I have heard that the encryption used for electrum wallets is somewhat open to brute force attacks, which makes me think that even if I've encrypted the wallet, I should still try and keep it offline.
Thoughts?
Thoughts?
You do need to be more careful when it comes to storing Electrum wallets online compared to many other wallets.
As others have already noted, nearly all wallets are open to brute force attacks. However, given a strong-enough password, any wallet can be safely stored online. The big problem is in determining whether or not your password is strong enough to resist brute forcing attacks, and there's no easy way to be sure.
This javascript site is the best I know of (thanks to Newar) at estimating password strength: https://dl.dropboxusercontent.com/u/209/zxcvbn/test/index.html. There's an accompanying article discussing its method's strengths and weaknesses here (spoiler: it might be very good, but it's definitely not perfect): https://tech.dropbox.com/2012/04/zxcvbn-realistic-password-strength-estimation/.
What's different about Electrum is that it doesn't use any key stretching, so if you don't use a very strong password, you're much more vulnerable to brute force attacks than some other wallets such as Bitcoin Core or Armory. Here's a quick overview of how many cryptographic operations must be done to check a single password for these two wallet formats:
Electrum: 2 SHA-256's (each a single block long) and 1 block of AES-256 decryption
Bitcoin Core: approximately 100,000 SHA-512's (each a single block long) and 2x blocks of AES-256 decryptions
TL;DR: use a strong-enough password, and you'll probably be safe from brute force attacks, but it's really hard to know what "strong-enough" means.
