
Topic: Saving your private key in your email is a lethal move (Read 1712 times)

legendary
Activity: 1624
Merit: 2481
How can someone hack or brute that?

That's actually not as hard as you might think it is.

While it indeed could be quite frustrating to break into this from a different location, the easiest approach would be to compromise your mobile phone.
You wouldn't notice the notification. The verification would be given within a split second and the 6 digit code would be sent to the attacker.
The whole security in this kind of attack relies on your mobile phone security.


And that's just one attack vector, and definitely not the only one.
legendary
Activity: 2268
Merit: 18748
But they sync only with iCloud. If someone tries to log in to my iCloud account, I'll receive a notification on the phone with a map (OK, the person can use a VPN, but I doubt that he will be in the exact location where I usually am) asking for verification, plus he'll need to enter a 6-digit code.
A little bit of social engineering is enough to get your phone number and account transferred to a new SIM card. Or maybe they stole your Apple account or email account log in with a key logger or other malware. Or maybe your passwords leaked in one of the multiple data breaches which happen every week. Or maybe your passwords have been stolen via a phishing site. Or maybe you've logged in via a public WiFi and they were stolen that way. Or maybe a security flaw in your browser, OS, or some other piece of software. Or maybe Apple's security isn't top notch. Or maybe a rogue employee has been digging through backed up data looking for something valuable.

There are endless security holes with storing your data online, especially when you aren't encrypting it yourself and are relying entirely on a third party, especially a third party who have been hacked repeatedly in the past.
legendary
Activity: 3668
Merit: 6382
How can someone hack or brute that?

There was quite a known hack some years ago, celebrities' private photos went online, you may remember that.
That has happened because somebody has managed to find a hole in iCloud security and exploited it.
Trusting others, especially if we talk about life changing funds, is a terrible idea.
legendary
Activity: 2492
Merit: 1215
Notes will sync through both iCloud

But they sync only with iCloud. If someone tries to log in to my iCloud account, I'll receive a notification on the phone with a map (OK, the person can use a VPN, but I doubt that he will be in the exact location where I usually am) asking for verification, plus he'll need to enter a 6-digit code.

How can someone hack or brute that?
legendary
Activity: 3668
Merit: 6382
Best way to store your private key physically? Heard of cryptosteel but wouldn't that have to be hidden somewhere, similar to if you wrote it down on the cards?

Laminated paper in a safe may be almost as good.
Notes in a book in your library (if you have one) can be also pretty good, but you'll need a backup in case your house gets on fire.

The really good part with cryptosteel is that you can bury it and you're fine.
sr. member
Activity: 1372
Merit: 322
Best way to store your private key physically? Heard of cryptosteel but wouldn't that have to be hidden somewhere, similar to if you wrote it down on the cards?
Yeah, otherwise anyone known with BTC may steal your private key. Or even someone who doesn't know may throw it away too. In my case, I'm storing all of my crypto stuff in my room which is very safe. Be cautious if you are using a paper wallet. It may easily get destroyed.
full member
Activity: 1750
Merit: 186
Best way to store your private key physically? Heard of cryptosteel but wouldn't that have to be hidden somewhere, similar to if you wrote it down on the cards?
legendary
Activity: 2268
Merit: 18748
Look how I've saved my private key - while making a wallet, I made a photo of private key in iPhone "notes" and put a password on it.
This is a terrible way to store your private key. If I were you, I would be creating a new wallet and backing it up securely, and transferring all my coins to it immediately.

Notes will sync through both iCloud and other third party applications like Gmail, meaning there is a good chance that your private key is now stored on any number of servers located anywhere in the world, protected only by a simple password which you likely thought up yourself and can remember, meaning it is both short, non-random, and easily brute-forced. You are also trusting Apple 100% in terms of security, password protection, encryption algorithms, uploading process, server security, etc., etc.

There is a reason that every good wallet tells you to store your seed phrases on paper and offline.
sr. member
Activity: 1372
Merit: 322
Look how I've saved my private key - while making a wallet, I made a photo of private key in iPhone "notes" and put a password on it.
As a picture, it can't be copy/pasted from a document (so I won't fail with that somehow).

This is not a 100% safe way to keep the key, but at least I can't imagine how someone could connect to my iPhone, navigate in apps, tap on notes and fill the password form.
Your phone can easily be compromised and a hacker can get your private key. It's never a good way to go with such a sensitive matter. It's good for a small amount of BTC but for a bigger amount, you must use a paper wallet or hardware wallet. When you generate a seed key in Electrum wallet, it's written that you must not store it on an electronic device because these are prone to being compromised.
legendary
Activity: 2492
Merit: 1215
Look how I've saved my private key - while making a wallet, I made a photo of private key in iPhone "notes" and put a password on it.
As a picture, it can't be copy/pasted from a document (so I won't fail with that somehow).

This is not a 100% safe way to keep the key, but at least I can't imagine how someone could connect to my iPhone, navigate in apps, tap on notes and fill the password form.
legendary
Activity: 2450
Merit: 4415
~
are you going to make a physical backup like writing it on paper? then why not print the private key or seed on paper in first place?
Actually, a physical backup of a private key or seed phrase would be worse than the same backup of a master password. The reason is that in case of a random hacker attack, hackers need to know exactly what this password is for. It might be impossible for hackers to find out where to apply that password unless you were stupid enough to write all the information next to it. However, both a seed phrase and a private key have a notable structure and might be easily recognized.
legendary
Activity: 3472
Merit: 10611
Thoughts on program like lastpass and typing it in there and storing it in email?  First that person needs to hack your email.  Then they need to know the master password. 

answer me this, let's say you did encrypt it with a password. how are you going to store that password?
is it something you can memorize? if yes, then there is a good chance that the password you used is a weak one and the encryption can easily be broken.
are you going to back that up also on your cloud? that obviously is not safe!
are you going to make a physical backup like writing it on paper? then why not print the private key or seed on paper in first place?
legendary
Activity: 2296
Merit: 1014
Your email cannot keep your private key safe; it still could be hacked and the information collected.

Not to mention people that have access to your emails all the time, like for example the Gmail server maintenance team. They can pull out all private keys from Gmail. They probably want to keep their job so they won't do that for now, but who knows?
It's a really bad idea to store your private keys (BTC) on any cloud service (email included). Cloud service/synchronization options mean in reality that your information (private keys in this example) is put on another person's/company's server that they have full control of, which is bad.
full member
Activity: 1750
Merit: 186
Thoughts on program like lastpass and typing it in there and storing it in email?  First that person needs to hack your email.  Then they need to know the master password. 


What about typing in a document but encrypting it with AxCrypt? That way, if someone gets into your email, they still need the AxCrypt password?



Now what about lastpass.  But you encrypt lastpass too?  So basically you need your email password, axcrypt password and finally lastpass password?
legendary
Activity: 3542
Merit: 1965
What if you send portions of your Private key in no specific order and with several different emails within pictures with the help of Steganography? So you insert the first few letters and numbers within a couple of boring cat pictures and then you send a few more emails with different photos containing the remainder of the Private key to another email address you own or that someone else owns?

You then phone them and discuss the pictures in order, eg. So how did you like the picture with the cat in the basket? ....etc.. Nobody listening to the conversation will know that you are actually giving the receiver of that email the order in which he or she has to reconstruct that Private key.

In any way, if you are not under surveillance or a target from a hacker, normal people will not be able to decipher something complicated like this and it will be very difficult to spot.
legendary
Activity: 2268
Merit: 18748
40.5 bits of entropy, it's 7.8 random lower case alphanumeric characters, that's just 2 characters less than a $1.3M cost breakable password (9.8 char) according to this table. I don't think it's infeasible for most people to remember 2 extra random alphanumeric characters of the same case.
I also don't think it's infeasible to expect someone to remember a 10 character password. The majority of people in the world have memorized various phone numbers, addresses, email addresses, etc., which all contain more entropy than a 10 character password. The question isn't one of feasibility though, it's one of human nature. People choose passwords, and therefore passphrases, which are short, easy to remember, and quick to enter. Believing that everyone who owns a hardware wallet is using a long, random, and difficult to brute force passphrase is just wishful thinking. Given that only the minority do, it's not a good idea to tell people that they can safely store their seed online when in the vast majority of cases a compromised seed will lead to their funds being stolen.
legendary
Activity: 2604
Merit: 2353
Studies show that the average password has only 40.5 bits of entropy. The 6 lines on the table you've shared correspond to roughly 51, 54, 57, 61, 64 and 67 bits of entropy respectively. It's not clear how they have calculated their "attack costs", but since we can see that each increment of 3 bits of entropy results in a 10 fold increase in attack cost, we can work backwards and see that a 40.5 bit entropy passphrase would only require around $1,000 to break.
They've calculated the costs like this:

rent out an NVIDIA Tesla V100 GPU from Amazon AWS, which can compute 2160 million SHA-512 hashes per second (see hashcat benchmarks) at $3.06 per hour (see Amazon EC2 Pricing).
With the recovery seed in hand, checking one passphrase requires 2048 HMAC computations, the derivation of some public keys, and checking whether any of them appear on the blockchain. That amounts to over 4096 SHA-512 computations plus additional work checking the blockchain. Thus the attacker could check no more than 620 million passphrases for $1

https://blog.trezor.io/is-your-passphrase-strong-enough-d687f44c63af



The majority of users don't use a passphrase, and of those who do, the majority likely use something that is easy to remember that they have come up with themselves, meaning it is neither long nor random.
40.5 bits of entropy, it's 7.8 random lower case alphanumeric characters, that's just 2 characters less than a $1.3M cost breakable password (9.8 char) according to this table. I don't think it's infeasible for most people to remember 2 extra random alphanumeric characters of the same case.
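
The cost model quoted in the post above, worked through as an added example (not code from any poster or from the linked Trezor article). It assumes a uniformly random passphrase, an attacker who already holds the seed, and success after searching half the candidates on average; the function names are hypothetical.

```python
import math

# Figures quoted in the post above (taken from the linked Trezor article).
GPU_SHA512_PER_SEC = 2160e6   # NVIDIA Tesla V100, SHA-512 hashes per second
GPU_USD_PER_HOUR = 3.06       # quoted rental price for that GPU
SHA512_PER_GUESS = 4096       # SHA-512 computations to test one passphrase


def guesses_per_dollar(hash_rate=GPU_SHA512_PER_SEC,
                       usd_per_hour=GPU_USD_PER_HOUR,
                       hashes_per_guess=SHA512_PER_GUESS):
    """Upper bound on passphrase candidates testable for one dollar.

    Ignores the extra key-derivation and blockchain-lookup work the
    quote mentions, so a real attacker gets fewer guesses than this.
    """
    guesses_per_hour = hash_rate / hashes_per_guess * 3600
    return guesses_per_hour / usd_per_hour


def entropy_bits(length, alphabet_size):
    """Entropy of a passphrase whose characters are chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def exhaustive_cost_usd(bits):
    """Cost of trying every candidate in a 2**bits search space."""
    return 2 ** bits / guesses_per_dollar()


def expected_cost_usd(bits):
    """Average cost: assumption that the hit comes halfway through the space."""
    return exhaustive_cost_usd(bits) / 2


def min_random_length(budget_usd, alphabet_size):
    """Shortest random passphrase whose expected cracking cost exceeds the budget."""
    length = 1
    while expected_cost_usd(entropy_bits(length, alphabet_size)) <= budget_usd:
        length += 1
    return length


if __name__ == "__main__":
    print(f"guesses per $1: {guesses_per_dollar():,.0f}")
    # Entropy values discussed in the thread: the 40.5-bit average password
    # and the six rows of the table (roughly 51 to 67 bits).
    for bits in (40.5, 51, 54, 57, 61, 64, 67):
        print(f"{bits:>5} bits  expected ${expected_cost_usd(bits):>16,.0f}"
              f"  exhaustive ${exhaustive_cost_usd(bits):>16,.0f}")
    # Lowercase letters plus digits (36 symbols), as in the post above.
    for chars in (7.8, 9.8):
        print(f"{chars} chars of a-z0-9 = {entropy_bits(chars, 36):.1f} bits")
    for budget in (1_000, 1_000_000, 1_000_000_000):
        print(f"budget ${budget:>13,}: need {min_random_length(budget, 36)} "
              f"random a-z0-9 chars or {min_random_length(budget, 62)} "
              f"random a-zA-Z0-9 chars")
```

The model only holds for passphrases generated at random; a passphrase a person made up has far less entropy than its length suggests, which is the point argued in the replies.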
legendary
Activity: 2268
Merit: 18748
The hackers will try to evaluate the amount of your funds first and they will compare it to the cost for them to try to break your passphrase... and it's huge!
The majority of users don't use a passphrase, and of those who do, the majority likely use something that is easy to remember that they have come up with themselves, meaning it is neither long nor random.

Studies show that the average password has only 40.5 bits of entropy. The 6 lines on the table you've shared correspond to roughly 51, 54, 57, 61, 64 and 67 bits of entropy respectively. It's not clear how they have calculated their "attack costs", but since we can see that each increment of 3 bits of entropy results in a 10 fold increase in attack cost, we can work backwards and see that a 40.5 bit entropy passphrase would only require around $1,000 to break.

Think of the millions, if not billions of online accounts, emails, cloud servers, etc. that have been hacked. It is exponentially more common than a house being broken in to. Furthermore, someone can hack your email and steal your seed without you even knowing about it, so you wouldn't even know to transfer your coins out while they are busy brute forcing your passphrase.

Storing your seed online is dangerous.
legendary
Activity: 4354
Merit: 3614
sure, IF your passphrase is something like 36 truly random characters. but even then if a seed is compromised i would still create a new wallet (with a new seed) and move the coins over.

the passphrase will slow them down, perhaps for a long time, but would you leave your coin there knowing that? considering you'll probably never know someone has accessed your email/seed till it's too late?
It depends on the amount you store in your seed but if it's not millions of $ it's very unlikely to happen.
The hackers will check your funds in your seed first and they will compare to the cost for them to try to break your passphrase... and it's huge!



yes, today it's computationally expensive, and as that chart points out it's obviously less as time goes on. so long term largish amounts i would not want in any electronic form.

physical security of a printed/engraved/whatever seed is safer and easier for some, not so much for others. depends on your technical levels, the amounts, convenience, redundancy needed etc.

as long as people know how to calculate the risks they can choose what works best.

legendary
Activity: 2604
Merit: 2353
If you use a passphrase for your seed there are really few chances to be hacked. In reality I think they are fewer than losing your sheet of paper or being stolen by someone accessing your home.
sure, IF your passphrase is something like 36 truly random characters. but even then if a seed is compromised i would still create a new wallet (with a new seed) and move the coins over.

the passphrase will slow them down, perhaps for a long time, but would you leave your coin there knowing that? considering you'll probably never know someone has accessed your email/seed till it's too late?

i wouldn't.
It depends on the amount you store in your seed but if it's not millions of $ it's very unlikely to happen.
The hackers will try to evaluate the amount of your funds first and they will compare it to the cost for them to try to break your passphrase... and it's huge!

legendary
Activity: 4354
Merit: 3614
If you use a passphrase for your seed there are really few chances to be hacked. In reality I think they are fewer than losing your sheet of paper or being stolen by someone accessing your home.

sure, IF your passphrase is something like 36 truly random characters. but even then if a seed is compromised i would still create a new wallet (with a new seed) and move the coins over.

the passphrase will slow them down, perhaps for a long time, but would you leave your coin there knowing that? considering you'll probably never know someone has accessed your email/seed till it's too late?

i wouldn't.



legendary
Activity: 2604
Merit: 2353
Putting your keys in your email address is a very risky move indeed, simply because if your email gets hacked, even if you have backup in your local with the keys, still they can't open your wallet, before you even know it, i suggest here is the way to secure your wallet keys even online check the link
https://bitcoin.org/en/secure-your-wallet#online

Most of us make this mistake. Since we are in a hurry, we just email the private key to our email or, even worse, take a picture of it on our mobile, as we think it is time taking to write it down on a piece of paper. Saving these 5 minutes can cost you a lot of financial damage. Everyone should strictly follow this and never email or take a snapshot of the private key.

Yes. I also saved it in my email. But I learned from being a hack victim. My email was hacked once and the hacker got my seed. As a result I lost some of my funds. So you should never save your seed in email. Someone else may get your seed because of your carelessness.
If you use a passphrase for your seed there are really few chances to be hacked. In reality I think they are fewer than losing your sheet of paper or being stolen by someone accessing your home.
legendary
Activity: 4354
Merit: 3614
but remember that whenever you store your secrets in the cloud (whether it is a cloud server or email or anything like it) your secrets could potentially be accessed by hackers and who knows maybe they could some day break the encryption you used too. but storing them offline (like printed on paper) will always remain safer even if the encryption technique was broken someday.

this is my thought as well. once it's in the cloud you have no control, and it WILL NOT be deleted everywhere, no matter what they say. so, sooner or later, that super dooper encryption won't be enough. out go your secrets.

this is why my backups are local (well near local i guess).
full member
Activity: 798
Merit: 104
Putting your keys in your email address is a very risky move indeed, simply because if your email gets hacked, even if you have backup in your local with the keys, still they can't open your wallet, before you even know it, i suggest here is the way to secure your wallet keys even online check the link
https://bitcoin.org/en/secure-your-wallet#online
This is more common with newbies, they find it difficult or stressful saving their keys offline, forgetting that prevention is better than cure.
Personally i have my pks printed on papers and stored safely, it's the best way so far and it's working for me.

You are right that this is often more risky for beginners. At first I didn't know anything about it. I used to put my personal keys in an email and all my information was hacked. But now I feel the USB flash is the safest. There's no fear of being hacked and no one is going to be able to log in to your ID easily.
hero member
Activity: 1876
Merit: 721
Putting your keys in your email address is a very risky move indeed, simply because if your email gets hacked, even if you have backup in your local with the keys, still they can't open your wallet, before you even know it, i suggest here is the way to secure your wallet keys even online check the link
https://bitcoin.org/en/secure-your-wallet#online

Most of us make this mistake. Since we are in a hurry, we just email the private key to our email or, even worse, take a picture of it on our mobile, as we think it is time taking to write it down on a piece of paper. Saving these 5 minutes can cost you a lot of financial damage. Everyone should strictly follow this and never email or take a snapshot of the private key.

Yes. I also saved it in my email. But I learned from being a hack victim. My email was hacked once and the hacker got my seed. As a result I lost some of my funds. So you should never save your seed in email. Someone else may get your seed because of your carelessness.
legendary
Activity: 2268
Merit: 18748
But when you're not at home how do you use your seed if you haven't stored it online?
Why should you need to? You should only need your seed to recover access to a wallet you have otherwise lost. You don't need it day to day to use bitcoin. If I was going to be away from home for a significant period of time, I might take my seeds with me on an encrypted USB drive, but otherwise they stay firmly on paper only.

Moreover people often complain about losing the sheet of paper where they've written their seed. And it can also be stolen by people accessing your home.
Then back it up multiple times, or use a 3-of-5 (or similar) Shamir Secret Share. I'd also much rather that somebody needs to break in to my house than needs to break in to my email account.
legendary
Activity: 2604
Merit: 2353
First of all, the private key should not be stored on the cloud or any email service. But even if you think of doing so, you should first secure your email with a strong password and 2FA. Also you should keep your email and 2FA devices as secure as you would like to keep your exchange accounts.
It must be never; no matter how much security you want, it's not possible as long as you are storing your private key or seed key on a device which has an online connection. You will be compromised, although that depends on your holding value.
But when you're not at home how do you use your seed if you haven't stored it online?
Moreover people often complain about losing the sheet of paper where they've written their seed. And it can also be stolen by people accessing your home.
legendary
Activity: 2268
Merit: 18748
-snip-
As an addendum to this, if you are planning to encrypt your seed/private key/wallet before uploading it to your email or cloud storage, you should do so on a clean, live OS on an airgapped machine. Much like creating a paper wallet, it doesn't matter how secure the final product is if it was created in an insecure way. Obviously you will need to have your seed or private key in plain text on your computer prior to encrypting it. If you have malware, keyloggers, screen captures, or something else malicious on the computer you are using, it could very well steal your details prior to them being encrypted. Encrypt it on a clean, airgapped machine, transfer to a live machine via clean removable media, and upload to the cloud.

However I also wouldn't recommend this. Offline backups are safer.

But even if you think of doing so, you should first secure your email with a strong password and 2FA.
2FA on all your accounts is a good idea, but it should not be relied on. Depending on the type of 2FA you use, it is possible for an attacker to transfer or clone your 2FA method to a device they own, and it is also possible to disable it altogether.
sr. member
Activity: 1204
Merit: 388
I always believe that a forgotten private key or wallet is still the best so far as a definition of unhackable wallet 😁.
Actually, that's the most unsafe wallet because you have no full control over it.
Imagine if a hack happens.
jr. member
Activity: 236
Merit: 4
I always believe that a forgotten private key or wallet is still the best so far as a definition of unhackable wallet 😁.
legendary
Activity: 2156
Merit: 2100
First of all, the private key should not be stored on the cloud or any email service. But even if you think of doing so, you should first secure your email with a strong password and 2FA. Also you should keep your email and 2FA devices as secure as you would like to keep your exchange accounts.
It must be never; no matter how much security you want, it's not possible as long as you are storing your private key or seed key on a device which has an online connection. You will be compromised, although that depends on your holding value.
legendary
Activity: 3136
Merit: 1172
it was my mistake 4 years ago when my email was hacked and hackers got what I saved in that email.
I lost my bitcoin because of that carelessness.
since then I still use the manual method to save by taking notes in a book.
this is the old-fashioned way but it's very safe for me.

And that's the most recommendable way to store your sensitive information, but still we have a countless number of investors storing their information online, like email, cloud etc.

The information is out there; anyone doing exactly what they're advised not to do is only doing themselves harm because they'll be the ones to bear the consequences if their emails get hacked and the sensitive information falls into the hands of hackers. They're just acting out of ignorance. They don't value the coins they have, because if they did, they would have safeguarded them like a national treasure.

First of all, the private key should not be stored on the cloud or any email service. But even if you think of doing so, you should first secure your email with a strong password and 2FA. Also you should keep your email and 2FA devices as secure as you would like to keep your exchange accounts.
legendary
Activity: 3472
Merit: 10611
What about using an encryption program like AxCrypt? Wouldn't that be good enough though, like if you want to open the email document, you need to put in the AxCrypt password? Or is that still not good enough?

i am not familiar with AxCrypt but Google tells me that it is an open-source encryption software in which case it can be a good option for encrypting as long as you choose a very strong password (long, random and have mixed case and symbols) for your encryption and use a very strong encryption technique such as AES.

but remember that whenever you store your secrets in the cloud (whether it is a cloud server or email or anything like it) your secrets could potentially be accessed by hackers and who knows maybe they could some day break the encryption you used too. but storing them offline (like printed on paper) will always remain safer even if the encryption technique was broken someday.
full member
Activity: 1750
Merit: 186
What about using an encryption program like AxCrypt? Wouldn't that be good enough though, like if you want to open the email document, you need to put in the AxCrypt password? Or is that still not good enough?
jr. member
Activity: 122
Merit: 1
Putting your keys in your email address is a very risky move indeed, simply because if your email gets hacked, even if you have backup in your local with the keys, still they can't open your wallet, before you even know it, i suggest here is the way to secure your wallet keys even online check the link
https://bitcoin.org/en/secure-your-wallet#online
This is more common with newbies, they find it difficult or stressful saving their keys offline, forgetting that prevention is better than cure.
Personally i have my pks printed on papers and stored safely, it's the best way so far and it's working for me.
hero member
Activity: 2520
Merit: 952
When I created my first wallet (on blockchain wallet), I had private key saved on my email, stupid I know, but when you are new you don't know any better. And more often than not, you learn after that mistake costs.
hero member
Activity: 2814
Merit: 618
Putting your keys in your email address is a very risky move indeed, simply because if your email gets hacked, even if you have backup in your local with the keys, still they can't open your wallet, before you even know it, i suggest here is the way to secure your wallet keys even online check the link
https://bitcoin.org/en/secure-your-wallet#online

Most of us make this mistake. Since we are in a hurry, we just email the private key to our email or, even worse, take a picture of it on our mobile, as we think it is time taking to write it down on a piece of paper. Saving these 5 minutes can cost you a lot of financial damage. Everyone should strictly follow this and never email or take a snapshot of the private key.
sr. member
Activity: 1106
Merit: 310
Putting your keys in your email address is a very risky move indeed, simply because if your email gets hacked, even if you have backup in your local with the keys, still they can't open your wallet, before you even know it, i suggest here is the way to secure your wallet keys even online check the link
https://bitcoin.org/en/secure-your-wallet#online
newbie
Activity: 15
Merit: 12
it was my mistake 4 years ago when my email was hacked and hackers got what I saved in that email.
I lost my bitcoin because of that carelessness.
since then I still use the manual method to save by taking notes in a book.
this is the old-fashioned way but it's very safe for me.

And that's the most recommendable way to store your sensitive information, but still we have a countless number of investors storing their information online, like email, cloud etc.

The information is out there; anyone doing exactly what they're advised not to do is only doing themselves harm because they'll be the ones to bear the consequences if their emails get hacked and the sensitive information falls into the hands of hackers. They're just acting out of ignorance. They don't value the coins they have, because if they did, they would have safeguarded them like a national treasure.
sr. member
Activity: 1106
Merit: 252
it was my mistake 4 years ago when my email was hacked and hackers got what I saved in that email.
I lost my bitcoin because of that carelessness.
since then I still use the manual method to save by taking notes in a book.
this is the old-fashioned way but it's very safe for me.
legendary
Activity: 3472
Merit: 10611
How about hiding the PK into the hex of a photo?
Of course we won't put the PK as a whole in a photo. For example, we distribute a PK to 3 parts as follows:

the real question that you should be asking yourself is why are you trying so hard to avoid using the real encryption methods that are designed by cryptography experts, have been tested already and are very strong (example: AES)?
and as long as you can't come up with a reasonable answer to this important question, you should stick to using real encryption methods and follow the security recommendations.
hero member
Activity: 1778
Merit: 709
How about hiding the PK into the hex of a photo?
Of course we won't put the PK as a whole in a photo. For example, we distribute a PK to 3 parts as follows:

PK: E9873D79C6D87DC0FB6A5778633389F4453213303DA61F20BD67FC233AA33262
source https://en.bitcoin.it/wiki/Private_key

We prepare 3 photos, for example in the 3 of a mosaic photo

E9873D79C6D87DC0FB6A577 : photo_02.jpg
8633389F4453213303DA61F  : photo_03.jpg
20BD67FC233AA33262         : photo_01.jpg

Then save the photos on 3 different (private) cloud storage sites that we usually use to save other photos before.
Audio files can also be a pretty safe place for PK hex, or insert into the audio lyrics. IMO
legendary
Activity: 2114
Merit: 1693
I know I shouldn't. But my online life and lifestyle are totally dependent on Google and its ecosystem. Every one of my devices syncs through my Google account and in one way or another, my key details and even the private keys, passwords and 2FA secret codes are stored online. I can't just stay in one place or use a single device; there's no other option than living in a cloud. I don't prefer mobile OTP verification as I don't trust my government.

Well, I hope you use LastPass, or any other type of password manager? And not just Google Drive.


Today, so many wallets are compatible with a ledger nano S / X that it is just careless not to have one.
And you can save the seed on a piece of paper, an engraved piece of metal or in your head.

legendary
Activity: 3094
Merit: 1069
Well, I would not have made this post until this week. I have a cryptocurrency community on social media (Telegram) where I am doing my own bit to enlighten and empower those I can.
We tell them about cryptocurrency wallets and how they go about it. Well, I made it clear to them never to screenshot their private keys but rather write them down and put them away in a safe place.

But it has occurred more than once that private keys were written, sent and saved in some of my students' emails...

Well, this has huge consequences. I would want to reach out to the noobs: never improvise, instructions are instructions. When creating a wallet you are told to write your private keys down (not in email or on your device).
Your email cannot keep your private key safe; it could still be hacked and the information collected.

These are basic instructions and rules which, when overlooked, cause damage.

I know I shouldn't. But my online life and lifestyle is totally dependent on Google and its ecosystem. Every one of my devices syncs through my Google account and in one way or another, my key details and even the private keys, passwords and 2FA secret codes are stored online. I can't just stay in a place or use a single device, there's no other option than living in a cloud. I don't prefer mobile OTP verification as I don't trust my government.
sr. member
Activity: 1274
Merit: 265
The private key is what holds your bitcoins. Once it's compromised or hacked you can have a huge loss from that. Never store them electronically; rather store them offline on paper. Most of us don't do that, so as to make our work easy. You only know the worth of these keys once you have lost them.
legendary
Activity: 2268
Merit: 18748
Maybe if your friend put those keys inside a ZIP with a password, it could be a 'secure' way to hold them in the mail.
I still wouldn't recommend it.

There is a lot of heterogeneity in how secure archiving software is, and how securely it protects files when you apply a password to an archive. Even if it is using a strong encryption algorithm, then it is only as safe as the password you set. If an attacker is able to access and download the file, then they can run a brute force attack limited only by their own hardware, meaning they can check millions of passwords a second. If you have thought up your own password, then it is likely to be broken quickly, and only long, random, computer-generated passwords are likely to be safe.

Given that storing your seed online is widely considered a terrible idea, the people who are likely to do so are therefore those with low knowledge of good security practices, and so are very unlikely to be able to securely encrypt the data with a strong password.

Better to just stick to the usual advice of writing down your seed phrase on paper.
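An added illustration of the point made in the post above (it is not part of any post in this thread, and it is not the key derivation of any particular archiver): how long an offline guessing attack takes against a self-invented password compared with a long, computer-generated one, and how a memory-hard KDF such as scrypt turns the password into a key. The guess rate of one million per second is an assumption taken from the post's "millions of passwords a second"; the word-list size and the scrypt parameters are illustrative choices.

```python
import hashlib
import math
import secrets
import string

# Assumption: attacker speed taken from the post's "millions of passwords a second".
GUESSES_PER_SECOND = 1_000_000
SECONDS_PER_YEAR = 365 * 24 * 3600
ALPHABET = string.ascii_letters + string.digits  # 62 symbols


def generate_password(length: int = 22) -> str:
    """Computer-generated password: every character picked uniformly by a CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(choices: int, length: int = 1) -> float:
    """Bits of entropy in `length` independent, uniform picks from `choices` options."""
    return length * math.log2(choices)


def years_to_search_half(bits: float,
                         guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Expected years for an offline attacker to try half of the password space."""
    return 2 ** (bits - 1) / guesses_per_second / SECONDS_PER_YEAR


def derive_key(password: str, salt: bytes) -> bytes:
    """Derive a 256-bit key with scrypt (illustrative parameters).

    Each guess an attacker makes has to repeat this memory-hard computation,
    which lowers the achievable guess rate. It cannot add entropy that the
    password itself does not have.
    """
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=2**14, r=8, p=1, dklen=32)


# Constructed scenarios; the 100,000-entry word list is an illustrative assumption.
SCENARIOS = [
    ("dictionary word + 2 digits", entropy_bits(100_000 * 100)),
    ("8 random lowercase letters", entropy_bits(26, 8)),
    ("22 random letters/digits", entropy_bits(len(ALPHABET), 22)),
]


def report():
    """Return (label, entropy in bits, expected years to crack) for each scenario."""
    return [(label, bits, years_to_search_half(bits)) for label, bits in SCENARIOS]


if __name__ == "__main__":
    for label, bits, years in report():
        print(f"{label:28s} {bits:6.1f} bits  {years:.3g} years")
    salt = secrets.token_bytes(16)  # stored next to the ciphertext, not secret
    key = derive_key(generate_password(), salt)
    print("derived key length:", len(key), "bytes")
```

At the assumed rate the first scenario falls in seconds and the second in about a day, while the 22-character generated password stays out of reach even if the attacker is many orders of magnitude faster.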
sr. member
Activity: 896
Merit: 267
...
I keep on saying this same thing to a friend of mine a couple of years back, but he feels comfortable saving them in his emails. Just last year, in November, his entire wallet was wiped out into multiple wallets. Till now he has no idea how the scammer got access to his wallets. So tragic.
We need to be extra careful not to become victims of wallet hacks. Cyber criminals don't sleep; they're always on the watch.

Maybe if your friend put those keys inside a ZIP with a password, it could be a 'secure' way to hold them in the mail. But you are right, saving the private keys in the mail is a really insecure way to manage that sensitive information.
Even if you stored it with a password, hackers will still be able to get that file and then they will open it. Yes, it has a password, but you don't know what an experienced hacker can do, so to be safe do not put something that can help open your wallets in your emails, because once they get into your emails you're so done. Also, if you really want to be safe then use different emails; do not use a single one, because that will make the hacker's job much easier: it's like a one-stop hack and then he can get anything from you. The internet is a very dangerous place, we are not private in there, so be careful and wise in your actions.
legendary
Activity: 3346
Merit: 3125
...
I keep on saying this same thing to a friend of mine a couple of years back, but he feels comfortable saving them in his emails. Just last year, in November, his entire wallet was wiped out into multiple wallets. Till now he has no idea how the scammer got access to his wallets. So tragic.
We need to be extra careful not to become victims of wallet hacks. Cyber criminals don't sleep; they're always on the watch.

Maybe if your friend put those keys inside a ZIP with a password, it could be a 'secure' way to hold them in the mail. But you are right, saving the private keys in the mail is a really insecure way to manage that sensitive information.
jr. member
Activity: 122
Merit: 1
Well, I would not have made this post until this week. I have a cryptocurrency community on social media (Telegram) where I am doing my own bit to enlighten and empower those I can.
We tell them about cryptocurrency wallets and how they go about it. Well, I made it clear to them never to screenshot their private keys but rather write them down and put them away in a safe place.

But it has occurred more than once that private keys were written, sent and saved in some of my students' emails...

Well, this has huge consequences. I would want to reach out to the noobs: never improvise, instructions are instructions. When creating a wallet you are told to write your private keys down (not in email or on your device).
Your email cannot keep your private key safe; it could still be hacked and the information collected.

These are basic instructions and rules which, when overlooked, cause damage.
I keep on saying this same thing to a friend of mine a couple of years back, but he feels comfortable saving them in his emails. Just last year, in November, his entire wallet was wiped out into multiple wallets. Till now he has no idea how the scammer got access to his wallets. So tragic.
We need to be extra careful not to become victims of wallet hacks. Cyber criminals don't sleep; they're always on the watch.
hero member
Activity: 2744
Merit: 541
Totally agreed on this, because saving private keys in our email is just like giving all our crypto to the hackers, as they are very good at this. But seriously, never do such a thing if you want to keep our crypto assets safe.
Those people that say don't store it online even if you encrypt it, then what happens if something happens to your computer or usb physically?  Say a theft or fire?  Where is your backup then?  That is why i thought online backup has to be a must because if that happens, you can access dropbox or gmail and the file is there.
Well, that's why I always believed in having a physical copy of each, so whenever there are moments like this we can have another set of backups.
hero member
Activity: 2814
Merit: 576
I had this stupid idea in the past when I was still a newbie. I thought it's easier to access if I save it in email, and I can access it anytime as long as there is internet, but I realized it was a bad idea, and luckily no one was able to hack my private key with a thousand of dollars inside of the wallet.

We learn as we stay in crypto, but thanks to OP as this is necessary for newbies to know.
sr. member
Activity: 882
Merit: 282
Well, I would not have made this post until this week. I have a cryptocurrency community on social media (Telegram) where I am doing my own bit to enlighten and empower those I can.
We tell them about cryptocurrency wallets and how they go about it. Well, I made it clear to them never to screenshot their private keys but rather write them down and put them away in a safe place.

But it has occurred more than once that private keys were written, sent and saved in some of my students' emails...

Well, this has huge consequences. I would want to reach out to the noobs: never improvise, instructions are instructions. When creating a wallet you are told to write your private keys down (not in email or on your device).
Your email cannot keep your private key safe; it could still be hacked and the information collected.

These are basic instructions and rules which, when overlooked, cause damage.
Though it has not happened to me before, I am very careful with my private keys and password. I have an online wallet that I have used for more than three years now and I keep the private keys offline, but I am still afraid of friends that may lay their hands on them and withdraw my funds or coins from my wallet. I think we are at a time when we should follow OP's advice and recommendations, since email is no longer safe to store our private keys. I have enabled two-factor authentication on all my accounts because of hackers' activities, and since there is no safe system I also pray that God should keep the eyes of evil people from anywhere I store my coins.
hero member
Activity: 3024
Merit: 680
You must be careful when accessing your wallet with a private key, because if you log in on a phishing website you may lose your wallet data too. Hackers can easily access your data, so it's better to remember your private key.
Even not inputting your private keys to a phishing link.

Simply leaving your private key to a cloud storage or email gives you a total risk whenever the email provider gets hacked or your email has been reached and accessed by a hacker.

I want to ask  if it is safe to store private keys in secured .zip or .rar with password and stored it from email or any other online filehosting? Please explain also how it is risky or it is safe.
Better to write it down manually.
legendary
Activity: 2268
Merit: 18748
I want to ask  if it is safe to store private keys in secured .zip or .rar with password and stored it from email or any other online filehosting? Please explain also how it is risky or it is safe.
Could be very risky or could be relatively safe depending on a number of factors.

Some older zip or rar archivers just slap a very easily broken password on an archive. Most up-to-date archivers will encrypt the file with AES. If you have the private key in plain text on a malware infected computer, use an old archiver which doesn't encrypt and/or use a weak password, and then upload it to an easily hacked server, the chance of you losing all your coins rapidly approaches 100%. On the other hand, if you were to encrypt it using a proper encryption program like Veracrypt, with a very strong password, on an airgapped computer, transfer it to an internet enabled device and upload it to an encrypted file server, the risk is much lower.

If you don't really know what you are doing, you are much better just writing your seed down and storing it in a physically secure location.
legendary
Activity: 2506
Merit: 1394
I want to ask  if it is safe to store private keys in secured .zip or .rar with password and stored it from email or any other online filehosting? Please explain also how it is risky or it is safe.
legendary
Activity: 2268
Merit: 18748
The OP is not saying that the private keys are shared online; there are ways you keep documents in your email for future use, such as saving them in the draft folders. I have always saved my private keys in my email drafts because I have strong security on my email, such as the authentication of a code before logging in, and that is done using either my phone number or the Google authentication app.
And where do you think the drafts are stored, if not online? Everything in your email (inbox, outbox, trash, drafts, etc) is copied to an unknown number of servers across the world. How do you know all of them are secure? How do you know all the employees are trustworthy? Just because your account itself wasn't broken in to, doesn't mean that all the data inside it can't be accessed by other means.

Additionally, although 2FA is obviously a good idea to have on all your accounts, having 2FA doesn't make your account immune to being hacked by any means.

Storing private keys online, especially in plain text format, and then double especially telling people on a public forum that you do that, is terrible security.
full member
Activity: 980
Merit: 114
A private key should never be sent or shared online either via email or saved on clouds, drives etc. Consider it compromised and funds protected by it.
Instruct your students to invest in a hardware wallet if they are serious about crypto currencies since the private keys in hardware wallets never leave the safety of the device.
The OP is not saying that the private keys are shared online; there are ways you keep documents in your email for future use, such as saving them in the draft folders. I have always saved my private keys in my email drafts because I have strong security on my email, such as the authentication of a code before logging in, and that is done using either my phone number or the Google authentication app.
full member
Activity: 168
Merit: 214
Those people that say don't store it online even if you encrypt it, then what happens if something happens to your computer or usb physically?  Say a theft or fire?  Where is your backup then?
Physical back ups in a variety of secure locations, that no one knows about. Encrypt the file on an airgapped PC, copy to a couple of USBs, and store them in a safe deposit box, vault, personal safe, or similar.

Having said that, the best method is to not store your keys or seed electronically at all - you are better off using paper wallets or hardware wallets with the seeds backed up on paper.


Apart from what o_e_l_e_o said, you may also consider using tools like Crypto Steel too if you are paranoid about your paper getting destroyed.
legendary
Activity: 2268
Merit: 18748
Those people that say don't store it online even if you encrypt it, then what happens if something happens to your computer or usb physically?  Say a theft or fire?  Where is your backup then?
Physical back ups in a variety of secure locations, that no one knows about. Encrypt the file on an airgapped PC, copy to a couple of USBs, and store them in a safe deposit box, vault, personal safe, or similar.

Having said that, the best method is to not store your keys or seed electronically at all - you are better off using paper wallets or hardware wallets with the seeds backed up on paper.
hero member
Activity: 1820
Merit: 515
Those people that say don't store it online even if you encrypt it, then what happens if something happens to your computer or usb physically?  Say a theft or fire?  Where is your backup then?  That is why i thought online backup has to be a must because if that happens, you can access dropbox or gmail and the file is there.
Saving the private keys online is risky.

Do you think gmail is hard to hack? It is not much harder to hack, and we can see many people complaining that their bitcointalk accounts were hacked because their registered email was hacked, so saving it physically is the better solution.
full member
Activity: 1750
Merit: 186
Those people that say don't store it online even if you encrypt it, then what happens if something happens to your computer or usb physically?  Say a theft or fire?  Where is your backup then?  That is why i thought online backup has to be a must because if that happens, you can access dropbox or gmail and the file is there.
hero member
Activity: 1526
Merit: 596
Well, I would not have made this post until this week. I have a cryptocurrency community on social media (Telegram) where I am doing my own bit to enlighten and empower those I can.
We tell them about cryptocurrency wallets and how they go about it. Well, I made it clear to them never to screenshot their private keys but rather write them down and put them away in a safe place.

But it has occurred more than once that private keys were written, sent and saved in some of my students' emails...

Well, this has huge consequences. I would want to reach out to the noobs: never improvise, instructions are instructions. When creating a wallet you are told to write your private keys down (not in email or on your device).
Your email cannot keep your private key safe; it could still be hacked and the information collected.

These are basic instructions and rules which, when overlooked, cause damage.

That is certainly true. And not just emails, the same thing applies to all cloud storage hosts.

A lot of people say that as long as you encrypt it with a password, it doesn't matter where you store it. But in my opinion if someone is able to gain access to your email, it is likely that they were able to crack your password in the first place which makes encrypted file easy to crack as well, since so many people reuse their passwords for everything.

Even though it may seem convenient at the time and the risks are quite far away - trust me, you don't want to be placed in a situation where you are potentially out of pocket thousands of dollars if not more simply because you failed to follow simple procedures. Store it offline.
legendary
Activity: 2268
Merit: 18748
In my own keys and seed phrase, I put them into a plain text then I archive them to a rar file with password 3 times with 3 different passwords (what I mean is after I archived it to rar with the password I archive it again and add another password.) Then the 3rd archive I use base64 encode as my password to make sure if someone trying to brute-force my archived rar seed/privkeys it will take years before they can hack and since I archived it 3 times they can brute-force my archived seed/privkeys and hack after a decade.
This may or may not be relatively safe, depending on what RAR archiver you are using and what encryption method it uses. Some don't encrypt the data at all, others use AES128 or AES256. A better option, in my opinion, would be use a proper encryption program like Veracrypt, and encrypt it with that, rather than relying on a RAR archiver to encrypt it for you.

The other weak link in this chain is where you are encrypting it. If you are talking about encrypting a plain text file on your usual, everyday computer which is internet enabled, you have no guarantee that the plain text data hasn't already left your machine or been otherwise accessed before you encrypt it. You should be encrypting it on a clean OS on a device without the capability for internet access, and then transferring the encrypted file to your internet enabled computer for uploading.

The best option is not to store any sensitive data, encrypted or not, anywhere near the internet, emails, cloud servers, etc.
full member
Activity: 1750
Merit: 186
Well what if something happens physically in your house then and everything is destroyed or stolen?


I understand backing up your seed in your camera by taking a picture is bad and sending it to an email is foolish.  But if its encrypted, thats not good enough?


Example you type your seed in lastpass or keepass.  You need a password to open the program to reveal all your passwords.  You then upload it to dropbox or google drive.  Now the hacker would need to first hack into your dropbox or google drive account.  Then they would need to know the password for you lastpass or keepass.  So isn't that hard already for them?  I can understand it being easy if say that person targeted your computer and send you link etc to keylog you or you download something.  Also say you use axcrypt to encrypt it.  Example you encrypt lastpass or keepass. 


Now they need to


1. hack into your dropbox or gmail

2.  Know your email and password connected with your axcrypt account to encrypt the lastpass or keepass file

3.  Know the password for lastpass or keepass



So aren't these steps already pretty tough for a hacker?  The issue here though is if you do it this way, you need to remember 2 things, your lastpass/keepass password and your axcrypt password.  But the issue here is don't most ppl use a very long complicated password for axcrypt?  Thus that would mean doing this wouldn't work since you won't know your axcrypt password since its probably put in lastpass/keepass?



Also dont most of you use password managers like lastpass/keepass?  I mean u guys dont know your email and banking passwords right?  Thus keep everything there.  So if you keep everything there along with your private key but make sure you have a strong master password, that isn't safe enough?



So what i described which is the better method?  The one with the 3 steps or


1.   Hacker needs to hack into your dropbox or gmail

2.  Know the password for lastpass or keepass




The thing is i think most ppl dont know their axcrypt pw right and store that in lastpass or keepass?
legendary
Activity: 3374
Merit: 3095
I do usually save my private key or seed phrase in the memory card from mobile, after saving my private key I'll remove it and put into my closet.
This isn't a very good solution. Your plain text private key or seed phrase should ideally never touch an internet enabled device, even if the device is offline when you do it. You have no guarantees that there isn't malware on your device which will copy your key/phrase and transmit it to an attacker when internet access is restored.

If you want to save your phrase or key on a memory stick, then it should be encrypted and copied via a permanently airgapped device.
In my own keys and seed phrase, I put them into a plain text then I archive them to a rar file with password 3 times with 3 different passwords (what I mean is after I archived it to rar with the password I archive it again and add another password.) Then the 3rd archive I use base64 encode as my password to make sure if someone trying to brute-force my archived rar seed/privkeys it will take years before they can hack and since I archived it 3 times they can brute-force my archived seed/privkeys and hack after a decade.

The file is saved privately with google drive and I have a backup on my Gmail on the draft page.


As of now, no one knows that I have a backup on my email because I used a different email and never use it for online verification just to make sure no one knows my email.
member
Activity: 280
Merit: 14
I don't support saving private keys in an email; that is a foolhardy thing to do.
But wherever one decides to save their private keys, the major aim should be apt security and ease of access for the owners.
legendary
Activity: 2268
Merit: 18748
I do usually save my private key or seed phrase in the memory card from mobile, after saving my private key I'll remove it and put into my closet.
This isn't a very good solution. Your plain text private key or seed phrase should ideally never touch an internet enabled device, even if the device is offline when you do it. You have no guarantees that there isn't malware on your device which will copy your key/phrase and transmit it to an attacker when internet access is restored.

If you want to save your phrase or key on a memory stick, then it should be encrypted and copied via a permanently airgapped device.
full member
Activity: 504
Merit: 127
Finally I decided to USB flash, but I'm not sure that's safest place.
Storing private keys in USB FLASH is safe as long as they aren’t in the hands of an attacker. I hope you have hidden the USB Flash in a safe place.

But the first safest option is HARDWARE WALLETS, second USB FLASH, third is a paper wallet in my opinion. But paper wallets have some risks unless the user laminates them.
Hardware wallets are the best option to store your private key. But keep in mind that hardware and USB are the same: they are objects which we can misplace easily since they are small. If you are a sloppy person like me, USB flash could not be an option.

What I'll do in storing my private key is I'll use a notepad and write all of my private keys on all wallets on one of it and will save it on my desktop. Copy a file of that on my laptop, copy of that file to my phone, to my girlfriend's phone.
legendary
Activity: 2492
Merit: 1232
Re: Saving your private key in your email is a lethal move
Agree, it's like actually saving it on someone else's computer. You never know how many people have access to this data; it's a huge risk of your private key being compromised.
Security needs to be adjusted to a person's needs. Less money demands less security, more money demands more security.
You are right that when it comes to more money, more security is required. I do usually save my private key or seed phrase in the memory card from my mobile; after saving my private key I'll remove it and put it into my closet. But one thing that comes up in my mind: how about a body implant, like a microchip implant where your private key is stored? I am sure it is secure but I don't know if it is safe for humans.



Do you think this is possible or the same on the lethal move?
member
Activity: 576
Merit: 39
Flash drives might get corrupted, and so might a computer/laptop; cloud storage can be hacked, and so can email and social media accounts. The best choice is to make a hard copy of your private key and lock it somewhere safe, but you might forget where you placed it or it might get stolen. Hmm, looks like everything is lethal huh? XD
legendary
Activity: 2296
Merit: 1014
Re: Saving your private key in your email is a lethal move
Agree, it's like actually saving it on someone else's computer. You never know how many people have access to this data; it's a huge risk of your private key being compromised.
Security needs to be adjusted to a person's needs. Less money demands less security, more money demands more security.
full member
Activity: 616
Merit: 167
Just treat your private address with a corresponding level of security to its value.

If you've got ten bucks in an address, sure you could save that in an email or on your desktop, the repercussions are fairly minor if someone gets access.

If you've got hundreds, or even thousands then write it down manually and put in a safe. Just use commonsense.
legendary
Activity: 1624
Merit: 2481
How sure are you that encryption technology is safe and that it would stay safe in the future?

Simple answer: Mathematics.

Even with constantly increasing computing power, there are encryption algorithms which are (mathematically proven) secure.
RSA with a key length of 2048+ bit is safe for the next 10 years for example. 4096 bit keys are secure beyond 2030.

Same applies to AES with 256 bit. It is safe to use beyond 2030. Another good alternative is to use ECC.


In 10+ years, you could simply send all of your coins to a different address and encrypt that private key with a (more modern) encryption algorithm to have it secured for another period.



Let's say the "No Such Agency" finds a way to decrypt that encrypted email in the future

They don't find a way to "decrypt that encrypted mail", but to "break an encryption". And this - depending on the algorithm - is not possible, which is proven mathematically.



Security through obscurity can constantly change and it makes it very difficult for them to decipher the hidden messages.

Security through obscurity is a very very VERY bad approach.
Just google it, you will find tons of arguments why you should never rely on this.
sr. member
Activity: 826
Merit: 265
Finally I decided to USB flash, but I'm not sure that's safest place.
Storing private keys in USB FLASH is safe as long as they aren’t in the hands of an attacker. I hope you have hidden the USB Flash in a safe place.

But the first safest option is HARDWARE WALLETS, second USB FLASH, third is a paper wallet in my opinion. But paper wallets have some risks unless the user laminates them.



@OP, you may want to check this article for all the best possible options.
Yup, that’s totally safe as long as the USB remains safe. Other than that, I guess writing on paper will also be beneficial for us and our successors, as we really don’t know what will happen in the future and accidents happen on unexpected occasions.
I have written my private keys in separate formats and gave each of my children what they deserve, so when the time comes that I pass in unexpected ways they will continue my legacy here in crypto.
legendary
Activity: 2408
Merit: 4282
Ignorance and lack of information is a major contributor to this. Here are some of the possible reasons why newbies think storing private keys in email is the best solution:
  • They can easily remember where they stored their private key
  • It can be easily accessed from any device as long as they're connected to the internet
  • They have earlier been misinformed that storing sensitive information in their email is safe

Again, the type of wallet they use plays a major role in them storing their private key carelessly. A user making use of an online (web) or app wallet is more likely to store their private key in their email than a user making use of a hardware wallet. So again, they need to be informed of the best wallet to use to prevent issues like this (storing private keys in emails) from occurring.
legendary
Activity: 1624
Merit: 1130
Bitcoin FTW!
Emails aren't a good place to keep anything valuable, period. Even with multiple layers of security on your email like 2FA and SMS confirmation, there's still a chance your email could be compromised and you want to keep as little sensitive information as possible in your inbox when that happens. I periodically go through my emails and delete emails because of this.
hero member
Activity: 672
Merit: 526
Emails are completely unsafe for something like that. But it is necessary that at some point we have some kind of online solution to save a key. It may be just one, of multiple keys needed to open a wallet.

There are several reasons and times that you may have to see yourself completely away from several of your physical assets. As well as wallets, usb etc. When making a trip, being arrested, staying in the hospital. The simple way is to say that online and in the clouds is always the worst option. But in fact everything carries some kind of risk. And you should always analyze case by case.

In this student situation, it is important to demonstrate why email is unsafe to store the keys and also to exchange a range of information that may be confidential. A great opportunity to teach about encryption.
legendary
Activity: 2268
Merit: 18748
Security through obscurity can constantly change and it makes it very difficult for them to decipher the hidden messages.  
You can only change it with every message if you have a separate and 100% secure way of communicating with the recipient to reveal your new method (in other words, meeting up in person with no electronic devices around), in which case you are far better just using that secure method to transfer the information you need to. I make a point of keeping anything truly sensitive well away from the internet, email, cloud servers, etc., even if it is encrypted.

Additionally, if an agency had the computing power to break 256-bit, then they can certainly brute force anything along the lines of swapping digits around or including extra nonsense characters.
legendary
Activity: 3542
Merit: 1965
Let's say the sender and the recipient agrees that the first 3 numbers or letters will be ignored and then the 5th and the 7th and replaced with something else, then it would not make up a recognisable private key.
This is essentially security through obscurity, and is generally a bad way to store any sensitive information. If you absolutely must send something sensitive via email, the best way is an encrypted file with a previously (and securely) agreed upon key.

The same advice throughout this thread obviously applies to mnemonic seeds as well. Too many people store electronic copies of their mnemonic seed, which again, is a terrible idea. Write it down or engrave it, and store it somewhere physically secure.

How sure are you that encryption technology is safe and that it would stay safe in the future? Let's say the "No Such Agency" finds a way to decrypt that encrypted email in the future, then your sensitive information would be exposed and used against you in the future, and encrypted data would be an ideal target for them.

Security through obscurity can constantly change and it makes it very difficult for them to decipher the hidden messages.
legendary
Activity: 2268
Merit: 18748
Let's say the sender and the recipient agrees that the first 3 numbers or letters will be ignored and then the 5th and the 7th and replaced with something else, then it would not make up a recognisable private key.
This is essentially security through obscurity, and is generally a bad way to store any sensitive information. If you absolutely must send something sensitive via email, the best way is an encrypted file with a previously (and securely) agreed upon key.

The same advice throughout this thread obviously applies to mnemonic seeds as well. Too many people store electronic copies of their mnemonic seed, which again, is a terrible idea. Write it down or engrave it, and store it somewhere physically secure.
legendary
Activity: 3234
Merit: 1375
Slava Ukraini!
Storing private keys in USB FLASH is safe as long as they aren’t in the hands of an attacker. I hope you have hidden the USB Flash in a safe place.

But the first safest option is HARDWARE WALLETS, second USB FLASH, third is a paper wallet in my opinion. But paper wallets have some risks unless the user laminates it.
Of course hardware wallets are the best choice, I have already used one for almost a few years. But still, USB flash is needed for me to keep the recovery phrase. I have written it down on a sheet of paper, but as already said, paper isn't a very safe thing - over time ink fades, and paper deteriorates, it's easy to destroy it with water and it can get lost easily.
full member
Activity: 924
Merit: 221
no, it is saying that there are malwares that can hide on your USB disk and be transferred to your cold storage alongside the raw unsigned tx which you are transferring to be signed and they can steal your keys while you are transferring the USB disk back to the online computer to broadcast the signed tx.

a simple solution which 100% solves this is usage of QR codes with a camera instead of USB disk.
You can hide your USB through like this I'm sure it is impossible to hack or steal from scammers or even one of your family member.

Anyone who wants to try this just send me a PM.

There's a lot way of keeping your private, that is our responsibility to keep them safe. But in a small amount, I think that is not necessary to keep in USB, just a piece of paper would be fine and put into your personal pocket wallet.
This is more secure than I thought of saving a private key in a usb for sometimes it could be misplaced or stolen by someone and could compromise your holdings.

BTW, does this USB have a safety feature so that if one is going to eat it, it will prevent damage from the liquids passed through the mouth? I hope so, so that it could be really helpful and it could be one of the great saving devices for a wallet private key.
legendary
Activity: 1624
Merit: 2481
Your email cannot keep your private key safe; it still could be hacked and the information collected.


It seems like the majority of people still don't know how the email protocol works.

EVERY mail server (again: EVERY) between you and your recipient can read the mail in plain text.

It is not (and never was) a good idea to use (non-encrypted) emails to transmit sensitive information.
The email protocol is from 1980. It is extremely outdated and not secure at all.

Just because it is used everywhere, it doesn't mean it is something good / safe / secure.


Actually, you shouldn't store private keys on a device which is connected to the internet at all. Storing them on a mail server is just plain dumb.
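As an added illustration of the two points made in this thread (every relay on the path handles the message, and a key that has been in a mailbox should be treated as compromised), the following sketch audits a stored message for checksum-valid WIF private keys and counts the `Received` hops. It is example code written for this page, not from any poster; the function names, the throwaway key and the sample message are all constructed.

```python
import hashlib, re
from email import message_from_string

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Shape of a WIF key: '5' + 50 chars (uncompressed) or 'K'/'L' + 51 chars (compressed).
WIF_RE = re.compile(r"\b[5KL][1-9A-HJ-NP-Za-km-z]{50,51}\b")

def _checksum(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def b58check_encode(payload: bytes) -> str:
    """Used here only to build the constructed sample key."""
    data = payload + _checksum(payload)
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(data) - len(data.lstrip(b"\x00"))) + out

def b58check_decode(s: str):
    """Return the payload if the 4-byte double-SHA256 checksum verifies, else None."""
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)
    pad = len(s) - len(s.lstrip("1"))
    raw = b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    ok = len(raw) > 4 and raw[-4:] == _checksum(raw[:-4])
    return raw[:-4] if ok else None

def is_wif(s: str) -> bool:
    p = b58check_decode(s)  # 0x80 version byte + 32-byte key (+ 0x01 if compressed)
    return p is not None and p[0] == 0x80 and len(p) in (33, 34)

def audit(raw_message: str):
    """Return (number of Received hops, checksum-valid WIF strings in the body)."""
    msg = message_from_string(raw_message)
    hops = msg.get_all("Received") or []
    body = msg.get_payload()  # single-part text only; multipart needs msg.walk()
    return len(hops), [c for c in WIF_RE.findall(body) if is_wif(c)]

# Constructed sample data: a throwaway key (bytes 01..20) and a mistyped copy of it.
SAMPLE_KEY = b58check_encode(b"\x80" + bytes(range(1, 33)))
DECOY = SAMPLE_KEY[:-1] + ("2" if SAMPLE_KEY[-1] != "2" else "3")
SAMPLE_EMAIL = (
    "Received: from mx2.example.net by mx.example.org; Mon, 1 Jan 2024 10:00:03 +0000\n"
    "Received: from smtp.example.com by mx2.example.net; Mon, 1 Jan 2024 10:00:02 +0000\n"
    "Received: from laptop.example by smtp.example.com; Mon, 1 Jan 2024 10:00:01 +0000\n"
    "From: student@example.com\nTo: me@example.org\nSubject: backup\n\n"
    f"my wallet key: {SAMPLE_KEY}\nold one (typo): {DECOY}\n"
)

if __name__ == "__main__":
    print(audit(SAMPLE_EMAIL))
```

The checksum test is what separates a real key from a look-alike string, so any hit from such an audit means the funds behind that key should be moved to a freshly generated one.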
legendary
Activity: 3542
Merit: 1352
Of course. Knowing how easy it is to actually get in on one's email and snoop on all of the contents of it, no one in their sane mind would even think of saving their private keys and other vital information on their email. If life's really that tough, then perhaps save your keys on your phone or write it down somewhere safe. It should be common knowledge that emails are insecure places to store sensitive data be it private keys, banking details, personal info.. the list goes on.
legendary
Activity: 3542
Merit: 1965
Well, not entirely true. If you and the recipient have come to some sort of agreement to obscure the whole private key, by for example breaking it up and sending it with other numbers/letters in several different emails, then people will not be able to extract the private key from your emails.

Let's say the sender and the recipient agree that the first 3 numbers or letters will be ignored and then the 5th and the 7th and replaced with something else, then it would not make up a recognisable private key.
legendary
Activity: 2492
Merit: 1232
no, it is saying that there are malwares that can hide on your USB disk and be transferred to your cold storage alongside the raw unsigned tx which you are transferring to be signed and they can steal your keys while you are transferring the USB disk back to the online computer to broadcast the signed tx.

a simple solution which 100% solves this is usage of QR codes with a camera instead of USB disk.
You can hide your USB through like this I'm sure it is impossible to hack or steal from scammers or even one of your family member.

Anyone who wants to try this just send me a PM.

There's a lot way of keeping your private, that is our responsibility to keep them safe. But in a small amount, I think that is not necessary to keep in USB, just a piece of paper would be fine and put into your personal pocket wallet.
legendary
Activity: 2366
Merit: 2054
Even if they are students and familiar with pen and pencil, you have to instruct them first of all to write the private key on paper, double check the spelling of the private key, then keep the laminated paper in a very safe place.
legendary
Activity: 3472
Merit: 10611
Yeap, even air gaps aren't sufficient to protect your keys since there are ways to bypass it. For example, see how Stuxnet spread.

Found this good illustration online to demonstrate how USB can be used to exfiltrate private keys.

If I get the image correctly, it seems the reason why the private key was stolen is that the user downloaded malicious software from the internet and install it on his cold wallet. That's definitely not what we should do.

no, it is saying that there are malwares that can hide on your USB disk and be transferred to your cold storage alongside the raw unsigned tx which you are transferring to be signed and they can steal your keys while you are transferring the USB disk back to the online computer to broadcast the signed tx.

a simple solution which 100% solves this is usage of QR codes with a camera instead of USB disk.
legendary
Activity: 2170
Merit: 1789
Yeap, even air gaps aren't sufficient to protect your keys since there are ways to bypass it. For example, see how Stuxnet spread.

Found this good illustration online to demonstrate how USB can be used to exfiltrate private keys.

If I get the image correctly, it seems the reason why the private key was stolen is that the user downloaded malicious software from the internet and installed it on his cold wallet. That's definitely not what we should do.
full member
Activity: 168
Merit: 214
WhoTookMyCrypto.com
Yes, but only IF you know and you're actually very sure that you know what you're doing. Your private keys can still be compromised even a USB flashdrive is offline, if you manage to mess something up when you're on the process of generating the keys and saving it to the USB flashdrive on your computer.

Yeap, even air gaps aren't sufficient to protect your keys since there are ways to bypass it. For example, see how Stuxnet spread.

Found this good illustration online to demonstrate how USB can be used to exfiltrate private keys.

mk4
legendary
Activity: 2870
Merit: 3873
Paldo.io 🤖
or a device where there is no internet connection like a USB for example.

Yes, but only IF you know and you're actually very sure that you know what you're doing. Your private keys can still be compromised even if a USB flash drive is offline, if you manage to mess something up when you're in the process of generating the keys and saving them to the USB flash drive on your computer.
full member
Activity: 168
Merit: 214
WhoTookMyCrypto.com
Trezor has made a good article on this: https://blog.trezor.io/https-blog-trezor-io-keep-your-seed-phrase-away-from-lions-edcc105457a0

While they talk about seed phrase instead of private keys, the recommendations provided are equally applicable to securing your private keys.
legendary
Activity: 2352
Merit: 6089
bitcoindata.science
A private key should never be sent or shared online either via email or saved on clouds, drives etc. Consider it compromised and funds protected by it.
Instruct your students to invest in a hardware wallet if they are serious about crypto currencies since the private keys in hardware wallets never leave the safety of the device.

That's 100% correct.

Bitcoin is genius because the keys are held offline, they cannot be hacked. If you hold them online, you are doing it wrong and making them available for hackers.

You can just note down your seed and store in a safe physical location, hidden.
member
Activity: 98
Merit: 15
Storing private keys in USB FLASH is safe as long as they aren’t in the hands of an attacker. I hope you have hidden the USB Flash in a safe place.
For more than 2 years I have saved my private key to USB Flash and this is very safe, I think.
But you must be careful when you access your wallet with the private key. If you log in on a phishing website, a hacker can steal your wallet too.

Bookmarking the website is important, but with Bruteforce they can move a website you visited to their phishing site.
So, don't bookmark in your Searching Browser. Better you save it as a text file and save it to your USB Flash.
hero member
Activity: 1498
Merit: 596
Finally I decided to USB flash, but I'm not sure that's safest place.
Storing private keys in USB FLASH is safe as long as they aren’t in the hands of an attacker. I hope you have hidden the USB Flash in a safe place.

But the first safest option is HARDWARE WALLETS, second USB FLASH, third is a paper wallet in my opinion. But paper wallets have some risks unless the user laminates it.



@OP, you may want to check this article for all the best possible options.
legendary
Activity: 3234
Merit: 1375
Slava Ukraini!
Storing private in email is stupid idea definitely. It's something similar like to lock your house and leave keys in the lock.
I heard some similar stories when people keep their private keys, back up file or recovery phrase in cloud storages like Google Drive because they consider that is safer place in case if something will happen to their computer. Also, I know that some people just take photo of their private key or recovery phrase and just keep it on their phone.
When I was a less experienced user, I also had a dilemma about where to keep these things. I instantly rejected the idea of writing it down, because a sheet of paper doesn't look like the safest thing. I also didn't save it on my PC or online storages. It was difficult to choose where to keep these things. Finally I decided to USB flash, but I'm not sure that's safest place.
hero member
Activity: 2268
Merit: 669
Saving private key online will only expose your private key to hackers out there where cloud save as an example can be hacked by hackers then they will be able to get your private key to access your crypto savings. It is already discussed here already on where or what is the best solution to save your private key which most cases is written on a piece of paper or a device where there is no internet connection like a USB for example.
legendary
Activity: 2730
Merit: 7065
A private key should never be sent or shared online either via email or saved on clouds, drives etc. Consider it compromised and funds protected by it.
Instruct your students to invest in a hardware wallet if they are serious about crypto currencies since the private keys in hardware wallets never leave the safety of the device.
full member
Activity: 280
Merit: 215
Well I would not have made this post not until this week I have a cryptocurrency community on social media(telegram) we doing my own bit to enlighten and empower those I can.
We tell them about cryptocurrency wallets and how they go about it. Well, I made it clear to them never to screenshot their private keys but rather write them down and put them away in a safe place.

But it has occurred more times where private keys were written, sent and saved on some of my students' emails...

Well this has huge consequences. I would want to reach out to the noobs never improvise instructions are instructions when creating a wallet you are told to write your private keys down(not on email or on your device).
Your email cannot keep your private key safe; it still could be hacked and the information collected.

It's basic instructions and rules that, when overlooked, cause damage.