Bitcoin Forum

Other => Beginners & Help => Topic started by: aantonop on March 11, 2013, 09:33:24 PM



Title: Security starts with a good password/passphrase
Post by: aantonop on March 11, 2013, 09:33:24 PM

There's a lot of good security advice all around these forums (and plenty of bad advice too).

This posting is to present some information about passwords and passphrases.

Most wallets, bitcoin websites, bitcoin exchanges and markets use passwords for security. Fortunately, many also offer additional security with two-factor authentication, since passwords are a poor security mechanism. Passwords should be used together with some form of alternative authentication, such as a hardware token (Yubikey, SecurID etc.), or one-time-password generator (SMS, Google Authenticator etc).

But, sometimes a password is all you can use, so you'd better make it good. The rules for good passwords that are common wisdom are either wrong or contradictory. You can't do a random password that is long enough and not write it down. So how do you generate secure passwords that are strong, yet memorable?

One of the best approaches is to use a word-list to generate a passphrase instead of a password. Passphrases are both easier to remember and harder to crack. The words in a passphrase can also be concatenated by a period, dash or other character of your choice, making a long password which is very hard to crack.

One of my favorite geek artists, XKCD, explains it best in his Internet Classic comic: http://xkcd.com/936/

There are two ways to generate a good, strong and memorable passphrase:

Manual - Diceware is the manual and most secure way. You throw dice, selecting one word for each 5 dice-throws, from a predefined dictionary. See the complete explanation here: http://world.std.com/~reinhold/diceware.html

Automatic - The same concept, implemented entirely in Javascript in a client-side page. You can load it and use it to generate very secure passphrases offline. There are a few sites that do this, here's one: https://entima.net/diceware/

Hope you enjoyed!
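The Diceware procedure from the post, as an added example that is not part of the original post or of the Diceware project: a parser for Diceware's "<dice key> <word>" list format that checks the list is complete, dice rolls drawn from the OS CSPRNG, and the entropy arithmetic behind "harder to crack". The word list embedded here is a constructed 36-entry stand-in keyed by two dice so the block stays short; a real Diceware list has 6**5 = 7776 entries keyed 11111 to 66666, and the same code handles it unchanged.

```python
import math
import secrets

# Constructed mini word list in Diceware's own file format ("<dice key> <word>").
# A real Diceware list has 6**5 = 7776 entries keyed 11111..66666; this stand-in
# uses two dice (6**2 = 36 entries) purely to keep the example short.
MINI_LIST = """
11 alpha    12 bravo    13 charlie  14 delta    15 echo     16 foxtrot
21 golf     22 hotel    23 india    24 juliet   25 kilo     26 lima
31 mike     32 november 33 oscar    34 papa     35 quebec   36 romeo
41 sierra   42 tango    43 uniform  44 victor   45 whiskey  46 xray
51 yankee   52 zulu     53 anvil    54 basket   55 candle   56 dragon
61 ember    62 falcon   63 garden   64 harbor   65 island   66 jungle
"""


def parse_diceware(text: str) -> dict[str, str]:
    """Parse '<dice key> <word>' pairs and check the list is complete.

    Every key must use only the digits 1-6, all keys must have the same length
    n, and there must be exactly 6**n distinct keys; otherwise a roll could land
    on a missing key, or some words would be more likely than others.
    """
    tokens = text.split()
    if len(tokens) % 2:
        raise ValueError("odd number of tokens: a key without a word")
    table: dict[str, str] = {}
    for key, word in zip(tokens[::2], tokens[1::2]):
        if set(key) - set("123456"):
            raise ValueError(f"bad dice key {key!r}")
        if key in table:
            raise ValueError(f"duplicate dice key {key!r}")
        table[key] = word
    if not table:
        raise ValueError("empty word list")
    dice = len(next(iter(table)))
    if any(len(k) != dice for k in table) or len(table) != 6 ** dice:
        raise ValueError("list must have exactly 6**n entries with n-digit keys")
    return table


def roll_key(dice: int) -> str:
    """Simulate `dice` throws of a fair die using the OS CSPRNG.

    secrets.randbelow is unbiased and unpredictable; random.randint (Mersenne
    Twister) is neither and must not be used for passphrases.
    """
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(dice))


def generate_passphrase(table: dict[str, str], n_words: int = 6, sep: str = "-") -> str:
    """Pick n_words words by independent rolls and join them with sep."""
    dice = len(next(iter(table)))
    return sep.join(table[roll_key(dice)] for _ in range(n_words))


def entropy_bits(list_size: int, n_words: int) -> float:
    """Entropy of n_words words chosen uniformly: n * log2(list size)."""
    return n_words * math.log2(list_size)


if __name__ == "__main__":
    table = parse_diceware(MINI_LIST)
    print(generate_passphrase(table, 6))
    # A real 7776-word list gives ~12.9 bits per word, so six words are ~77.5
    # bits, roughly a 12-character fully random printable-ASCII password.
    print(f"{entropy_bits(7776, 6):.1f} bits for six words from a 7776-word list")
```

The entropy figure only holds if every roll is kept: re-rolling because you dislike a word, or picking the words yourself from the list, narrows the choice and lowers the strength below what the arithmetic says.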


Title: Re: Security starts with a good password/passphrase
Post by: aantonop on March 11, 2013, 09:45:52 PM
The most important passphrase you may ever generate for bitcoin, would be the passphrase for your brain wallet https://en.bitcoin.it/wiki/Brainwallet

Since the balance and public key (address) of the brain wallet will be known and visible on the blockchain, brain wallets are prime targets for a dictionary attack, generating addresses from common words and phrases, until one is found that matches an address with a balance.

Naturally, many people will use their names, addresses, birthdays, children's names, high school name, favorite team, Klingon words, movie references etc. These people will lose their bitcoin. Don't be one of them.
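The dictionary attack described above, as an added example that is not part of the original post or of any brainwallet tool: the brainwallet scheme the linked wiki page describes takes the private key to be SHA-256 of the passphrase, so an attacker only needs a candidate phrase list, SHA-256, and secp256k1 to derive keys and compare them against what is visible on-chain. Two assumptions of this example: the set of "on-chain" public keys is constructed from four made-up brain wallet phrases, and the comparison is done on the compressed public key rather than the base58 address (the address is a hash of exactly this public key; the extra RIPEMD-160 and base58 step is left out so the block needs only the standard library). Real attack tooling goes that one step further and runs through far larger phrase lists.

```python
import hashlib

# secp256k1 domain parameters (the curve Bitcoin uses).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(p, q):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    x1, y1 = p
    x2, y2 = q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                        # p == -q
    if p == q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def point_mul(k, p):
    """Double-and-add scalar multiplication. Not constant-time: fine for an
    attacker's offline search, never for code that holds a real wallet key."""
    r = None
    while k:
        if k & 1:
            r = point_add(r, p)
        p = point_add(p, p)
        k >>= 1
    return r


def brainwallet_privkey(passphrase: str) -> int:
    """Brainwallet key derivation: the private key is SHA-256 of the phrase.
    No salt, no iteration count, so every candidate costs one hash."""
    return int.from_bytes(hashlib.sha256(passphrase.encode("utf-8")).digest(), "big")


def compressed_pubkey(priv: int) -> str:
    """SEC-compressed public key as hex: 02/03 for the parity of y, then x."""
    x, y = point_mul(priv % N, G)
    return ("02" if y % 2 == 0 else "03") + f"{x:064x}"


def dictionary_attack(target_pubkeys: set, candidates) -> dict:
    """Derive the key for every candidate phrase; report phrases whose public
    key matches one of the targets seen on-chain."""
    hits = {}
    for phrase in candidates:
        pk = compressed_pubkey(brainwallet_privkey(phrase))
        if pk in target_pubkeys:
            hits[phrase] = pk
    return hits


# Constructed stand-in for the public keys visible on the blockchain: three
# brain wallets with the kind of phrase the post warns about, one with a
# six-word Diceware-style phrase.
ONCHAIN_PHRASES = [
    "password",
    "Kirk to Enterprise",
    "Go Bruins 1987",
    "ember-falcon-garden-quebec-anvil-tango",
]

# Constructed attacker dictionary: common passwords plus quotes and phrases
# people are known to pick. A phrase that has been published anywhere (the
# XKCD example included) belongs in this list no matter how long it is.
ATTACK_DICTIONARY = [
    "123456", "password", "bitcoin", "letmein", "qwerty",
    "Kirk to Enterprise", "Go Bruins 1987",
    "May the Force be with you", "correct horse battery staple",
]


def run_demo() -> dict:
    targets = {compressed_pubkey(brainwallet_privkey(p)) for p in ONCHAIN_PHRASES}
    return dictionary_attack(targets, ATTACK_DICTIONARY)


if __name__ == "__main__":
    for phrase, pk in run_demo().items():
        print(f"cracked {phrase!r} -> {pk}")
```

Three of the four constructed wallets fall to a nine-entry list; the Diceware-style one does not, because its words were chosen by dice rather than drawn from anything an attacker can enumerate.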


Title: Re: Security starts with a good password/passphrase
Post by: davincisolari on March 11, 2013, 11:28:47 PM
Thanks for the great resource