Bitcoin Forum

Bitcoin => Development & Technical Discussion => Topic started by: paul44 on December 15, 2013, 04:00:20 PM



Title: How to best protect wallets
Post by: paul44 on December 15, 2013, 04:00:20 PM
I have just seen this thread here: https://bitcointalk.org/index.php?topic=372118.0

It got me thinking, what is the best way to protect wallets? Are most compromised through a virus / keylogger and the like or are there other vectors?

Any reply is appreciated, quite new to all of this. Thanks!


Title: Re: How to best protect wallets
Post by: h3m96 on December 15, 2013, 04:44:55 PM
From what I've read online, the best thing to do is to print an offline paper wallet, and store it away physically in a safe place, encrypt the wallet, save the wallet.dat file to a backup USB drive or offline drive, and that's all I know! 


Title: Re: How to best protect wallets
Post by: paul44 on December 15, 2013, 05:00:12 PM
Thanks for the advice. So as far as is possible, following all of this would make it impossible for the wallet to be stolen or "mined"?

Again, thanks for any replies :)


Title: Re: How to best protect wallets
Post by: Altoidnerd on December 15, 2013, 06:31:54 PM
Thanks for the advice. So as far as is possible, following all of this would make it impossible for the wallet to be stolen or "mined"?

Again, thanks for any replies :)

Coins cannot be mined once they exist, they're only mined once.  They can be stolen by having a transaction initiated that sends the coins out of the keys you control.

If you encrypt your wallet, it will be difficult for an attacker to use the wallet without your password, even if the attacker finds the wallet, as long as the password is computationally unfeasible to crack.

To protect against your own absent-mindedness, which is sort of inevitable, you should keep multiple encrypted backups of your wallet/priv keys, which is what was suggested.

To protect against your forgetting your password, it's not a popular opinion but if you get your ducks in a row, you can also know the location of an unencrypted copy.

In all honesty, my security style has evolved in time and I've noticed everyone's is different.  It is important you know the consequences of the decisions you make and think through the possible scenarios that may arise, trying to ensure that in any case, your coins aren't gone forever.  This came to mind recently for me when someone mentioned that if I were hit by a bus, where would the coins go?  I haven't figured out that one yet, because my girlfriend hates bitcoin with a fiery passion, and my parents are old.


Title: Re: How to best protect wallets
Post by: paul44 on December 15, 2013, 06:34:58 PM
When I referenced mining wallets, I meant bruteforcing wallets, is this even possible? I have seen it mentioned in a few places recently.

Thanks.


Title: Re: How to best protect wallets
Post by: Altoidnerd on December 15, 2013, 06:40:45 PM
When I referenced mining wallets, I meant bruteforcing wallets, is this even possible? I have seen it mentioned in a few places recently.

Thanks.

It's possible if your password is short, or if your attacker has an idea of what keys may be involved or in which positions.  It's a pure combinatorics problem... there are calculators online that will return approximately how many years it would take a fast password guesser to guess your password by chance.  These calculators give overestimates, so try to billions of years.


Title: Re: How to best protect wallets
Post by: paul44 on December 15, 2013, 08:15:16 PM
So, to be clear. Wallets likely ARE being "mined", not coins which obviously can only be mined once. Reasonable passwords will hopefully negate this issue.


Title: Re: How to best protect wallets
Post by: h3m96 on December 15, 2013, 08:57:02 PM
I think the TREZOR device will be a great security measure.  I can't wait to get one when they are available to order.   


Title: Re: How to best protect wallets
Post by: paul44 on December 15, 2013, 09:09:04 PM
I think the TREZOR device will be a great security measure.  I can't wait to get one when they are available to order.   
I had to utilise Google to find out what they are all about but I think you are right. Protection is very important to me, thanks for the advice!


Title: Re: How to best protect wallets
Post by: h3m96 on December 15, 2013, 09:35:15 PM
You know while we're on this subject, and this may need to be moved to another area of the forum, but if for example I have Ubuntu and installed a server, doesn't that open me up to more risk?  Can't I just open up a GUI for the firewall and watch my ports?  What is the safest way to monitor traffic on your own network on Linux?  Just curious what others do.


Title: Re: How to best protect wallets
Post by: paul44 on December 15, 2013, 09:41:11 PM
Protection overall has to be of the utmost importance. You could discuss the server security aspect all day and have so much to do that you would not sleep. It's all about what you are comfortable with. My question is what wallet security is suitable and I think there have been some good options presented. Looking forward to seeing if there are any more to take into consideration :)


Title: Re: How to best protect wallets
Post by: empoweoqwj on December 16, 2013, 01:22:19 AM
Protection overall has to be of the utmost importance. You could discuss the server security aspect all day and have so much to do that you would not sleep. It's all about what you are comfortable with. My question is what wallet security is suitable and I think there have been some good options presented. Looking forward to seeing if there are any more to take into consideration :)

Encrypt your wallet with a STRONG password .... just don't store the password on a computer connected to the Internet!


Title: Re: How to best protect wallets
Post by: Altoidnerd on December 16, 2013, 02:15:10 AM
Protection overall has to be of the utmost importance. You could discuss the server security aspect all day and have so much to do that you would not sleep. It's all about what you are comfortable with. My question is what wallet security is suitable and I think there have been some good options presented. Looking forward to seeing if there are any more to take into consideration :)

Encrypt your wallet with a STRONG password .... just don't store the password on a computer connected to the Internet!

On this: If one were to use such a tool to test a password's entropy, what goal shall we be setting for ourselves?  I believe this results in bits per character?

http://www.shannonentropy.netmark.pl/ (http://www.shannonentropy.netmark.pl/)


Title: Re: How to best protect wallets
Post by: empoweoqwj on December 16, 2013, 02:43:01 AM
Protection overall has to be of the utmost importance. You could discuss the server security aspect all day and have so much to do that you would not sleep. It's all about what you are comfortable with. My question is what wallet security is suitable and I think there have been some good options presented. Looking forward to seeing if there are any more to take into consideration :)

Encrypt your wallet with a STRONG password .... just don't store the password on a computer connected to the Internet!

On this: If one were to use such a tool to test a password's entropy, what goal shall we be setting for ourselves?  I believe this results in bits per character?

http://www.shannonentropy.netmark.pl/ (http://www.shannonentropy.netmark.pl/)

The more bitcoins you have, the higher the entropy you need  :)


Title: Re: How to best protect wallets
Post by: t1000 on December 16, 2013, 03:11:09 AM
Do NOT use brain wallet. (This is when you use HASH(your favorite passphrase) as the private key to the bitcoin address) There are people with massive rainbow tables listening on the network.

Personally I have my coins in several different places.

Cold wallets: Funds spread across 10 different addresses, this is so that none of them look too big and attract attention, and if there was something wrong with my random numbers hopefully not all 10 addresses will be compromised. Generated offline on a Linux live CD. Printed out (2 copies), sealed in envelopes and kept in 2 different places. Printer used for the process was disconnected and powered off afterwards, and left for several days before being used again.

Warm wallets: Funds spread between 2 wallets on different machines, each encrypted with a different passphrase. 1 machine behind a NAT router, the other behind 2 NAT routers. 

Hot wallets, bitcoins for spending: Blockchain.info wallet 


Title: Re: How to best protect wallets
Post by: empoweoqwj on December 16, 2013, 04:11:39 AM
Do NOT use brain wallet. (This is when you use HASH(your favorite passphrase) as the private key to the bitcoin address) There are people with massive rainbow tables listening on the network.

Personally I have my coins in several different places.

Cold wallets: Funds spread across 10 different addresses, this is so that none of them look too big and attract attention, and if there was something wrong with my random numbers hopefully not all 10 addresses will be compromised. Generated offline on a Linux live CD. Printed out (2 copies), sealed in envelopes and kept in 2 different places. Printer used for the process was disconnected and powered off afterwards, and left for several days before being used again.

Warm wallets: Funds spread between 2 wallets on different machines, each encrypted with a different passphrase. 1 machine behind a NAT router, the other behind 2 NAT routers. 

Hot wallets, bitcoins for spending: Blockchain.info wallet 

I'm sorry, you misunderstand brain wallets. You do not use your "favorite passphrase". That would be stupid. You use 12 random words. I have seen the math, the entropy is huge. As for "listening on the network", I am not sure what you are talking about. You never broadcast these words.
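
Added example, not part of any post in this thread: the entropy arithmetic behind the comparisons made above (random 15 to 25 character passwords, "12 random words", and the bits-per-character figure from the linked calculator). The 94-symbol alphabet, the 2048-word list and the guess rate are assumptions chosen for illustration, and the calculator is assumed to report the Shannon entropy of a string's own character frequencies.

```python
import math
from collections import Counter

# Assumptions for illustration, none of them stated in the thread:
PRINTABLE = 94   # printable ASCII characters, excluding space
WORDLIST = 2048  # hypothetical size of the list the 12 words are drawn from
RATE = 1e12      # hypothetical attacker speed in guesses per second


def shannon_bits_per_char(s):
    """Shannon entropy of the string's own character frequencies.

    This describes how evenly characters are distributed inside one
    string. It is bounded by log2(len(s)) and is not a measure of how
    hard the string is to guess.
    """
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def random_secret_bits(symbols, length):
    """Entropy of `length` symbols, each drawn uniformly and independently."""
    return length * math.log2(symbols)


def years_to_search(bits, guesses_per_second):
    """Expected search time: on average half the keyspace is tried."""
    seconds = 2 ** (bits - 1) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def compare():
    """Return {label: (bits, expected years at RATE)} for each option."""
    options = {
        "15 random chars": random_secret_bits(PRINTABLE, 15),
        "20 random chars": random_secret_bits(PRINTABLE, 20),
        "25 random chars": random_secret_bits(PRINTABLE, 25),
        "12 random words": random_secret_bits(WORDLIST, 12),
    }
    return {k: (round(b, 1), years_to_search(b, RATE))
            for k, b in options.items()}


if __name__ == "__main__":
    for label, (bits, years) in compare().items():
        print(f"{label:16s} {bits:6.1f} bits  ~{years:.1e} years")
    # Constructed sample strings: the per-character figure ranks the
    # trivially guessable "abcdefgh" above "password".
    for pw in ("aaaaaaaa", "password", "abcdefgh"):
        print(f"{pw}: {shannon_bits_per_char(pw):.2f} bits/char")
```

These figures hold only when every character or word is chosen by a random generator; a human-chosen phrase has far less entropy than its length suggests, which is the distinction the brain wallet disagreement above turns on.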


Title: Re: How to best protect wallets
Post by: h3m96 on December 16, 2013, 06:55:33 AM
Has anyone here used Armory for a wallet?  I am using it now and it really seems rock solid and I feel very safe with it.  You can import wallets into it, and I have it on the desktop (takes a while to download and requires bitcoind & bitcoin-qt).    About passwords, you can start off with a really hard password that you write down, random characters, numbers, and make it at least 15 characters long.  After a few weeks, you will memorize that crazy random number, I've done it many times.  After you get used to the memorization, you can add additional characters and before you know it, you can type out a very long, for example 20 or 25-long character random password in a few seconds, and the longer random passwords are more secure.  At least it's a step in the right direction, I know it's not for everybody.


Title: Re: How to best protect wallets
Post by: empoweoqwj on December 16, 2013, 07:08:10 AM
Has anyone here used Armory for a wallet?  I am using it now and it really seems rock solid and I feel very safe with it.  You can import wallets into it, and I have it on the desktop (takes a while to download and requires bitcoind & bitcoin-qt).    About passwords, you can start off with a really hard password that you write down, random characters, numbers, and make it at least 15 characters long.  After a few weeks, you will memorize that crazy random number, I've done it many times.  After you get used to the memorization, you can add additional characters and before you know it, you can type out a very long, for example 20 or 25-long character random password in a few seconds, and the longer random passwords are more secure.  At least it's a step in the right direction, I know it's not for everybody.

Armory has a good reputation I believe. But honestly, I'm not sure about remembering 20-25 length "random" characters ... recipe for future disaster ........ mnemonic based brain wallets are the way to go


Title: Re: How to best protect wallets
Post by: h3m96 on December 16, 2013, 07:19:38 AM
You know I thought the same thing, I didn't think I'd really be able to memorize long chains like that, but I found it to be pretty easy.  Yeah I am liking Armory a lot, it hasn't finished installing but it looks like I can import wallets into it.  There are over 500 people with more than 1 million in BTC so I'm sure they have taken precautions to protect their money.  In fact, there may be info on that on google if you searched hard enough.  I find so much every day about BTC I get overwhelmed!  Good luck!


Title: Re: How to best protect wallets
Post by: empoweoqwj on December 16, 2013, 07:34:26 AM
You know I thought the same thing, I didn't think I'd really be able to memorize long chains like that, but I found it to be pretty easy.  Yeah I am liking Armory a lot, it hasn't finished installing but it looks like I can import wallets into it.  There are over 500 people with more than 1 million in BTC so I'm sure they have taken precautions to protect their money.  In fact, there may be info on that on google if you searched hard enough.  I find so much every day about BTC I get overwhelmed!  Good luck!

Armory has good rep. Solid software. No problems there. Just saying it's easier to remember 12 words than 20-25 random characters. Human memory is a very frail thing


Title: Re: How to best protect wallets
Post by: dsattler on December 16, 2013, 07:39:15 AM
Has anyone here used Armory for a wallet?

Yes, I'm using armory for quite a while now and I like it very much! I have a "watch-only" wallet on my desktop PC, which I can use to check my balance for incoming payments. I have little money in an online wallet from blockchain.info for the little expenses. If I have to pay something bigger, my desktop armory can create an offline transaction on a USB stick and I use an old umpc (xp tablet), which I keep offline, to sign the transaction. Then I put the USB stick back into my desktop PC to send the signed transaction.

So my private key was created offline and is kept on a machine, which I will never connect to the internet. Sounds pretty safe to me, I think it's like the upcoming trezor will work.


Title: Re: How to best protect wallets
Post by: empoweoqwj on December 16, 2013, 07:42:36 AM
Has anyone here used Armory for a wallet?

Yes, I'm using armory for quite a while now and I like it very much! I have a "watch-only" wallet on my desktop PC, which I can use to check my balance for incoming payments. I have little money in an online wallet from blockchain.info for the little expenses. If I have to pay something bigger, my desktop armory can create an offline transaction on a USB stick and I use an old umpc (xp tablet), which I keep offline, to sign the transaction. Then I put the USB stick back into my desktop PC to send the signed transaction.

So my private key was created offline and is kept on a machine, which I will never connect to the internet. Sounds pretty safe to me, I think it's like the upcoming trezor will work.

Yep. You've got it sorted.

The USB stick is kept "off-site" isn't it .........  :)


Title: Re: How to best protect wallets
Post by: h3m96 on December 16, 2013, 07:50:32 AM
Speaking of that, try PasswordSafe.  I got it from Bruce Schneier's site, and I like that program too. 


Title: Re: How to best protect wallets
Post by: empoweoqwj on December 16, 2013, 07:54:13 AM
Speaking of that, try PasswordSafe.  I got it from Bruce Schneier's site, and I like that program too. 

I use KeePassX. Everyone should use a good password management program.


Title: Re: How to best protect wallets
Post by: Altoidnerd on December 16, 2013, 09:30:40 AM
Speaking of that, try PasswordSafe.  I got it from Bruce Schneier's site, and I like that program too. 

I use KeePassX. Everyone should use a good password management program.

I have old ass legacy passwords burned in my head that are short, and then a code that instructs me how to manipulate the classics (concatenation, hashes and shit) that is written and chilling on my harddrive, but doesn't mention the passwords themselves. 

Cool story bro.  Yeah I need software...but I don't trust a goddamm.


Title: Re: How to best protect wallets
Post by: paul44 on December 16, 2013, 10:43:37 AM
I am so glad I asked this question and thank everyone for their advice. Lots of useful thoughts and processes you all use, going to look into each of them and see what will suit me the best.

Thanks again!


Title: Re: How to best protect wallets
Post by: empoweoqwj on December 16, 2013, 11:44:56 AM
Speaking of that, try PasswordSafe.  I got it from Bruce Schneier's site, and I like that program too. 

I use KeePassX. Everyone should use a good password management program.

I have old ass legacy passwords burned in my head that are short, and then a code that instructs me how to manipulate the classics (concatenation, hashes and shit) that is written and chilling on my harddrive, but doesn't mention the passwords themselves. 

Cool story bro.  Yeah I need software...but I don't trust a goddamm.

I love your ultimate level of paranoia. Keeps you safe. But paranoid as hell  ;)


Title: Re: How to best protect wallets
Post by: kjj on December 17, 2013, 05:09:22 AM
Don't use gmail (, hotmail, yahoo, whatever).

Don't use the same password everywhere.

Don't park your coins with third parties.

If you must violate #3, don't use third parties that use access to your email as a way to bypass their authentication.

Once you've mastered these, you can move on to advanced techniques like picking passwords that don't suck.