Bitcoin Forum

How do the Electrum pros here feel about storing the seed in Lastpass?

I haven't done it at the moment, but I do feel like storing bits of paper with seed codes on isn't a great long term strategy.

LastPass Password Manager is made to do this.
Do not forget to make backups and use a strong password.

ok thanks, I don't like to keep all my eggs in one basket, so even though I trust lastpass, I wasn't sure about having my seed(s) on there.
I guess I will keep my hard copy stored away and investigate further if storing my seed in lastpass is 100% safe.

LastPass is an online password manager ,It's definitely not recommended to store your seed or anything related to your private keys there.
I'd suggest storing them on KeePass instead since it's an offline password manager and you have a portable database file .kdx which you can use it anywhere as long as you have your Master key.

PS : LastPass got hacked last year - https://www.coinprices.io/posts/a-guide-to-basic-password-security-the-danger-of-last-pass

I had read that article, but it also seemed to be somewhat rubbished as advertising for KeePass.

KeePass had had it's problems too: https://thehackernews.com/2015/11/password-manager-hacked.html

I already have LastPass and love it, I just wasn't sure about using it for seeds

I'm only giving you an advice here man so it's up to you but I have to mention few things :

that hack was in 2015 and there were other versions of it and they keep updating it so it's secure now. Someone won't simply target you with a KeePass stealer in the first place unless he knows you are using it . Unlike LastPass where he won't target you personally but will target the whole database and get a lot of users passwords and then It's just a matter of time till the information's gets used or sold in the Darknet .
As a bitcoin , I suppose you understand that using online wallets (Coinbase/Blockchain.info) is unsecure , yes ? If it's the case then it's the same case for LastPass .

I saved my Seed in a Libreoffice 5 document in Linux, and put a strong password to that document, in addition to that, compressed it and put also a strong password to the rar file. Put that file in different USB plus in my laptop and desktop. Today I needed that file and restored my electrum wallet in my laptop without any problem at all. This is the best way to store your seed in my opinion.

If you are serious about security of your bitcoin your seed should never be displayed or typed on an online computer. Use a hardware wallet instead and write your seed on paper, store securely. If you use a hardware wallet that permits encryption of the seed with a passphrase you keep in your head you have an additional layer of protection. Using a PIN and simple passphrase on a Trezor provides very good security. Since the seed is worthless without the passphrase you can leave the seed with friends. Just do not forget your passphrase!

I am serious about security, but as this thread is showing, it really isn't as easy as it seems!  I don't want to have to remember anything, if I leave my Bitcoin untouched for a while, I will forget any decent password/phrase.
I quite like BitcoinSupremos idea, but then where do you store the 2 strong passwords?  I guess the chances of someone getting into lastpass, taking each of those passwords, and having access to my saved .rar file, is pretty remote.

I have read some trezor threads about them crashing/malfunctioning, I think I would go for a paper wallet before a trezor.

When you use Trezor the seed in effect is your bitcoin; the plastic device is a tool. You can crush your Trezor and be back up again in less than half an hour by recovering the seed to a new Trezor. Many folks who use Trezor keep a spare around in case of loss. I have never had a problem with Trezor crashing or malfunctioning. Once in a while the myTrezor.com site is down is all. If that happens you just use your Trezor with local Electrum.

Bumping an old thread to add my $.02

Storing your seeds online is no good. 

I personally use lastpass for all my passwords.  The data are encrypted client side and never transmitted or stored unencrypted on Lastpass's servers.  They were hacked a year or two ago but the databases storing the encrypted passwords were not compromised.  I believe they only got user information.  Lastpass caught the hack themselves (either in progress or shortly afterward) by detecting an abnormal traffic pattern between some of their servers. 

So while I trust my encrypted passwords to lastpass, I don't trust the clients that decrypt those passwords (including my own computer) with my seed.  There are vulnerabilities in Lastpass clients that essentially trick the lastpass extension into filling hidden form fields on a website with all your passwords and posting them to their server behind the scenes.  This may be fixed already, but it doesn't mean another zero-day exploit won't be revealed in the client that can do the same.

Don't trust your seed to an online computer if you care about the BTC that the private keys can access.

First of all, if its a medium to large amount, keep it in cold storage.

but even small amount, I'm not sure I recommend lastpass... my understanding was data Is kept locally but not the best idea if your computer dies..just email yourself the seed or write it down (again for small amounts)

If you value security, don't ever email yourself a seed. Email is extremely insecure and is in plaintext (unless encrypted with PGP or something). Storing in LastPass would be much more secure than email. That being said, it is probably a bit safer to store the seed offline in a secure place.

Isn't putting your electrum phrase on keepass fine though? 


Also i assume most people have a copy of keepass on dropbox right?  So would that still be fine?  The thing is if you have your electrum phrase on keepass and also on dropbox, then as long as you remember your keepass masterkey password and your dropbox password, then isn't that really all that is needed?  I mean if dropbox gets hacked... has it?  Well they still cannot open your keepass file without your master password right?


Thanks.

Yeah, I would think that should be fine as long as you are using a secure enough master password for KeePass that isn't easily brute forceable. Also, you must be sure that you never reuse your KeePass master password for any other websites which could end up leaking it in a compromise down the road.

USB stick - Truecrypt volume pop it in there encrypt it.  best place to keep them. and there encrypted so double protection. just make a couple of backups for emergency use.

Using a TrueCrypt container can give you a false sense of security. First, when you typed your seed or password in a document you later saved in the container, you briefly exposed the seed or password to logging malware. Worse, any time you open a TrueCrypt container your password and work is saved in virtual memory paging files which are not erased on shut down. You need to take steps to tell your machine to delete the paging files or (better) only run TrueCrypt from a computer with whole disk encryption.

True. Or just use air-gapped system when decrypting like you say on a machine with FDE add's 2nd layer of protection.

Interesting, I hadn't heard about the password being stored in paging files. Is it possible to actually extract a truecrypt volume password from a paging file even if the container is not currently mounted? Any links to documentation or proof of concepts on this?

Take a look at the TrueCrypt user manual (http://www.mia-net.org/pub/pc/win/crypto/TrueCrypt/TrueCrypt%20User%20Guide.pdf). Windows leaks a lot.

Do others agree on this?  Thus as long as you use a strong enough master password for keepass, then typing the 12 word phrase in there would be fine?


Also, keeping a keepass on file on dropbox would allow you to have an online backup?  can someone tell me if this is pretty much good enough so you don't need to keep a piece of paper in your apt with your 12 word phrase there etc?

Dropbox is the last place you want to store a seed, encrypted or not. If you use a non-memorable password, that is at least 22 characters with symbols, you won't be able to memorize it. I think the definition of a secure password should be one that is so random it can not be memorized. You are always better off keeping your seed on paper only, never online.

I'm confused here.  But don't you want an online copy of your keepass as well?  I mean if you only store keepass on your computer and say external hard drive and usb... say something happens to all of these, then you have no keepass file anymore.  Thus wouldn't it be a must to have keepass file stored online as an online backup?


When you say dropbox is last place to store the seed, you mean typing the seed on keepass counts as that?  Obviously i dont mean typing the 12 word phrase on microsoft word and then putting that document on dropbox if thats what you mean?  But is there really an issue with putting the phrase on keepass and then uploading it to dropbox or any other online place like google drive etc?

One of my friends had a Google Authenticator for his LP and one day his phone was stolen and he couldn't log in to his LP account without the GA code. He was in panic but everything ended well.

Storing encrypted seed in LastPass is OK. The question is: how and where do you encrypt it?  I would not trust my PC, even though it has all the antivirus software one can get.

I went further and created a simple encryption program which runs as a web page and can be opened in any old smart phone.  The phone should be put in 'airplane mode', encryption done, and the resulting codes photographed from the screen by another device.  The phone should be then factory-reset (or destroyed).  As a result you get a picture of encrypted codes on the other device, and your secret never touches the web even if the phone was swarming with viruses.

So, this is the idea, please, take a look at  https://messagesafe.github.io/ . At this point I need feedback, may be I missed something. If there is any interest, I will start a thread to discuss any issues.

The problem is you cannot make a truly random strong password that you can remember reliably, so you wind up writing the password down. Can you remember a random string of numbers, letters and symbols longer than 20 characters? I sure can't. If you allow a password manager to remember your password you have an attack vector. Hardware wallet manufacturers recommend you write your seed on paper and store in a safe place for legitimate reasons.

The thing is, there is almost no perfect way to store your Bitcoin in a 100% safe way, whilst still being able to access it yourself.
You can write down your very strong password, but there is always the chance that you lose your note. So you could save it somewhere or photograph it, but both aren't safe!

So you could use a password manager, but then you have your attack vector as you said. I personally see my very strong password hidden in my strong password/2FA protected password manager as a pretty good solution.

Could it be better? Yes probably. But if it were safer, it would probably be difficult for me to access. Another thing is to not keep all your eggs in one basket. I mean losing some of your bitcoins is obviously a nightmare, but that is preferable to losing all of your bitcoins!

Paper wallets are good, but nowadays with stuff like BCC and Byteball around, it is necessary to sign messages or split your coins, so just leaving your Bitcoin in an offline paper wallet is actually missing earnings opportunities.

Reviving this a bit.

how is encrypted keepass on dropbox any different than lastpass? you're talking about client-side encryption being stored on a 3rd party service in both cases.
i realize there is a difference in relying on the lastpass client to perform the encryption vs handling that all yourself on an air-gapped machine, but there is always going to be some trade-off between usability, recoverability, memorability, and security. memorability being the biggest one there. which brings me to:

it is definitely possible to have a secure and memorable pass phrase to decrypt your secrets - contrary to what some people have said here. I have a few 8-10 word phrases that I've trained myself to remember and haven't written down anywhere (at least not altogether... I've left a few hints and fragments for myself just in case).

But the issue, as NUFCrichard said, is that there is always going to be a weakest link in your security - and if not there's a good chance it's so safe that you are at risk of losing access yourself. People say "just write it down and keep the paper safe" -- that's a huge understatement/misdirection! how do you keep a piece of paper safe?! in a literal safe? then how do you prevent someone from walking away with it? how to you keep the combination or physical key secure? what if there's a fire? The only truly safe place to store a piece of data is in your brain (torture notwithstanding) but then you're really talking about irrecoverable data loss if you happen to forget it...

So if you had to choose, its better to type it in on keepass as opposed to lastpass right? 

So if you upload your keepass or lastpass file on dropbox... well you still need to get the password of keepass or lastpass in order to access it.  So wouldn't that be the best way so that you would have a keepass or lastpass file backup on the internet such as dropbox in case you dont have your copy on your computer or usb etc?

Like the other mentioned... people say write your word on a seed and keep the paper safe.  Where do you keep this paper then?  Do you keep it in a safe?  Do you keep it in a safe in the bank?  Do you keep it in a drawer in your home?  Do you have the paper broken in 2 or more parts that way the one piece of paper doesn't have all the word?  The thing is someone mentioned what if there is a fire.  Well if there is, that means your computer and everything might be gone.  The other thing is what if someone breaks in your apartment or something like that and then takes your paper.  Or maybe they come and just take a picture of your seed and then leave etc.

So if this is the case, isn't what i mentioned a while back probably the best idea to do would be just type your phrase on keepass or lastpass and then upload it on dropbox?  Because that way, the person would need to not only hack your dropbox account, but they would the password to your keepass or lastpass etc.  That way you dont have to worry about your piece of paper?  Also even if you put it in a safe in a bank, there has been cases where safes have gotten destroyed in banks etc.

Thoughts on this?  I really don't think having the entire phrase written down on a single piece of paper is good idea.  I could understand if you have it broken down in say 2 or 3 pieces etc though.  But in any case, shouldn't you have a copy of the seed online somewhere in keepass or lastpass?  That way you dont have to think about the physical piece of paper?

There are some really, really bad ideas in this thread.

Please exclude from consideration all the programs, cloud storage and other crap.

But if you don't believe me, then take your seeds and keys, change the encoding as required and stuff them in a file entitled "Damn Microsoft Serial Numbers and Restore Keys"

what physical locations are you guys putting the seeds into?  So you break it into 2 parts?  So whether its electrum or ledger wallet which has 24 or 25, you do the same?  Now what happens if you computer with electrum gets stolen.  And also 1 part of the seed in your apartment/house get stolen.  The other part let say you put in a bank safety deposit box.  First off, is that even safe?  That seems like a really bad idea as i heard of safety deposit box in banks getting broken into/drilled etc.  Then what happens then?  Same as if your nano ledger wallet gets stolen.  Half of the seed got stolen, the other half its somewhere else.  If you have no online backup, then what do you do here?  The other thing i thought was this.  If you keep it in keepass and put a copy of it online such as dropbox or google drive... well as long as you remember your dropbox/google drive password and keepass, that is all that is needed.  Don't you guys agree?  The other thing might be... how about create 2 different keepass files?  Where half the seed is on one keepass file... the other is on another file?  And each one is on 2 different dropbox/google drive email?  That way if somehow your dropbox/google drive account got hacked... well they still need the password for keepass. And if they somehow get it... well they still need to hack your other dropbox/google drive account and also hack the other keepass file.  So basically create different passwords for your different dropbox/google and for each keepass file.  Yes you would have to remember a few more passwords.  But wouldn't this probably be the safest way to store a password on keepass and keep an online backup?


12 word phrase, i could definitely see how people could remember that.  24 word or 25 word seed is basically impossible i think.


Because if you dont keep a copy of it online, well there is always a chance it physically could get destroyed/stolen.  So thoughts on that?  I mean there has to be lot of cases where people either did not wrote down their 12 word phrase or... they wrote it down but no idea where it is etc and they cannot access it anymore.

try not to overthink things! you have a bunch of words that you need to remember. if you have one of those strong memories then memorize them. and if you don't then simply write it down on a piece of paper, in a book or basically anywhere physical (no digital storage). then place that paper in a safe place.
now you can increase the resilience of that paper in a lot of different ways like laminating it or even using a metal plate instead of paper and etching your words on it.

The other thing is this.  Most ppl store passwords on these programs.  So its not safe putting your 12 word or 24 word seed on it?  Because someone still need to know your password to lastpass or keepass.  But if someone installed malware or trojan, then it record your keystrokes so that means all your passwords are not safe?

well you want to use it in a safe/clean environment. if for example you use it on a computer that has a malware that can steal your encrypted keypass file + the password you enter in it, then it is obviously not going to be the safe way of using it. it would be like having a safe in your wall but instead of locking it, you leave the door open with your valuables inside!

I have never been a fan of these password managers, they are useful, sure, but we are still somehow giving control to a third party when it comes to password generation and storage. We are trying to move away from centralised control when it is related to our private keys but we give another party the option to generate the passwords that we use. 

Has lastpass ever been hacked before?  Someone mentioned of a password manager that was recently hacked... and said like if you installed updates during a certain time, then you got hacked.  Anyone know anything about this?


Also would you store it on lastpass or keepass or are they about the same?

They have been hacked a few times. 2-3 times I think. I don't know if Keepass was ever hacked.

I wouldn't store my seed in either of the two software no matter what anyone else says. Recovery phrases shouldn't have digital backups, period.
How do you get from wanting to store your seed in multiple bank accounts across the country to wanting to store them on your computer or online service in any format?   

I would personally choose not to store it anywhere electronically. It's losing its point. The seed phrase should and is being defined as a list of words which store all the information needed to recover your funds. Most of the software wallets will instruct the user to write them down on a paper.

The developers didn't choose to warn the user such thing casually. Besides the fact that your chances of getting robbed by anything malicious are less, there's another reason:  Which item would you be more comfortable with if you wanted to keep it working for 10+ years?   rhetorical

It's an open-source software. You can't hack it same like lastpass.

Okay didn't know that about lastpass.  So is keepass the only password program to never gotten hacked then?  I heard some other one like lpassword i think but maybe thats the wrong one?



Umm... i store my seeds online with a password manager as i described.  I know people said don't do that... because I didn't have any good option because i thought... as long as i have my encryption password and cloud password aka dropbox/gmail...i thought that was fine.  Of course that would mean making sure my computer has no malware/virus.



That is why i started asking... maybe its maybe to just store the seeds in multiple safe deposit boxes at different banks.  Im not asking the other way around...


Well is passwords to your email/sites and banking all you should put in keepass/lastpass then?



I always felt seeds would be safe there... since well... someone needs to have your password for keepass/lastpass... but also they need your cloud username/password as well.  Now the cloud part is obviously much easier... but how they going to get your keepass/lastpass password assuming its completely unrelated to your email if you never wrote it down anywhere online.  Now i know if you get malware/keylogger on laptop, then thats completely different story. 

You can't exactly make sure your computer doesn't have malware and virus, it can just be undetectable and storing it offline is the only way for non-physical attacks to be prevented.



Storing your seeds in any digital medium will open up a whole range of attack vectors, malware, password compromise, encrypted data leak from the password manager. If you're storing your seeds on the cloud, I consider that as good as giving someone else your password. Most password manager encrypts your data locally but that doesn't mean an attacker can't get your encrypted string and start bruteforcing it. While it is unlikely that people can crack your encrypted strings unless you're using a weak password, why would you even take the risk?

There are no guarantees that Keepass wont suffer a breach in the future. Just because they weren't hacked yet, doesn't mean it can't happen in the future. Not to mention that you have to consider all the possible attack vectors that can go through the devices that you use with Keepass. Remember that users considered many crypto exchanges to be a safe storage mediums until they started getting hacked and people started losing their mind.

Is there nothing in your house or apartment were you can hide a piece of paper that contains your seed? Look around. Do you have an old office chair. Unscrew one of its wheels, put the seed phrase in the tube and screw the wheel back on. You just hid your seed in plain sight. The chances of a thief stealing your chair or taking it apart to see what is inside are very small.

I know a friend who kept jewelry in and old pair of computer speakers from the 90s. That's also an option. Hide it inside a VCR recorder for example. No one is going to take that even if it's free. Look around the place you live in and find something.     

Don't store your seed phrase in any password manager online or offline! (not even keepass)

Buy a safe a store your offline copy in there. There are small portable ones you can buy that are inexpensive.


Don't do that, my brother hid something like that once and we couldn't get it out again...

It was just an example to show that there are so many hiding places all around you if you look carefully enough. Scenarios like those that jerry0 considers regarding splitting up the seed in small chunks and storing them in multiple safety deposit boxes in different banks are outrageous. And then, after so many years of asking questions he goes and stores his recovery phrase online...