Bitcoin Forum

The problem is that you must secure your wallet from both loss AND theft, but to reduce the chances of loss by making more backups, you increase your chances of theft.

The answer: use Shamir's secret-sharing scheme.

Wikipedia: http://en.wikipedia.org/wiki/Shamir's_Secret_Sharing (http://en.wikipedia.org/wiki/Shamir's_Secret_Sharing)
Command-line implementation (ssss): http://point-at-infinity.org/ssss/ (http://point-at-infinity.org/ssss/)

You could store one copy on your hard drive, one you email to yourself, one on a USB key drive, one in a safe deposit box, one in your safe, one with a friend, etc.  If you have shares stored in 6 different locations, and you require 3 to recover the password to your encrypted wallet, then you can lose 3 of those shares with no problem!  A thief would also need to get 3 of the shares to recover the password.

But how do you chop down the password? What if you have 3 pieces, but 2 of them are the same?

No, all three pieces would be different.  The secret-sharing algorithm does the chopping down automatically and correctly for you.

Do you know why an integer implementation is insecure as stated on the Wikipedia page? I built a toy implementation in Mathematica but I can't see any way one could recover the constant term with fewer than k-1 points on the line.

This is awesome, I didn't realize there was an easy to use program for that.

For OS X users:


Ubuntu / Debian

I'm not sure, but I believe it has to do with the infinite extent of integers.  I'm guessing that if you did it only with integers modulo a large prime number, it would be more secure.  I encourage you to read up on it :)