Bitcoin Forum

Hi all,

How do you store your passwords?

This is how I store my password (and related recovery information):

1. First, use two factor authentication for your wallet.
2. Do not forget to store the keyphrase to re-enable this on another phone if needed (if you will loose your phone).
3. Use a long 'random' password, like: fLF)(kfkljf_(&F763kjhdlzpgfI46#_!eoslks9fPFODu38347dhls98f5vcte_BTC_RULES_O_YEAH
4. Store your password (and related info to recover) in a text file in an encrypted RAR file (which is encrypted by 128 AES, with a very long password with capitals and non standard characters)
5. Rename this RAR file to an innocent ZIP / DOC / JPG
6. Put this file on USB and to a well known online cloud service (if your house will burn down)

By the way, it seems people are able to recover passwords for bitcoin wallets if needed:
http://www.reddit.com/r/Bitcoin/comments/1v5o9c/dave_bitcoin_walletrecoveryservicesgmailcom_saved/
http://www.walletrecoveryservices.com/
I hope I will never have to use them.

Aegis secure key 16gb USB

Primary and backup

Paper wallets in a safe deposit box

One password needed

10 wrong attempts on that key scrubs the encryption key forever and destroys the data.

Hasn't been hacked at a convention yet. 

Oh  and the wallet key never touches an internet connected computer

I use LASTPASS.  (lastpass.com)

Cannot recommend it enough.  I have 15 character random unique passwords for every site I visit.

Great product for everything web based.  There are a few of them as well.  Roboform. Password box.  Etc.

I store them in my head, and they are 20 character passphrases not passwords.

I forgot one for a BTC wallet late last year. It wasnt fun but I remembered it after trying combinations for a few days. You have to be very careful.

Not backing up your wallet and losing or forgetting your passphrase are by far the easiest ways to lose your BTC. If your wallet is locked with a decent passphrase and backed up its 99.9999999999999% safe.

Also, consider the possibility, if you have a family, that something could happen to you. Plan for such a contingency (e.g., leave an envelope with passphrases for your wife in escrow with a 3rd party)

Thanks for the suggestion. Lastpass looks perfect. And I have a couple of yubikeys sitting around gathering dust that i can try to use after I get familiar with it. I guess now I have something to play with for the next few hours. Cool.

As far as the cold storage wallet, last week I bought a couple of ultra cheap android 4.X phones in china (~$28 each) and they have no sims, wifi disabled, factory reset etc. And the only app installed is mycelium. When I'm happy with the setup, and i've transferred the coins, I'll send one to my brother and mail him instructions on how to unlock it and/or recreate the wallet.

Any thoughts on that strategy?   

I think not made backup it, but I forget wallet number not my password  ;D

Keepass 2 on PC and kypass 3 on iPhone with dropbox to sync between them. The only password software you will ever need. Only have to remember the master password.

I just keep them on pendrive in an ordinary txt file. I don't use all this sneaky renaming, noone touches my stuff anyway  :D

And now anybody who wants to touch your stuff knows exactly where you hide your passwords.

Keepass2 running on PCs and on phone and tablet. All of these are kept in sync with btsync. I love btsync for this as it is p2p file sync. 

So now he has to get my address, come here, break in, spend hours turning my house up side down searching for that pendrive and get the reward. Any volunteers?  ;D

Don't like having my passwords at some online service...
Why not use Keepass2 / Keepassx? Same functionality, only completely in your control?

KEEPASS database inside a truecrypt container.

I keep my main password in my mind - I've memorised it over time and think it's the most secure - unless I die and no one can retrieve it  ;)

I recommend keeping passwords in your head, but not massive 20 character pass-phrases lol.

Haha yeah, anything past around 8 or 9 characters becomes had to remember if you don't think about it every day!

Hmm hide it in a swiss bank hahahah, overkill

Similar here. With a little maths (algorithm) involved to get the actual passwords.

As long as you use the pen drive on a safe computer. I recommend using a linux boot CD. If your computer is infected when you look at the password text file you could be in trouble.

If you have to write passwords down it kinda defeats the point. Just make a reminder. If your password is Bitcoinpimp2014 just write down btcp14.

Yeah, as long as you don't forget what btcp14 means lol.

I use a 9 word passphase with a acronym in the center, just what wikipedia suggests I do.

As an added bonus, I can't spend my coins while intoxicated because my password is way too complex to type properly when on drugs so I have my own anti-drug security measure on my bitcoin wallet, woho.

My password(s) is a 256 bit hash of several answers to very personal questions. Basically a puzzle that you have to solve in certain order.

Yes, it's a big hassle to retrieve it. On the other hand, yes it's a big hassle to retrieve it.  ;D

lol, big paswords wont matter if you've got a keylogger though  :D.

If you're incompetent enough to have a keylogger on your system and not understand why you should be regularly scrubbing your "run on start" programs (hijackthis! generally is my tool of choice) then you have bigger issues than keyloggers I reckon.

That's true. I prefer to use linux anyway.

Just because you're using linux doesn't mean your keylogger proof https://code.google.com/p/logkeys/

- pfsense firewall
- main wallet is on fully encrypted ubuntu pc, wallet again encrypted
- password storage is in text file within triple encrypted truecrypt container

Even booting from a cd?

I think your good with a live CD. Unless it included a keylogger, which is unlikely.

depends on the source of your CD .iso, it's definitely possible (although highly improbable) that you could download a dirty .iso from a backdoored or bitsquatted download page, you wouldn't even notice the ~2mb required for an attacker to have complete access to your computer.

One of the nice method I heard about, not tried yet:

Remember the number of a block and select a transaction that include multiple receiving adresses. Remember a special string in this transaction

For example: Select the first transaction with 12+ receiving adresses in this block, and compose a 12 letters string using the first letter of the first receiving adress, second letter of second receiving adress, third letter of third receiving adress, etc... As long as blockchain lives, the password is safe, and it is enough random  ;)

1password works pretty well as well

I have found that the letter "a" lowercase, by itself is a very easy password to remember.

Once a website's database is hacked or for those that store in plaintext all of your complex passwords are just as easy to grab :)

Lol that's the same way I am! They would have to scan through all the porn anyways (totally kidding)

Keepass, the only password manager I trust.  Lastpass and the like just give my a bad vibe, gotta be online to use them.

My primary .kdb file is sync'd across all my devices/pcs using a 2FA google drive.

http://amzn.com/1441303251

I use multiples of pi to 5 digits, and insert them periodically into a different spot inside my passwords, and keep a log of the way I do it as a system.

Complex passwords are a bit of a joke imo. Anything more than a few characters becomes impossible to crack if there are lockouts after "x" failed login attempts. And as someone pointed out, 99.9999% of password cracks are from sniffing the password, which means it doesn't matter how long it is. The apps that I would be most suspicious about collecting your data and especially logging keystrokes are firewalls and antivirus/antimalware - we all just seem to trust them without any real good reason. I like the way Kryptokit allows an onscreen virtual keyboard. Pen and paper is still the best option.

Funny, I've been testing lastpass for the past day and now it only gives me grief on one site. You guessed it: bitcointalk.org. It will not let me login from chrome. every other browser and on my phone are all ok. Wonder what's going on there? Probably some malware or the nsa. I love the functionality of lastpass. Hopefully the security is ok too.

Your strategy concerns me. I think you are in danger of obfuscating your password from yourself via an overly complex system. You need ONE strong password and effective file isolation, but changing file types etc its asking for trouble 6 months from now.

I am considering the following method:


1. memorable phrase

[i'll suck cock for bitcoin]

2. SHA-256 hash of memorable phrase

[904cc478b74282c130faaac1c205f19fa618e353a3e98c2a12b96192307b8825]

3. First 6 characters of hash output, dot, significant date

[904cc4.20140115]

4. SHA-256 hash again

[70ce70b2a9e41f3b16f817ed5d604a388db995ae5d85da77e54ccd0f012e827c]

5. That hash output, dot, significant person

[70ce70b2a9e41f3b16f817ed5d604a388db995ae5d85da77e54ccd0f012e827c.andreasantonop]

6. Hash again for final password

[f3e03c29384847dbbb88ec6d3b9420edee46159c2c4452b84f032057884f0e17]



Relatively simple to remember, impossible(?) to crack by brute force, and no need to write it down. What do you think?

You must not have as many passwords as I do.

Also WTF.

+1
Some of you guys are realy doing do much. As somebody said before 99% of btc theft happens through malware or online wallets. If you just keep your wallet ofline and your password on some kind of external drive you're 100% safe. If you want to increase the security don't store the password just hints (for instance dog+gf+drink). Even if you somehow lose the drive, its founder won't have your addresses so he can't use it.
Why would someone encrypt the password 3 times or use file renaming and hide it among common files if he has to use it for transactions anyway and that's when it usually leaks.

I agree for the most part but I don't think you can say you're 100% safe. I wouldn't even keep it on a usb. Just make sure you don't forget it or store it somewhere else that isn't obvious. Using dog+gf+drink your friends and family will know this, and I'm sure somebody could find out this info if they were smart enough.

So what's your favourite drink? :D.

If you can't trust your closest family you're probably screwed anyway. I bet they could find other ways to rob you than just trying to break into your bitcoin wallet. Dog+gf+drink was just an example you can make it much longer and more difficult, including a date that was important for you or your gf's bra size :D
And my favourite drink is beer, no particular brand I like tasting different ones.

Well friends and family can become enemies pretty quick once there's large amounts of money involved. If that 10 BTC on your USB becomes worth $10 million  you might see a different side to people. Money can corrupt anyone ,even the most trustworthy and loyal of people. There's always friends of friends you have to worry about too. I reckon if one of them tells somebody else about you and how you struck it rich on Bitcoins and they're all on a usb stick and you have the password on another, then possible badtimes. But I think we're getting too deep into this now lol.