Topic: Why I Am Not Using Hardware Wallet For Cold Storage - page 2. (Read 7265 times)

Paper wallets are hands down the best method of storing Bitcoin, it really surprises me that so called "experts" do not mention and promote them more considering how much theft and hacking goes on in this industry.

If everyone were to use paper wallets, I am convinced hackers would stop targeting these poor noobs as much given how easy it is these days. They just make a fake URL, use SEO to get a high rank and boom you make like $200,000 in a few days (I actually saw this happen right here on this forum).

The first thing all noobs should learn is how to make a paper wallet. It is so simple. Go to a site, generate your keys, write/print them, laminate or whatever, and then send Bitcoin to them and you can recover them on sites like Blockchain.info. There are just a few steps and the best part is it is like paper money which makes it easy for noobs to truly understand. This is opposed to hardware/software wallets which are a nightmare to setup for beginners.

Just use 2-3 flash drives in diff places - same functionality, low price, lower risks, independence from possible firmware bugs

Nah i'm form europe. That's the magic of Xapo, when you have btc in your xapo wallet, you can order a debit card that automatically converts your bitcoin to euros when purchasing something

You seem to have the assumption that all hackers and kidnappers are evil and sadistic enough to keep beating people for the hell of it... just in case you have more money. My point is that with a hardware wallet, there is no actual evidence anywhere how many wallets a person happens to have. They simply don't exist until a passphrase is entered...

However, if an attacker happens to find 20 items in my email account that are all encrypted... what do you think they're going to do if i stop at #1 and say I have nothing else? Perhaps they'll just ignore items 2 through 19?



I've taken the liberty of bolding it for your eyes to see
I'd already bolded that one before... so I've underlined it as well this time...



It's no different to using encryption software to decrypt your keys now is it? Or are you going to do the decryption by hand?



How can they? There is no proof. No evidence of how many wallets I have. I could 1 or I could have 10000000. They don't know because there is no tangible evidence of anything past the seed existing, unlike having a series of encrypted items on disk or in email etc. that are visible.



I never said it wasn't a 3rd party security risk... you claimed your method was better than hw wallet as it didn't rely on a 3rd party... but clearly it does rely on 3rd parties... unless you've gone ahead and written yourself an OS and some encryption software from scratch... I've been trying to point out, since I made the mistake of offending your ego, that NO method is 100% safe. There is always risk.



Pretty sure that there aren't any laws saying that 12/24 word seeds can't be stored in multiple places using multiple methods... but then legal systems around the world can be kinda crazy... so you never know. I'm also fairly sure that the hw wallet manufacturers don't limit purchases to 1 per person... Trezor sells 3 packs if I'm not mistaken.



Feel free to show where I have said that seeds don't need to be securely backed up somewhere...



Obviously people are spending cryptocurrencies every day without using hardware wallets... I never said they were required to spend. I stated they offer a level of convenience without sacrificing security, which I believe your method does not.



No solution for what exactly? How to store bitcoins securely while maintaining convenience? I thought that my solution would be fairly obvious... use a hardware wallet. In my opinion it offers the same level of security in some areas (securing seed), more in others (spending and dummy wallets) and is more convenient (portability, spending)... arguably it could be considered cheaper too, as a hw wallet is cheaper than a 2nd computer for spending or setting it all up offline.

While we're talking about solutions... I'm still waiting to hear how you propose to leave no evidence of multiple encrypted addresses in your email or on your thumbdrive etc and/or how you would implement a dummy wallet solution with your method.

Telling me I'm not creative enough to see it or that "my heart will point the way" doesn't really explain it... and is the sort of answer people resort to when they don't actually have a solution either. Despite what you think, I am genuinely interested in possible solutions to these issues...

I have no idea which wallet is the best choice to spend btc like a credit/debit card would.
But I personally do not use Xapo, and do not recommend using it.

Which country has such level of adoption already that you can spend btc at local shops?
Are you from Japan?

I use electrum it's okay everything is fine, but i want the ability to go a local shop that accepts bank cards, and use the xapo card to directly pay for my purchase in Euros using the xapo card that has a btc balance

For spending bitcoin, you should at least consider using a wallet that gives you control of the private key first.
Desktop wallet like Electrum is fine with me at the moment.
Hardware wallet is fine too, if you use it for spending (but I do not recommend it if it's for cold storage).
Xapo is a 3rd-party service provider that does not even give the user any control of the key.

You can check this out @ https://bitcoin.org/en/choose-your-wallet
Mobile wallet and web wallet should be 100% avoided.
So I would say go for desktop wallet and/or hardware wallet for spending only.

Hey thanks for the warning, I definitely did not read about xapo at all. Was recommended by a friend so i forgot to double check it  Could you recommend an alternative to xapo ? I mean for the visa card that you can withdraw $$ at an atm from bitcoin, or make purchases?

In a roundabout way, it would be stupid for any company to risk their reputation and their whole business on creating something that can be exploited by themselves. Ok, they might make a shitload of money, but they will also have to face jail time, once this goes public and go to court.

We unfortunately place our trust in third parties with every financial transaction we make. We use banks and ATM's and we make credit card payments and all of these services has been compromised in the past.

Online banking has been targeted the most and we still use it. ^hmmmmm^

I strongly do NOT recommend using Xapo for anything.
If you care enough, please go check the reviews given by others. I personally used it for a negligible while and the first experience is far more than enough to make me stay away from it. Even the founder (Wences Casares) has unethical business practice in the past that collects customers personal information and sold such data to 3rd-parties for profits. You use Xapo at your own risk. You have been warned.


Keyloggers are the biggest menace today. The malware can pretend to be a valid program and request the system to access certain file/registry or monitor clipboard changes.

What I do (beside installing anti-keylogger and anti-malware softwares) is that I encrypt my cold storage in an offline + formatted 2nd computer with very strong + long passwords and I never use these passwords on the computer I use for online purposes. As a last resort, I switch off the internet before using any password.

Edit:
I personally suggest SpyShelter Premium/Firewall.
Someone suggested Norton Power Eraser (@ https://www.bleepingcomputer.com/forums/t/640092/is-it-possible-that-i-have-been-hacked-strange-case/).
Generally, you better scan your system while in safe mode.

1. You are assuming hackers and kidnappers are so stupid that they do not know about dummy wallets. You have wrong assumption.
2. If you have tons of change addresses, your backup will be very problematic. You don't believe? Try it out. You should pray your hardware wallet will stay fine without glitches, or else you can say sorry to all your savings. Oh, yeah. Don't worry. You have the seeds written down and stored somewhere just in case for recovery. I assume they cannot be eaten, stolen, or destroyed.
3. What I mean is that 19 addresses are part of the change addresses as well, or else you will have far more than 20 addresses to look after.
4. You are avoiding the question on how to secure your hardware wallet's seeds/mnemonics/passphrases, which I believe you can never answer satisfactorily.
5. If you want to spend, you don't necessarily must use hardware wallets to do the job. Desktop wallets can work fine and they cost $0.

Come on. Give me a break. You are here arguing against my method without giving even a single credit to it, as if it is useless. Clearly you are here to argue for the sake of winning an argument and rest assured I will never let you win this argument.

Edit:
Notice I bold the 4th point for your eyes to see.


Nope, you are wrong. My method is not the same as using a hardware wallet.

A hardware wallet:
1. Doesn't give you 100% control of your keys. Using some source code to derive the keys from the seeds is bullshit as that's not the company's intention.
2. Doesn't protect you from a $5 wrench. Using dummy wallet as excuse is bullshit as we all know what you have is more than just dummy wallet.
3. Is a 3rd-party security risk. Denying this is bullshit. Saying/implying it is compulsory to use WinRar for my method is also bullshit.
4. Doesn't allow unlimited backups, vs my method that allows so.
5. Requires the same/similar need for encryption/security/backup (of seeds/mnemonics/passphrases). Implying they do not need so is bullshit.

There is NO such thing as needing hardware wallet to spend the cryptocurrencies easily, conveniently, safely, and securely. Implying that we need hardware wallet to spend is bullshit. In my article, I've said it clearly that hardware wallet is an option (but not the only option) when it's time to spend. You being a smartass, either do not read my article, or read it but have partial understanding of it, try to seek the pleasure of arguing with me. I will not let you win this argument. It is very easy to spot someone arguing for ego, and someone arguing for solution. You argue for ego, because you give NO solution.

To break can not, but you can lose the keys. If you store them on the computer then hack your PC and steal your codes much easier than to hack e-wallet. I think that in General it is impossible to store a large amount of bitcoins in one place.

What about a bank cold storage, where you place your bitcoins in a cold storage online, but they put it on a paper ant store it for you ? Xapo for example does this. What are your thoughts on this type of cold storage?

Wait... what?? The fraction of the 5 btc not spent will go to either a completely new "change" address, totally unrelated to all my other 19 addresses... or if I choose to not use change addresses as per the functionality offered in several wallets, the wallet will send the unspent amount back to the original address... which is also totally unrelated (from an external point of view) to all my other 19 addresses.

You have read BIP32 and BIP44 and understand about "external" (aka receive) and "internal" (aka change) addresses right? Pretty much all the hardware wallets that I'm aware of implement BIP44... and keep receive and change addresses separated as per the specification, that is to say using Derivation Paths of m/44'/0'/0'/0 and m/44'/0'/0'/1 respectively.

Most of them are also smart enough to prevent address re-use so while you could follow a chain of transactions that start with one 5 btc input... it'll never touch any of the other inputs (or their chain of transactions) until such time as you don't have enough coins in a single input to be able to send the amount you want to send and it needs to use 2 or more inputs.

All of which is relatively moot for "cold storage" anyway... and works pretty much the same way as your "paper" wallet system.

Like I've been saying all along... your system is pretty much the same as using a hardware wallet, without the convenience of being able to spend easily if required... or sign messages... or use on an online machine while maintaining security... or use easily with a mobile phone wallet... or use as a FIDO U2F secure key...

But hey, you're happy with it... and you saved yourself $100.

I know this... but you seem to insist that your method is completely trustless... I'm simply pointing out, that it is not as you are trusting WinRAR or . This directly counters what you consider to be advantages of your methods. Namely:
- maximum security (free of 3rd-party trust) - It isn't... you are trusting a 3rd party, with closed sources at this point in time.
- maximum trustless - Again, you are trusting a 3rd party.

Quote from: Dorky on August 09, 2017, 06:40:12 AM

If WinRar is not safe/secure, then tell me which software is. Or at least tell me or point out to me real-life cases of it being hacked, despite using very strong alphanumeric + symbol passwords.

That's my whole point... I (and others) have said several times now... that no method is 100% secure... but you seem to think yours is... who is not being objective again?

Quote from: Dorky on August 09, 2017, 06:40:12 AM

You talked about hardware wallet's dummy wallet, as if doing your own encryption will render you incapable of doing the same, as if doing dummy wallet is only a possibility if you rely on a 3rd-party. To me, that is very subjective and not smart at all.

And I also pointed out how having multiple copies of encrypted keys spread about the place in emails and on physical media leaves evidence behind that there is something hidden... whereas dummy wallets from seeds/passphrases do not. There is no evidence of anything existing other than the default wallet from the seed. You keep talking about being able to implementing a similar system using your method... but then just imply that I am unintelligent because I don't know how to do it... so would you care to enlighten us? I'm actually genuinely interested.

Quote from: Dorky on August 09, 2017, 06:40:12 AM

Quote

Huh Why would your total of 100 BTC be shuffled with every transaction?

Huh? I thought you know something about change addresses? If you are using hardware wallet, you should know what I mean.

I know what change addresses are used for and how they work... but I'm not sure why you think that hardware wallets only contain "a bunch of change addresses that reshuffle your .. btc with every transaction".

If I have 20x 5 BTC inputs in my hardware wallet and I spend 5 BTC like in your example... how are the rest of my 19 inputs being reshuffled?

Quote from: Dorky on August 09, 2017, 06:40:12 AM

All that hardware wallet can do for cold storage, my method can do the same. This appears to be beyond your comprehension.

You mean where I said "Is it "better" than a hardware wallet? A viable alternative sure, but better? I'd say that is somewhat debatable and likely dependent on the use case(s) of a given person"

You seem to be failing to grasp that I am not debating whether or not your system works... I've never once claimed that your system doesn't work... What I'm pointing out is that it is NOT 100% secure as you seem to believe... and that it is NOT 100% trustless (as currently implemented) and... in my opinion it is NOT better than a hardware wallet for the reasons I have explained.

Quote from: Dorky on August 09, 2017, 06:40:12 AM

You speak as if hardware wallet cannot be hacked. That's your subjectivity.

You mean where I have repeatedly stated that NO METHOD is 100% safe?? Unlike you and your magical "100% secure" method... subjectivity much?

Quote from: Dorky on August 09, 2017, 06:40:12 AM

I would like to send you a file encrypted with my method and see if you can actually hack it to rest the case.

Why? I'm not a hacker... I never claimed to be.

You claimed that a 24 word seed is easier to brute force than your 20+ alphanumeric+symbol password... I'm simply pointing out that you are incorrect and that seeds are in fact a lot stronger than a standard password. The maths already proves the case. But maybe you can just tell me what the seed is to my wallet and rest the case?

Quote from: Dorky on August 09, 2017, 07:04:54 AM

Above it all, refer to Matthew 6:19-21. The Bible is right.

Seriously? Now you want to make this a theological debate? According to those verses... you shouldn't even be using cold storage...

Let me say this to you:
Encrypting a paper wallet = encrypting a hardware wallet's recovery seeds/mnemonics/passphrases.
If only you can see this obvious truth...

Unless you say, "Well, there is no need to secure my recovery seeds/mnemonics/passphrases because I have 100% fail-safe brain memory."
In that case, I admit defeat.

Edit:
Or maybe I should be as specific as possible... just in case.
Digitally-encrypting or digitally-securing a paper wallet = digitally-encrypting or digitally-securing a hardware wallet's recovery seeds/mnemonics/passphrases.

The only difference with the former method is that I am 100% in control, don't need to do extra steps in securing/recovering the keys (like using a source code to derive the keys from the seeds), can customize the security to be as hardcore as I prefer, can do infinite backups, and don't need to spend more on any 3rd-party hardware.

Edit:
And please stop talking about dummy wallets.
In the future (or today?) hackers will know you will have a false seed standing by to trick them to a dummy wallet.
They will do far more than just accepting your dummy wallet.

Above it all, refer to Matthew 6:19-21. The Bible is right.

No, I'm not. You stated that you have "used WinRar for many several years and it never disappoint me, not even once" as some sort of proof that you can trust it 100%... so I pointed out that this is exactly the type of comment people have made about various services/software over the years... which then turn out to be a scam or buggy and financial and/or data loss occurs. Just because something hasn't "failed" yet, doesn't mean it won't.



Is that a serious question? Because it should be fairly obvious to "an intelligent man" how one could satisfactorily achieve that with a hardware wallet.

and I'm not quite sure what you mean by:
Do you realise that a 24 word seed... is effectively like having a 24 character password from an "alphabet" that has 2048 possible characters in it... whereas your proposed password of 20+ characters (we'll even be generous and say 24 character to compare apples to apples) using alphanumerics + symbols gives you a total of 26 upper + 26 lower + 10 numbers + say ~30 symbols... for a total "alphabet" size of ~92 total characters to choose from.

2048²⁴ combinations vs. ~92²⁴ combinations... Tell me again which one is going to be easier to brute force?