Wallet Security | Bitcointalksearch.org

HappyScamp

sr. member

Activity: 314

Merit: 250

Quote from: greyhawk on October 28, 2013, 06:17:00 PM

Quote from: Alty on October 28, 2013, 04:16:32 PM

I'm not an expert on computers but doesn't the brain wallet provide a unique output when somebody inputs random typing like......

3903450EFZDFZOJF3405340F9ZDFF034T038TGERPJEPRFP034FZEFZEF03450324534508ZEFZOFJZ ELFJ345

In other words it would be unlikely anybody else would type that exact code in and get the same brain wallet results?

As Dan said, humans are a bad source of randomness.

For example your string above fails on several levels
- you are using only a very small selection of characters from the available keyspace
- there are several repetitions of sequences

From the line above alone I can conclude you most likely use a keyboard with french layout. Your left hand was hovering slighty above qsdf, your right hand was hovering over the lower part of the numpad, you moved the right hand over to the alphanumeric keys twice (once in the middle of the string and once near the end), you were subconsciously typing on the right hand with a rhythm of thumb-ring finger-index finger (producing the oft repeated 034 sequence), similarily you subconsciously used a rhythm of ring finger - middle finger - index finger with the left hand (producing the ZEF sequence)

I like you!

canton

sr. member

Activity: 261

Merit: 285

Quote from: Jan on October 30, 2013, 02:51:58 PM

Demo: http://youtu.be/1pDSzOiFgIk

I really like the overall process you show in the demo, and it's something I might do myself -- but I'm concerned that you're recommending a process in which only a portion of the BTC balance on a paper wallet is 'swept' and the balance is sent back to the same paper wallet. As I understand it, this undermines the pseudo-anonymity provided by using a paper wallet. The instructions I provide regarding paper wallets is:

1) ALWAYS sweep the entire balance
2) If you want to keep some of the balance on a paper wallet, generate a new paper wallet and transfer the coins there.

If anonymity is not an issue, I believe your instructions are fine. But it's worth at least mentioning that this procedure involves sacrificing one of the much-touted benefits to using Bitcoin.

See: https://bitcointalksearch.org/topic/reusing-bitcoin-addresses-139381

bitcoinchecker

full member

Activity: 182

Merit: 100

Provider of Bitcoin products and services

What do you guys think of these ...

http://www.bit-card.de/cards/passphrase-protected-cards-two-factor/passphrase-protected-wallet-cards.html

Are they secure?

By secure, I mean in the process of generating the password/private key using a so-called verification key.

Are keyloggers the only thing to worry about?

Gabi

legendary

Activity: 1148

Merit: 1008

If you want to walk on water, get out of the boat

http://www.bitcointrezor.com/

Quote

The Hardware Bitcoin Wallet

Sure, 200$ is a bit too much for that Cheesy

The 4ner

hero member

Activity: 602

Merit: 500

R.I.P Silk Road 1.0

Ha ha!

BitchicksHusband

sr. member

Activity: 378

Merit: 255

Quote from: greyhawk on October 28, 2013, 06:17:00 PM

Quote from: Alty on October 28, 2013, 04:16:32 PM

I'm not an expert on computers but doesn't the brain wallet provide a unique output when somebody inputs random typing like......

3903450EFZDFZOJF3405340F9ZDFF034T038TGERPJEPRFP034FZEFZEF03450324534508ZEFZOFJZ ELFJ345

In other words it would be unlikely anybody else would type that exact code in and get the same brain wallet results?

As Dan said, humans are a bad source of randomness.

For example your string above fails on several levels
- you are using only a very small selection of characters from the available keyspace
- there are several repetitions of sequences

From the line above alone I can conclude you most likely use a keyboard with french layout. Your left hand was hovering slighty above qsdf, your right hand was hovering over the lower part of the numpad, you moved the right hand over to the alphanumeric keys twice (once in the middle of the string and once near the end), you were subconsciously typing on the right hand with a rhythm of thumb-ring finger-index finger (producing the oft repeated 034 sequence), similarily you subconsciously used a rhythm of ring finger - middle finger - index finger with the left hand (producing the ZEF sequence)

Dang, Sherlock! That's impressive. Not that you would still crack that in 1 million years.

Shallow

sr. member

Activity: 938

Merit: 255

SmartFi - EARN, LEND & TRADE

If you intend to store alot of coins in cold storage best not connect it to the webs at all.

acoindr

legendary

Activity: 1050

Merit: 1002

Quote from: Scott J on October 31, 2013, 08:43:58 PM

What I'm struggling to get my head around is that I need a 'clean' PC to generate my private keys for a paper wallet, so why not just install Bitcoin-qt and do NOTHING else with this computer, but send/receive transactions?

Is connecting to the internet inherently dangerous even if you don't download ANYTHING?

That depends.

What you're basically asking is if you can have a pet snake and never be bitten. The best way to guarantee that is don't have the snake. Generally speaking, no, you wouldn't worry simply connecting to the Internet. Absent local machine access a hacker needs a machine to "answer" instructions in some way which can be exploited. This might be a daemon running like telnet or a web server etc. There is also software like PC anywhere which allows remote computer control. Modern Windows computers often reach out remotely for "automatic updates" unless disabled. Throw the NSA into the mix and who knows when your computer is being remotely controlled. However, if your machine isn't set up in anyway to respond to network connections, you do nothing via web browser, and nobody inadvertently turns on or installs exploitable software directly your machine should be okay. The uncertainty is knowing no doors exist over time.

bythesea

full member

Activity: 168

Merit: 101

I use laptop for my wallet transaction and everything else related to bitcoin and transactions. My wallet password has 30+ characters and so on.

Scott J

legendary

Activity: 1792

Merit: 1000

Quote from: The 4ner on November 01, 2013, 09:24:49 AM

Quote from: Scott J on October 31, 2013, 05:46:25 PM

Sorry to keep asking the same sort of questions, but...

If I were to have an online computer with a guaranteed clean OS, running only bitcoin-qt, with no other software ever to be installed, how could someone steal my coins?

(Ignoring offline attacks)

Don't mean to sound rude but these questions doing from someone with a high level of activity? Sort of weird.
Having all that experience I would assume you should know most all of this basic knowledge of bitcoin.

I have never stored a large number of BTC on a PC at home, but this is something I would like to do in the future (I have found blockchain.info with 2FA to be fine so far).

Of course, I understand that all it takes is for some malware to get onto the PC and the coins are gone - what I am trying to work out is if there is a way to run Bitcoin-qt on a fresh PC and ensure that it is impossible for malware to infect it through your actions (or rather, your lack of actions). If you don't download anything, how can someone gain access? I don't know enough about hacking - can they hack through your router possibly?

This is all good advice: https://bitcointalksearch.org/topic/m.3443370

This thread has served as a bit of a thought experiment for me (and hopefully helped some newbies too).

The 4ner

hero member

Activity: 602

Merit: 500

R.I.P Silk Road 1.0

Quote from: Scott J on October 31, 2013, 05:46:25 PM

Sorry to keep asking the same sort of questions, but...

If I were to have an online computer with a guaranteed clean OS, running only bitcoin-qt, with no other software ever to be installed, how could someone steal my coins?

(Ignoring offline attacks)

Don't mean to sound rude but these questions doing from someone with a high level of activity? Sort of weird.
Having all that experience I would assume you should know most all of this basic knowledge of bitcoin.

Valerian77

sr. member

Activity: 437

Merit: 255

Quote from: Morbid on November 01, 2013, 08:39:26 AM

how exactly the backup recovery process work? what if i have several backups but only manage to recover slightly older version. what happens then with funds and blockchain?

Since the wallet.dat only holds the private keys for the addresses you can access all money bound to that addresses. If the version is old and some addresses are missing in the backup version that money will be lost. The blockchain does care about anybody who looses his addresses.

Morbid

legendary

Activity: 1202

Merit: 1015

how exactly the backup recovery process work? what if i have several backups but only manage to recover slightly older version. what happens then with funds and blockchain?

Valerian77

sr. member

Activity: 437

Merit: 255

Quote from: Scott J on October 31, 2013, 08:43:58 PM

Is connecting to the internet inherently dangerous even if you don't download ANYTHING?

Yes it is inherently dangerous. But following some rule reduces risks:
https://bitcointalksearch.org/topic/m.3443370

I am thinking over long time on the same problem now. Finally the point is: Know your system.
Paper wallets etc also have their flaws.

Scott J

legendary

Activity: 1792

Merit: 1000

Quote from: Valerian77 on October 31, 2013, 06:12:23 PM

Quote from: Scott J on October 31, 2013, 05:46:25 PM

If I were to have an online computer with a guaranteed clean OS, running only bitcoin-qt, with no other software ever to be installed, how could someone steal my coins?

The same way someone could inject malware or a virus in your system without your direct support. Basically the attacker must be able to run some code or script on your computer. If your system was just clean (you never know if it was really clean even if you think so) then there might be three primary leakages:

1. you use any browser and it is able to execute code (Java, Javascript, ActiveX, etc ...) which simply reads your key input (keylogger) and/or your wallet.dat

2. you install some software which serves an attacker as intrusion point and reads your keys and/or wallet.dat

3. some process on your system (who knows how it came where it is now) serves an attacker as intrusion point and reads your keys and/or wallet.dat

You'll never be sure for 100%. But if you follow some rules (one of my previous postings in this thread) the probability to loose Bitcoins gets low.

Thank you.

What I'm struggling to get my head around is that I need a 'clean' PC to generate my private keys for a paper wallet, so why not just install Bitcoin-qt and do NOTHING else with this computer, but send/receive transactions?

Is connecting to the internet inherently dangerous even if you don't download ANYTHING?

Valerian77

sr. member

Activity: 437

Merit: 255

Quote from: Scott J on October 31, 2013, 05:46:25 PM

If I were to have an online computer with a guaranteed clean OS, running only bitcoin-qt, with no other software ever to be installed, how could someone steal my coins?

The same way someone could inject malware or a virus in your system without your direct support. Basically the attacker must be able to run some code or script on your computer. If your system was just clean (you never know if it was really clean even if you think so) then there might be three primary leakages:

1. you use any browser and it is able to execute code (Java, Javascript, ActiveX, etc ...) which simply reads your key input (keylogger) and/or your wallet.dat

2. you install some software which serves an attacker as intrusion point and reads your keys and/or wallet.dat

3. some process on your system (who knows how it came where it is now) serves an attacker as intrusion point and reads your keys and/or wallet.dat

You'll never be sure for 100%. But if you follow some rules (one of my previous postings in this thread) the probability to loose Bitcoins gets low.

Scott J

legendary

Activity: 1792

Merit: 1000

Sorry to keep asking the same sort of questions, but...

If I were to have an online computer with a guaranteed clean OS, running only bitcoin-qt, with no other software ever to be installed, how could someone steal my coins?

(Ignoring offline attacks)

Scott J

legendary

Activity: 1792

Merit: 1000

Quote from: Valerian77 on October 31, 2013, 05:08:18 PM

Maybe it would be a good concept to make Bitcoin addresses invalid after a certain period of time. It would give the miners the possibility to reuse lost coins.

Lets say Bitcoin addresses get invalid after 10 years (we can call it expiration). Then any Bitcoin holder must be aware to transfer his money frequently to a new addresses (latest before 10 years are over). Lost coins can be found by blockchain analysis and simplly be remined.

A lot of people are hostile to this idea (myself included).

Maybe only if the time period was greater than the average life expectancy.

Valerian77

sr. member

Activity: 437

Merit: 255

Maybe it would be a good concept to make Bitcoin addresses invalid after a certain period of time. It would give the miners the possibility to reuse lost coins.

Lets say Bitcoin addresses get invalid after 10 years (we can call it expiration). Then any Bitcoin holder must be aware to transfer his money frequently to a new addresses (latest before 10 years are over). Lost coins can be found by blockchain analysis and simplly be remined.

Valerian77

sr. member

Activity: 437

Merit: 255

Quote from: wachtwoord on October 31, 2013, 10:24:48 AM

Quote from: Valerian77 on October 31, 2013, 09:16:36 AM

Secondly - if you have an accident and loose your memory all Bitcoins will be lost too.

That's kinda true for my way of saving the Bitcoins too. If I'm the only one who knows it's a lot safer. I'm not responsible for anyone's lifelyhood though (except my own)

Little selfish - may it would be worth to leave a closed letter with the private key at your lawyer for the case of the cases.

Topic: Wallet Security (Read 3426 times)