Topic: So, bitcoin client still use unencrypted wallet.dat - page 3. (Read 7533 times)

I presumed that this was what he intended, and I pointed out the problem with that scheme. A human will have to choose a password simple enough that they can remember it for many years but complex enough that an attacker cannot brute force it even if the attacker specifically knows which wallets have the largest BitCoin balances and the attacker has a botnet to use to brute force passwords on.

I wasn't kidding about my example. I really did have a password I used at least 20 times a week for more than six years that I didn't use for 8 months and forgot. It was a short/simple password too.

How bad this is depends to some extent on password complexity rules. If you force a very complex password, you ease the brute forcing issue. If you don't, you ease the password forgetting rule. Maybe someone knows how to make this work. I don't.

Users do not really understand the concept of a password that absolutely cannot be bypassed. A regular question on many forums is some variant of "I forgot the password to my X, how do I recover it?" where X is a WinRAR archive or a disk encryption scheme. They are stunned that the answer is "you're 100% screwed".

But I cannot do a fair job of criticizing a scheme without knowing what that scheme is. Nor is it fair for him to argue we should add encryption because he imagines a scheme that is not actually capable of being realized.

You are making a bit of a strawman argument here.

Mike did not propose such a stupid idea to just protect the current wallet.dat file by password. He distinguished between the private and public keys, and he proposed that those private keys are protected only. And those private keys are only decrypted when an actual transaction is made.

It does not protect against everything - as I argued - but it isn't as stupid as you quote it either.

I don't think you understand what within wallet.dat needs to be protected and how passphrase based encryption works. If you did, you'd know the answers to your questions 2 and 3 are obvious.


Well, I'll leave you here demanding your scheme.

That's a trivial task. Every other video game kiddie knows how to cheat by manipulating RAM data. Reading only is even easier.

I don't think you understand the issue. By a "complete scheme", I mean answers to questions like:

1) Is password complexity enforced? If so, what are the complexity rules?

2) Is any other way provided to get into the private keys other than the password?

3) What is the password needed for? Only to send money? Or even to see what accounts exist on the system?

And so on.

Without a complete scheme, there is no way to evaluate the advantages and disadvantages. As I've said, I can't think of a scheme whose advantages outweigh the disadvantages.

1) Only if the client implementation allows this to be done. Memory pages can be locked and prevented from swapping to disk.

2) The private keys need only be unencrypted when payments are made or new addresses are created. And while possible in theory, for multiple reasons, reading the RAM of the Bitcoin client is probably the most difficult way to get the keys. A simple keylogger or even replacing the bitcoin client with your own (it's open source, after all) would work just as well. The thing is, these are very specific attacks and much more involved than just making a copy of wallet.dat. And the hacker still needs to wait until the passphrase is actually typed, giving the user time to notice something is wrong.

3) See second

And now I'm really done repeating myself.

1) Only true if you have full disk encryption. Otherwise, your operating system may have placed the unencrypted private data anywhere (temporary files, swap space ...)

2) Nonsense. Malware can just read the RAM of your Bitcoin client.

3) See second.

Please see the 9th post in this thread.

FWIW they are already implementing this. And I'm done arguing.

That doesn't protect you against malware at all.

Easier to understand now?

It isnt a bad thing that it may happen sometimes, but it would be a bad thing if it was the default.

Why do you say that as if it were a bad thing.

That's tools, not schemes.

But a forgotten password results in lost coins for the whole network, while stolen coins are still circulating.

The scheme is so standard from pgp, gpg, bcrypt, truecrypt etc it should be obvious.


The password (or in this case, passphrase) is as secure as the user chooses. ANY is better than none, because even a weak one needs some effort and custom tools to crack.


Then, write it down.


So you put lots of money in a bitcoin wallet and then don't use it?

People tend to be careful when it comes to money. If they aren't, they only have themselves to blame. I can't see how other peoples' idiocy is an excuse to hinder my security.


The first sentence makes no sense whatsoever. And I don't care how vast his network is, he is not going to crack my password in the remaining lifetime of the universe.

Maybe if BitCoins are successful it will be because a solution comes around that doesn't have either of these issues.

Someday I should tell you about the day my daughter fall and hit her head, and the many things she did that day that she has no recollection of. If you change your keypass password, keep a backup that can use the old password for at least a few days.

"If I'm in the hospital why don't I have one of those things on my wrist?" "Look at your wrist." "Oh!"
"Are you not supposed to tell me how I got here so they can see if I remember?" "Actually, I have several times."

I don't want to let the perfect be the enemy of the good. But I've yet to see a solution that I think is better than what we have now, for the average person.

Maybe thats true, in your case. But if bitcoins are 'successful' they will end up in the hands of a lot of users where this is not going to be true. I tihnk on average your statement will be false (and this prediction is tied to the adoption level of bitcoin in general).

BTW, I run keypass, with a monster master key. So I probably wouldnt remember my own bitcoin password. It would be stupidly complex. I would prefer that personally to a wallet.dat file in the open.

Because I believe they create more problems than they solve in this case. If you think otherwise, propose a schemce.

It applies only to this specific case. Passwords are great "is X allowed to do Y". They are *not* great for this case. At least, not in any of the proposals I've seen.

You are more likely to lose your BitCoins through forgetting your password than you are to have them stolen by a trojan. If the passwords are made short enough that people will remember them, they will be brute forced, giving the worst of both worlds -- a false sense of security, and a risk of losing your own wallet if you can't muster enough power to brute force.

I have yet to hear your proposal. I can't evaluate a proposal I haven't heard. I can't think of one that doesn't make things worse for the average user. Maybe you can. If so, let's hear it.

Why are you arguing against passwords? You seem to believe that passwords create more issues than they solve. Is this a universal thing, or does it only apply in the case of bitcoins (and why)?

I'm not asking if you think passwords have caveats (they do). I'm asking why you think they are worse than no encryption at all. For them to be worse, they would have to make MORE people vulnerable to bitcoin loss then unencrypted wallets. Seems unlikely. Surely, you don't advocate the universal abolishment of passwords? But that's exactly how I read your quote above.


*EDIT*
Let me say where I think this argument is coming from. Correct me if I'm wrong.
Your angle: People such as youself have secure machines, thus passwords do not add anything. For you, they only create the potential for a forgotten password.
My Angle: most people who pick up bitcoin will be vulnerable to wallet.dat theft, especially as the userbase shifts. Passwords can help protect a lot of them.

Solution? By default the client encrypts the wallet, but for advanced users it can be disabled (my target audience is likely to leave it an whatever the default is).

You haven't proposed a complete scheme, so you're comparing the advantages and disadvantages of something that exists to something that isn't even specified. For example, under 'encrypted', you assume the thief cannot brute force your password. That will mean that your password will have to be the kinds of things a human being can't memorize reliably. Yet you don't consider the risks of forgotten passwords.

Anyone who has been around computers for at least ten years has had the experience of using a system you used to use regularly one time after a year or more of not using it and having no idea what your password is. This is the #1 way people will lose their BitCoins.

Just a few months ago, I had to use a system I used to use daily for six years with the same password after having not used it for just 8 months. I had no idea what my password was and had to recover it. I must have typed that password at least 2,000 times. And this was a short/simple password, I think it consisted of a short English word and two digits that were meaningful to me -- but I don't even remember that for sure. A password that short would be useless for protecting your wallet. And there's nobody to recover your password for you with BitCoins.

Remember, if your password is only needed to transfer coins, the thief will know exactly how valuable cracking your wallet is. And he'll probably have access to a vast network of compromised machines to use to brute force your password.

If you have a scheme for wallet encryption that you think has advantages that outweigh its disadvantages, propose it.