Bitcoin Forum

Economy => Service Discussion => Topic started by: LFC_Bitcoin on September 24, 2014, 04:25:04 PM



Title: Blockchain.info
Post by: LFC_Bitcoin on September 24, 2014, 04:25:04 PM
How secure are my coins in the blockchain.info wallet?

I don't like the bitcoin.org official system, I don't trust my laptop even though it's fairly new.

I'm planning to be a long term hoarder so I need my wallet to be 100% trustworthy without worrying about some kind of website collapse.

I'm not a tech wizard so don't understand paper wallets, scanning etc.


Title: Re: Blockchain.info
Post by: hilariousandco on September 24, 2014, 04:29:54 PM
It's only as safe as you are. Set up all - and I mean all - the security features and you'll be fine. 2-factor authentication can keep your coins very safe so that is the bare minimum I'd recommend and it can actually keep your coins safer than a desktop wallet. Make sure to keep a back-up of your wallet.dat stored offline though too.


Title: Re: Blockchain.info
Post by: Supercrypt on September 24, 2014, 04:31:13 PM
you don't have to worry
your coins are safe with blockchain.info


Title: Re: Blockchain.info
Post by: btchris on September 24, 2014, 04:44:42 PM
How secure are my coins in the blockchain.info wallet?

There are several different ways you could lose bitcoin stored at blockchain.info.

  1. Hackers break into blockchain.info's servers, steal your encrypted wallet, and then brute-force the password (if the password isn't strong enough).
  2. Hackers break into blockchain.info's servers, steal your encrypted wallet, and replace the website with a look-alike which then steals your password. This type of password-stealing attack would eventually be detected, but it's impossible to guess how long it would go undetected. You would be vulnerable if you log into your wallet while the attack was still undetected.
  3. An insider at blockchain.info executes the attack described above. Also as above, the attack would eventually be detected.
  4. A piece of malware finds its way onto your PC which targets blockchain.info. The next time you log into blockchain.info (even if you've enabled 2FA), the malware can steal your bitcoin.
  5. You do not maintain backups of your blockchain.info wallets, and blockchain.info loses your wallet or closes up shop. By maintain, I mean that you need to back up your wallet after each new receiving address is created.

It's impossible to estimate the likelihood of any of the above happening... are there one or more of the above that particularly concern you?

I don't like the bitcoin.org official system, I don't trust my laptop even though it's fairly new.

Can you be more specific? Is it that Bitcoin Core is too resource-heavy? Are you talking about malware? Something else?

I'm planning to be a long term hoarder so I need my wallet to be 100% trustworthy without worrying about some kind of website collapse.

The only wallets which approach 100% trustworthiness are cold storage wallets and hardware wallets. If you're (like me) unwilling to deal with the inconvenience or cost of these solutions, you'll need to make some compromises...


Title: Re: Blockchain.info
Post by: btchris on September 24, 2014, 04:56:27 PM
It's only as safe as you are. Set up all - and I mean all - the security features and you'll be fine. 2-factor authentication can keep your coins very safe so that is the bare minimum I'd recommend and it can actually keep your coins safer than a desktop wallet. Make sure to keep a back-up of your wallet.dat stored offline though too.

I agree with most of this, but I have to disagree with "it can actually keep your coins safer than a desktop wallet."

One disadvantage of desktop wallets (as I'm sure you know) is that they are vulnerable to malware. Some types of online wallets (and mobile wallets in some cases, too) offer very good resistance against locally installed malware, but only if the online wallet implements per-transaction two-factor authentication. Blockchain.info only offers login two-factor authentication, which can protect against online (but not offline) brute-force attacks, but it doesn't prevent locally installed malware from stealing bitcoin after a user has logged in.

More technically speaking, malware can wait for you to log in, and then capture your password (it doesn't need to capture your 2FA code). Once you've logged in, your PC downloads the encrypted blockchain.info wallet. At this point, the malware has access to both your just-downloaded wallet and the decryption key (your just-captured password), and that's all it needs to steal bitcoin. In this manner, blockchain.info is essentially the same as a desktop wallet, except that the software and the encrypted wallet file are loaded from a remote server during each use.


Title: Re: Blockchain.info
Post by: DannyHamilton on September 24, 2014, 05:31:46 PM
How secure are my coins in the blockchain.info wallet?

That depends on how strong your password is, how good you are at keeping malware off your computer and other devices, and what process you've implemented for maintaining backups of your wallet.

I don't like the bitcoin.org official system,

Bitcoin.org has an "official" system?  What system is that?

I don't trust my laptop even though it's fairly new.

Then how do you access your blockchain.info wallet?  If your laptop has malware and you access the blockchain.info wallet from the laptop, then the malware has access to the wallet.

I'm planning to be a long term hoarder so I need my wallet to be 100% trustworthy without worrying about some kind of website collapse.

Then you need to create secure backups of whatever wallet you choose.  You might want to look into creating paper wallets, or running either Armory or Electrum offline.

I'm not a tech wizard so don't understand paper wallets, scanning etc.

You don't need to be a tech wizard to understand paper wallets, or scanning private keys.  You do need to put a small amount of effort into protecting yourself against theft and loss.


Title: Re: Blockchain.info
Post by: LFC_Bitcoin on September 24, 2014, 06:13:01 PM
Blockchain.info have a google drive & drop box option to back up your wallet.

Would anybody recommend either?


Title: Re: Blockchain.info
Post by: btchris on September 24, 2014, 07:22:45 PM
Blockchain.info have a google drive & drop box option to back up your wallet.

Would anybody recommend either?

As long as your password is strong enough, I wouldn't have an objection to either (or even better, both).

By default, blockchain.info wallet passwords use poor key stretching (https://en.wikipedia.org/wiki/Key_stretching). Before backing up your wallet online, I'd go into Account Settings -> Debugging, and change the PBKDF2 Iterations setting from its default of 10 to the max available of 20000. (For comparison, Bitcoin Core typically uses an iteration count that's about 10x higher than this).
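
The effect of the iteration count discussed in the post above, as an added example that is not part of the original thread and is not blockchain.info's code: it compares the offline guessing cost at 10 and 20000 PBKDF2 iterations. The hash function (SHA-256), salt size, key length, sample keyspaces and the attacker rate of 1e9 hash rounds per second are assumptions chosen for illustration.

```python
import hashlib
import os
import time

# Iteration counts quoted in the post above; all other values are assumptions.
DEFAULT_ITERATIONS = 10
MAX_ITERATIONS = 20000


def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch a password into a 32-byte key (hash and key length are assumed)."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=32
    )


def seconds_per_guess(iterations: int, samples: int = 20) -> float:
    """Measure what one password guess costs on this machine."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(samples):
        derive_key(f"guess-{i}", salt, iterations)
    return (time.perf_counter() - start) / samples


def days_to_exhaust(keyspace: int, iterations: int, rounds_per_second: float) -> float:
    """Worst-case days for an offline search of `keyspace` candidate passwords.

    Each guess costs `iterations` hash rounds, so the guess rate is the
    attacker's raw round rate divided by the iteration count.
    """
    guesses_per_second = rounds_per_second / iterations
    return keyspace / guesses_per_second / 86400


if __name__ == "__main__":
    # Constructed inputs: 8 lowercase letters vs. 12 mixed-case letters and
    # digits, against an assumed attacker rate of 1e9 hash rounds per second.
    rate = 1e9
    for label, keyspace in (("8 lowercase", 26**8), ("12 alphanumeric", 62**12)):
        for iterations in (DEFAULT_ITERATIONS, MAX_ITERATIONS):
            days = days_to_exhaust(keyspace, iterations, rate)
            print(f"{label:16} iterations={iterations:<6} {days:,.2f} days")
    for iterations in (DEFAULT_ITERATIONS, MAX_ITERATIONS):
        cost = seconds_per_guess(iterations)
        print(f"local cost per guess at {iterations} iterations: {cost * 1e3:.3f} ms")
```

Under these assumptions the higher iteration count multiplies the search cost by 2000, yet the 8-letter lowercase password still falls in weeks, which is why password strength matters more than the setting alone.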


Title: Re: Blockchain.info
Post by: Velkro on September 24, 2014, 08:16:37 PM
It's not safe, never lose control over your private key (your bitcoins)


Title: Re: Blockchain.info
Post by: LFC_Bitcoin on September 24, 2014, 08:26:56 PM
If Blockchain.info did a MtGox are my coins safe as I have a note of my bitcoin address (the long number/letter thing)


Title: Re: Blockchain.info
Post by: btchris on September 24, 2014, 08:38:26 PM
If Blockchain.info did a MtGox are my coins safe as I have a note of my bitcoin address (the long number/letter thing)

That depends on what "did a MtGox" means, since we still don't know exactly what happened there...

I thought I answered all of these in my first post here, but maybe I was unclear.

If blockchain.info is hacked or if they have a crooked employee, there's some chance they will be able to steal your bitcoin (see my first post...)

If blockchain.info disappears, then as long as you have a recent* backup (via one of the backup mechanisms on their web page), then you will be able to recover your bitcoin.

*by recent, I mean you haven't created any new receiving addresses since your last backup.

(ignore the generalization from Velkro which doesn't apply to blockchain.info...)


Title: Re: Blockchain.info
Post by: LFC_Bitcoin on September 24, 2014, 08:40:43 PM
If Blockchain.info did a MtGox are my coins safe as I have a note of my bitcoin address (the long number/letter thing)

That depends on what "did a MtGox" means, since we still don't know exactly what happened there...

I thought I answered all of these in my first post here, but maybe I was unclear.

If blockchain.info is hacked or if they have a crooked employee, there's some chance they will be able to steal your bitcoin (see my first post...)

If blockchain.info disappears, then as long as you have a recent* backup (via one of the backup mechanisms on their web page), then you will be able to recover your bitcoin.

*by recent, I mean you haven't created any new receiving addresses since your last backup.

(ignore the generalization from Velkro which doesn't apply to blockchain.info...)


Thank you.

One last question - Say if I back up via drop box, if blockchain.info was to have problems where/how would you transfer the coins somewhere else as obviously dropbox isn't designed for bitcoin?

Would you be able to get them into another wallet provider?

Sorry for the stupid question, I only have 10 BTC, have never bought anything with them or had any other wallets.


Title: Re: Blockchain.info
Post by: Juan007 on September 24, 2014, 11:02:01 PM
I do not use any web wallets. I am VERY security conscious. This thread has me concerned mostly about android malware. :)


Title: Re: Blockchain.info
Post by: xcapator on September 25, 2014, 03:21:47 AM
I can't open blockchain.info, it gave me an error message:

Secure Connection Failed

An error occurred during a connection to blockchain.info. The OCSP response contains out-of-date information. (Error code: sec_error_ocsp_old_response)


What about you guys ?


Title: Re: Blockchain.info
Post by: letyouearn on September 25, 2014, 04:40:37 AM
The Best Option to store your Bitcoins are bitpay wallet or Coinbase wallet.

Those are 100% safe to use and store your precious Bitcoins.


Title: Re: Blockchain.info
Post by: twister on September 25, 2014, 04:43:09 AM
The Best Option to store your Bitcoins are bitpay wallet or Coinbase wallet.

Those are 100% safe to use and store your precious Bitcoins.

Really? I was under the impression that off-line wallets which have never been on-line and of which no one but only you know the private key are the safest ones.


Title: Re: Blockchain.info
Post by: Swordsoffreedom on September 25, 2014, 04:56:27 AM
Safeish
It's not as safe as an encrypted to a USB stick full version Bitcoin client
But it's not an instantwallet or inputs.io

I would say to keep a small amount in the blockchain wallet but for larger amounts go to cold storage if you don't trust your laptop.

OH and Online Wallets can scam you so even if it's coinbase or bitpay would not give it all my trust could always end up goxed someday in the future.


Title: Re: Blockchain.info
Post by: zetaray on September 25, 2014, 05:18:41 AM
I would not save any wallet backups anywhere online even with a strong password. It is not secure. I would at least use Electrum to generate an address, and enter that address into blockchain.info as read-only. Then send most of your coins to that address. Then make sure you keep your 12 word seed safe, uninstall Electrum from your computer and delete the Electrum wallet file.


Title: Re: Blockchain.info
Post by: dancupid on September 25, 2014, 05:34:53 AM
You could also download the My Wallet add-on for Firefox.

This means you don't need to download the JavaScript from their servers each time (which may be compromised by a hack).
Only 790 people have downloaded this amazingly.

https://addons.mozilla.org/en-US/firefox/addon/my-wallet/?src=api


For a little additional security you could run it in Firefox portable and keep it on a USB stick away from your normal browser.

And use watch only addresses for large amounts of Bitcoin - with the private key secured on a paper-wallet or equivalent




Title: Re: Blockchain.info
Post by: Gallah on September 25, 2014, 05:48:06 AM
I would go with a bitcoin core encrypted wallet.


Title: Re: Blockchain.info
Post by: btchris on September 25, 2014, 12:53:20 PM
One last question - Say if I back up via drop box, if blockchain.info was to have problems where/how would you transfer the coins somewhere else as obviously dropbox isn't designed for bitcoin?

Would you be able to get them into another wallet provider?

Sorry for the stupid question, I only have 10 BTC, have never bought anything with them or had any other wallets.

That's not a stupid question at all...

See this thread for a discussion on methods to transfer your private keys from a blockchain.info wallet into other wallets: https://bitcointalk.org/index.php?topic=594570.0


Title: Re: Blockchain.info
Post by: hyphymikey on September 26, 2014, 02:15:30 PM
Make sure you have 2 factor authorization turned on. It will send you a text with a code when logging in. Also set a different, better password for the ability to send bitcoins out of the wallet. All of this can be found in the settings on the site.


Title: Re: Blockchain.info
Post by: sandykho47 on September 28, 2014, 12:55:05 PM
It's simple :
1. Use very strong password
2. Use 2FA SMS Message
3. Enable second password
4. Activate another security protection

Blockchain.info have a google drive & drop box option to back up your wallet.

Would anybody recommend either?

No, it's dangerous if you have weak security on google drive / dropbox & your device is infected with a virus / spyware
You need to use a clean device & download it securely


Title: Re: Blockchain.info
Post by: blumangroup on October 02, 2014, 01:38:55 AM
Make sure you have 2 factor authorization turned on. It will send you a text with a code when logging in. Also set a different, better password for the ability to send bitcoins out of the wallet. All of this can be found in the settings on the site.

I believe that you can get around having to use 2FA if you can get your hands on a backup of the encrypted wallet file. 2FA for blockchain.info is only specific to your identifier; if someone were to make a new identifier with your password and had your encrypted wallet file, they could import your keys and spend your money.