Topic: Security concerns of Bitcoin-QT with encrypted wallet? (Read 4609 times)

You would be better off doing this with a cheap dedicated device: http://youtu.be/1pDSzOiFgIk

OK quick question:

1) you have a dummy (empty) wallet.dat in .bitcoin so as your bitcoin-qt can stay up to date
2) you keep your real wallet.dat encrypted (say truecrypt) in a usb or maybe also on your mail or dropbox.
3) if you want to make a transaction:
    a) get your encrypted wallet
    b) decrypt it and copy it into .bitcoin
    c) make transaction
    d) replace real wallet.dat with dummy one

question: Is this secure enough or are you still in danger during the transaction (for as long as you have your real wallet.dat linked to bitcoin-qt)?

SK       

Jim, are you, by chance, a monolingual person? Are you capable of reading any other script than Latin?

Just lay off this problem. It tends to become a paranoidal obsession, similar to the one exhibited in other thread where very intelligent people assume that Internet is operational but all sources of time are compromised.

As far as your software: just make sure that Unicode and various Input Method Editors are operational.

Really just lay it off for a while: it isn't a technical issue and really a behavioral health issue.

But to answer the question, don't rely on something a simple key logger can defeat. I consider a password like a lock on a door. If you want security, get rid of the door!

Ugh. Please check your math.

In[1]:= 11^94

Out[1]= 7778796406007058285951393811497112871791787694\
6029329123560958680818697236800243835465535478292041

In[2]:= 94^11

Out[2]= 5062982072492057196544

My suggestion was to use a completely random set of capital letters, lowercase letters, numbers, symbols/punctuation which would provide 11⁹⁴ possible combinations.

You must not be very concerned about security if a couple of minutes of load time inconveniences you.

I used to be worried about keeping my Bitcoins safe, and being able to safely use them at the same time. Since I started using Armory it's no longer a concern. I keep multiple wallets with multiple levels of security and it works wonderfully. Put what you might spend on a more convenient wallet, put the rest in deep savings, offline only. Fund the spending wallet as needed with offline transfers.

I keep digital wallet backups in multiple physical locations to protect against disaster.

. . .  Are we talking 100's of universes of time to crack an 11-digit PW, or should I go with something even longer?

. . . If you use an eleven character password . . . If you really want it secure, use a completely random set of capital letter, lowercase letters, numbers, symbols/punctuation, and make sure that there aren't any "words".  Under those conditions, I'd expect an eleven character password to be beyond any current technology of cracking in your lifetime.  Want to be more sure?  Make it even longer . . .

A reasonable compromise would be a passphrase with just one non-word, e.g. "This is my gP#m6ij_% password." . . .

Correct Horse Battery Staple

You must not be very concerned about security if a couple of minutes of load time inconveniences you.

I used to be worried about keeping my Bitcoins safe, and being able to safely use them at the same time. Since I started using Armory it's no longer a concern. I keep multiple wallets with multiple levels of security and it works wonderfully. Put what you might spend on a more convenient wallet, put the rest in deep savings, offline only. Fund the spending wallet as needed with offline transfers.

I keep digital wallet backups in multiple physical locations to protect against disaster.

I wouldn't be worried about the encryption being cracked.  I'd be far more concerned with creating a password that won't be cracked.  If your eleven digit password is 11111111111, I'd expect it to get cracked.  If you use an eleven character password , but only use lowercase characters (such as "mysecurepwd"), I'd still expect it to be cracked.  Add in some numbers and symbols, and now you are improving your chances of having a secure password.  If you really want it secure, use a completely random set of capital letter, lowercase letters, numbers, symbols/punctuation, and make sure that there aren't any "words".  Under those conditions, I'd expect an eleven character password to be beyond any current technology of cracking in your lifetime.  Want to be more sure?  Make it even longer.  Of course, the problem with such a password is it can be difficult to remember it if you haven't used it in a while.  This tends to people writing the password down.  If you are going to put the password on paper, you might as well consider paper wallets, since either way you are subject to the same risks and benefits.

Just today I started playing around with Armory (offline and online wallets) and at first glance it seems pretty impressive.

Disclaimer: I am not exactly a technophobe, but compared to most others on this forum I'm quite close. So if anyone knows of any potential pitfalls with Armory, I'd like to hear about them.

I have a fresh install of Linux Mint on a Laptop that rarely touches the Net.
I use Armory and have a watch only Armory wallet on my Windows 8 machine.
I have multiple backups of my wallet in Truecrytpt containers... some in the cloud, some on a USB stick.
I feel pretty safe.

I wouldn't want bits of paper knocking around unless I had a fireproof safe.

A reasonable compromise would be a passphrase with just one non-word, e.g. "This is my gP#m6ij_% password.".

On the topic of passwords, the usage of Unicode characters hasn't been frequently discussed. It certainly broadens the dictionary that the attackers would have to use, at the cost of potentially finding encoding problems that prevent its legitimate usage. But think of it, a single "ñ", "β" or "©" can completely change the game.

If you really want it secure, use a completely random set of capital letter, lowercase letters, numbers, symbols/punctuation, and make sure that there aren't any "words".

How is the encryption?  Are we talking 100's of universes of time to crack an 11-digit PW, or should I go with something even longer?

Assuming that you don't have any old unencrypted copies of the wallet.dat sitting around anywhere, it sounds like you already understand it pretty well.  To steal/spend your bitcoins a potential thief would need both the encrypted private keys from your wallet.dat file and your password.  Electronically this can be done with a key logger.  I suppose it would also be possible to install a hidden camera that would record your keyboard to get the password.  Someone with that sort of access to your computer would probably be able to physically access your wallet.dat as well.  Same thing with looking over your shoulder while you type your password.

If we are talking really high tech, I suppose it might be possible to remotely record the sound of you tapping on the keyboard (laser picking up sound vibrations from your window?).  Using the rhythm, volume, and timing of your keystrokes, perhaps it would be possible to reduce the number of possible combinations to something that could be brute-forced?  If we want to think of this like a spy movie, I suppose someone could sneak in and clean all fingerprints off your keyboard just before you enter the room to send some bitcoins somewhere.  Then as soon as you leave they can identify which keys you hit by looking at the fingerprints?  A gun to your head might do the trick as well.