Bitcoin Forum

Question 1.
Let's say I have paper wallet "X" and paper wallet "Y". I also have a wallet for spending: wallet "Z"

I want to transfer 0.01Bitcoins from "X" to "Z" spend 0.005BTC and from there send the left over 0.005BTC to "Y".
‎
When I took the funds out of "X" I used the password "12345abcde" (which is BIP38 encrypted) and now that the 0.005BTC are in "Y" the password (which is BIP38 encrypted as well) is also "12345abcde. If I had malware and/or a keylogger are my funds at risk because the passwords are the same?

Question 2.

What ultra-paranoid method do you use to store large amounts of BTC? Why do you trust it and how is it 99.999% safe?

I'm just being ultra paranoid because when I started with Bitcoins I got hacked in under 24h. Mind you I was using the Blockchain.info android wallet so that was pretty newbie of me ;).

I know some people here: https://bitcointalk.org/index.php?topic=1013586.0 feel that paper wallets aren't actually as secure as they might seem. Just because you use a Ubuntu Live CD/USB doesn't mean if you had malware on your Windows system it won't also be able to infect the Ubuntu Live CD/USB. 

This is very top-notch ultra-paranoid stuff and I'd love to hear your expert opinion on the subject!

As long as you created correctly the paper wallet Y then it should be safe. The BIP38 encryption is just an extra security. The main protection is the fact it was generated randomly and it never touched the Internet. If the SW you used to create it was compromised or deficient, or if you exposed the keys to Internet in any way then of course you wouldn't be safe.

My paranoid method to store almost all of my BTC is using a deck of cards: https://bitcointalk.org/index.php?topic=811397.0

• 100% offline
• True physical randomness
• Immune to key-loggers

Thanks for your insight! I didn't think it would make sense that I could make 100 different paper wallets with the same password if it's a big security risk. I just wanted to make sure.

That looks like an interesting method. I'll have to read more about that app you've developed!

I wrote a guide about this
https://bitcointalk.org/index.php?topic=1263429.0

Probably in a bunker underground. Or throw the offline PC you generated the random number on into a black hole, that should be safe :D

If you truly want to be paranoid about it, you should probably have a separate computer that is NEVER connected to the internet.  Then use that offline computer for signing transactions (with keys from paper wallets or otherwise), and transport the signed transaction to an online computer for broadcast to the bitcoin network.

I think both the Armory and Electrum wallets make this possible. I'm not sure if any other wallets have implemented offline signing.

My ultra paranoid method is that I just use a different machine which stays off-line always for all my bitcoins cold storage, I use encrypted paper wallets and Electrum and keep my funds distributed among different paper wallets and Electrum addresses.

And the most important part is keeping various back-ups of paper wallets and a backup of Electrum seed in a way that only I can decipher it. And also making sure that the Paper wallets are safe from any sort of damage and degradation.

It can be a security risk if someone have access to your paper wallets physically or if you used them all on the same device for signing and broadcasting the TX. To use the funds in the address, the attacker requires an encrypted version of your private key and your password.

If I may ask, why would you want to use the same pass phrase for the BIP38 encrypted paper wallets? I write the pass phrase in a format only I know, on the back of these paper wallets and each of them is

different. The formatting allow me to have the password in plain sight, but still not recognisable.

The whole idea with this, is to make it difficult for other people to guess your pass phrase. Do you use the same password for every site you register on the internet? Not a good practice at all.  ::)

The password only comes into play when a hacker steals your actual wallet.dat file. If they somehow got their hands on your privatekey (which is protected by the password in your wallet.dat file) somehow else, your password does not matter anymore, as they have the private key.

Offline machine, random generation of a string of words, one way usb (hardware wallets), is probably the best way to protect your wallets.

ultra paranoid method would definitely be some online method, but for me i would simply go this route

buying a completely new motherboard and ssd install my safe OS copy, maybe linux if you do not own a secure version of w7(one that you bought...)

and make a backup from there

I would say "yes" to question 1.  if an attacker knows about address Y then i'm sure they would try the password that they have captured with there keylogger or screen grab.

in regards to question 2.  I created addresses and keys offline and store them on a usb which has never been online and backed up on paper wallets, which i watch only on blockchain.info.

You can have as many paper wallets as you have addresses in one single wallet in any software or online...
So, you can even choose to just cut out your coins into small pieces, distribute them in many paper wallets and save them at a safe place... :)

What anti keylogger software are you using? I have Malwarebytes Anti Malwaware Premium and Comodo as firewall, what else would I need to be safe? Im considering installing MSI (Microsoft Security Essentials) I heard it was a decent antivirus and it's free. Ideally I would use a Linux machine but a lot of software I need to use is Windows only.

Zemana AntiLogger. Used to have it, don't know how effective it did because I never had any keylogger.

Microsoft Security Essential isn't the best. IMO, Malwarebytes does a very good job. The main thing to keep safe is to just avoid downloading suspicious program. Till now, I haven't got hacked before.

First off all,the passwords don't really matter as much as the private keys. You could have same passwords for multiple accounts as far as you remember them.Secondly its not advised to use the same password for multiple wallets as if your one wallet is somehow hacked,it opens the doors for every other wallet.

As far as your storing bitcoins is concerned I personally use hardware cases to store my bitcoins as cold storage.Here are a few hardcore wallets you can use.I use trezor.

https://www.bitcointrezor.com/

Case is new and I like it too
https://choosecase.com/

I think that paper wallet is secure, but you need to save some where save.
And carefull with water and fire.

I used Zemana for quite a while and it seemed that it worked fine for me, at least I never caught any keyloggers. Now this doesn't mean anything of course, I might have just been lucky.

All of the above programs don't matter that much for the paper wallets, since the paper wallets if done properly, should be created and printed on a machine that has never been online.

The reason I was asking is because I made some paper wallets with a Ubuntu Live USB and not connected to the Internet. I made 3 wallets but now I realised I only made 1 password so all 3 must have the same password. I wouldn't want to punch/scan the private key to spend the funds, put in the password only to end up having a keylogger!

I think it's a very smart idea to have a machine completely offline but for the time being I'll be using paper wallets. Mainly for the price.

If I were to have a computer offline how would I send funds back and forth to it though? Don't you need data to actually do a transaction? I'm a little confused about that. Could I just somehow use an old computer and I USB?

2.

-generate very long random seed and write it down using pen and paper
-hash the seed with one or more mental passwords to form your private key
-compute wallet address from private key and put it wherever you want
-put away the paper in a safe place
-destroy all evidence of the private key and the computations
-do this all offline in tails.  Restart when you are done

-go online and send 0.01btc to the wallet address to make sure it works
-send the rest

-when ready to take coins OUT of cold storage,  find the paper and hash it with your mental passwords to form the private key again and import that into a secure wallet, or sign transactions offline.

For paper wallets, if possible, I would actually recommend getting a spare and clean phone that has Cyanogenmod rom in it. Cyanogenmod is opensourced and hence it is easy to look through for any possible exploits placed in deliberately.

You can generate a raw TX on the online computer and sign it with the private key on the offline computer then broadcast it on the network. You would require two computer, one offline and one online. This way, your private key is never directly exposed to the internet. The online computer can be used to script a raw transaction to be transferred to the offline computer to be signed with the private key. A raspberry Pi would work fine.

https://bitcoinarmory.com/tutorials/armory-advanced-features/offline-wallets/


The concept is to have your normal computer online with a "watching only" copy of the wallet.  This copy doesn't have any private keys, it only knows the bitcoin addresses.

Since it knows all the bitcoin addresses that you control, it is able to update your balances from the blockchain and let you know when you've received transactions.  Since it doesn't have any private keys, malware and hackers won't be able to gain access to your bitcoins from this computer.

Then you have a second computer that is never connected online.  This computer stores your private keys.  Since it has the private keys, it can sign transactions. It doesn't have access to the blockchain, so it doesn't know what your balances are.

You can create an unsigned transaction with the online computer.  Then save that transaction to media that can be carried to the offline computer (such as USB, or SD card).  Then you can use the offline computer to sign the transaction, and save the signed transaction to media that can be carried mack to the online computer.  Then broadcast the transaction from the online computer.


https://bitcoinarmory.com/tutorials/armory-advanced-features/offline-wallets/


Yes.