Pages:
Author

Topic: Wallet software security - page 2. (Read 584 times)

legendary
Activity: 1918
Merit: 1157
Degens.bet - On-chain 1000x Futures
November 10, 2022, 04:25:12 PM
#15
The private key still functions as the main wallet security and the device security keeps the wallet software safe. This will be double security which certainly guarantees that it is not easy to break into, because the first layer of security from the device must be passed before being able to access the wallet application that is in the second layer of security.
maybe like the mockup that I made will describe the security of the device and mobile wallet software.
legendary
Activity: 2478
Merit: 2795
Top Crypto Casino
October 31, 2022, 05:45:26 PM
#14
There is a difference between the password you set to lock your device and the password you set to lock your wallet. And this does really matter.
The password you use to lock your wallet will be used to encrypt your wallet file (seed/private keys). In this case, even if someone somehow manages to access your device and extract it files he will be unable to steal your coins without knowing the wallet password.
On the other hand, mobile passwords/biometric security, afaik, do not encrypt your files. So, if someone manage to access your files he will be able to steal your coins.
legendary
Activity: 2716
Merit: 7007
Farewell, Leo. You will be missed!
October 31, 2022, 06:10:47 AM
#13
It's my understanding that every wallet, hardware or software (mobile), needs a private key to be able to sign transactions.
That's true, but there is a slight difference between custodial wallets (accounts) and non-custodial wallets. With a custodial wallet, like one created on an exchange, you don't have access to private keys. The keys belong to them, and they just top up or decrease your balance whenever you deposit coins into your account.   

In light of all of this, I think it's safe to suggest that a hardware wallet is the best choice for long-term storage of your cryptocurrency because it's an offline device that keeps your private keys safe from hackers.
Different people have different thoughts on how hardware wallets should be classified. Some do consider them cold wallets, others say they can't be cold since there is an internet connection. And then there are those who say they shouldn't be called hot or cold. Instead, they are a category of their own - hardware wallets. In that case, only truly airgapped hardware wallets can belong to the cold category. 
legendary
Activity: 1526
Merit: 6442
bitcoincleanup.com / bitmixlist.org
October 31, 2022, 02:38:53 AM
#12
And biometrics is weak security (fingerprints can be copied, fingers can be cut down, or you can be easily put asleep on medicines or drugs).

Biometrics is supposed to be accompanied with physical security otherwise it is an ineffective security measure. Things like retinal scan and fingerprint scan can be copied, but if there's an ID-based system in an organization then the crooks cannot even get to the scanner in the first place - it was more or less indented as a measure to block employees who've recently been terminated or otherwise had their access revoked.

If it's just you and the scanner, there's nothing stopping some casual electronic thief from getting the biometrics they need as well. It was a dumb idea from the onset, pushed first of all by Apple (and then everyone copied them), because they don't realize that passkeys and diceware passphrases are superior alternatives to passwords.



Which makes me think that all wallets in companies should be kept on airgapped computers in locked rooms guarded by security and requiring a biometrics recognition to get in and THEN a password is required to unlock the wallet. I wonder how many more exchange hacks can be prevented this way.
mk4
legendary
Activity: 2716
Merit: 3816
🪸 NotYourKeys.org 🪸
October 31, 2022, 12:12:04 AM
#11
I don't get the comparison. You don't enter in your private key every time you open the wallet app or make the transaction because the private key is stored on your device's storage. I guess the app lock thingy only helps if it adds a layer of encryption(?) for your private key.
LDL
hero member
Activity: 504
Merit: 569
October 30, 2022, 04:15:50 PM
#10
If someone installs a software wallet (say a mobile wallet) and then sets a password or biometric security instead of using the private key frequently, isn't that the same as thinning the security layer of the asset itself?
Did the privatekey really function as a key asset guard all this time?

Of course OP , sometimes many mobile apps require only password/pin with 4/6 digits but not required private key(PK) . I think it's not a good security system of those applications. It would be highly appreciated to keep the backup phase/ private key in the private note .

Did the privatekey really function as a key asset guard all this time?
Private key only not a fully secured, biometric, fingerprint, wallet backup phases, two factor authentication, SMS authentication etc can assure you strongly.
hero member
Activity: 2002
Merit: 633
Your keys, your responsibility
October 30, 2022, 12:27:25 PM
#9
passwords are not alternatives to your PK.

Not an alternative, but enough to represent it with conditions.
In practice I only need to use 1 time PK at the beginning (if I import the address), then (somehow) with the embedded security method in the wallet (password, pin, etc.) it's like a command to activate the PK functions to manage the wallet. It can be said that the application only ensures that the user is still the same person with that password and at the same time asks for the authorization of all subsequent user commands.
legendary
Activity: 1498
Merit: 4776
October 30, 2022, 10:53:03 AM
#8
And biometrics is weak security (fingerprints can be copied, fingers can be cut down, or you can be easily put asleep on medicines or drugs).
During the last bull run, I had a friend that got lucky and become very rich. Many of his friends knew about it. Suddenly one day, some of his coins were stolen on an online wallet. I wished I could have advice him to have used cold storage instead, but I thought he knew. Example is being around friends like I have used to before while in school, you may trsut some, but anything can happen. It is very possible you will sleep one day and only your finger will open your phone and wallet like Trustwallet that encourages fingerprint while setting it up. Password or pin is only advisable. Even people can think some attacks are online, but it can also be offline.

Your transaction still needs to be signed with the correct key whether you have 0 or 4 different security points to clear before you are allowed to use your wallet.
2FA is common on custodial wallets, while many people do not go for the option on noncustodial wallet, like Electrum. In most wallet design, the funniest part is that if a wallet has both password and fingerprint enabled, only one is just needed to access the wallet. If I remember correctly, close source wallets (close source not recommendable) like Coinomi, Atomic and Trustwallet work that way, in a way only one is needed to access it. Which means people using both will prefer using just fingerprint, not knowing how insecure it is. Although, some wallets add another means of encryption in a way another password that is different from the first password would later be required for making transaction, but how about the seed phrase that can be revealed which can be used to compromise the wallet if passphrase is not included while generating the keys.
hero member
Activity: 1358
Merit: 888
🇺🇦 Glory to Ukraine!
October 30, 2022, 10:51:18 AM
#7
Did the privatekey really function as a key asset guard all this time?

It's my understanding that every wallet, hardware or software (mobile), needs a private key to be able to sign transactions. The private key is most likely stored internally in encrypted form that requires your password or pin to unlock the wallet. Passwords/pins are not a substitute for private keys but an additional layer of security. If someone gets access to your wallet, they won't be able to use it without knowing your password or pin. However, what you should take away from this is that if someone manages to get a hold of your private key, they can access your funds without needing to enter your password or pin.

In light of all of this, I think it's safe to suggest that a hardware wallet is the best choice for long-term storage of your cryptocurrency because it's an offline device that keeps your private keys safe from hackers. It also protects against issues like malware, which can steal your coins if private keys are stored on a computer or phone.
legendary
Activity: 3402
Merit: 10424
October 30, 2022, 10:40:42 AM
#6
True security is only achieved when you start using a secure environment not by adding more layers of security on a base that is not safe to begin with. For example if you use a mobile wallet or a desktop wallet on a computer you use to connect to internet, even though adding a password provides a better security but because the base (or the environment) is not safe itself you can not claim to have security.

True security only exists in cold storage form.
legendary
Activity: 2716
Merit: 7007
Farewell, Leo. You will be missed!
October 30, 2022, 10:35:04 AM
#5
For a transaction from your wallet to happen, it needs to be signed with the appropriate private key. Bitcoin's don't move without the correct signature. Passwords, PINs, biometrics, 2FA devices just grant access rights to the device in question. They have got nothing to do with transaction signing process. Your transaction still needs to be signed with the correct key whether you have 0 or 4 different security points to clear before you are allowed to use your wallet.
legendary
Activity: 3500
Merit: 6205
Farewell LEO, you *will* be missed.
October 30, 2022, 10:32:21 AM
#4
Whether you put a password/pin/fingerprint to your wallet or not, it will still use internally private keys because that's how bitcoin works (if it's indeed a bitcoin wallet and not a custodian account).
The pin/password is protecting the access to the wallet software and maybe the wallet file, hence, as said, it's a (thin) extra security layer.

But keeping big bucks on mobile wallets is unadvised. Consider hardware wallet.
And biometrics is weak security (fingerprints can be copied, fingers can be cut down, or you can be easily put asleep on medicines or drugs).
legendary
Activity: 1498
Merit: 4776
October 30, 2022, 10:21:31 AM
#3
Not recommendable to use biometry (like fingerprint) for wallet. Most people use biometry to unlock mobile device (not recommendable too). Using it for wallet too, easy for such wallet to be compromised.

Password is not the same as private key, you do not use private key often. Private key can be used to recover your wallet and spend from the wallet.

Password is used to unlock your wallet on the device. If you import the wallet to another device, you will have to set another password. Old password will only be valid on your old wallet or device, once imported on another device or new wallet, the old password is no more useful or needed.

So you have to protect your private key and seed phrase, while password can help against those that wants to access your wallet to spend from it or to know your seed phrase or private key.
staff
Activity: 3402
Merit: 6065
October 30, 2022, 10:20:54 AM
#2
The private key is what allows you to spend your funds. If you set a password, you're adding an extra layer of security, passwords are not alternatives to your PK.

See this from Electrum's docs:

Quote
Electrum uses two separate levels of encryption:

- Your seed and private keys are encrypted using AES-256-CBC. The private keys are decrypted only briefly, when you need to sign a transaction; for this you need to enter your password. This is done in order to minimize the amount of time during which sensitive information is unencrypted in your computer’s memory.

- In addition, your wallet file may be encrypted on disk. Note that the wallet information will remain unencrypted in the memory of your computer for the duration of your session. If a wallet is encrypted, then its password will be required in order to open it. Note that the password will not be kept in memory; Electrum does not need it in order to save the wallet on disk, because it uses asymmetric encryption (ECIES).
Wallet file encryption is activated by default since version 2.8. It is intended to protect your privacy, but also to prevent you from requesting bitcoins on a wallet that you do not control.

Biometrics, on the other hand, is different. I asked a similar questions some time ago, see here: https://bitcointalksearch.org/topic/bluewallet-decrypt-storage-5215292
hero member
Activity: 2002
Merit: 633
Your keys, your responsibility
October 30, 2022, 10:17:16 AM
#1
If someone installs a software wallet (say a mobile wallet) and then sets a password or biometric security instead of using the private key frequently, isn't that the same as thinning the security layer of the asset itself?
Did the privatekey really function as a key asset guard all this time?
Pages:
Jump to: