Bitcoin Forum

Bitcoin => Electrum => Topic started by: mcplums on January 17, 2015, 12:17:31 PM



Title: Is it safe to store encrypted wallet files all over the internet?
Post by: mcplums on January 17, 2015, 12:17:31 PM
I have heard that the encryption used for electrum wallets is somewhat open to brute force attacks, which makes me think that even if I've encrypted the wallet, I should still try and keep it offline.

Thoughts?


Title: Re: Is it safe to store encrypted wallet files all over the internet?
Post by: shorena on January 17, 2015, 08:20:09 PM
I have heard that the encryption used for electrum wallets is somewhat open to brute force attacks, which makes me think that even if I've encrypted the wallet, I should still try and keep it offline.

Thoughts?

That's true for any encryption. Maybe you can explain in a more detailed fashion what you heard.


Title: Re: Is it safe to store encrypted wallet files all over the internet?
Post by: PolarPoint on January 17, 2015, 09:33:00 PM
Encrypted wallets are always vulnerable to brute force attacks. It's money you are talking about. You shouldn't have a wallet file stored online.


Title: Re: Is it safe to store encrypted wallet files all over the internet?
Post by: shorena on January 17, 2015, 10:07:35 PM
Encrypted wallets are always vulnerable to brute force attacks. It's money you are talking about. You shouldn't have a wallet file stored online.

It's probably fine as long as the encryption used is strong and the password good enough.

see: http://www.stealmywallet.com/


Title: Re: Is it safe to store encrypted wallet files all over the internet?
Post by: btchris on January 18, 2015, 12:01:52 AM
I have heard that the encryption used for electrum wallets is somewhat open to brute force attacks, which makes me think that even if I've encrypted the wallet, I should still try and keep it offline.

Thoughts?

You do need to be more careful when it comes to storing Electrum wallets online compared to many other wallets.

As others have already noted, nearly all wallets are open to brute force attacks. However, given a strong-enough password, any wallet can be safely stored online. The big problem is in determining whether or not your password is strong enough to resist brute forcing attacks, and there's no easy way to be sure.

This JavaScript site is the best I know of (thanks to Newar) at estimating password strength: https://dl.dropboxusercontent.com/u/209/zxcvbn/test/index.html. There's an accompanying article discussing its method's strengths and weaknesses here (spoiler: it might be very good, but it's definitely not perfect): https://tech.dropbox.com/2012/04/zxcvbn-realistic-password-strength-estimation/.

What's different about Electrum is that it doesn't use any key stretching (http://en.wikipedia.org/wiki/Key_stretching), so if you don't use a very strong password, you're much more vulnerable to brute force attacks than some other wallets such as Bitcoin Core or Armory. Here's a quick overview of how many cryptographic operations must be done to check a single password for these two wallet formats:

Electrum: 2 SHA-256's (each a single block long) and 1 block of AES-256 decryption
Bitcoin Core: approximately 100,000 SHA-512's (each a single block long) and 2x blocks of AES-256 decryptions

TL;DR: use a strong-enough password, and you'll probably be safe from brute force attacks, but it's really hard to know what "strong-enough" means.
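
The per-guess costs listed in the post above can be turned into a rough estimate of how much password entropy key stretching is worth. This is an added example, not part of the original thread and not either wallet's code: the two derivation functions are simplified models of the hash counts quoted in the post (the AES blocks are left out), and the attacker speed of 10^9 hash operations per second is a constructed figure.

```python
import hashlib
import math
import os
import time

ELECTRUM_HASHES = 2        # from the post: 2 SHA-256 per password guess
CORE_HASHES = 100_000      # from the post: ~100,000 SHA-512 per password guess
YEAR = 365.25 * 24 * 3600  # seconds

def unstretched_key(password: bytes) -> bytes:
    """Model of a 2-hash derivation (assumed construction: double SHA-256)."""
    return hashlib.sha256(hashlib.sha256(password).digest()).digest()

def stretched_key(password: bytes, salt: bytes, rounds: int = CORE_HASHES) -> bytes:
    """Model of key stretching (assumed construction: iterated, salted SHA-512)."""
    digest = hashlib.sha512(password + salt).digest()
    for _ in range(rounds - 1):
        digest = hashlib.sha512(digest).digest()
    return digest[:32]  # 256-bit key

def stretching_bonus_bits(stretched_ops: int, plain_ops: int) -> float:
    """Extra password entropy the unstretched wallet needs for equal attack cost."""
    return math.log2(stretched_ops / plain_ops)

def years_to_find(entropy_bits: float, ops_per_guess: int, ops_per_sec: float) -> float:
    """Expected search time: on average half the keyspace is tried."""
    return 2 ** (entropy_bits - 1) * ops_per_guess / ops_per_sec / YEAR

def seconds_per_guess(derive, *args) -> float:
    """Wall-clock cost of one guess on this machine (best of three runs)."""
    timings = []
    for _ in range(3):
        start = time.perf_counter()
        derive(*args)
        timings.append(time.perf_counter() - start)
    return min(timings)

if __name__ == "__main__":
    password, salt = b"constructed sample passphrase", os.urandom(8)
    print(f"unstretched: {seconds_per_guess(unstretched_key, password):.2e} s/guess")
    print(f"stretched:   {seconds_per_guess(stretched_key, password, salt):.2e} s/guess")
    print(f"stretching is worth {stretching_bonus_bits(CORE_HASHES, ELECTRUM_HASHES):.1f} bits")
    rate = 1e9  # constructed attacker speed, hash operations per second
    for bits in (30, 40, 50, 60):
        plain = years_to_find(bits, ELECTRUM_HASHES, rate)
        slow = years_to_find(bits, CORE_HASHES, rate)
        print(f"{bits} bits: {plain:.2e} years unstretched, {slow:.2e} years stretched")
```

With the post's figures, the stretched format costs 50,000 times more hash work per guess, so an unstretched wallet needs a password with roughly 15.6 more bits of entropy to reach the same attack cost.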