If you have more than a few BTC, anything less than "Best" is unacceptable - that should be your starting point.
If you have more than a few BTC anything less than offline storage is unacceptable. Passphrases are useless when it comes to protecting against malware. 
Topic: How Strong Is Your Wallet Password? Wallet Backup + How to Avoid Keyloggers! (Read 2681 times)
July 01, 2013, 10:09:23 PM
July 01, 2013, 03:45:41 PM
The only way to protect from keyloggers and other spyware is to use offline clients. Passwords only helps when your laptop is stolen.
July 01, 2013, 01:41:56 PM
Running a linux client in a VM (eg openbox) should be pretty much immune to the copy-paste framegrabbers (provided you turn off the guest-host integration), though not the keyloggers. An on-screen keyboard within the VM should take care of this.
So I must be the only one in the world who switches to the linux tty (you know, that Ctrl-Alt-F1 "trick") to enter the bitcoind password, so only a kernel-level logger can break it, right? Never seen anyone even mention that
July 01, 2013, 12:05:14 PM
Yeah, if the NSA or LulzSec wants your BTC, you are pretty much boned.
Wrong attitude to have.
Look at what lulzsec (aren't they in prison??) and the NSA would do to get it, and fix the vulnerability.
For example, in my case I use a couple software repositories that are not official Fefora, so I have to look at the risk of how vulnerable those software repositories are being coerced into hosting trojans or having their signing key stolen.
For a wallet with a lot of bitcoin, I wouldn't take that risk.
Infact for a wallet with a lot of bitcoin, the system wouldn't be on-line much.
Make sure you have appropriate firewall. The firewall in your router is not good enough, they are notorious for having back doors.
The Linux firewall is decent.
Once your network security is taken care of, then think about physical access.
-=-
Point is, don't just give in and figure they are lulzsec or NSA so they can get me if they want me, that's lowering the bar. Raise the bar and do what you can to avoid them.
Many if not most of lulzsec's exploits were the results of laziness, corporations not taking steps to secure known vulnerabilities.
Don't make that mistake.
July 01, 2013, 11:26:59 AM
I believe that the order of likelihood of losing your entire Bitcoin wallet contents is:
- Not having any backup at all
- Forgetting your convoluted password
- < reserved >
- < reserved >
- < reserved >
- < reserved >
- < reserved >
- < reserved >
- < reserved >
- < reserved >
- < reserved >
- World War III
- Having your password stolen by a keylogger
July 01, 2013, 11:07:50 AM
I always use 16 digit alpha numeric password. It is hard to break.
July 01, 2013, 10:52:01 AM
The easiest way to avoid any type of keylogger is simple: type part of your passphrase into a blank document, and copy and paste it into your wallet. Then type some random gibberish into your open document. Then type another part of your password. Copy & paste. Repeat. Doing this 2 or more times makes it virtually impossible to have your password stolen via hardware or software.
any decent keylogger will also log clipboard:
http://en.wikipedia.org/wiki/Keystroke_logging#Related_features
best way to be secure is use a secure device, like a Chromebook, which are built with security in mind.
Will
July 01, 2013, 08:03:33 AM
How to Avoid Keyloggers
The easiest way to avoid any type of keylogger is simple: type part of your passphrase into a blank document, and copy and paste it into your wallet. Then type some random gibberish into your open document. Then type another part of your password. Copy & paste. Repeat. Doing this 2 or more times makes it virtually impossible to have your password stolen via hardware or software.
unfortunately, there are also screenloggers.
July 01, 2013, 07:36:08 AM
How secure are password manager like roboform? I usually generate a random password with it for every new account, online wallet, etc..
July 01, 2013, 06:47:45 AM
Obligatory XKCD http://www.xkcd.com/936/ 
@@@@@applebeesmakesmevomit12345&&&&& is probably going a bit too far. Its important that you don't forget your password (no drunk/stoned password changes please).
The keyloggers / copy-paster grabbers are a worry. Running a linux client in a VM (eg openbox) should be pretty much immune to the copy-paste framegrabbers (provided you turn off the guest-host integration), though not the keyloggers. An on-screen keyboard within the VM should take care of this.
PS "correct horse battery staple" is bonkers https://blockchain.info/address/1JwSSubhmg6iPtRjtyqhUYYH7bZg3Lfy1T
@@@@@applebeesmakesmevomit12345&&&&& is probably going a bit too far. Its important that you don't forget your password (no drunk/stoned password changes please).
The keyloggers / copy-paster grabbers are a worry. Running a linux client in a VM (eg openbox) should be pretty much immune to the copy-paste framegrabbers (provided you turn off the guest-host integration), though not the keyloggers. An on-screen keyboard within the VM should take care of this.
PS "correct horse battery staple" is bonkers https://blockchain.info/address/1JwSSubhmg6iPtRjtyqhUYYH7bZg3Lfy1T
Use KeePass with 32 char length mixed passwords. Really-really hard to crack.
And of course use a VM and backup your wallet.dat 3 times a day. 
July 01, 2013, 06:24:12 AM
Obligatory XKCD http://www.xkcd.com/936/
@@@@@applebeesmakesmevomit12345&&&&& is probably going a bit too far. Its important that you don't forget your password (no drunk/stoned password changes please).
The keyloggers / copy-paster grabbers are a worry. Running a linux client in a VM (eg openbox) should be pretty much immune to the copy-paste framegrabbers (provided you turn off the guest-host integration), though not the keyloggers. An on-screen keyboard within the VM should take care of this.
PS "correct horse battery staple" is bonkers https://blockchain.info/address/1JwSSubhmg6iPtRjtyqhUYYH7bZg3Lfy1T
@@@@@applebeesmakesmevomit12345&&&&& is probably going a bit too far. Its important that you don't forget your password (no drunk/stoned password changes please).
The keyloggers / copy-paster grabbers are a worry. Running a linux client in a VM (eg openbox) should be pretty much immune to the copy-paste framegrabbers (provided you turn off the guest-host integration), though not the keyloggers. An on-screen keyboard within the VM should take care of this.
PS "correct horse battery staple" is bonkers https://blockchain.info/address/1JwSSubhmg6iPtRjtyqhUYYH7bZg3Lfy1T
July 01, 2013, 06:19:22 AM
Hey man, Im just trying to do a public service and add something useful to this website. Please feel free to correct me or add some info.
No, you're totally right. I just like to have little bit of fun.
Speaking of which, I just asked my users on the forum I moderate to go to that howsecureismypassword site and test theirs out.
The results were..... disappointing, to say the least. Mostly in the range from 19 seconds to 11 minutes.
July 01, 2013, 05:59:09 AM
You can also use Inputs.io which has a an unkeyloggable PIN input pad.
link pl0z?
July 01, 2013, 05:52:30 AM
Thank you both. I have changed it to '@@@@@applebeesmakesmevomit12345&&&&&' as recommended.
It was pretty obvious from your first post but...
Hey man, Im just trying to do a public service and add something useful to this website. Please feel free to correct me or add some info.
Even if my post helps one person save their BTC, it will be worth the time it took me.
You can also use Inputs.io which has a an unkeyloggable PIN input pad.
Cool. Thank you for posting TradeFortress.
July 01, 2013, 05:48:22 AM
You can also use Inputs.io which has a an unkeyloggable PIN input pad.
July 01, 2013, 05:17:54 AM
My wallet password is 'swordfish'. How secure is that? Do you recommend I change it?
Pretty much this:
My wallet password is 'swordfish'. How secure is that? Do you recommend I change it?
Yes you should change it immediately, don't forget to take a backup first and mail it to me.
Thank you both. I have changed it to '@@@@@applebeesmakesmevomit12345&&&&&' as recommended.
July 01, 2013, 05:11:30 AM
How to Avoid Keyloggers[/b]
The easiest way to avoid any type of keylogger is simple: type part of your passphrase into a blank document, and copy and paste it into your wallet. Then type some random gibberish into your open document. Then type another part of your password. Copy & paste. Repeat. Doing this 2 or more times makes it virtually impossible to have your password stolen via hardware or software.
The easiest way to avoid any type of keylogger is simple: type part of your passphrase into a blank document, and copy and paste it into your wallet. Then type some random gibberish into your open document. Then type another part of your password. Copy & paste. Repeat. Doing this 2 or more times makes it virtually impossible to have your password stolen via hardware or software.
This will only make harder but not impossible to steal password while typing. There are already programs that read your clipboard, if they are used with keylogger and program which is reading in which window you are typing there is no way to securely enter your password because even most complicated system using ctrl+c ctrl+v and parts of passwords can be reverted back. The good thing is that there is not much keyloggers that does all that at once.
Yeah, if the NSA or LulzSec wants your BTC, you are pretty much boned. This is more just basic protection against hackers for the general public.
However, I believe that the biggest threat for 99% of people is losing their wallet by not creating a backup.
July 01, 2013, 05:09:02 AM
My wallet password is 'swordfish'. How secure is that? Do you recommend I change it?
Yes you should change it immediately, don't forget to take a backup first and mail it to me.
July 01, 2013, 05:05:47 AM
How to Avoid Keyloggers[/b]
The easiest way to avoid any type of keylogger is simple: type part of your passphrase into a blank document, and copy and paste it into your wallet. Then type some random gibberish into your open document. Then type another part of your password. Copy & paste. Repeat. Doing this 2 or more times makes it virtually impossible to have your password stolen via hardware or software.
The easiest way to avoid any type of keylogger is simple: type part of your passphrase into a blank document, and copy and paste it into your wallet. Then type some random gibberish into your open document. Then type another part of your password. Copy & paste. Repeat. Doing this 2 or more times makes it virtually impossible to have your password stolen via hardware or software.
This will only make harder but not impossible to steal password while typing. There are already programs that read your clipboard, if they are used with keylogger and program which is reading in which window you are typing there is no way to securely enter your password because even most complicated system using ctrl+c ctrl+v and parts of passwords can be reverted back. The good thing is that there is not much keyloggers that does all that at once.
July 01, 2013, 05:05:12 AM
My wallet password is 'swordfish'. How secure is that? Do you recommend I change it?
Pretty much this:
Blank document trick is old,and keyloggers are too,people mostly use stealers or formgrabber these days and that document method is not effective with formgrabbers.
However using a keyscrambler is better than typing gibberish words on blank document.
However using a keyscrambler is better than typing gibberish words on blank document.
I think formgrabber is mostly for online passwords and web browsers, but Im not a security expert, just an enthusiast. Keyscrambler sounds good.
Jump to: