Topic: Protecting your coins (Read 2313 times)

I'm using a wallet stored in multiple encrypted containers with enormous but memorable passwords. My main concern is losing access to the wallet, so I have a copy on my phone, laptop, desktop, flash drives, dropbox and email.

I'll eventually move to some other system where I have a single private key stored in stashes rather than wallet files, but I've not done this yet because never unencrypting my stash is the best way to keep it safe.

OP: any chance you've obtained your sudden windfall of bitcoins buy stealing them from Bitcoinica & Slush & the faucet?  

Be NICE if all our education back in June about protecting wallets would have applied to all the ^^ above.  

And this is exactly why I've started to use Armory    

problem is, there's never just one pw.  there's always multiple pw's in your head and then you may be constantly changing them.  you're bound to forget.

After 4 months I forgot my bitcoin password.....  Let me tell you that day sucked hard.
Finally cracked it but it took tons of beer.
True story

If you're really worried, you can make pictographic tattoos to remind you.

If you are worried about your memory consider that pass phrases can also be easily printed.  There doesn't need to be any indication that it is a bitcoin wallet/PK either, just gibberish on paper.  You can spend it pretty easily by importing the key with pywallet or the native privkey import coming in 0.6.

edit: I do agree that a lot of people may screw up using passphrase wallets but for the rest of us it's very easy and very secure. 

This is actually already possible for N=K using Armory's elliptic curve calculator (meaning that you need all of the pieces of paper to recover it).  For instance, you create 3 private keys and use the calculator to multiply them together.  The result is the final private key where the money is stored.  Then you print off all three keys separately.  To recover your wallet, you collect all three, and use the calculator again.

Even better, this can be implemented without any two keys ever touching the same computer!  Computer A produces a key, and gives the public key to Computer B.  Computer B mulitiplies PublicKey(A) by its own private key to make PublicKey(A*B).  Then this is given to computer C which multiplies it by his private key to make PublicKey(A*B*C).  This is now a public key which can be converted to an address and funded.  The only way to recover the private key, is to collect all three sheets of paper and multiply the private keys together!

I don't promote this as the best solution, but it's one that is already available with Armory 0.55-alpha.  In the future, this will all be unnecessary by simply putting all of your funds into a M-of-N multi-signature transaction.  If it's a 2-of-3 transaction, you backup all 3 private keys separately, and any two will work.  It's a protocol-level implementation of Samir's or Reed-Solomon.


I totally believe it.  A root CA key requires the highest level security, especially if it will be used for military operations.  I'm surprised thermite wasn't involved

I have considered brain wallets, but I think they are too risky, unless you include extra entropy stored on the computer (which partially defeats the purpose).  As mentioned above, too many users use passphrases that are way too simple, and will end up sharing wallets (or make it too easy for an attacker to create the same wallet without ever accessing your computer).  When their coins disappear, don't count on the user admitting that they used a weak passphrase.  Instead, it will make the protocol/program look insecure. 

Brain Wallet will be a killer app. I am choosing multiple encryption methods including mnemonics, music notation, a personally developed cryoptogrphic algorithm, and motor memory. It will be interesting to see how many keys I can create and remember, maybe enough to last a lifetime.

Storing your private key on paper is IMO the way to go for long term storage. However if I were to store my life savings I would not trust just one piece of paper. There are elegant solutions to this.

Shamir's Secret Sharing
Shamir's Secret Sharing is a mechanism where you split a secret into N pieces and decide for a number K which is less than N. If you have K different pieces of the original N it is trivial to calculate the secret. If you have K-1 pieces the secret is completely undetermined, meaning that any possible value is likely. Details here: Shamir's Secret Sharing

Example Choosing N=3 and K=2:

You split your secret into 3 pieces.
You then store those pieces in three different secure locations.
You delete any other trace of the secret.
If you ever want to recreate the secret you can do so by retrieving any 2 of the 3 pieces. If an attacker gets hold of one of your pieces he will not be able to determine the secret. Or if one of the pieces are lost you can still rebuild the secret from the other two.

You may also want to choose N=5 and K=3 or whatever makes you feel safe.

This could be an awesome addition to the paper backups of Armory, or even better, a small standalone tool that spits out:
N pieces of paper each containing its share of the private key as a QR-code and in HEX plus a description of the math on how to combine the shares
One piece of paper with the Bitcoin address as a QR code and in base58.

Believe it or not. I was once a consultant on a project where a similar procedure was done (paper shares, stored in various banks in different locations), where as a safety procedure the printer used had to be blown to pieces by the military afterwards. This was a backup for the root key of a CA. I guess they were paranoid of what you can get off a printer roller.

You are correct.  Most of my focus in Armory development has been online threats, not physical threats.  But that doesn't mean I've ignored it: I just think that having someone break into your house and going through your bookshelf to find the paper backup is 100x less likely than the random online attacker scanning millions of computers looking for open ports/vulnerabilities and getting access to your system.  In the future, I can add a feature in Armory to allow you to add a passphrase/encryption to your paper backup, but I honestly think that just adds more risk than it adds value:  your paper backup will likely not be used for years, and you're bound to forget the passphrase by then.  

If you're really concerned, put your paper backup in a safe-deposit box.  Or back it up to 5 different USB keys and put them all in your safe-deposit box.  Again, for the average user, I am most concerned about online threats, especially since a highly-targeted physical attack against your wallet will likely not be stopped by anything anyone can put in a Bitcoin client (keyloggers, especially).


Multi-signature transactions and two-factor authentication w/o third-party will become part of Armory.  But I have a few other priorities to implement first.

-1 IronKey
+1 TrueCrypt

Hardware encryption doesn't improve security; it actually makes it worse because there's no way to audit it.  How would you know if they added a back door?  I recommend sticking to TrueCrypt, GPG, FreeOTFE, or other open-source, software-based encryption based on AES or 3DES.

Edit:  And +1 paper.  The biggest threats right now are automated viruses collecting your data.  Keeping it in a form they can't easily steal is a big benefit.  You can GPG-encrypt your paper wallet if you want to protect against people stealing the paper.

Users don't use "good" passwords, regardless of whether they know it's a good idea or not.  Additionally, I hate the idea of scattering your encrypted wallet all over the internet... what if there's a bug in the wallet encryption that actually leaves the private keys unencrypted?  You probably won't even know until your coins are gone, and you know you can never remove your wallets entirely from these online storage places.  You can transfer the coins immediately to a new wallet, but then you have to store/backup those somehow.  And of course, even if you get all this right... see my previous comment about how easy it is to forget passwords...

EDIT: I overlooked the comment about TrueCrypt ... it removes most of the is-this-encryption-really-secure-? uncertainties, but there's still plenty of other reasons to not like it

I think the better way is to use wallet encryption on your own computer, and print off a paper backup.  Paper is cheap, easy to store, and visually verifiable: if you can read the letters on the piece of paper, your backup is safe.  Keep it in a book on your bookshelf, or store it away securely in a safe-deposit box.  If you don't have a printer, you can backup to USB key instead, but there's always a risk that that key isn't going to work when you plug it in the first time two years later.  

And, with the Satoshi client, backups are not "forever."  This may change in the future with deterministic wallets in the Satoshi client, but it's not currently there.  This is one of the key features of alternative clients like Armory, and Electrum -- you only need to create a backup once when you create the wallet, and never again.  With the Satoshi client, you need to create a new backup every 100 addresses, and thus you have to have some kind of regular backup solution which users are notoriously bad at doing (especially when you have to manually re-encrypt each time and redistribute it to your various backup locations).

Encrypt wallet.dat with Truecrypt, put a GOOD password and backup it in various hard disk/usb things and put it also online, like email or cloud storage services. <-make sure the password is a good one.

Yup it is ironic that the things people think are secure are very easy to forget or mess up and provide little hardening.  They are harder on humans than computers (a poor trade).  Things people assume would be easy have much more entropy and are difficulty to forget.

Diceware is one method but any random word list of decent size is effective.  A word list w/ 850 words will have about 9bits of entropy per word.  A word list w/ 2000 words has about 11 bits.  The key is to pick words AT RANDOM.  If you pick words by choice you introduce bias and reduce entropy.  

Reason I said 850 is because here is a standardized basic english worldlist containing 850 words.

For example I randomly (using an RNG) picked 5 words from this list:
http://www.langmaker.com/wordlist/basiclex.htm

chance owner bone market waiting = ~2^45 bits of entropy
I would recommend adding a salt to prevent precomputation & shared key attacks.  This doesn't have to be a secret (you can even email a copy to youself).  It can be purely random of something like your email address

chance owner bone market waiting [email protected]

Not the strongest password but with the key hardening computationally infeasible to brute force.

For more security use no wallet.  Make a public address from a private key derived from hashing the passphrase a large number of times.  Do it in a non-persistent linux environment (CD image or USB key) to prevent data recovery.

With key hardening and salt the computational power to brute force this makes it uneconomical for sums less than $1 mil USD.

I resort to buying an ironkey and storing on there. Seems to be a safe enough method.

I guess I never gave an official "Go-Ahead" for main-network.  But people have been using it, and I've only encouraged caution about using it with lots of money.  That's exactly why I encourage following the "I'm Scared" procedure, so that you don't have to trust me:  you can prove to yourself that it's reliable! 

Also, obvious substitutions like:

2 for to|too|two|Z
3 for E
5 for S
0 for O
! for i

etc add only about 1-1.5 bits worth of entropy each and are hard to remember long term.  You are much better off including a random number (about 3.3 bits per digit), a random lowercase letter (4.7 bits each), or best of all, some random words from the Diceware list (12.9 bits each).

When the only copy of the key is in your brain you don't want to make one that ends up being secure even from you.  

In my opinion keeping a backup copy on paper is a good idea.

Edit: to drive the point home, a 10-word (all-lowercase, no punctuation or substitutions) Diceware password has 129 bits of entropy, which is enough security to last forever.  There is no quantum algorithm to crack your die rolls.

Holliday,

What are you waiting for?  The offline wallets work already!  I use it for all my funds.  That doesn't mean you should dive in blindly... but it is 100% usable, you only need to follow the "I'm Scared" section of the Offline Wallets Page to convince yourself to use it, too.  If there's something missing, let me know what it is!

Unfortunately, this is a disaster waiting to happen.  No matter how much you try to memorize it:  you will forget it.  I have a 16 character password at work protecting my encrypted hard-drive.  It was trivial to remember it for 3 months straight, because I typed it in every day. But then I got a new primary system and didn't touch the old one more than once in 6 months -- by then, finger muscle memory was the only thing that saved me, but it took me about 20 tries to get it.  Fwhew!  From then on, I have it written down in a sealed envelope inside a safe.

The method described here is safe only if you write it down and store it safely somewhere.  But you won't be able to access the funds at all.  Sure, you can send money to it, and use blockexplorer to watch it:  but how do you spend any of the money?  How do you monitor incoming transactions?  Sit there refreshing blockexplorer every 10 seconds?