
Topic: Why saving seed in mail (secret words) isn't safe? (Read 1006 times)

full member
Activity: 182
Merit: 107
let 1000 geeks try to decode this and they won't succeed
and why should his email get hacked when he keeps it safe and probably equipped with the newest antivirus

The e-mail system is painfully insecure due to its age. TLS is a bolt-on.

When you write an e-mail and send it - first it goes from your client (web or real) to an SMTP server. That connection probably uses TLS but it might not, you should verify. It is difficult to verify with webmail.

When it gets to the incoming SMTP server, it is no longer encrypted. It is in their server as plain text.

That server then does a DNS lookup for the MX records associated with the receiving domain. Unless the receiving domain uses DNSSEC *and* your sending server enforces DNSSEC, it could be lied to about the answers.

That server then attempts to make a connection to the receiving server specified in the MX record.

That connection may or may not be encrypted and you really have no control over it. The RFC says that a non-encrypted server MUST be acceptable. Encryption only happens when both support encryption *and* both support a common cipher suite. That may be a weak one like RC4.

When an encrypted connection is used, the certificate is rarely signed by a certificate authority because they never check anyway. They never check anyway because there is no agreed upon list of certificate authorities.

Once the message gets to the specified MX server, if it even was sent encrypted it is decrypted again. And then it is sent to the server where the IMAP/POP3 takes place, and that may or may not be encrypted and you have no way to know.

This btw is why what Hilary did was so dangerous. Within the .gov system, they have control over the servers but as soon as an e-mail is outside their system, they have no control.

Anyway, how fundamentally insecure the e-mail system is is why secret things should not be stored in e-mail.

If you must, encrypt it first using something like GnuPG.

-=-

Using something like hiding your passphrase in a poem - that's called Security by Obscurity and it is a very very VERY bad practice.
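
The hop-by-hop behaviour described in the post above can be checked on a received message from its Received headers, whose `with` keyword (RFC 3848) records whether each relay accepted the message over TLS. This is an added example, not part of the original thread; the message and host names are constructed, and the headers only report what each server chose to write.

```python
import re
from email import message_from_string

# Constructed sample message (hosts use reserved example domains).
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [192.0.2.20])
\tby imap.recipient.example with LMTP id c3; Mon, 1 Jan 2024 10:00:03 +0000
Received: from out.sender.example (out.sender.example [192.0.2.10])
\tby mx.recipient.example with ESMTP id b2; Mon, 1 Jan 2024 10:00:02 +0000
Received: from laptop.home.example ([198.51.100.7])
\tby out.sender.example with ESMTPSA id a1; Mon, 1 Jan 2024 10:00:01 +0000
From: alice@sender.example
To: bob@recipient.example
Subject: constructed test

body
"""

# "from <host> ... by <host> ... with <protocol>" inside one Received value.
HOP = re.compile(r"from\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+(\S+)", re.I | re.S)
# RFC 3848 keywords: a trailing S means TLS, a trailing A means authenticated.
PROTO = re.compile(r"^(?:UTF8)?(?:E?SMTP|LMTP)(S?)(A?)$", re.I)

def hops(raw):
    """Return [(from, by, proto, tls)] in the order the message travelled."""
    out = []
    msg = message_from_string(raw)
    # Each server prepends its header, so the first hop is the last header.
    for value in reversed(msg.get_all("Received", [])):
        m = HOP.search(" ".join(value.split()))  # unfold continuation lines
        if not m:
            out.append((None, None, None, None))  # unparseable hop: unknown
            continue
        src, dst, proto = m.groups()
        p = PROTO.match(proto)
        tls = bool(p.group(1)) if p else None  # None: not an RFC 3848 keyword
        out.append((src, dst, proto.upper(), tls))
    return out

def cleartext_hops(raw):
    """Hops whose receiving server recorded a protocol without TLS."""
    return [(s, d) for s, d, _, tls in hops(raw) if tls is False]

if __name__ == "__main__":
    for src, dst, proto, tls in hops(SAMPLE):
        state = {True: "TLS", False: "CLEARTEXT", None: "unknown"}[tls]
        print(f"{src} -> {dst}: {proto} ({state})")
```

A clean result says nothing about storage: the message still sits decrypted on every server it passed through.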
member
Activity: 112
Merit: 10
I guess it never really is safe anywhere at the end of the day. Offline, you have robbers or 'friends' and online there are hackers.

Prob paranoia starts to take effect and we are suddenly afraid for our e-mails getting hacked although we have been using it for a long time without issues.

As long as you keep a low-profile online/offline and not brag about the coins you have, you should be ok.

As for the e-mail concerns, maybe you could store the pgp key on a different e-mail account or you could use this guide for a little more protection for your phrases and keys:

http://www.howtogeek.com/howto/windows-vista/stupid-geek-tricks-hide-data-in-a-secret-text-file-compartment/
full member
Activity: 215
Merit: 100

apart from google itself which is well documented as happening..
i really wonder why people love storing private keys on third party services.

it's funny that you would trust google who is known to read emails far more than relatives in your own house.
it's funny that you would put the seed into an encoded narrative, but feel that your family have a higher technical understanding to decode it, compared to google

franky, you missed my 3rd point out there. :D Can Google compromise my PGP key? I have not saved it there.

well good luck if google decides to automatically delete emails over 30 days, or you forget your password or your 2FA fails because your phone breaks or you forget your PGP

but with that said, ok use email for a convenience thing if you're ever on vacation and need to get to your coins without traveling back home.. but don't rely on third parties as your sole store of private keys.

i suggest keeping a copy locally offline as well


Google never deletes mails and will never do..
legendary
Activity: 4410
Merit: 4766

apart from google itself which is well documented as happening..
i really wonder why people love storing private keys on third party services.

it's funny that you would trust google who is known to read emails far more than relatives in your own house.
it's funny that you would put the seed into an encoded narrative, but feel that your family have a higher technical understanding to decode it, compared to google

franky, you missed my 3rd point out there. :D Can Google compromise my PGP key? I have not saved it there.

well good luck if google decides to automatically delete emails over 30 days, or you forget your password or your 2FA fails because your phone breaks or you forget your PGP

but with that said, ok use email for a convenience thing if you're ever on vacation and need to get to your coins without traveling back home.. but don't rely on third parties as your sole store of private keys.

i suggest keeping a copy locally offline as well
legendary
Activity: 1148
Merit: 1014
In Satoshi I Trust
Every possible wallet warns about that but in fact this is even safer than storing it at home on a paper,
Think about it, you can write a poem with the secret words involved, or put them involved with 1000 unrelated words or in an unrelated Ebook and even miss a word or two and remember them

it's like trying to bury a secret treasure and you need to crack the code to get the location of the treasure
I think people just overcomplicate things that makes them lose their password and then blame themselves for it


yep. just write it down on 2-3 different papers and store them somewhere. of course you should not write "THIS IS MY SEED TO ALOT MONEY AND COINS!" on that piece of paper :rolleyes:
legendary
Activity: 1268
Merit: 1009
If you save it in an encrypted file with strong password you should be fine keeping it on an e-mail account. Even if someone gets the file they won't be able to get data.

True.
But what if your PC gets crashed and you had to format it, eventually losing the private key of your encryption software?
You just got screwed!

Yes, there might be one way to prevent this and that is to have a backup computer or laptop and using it for restoring your keys. Or, installing the software directly onto your flash drive but the latter option is more vulnerable in case you unknowingly use that flash drive on any compromised PC.
legendary
Activity: 1268
Merit: 1009
I would rather suggest not to save your password on emails because modern password crackers are much more efficient these days.

The efficiency of password cracking depends on two largely independent things: power and efficiency.

Power is simply computing power. As computers have become faster, they're able to test more passwords per second; one program advertises eight million per second. These crackers might run for days, on several machines, simultaneously. For a high-profile police case, they might run for months.

Efficiency is the ability to guess passwords cleverly. It doesn't make sense to run through every eight-letter combination from "aaaaaaaa" to "zzzzzzzz" in order. That's 200 billion possible passwords, most of them are very much unlikely. Password crackers try the most common passwords first.

Modern password crackers combine different words from their dictionaries. They can crack passcodes such as "k1araj0hns0n," "Sh1a-labe0uf," "Apr!l221973," "Qbesancon321," "DG091101%," "@Yourmom69," "ilovetofunot," "windermere2313," "tmdmmj17," "qeadzcwrsfxv1331," "gonefishing1125" etc. within seconds.

Nowadays, the attacker will feed any personal information he has access to about the password creator into the password crackers. A good password cracker will test names and addresses from the address book, meaningful dates, and any other personal information it has. Postal codes are common appendages. If it can, the guesser will index the target hard drive and create a dictionary that includes every printable string, including deleted files. If you ever saved an e-mail with your password, or kept it in an obscure file somewhere, or if your program ever stored it in memory, this process will grab it. And it will speed the process of recovering your password.

One solution for not saving your passwords on your email account would be to choose something that these password crackers will miss to formulate. My advice is to take a sentence and turn it into a password. Something like "This little piggy went to market" might become "tlpWENT2m". That nine-character password won't be in any cracker's dictionary. Of course, don't use this one, because I've written about it. Choose your own sentence, something personal.



tl;dr: Make your own password which is easier to remember but harder to crack. (even with supercomputers) ;)
legendary
Activity: 4354
Merit: 3614
what is this "brake pedal" you speak of?
use high rag content bond paper. print on a laser printer. seal in multiple layers of baggies or seal in plastic laminate.

Wow. I think you are talking about this one --- http://www.lcipaper.com/digital-print-cotton-paper.html
This is a better idea IMHO for those who do not feel safe on emails. Maybe I will try it later.

that's a bit overkill methinks

do a search for 20 pound watermarked paper, that should find some quality stuff. it's what I use. get it at any office supply place.
hero member
Activity: 616
Merit: 500
They say that because your email could easily be compromised, it's really up to you how you want to keep  those keys safe. That's the freedom you get with bitcoins and a wallet. It's purely up to you. You can't blame anyone else if you lose your keys or anything like that.
legendary
Activity: 3248
Merit: 1070
Does cotton paper last forever? Surely normal paper will fade with time and can be damaged.

paper wallet can last 100 years, you surely have other things to worry about than your paper wallet

usb instead are known to report some malfunction after some time, let's say 10 years at max
full member
Activity: 174
Merit: 100
Does cotton paper last forever? Surely normal paper will fade with time and can be damaged.

Nothing lasts forever, but when you laminate normal paper, it will outlast you (unless burned in a fire obviously).
full member
Activity: 224
Merit: 100
Defender of Bitcoin
Does cotton paper last forever? Surely normal paper will fade with time and can be damaged.
sr. member
Activity: 406
Merit: 252
They advise you not to store it on mail, because normal users don't have good protection on their mail. Ask your friends how many have 2FA protection activated on their mail. And be sure that some users will store it with a subject "Bitcoin Private Key".

My subject is similar to this one "kjzsdrhb" :P
Although it's a tedious job to make access via 2FA every time but I literally enjoy doing that many times.


use high rag content bond paper. print on a laser printer. seal in multiple layers of baggies or seal in plastic laminate.

Wow. I think you are talking about this one --- http://www.lcipaper.com/digital-print-cotton-paper.html
This is a better idea IMHO for those who do not feel safe on emails. Maybe I will try it later.
legendary
Activity: 4354
Merit: 3614
what is this "brake pedal" you speak of?
I have tried using many paper wallets but they all got damaged in no time.

use high rag content bond paper. print on a laser printer. seal in multiple layers of baggies or seal in plastic laminate.
legendary
Activity: 1470
Merit: 1001
They advise you not to store it on mail, because normal users don't have good protection on their mail. Ask your friends how many have 2FA protection activated on their mail. And be sure that some users will store it with a subject "Bitcoin Private Key".
sr. member
Activity: 406
Merit: 252
probably equipped with the newest antivirus

Yes I have a premium version of Norton Internet Security + Bitdefender compiled together.

Hopefully they are not flawed like Cena...





I have tried using many paper wallets but they all got damaged in no time.
So I chose this option at last. If anyone has any other suggestions please share with us.
sr. member
Activity: 406
Merit: 252
Really good plan... Did you hear about how easily Dropbox employees had access to people's files that were stored there? The same is probably true for your e-mail.

I don't think so. Google employees are not that creepy IMHO. Never seen anyone suing google for their compromised email accounts or Google-Drive files and photos. All you can see in news are occurring by other private parties like Apple (iCloud), Dropbox, Skydrive/Onedrive etc.

Also, just saying this may put a target on your account. Hacks can always happen, social engineering may even be your biggest enemy here.

Do you know my real personal email? ;) Heck even I never shared that email to my peers also. :P
Also I have been trained on how to tackle social engineering injections. ;)

You do what you got to do, but I wouldn't advise this. You probably don't need to log into your gmail at your home pc or laptop right? If someone steals that, they have access to your key. And you probably didn't "hide" it sufficiently once this happens.

Never going to happen. All he has to do is to get access to both my PC/Laptop and my phone at the same time because you need that Google Auth code for an access every time. And everyday I always delete every history, passwords, caches etc. before I go to bed. Apparently he has to kill me before getting that access because I don't let anyone play games even on my PC/Laptop.



apart from google itself which is well documented as happening..
i really wonder why people love storing private keys on third party services.

it's funny that you would trust google who is known to read emails far more than relatives in your own house.
it's funny that you would put the seed into an encoded narrative, but feel that your family have a higher technical understanding to decode it, compared to google

franky, you missed my 3rd point out there. :D Can Google compromise my PGP key? I have not saved it there.
legendary
Activity: 4410
Merit: 4766
1. I am using Gmail and nobody will ever be able to compromise Google. ;)

apart from google itself which is well documented as happening..
i really wonder why people love storing private keys on third party services.

it's funny that you would trust google who is known to read emails far more than relatives in your own house.
it's funny that you would put the seed into an encoded narrative, but feel that your family have a higher technical understanding to decode it, compared to google
full member
Activity: 215
Merit: 100
let 1000 geeks try to decode this and they won't succeed
and why should his email get hacked when he keeps it safe and probably equipped with the newest antivirus