Topic: Question : trezor without passphrase, thief can make transactions ? (Read 832 times)

member
Activity: 62
Merit: 10
hello, made a transaction from my trezor, it still shows unconfirmed on mytrezor.com, but on blockchain it already shows >7 confirmations...
i later sent some btc to my trezor, nothing shows up on mytrezor.com, but blockchain has already like 8 confirmations ?

do i have to worry ?

Edit : solved.
legendary
Activity: 1148
Merit: 1014
In Satoshi I Trust
If you have no passphrase, a thief can spend your coins only if :

He stole your Trezor AND you told him your PIN (the PIN cannot be key logged, cannot be spied on, cannot be brute forced)

---------------OR-------------------

He stole your seed (24 words given at initialisation).

This assumes that there is no bug or design flaw in the TREZOR.  For example, with firmware up to 1.3.2 it is possible to get the keys from a stolen TREZOR without the PIN.  For the current firmware I don't know an easy way (the hard way by carefully opening the chip and using an electron microscope is not preventable).  With a secure passphrase you would be safe against these attacks.  However, a targeted attack would first install a keylogger on your computer to get the passphrase and then steal your TREZOR.  Still, the thief would need an electron microscope or know a new attack vector to get around the PIN (a cheaper way may be a fault attack).




you can use a virtual keyboard like the one from Kaspersky to reduce the risk.

but of course, nothing is 100% safe.

i would recommend to split your funds and use several PCs for that.
full member
Activity: 217
Merit: 259
If you have no passphrase, a thief can spend your coins only if :

He stole your Trezor AND you told him your PIN (the PIN cannot be key logged, cannot be spied on, cannot be brute forced)

---------------OR-------------------

He stole your seed (24 words given at initialisation).

This assumes that there is no bug or design flaw in the TREZOR.  For example, with firmware up to 1.3.2 it is possible to get the keys from a stolen TREZOR without the PIN.  For the current firmware I don't know an easy way (the hard way by carefully opening the chip and using an electron microscope is not preventable).  With a secure passphrase you would be safe against these attacks.  However, a targeted attack would first install a keylogger on your computer to get the passphrase and then steal your TREZOR.  Still, the thief would need an electron microscope or know a new attack vector to get around the PIN (a cheaper way may be a fault attack).

This does not mean that hardware wallets are insecure.  A software wallet is much easier to compromise: You just need to install a Trojan on the victim's computer. The next time the wallet is used, the password and the private keys are sent to the command & control server.  With a TREZOR, you usually need a Trojan on the victim's computer (or physical access) AND you need to know a critical bug in the firmware that can be exploited.  These bugs usually get fixed quickly when they are discovered.
legendary
Activity: 1148
Merit: 1014
In Satoshi I Trust
Yes, of course.

No that is not true.

You do not need a passphrase to protect your funds in Trezor. The Trezor passphrase is only for advanced users. If you are not sure, please don't use it. If you forget your passphrase, you will lose all your funds.

Your Trezor is protected by a PIN. And this PIN alone is a very good protection.

If you have no passphrase, a thief can spend your coins only if :

He stole your Trezor AND you told him your PIN (the PIN cannot be key logged, cannot be spied on, cannot be brute forced)

---------------OR-------------------

He stole your seed (24 words given at initialisation).


finally
a good answer (and a right one)
legendary
Activity: 1610
Merit: 1004
The PIN protects your Trezor from a thief.

You can set an optional passphrase for different accounts on your Trezor beyond that, if you want additional protection.

However, if you forget this passphrase your bitcoins will be LOST - the recovery seed will not help!

I think for most cases the PIN is enough security, unless you set a really weak PIN. Make it 6 digits.
member
Activity: 62
Merit: 10
the PIN is the 9 numbers on the trezor screen, right?
member
Activity: 554
Merit: 11
CurioInvest [IEO Live]
Yes, of course.

No that is not true.

You do not need a passphrase to protect your funds in Trezor. The Trezor passphrase is only for advanced users. If you are not sure, please don't use it. If you forget your passphrase, you will lose all your funds.

Your Trezor is protected by a PIN. And this PIN alone is a very good protection.

If you have no passphrase, a thief can spend your coins only if :

He stole your Trezor AND you told him your PIN (the PIN cannot be key logged, cannot be spied on, cannot be brute forced)

---------------OR-------------------

He stole your seed (24 words given at initialisation).
hero member
Activity: 490
Merit: 500
Captain
i added passphrase, but i can't see my balance..., it says 0.0 btc

edit: ahhh ok solved

Great!

I think that it is ok to have a simple password for the trezor; if you lose it, then the chance of someone finding it and at the same time knowing how to crack these things is very small.

I also think you can justify having one at home which does not have a password.

I know it sounds trivial, but remember to write the password down somewhere; many bitcoins have been lost over time because of complicated passwords for wallet encryption which people forget.
member
Activity: 62
Merit: 10
i added passphrase, but i can't see my balance..., it says 0.0 btc

edit: ahhh ok solved
member
Activity: 62
Merit: 10
ok thx!

have to make sure i don't forget the passphrase...
hero member
Activity: 490
Merit: 500
Captain
Yes, of course.

If you are bringing your trezor everywhere you go, then better password-protect the device.
If you just keep your trezor in a safe or some other hidden place, then a password is not needed.
member
Activity: 62
Merit: 10
hi,

what if my trezor without passphrase gets stolen, can the thief make transactions?