
Topic: Storing my seed in Lastpass - page 2. (Read 3682 times)

hero member
Activity: 770
Merit: 500
🌟 COMSA ICO: 10/02/17 🌟
June 08, 2017, 01:22:19 AM
#23
Isn't putting your Electrum phrase in KeePass fine though?


Also, I assume most people have a copy of KeePass on Dropbox, right? So would that still be fine? The thing is, if you have your Electrum phrase in KeePass and also on Dropbox, then as long as you remember your KeePass master key password and your Dropbox password, isn't that really all that is needed? I mean, if Dropbox gets hacked... has it? Well, they still cannot open your KeePass file without your master password, right?


Thanks.

Yeah, I would think that should be fine as long as you are using a secure enough master password for KeePass that isn't easily brute-forceable. Also, you must be sure that you never reuse your KeePass master password for any other websites, which could end up leaking it in a compromise down the road.


Do others agree on this? Thus, as long as you use a strong enough master password for KeePass, typing the 12-word phrase in there would be fine?


Also, keeping a KeePass file on Dropbox would allow you to have an online backup? Can someone tell me if this is pretty much good enough so you don't need to keep a piece of paper in your apartment with your 12-word phrase on it, etc.?

Dropbox is the last place you want to store a seed, encrypted or not. If you use a non-memorable password, that is, at least 22 characters with symbols, you won't be able to memorize it. I think the definition of a secure password should be one that is so random it cannot be memorized. You are always better off keeping your seed on paper only, never online.



I'm confused here. But don't you want an online copy of your KeePass file as well? I mean, if you only store KeePass on your computer and, say, an external hard drive and USB... say something happens to all of these; then you have no KeePass file anymore. Thus wouldn't it be a must to have the KeePass file stored online as an online backup?


When you say Dropbox is the last place to store the seed, do you mean typing the seed into KeePass counts as that? Obviously I don't mean typing the 12-word phrase into Microsoft Word and then putting that document on Dropbox, if that's what you mean. But is there really an issue with putting the phrase in KeePass and then uploading it to Dropbox or any other online place like Google Drive, etc.?


legendary
Activity: 1806
Merit: 1164
June 07, 2017, 09:31:12 AM
#22
Isn't putting your Electrum phrase in KeePass fine though?


Also, I assume most people have a copy of KeePass on Dropbox, right? So would that still be fine? The thing is, if you have your Electrum phrase in KeePass and also on Dropbox, then as long as you remember your KeePass master key password and your Dropbox password, isn't that really all that is needed? I mean, if Dropbox gets hacked... has it? Well, they still cannot open your KeePass file without your master password, right?


Thanks.

Yeah, I would think that should be fine as long as you are using a secure enough master password for KeePass that isn't easily brute-forceable. Also, you must be sure that you never reuse your KeePass master password for any other websites, which could end up leaking it in a compromise down the road.


Do others agree on this? Thus, as long as you use a strong enough master password for KeePass, typing the 12-word phrase in there would be fine?


Also, keeping a KeePass file on Dropbox would allow you to have an online backup? Can someone tell me if this is pretty much good enough so you don't need to keep a piece of paper in your apartment with your 12-word phrase on it, etc.?

Dropbox is the last place you want to store a seed, encrypted or not. If you use a non-memorable password, that is, at least 22 characters with symbols, you won't be able to memorize it. I think the definition of a secure password should be one that is so random it cannot be memorized. You are always better off keeping your seed on paper only, never online.
hero member
Activity: 770
Merit: 500
🌟 COMSA ICO: 10/02/17 🌟
June 07, 2017, 01:02:54 AM
#21
Isn't putting your Electrum phrase in KeePass fine though?


Also, I assume most people have a copy of KeePass on Dropbox, right? So would that still be fine? The thing is, if you have your Electrum phrase in KeePass and also on Dropbox, then as long as you remember your KeePass master key password and your Dropbox password, isn't that really all that is needed? I mean, if Dropbox gets hacked... has it? Well, they still cannot open your KeePass file without your master password, right?


Thanks.

Yeah, I would think that should be fine as long as you are using a secure enough master password for KeePass that isn't easily brute-forceable. Also, you must be sure that you never reuse your KeePass master password for any other websites, which could end up leaking it in a compromise down the road.


Do others agree on this? Thus, as long as you use a strong enough master password for KeePass, typing the 12-word phrase in there would be fine?


Also, keeping a KeePass file on Dropbox would allow you to have an online backup? Can someone tell me if this is pretty much good enough so you don't need to keep a piece of paper in your apartment with your 12-word phrase on it, etc.?
legendary
Activity: 1806
Merit: 1164
June 06, 2017, 04:17:54 PM
#20
USB stick - TrueCrypt volume; pop it in there, encrypt it. Best place to keep them, and they're encrypted, so double protection. Just make a couple of backups for emergency use.

Using a TrueCrypt container can give you a false sense of security. First, when you typed your seed or password into a document you later saved in the container, you briefly exposed the seed or password to logging malware. Worse, any time you open a TrueCrypt container, your password and work are saved in virtual memory paging files, which are not erased on shutdown. You need to take steps to tell your machine to delete the paging files or (better) only run TrueCrypt from a computer with whole-disk encryption.

Interesting, I hadn't heard about the password being stored in paging files. Is it possible to actually extract a TrueCrypt volume password from a paging file even if the container is not currently mounted? Any links to documentation or proof of concepts on this?

Take a look at the TrueCrypt user manual. Windows leaks a lot.
legendary
Activity: 1736
Merit: 1023
June 06, 2017, 03:19:26 PM
#19
USB stick - TrueCrypt volume; pop it in there, encrypt it. Best place to keep them, and they're encrypted, so double protection. Just make a couple of backups for emergency use.

Using a TrueCrypt container can give you a false sense of security. First, when you typed your seed or password into a document you later saved in the container, you briefly exposed the seed or password to logging malware. Worse, any time you open a TrueCrypt container, your password and work are saved in virtual memory paging files, which are not erased on shutdown. You need to take steps to tell your machine to delete the paging files or (better) only run TrueCrypt from a computer with whole-disk encryption.

Interesting, I hadn't heard about the password being stored in paging files. Is it possible to actually extract a TrueCrypt volume password from a paging file even if the container is not currently mounted? Any links to documentation or proof of concepts on this?
member
Activity: 98
Merit: 10
June 06, 2017, 01:42:57 PM
#18
USB stick - TrueCrypt volume; pop it in there, encrypt it. Best place to keep them, and they're encrypted, so double protection. Just make a couple of backups for emergency use.

Using a TrueCrypt container can give you a false sense of security. First, when you typed your seed or password into a document you later saved in the container, you briefly exposed the seed or password to logging malware. Worse, any time you open a TrueCrypt container, your password and work are saved in virtual memory paging files, which are not erased on shutdown. You need to take steps to tell your machine to delete the paging files or (better) only run TrueCrypt from a computer with whole-disk encryption.

True. Or just use an air-gapped system when decrypting; like you say, doing it on a machine with FDE adds a 2nd layer of protection.

legendary
Activity: 1806
Merit: 1164
June 06, 2017, 01:39:21 PM
#17
USB stick - TrueCrypt volume; pop it in there, encrypt it. Best place to keep them, and they're encrypted, so double protection. Just make a couple of backups for emergency use.

Using a TrueCrypt container can give you a false sense of security. First, when you typed your seed or password into a document you later saved in the container, you briefly exposed the seed or password to logging malware. Worse, any time you open a TrueCrypt container, your password and work are saved in virtual memory paging files, which are not erased on shutdown. You need to take steps to tell your machine to delete the paging files or (better) only run TrueCrypt from a computer with whole-disk encryption.
member
Activity: 98
Merit: 10
June 06, 2017, 12:55:25 PM
#16
USB stick - TrueCrypt volume; pop it in there, encrypt it. Best place to keep them, and they're encrypted, so double protection. Just make a couple of backups for emergency use.
legendary
Activity: 1736
Merit: 1023
June 06, 2017, 12:53:59 PM
#15
Isn't putting your Electrum phrase in KeePass fine though?


Also, I assume most people have a copy of KeePass on Dropbox, right? So would that still be fine? The thing is, if you have your Electrum phrase in KeePass and also on Dropbox, then as long as you remember your KeePass master key password and your Dropbox password, isn't that really all that is needed? I mean, if Dropbox gets hacked... has it? Well, they still cannot open your KeePass file without your master password, right?


Thanks.

Yeah, I would think that should be fine as long as you are using a secure enough master password for KeePass that isn't easily brute-forceable. Also, you must be sure that you never reuse your KeePass master password for any other websites, which could end up leaking it in a compromise down the road.
hero member
Activity: 770
Merit: 500
🌟 COMSA ICO: 10/02/17 🌟
June 06, 2017, 01:16:46 AM
#14
Isn't putting your Electrum phrase in KeePass fine though?


Also, I assume most people have a copy of KeePass on Dropbox, right? So would that still be fine? The thing is, if you have your Electrum phrase in KeePass and also on Dropbox, then as long as you remember your KeePass master key password and your Dropbox password, isn't that really all that is needed? I mean, if Dropbox gets hacked... has it? Well, they still cannot open your KeePass file without your master password, right?


Thanks.
legendary
Activity: 1736
Merit: 1023
May 19, 2017, 09:28:59 AM
#13

First of all, if its a medium to large amount, keep it in cold storage.

But even for a small amount, I'm not sure I recommend LastPass... my understanding was data is kept locally, but not the best idea if your computer dies... just email yourself the seed or write it down (again, for small amounts).



If you value security, don't ever email yourself a seed. Email is extremely insecure and is in plaintext (unless encrypted with PGP or something). Storing in LastPass would be much more secure than email. That being said, it is probably a bit safer to store the seed offline in a secure place.
legendary
Activity: 1302
Merit: 1008
Core dev leaves me neg feedback #abuse #political
May 18, 2017, 11:47:16 PM
#12

First of all, if its a medium to large amount, keep it in cold storage.

But even for a small amount, I'm not sure I recommend LastPass... my understanding was data is kept locally, but not the best idea if your computer dies... just email yourself the seed or write it down (again, for small amounts).

full member
Activity: 154
Merit: 100
May 18, 2017, 11:13:27 PM
#11
Bumping an old thread to add my $.02

Storing your seeds online is no good. 

I personally use LastPass for all my passwords. The data are encrypted client-side and never transmitted or stored unencrypted on LastPass's servers. They were hacked a year or two ago, but the databases storing the encrypted passwords were not compromised. I believe they only got user information. LastPass caught the hack themselves (either in progress or shortly afterward) by detecting an abnormal traffic pattern between some of their servers.

So while I trust my encrypted passwords to LastPass, I don't trust the clients that decrypt those passwords (including my own computer) with my seed. There are vulnerabilities in LastPass clients that essentially trick the LastPass extension into filling hidden form fields on a website with all your passwords and posting them to their server behind the scenes. This may be fixed already, but it doesn't mean another zero-day exploit won't be revealed in the client that can do the same.

Don't trust your seed to an online computer if you care about the BTC that the private keys can access.
legendary
Activity: 1806
Merit: 1164
June 01, 2016, 09:47:02 AM
#10
If you are serious about security of your bitcoin your seed should never be displayed or typed on an online computer. Use a hardware wallet instead and write your seed on paper, store securely. If you use a hardware wallet that permits encryption of the seed with a passphrase you keep in your head you have an additional layer of protection. Using a PIN and simple passphrase on a Trezor provides very good security. Since the seed is worthless without the passphrase you can leave the seed with friends. Just do not forget your passphrase!

I am serious about security, but as this thread is showing, it really isn't as easy as it seems! I don't want to have to remember anything; if I leave my Bitcoin untouched for a while, I will forget any decent password/phrase.
I quite like BitcoinSupremo's idea, but then where do you store the 2 strong passwords? I guess the chances of someone getting into LastPass, taking each of those passwords, and having access to my saved .rar file are pretty remote.

I have read some Trezor threads about them crashing/malfunctioning; I think I would go for a paper wallet before a Trezor.


When you use Trezor the seed in effect is your bitcoin; the plastic device is a tool. You can crush your Trezor and be back up again in less than half an hour by recovering the seed to a new Trezor. Many folks who use Trezor keep a spare around in case of loss. I have never had a problem with Trezor crashing or malfunctioning. Once in a while the myTrezor.com site is down is all. If that happens you just use your Trezor with local Electrum.
legendary
Activity: 1218
Merit: 1003
June 01, 2016, 02:09:54 AM
#9
If you are serious about security of your bitcoin your seed should never be displayed or typed on an online computer. Use a hardware wallet instead and write your seed on paper, store securely. If you use a hardware wallet that permits encryption of the seed with a passphrase you keep in your head you have an additional layer of protection. Using a PIN and simple passphrase on a Trezor provides very good security. Since the seed is worthless without the passphrase you can leave the seed with friends. Just do not forget your passphrase!

I am serious about security, but as this thread is showing, it really isn't as easy as it seems! I don't want to have to remember anything; if I leave my Bitcoin untouched for a while, I will forget any decent password/phrase.
I quite like BitcoinSupremo's idea, but then where do you store the 2 strong passwords? I guess the chances of someone getting into LastPass, taking each of those passwords, and having access to my saved .rar file are pretty remote.

I have read some Trezor threads about them crashing/malfunctioning; I think I would go for a paper wallet before a Trezor.
legendary
Activity: 1806
Merit: 1164
May 31, 2016, 08:09:58 PM
#8
If you are serious about security of your bitcoin your seed should never be displayed or typed on an online computer. Use a hardware wallet instead and write your seed on paper, store securely. If you use a hardware wallet that permits encryption of the seed with a passphrase you keep in your head you have an additional layer of protection. Using a PIN and simple passphrase on a Trezor provides very good security. Since the seed is worthless without the passphrase you can leave the seed with friends. Just do not forget your passphrase!
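The posts above (#8 and the #9/#10 exchange) rest on one mechanical fact: on a Trezor, the written seed plus a passphrase kept in your head derives a wallet, and the same words with any other passphrase derive a completely different one, so the paper by itself is worthless to whoever finds it. The following is an added example written for this page, not code from any poster, Trezor or Electrum: it reproduces the standard BIP39 seed derivation (PBKDF2-HMAC-SHA512, 2048 rounds, salt "mnemonic" + passphrase) and the first BIP32 step, using the public all-zero-entropy BIP39 test mnemonic as constructed input. The `electrum_seed` variant uses Electrum's own salt prefix ("electrum") with a simplified normalisation; Electrum additionally lowercases and strips whitespace and accents, which this example omits.

```python
"""
Added example (not from the thread): how a hardware-wallet passphrase turns
the same seed words into a different wallet, and why a written seed alone is
not enough to spend from a passphrase-protected wallet.
"""
import hashlib
import hmac
import unicodedata

# Constructed sample: the public BIP39 test vector for all-zero entropy.
# It is published everywhere; never use it for real funds.
SAMPLE_MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
                   "abandon abandon abandon abandon abandon about")

PBKDF2_ROUNDS = 2048  # fixed by BIP39 (Electrum's scheme uses the same count)


def _nfkd(text: str) -> bytes:
    """BIP39 requires NFKD normalisation of both the mnemonic and the passphrase."""
    return unicodedata.normalize("NFKD", text).encode("utf-8")


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 64-byte BIP39 binary seed (what a Trezor turns into keys).

    Nothing validates the passphrase: every string yields a well-formed seed,
    so a wrong passphrase silently opens an empty wallet instead of failing.
    """
    salt = b"mnemonic" + _nfkd(passphrase)
    return hashlib.pbkdf2_hmac("sha512", _nfkd(mnemonic), salt,
                               PBKDF2_ROUNDS, dklen=64)


def electrum_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Electrum's native scheme: same construction, salt prefix 'electrum'.

    Simplified normalisation (NFKD only); real Electrum also lowercases and
    strips whitespace/accents. Electrum seeds are not BIP39 seeds, so the same
    words give different keys in the two wallets.
    """
    salt = b"electrum" + _nfkd(passphrase)
    return hashlib.pbkdf2_hmac("sha512", _nfkd(mnemonic), salt,
                               PBKDF2_ROUNDS, dklen=64)


def master_key(seed: bytes) -> tuple:
    """BIP32 step 1: master private key and chain code = HMAC-SHA512('Bitcoin seed', seed)."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def wallets_differ(mnemonic: str, passphrase_a: str, passphrase_b: str) -> bool:
    """True when two passphrases on the same words lead to different master keys."""
    key_a, _ = master_key(bip39_seed(mnemonic, passphrase_a))
    key_b, _ = master_key(bip39_seed(mnemonic, passphrase_b))
    return key_a != key_b


if __name__ == "__main__":
    # A one-character difference ("TREZOR" vs "TREZ0R") is a different wallet.
    for pw in ("", "TREZOR", "TREZ0R"):
        seed = bip39_seed(SAMPLE_MNEMONIC, pw)
        print(f"passphrase={pw!r:10} seed[:16]={seed.hex()[:32]}")
```

The practical consequence for the thread's question is the "silently opens an empty wallet" line: because the derivation never rejects a passphrase, a forgotten or mistyped passphrase looks exactly like a correctly restored wallet with zero balance, which is why the poster's warning "just do not forget your passphrase" is the real risk, not the device.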
copper member
Activity: 1442
Merit: 529
May 31, 2016, 03:32:28 PM
#7
I saved my seed in a LibreOffice 5 document in Linux and put a strong password on that document; in addition to that, I compressed it and also put a strong password on the RAR file. I put that file on different USBs plus my laptop and desktop. Today I needed that file and restored my Electrum wallet on my laptop without any problem at all. This is the best way to store your seed, in my opinion.
staff
Activity: 3500
Merit: 6152
May 30, 2016, 07:15:24 AM
#6
LastPass is an online password manager. It's definitely not recommended to store your seed or anything related to your private keys there.
I'd suggest storing them in KeePass instead, since it's an offline password manager and you have a portable database file (.kdx) which you can use anywhere as long as you have your master key.

PS: LastPass got hacked last year - https://www.coinprices.io/posts/a-guide-to-basic-password-security-the-danger-of-last-pass
I had read that article, but it also seemed to be somewhat rubbished as advertising for KeePass.

KeePass has had its problems too: https://thehackernews.com/2015/11/password-manager-hacked.html

I already have LastPass and love it; I just wasn't sure about using it for seeds.

I'm only giving you advice here, man, so it's up to you, but I have to mention a few things:

That hack was in 2015, and there were other versions of it, and they keep updating it, so it's secure now. Someone won't simply target you with a KeePass stealer in the first place unless he knows you are using it. Unlike LastPass, where he won't target you personally but will target the whole database and get a lot of users' passwords, and then it's just a matter of time till the information gets used or sold on the darknet.
As a bitcoin user, I suppose you understand that using online wallets (Coinbase/Blockchain.info) is insecure, yes? If that's the case, then it's the same case for LastPass.
legendary
Activity: 1218
Merit: 1003
May 30, 2016, 07:00:30 AM
#5
LastPass is an online password manager. It's definitely not recommended to store your seed or anything related to your private keys there.
I'd suggest storing them in KeePass instead, since it's an offline password manager and you have a portable database file (.kdx) which you can use anywhere as long as you have your master key.

PS: LastPass got hacked last year - https://www.coinprices.io/posts/a-guide-to-basic-password-security-the-danger-of-last-pass
I had read that article, but it also seemed to be somewhat rubbished as advertising for KeePass.

KeePass has had its problems too: https://thehackernews.com/2015/11/password-manager-hacked.html

I already have LastPass and love it; I just wasn't sure about using it for seeds.
staff
Activity: 3500
Merit: 6152
May 28, 2016, 06:40:56 AM
#4
LastPass is an online password manager. It's definitely not recommended to store your seed or anything related to your private keys there.
I'd suggest storing them in KeePass instead, since it's an offline password manager and you have a portable database file (.kdx) which you can use anywhere as long as you have your master key.

PS: LastPass got hacked last year - https://www.coinprices.io/posts/a-guide-to-basic-password-security-the-danger-of-last-pass