Author

Topic: PSA to new users of bitcoin (Read 26031 times)

hero member
Activity: 952
Merit: 1009
July 25, 2013, 02:19:14 PM
#14
A sticky in the newbie forum is simmilar to this post

Not really. That's long gone.
member
Activity: 84
Merit: 10
July 25, 2013, 11:02:16 AM
#13
A sticky in the newbie forum is simmilar to this post
hero member
Activity: 616
Merit: 500
Firstbits.com/1fg4i :)
July 24, 2013, 02:42:25 PM
#12
Perhaps it would be a good idea to clone this thread on the newb area?
newbie
Activity: 33
Merit: 0
July 24, 2013, 02:01:26 PM
#11
Passwords managers can help you organize lots of strong, unique passwords.  Lastpass

Is it open source?

I would not trust a closed source password manager, and even less if recommended by Cnet.
legendary
Activity: 1400
Merit: 1013
July 24, 2013, 01:52:40 PM
#10
2)Get a HARDWARE WALLET like Trezor

Hardware wallet weren't available back in april but they are now. So go and get one. Problem solved.
The problem is never truly solved.
legendary
Activity: 1050
Merit: 1002
July 24, 2013, 01:07:49 PM
#9
How do you protect your offline computer from viruses that may try and transfer themselves via your usb stick? That seems to be the number one way offline computers can be compromised.... Stuxnet anyone?

Disable autorun on your OS. You should do that anyway.
legendary
Activity: 1148
Merit: 1008
If you want to walk on water, get out of the boat
July 24, 2013, 01:07:29 PM
#8
 Cheesy But they delivered... after months and months...  Cheesy
hero member
Activity: 952
Merit: 1009
July 24, 2013, 12:59:14 PM
#7
2)Ye well november, but you can already preorder it.



I'm getting BFL flashbacks when I hear the word preorder.   Cheesy

legendary
Activity: 1148
Merit: 1008
If you want to walk on water, get out of the boat
July 24, 2013, 12:54:04 PM
#6
2)Ye well november, but you can already preorder it.

hero member
Activity: 952
Merit: 1009
July 24, 2013, 12:50:56 PM
#5
1) This should have been stickied.

2) The trezor isn't available yet.
legendary
Activity: 1148
Merit: 1008
If you want to walk on water, get out of the boat
July 24, 2013, 12:47:46 PM
#4
1)This thread is from april

2)Get a HARDWARE WALLET like Trezor

Hardware wallet weren't available back in april but they are now. So go and get one. Problem solved.
hero member
Activity: 784
Merit: 1010
Bitcoin Mayor of Las Vegas
July 24, 2013, 12:35:22 PM
#3
dont use infectable media like that... use electrum and seedless wallets on the online side. then you create unsigned transactions from the online side, send them to the offline side via QR codes, sign them from the offline side, and send the signed transaction back to the online side and broadcast it to the network.
legendary
Activity: 817
Merit: 1000
July 24, 2013, 09:27:10 AM
#2
How do you protect your offline computer from viruses that may try and transfer themselves via your usb stick? That seems to be the number one way offline computers can be compromised.... Stuxnet anyone?
legendary
Activity: 2198
Merit: 1311
April 14, 2013, 11:36:04 AM
#1
This thread and others like it worry me.  I suspect a lot of people are buying and have bought something they don't understand, and I'm concerned that thefts are going to increase as a result.  If this is you, please read this.

Wallets

To access your bitcoins and transact with the network you're going to use a wallet.  This will either be a piece of software you install on your computer or an online wallet service like blockchain.info.  The wallet jargon is just a convenient way to refer to what's going on under the hood.  Every Bitcoin address has an associated private key, and the private key is really just a string of numbers and letters.  You can only spend bitcoins at addresses for which you also have the associated private key.  If you happen to find somebody else's private key, then you can import it into other Bitcoin clients or online wallets and then you have the ability to spend any coins associated with that private key's addresses.

Most wallet clients give you the option to encrypt your private key.  Please do that.  That means you can protect it with a password.  You will be asked for this password to create transactions.  Your blockchain.info login password serves that purpose, for example.

Passwords

Use strong and unique passwords.  That advice applies to your entire online life, really.  If you use weak passwords and/or you don't use unique passwords, then you are at risk of somebody guessing your password using a computer designed to make lots of guesses.  If your passwords are not unique that gives attackers the opportunity to compromise more than one service.  It's best to use a mix of lower case, upper case, numbers, and symbols in your passwords.  Your passwords should also be sufficiently long, around 16 characters, for services that you would really hate getting compromised.  You should still use unique passwords for services you don't consider critical, but for those services you might not feel it's necessary to use long passwords with a mix of all character types.  Of course, this is all up to you.

Passwords managers can help you organize lots of strong, unique passwords.  Lastpass is a fantastic password manager.  It works across all the major browsers and they even have mobile apps.  You create one really, really strong password that you must never forget, and then Lastpass organizes and remembers all of your other passwords for you.  Lastpass encrypts all of your data before it's sent to their servers, so they can't see your passwords.  If you forget your Lastpass password, then you lose access to passwords stored with them, unless you remember them or have them stored somewhere else.

You can make strong passwords easier to remember by increasing their length with a relatively simple pattern while still using each character type.  This is called password padding.  Security researcher Steve Gibson explains by comparing two passwords:

Quote
Which of the following two passwords is stronger, more secure, and more difficult to crack?

D0g.....................

PrXyc.N(n4k77#L!eVdAfp9

You probably know this is a trick question, but the answer is: Despite the fact that the first password is HUGELY easier to use and more memorable, it is also the stronger of the two! In fact, since it is one character longer and contains uppercase, lowercase, a number and special characters, that first password would take an attacker approximately 95 times longer to find by searching than the second impossible-to-remember-or-type password!

Strong, unique, but memorable passwords depend on using all character types and adding memorable length.  You really should also avoid dictionary words and common modifications of simple dictionary words (e.g. dog, d0g, etc.)  Consistent with the advice to use unique passwords, you wouldn't want to use the same padding technique for more than one critical password.

Multi-Factor Authentication

Many online services (e.g. gmail, blockchain.info, MtGox, Lastpass) offer the option to use multi-factor authentication.  If this service is offered, you should use it.  This means that you need more than your password to log into your account.  It can come in the form of a number sent as a text to your phone, a usb key that must be plugged into your computer, or an app like Google Authenticator.  When you log into a service for which multi-factor authentication has been activated you will be asked for both your password and an additional pin sent to or derived from a separate device.  This offers you some protection from key loggers which an attacker can install on your computer to see everything you type.  Even if they discover your password, they will be unable to log in without the additional pin from, say, your phone.  A previously used pin will not work, they would need one generated specifically for the most recent attempt to log in.

If the email provider that you use offers multi-factor authentication, and you use that email to register for important services (e.g. online banking, bitcoin wallets, exchanges, etc), then you should definitely enable multi-factor authentication.  If an attacker can compromise your email, then they can potentially access lots of websites your registered at, because they can ask the websites to reset your password.  Websites typically send a password reset email under the assumption that only you have control of your email.  If you don't, an attacker can change the passwords to your web services.  By enabling multi-factor authentication on your email, you can significantly decrease the odds of an attacker compromising your email.  You should likewise use multi-factor authentication with any password managers you use, if you choose to use one.

This might all seem very inconvenient.  However, the security gained far outweighs any convenience lost.

Advanced Bitcoin Wallet Security

The most secure way to safeguard your bitcoin value is to create and keep your private keys on systems that cannot be hacked into.  This can be a computer that is setup without ever touching the internet, or paper wallets.  A paper wallet is just some text based way to represent your private key.  An attacker cannot compromise an offline computer without physical access, and he would additionally need to know the passwords to log onto your offline computer.  If you have offline systems such as offline computers or paper or other physical wallets, then obviously the attack vector is basically physical burglary.

The Armory bitcoin client is a client designed to maximize security options.  Armory makes it relatively painless to setup an offline wallet.  A computer does not need to be connected to the internet to create valid bitcoin private keys with associated bitcoin addresses.  That's because their creation is determined by algorithms that can be copied and run on any computer with or without network connections.

With Armory you can setup offline bitcoin wallets.  In order to send bitcoins to that wallet you just need to copy an address created on the offline computer.  The offline wallet can create what's called a "watching only wallet".  This is a wallet you can import into an online installation of Armory on a different networked computer.  From the online watching only wallet you can see bitcoins sent to your addresses and you can create unsigned transactions.  You can try to broadcast an unsigned transaction, but it will not be confirmed in the blockchain, and is not a valid transaction.  In order to send the transaction into the blockchain and have it validated you will need to copy the unsigned transaction to a USB device, import it into the offline Armory wallet, sign the transaction, then copy and move it back to your online Armory wallet.  From there, it can be sent and received as a valid bitcoin transaction.  In this way it is made practically impossible for a network attack to steal your bitcoins.

It's a good idea to create additional offline backups of your Armory wallets.  Armory has a feature to create printable offline backups.  These can be used to restore your wallet in the event that your offline computer is destroyed or stolen.

Systems like this are more inconvenient, but offer the highest level of relatively easy to setup security.


Thanks, welcome to bitcoin, and stay safe.

-Proudhon
Jump to: