Bitcoin Forum

How safe is an Encrypted Bitcoin core wallet with a strong password?

Not very if you have a key logger and hacker can some how retrieve your wallet.dat

It is safer than having an easy to guess password and obviously having no password would be like handing it on a platter.

I would do this (after you have finished with the client each time) Rename wallet.dat to something else, move it out of the normal directory (preferably off the PC). You would still be vulnerable to key logger and 1000 other scenarios, but if someone got access to your PC they might search/scan for wallet.dat and hopefully moves on when they can not find it.

The software uses best-practices in handling, it's adaptively strengthened with a cryptographic KDF and salted (and cracks at no faster than 10 per second on the user's CPU)— but users (including myself) stink at producing passwords or if they manage to produce a good one, they can't remember it.

No amount of encryption can protect you from poor passwords, keyboard sniffers, or other local machine compromises... or from forgetting or disk corruption.  The wallet encryption helps against some things, but the rest is up to you currently.

i mean encrypting wallet with a very strong password and doing this in a freshly installed windows pc.

That will take care of keyloggers right!

Now tell me how safe is such an encrypted wallet

What do you want to hear?

10 guesses per second (per core I assume) if you have a password with 12 symbols, which can be any char or number you have
(2*26+10)¹²~=3.22 *10²¹ possible passwords. In order to test them all with a 120 Core CPU you need 3.22*10²¹/1200*60s*60m*24h*365d ~= 85 billion years. Bruteforce is basically out of the question unless someone has a very short list that happens to have your password in it.

A fresh Windows will most likely be not fully updated, but unless you use something old (e.g. WinXP without Service packs) you should be fine. Its also unlikely that you "just get a keylogger" as long as you are carefull. Carefull as in: dont download something from shady sources, dont download any new alt coin wallet just because, etc. pp.

more importantly, make sure your operating system install disk is clean. if you're downloading pirated windows, make sure you check the .iso's checksum against the ones published by microsoft (http://msdn.microsoft.com/en-us/subscriptions/downloads/).

Yeah my friend has original win 8 , we are planning to fresh install, update it, then install firefox and bitcoin core, then transfer all coins and encrypt with a very strong password.

Now is it safe?

Not much, Windows is known to have a lot of vulnerabilities, since you are exposed to the internet, you might get a malware. Installing Linux on an offline computer would be significantly safer.

Actually it is very very safe if you have strong password, you just have to avoid keylogger which is easy...

windows does have vulnerabilities, but they're not so bad to the point that connecting a reasonably up-to-date windows machine to the internet will get you infected.

This would take care of keyloggers when  you create your password, but would not necessarily take care of keyloggers when you later need to input your password as your computer could potentially become compromised in the future.

Why not install VirtualBox on the Windows PC. Then use a virtualized Ubuntu installation when you need to access your wallet?

Because it gives you complexity not security. If the host system is infected any virtualisation as protection is useless. While you might be able to fool very simple malware that just searches for the wallet.dat with this, it will not help you against a keylogger. If you type in a password in the VM ware it is still piped through the host OS.

As it is said earlier, Brute-force attack will be hard. It isn't highly secure but it is good and try to install original OS and search for a way to detect and remove keyloggers from your computer for the preferred OS.
Kindly,
      MZ

I would partially disagree.
They have the password (to something) as you said, but they did not get the wallet.dat
So you have essentially protected the wallet.dat, Have you not ?

And what to do if the keylogger searches for ".wat" in the start bar?

You can easily rename the file type to something else like .wkshw and rename it back to .dat when you needs it. They most probably won't spend time to search for a file type like this.

All most all of the key loggers upload the inputs. I couldn't see any other types of key loggers.
Kindly,
        MZ

If you have a keylogger, no password is strong enough. Best to use a dedicated machine for bitcoin, and install nothing but your wallet software and no altcoin wallets either.

I think always using on screen keyboard will make it very safe from keyloggers

I only use on screen keyboard for simple purposes. How can you type everything in on screen keyboard? or Are you telling that you type passwords and other sensitive datas with on screen keyboard? ::)
Kindly,
         MZ

Screen keyboard gives you protection against physical keyloggers like this: http://www.amazon.com/Keyllama-4MB-USB-Value-Keylogger/dp/B004ZGXU48. However there exist also keylogger software which can capture also screen keyboard.

There is no way to be safe from keyloggers.
Of course you can take some measures to limit the possibility of lousing your coins.

Use on-screen keyboard, to type your password, or even use a key scrambling software.
That makes it impossible for most keyloggers to record your keystrokes.
Sadly, more sophisticated hacking tools allows to get past the key scrambling and even record
 your screen and send screenshots the the hacker.
But, when talking about bitcoin, smart hacking tools DON'T EVEN NEED YOUR PASSWORD!
They just need your private keys to steal your money.
When your wallet program prompts you to enter password, it does because it needs to decrypt your wallet
to do something.(Like spend some coins)
When you do this, the wallet gets unencrypted for a very small period of time
which is enough for hackers to dump your private keys.
They can also read them from memory.
The best way to protect your coins is to NOT GET INFECTED
Just don't install crapware!

Using strong passwords only protects from brute-forcing.

End of story.

Find a simple guide but useful : http://www.vistatalks.net/2009/11/3-simple-tricks-to-prevent-keylogger-from-stealing-your-password/ (http://www.vistatalks.net/2009/11/3-simple-tricks-to-prevent-keylogger-from-stealing-your-password/) :)

edit : Search 'prevent keyloggers from grabbing your passwords' in google to get many tips and tricks.

Kindly,
      MZ

Yes, I would argue against that however that simple malware is not something you need to be concerned about. Most malware today is no longer written by borred, talented teens, but by professionals. Modern malware C&C Servers even have support build in [4]. Thus a search for running VM Ware is routine


Which -again- only protects you against simple malware. It is not much more difficult to seach the fileheaders instead of the file ending.


Nope, to be safe from keyloggers use something like keepas [1] which is designed to protect against keyloggers. A screenkeyboard is easily detected and taking a screenshot for each click is something e.g. Zeus [2] does if you want. AFAIK Zeus isnt even the latest shit [3] out there.


"use a portable browser" might be usefull, however what is preventing the malicious internet cafe operator to make a copy of all of your data? There might be more interesting stuff. Public computers are not safe.


Yep.

"Common sense" is probably the best (sometimes the only) line of defense against malware. Well a secure OS is helping as well.


[1] http://keepass.info/help/base/security.html#secdesktop
[2] https://en.wikipedia.org/wiki/Zeus_%28Trojan_horse%29
[3] https://en.wikipedia.org/wiki/Operation_Tovar
[4] AFAIK it was mentioned here https://www.youtube.com/watch?v=GA7S0JK8o_k - didnt check, its been a while since I lasted watched that talk. Watch it. It will make you think different about todays malware.

If malware hits even KeePass can not protetect you. Quoted from KeePass webpage: "For example, consider the following very simple spyware specialized for KeePass: an application that waits for KeePass to be started, then hides the started application and imitates KeePass itself. All interactions (like entering a password for decrypting the configuration, etc.) can be simulated. "


Again, if the computer is infected, the portable browser offers no protection.

One possible solution is boot computer from live linux cd when sensitive data need to be accessed.

It is also posssible that malware infects your machine’s BIOS. If it happpens then you are in big, big trouble.

Ah yes, didnt think of that. So only a secure OS can.


Yep that was what I wrote, the 3 tipps behind the link where pretty much useless.


Hardware trojans and not even your secure OS can help you. BadBIOS is the one that comes to mind.

If the NSA spends all its resources for a whole week to crack our wallet, nobody can save us..

So please try to discuss what is common, how can a mainstream man protect his wallet?
i am sure these sophisticated trojans wont bother this common man

How can you be so sure?

For example even if I do not use twitter much I got some time ago this tweet claiming "US government trying to shutdown the bitcoin network.": http://www.thewhir.com/web-hosting-news/tweet-claims-us-government-wants-ban-bitcoin-actually-spreading-malware

Did not open the “video” however  :)

If the NSA spend all their resources for a whole week to crack your wallet, theyd still be cracking. A properly secured wallet can not be bruteforced, not even by the NSA. They have slightly different ways however:

https://sslimgs.xkcd.com/comics/security.png

from: https://xkcd.com/538/ ofc

Zeus is what is (or was, there is better stuff now) after you and your bank accounts. 95% of the worlds mail came from botnets for a while. IIRC its less now, but that should give you an estimate what you are up against. The rest that your anti virus scanner detects is just the crap from last year or something a borred teen put together.