This seems to be a pretty common myth among Bitcoiners now. Often what I hear people say is that paper is not hackable, therefore your Bitcoins are safe from hackers. However, given actual real-world scenarios, I am going to show you that a paper wallet provides no more security than a properly made encrypted wallet stored on the PC.
For my examples, here is how the two types of wallets are created.
Paper wallet:
The user downloads software to generate a paper wallet; a common one is https://bitaddress.org.
Often the user will disconnect from the internet when generating the wallet, or if they are extra paranoid they will also use a live operating system, like an Ubuntu live CD, to run the paper wallet software.
The user generates a number of paper wallets; paranoid users will encrypt them with a password. The user will either print these out or handwrite them.
Encrypted wallet:
The user downloads wallet software such as Electrum.
The user then creates a new wallet and encrypts it with a strong unique password. The user should never enter this password anywhere other than the wallet software, and the password should be at least 80 bits strong. In my example the user will use a randomly generated 16 character password made up of upper and lower letters, numbers and special symbols, which is 106 bits.
The creation process:
We are going to pretend that the OS you use every day on your computer is infected with malware during the creation process and see how the two types of wallets are vulnerable.
Paper wallet:
When you are creating the paper wallet, any malware on your PC can read the private keys. What most people will tell you to do is disconnect from the internet, on the theory that this will prevent the malware from sending back the private key. It won't: the malware will simply wait until you reconnect to the internet and send the private key then.
But it doesn't even need internet to steal your bitcoins. The malware can interfere with the generation process itself, and give you a private key and Bitcoin address that is already known to the hacker. This is called backdooring the random number generator.
Now one will be quick to point out that if we are using a live OS like Ubuntu, the malware won't be running and cannot do anything. That might be the case for many types of dumb malware; however, there does exist malware that can hide in the BIOS and firmware of your computer and can infect your live operating system. Here are some examples of this type of malware in the wild:
http://www.theregister.co.uk/2015/02/17/kaspersky_labs_equation_group/
https://en.wikipedia.org/wiki/BadBIOS
If you print out your wallet, the printer provides a whole other avenue for attack. If it is a networked printer, when you hit print your computer will send your wallet out over the network unencrypted to the printer, allowing anyone to listen in and steal it. Some printers also have a built-in memory that stores what is printed out; even if you clear this memory, it is possible to recover it in some cases with proper forensics tools.
Encrypted wallet:
An encrypted wallet is just as vulnerable as a paper wallet during the creation process. It too can have its private keys transmitted by malware, or its random number generator backdoored.
Summary:
Both wallets are just as vulnerable to theft. Paper wallets are slightly more vulnerable if you use a printer.
Disconnecting from the internet is entirely pointless and provides no extra security whatsoever. Running a live OS will somewhat protect you from dumb malware; however, this is basically security through obscurity.
While your bitcoin is in storage:
Now we are going to pretend you've been infected with malware while your Bitcoins are in your wallet.
Paper wallet:
There is a small chance that whatever software you used to generate the paper wallet has left a trace behind on your computer during the creation process. The private key may have accidentally entered your swap and ended up written to disk. If this has happened, then the malware can steal your Bitcoins.
If this has not happened, then you are safe, because malware can't "jump" from your PC onto your paper wallet.
However, you are not safe from physical theft unless you encrypted your paper wallet.
Encrypted wallet:
The malware can steal your wallet file; however, the wallet file is encrypted. Because the password is 16 characters long, the hacker cannot access your wallet.
If the hacker had the computing power of all Bitcoin miners combined, it would take 45964.97 years to crack just your wallet, and that's under a best case scenario. So even though the malware can read the wallet, it cannot do anything with it. Now some of you are going to say "keylogger"; we'll get to that in the next part.
Summary:
While the Bitcoins are being stored in the wallet, both wallets are very safe. Bitcoins can be physically stolen from paper wallets if they are not encrypted, and if you use a weak password on your normal encrypted wallet then they can also be stolen.
While Sending Bitcoins:
Now we are going to pretend you've been infected with malware while you attempt to send Bitcoins from your wallet.
Paper wallet:
Once you enter the private key into your computer, the malware can immediately steal it and it's game over. Much like the creation process, disconnecting from the internet or using a live OS won't help much, as a Bitcoin transaction has a random number called a K value, which the malware can backdoor to steal your Bitcoins even if you are offline. Also, you need to go online to broadcast the transaction anyway.
Encrypted wallet:
Once you enter the password into your computer, the malware can immediately steal it (keylogger) and it's game over.
Summary:
Both wallets are completely vulnerable to theft.
Conclusion:
Paper wallets are hackable, despite claims that some people make, and are just as vulnerable as properly created encrypted wallets.
Paper wallets also have extra security concerns such as physical theft or if you use a printer.
Paper wallets may be cool, and they may be useful for some situations, but if you want to secure your Bitcoins, ignore all of the half-informed sheeple telling you to create a paper wallet and create a normal encrypted wallet, encrypt it with a strong randomly generated password and never enter this password anywhere other than the wallet software. This is safer than a paper wallet and MUCH more convenient. Also, paper wallets encourage address reuse, which is bad; if you use paper wallets you need to make a new wallet every time you make a transaction if you want any kind of privacy at all.