
Topic: How Strong Is Your Wallet Password? Wallet Backup + How to Avoid Keyloggers! (Read 2702 times)

legendary
Activity: 1400
Merit: 1013
If you have more than a few BTC, anything less than "Best" is unacceptable - that should be your starting point.
If you have more than a few BTC, anything less than offline storage is unacceptable. Passphrases are useless when it comes to protecting against malware.
full member
Activity: 177
Merit: 101
The only way to protect from keyloggers and other spyware is to use offline clients. Passwords only help when your laptop is stolen.
legendary
Activity: 1974
Merit: 1029
Running a linux client in a VM (eg openbox) should be pretty much immune to the copy-paste framegrabbers (provided you turn off the guest-host integration), though not the keyloggers. An on-screen keyboard within the VM should take care of this.

So I must be the only one in the world who switches to the linux tty (you know, that Ctrl-Alt-F1 "trick") to enter the bitcoind password, so only a kernel-level logger can break it, right?  Never seen anyone even mention that Roll Eyes
full member
Activity: 168
Merit: 100
Yeah, if the NSA or LulzSec wants your BTC, you are pretty much boned.

Wrong attitude to have.
Look at what lulzsec (aren't they in prison??) and the NSA would do to get it, and fix the vulnerability.

For example, in my case I use a couple of software repositories that are not official Fedora, so I have to look at the risk of how vulnerable those software repositories are to being coerced into hosting trojans or having their signing key stolen.

For a wallet with a lot of bitcoin, I wouldn't take that risk.
In fact, for a wallet with a lot of bitcoin, the system wouldn't be on-line much.

Make sure you have an appropriate firewall. The firewall in your router is not good enough; they are notorious for having back doors.

The Linux firewall is decent.

Once your network security is taken care of, then think about physical access.

-=-
Point is, don't just give in and figure they are lulzsec or NSA so they can get me if they want me, that's lowering the bar. Raise the bar and do what you can to avoid them.

Many if not most of lulzsec's exploits were the results of laziness, corporations not taking steps to secure known vulnerabilities.
Don't make that mistake.
legendary
Activity: 905
Merit: 1000
I believe that the order of likelihood of losing your entire Bitcoin wallet contents is:

  • Not having any backup at all
  • Forgetting your convoluted password
  • < reserved >
  • < reserved >
  • < reserved >
  • < reserved >
  • < reserved >
  • < reserved >
  • < reserved >
  • < reserved >
  • < reserved >
  • World War III
  • Having your password stolen by a keylogger
newbie
Activity: 42
Merit: 0
I always use a 16-digit alphanumeric password. It is hard to break.
hero member
Activity: 767
Merit: 500
The easiest way to avoid any type of keylogger is simple: type part of your passphrase into a blank document, and copy and paste it into your wallet. Then type some random gibberish into your open document. Then type another part of your password. Copy & paste. Repeat. Doing this 2 or more times makes it virtually impossible to have your password stolen via hardware or software.

any decent keylogger will also log the clipboard:

http://en.wikipedia.org/wiki/Keystroke_logging#Related_features

best way to be secure is use a secure device, like a Chromebook, which are built with security in mind.

Will
legendary
Activity: 1764
Merit: 1007

How to Avoid Keyloggers

The easiest way to avoid any type of keylogger is simple: type part of your passphrase into a blank document, and copy and paste it into your wallet. Then type some random gibberish into your open document. Then type another part of your password. Copy & paste. Repeat. Doing this 2 or more times makes it virtually impossible to have your password stolen via hardware or software.

unfortunately, there are also screenloggers.
member
Activity: 66
Merit: 10
How secure are password manager like roboform? I usually generate a random password with it for every new account, online wallet, etc..
sr. member
Activity: 420
Merit: 250
Obligatory XKCD http://www.xkcd.com/936/  Grin

@@@@@applebeesmakesmevomit12345&&&&& is probably going a bit too far. It's important that you don't forget your password (no drunk/stoned password changes please).

The keyloggers / copy-paster grabbers are a worry. Running a linux client in a VM (eg openbox) should be pretty much immune to the copy-paste framegrabbers (provided you turn off the guest-host integration), though not the keyloggers. An on-screen keyboard within the VM should take care of this.

PS "correct horse battery staple" is bonkers https://blockchain.info/address/1JwSSubhmg6iPtRjtyqhUYYH7bZg3Lfy1T

Use KeePass with 32 char length mixed passwords. Really-really hard to crack.  Cheesy And of course use a VM and backup your wallet.dat 3 times a day. Tongue



full member
Activity: 196
Merit: 100
Obligatory XKCD http://www.xkcd.com/936/  Grin

@@@@@applebeesmakesmevomit12345&&&&& is probably going a bit too far. It's important that you don't forget your password (no drunk/stoned password changes please).

The keyloggers / copy-paster grabbers are a worry. Running a linux client in a VM (eg openbox) should be pretty much immune to the copy-paste framegrabbers (provided you turn off the guest-host integration), though not the keyloggers. An on-screen keyboard within the VM should take care of this.

PS "correct horse battery staple" is bonkers https://blockchain.info/address/1JwSSubhmg6iPtRjtyqhUYYH7bZg3Lfy1T
hero member
Activity: 952
Merit: 1009

Hey man, I'm just trying to do a public service and add something useful to this website. Please feel free to correct me or add some info.

No, you're totally right. I just like to have a little bit of fun.

Speaking of which, I just asked my users on the forum I moderate to go to that howsecureismypassword site and test theirs out.

The results were..... disappointing, to say the least. Mostly in the range from 19 seconds to 11 minutes.
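The thread keeps comparing passwords by feel ('swordfish', the xkcd 936 passphrase, the '@@@@@applebeesmakesmevomit12345&&&&&' suggestion, a 32-character KeePass string, the howsecureismypassword results). As an added example that is not part of the original thread, the script below puts numbers on that comparison: it estimates entropy under two attacker models (brute force over the observed character classes, and guessing words from a known list, which is what makes a single dictionary word or a four-word passphrase cheaper than its length suggests) and converts the weaker estimate into a time to exhaust the search. The guess rate and word-list size are constructed assumptions chosen for illustration, not properties of any wallet software.

```python
import math
import string

# Constructed assumptions for this example (not from the thread):
GUESSES_PER_SECOND = 1e9   # attacker rate assumed for an offline attack on a copied wallet file
WORDLIST_SIZE = 2048       # xkcd-style passphrase dictionary: log2(2048) = 11 bits per word

# Character classes used for the brute-force model.
CLASSES = [
    ("lower", set(string.ascii_lowercase)),
    ("upper", set(string.ascii_uppercase)),
    ("digit", set(string.digits)),
    ("symbol", set(string.punctuation)),
]


def charset_size(password):
    """Size of the alphabet an attacker must search: the union of every
    character class the password uses, plus any characters outside those
    classes (spaces, non-ASCII) counted one each."""
    size = sum(len(chars) for _, chars in CLASSES
               if any(c in chars for c in password))
    extra = {c for c in password
             if not any(c in chars for _, chars in CLASSES)}
    return size + len(extra)


def brute_force_bits(password):
    """Entropy if the attacker must try every string over the observed
    alphabet up to the password's length."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def passphrase_bits(words, wordlist_size=WORDLIST_SIZE):
    """Entropy if the attacker knows the password is a sequence of words
    drawn from a list of `wordlist_size` entries."""
    return len(words) * math.log2(wordlist_size)


def seconds_to_exhaust(bits, rate=GUESSES_PER_SECOND):
    """Worst-case time to enumerate the whole space at `rate` guesses/s."""
    return 2 ** bits / rate


def describe(seconds):
    """Human-readable duration, three significant figures."""
    for unit, span in (("years", 365 * 24 * 3600), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= span:
            return f"{seconds / span:.3g} {unit}"
    return f"{seconds:.3g} seconds"


def estimate(password, words=None, wordlist_size=WORDLIST_SIZE):
    """Rate a password under both models and report the weaker one.
    Pass `words` when the password is built from dictionary words, so the
    cheaper word-guessing attack is taken into account."""
    bf = brute_force_bits(password)
    pp = passphrase_bits(words, wordlist_size) if words else None
    effective = bf if pp is None else min(bf, pp)
    secs = seconds_to_exhaust(effective)
    return {
        "password": password,
        "brute_force_bits": bf,
        "passphrase_bits": pp,
        "effective_bits": effective,
        "seconds": secs,
        "crack_time": describe(secs),
    }


if __name__ == "__main__":
    # Constructed sample inputs taken from the discussion above.
    samples = [
        ("swordfish", ["swordfish"]),
        ("correct horse battery staple",
         ["correct", "horse", "battery", "staple"]),
        ("@@@@@applebeesmakesmevomit12345&&&&&", None),
        ("Kx7#pQ2!mN9$vL4@wR8%zT3&yU6*bH1^", None),  # constructed 32-char string
    ]
    for pw, ws in samples:
        r = estimate(pw, ws)
        print(f"{pw!r:40} {r['effective_bits']:6.1f} bits  {r['crack_time']}")
```

Two things the numbers make visible: a single dictionary word like 'swordfish' is worth about 11 bits once the attacker assumes a word list, regardless of its nine-character length, and the four-word xkcd passphrase sits at 44 bits, which an offline attacker at the assumed rate exhausts in hours. Neither model accounts for the key-stretching a wallet format may apply, so treat the output as a comparison between candidates rather than an absolute guarantee.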
legendary
Activity: 1652
Merit: 1029
You can also use Inputs.io which has an unkeyloggable PIN input pad.

link pl0z?
hero member
Activity: 1036
Merit: 500
Thank you both. I have changed it to '@@@@@applebeesmakesmevomit12345&&&&&' as recommended.

It was pretty obvious from your first post but...  Grin



Hey man, I'm just trying to do a public service and add something useful to this website. Please feel free to correct me or add some info.

Even if my post helps one person save their BTC, it will be worth the time it took me.

You can also use Inputs.io which has an unkeyloggable PIN input pad.

Cool. Thank you for posting TradeFortress.
vip
Activity: 1316
Merit: 1043
👻
You can also use Inputs.io which has an unkeyloggable PIN input pad.
hero member
Activity: 952
Merit: 1009
My wallet password is 'swordfish'. How secure is that? Do you recommend I change it?

 Grin

Pretty much this:



My wallet password is 'swordfish'. How secure is that? Do you recommend I change it?

Yes, you should change it immediately; don't forget to take a backup first and mail it to me. Cheesy

Thank you both. I have changed it to '@@@@@applebeesmakesmevomit12345&&&&&' as recommended.
hero member
Activity: 1036
Merit: 500
How to Avoid Keyloggers

The easiest way to avoid any type of keylogger is simple: type part of your passphrase into a blank document, and copy and paste it into your wallet. Then type some random gibberish into your open document. Then type another part of your password. Copy & paste. Repeat. Doing this 2 or more times makes it virtually impossible to have your password stolen via hardware or software.

This will only make it harder, but not impossible, to steal the password while typing. There are already programs that read your clipboard; if they are used together with a keylogger and a program that records which window you are typing in, there is no way to securely enter your password, because even the most complicated system using ctrl+c/ctrl+v and parts of passwords can be reverted. The good thing is that there are not many keyloggers that do all that at once.

Yeah, if the NSA or LulzSec wants your BTC, you are pretty much boned. This is more just basic protection against hackers for the general public.

However, I believe that the biggest threat for 99% of people is losing their wallet by not creating a backup.
legendary
Activity: 1274
Merit: 1004
My wallet password is 'swordfish'. How secure is that? Do you recommend I change it?

Yes, you should change it immediately; don't forget to take a backup first and mail it to me. Cheesy
hero member
Activity: 546
Merit: 501
How to Avoid Keyloggers

The easiest way to avoid any type of keylogger is simple: type part of your passphrase into a blank document, and copy and paste it into your wallet. Then type some random gibberish into your open document. Then type another part of your password. Copy & paste. Repeat. Doing this 2 or more times makes it virtually impossible to have your password stolen via hardware or software.

This will only make it harder, but not impossible, to steal the password while typing. There are already programs that read your clipboard; if they are used together with a keylogger and a program that records which window you are typing in, there is no way to securely enter your password, because even the most complicated system using ctrl+c/ctrl+v and parts of passwords can be reverted. The good thing is that there are not many keyloggers that do all that at once.
hero member
Activity: 1036
Merit: 500
My wallet password is 'swordfish'. How secure is that? Do you recommend I change it?

 Grin

Pretty much this:



The blank document trick is old, and keyloggers are too; people mostly use stealers or formgrabbers these days, and that document method is not effective against formgrabbers.

However using a keyscrambler is better than typing gibberish words on blank document.

I think formgrabbers are mostly for online passwords and web browsers, but I'm not a security expert, just an enthusiast. Keyscrambler sounds good.