Topic: Why to write down your seed? regular InfoSec policies say never write passwords (Read 511 times)

@nullius, thanks for that comic, reminded me exactly of where I first saw it. As nullius says, a lot of the old advice regarding password security (or InfoSec as OP calls it) probably is bad advice if taken at face value.

Even ex-NIST manager Bill Burr, supposedly credited with creating all the password tips that major firms used until last year (NIST Special Publication 800-63. Appendix A), said that he regretted all that bad advice, that made people lazy about creating passwords (yes, even I still revert to that laziness because I grew up with that old advice in mind).

We'll probably come up with new ways, better methods, more secure, etc. Until then, we've got a proven method for secure passwords, why not use it?

Keyphrases are fun.

We use a form of the diceware method, surely overkill, but we enjoy the "ceremony".  Only get to do it a couple of times a year.

I and the other two partners go into the only room in our office that has no electronic devices or windows (with one notable exception described below).  We shut and lock the only door.  We do not speak.

We unlock a cabinet (I hold the key offsite securely except when we need to generate a keyphrase) that contains our diceware supplies: logbook of usage, the directions written in a large font so that we can point to them instead of speaking, pencils, scrap paper, casino grade dice, professional rolling surface (and the little tumbler cup), and the diceware key book.

First we record the log: date, our names, and the purpose of keyphrase generation in a somewhat obtuse manner.

Then we roll a single die to select who will be person 1, 1-2 = me, 3-4 = T, 5-6 = J.

Then in sequence we roll, typically for an eleven word keyphrase.  The words are looked up in the key book and recorded on the scrap paper silently.

After we've completed rolling for words, we then roll two dice (subtracting 1 from the total, so the range is 1-11) to determine the word that has the first letter capitalized.  We've also done it a second time to determine a word with the last letter capitalized.

Then we roll 1-11 again to select a word to insert a symbol, rather than a space, after that word (roll twice, one for symbol selection, other for word selection).  We use eleven symbols on a chart to choose from.

We roll 1-11 one more time to select a word to insert a block of numbers after that word.  We then roll all of the dice and lift the rolling surface gently so they slide to the edge lip and record the numbers in sequence left to right.

Then the scraps are placed in the proper order, the capitalization and symbol is inserted in the proper place and we have the keyphrase ready to use.

We then power on an airgapped laptop (wireless card removed) that is running Qubes OS, person 1 logs in with their credentials, and the keyphrase is entered into an encrypted KeyPass store that is solely used for that purpose.

Any use of the keyphrase (such as for GPG or root certificate generation) is performed on that computer.  We use an offline root for our internal certificates and issue all from an intermediary.  Other stuff I'm not remembering but that's basically it.

It's a rather extravagant procedure, and I'm sure there's flaws with it, but it gives very high entropy keyphrases, and we're not exactly storing top secret documents or huge amounts of cryptocurrency (though we occasionally work with government confidential materials), but we like the "ceremony".  We have never had any unauthorized use of those keyphrases, so we're happy with that method.

If we had to do it all the time, however, I'm sure we'd end up relying on technology in some way, and there's certainly many ways that provide very good entropy.

Oh yeah, I forgot one part, we verify the serial numbers on the dice. Casino dice have serial numbers, so we figured might as well, since they're there.  That's a check we verify and mark in the logbook.  But we've never had any compromise of our diceware cabinet, and the Qubes computer (I call it "the vault") is stored in a good old-fashioned safe.  We shred the scrap paper in a P-7 shredder mixed in with other documents around the office (which we usually shred with P-5s that we have at our desks but mix in because we don't use the P-7 for much else.  It probably gets more shredder oil than any of our others).  The P-7 is a bit slow but it makes tiny confetti when it comes out.  It's the highest class of shredder (I think), but they also have something called a disintegrator, which literally makes it into dust.  Those are too expensive and unnecessary for our work.

Since forming BTRIC, we have upgraded our physical security systems significantly, including additional protection on our server room and the rack cabinets, video monitoring, as well as some work on our network infrastructure, with more to come once BTRIC can afford it.

Hmmm, I was reading about Zcash's ceremonies earlier tonight and had a laugh about their ceremony, but now I realize we're doing a very similar thing in my organization.

When we do a keyphrase generation, we typically go out to dinner that night after work.  So that's the best part lol.

[Not security advice, may cause unusual rashes. Ask your doctor if diceware is right for you.]

Best regards,
Ben

These are the sources that will help you recover your wallet should in case of challenges,i actually print them out from my computer  

To be honest, if something like that happens I hope the thief has the ability to understand that I do not have the password in my head. And that to recover it I need physical access to 5 sheets of paper that are in different places.

BTW I recommend reading about Shamir's Secret Sharing and tracking the updates of the iancoleman project

Agree and in my case the risk is not from hackers but the windows OS itself that has evolved into an animal that if it can steel, encrypt and upload anything it does
and we programmers are no longer in control of our own PC's

I packet sniff, watch router logs and run a file watch on root and by the time you have locked things down so much as to stop windows calling home
you may as well throw your machine in the dust bin because because nothing is left working so if I held more than just dust these days my advise would be
to run Linux Mint from a pen-stick for windows users.

Bug number 279,880

Audit your windows SSL certificate store and notice DoE certificates arriving in the middle of the night but I am sure
Microsoft will fix it soon and no I am not joking here.

"infosec" password advice is given for contexts where the account can be cheaply recovered if the password is lost.  Not for cases where there will be very large monetary losses if its lost.  Infosec advice is also overly focused on physically proximal threats.  This is outmoded advice: anyone who has physical access to your computer can easily compromise you 1000 ways without the password, and there are a thousand times more attacks from attackers that have no physical access.

Your goal at the end of the day is to keep access to your bitcoins. This means you must balance risks. If you only care about the risk of theft, destroy your private keys now and no one will ever steal them...

Someone who can break into your home can hold you at gunpoint and get you to type in basically any password you know... if the attacker is in your home you probably have bigger problems then them finding a hidden seed.

When it comes to boggo passwords I couldn't give a shit. You can reset that all day long.

When it comes to seeds you can bet your arse it's prudent to carry out every type of backup conceivable. A physical manifestation is a vital element of that. No way would I trust flash memory completely. I wouldn't have it lying around in the open or easily read, I'd divide it and distribute it, but I wouldn't risk not doing some form of it.

You need to evaluate the risks and potential rewards of writing down each a password and a recovery seed.

If you forget a password, you can often simply reset it using your email and other easy to remember information (such as challenge questions), so forgetting your password is usually not something especially detrimental to you beyond temporary loss of access to your account. If your password is compromised then your reputation can potentially be damaged and money stolen from you.

With a recovery seed, however if compromised, you will likely lose all money associated with that seed. However if you lose access to your seed, your money is gone forever and you cannot reset your password.

Also, as mentioned upthread, you need to access your password every time you access your account however you only need to access your seed when you spend money, and a written seed is usually meant to be a backup so you should only access it when your primary medium of storage fails. The lower frequency of access means you are likely to keep it in a more safe place, and the chances of compromise are lower as well.

When backing up private keys, you should have at least 3 copies of your keys, stored in at least 2 medium of storage, with at least one off site backup. (3-2-1).

One of the main advantages of backing up your seed on paper is that you have a separate physical backup. The problem with hard drives, USB sticks and other digital storages is that they are prone to hardware failures, data corruption, ransomware. You can read some stories on the Internet how people lost big amounts of BTC because their hard drive died.

I think it's quite wise to worry about security and all possible attacks, because those who don't often end up in news articles about the latest Bitcoin robberies as victims, so if you are not comfortable with storing your seeds in plaintext, you can store them on paper in encrypted form. For example, you can generate some random letters on your PC (make sure to use CSPRNG) and use it as one-time pad to encrypt your seed (by hand or on PC). Then you'll have to also backup this one-time pad.

And as for overall security, I think the most dangerous attack is "rubber-hose cryptanalysis" - all encryption becomes worthless if attackers break into your house and force you to reveal your keys. Even sophisticated schemes like key splitting can be defeated by kidnapping someone you care about and demanding ransom in Bitcoin.

I infer that you compare a cheap safe sold for home/consumer use.  That’s not a “vault”; I believe the correct word is “junk”, or perhaps “trash”.

cellard laughed at the concept of placing a valuable thing in a vault, and asked, “How does that protect you against real life thieves?”  Um—what is the purpose of vaults?  Why were they invented?

As for concealment:

---

How does it go?  (Words here set in bold) and his money...

15.9 BTC!?  I think that’s an evidentiary testament to the general intelligence level of brainwallet users, period.  Or, per my aphorism:  So-called “brainwallets” are wallets for the brainless.  I propose renaming to brainlesswallets.

Unfortunately, far too many people take advice like that LITERALLY.

The bitcoin address that you get if you use "correct horse battery staple" as a "brainwallet" (calculate the SHA256 hash of the phrase and use the result as a Bitcoin Private key) is 1JwSSubhmg6iPtRjtyqhUYYH7bZg3Lfy1T and there have been more than 15.9 BTC sent to that address in the past 6 years. Some of those were small value at the time and probably sent as a joke.  Some were larger value and almost certainly were sent by a fool and quickly taken by someone else.

There are many ways to hide your seeds apart from putting them in a vault. Actually, I think a vault is the worst place.

A thieve wouldn't know I have bitcoin and wouldn't find my seeds because they are hidden among so many papers that even if he was trying on purpose it would take him a long time.

A thieve breaking into my house looks for money and metals and he is not going to be looking through thousands of papers, unfolding them, to try to find money or gold there.

Damn that was quite the read.


Good point, most of my points were rather under the assumption of a more "serious" security where it's expected that the storage medium is upgraded and updated on a regular basis. The average user wouldn't need most of the security measures that some others take.


As always there's a relevant XKCD sighs


rubs palms, laughs. I've got a nice one for this

https://imgs.xkcd.com/comics/security.png

---

Overall though that was a well researched answer. I guess very little I can actually "counter" since both sides have been spoken about.

Sometimes, the “standard advice” is wrong.  Specifically, most of the “standard advice regarding passwords” is just flat-out bad advice.  Comically bad advice!


The people who command as religious dogmata that you must never write down a password under any circumstance, and the same people who design password policies which password crackers laugh at.

Consider:

• For most people in most circumstances, it is wise to have a non-electronic, non-computer-dependent backup of your life’s savings.  Yes, such a backup requires a computer to restore.  However, the backup itself cannot go obsolete (have a 5.25" floppy drive handy?), and is not susceptible to the oft unforeseen degradation of many computer media (e.g., many CD-Rs can degrade to be unreadable within a few years; flash memory devices can forget things after a few years locked in a vault without being plugged in).
• A paper “backup” can also have other interesting use cases, such as writing your wallet seed into a sealed Last Will and Testament with a brief explanation of its value, and pointers to recovery instructions.  Have you even thought about what will happen to your Bitcoin after you die?  The easiest way to reliably handle this is to record recovery information in a non-electronic Very Important Document which, at least, will not be accidentally deleted or discarded by a potentially computer-illiterate executor. — Note:  I myself would much prefer to divvy up trust with an SSS scheme.  Working on it.  The biggest problem with such things is that recovery software must be readily available, and preferably conformant to a widely acknowledged standard.
• For much different use cases, a backup of pseudorandom words can be much easier to reliably conceal than any electronic backup.  I don’t want to go into details.  Suffice it must to say, spies have been hiding and clandestinely transporting/communicating small bits of information (including pseudorandom code words) ever since espionage existed; and in adverse circumstances, I’d rather devise some means of hiding 12 random words than make some likely futile attempt to hide a micro-SD card.

Others have already addressed many of your other statements.  I’ll leave it at that for now.

---

No, it’s not.  It does seem to be a VERY common fallacy.


How does placing valuables in a vault protect against real-life thieves?  Tough question!  I must pause, scratch my head, and think about that one.

“People in the Internet era often forget” that real-life people have been guarding against real-life criminals ever since human beings first came to exist.


Or if they suspect you have a large amount of money locked away inside your head, then they will perform rubberhose cryptanalysis, viz., “torture you or some other sick stuff” (such as kidnapping your children).  Note:  None of these issues is specific to Bitcoin.


This is VERY horrid advice.  And not the first time such things have been discussed, in various contexts; e.g.:


“Just practice a [lot]” is especially bad advice for a backup of a passphrase which you do not use regularly!  Modulo risk of head trauama, illness, etc., I think that I have a good chance to remember a long passphrase which I actively use.  But smart though I am, I know that I may as well throw my coins away as rely on my memory of a long passphrase used as a long-term backup.  (N.b. that for the purposes hereof, the passphrase must be used only for the long-term backup to avoid compromising its security.)


Paranoia is destructive.  This is paranoia.  I don’t at all mean that in the clinical sense, but rather:  Irrational and disproportionate fixation on the wrong measures of the wrong things (e.g.) rather than rational threat modelling.

Consider:

• Total, irreparable loss due to forgetting your backup passphrase is itself a threat, risk of which must be accounted for in your threat model!  If, for the sake of example, you have a vault suitable for storing gold bullion, bearer bonds, fiat cash, etc., and your principal threat is thieves seeking valuables, then it would be irrational to refuse to consider storing a paper backup of a Bitcoin mnemonic together with these other valuables.
• If you totally lack sufficient physical security for safekeeping of a piece of paper, then you certainly can’t protect the physical security of computers you use to actually transact in your hot wallets.  Worry about “evil maid” attacks.
• If your threat model includes “torture [] or some other sick stuff”, then a thwack upside the head with a $5 wrench will be just as likely to make you forget your backup phrase as to spill it out on the spot.  And vice versa.
• ...many other issues, here omitted on grounds that the $5 wrench would be hitting a dead horse.

Also, since you advocate keeping the only backup in your head, I must ask you:  Do you have any plan for what will happen to your Bitcoin when you die?  Even in the exceedingly rare persons graced with photographic memories, death does tend to induce forgetfulness.

This is VERY common sense. Whenever I heard people talking about how they "wrote their seed in paper and put them in a vault" I laugh. How does that protect you against real life thieves? people in the internet era often forget that real life criminals exist too, and they will try to steal your money. As bitcoin becomes more mainstream, thieves will train themselves to identify how a potential seed looks like. Whenever they see a bunch of incoherent words in a paper they will realize that's an Electrum seed most likely, and then you are fucked, because you either tell them or they may torture you or some other sick stuff.

Honestly, anything that isn't memorizing your password is a risk. And sure, keeping things in your head is a risk too, since you can forget about them, but it sure beats someone finding your seed. Just practice a low. I have lost access to encrypted stuff because I didn't pay enough attention, so I know about that risk myself... but still, I wouldn't feel safe keeping bitcoin stuff around.

The advice against writing down passwords was regarding the issue of users writing them down on a sticky and attaching that to their monitor. Of course it is not safe, anyone having access to your desk can see the sticky and get your password. Cryptography keys and seeds are very hard to remember and hardware cannot be 100 % secure or safe. Trust me I know, malfunctioning hard drives are a very sad experience. Recovering data is tough. The community mostly agreed that the best way was to write the important information on a piece of paper and put it in a safe, since usually only the owner of the safe has access to it. There were numerous attempts to simplify the process, like using brainwallets, which people can remember. This lead to more issues and stolen funds after hackers just rummaged through dictionaries and already known passwords (hail the LinkedIn leak *sarcasm*). Right now as I understand it, the best way is whatever the owner of the wallet decides. There is no "perfect" way for everyone. Multiple ways to back-up such information is preferable, there are plenty of "I forgot my password and key help" posts out there to prove it. Oh, almost forgot to mention. If you are writing down a seed and you are not sure that the place you will put it in is completely safe, just add an extra word somewhere in there, like third or fourth or whichever you chose, just remember which one you added extra. This will make your seed harder to crack, although I did see some python tools helping recover missing seed words.

The simple answer would be simplicity.

If you want more security there is an option to generate the seeds with a password (I’m not sure that’s in core though). That way people would need both to generate your private keys.

Yes. The medium of storage does definetely matter.
As you have mentioned, paper can be stolen via physical access.
All of your digital data can also be stolen via physical access AND additionally via malware from all over the world.

Its not just because the 'average user' is at greater risk, it is because 90%+ don't know how to properly secure their internet connected devices.
It would adjacent to scam if websites would tell people to store their mnemonic seeds / private keys on their (online) computer (which mostly runs windows..).




It doesn't really matter whether you encrypt your private keys on a hard drive or on a paper wallet.
Both can be compromised via physical access. None via internet. As long as the passphrase is strong enough (and the implementation of your encryption software is flawless) your fine.

Paper burns faster than a hard drive i'd say.. But a HD gets destroyed from an EMP..


No storage is perfect.. you just have to weigh the pros and cons of each method (and store several copies of your backup at different locations).

They are different things entirely.
Centralized websites differ widely from cryptocurrencies and the stakes are much higher with crypto.
Someone stealing the password to your Facebook account is very different from someone having your seed phrase or private key(s)
Also, the context is different.
Quoting the article you linked:
The admonishments against writing down passwords stem from the fact that in a corporate environment it is risky for passwords to the company systems to be left unprotected.
Corporate environments are more open than home environments are. The choices  of where you can store your written passwords are much smaller (your cubicle /desk) as against your home where you can store it anywhere in the house.

Also, company passwords are required frequently whereas you just need your seed phrase once, and you only need the private key/seed phrase when you want to move your funds . You can always receive crypto into your wallet with your public key/wallet address.

Yes, it matters.
Physical media are easier to secure than digital media; there is no risk whatsoever that a piece of paper can be infected with a virus or malware, and as you said....

Do you really think the average user that doesn't know the difference between a public and private key, that uses Windows OS and downloads warez that may or may not be infected with malware can make an adequately secured airgapped machine or environment?
The average user prefers convenience over security, and for them hardware wallets are the best option because it provides the convenience of a hot wallet with most of the security of a paper wallet.

PS wills have been written in paper for centuries now and they have been kept fairly safe.

For starters I'm not exactly sure if this is the right board but I feel it's more of a technical discussion regarding the security of a wallet seed and private keys (not to mention I don't want this to fall into the incessant cesspool of worthless megathreads preyed on by bounty hunters and other forum abusers and would rather see more quality discussion).

So back to the main question. Since early times the standard advice regarding passwords was to not write them down or rather to atleast avoid writing it down. A mainstream media article about this would be say this How To Geek article (https://www.howtogeek.com/howto/31259/ask-how-to-geek-what’s-wrong-with-writing-down-your-password/) which is rather adamant writing down your password may not be the best thing to do.

However then we move over to crypto. A large number of wallets and sites urge users to write down the passwords. To quote an example:


Source: https://blockonomi.com/keep-recovery-seed-safe/

Heck there's papers wallets which is basically the even more advanced version of that.

---

Thoughts

• If enough care is taken does the medium of storage matter? A paper is just as easy to steal details from as compared to a notepad file provided there's physical access though I do understand the average user is at much greater risk to malware than forced instrusion
• Wouldn't a air-gapped machine with an encrypted drive or atleast the file containing the seed secured by a competent passphrase be significantly more secure than something like a paper which can easily be lost or otherwise compromised