000 other scenarios, but if someone got access to your PC they might search/scan for wallet.dat and hopefully move on when they can not find it.
hero member
Activity: 756
Merit: 502
How safe is an Encrypted Bitcoin core wallet with a strong password?