Bitcoin Forum

Other => Beginners & Help => Topic started by: escrow.ms on March 27, 2013, 09:44:05 AM



Title: Stay safe.
Post by: escrow.ms on March 27, 2013, 09:44:05 AM
I am making this thread for ones to protect themselves from being compromised. You may add this to your sig to spread the knowledge for ones to protect themselves from being compromised.

============================================================================================

Note: A) Lastpass is freeware, but for some stuff you can pay, but the general use of lastpass is freeware. LastPass Password Manager is closed source, though many of the extensions can be run in a non-binary mode where the source is available, but LastPass maintains all rights.
Note: B) Keepass is freeware. KeePass is an open source password manager.
Note: C) Password Safe is freeware & opensource. (Courtesy of traderjoe)

A) https://lastpass.com/
B) http://keepass.info/
C) http://passwordsafe.sourceforge.net/

============================================================================================

Create an account with lastpass, use a strong master password. Don't ever forget your master password, as you are the only one that has it.

You may download Lastpass as an Application or as a browser addon for Firefox, Chrome, IE, etc.

Lastpass application. Download, install, input email that you used to register with lastpass and the master password you created. Get familiar with the program.

Lastpass addons. Install the Lastpass addon that is appropriate for your browser. Once done, you see a Lastpass icon somewhere in one of the toolbars of your browser, input the email you used to register with Lastpass into the Email section of the login area, followed by the master password that you created.


============================================================================================

Keepass is all saved encrypted with one master password on your pc. No cloud servers or nothing. If you use keepass, back up your file in a truecrypt container file on a cloud server like dropbox or as wuala encrypts data on your pc before it gets sent to wuala servers.

Here is a How-to for Keepass. http://keepass.info/help/base/firststeps.html

============================================================================================

Quote

(Courtesy of traderjoe) About Password Safe & Yubikey(s)

Something kind of cool about Password Safe is: you can lock it with OTP using Yubikey(s), instructions on the yubikey website. The web page says it's two-factor authentication but I haven't had a chance to test that it can be configured to actually require both the Yubikey OTP and a static password.


============================================================================================

I recommend to use a strong Master Password and never use the same password for 2 or more accounts. Never give out your master password. Never use words from a dictionary.

Lastpass encrypts all your data on your pc or mobile device before lastpass sends it off to their servers and you only hold the key "master password" to all your saved passwords, notes, etc. I find this addon - application the best imo.

Quote
(Courtesy of RandomQ)
Do not use a Password Generator that is hosted Online unless it uses SSL; this may be OK for a normal user.
Do not repeat chars IE "AAA" "BBB" "111"
Use a Special Char if allowed "!@#$%%$^^*&()"
Never use the same password twice
Change password regularly

Additional Notes:
With the latest LastPass, as of the moment 3.1.0, and if you have a strong computer system, you may up the PW iterations. Raise in increments of 100 or 1000. Anything high might be bad for mobile devices or slow computers. I set mine at 200000. Not recommended if you do not know what you're doing.
https://helpdesk.lastpass.com/security-options/password-iterations-pbkdf2/

============================================================================================

Quote
(Courtesy of RandomQ)

lastpass also supports google auth, so even if your master password is stolen via keylogger, they most likely won't get all your passwords because google auth codes are only good for ~30 secs.
Lastpass Introduced Support for Google Authenticator for Mobile Devices (http://blog.lastpass.com/2011/11/introducing-support-for-google.html)

Quote
Courtesy of (John (johnthedong))

LastPass itself is worthless if you use only the Master Password as that's easily leaked.


Setting Up LastPass with Google Authenticator (http://helpdesk.lastpass.com/security-options/google-authenticator/)

Grid Multifactor Authentication (http://helpdesk.lastpass.com/security-options/grid-multifactor-authentication/)

============================================================================================

Quote
Note: KeyScrambler is not freeware.
Note: Anti-Keylogger is trial-freeware and pay for.

KeyScrambler (http://www.qfxsoftware.com/)
Anti-Keylogger (http://www.anti-keyloggers.com/)

Courtesy of (John (johnthedong))

Use an Anti-Keylogger like Keyscrambler.


============================================================================================

Explanation of PGP Encryption

Courtesy of CypherPunk

Quote from: CypherPunk
PGP is strong encryption software. Think military grade encryption. It allows you to encrypt emails and files in such a way that they are theoretically unbreakable. It uses the concept of a private and a public key. You give your public key to everyone so they can encrypt stuff to you but whatever is encrypted to you can only be decrypted by your private key (which you protect with a passphrase and your freaking life!)

There is an open source version of PGP called GnuPG (or GPG for short). It functions the same as PGP and can even read PGP generated files (and vice versa).

Advice: if you are serious about security, do not use ANY program that relates to security and is not open source. You simply can't know what it's doing and it may compromise your security.

HTH,
CypherPunk


pgp tutorial for newbies gpg4win (http://www.deepdotweb.com/2013/11/11/pgp-tutorial-for-newbs-gpg4win/)


By GoldenWings91

Proper way to Create & verify GPG Signature using Kleopatra on Windows (https://bitcointalk.org/index.php?topic=297434.msg3202050#msg3202050)

============================================================================================
Android Security

TIP #1 Don't store bitcoins on a rooted cellphone.
Rooting your device increases the security exposure to malicious applications and potential application flaws, thus any malware can steal your wallet/keys stored in a protected directory.
Malware on a rooted phone can also access other applications like google authenticator and read/write phone logs, sms etc. which are needed for the verification process in many websites/apps.

TIP #2 – Don’t install apps from untrusted third party apps stores.
TIP #3 – Use an anti-virus app for an extra layer of protection.

APK scanners:
http://apkscan.nviso.be/
http://mobilesandbox.org/
http://virustotal.com/
http://scan.netqin.com/en/
https://anubis.iseclab.org/

============================================================================================

These are techniques everyone should exercise.

============================================================================================

Here are a few examples why one should use these techniques.

https://bitcointalk.org/index.php?topic=92471.msg1020087#msg1020087
https://bitcointalk.org/index.php?topic=91701.msg1009976#msg1009976

============================================================================================

Block unencrypted content on encrypted sites with Firefox or a browser equivalent to Firefox.

With the latest Firefox ESR or latest release of firefox, you may block mixed content at about:config. I don't know about earlier versions of FF.

Code:
security.mixed_content.block_display_content : true
security.mixed_content.block_active_content : true

Also two addons add two buttons to easily disable or enable these settings.
https://addons.mozilla.org/en-US/firefox/addon/toggle-mixed-active-content/
https://addons.mozilla.org/en-US/firefox/addon/toggle-mixed-display-content/

Block unencrypted content on encrypted sites with adblockplus.

Steps to produce:

Step 1:  -- Click on AdblockPlus icon, Click filter preferences.
Step 2:  -- Click Custom Filters Tab.
Step 3:  -- Click add filter group, name it Blocking HTTP Content on HTTPS Enabled Sites
Step 4:  -- Click Add Filter.
Step 5:  -- Add for example, for bitcointalk.org, add
Code:
|http://*$domain=bitcointalk.org
Step 6:  -- For other sites that use https, like google.com, add
Code:
|http://*$domain=google.com

Note: Just replace the domain name with the one you prefer. E.G. |http://*$domain=example.com

To force HTTP to HTTPS.

Step 1: Install Noscript addon.
Step 2: Click Noscript icon, click options, click advanced tab, under advanced tab is https tab, click https tab, under https tab is a behavior tab, click it.
Step 3: Drop the menu down to
Code:
 Forbid active web content unless it becomes from a secure (HTTPS) connections
to Never.
Step 4: Add the domain name you prefer to
Code:
 Force the following sites to use secure (HTTPS) connections
Window.
Note: Example: google.com youtube.com www.youtube.com

============================================================================================

Block bad stuff with Hosts file by MVPS

Quote
Also, I would and no doubt this has saved me from a lot of bad stuff, recommend MVPS hosts file.

You can use this on linux, rooted phones and Windows, and probably other stuff that use hosts file.

http://winhelp2002.mvps.org/hosts.htm

mvps now supplies the hosts file with 0.0.0.0's. Below no longer needed. Scratched out.
If you get notepad++, you can ctrl-f 127.0.0.1, click replace all with 0.0.0.0 .

Example.
Code:
127.0.0.1  fr.a2dfp.net > 0.0.0.0  fr.a2dfp.net

By doing this, you save a lot of space.

And you leave
Code:
127.0.0.1  localhost
alone.

============================================================================================

By Tomatocage

[EDU] How to spot a scammer (Read this before doing any transactions!) (https://bitcointalk.org/index.php?topic=137288.0)

============================================================================================

By escrow.ms

Clickable link - Keep your system updated and stay secure. Tips to avoid viruses trojans (https://bitcointalk.org/index.php?topic=203876.0)

============================================================================================

Avoid Link-Scammers

Avoid Link-Scammers (https://bitcointalk.org/index.php?topic=336505.msg3692526#msg3692526)

============================================================================================

An option to up your google account security.

The security question for google allows you to change it to a custom question.
I took with my lastpass addon and generated a character password with Show advance options ticked, everything ticked to make your password the strongest. Copy generated password, paste as security question.

Go back to generate a new password and generate a new password with highest strength possible, copy and paste for the answer.
Save/update google settings.

Open a secure note for lastpass and keep these two generated passwords stored under its title question/answer, which is protected by your master password for lastpass.

It's just a blockade against a security question attack on your google account or any other account that has this security question feature.


============================================================================================

As always, comments and suggestions are always welcomed to better these techniques as I will do my best to fill them.

If you have enough character count in your signature please represent this in your signature.
Code:
[url=https://bitcointalk.org/index.php?topic=159424.msg1685280#msg1685280][size=8pt]Stay Safe.[/size][/url]

============================================================================================


Title: Re: Stay safe.
Post by: crazyfingers on March 27, 2013, 10:35:01 AM
Thank you for all the information. I will put it to use.

BTW, can you give a simple explanation of what PGP is and how to use it? And do you have any recommendations for related freeware? Thanks.


Title: Re: Stay safe.
Post by: MaraC on March 27, 2013, 12:36:07 PM
Great info thanks!!

I have so many passwords now, that it's insane!

Thanks!


Title: Re: Stay safe.
Post by: pekv2 on March 27, 2013, 02:28:14 PM
Thank you for all the information. I will put it to use.

BTW, can you give a simple explanation of what PGP is and how to use it? And do you have any recommendations for related freeware? Thanks.

I do not, I did at one time read up on pgp, my best guess is to check out the wikipedia. As to recommendations I have no idea.

Yup, np.

Great info thanks!!

I have so many passwords now, that it's insane!

Thanks!

Yup, np.



Title: Re: Stay safe.
Post by: CypherPunk on March 31, 2013, 01:19:53 AM
Thank you for all the information. I will put it to use.

BTW, can you give a simple explanation of what PGP is and how to use it? And do you have any recommendations for related freeware? Thanks.

PGP is strong encryption software. Think military grade encryption. It allows you to encrypt emails and files in such a way that they are theoretically unbreakable. It uses the concept of a private and a public key. You give your public key to everyone so they can encrypt stuff to you but whatever is encrypted to you can only be decrypted by your private key (which you protect with a passphrase and your freaking life!)

There is an open source version of PGP called GnuPG (or GPG for short). It functions the same as PGP and can even read PGP generated files (and vice versa).

Related software you should look into is Keepass (open source, secure password storage), Tor (open source, anonymity software), TrueCrypt (open source, drive or file encryption).

Advice: if you are serious about security, do not use ANY program that relates to security and is not open source. You simply can't know what it's doing and it may compromise your security.

HTH,
CypherPunk


Title: Re: Stay safe.
Post by: pekv2 on March 31, 2013, 01:34:52 AM

OP updated, thanks!


Title: Re: Stay safe.
Post by: Exocyst on April 02, 2013, 05:11:23 PM
Are there any tools for command line?  I would love a MySQL database of my encrypted passwords, info with some kind of link to an encryption/decryption library like libmcrypt or gnupg.


Title: Re: Stay safe.
Post by: pekv2 on April 07, 2013, 12:16:37 AM
Keepass 2.22 was released on the 5th.


Title: Re: Stay safe.
Post by: Keimoasd on April 08, 2013, 12:01:42 PM
Thank you for this information!


Title: Re: Stay safe.
Post by: Riddar on April 08, 2013, 12:04:42 PM
Solid advice.


Title: Re: Stay safe.
Post by: tomnavratil on April 08, 2013, 12:19:02 PM
Regarding security and protection - hardware options are relatively a good choice as well. For example Yubikey, which can be linked to MtGox, which is still used by many. Affordable and acts as an extra layer of protection.


Title: Re: Stay safe.
Post by: pekv2 on April 11, 2013, 02:55:17 PM
I've updated the end of the OP:

Quote

Block unencrypted content on encrypted sites with adblockplus.

Steps to produce:

Step 1:  -- Click on AdblockPlus icon, Click filter preferences.
Step 2:  -- Click Custom Filters Tab.
Step 3:  -- Click add filter group, name it Blocking HTTP Content on HTTPS Enabled Sites
Step 4:  -- Click Add Filter.
Step 5:  -- Add for example, for bitcointalk.org, add
Code:
|http://*$domain=bitcointalk.org
Step 6:  -- For other sites that use https, like google.com, add
Code:
|http://*$domain=google.com

Note: Just replace the domain name with the one you prefer. E.G. |http://*$domain=example.com

To force HTTP to HTTPS.

Step 1: Install Noscript addon.
Step 2: Click Noscript icon, click options, click advanced tab, under advanced tab is https tab, click https tab, under https tab is a behavior tab, click it.
Step 3: Drop the menu down to
Code:
 Forbid active web content unless it becomes from a secure (HTTPS) connections
to Never.
Step 4: Add the domain name you prefer to
Code:
 Force the following sites to use secure (HTTPS) connections
Window.
Note: Example: google.com youtube.com www.youtube.com


Title: Re: Stay safe.
Post by: proper_pizza on April 12, 2013, 10:49:43 PM
Please stay safe


Title: Re: Stay safe.
Post by: Gabi on April 12, 2013, 11:04:56 PM
About HTTPS, this is the addon I use: https://www.eff.org/https-everywhere

Of course you can have https only if the website supports it  ;)


Title: Re: Stay safe.
Post by: ripple on April 12, 2013, 11:22:02 PM
Very helpful information. I think the fact that these programs are open source is a good guarantee that they are free of malware which is very important when it comes to password protection.


Title: Re: Stay safe.
Post by: Teg_men on April 15, 2013, 09:03:57 AM
Thank you for information.


Title: Re: Stay safe.
Post by: jt7382 on April 19, 2013, 07:48:32 PM
This is amazing. Bookmarked, thank you for it.


Title: Re: Stay safe.
Post by: myrkul on April 20, 2013, 07:07:12 PM
Sticky this thread NAO.

Too good to let get smothered in the Newbie sewage.


Title: Re: Stay safe.
Post by: digicoins on April 20, 2013, 07:16:38 PM
Better safe than sorry! May get a Yubikey, heard good things about it and widely used on exchanges


Title: Re: Stay safe.
Post by: GGuyZ on April 20, 2013, 07:35:52 PM
Great thread, thanks :).


Title: Re: Stay safe.
Post by: pekv2 on April 20, 2013, 07:55:24 PM
Sticky this thread NAO.

Too good to let get smothered in the Newbie sewage.

A thread like this, well, exactly this info but not this thread, was once stickied, until a goober pissed me off, I did something I should have not, I took it down, it got unstickied. Then some admins were against it being stickied, I believe, in the first place. But we can go forth and see if it may get stickied again, I use medication now that keeps me calm. This is the reason I never asked for it to be stickied again because I once lost my temper, and might have thought that had ruined me asking for it to be stickied again. We'll see how it goes and if it can get stickied again, if they be so kind.


Title: Re: Stay safe.
Post by: paoui on April 20, 2013, 07:57:13 PM
very helpful. THANKS. I was already using Keepass for a while but will take a look at ur other suggestions too


Title: Re: Stay safe.
Post by: bitcoinblueprint on April 22, 2013, 04:29:40 PM
Thank you pekv2, great tutorial! :)


Title: Re: Stay safe.
Post by: bitjay on April 24, 2013, 04:13:07 PM
Excellent advice.


Title: Re: Stay safe.
Post by: bitleif on April 25, 2013, 03:54:00 PM
Don't keep all your money in one place.


Title: Re: Stay safe.
Post by: madsurgeon on April 26, 2013, 03:48:53 PM
I would never trust a closed source password manager!


Title: Re: Stay safe.
Post by: pekv2 on April 26, 2013, 05:31:23 PM
I would never trust a closed source password manager!

Who is closed source?

Edit:
I see, lastpass is closed source in a certain way.

LastPass Password Manager is closed source, though many of the extensions can be run in a non-binary mode where the source is available, but LastPass maintains all rights.

https://en.wikipedia.org/wiki/LastPass_Password_Manager


Title: Re: Stay safe.
Post by: pekv2 on April 26, 2013, 05:36:16 PM
I would never trust a closed source password manager!

Who is closed source?

Edit:
I see, lastpass is closed source in a certain way.

LastPass Password Manager is closed source, though many of the extensions can be run in a non-binary mode where the source is available, but LastPass maintains all rights.

https://en.wikipedia.org/wiki/LastPass_Password_Manager

I've updated the OP with this information. I've also updated the OP of keepass is opensource.


Title: Re: Stay safe.
Post by: takeyourhatoff on April 29, 2013, 08:52:59 PM
I recommend https everywhere by eff. It does exactly what you think it does.


Title: Re: Stay safe.
Post by: J.Jade on April 29, 2013, 09:19:58 PM
Very helpful information.

Thank you for pointing me to these programs!


Title: Re: Stay safe.
Post by: pieomy on April 29, 2013, 09:34:46 PM
Those are some cool programs. Now which one to try? keepass or lastpass?


Title: Re: Stay safe.
Post by: miningdude on April 29, 2013, 10:54:09 PM
Going forward I see multi-factor authentication gaining traction for most online accounts (ie password + code sent via sms to phone, etc). This eliminates the very real threat of keystroke logging malware and other forms of authentication theft which lastpass et al is not immune to. The recent AP Twitter hack made the case for this and Twitter was very quick to add it as an option for authenticating their users. http://www.usatoday.com/story/tech/2013/04/23/ap-twitter-hack-was-trivial/2107427/


Title: Re: Stay safe.
Post by: Dpx008 on April 29, 2013, 11:04:03 PM
Wow, didn't know about these sites. Thanks!


Title: Re: Stay safe.
Post by: elux on April 29, 2013, 11:08:48 PM
Sticky this thread NAO.

http://cdn.memegenerator.net/instances/400x/28242260.jpg

PS: +1


Title: Re: Stay safe.
Post by: Newar on April 30, 2013, 02:56:29 PM
+1 for HTTPS everywhere https://www.eff.org/https-everywhere

Very interesting article on SSL "security": https://www.grc.com/fingerprints.htm


Title: Re: Stay safe.
Post by: nango on April 30, 2013, 03:42:11 PM
Thanks for the Keepass recommendation for the masses.

There is also Keepassx [1] w/ cross-platform support (ex: Linux, OSX) and it works quite nicely w/ minimal memory usage compared to Keepass2 & .Net. I use both in different scenarios - Keepass2 for my main accounts / etc where I typically access via powerful PC and Keepassx when I have to work on a not-so-powerful PC w/ more protected accounts.


1: https://www.keepassx.org


Title: Re: Stay safe.
Post by: cclambie on May 01, 2013, 05:08:30 AM
I have been using LastPass Premium for about 3 years now.
It is a stunning program, keeping my 400-500 passwords neat and secure.
I also love the fact that I can share a password with someone, and then rescind access.

Their latest additional security feature is great too, whenever you login to a site with a poor or duplicate password, they notify you via the browser plugin.
This I find very helpful in reminding me to update passwords on sites I don't access very often, making my life more secure every day.

Thanks for the post, keeps my eyes open to other options


Title: Re: Stay safe.
Post by: nii236 on May 10, 2013, 02:14:37 PM
I love Keepass! I just made the switch for everything into Keepass and it's good not having to repeat passwords between websites!

All this Bitcoin stuff made me a lot more interested in cryptography. But it makes me think... how often do people get their CC and passwords stolen online? It's never happened to me or anyone I know.


Title: Re: Stay safe.
Post by: mehmet on May 10, 2013, 09:02:26 PM
excellent advice


Title: Re: Stay safe.
Post by: rudrigorc3 on May 10, 2013, 09:34:24 PM
great tutorial


Title: Re: Stay safe.
Post by: ZeRo108 on May 10, 2013, 09:49:57 PM
thanks


Title: Re: Stay safe.
Post by: slcbuyer on May 10, 2013, 10:15:39 PM
yes safe is good


Title: Re: Stay safe.
Post by: pekv2 on May 17, 2013, 04:08:05 PM
I suppose I can squish this in the topic. The hosts part. Also, Keep your system updated and stay secure. Tips to avoid viruses trojans (https://bitcointalk.org/index.php?topic=203876.0)

I would recommend Comodo free firewall, which comes with a sandbox and defense+.

Also, I would and no doubt this has saved me from a lot of bad stuff, recommend MVPS hosts file.

You can use this on linux, rooted phones and Windows, and probably other stuff that use hosts file.

http://winhelp2002.mvps.org/hosts.htm

If you get notepad++, you can ctrl-f 127.0.0.1, click replace all with 0.0.0.0 .

Example.
Code:
127.0.0.1  fr.a2dfp.net > 0.0.0.0  fr.a2dfp.net

By doing this, you save a lot of space.

And you leave
Code:
127.0.0.1  localhost
alone.
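
The replace-all step described in the post above, with the `localhost` exception handled automatically, as an added example that is not part of the original post. Only `fr.a2dfp.net` comes from the thread; the other sample entries are constructed, and the function names and the set of names kept on loopback are assumptions of this sketch.

```python
SINK = "0.0.0.0"
LOOPBACK = "127.0.0.1"

# Names that must keep resolving to the loopback address (assumed set;
# extend it if your system's stock hosts file lists others).
KEEP_ON_LOOPBACK = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed sample in the style of a blocklist hosts file.
SAMPLE = """\
# constructed sample, not the real MVPS file
127.0.0.1  localhost
::1  localhost
127.0.0.1  fr.a2dfp.net
127.0.0.1  ads.example.com  # [constructed entry]
127.0.0.1  localhost tracker.example.net
0.0.0.0  already.example.org
"""


def naive_replace(text):
    """What a blind editor 'replace all' does: it also rewrites localhost."""
    return text.replace(LOOPBACK, SINK)


def convert_line(line):
    """Return the replacement line(s) for one hosts line, without line endings."""
    body, marker, comment = line.partition("#")
    fields = body.split()
    if len(fields) < 2 or fields[0] != LOOPBACK:
        return [line]  # blank, comment-only, IPv6 or already converted
    local = [n for n in fields[1:] if n.lower() in KEEP_ON_LOOPBACK]
    blocked = [n for n in fields[1:] if n.lower() not in KEEP_ON_LOOPBACK]
    if not blocked:
        return [line]  # a pure localhost line is left exactly as it was
    tail = "  " + marker + comment if marker else ""
    out = []
    if local:
        # A mixed line is split so localhost stays on 127.0.0.1.
        out.append(LOOPBACK + "  " + " ".join(local))
    out.append(SINK + "  " + " ".join(blocked) + tail)
    return out


def convert_hosts(text):
    """Rewrite blocklist entries to 0.0.0.0; return (new_text, lines_changed)."""
    newline = "\r\n" if "\r\n" in text else "\n"  # keep Windows line endings
    result, changed = [], 0
    for line in text.splitlines():
        converted = convert_line(line)
        if converted != [line]:
            changed += 1
        result.extend(converted)
    new_text = newline.join(result)
    if text.endswith("\n"):
        new_text += newline
    return new_text, changed


def still_on_loopback(text):
    """Audit: blocklist names that still point at 127.0.0.1."""
    names = []
    for line in text.splitlines():
        fields = line.partition("#")[0].split()
        if len(fields) >= 2 and fields[0] == LOOPBACK:
            names += [n for n in fields[1:] if n.lower() not in KEEP_ON_LOOPBACK]
    return names


if __name__ == "__main__":
    converted, count = convert_hosts(SAMPLE)
    print(converted, end="")
    print("lines changed:", count)
    print("left on loopback:", still_on_loopback(converted))
```

Run it against a copy of the hosts file and check `still_on_loopback` on the result before replacing the system file.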


Title: Re: Stay safe.
Post by: pekv2 on May 17, 2013, 04:19:38 PM
OP updated.


Title: Re: Stay safe.
Post by: John122 on May 17, 2013, 04:48:36 PM
Thanks! Really useful post!


Title: Re: Stay safe.
Post by: pietpatat on May 17, 2013, 05:28:16 PM
Thanks for all the good info!


Title: Re: Stay safe.
Post by: pekv2 on May 19, 2013, 10:09:48 PM
I've added

By Tomatocage

[EDU] How to spot a scammer (Read this before doing any transactions!) (https://bitcointalk.org/index.php?topic=137288.0)

Code:
[url=https://bitcointalk.org/index.php?topic=137288.0][EDU] How to spot a scammer (Read this before doing any transactions!)[/url]

to the OP.


Title: Re: Stay safe.
Post by: Tomatocage on May 19, 2013, 10:13:55 PM
I've added

By Tomatocage

[EDU] How to spot a scammer (Read this before doing any transactions!) (https://bitcointalk.org/index.php?topic=137288.0)

Code:
[url=https://bitcointalk.org/index.php?topic=137288.0][EDU] How to spot a scammer (Read this before doing any transactions!)[/url]

to the OP.

Cool, thanks man. Donated :)


Title: Re: Stay safe.
Post by: pekv2 on May 19, 2013, 10:18:16 PM
Cool, thanks man. Donated :)

wow, thank you as well.


Title: Re: Stay safe.
Post by: GhanaGamboy on May 19, 2013, 10:33:02 PM
Thank you for this nice guide. Much more secure than what I'm using now...


Title: Re: Stay safe.
Post by: pumi on May 20, 2013, 08:03:36 AM
Thank you for information.


Title: Re: Stay safe.
Post by: ghibly79 on May 20, 2013, 06:08:30 PM
Good info, thx.


Title: Re: Stay safe.
Post by: pcmc5 on May 20, 2013, 07:08:39 PM
Great info!
Thanks!


Title: Re: Stay safe.
Post by: dj213 on May 20, 2013, 07:43:43 PM
I also wanna thank the people that have already done the most critical work for the system to be working and have the ability to show us the path!


Title: Re: Stay safe.
Post by: mhm83 on May 20, 2013, 07:59:29 PM
wow, thank you for the write up.


Title: Re: Stay safe.
Post by: kodo on May 20, 2013, 09:03:26 PM
Good thread


Title: Re: Stay safe.
Post by: vintosalgos223 on May 20, 2013, 09:31:28 PM
Great information, thanks for posting.


Title: Re: Stay safe.
Post by: sathvikv on May 23, 2013, 09:23:46 AM
thank you for great info


Title: Re: Stay safe.
Post by: Dexter44 on May 23, 2013, 09:27:31 AM
Thankx


Title: Re: Stay safe.
Post by: bitcoinpreneur on May 24, 2013, 01:32:41 PM
Great tips thanks for sharing. I didn't realise LastPass was Google Authenticator enabled, might be time to switch from the 1Password!


Title: Re: Stay safe.
Post by: pekv2 on May 24, 2013, 02:10:02 PM
Great tips thanks for sharing. I didn't realise LastPass was Google Authenticator enabled, might be time to switch from the 1Password!

Not only if I were you, switch to lastpass. 1Password is 30 day trial or pay $49.99. 1Password is also closed source. I wouldn't use it.


Title: Re: Stay safe.
Post by: iram9061 on May 29, 2013, 05:45:15 PM
thanks!


Title: Re: Stay safe.
Post by: fr0st99 on June 01, 2013, 09:28:53 PM
Thanks for the guide !


Title: Re: Stay safe.
Post by: Zuminest on June 03, 2013, 09:57:23 AM
wow! So much info thanks! :) I'll look into Yubi keys


Title: Re: Stay safe.
Post by: coinotran on June 08, 2013, 11:38:30 PM
Great info that everyone should follow in order to stay safe.


Title: Re: Stay safe.
Post by: I am a number on July 05, 2013, 01:24:23 PM
Have used 1password for years now, it's one of the best Apps out there.
closed source .. maybe... but highly trusted by all its users.


Title: Re: Stay safe.
Post by: Mr.Dreamanonym on July 05, 2013, 02:32:46 PM
Thank you very much !  ::)


Title: Re: Stay safe.
Post by: Pastelarts on July 05, 2013, 02:33:41 PM
Yeah great ! nice info


Title: Re: Stay safe.
Post by: naphto on July 05, 2013, 02:34:19 PM
I am safe :(


Title: Re: Stay safe.
Post by: Stickdoxn on July 05, 2013, 02:34:41 PM
I love it !  ;D


Title: Re: Stay safe.
Post by: ParadisehellBTC on July 05, 2013, 02:37:28 PM
Hmmmm ! Thank you ! but i'm safe ! :B


Title: Re: Stay safe.
Post by: canderoi on July 09, 2013, 12:46:54 PM
Thank you. It was very helpful for me.


Title: Re: Stay safe.
Post by: ropegut on July 23, 2013, 01:11:02 AM
thanks for the advice. good read.


Title: Re: Stay safe.
Post by: btcton on July 23, 2013, 04:23:48 AM
Do any of these password managers sync your passwords with other devices?


Title: Re: Stay safe.
Post by: pekv2 on July 23, 2013, 02:03:42 PM
Do any of these password managers sync your passwords with other devices?

I know lastpass syncs, period. If you create a new username and password for some new site on your pc machine, login to lastpass say like on android or touchpad, that newly created username and password for that new site from the pc machine will be there on your android, touch, laptop etc. Basically yes, lastpass does. Or same as if you have three different browsers, whichever one you change/add will sync your other browsers or devices once you login with them. Imo, very handy.


Title: Re: Stay safe.
Post by: Moogy on July 23, 2013, 02:18:02 PM
Saaaafety!!  I experienced a password compromise just recently and thus have had to open new accounts.  Annoying!!! But better than compromising my goodies  ;)

Cheers for an informative post!!


Title: Re: Stay safe.
Post by: ekim_dl on July 30, 2013, 10:57:26 PM
The section concerning
Quote
Block bad stuff with Hosts file by MVPS
is awesome.

I had no idea such a simple yet powerful technique exists!!!

Thanks!


Title: Re: Stay safe.
Post by: pekv2 on July 31, 2013, 01:01:31 PM
The section concerning
Quote
Block bad stuff with Hosts file by MVPS
is awesome.

I had no idea such a simple yet powerful technique exists!!!

Thanks!

It's what I love about PC, it's so versatile, it's yours, nothing like a gaming console and such a like.


Title: Re: Stay safe.
Post by: Newar on August 04, 2013, 09:17:28 AM
Maybe add that Android apps (and I guess iPhone apps too) should not be run on rooted phones, as this opens the door to malware to read sensitive information (at least that's how I understand it).


Title: Re: Stay safe.
Post by: pekv2 on November 15, 2013, 03:58:04 AM
Stay safe. Just a reminder.


Title: Re: Stay safe.
Post by: coreli on November 15, 2013, 05:33:56 AM
Stay safe. Just a reminder.

Your thread should be stickied in the newbies section.


Title: Re: Stay safe.
Post by: marcotheminer on November 15, 2013, 06:20:50 AM
Awesome thread, I'm going through it now and I'm gonna do some of it!
Thanks


Title: Re: Stay safe.
Post by: pekv2 on November 24, 2013, 03:15:12 AM
I've added something to the OP that might save someone much trouble if practiced.

Added to the OP:

Avoid Link-Scammers

Avoid Link-Scammers (https://bitcointalk.org/index.php?topic=336505.msg3692526#msg3692526)


Title: Re: Stay safe.
Post by: nipponese on November 25, 2013, 04:16:31 PM
Is there not a way to require 2-factor Google Authenticator keys for login?


Title: Re: Stay safe.
Post by: reaxion on November 25, 2013, 05:45:19 PM
great advice thanks


Title: Re: Stay safe.
Post by: 420smokz on November 25, 2013, 05:51:46 PM
This is great! Thanks!


Title: Re: Stay safe.
Post by: pekv2 on November 25, 2013, 09:13:08 PM
np, guys.

Is there not a way to require 2-factor Google Authenticator keys for login?

For? I do not fully understand your question.


Title: Re: Stay safe.
Post by: SirBitsalot on December 03, 2013, 04:43:13 AM
Wow GREAT article especially for a new guy! Thanks :)


Title: Re: Stay safe.
Post by: AlliumPorrum on December 06, 2013, 04:32:17 PM
If using Windows, would it be a good idea from a security point of view to handle all wallets by running a virtualized Linux on top of Windows? This way I wouldn't need to start the computer to Linux with CD every time I need to handle wallets, but are there any risks from a security point of view?

They are still on the same computer and using the same memory, but I would think that if the Windows is affected by some malware, it shouldn't be possible to address Linux applications anyhow.


Title: Re: Stay safe.
Post by: cerulean on December 06, 2013, 05:58:55 PM
Interesting. I have tried all before I read this thread though but it's a good one for newbies, especially for those who just can't stay "safe".


Title: Re: Stay safe.
Post by: AlliumPorrum on December 07, 2013, 09:16:18 AM
By "not staying safe", are you referring to using Windows over all..?   ???

My wife uses this PC also, so unfortunately there really isn't any option for Windows.

Thinking more about this Linux virtualization; theoretically if there were some key tracking malware on Windows, it could read all keys pressed when using the Linux wallet. But I'm not sure if this could cause any problems or not?

How about the wallet file; is it safe when using virtualized Linux? Where exactly would it be stored, and could it be possible that some Windows malware could access it?


Title: Re: Stay safe.
Post by: pekv2 on December 24, 2013, 06:00:41 PM
Block bad stuff with Hosts file by MVPS < Has been edited.

MVPS is now supplying their hosts file with 0.0.0.0 rather than 127.0.0.1.

Good move on mvps's part. Saves them space as well.

Edit:
I suppose if you want to be hardcore secure, linux is the route. No windows>linux virtual stuff. No windows period.


Title: Re: Stay safe.
Post by: Taint on January 02, 2014, 08:41:28 PM
This is a good safety guide, I'd like to throw in a vote for Password Safe.

I'd also like to suggest you check out TrueCrypt, an Open Source solution for encrypted file storage. It's portable and works under Linux, Windows and Mac.

Finally, I have to wish more sites were willing to use Google's OTP 'Authenticator'. It's one of the reasons I like Slush's pool.

-Edited for spelling


Title: Re: Stay safe.
Post by: stbot on January 04, 2014, 09:17:41 PM
Keepass has addons which allow sftp of the database file to a selected server. This is a good option to back up your password database.

http://keepass.info/plugins.html#ioprotocolext for sftp addon KeePass 2.x


Title: Re: Stay safe.
Post by: xbtitman on January 10, 2014, 04:12:05 AM
Great site.  Thanks for the info.

Do you recommend getting the Xmarks bundle package with LastPass premium?

Cheers,
James


Title: UPDATE: Re: Stay safe.
Post by: pekv2 on February 23, 2014, 05:04:29 AM
Edited and added

Quote
Additional Notes:
With the latest LastPass, 3.1.0 as of the moment, and if you have a strong computer system, you may up the PW iterations. Raise in increments of 100 or 1000. Anything high might be bad for mobile devices or slow computers. I set mine at 200000. Not recommended if you do not know what you're doing.
https://helpdesk.lastpass.com/security-options/password-iterations-pbkdf2/

Quote
Block unencrypted content on encrypted sites with Firefox or a browser equivalent to Firefox.

With the latest Firefox ESR or latest release of firefox, you may block mixed content at about:config. I don't know about earlier versions of FF.

Code:
security.mixed_content.block_display_content : true
security.mixed_content.block_active_content : true

Also two addons add two buttons to easily disable or enable these settings.
https://addons.mozilla.org/en-US/firefox/addon/toggle-mixed-active-content/
https://addons.mozilla.org/en-US/firefox/addon/toggle-mixed-display-content/


Quote
An option to up your Google account security.

The security question for google, allows you to change it to a custom question.
I took with my lastpass addon and generated a character password with Show advance options ticked, everything ticked to make your password the strongest. Copy generated password, paste as security question.

Go back to generate a new password and generate a new password with highest strength possible, copy and paste for the answer.
Save/update google settings.

Open a secure note for lastpass and keep these two generated passwords stored under its title question/answer, which is protected by your master password for lastpass.

It's just a blockade against a security question attack on your google account or any other account that has this security question feature.
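
On the PBKDF2 iteration setting discussed in the post above, an added example (not part of the original post and not LastPass code) that writes out the PBKDF2-HMAC-SHA256 loop and measures what a given iteration count costs per guess on the local machine. The sample password, salt and the helper names are constructed for illustration; 200000 is the figure quoted in the post.

```python
import hashlib
import hmac
import time

SAMPLE_PASSWORD = b"correct horse battery staple"   # constructed sample
SAMPLE_SALT = b"user@example.com"                   # constructed sample salt


def pbkdf2_sha256_manual(password: bytes, salt: bytes, iterations: int) -> bytes:
    """One 32-byte PBKDF2-HMAC-SHA256 block, written out so the loop is visible."""
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    # U1 = HMAC(password, salt || INT(1)); every later U is HMAC(password, previous U).
    u = hmac.new(password, salt + (1).to_bytes(4, "big"), hashlib.sha256).digest()
    acc = int.from_bytes(u, "big")
    for _ in range(iterations - 1):
        u = hmac.new(password, u, hashlib.sha256).digest()
        acc ^= int.from_bytes(u, "big")   # the derived key is the XOR of every U
    return acc.to_bytes(32, "big")


def seconds_per_guess(iterations: int, repeats: int = 3) -> float:
    """Best-of-N wall time for one derivation, using hashlib's native implementation."""
    best = float("inf")
    for _ in range(repeats):
        start = time.perf_counter()
        hashlib.pbkdf2_hmac("sha256", SAMPLE_PASSWORD, SAMPLE_SALT, iterations)
        best = min(best, time.perf_counter() - start)
    return best


def iterations_for_budget(target_seconds: float, step: int = 1000,
                          probe: int = 20000) -> int:
    """Largest multiple of `step` whose derivation fits the time budget on this machine."""
    per_iteration = seconds_per_guess(probe) / probe
    fitted = int(target_seconds / per_iteration)
    return max(step, (fitted // step) * step)


if __name__ == "__main__":
    # Every password guess costs the attacker the same loop the legitimate unlock pays.
    for count in (1000, 20000, 200000):
        cost = seconds_per_guess(count)
        print(f"{count:>7} iterations: {cost * 1000:8.1f} ms per guess, "
              f"{1 / cost:10.1f} guesses/s per core")
    print("fits a 0.25 s unlock budget here:", iterations_for_budget(0.25))
```

Run it on the slowest device that has to unlock the vault; that device sets the practical ceiling for the iteration count.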


Title: Re: Stay safe.
Post by: bitGun on February 23, 2014, 12:21:20 PM
great information, thanks!
about the software, what about PASSWORD SAFE?
it's open source and it's  free!


Title: Re: Stay safe.
Post by: apsvinet on February 23, 2014, 04:24:20 PM
Me gusta this thread.
Thanks for the advice op, bookmarked this thread.


Title: Re: Stay safe.
Post by: khalilhimura on March 09, 2014, 05:40:02 PM
Thanks OP for the great info. Was looking for tips on security. PGP was on my to do list :)


Title: Re: Stay safe.
Post by: LuckyBtc on March 09, 2014, 05:45:49 PM
Thanks for sharing this useful info :)


Title: Re: Stay safe.
Post by: pekv2 on April 12, 2014, 09:42:21 AM
Heartbleed bug. List of sites reported that were affected.

http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/

Lastpass was the last on the list. Fixed and patched.



Title: Re: Stay safe.
Post by: Equate on April 12, 2014, 09:43:12 AM
Great thread, thanks for valuable info.


Title: Re: Stay safe.
Post by: sanjoea on April 12, 2014, 10:11:26 AM
Useful information for all


Title: Re: Stay safe.
Post by: escrow.ms on April 12, 2014, 06:15:39 PM
This thread should be stickied.


Title: Re: Stay safe.
Post by: pekv2 on April 12, 2014, 06:52:51 PM
This thread should be stickied.

It once was, then trolls got to me, I took everything in the thread out [I'm too fast of a thinker and what I did was wrong, so I very much doubt it will be stickied again.] it got unstickied so now it is located through https://bitcointalk.org/index.php?topic=177133.0

I feel I broke the freedom of speech when I removed the thread and betrayed us all by doing it :/, It's something I learned from.


Title: Re: Stay safe.
Post by: pekv2 on April 14, 2014, 09:03:16 PM
Check out your sites.

https://lastpass.com/heartbleed/

Neat little web program.


Title: Re: Stay safe.
Post by: counter on April 14, 2014, 09:37:48 PM
Always concerned for my security especially with all the news coming out these days.. thanks a lot for sharing the information with the rest of us.


Title: Re: Stay safe.
Post by: apsvinet on April 15, 2014, 04:23:33 PM
Why can't they just sticky this again? Shouldn't be hard, and would be really appreciated.


Title: Re: Stay safe.
Post by: Simon8x on April 15, 2014, 04:40:20 PM
Why can't they just sticky this again? Shouldn't be hard, and would be really appreciated.

This.

At the very least, a link to this thread could be placed somewhere in the newbie readme.


Title: Re: Stay safe.
Post by: apsvinet on April 15, 2014, 04:57:13 PM
Why can't they just sticky this again? Shouldn't be hard, and would be really appreciated.

This.

At the very least, a link to this thread could be placed somewhere in the newbie readme.
That could work too, however it's not only for newbies, so rather a sticky where -everyone- can see it.


Title: Re: Stay safe.
Post by: pekv2 on April 15, 2014, 05:22:36 PM
It's a matter of against theymos's advice to be stickied and a trust thing against me I am guessing.

Edit:
I also try to bump it here n there.


Title: Re: Stay safe.
Post by: apsvinet on April 15, 2014, 09:43:02 PM
It's a matter of against theymos's advice to be stickied and a trust thing against me I am guessing.

Edit:
I also try to bump it here n there.
That's good. And I suppose you're right, might be odd if he stickied it.


Title: Re: Stay safe.
Post by: pekv2 on April 18, 2014, 06:41:23 PM
Maybe add that Android apps (and I guess iPhone apps too) should not be run on rooted phones, as this opens the door for malware to read sensitive information (at least that's how I understand it).

I never knew this.

Care to explain? Only if you can. In detail why and how it is very bad. I'll add it.

I was running a rooted android but nothing to real connected to sensitive data, separated email account, used it as a 2ndary pc for when I had problems or doing technical work with pc off, I need a laptop.


Title: Re: Stay safe.
Post by: pekv2 on April 18, 2014, 06:57:13 PM
great information, thanks!
about the software, what about PASSWORD SAFE?
it's open source and it's  free!

It's in the OP. Added it a while back, a long time ago.


Title: Re: Stay safe.
Post by: pekv2 on April 18, 2014, 08:27:30 PM
I am retiring from this thread. I will be giving permission to escrow.ms for the new OP.

Thank you all for your generous help.

https://bitcointalk.org/index.php?topic=576036.msg6285515#msg6285515


Title: Re: Stay safe.
Post by: apsvinet on April 19, 2014, 12:03:22 AM
I am retiring from this thread. I will be giving permission to escrow.ms for the new OP.

Thank you all for your generous help.

https://bitcointalk.org/index.php?topic=576036.msg6285515#msg6285515
Thanks for everything you've done here, it's been really useful information spread and I'm sure lots of people have benefited from it.

Thanks again! :)


Title: Re: Stay safe.
Post by: jodybay on April 19, 2014, 02:40:11 AM
This is very good information and very helpful, especially to those people who are new to bitcoin. This will help them to be safe. Keep it up escrow ms


Title: Re: Stay safe.
Post by: escrow.ms on April 19, 2014, 05:12:13 PM
This is very good information and very helpful, especially to those people who are new to bitcoin. This will help them to be safe. Keep it up escrow ms

It's actually pekv2's thread. He transferred this thread to me yesterday. I'll update it with more info soon.


Title: Re: Stay safe.
Post by: escrow.ms on April 20, 2014, 09:35:44 PM
I have added a new thread about IPO investments. I hope new users will read it, before investing their hard earned money.

https://bitcointalk.org/index.php?topic=577790.0;topicseen


Title: Re: Stay safe.
Post by: Orthy on April 22, 2014, 02:26:03 AM
I've been using lastpass for quite some time now and it gives me peace of mind knowing my passwords are always safe and secured.

It's great to have this thread up. Thanks.


Title: Re: Stay safe.
Post by: pekv2 on April 22, 2014, 02:49:35 AM
I have added a new thread about IPO investments. I hope new users will read it, before investing their hard earned money.

https://bitcointalk.org/index.php?topic=577790.0;topicseen

Nice.

I've been using lastpass for quite some time now and it gives me peace of mind knowing my passwords are always safe and secured.

It's great to have this thread up. Thanks.

It is. Also, for everyone to know, they may export their lastpass as a lastpass csv file and then import it to keepass2 as Lastpass CSV by signing into lastpass, left click the lastpass addon icon, Tools/Advance Tools/Export to/Lastpass CSV, save wherever.

Open keepass2, make a new database, create a strong PW for the new keepass2 database.

On the Menu bar of keepass2, click File/Import/ scroll down to /Lastpass CSV. Highlight it. Click the folder icon that appears that says "File to be imported". Navigate to your exported Lastpass CSV file, click ok.

The reason for this new plugin is it handles PW's, secure notes, etc. etc. etc. just like how lastpass handles everything, which is very very awesome.

The two mix very nicely now.


Title: Re: Stay safe.
Post by: Orthy on April 22, 2014, 03:51:29 AM
I have added a new thread about IPO investments. I hope new users will read it, before investing their hard earned money.

https://bitcointalk.org/index.php?topic=577790.0;topicseen

Nice.

I've been using lastpass for quite some time now and it gives me peace of mind knowing my passwords are always safe and secured.

It's great to have this thread up. Thanks.

It is. Also, for everyone to know, they may export their lastpass as a lastpass csv file and then import it to keepass2 as Lastpass CSV by signing into lastpass, left click the lastpass addon icon, Tools/Advance Tools/Export to/Lastpass CSV, save wherever.

Open keepass2, make a new database, create a strong PW for the new keepass2 database.

On the Menu bar of keepass2, click File/Import/ scroll down to /Lastpass CSV. Highlight it. Click the folder icon that appears that says "File to be imported". Navigate to your exported Lastpass CSV file, click ok.

The reason for this new plugin is it handles PW's, secure notes, etc. etc. etc. just like how lastpass handles everything, which is very very awesome.

The two mix very nicely now.

Nice, thank you.

Didn't know I can import my lastpass passwords and notes to keepass2. It's really awesome.

I can have a secured backup of my passwords and notes in keepass2 now. +1



Title: Re: Stay safe.
Post by: Newar on April 22, 2014, 06:26:42 AM
Maybe add that Android apps (and I guess iPhone apps too) should not be run on rooted phones, as this opens the door for malware to read sensitive information (at least that's how I understand it).

I never knew this.

Care to explain? Only if you can. In detail why and how it is very bad. I'll add it.

I was running a rooted android but nothing to real connected to sensitive data, separated email account, used it as a 2ndary pc for when I had problems or doing technical work with pc off, I need a laptop.

The one I remember off the top of my head is an early version of the blockchain.info app where users lost funds running the app on rooted phones. Blockchaininfo kept the password in a plaintext file that would not have been accessible on a sandboxed phone. Since it was rooted that info was accessible to the malware. A combination of things for sure, but if your phone was not rooted, the malware could not have gotten to it.

A second example would be your Google Authenticator keys, which can be relatively easily read out from a rooted phone (I did this myself when I had to switch phones). Not so from a sandboxed one.


Title: Re: Stay safe.
Post by: pekv2 on April 22, 2014, 10:13:19 AM
The one I remember off the top of my head is an early version of the blockchain.info app where users lost funds running the app on rooted phones. Blockchaininfo kept the password in a plaintext file that would not have been accessible on a sandboxed phone. Since it was rooted that info was accessible to the malware. A combination of things for sure, but if your phone was not rooted, the malware could not have gotten to it.

A second example would be your Google Authenticator keys, which can be relatively easily read out from a rooted phone (I did this myself when I had to switch phones). Not so from a sandboxed one.

Holy Moly. Not good.


Title: Re: Stay safe.
Post by: escrow.ms on April 22, 2014, 10:40:03 AM
Thanks Newar, I have Added it in android security

Quote
Android Security

TIP #1 Don't store bitcoins on a rooted cellphone.
Rooting your device increases the security exposure to malicious applications and potential application flaws, thus any malware can steal your wallet/keys stored in a protected directory.
Malware on a rooted phone can also access other applications like Google Authenticator and read/write phone logs, SMS etc., which are needed for the verification process in many websites/apps.

TIP #2 – Don’t install apps from untrusted third-party app stores.
TIP #3 – Use an anti-virus app for an extra layer of protection.


Title: Re: Stay safe.
Post by: Newar on April 22, 2014, 12:01:43 PM
Some more stay safe ideas: 

http://crunchbang.org/forums/viewtopic.php?id=24722


Title: Re: Stay safe.
Post by: escrow.ms on April 22, 2014, 02:03:03 PM
Some more stay safe ideas:  

http://crunchbang.org/forums/viewtopic.php?id=24722

Thanks, it's really good. I am also making the same kind of detailed guide.

Ps: APK scanner links added.

Quote
APK scanners:
http://apkscan.nviso.be/
http://mobilesandbox.org/
http://virustotal.com/
http://scan.netqin.com/en/
https://anubis.iseclab.org/


Title: Re: Stay safe.
Post by: pekv2 on April 22, 2014, 02:07:49 PM
I am very happy I have resigned. Thread is already improving. Great work.


Title: Re: Stay safe.
Post by: escrow.ms on April 22, 2014, 02:23:15 PM
I am very happy I have resigned. Thread is already improving. Great work.
Thanks :)

Just added a link of GPG guide by GoldenWings91

Proper way to Create & verify GPG Signature using Kleopatra on Windows (https://bitcointalk.org/index.php?topic=297434.msg3202050#msg3202050)


Title: Re: Stay safe.
Post by: escrow.ms on April 24, 2014, 10:49:02 PM
Bump.


Title: Re: Stay safe.
Post by: cookiemonsterwhat on April 24, 2014, 11:51:31 PM
I read up to the password part of Lastpass and freeware.

I'll continue to read from where I left off for your safety tips.

Bookmarked, and thank you  :)

Can you also link your escrow stuff?

Edit: Never mind, just overlooked the small words "escrow" in your signature lol.


Title: Re: Stay safe.
Post by: PerrythePlatypus on April 26, 2014, 07:15:01 AM
I like Lastpass's password generator. Nice tutorial though.  :D


Title: Re: Stay safe.
Post by: pekv2 on April 26, 2014, 10:07:00 AM
If this is true, watch out for malicious browser addons.

https://bitcointalk.org/index.php?topic=584963.msg6400146#msg6400146

Don't use online wallet storage and divide your btc up into multiple dif wallets if you have a lot.


Title: Re: Stay safe.
Post by: pekv2 on May 07, 2014, 02:35:36 AM
Bump for the community.


Title: Re: Stay safe.
Post by: Vitsila on May 07, 2014, 03:21:13 AM
Paper wallets aren't the safest way?


Title: Re: Stay safe.
Post by: Chemistry1988 on May 07, 2014, 08:17:45 PM
Paper wallets aren't the safest way?

IMO, a paper wallet is one of the safest ways to keep your bitcoin as long as you set it up correctly.  :)


Title: Re: Stay safe.
Post by: Vitsila on May 07, 2014, 08:46:39 PM
Paper wallets aren't the safest way?

IMO, a paper wallet is one of the safest ways to keep your bitcoin as long as you set it up correctly.  :)

Thanks, I am going to search for instructions for set up in the forum.


Title: Re: Stay safe.
Post by: escrow.ms on May 07, 2014, 10:15:42 PM
Paper wallets aren't the safest way?

IMO, a paper wallet is one of the safest ways to keep your bitcoin as long as you set it up correctly.  :)

Thanks, I am going to search for instructions for set up in the forum.

http://www.coindesk.com/information/paper-wallet-tutorial/


Title: Re: Stay safe.
Post by: Vitsila on May 07, 2014, 11:02:38 PM
http://www.coindesk.com/information/paper-wallet-tutorial/
Thank you.  :)


Title: Re: Stay safe.
Post by: Sonny on May 08, 2014, 04:48:05 AM
http://www.coindesk.com/information/paper-wallet-tutorial/
Thank you.  :)


The coindesk article is good, but you should read the "Security Concerns" section (especially the part of creating your private keys offline) before following the 10 steps :)


Title: Re: Stay safe.
Post by: Newar on May 08, 2014, 06:03:25 AM
See also: http://localbitcoins.blogspot.com/2012/11/start-your-own-money-press.html?m=1


Mycelium works great to spend from paper wallets.


Title: Re: Stay safe.
Post by: Newar on May 20, 2014, 03:28:21 AM
Don't think this was posted before. A good tool to check for your password strength (includes English dictionary and patterns):

https://dl.dropboxusercontent.com/u/209/zxcvbn/test/index.html


Title: Re: Stay safe.
Post by: escrow.ms on May 20, 2014, 04:02:05 AM
Thanks Newar both links are really useful.


Title: Re: Stay safe.
Post by: worth5868 on May 20, 2014, 07:26:10 AM
Thanks author very informative, big thumbs up.


Title: Re: Stay safe.
Post by: carb0nf1b3r on May 24, 2014, 01:39:15 AM
Thank you for taking the time to post this


Title: Re: Stay safe.
Post by: Muhammed Zakir on August 04, 2014, 02:53:58 PM
Don't think this was posted before. A good tool to check for your password strength (includes English dictionary and patterns):

https://dl.dropboxusercontent.com/u/209/zxcvbn/test/index.html

Thanks for the link. It really is useful.
Password: You can make a harder pass with some sentences too. E.g.: My Name Is Zakir. Take the first letters of all the words, i.e., MNIZ. Try to use some signs instead of letters, i.e., /\/\|\||$z . Try not to use any phrases or words. Use random letters - both uppercase and lowercase, signs and numbers. You can use Bitgo for checking password strength too by clicking sign up and entering the password, but it is better to use the link given by Newar as it gives more details. Don't ever store your password in any digital things; store it in a book and try not to give any headings or something like that, which can lead a person to think it is a pass. Try to write it as you write other contents in it, in a usual way.

Kindly,
      MZ


Title: Re: Stay safe.
Post by: Newar on August 09, 2014, 10:36:34 AM
/\/\|\||$z

IMO, the main factor is length. Once you got at least one of each (of course more symbols are better), length becomes most important since the attacker can not know the length. He has to start from low character count passwords and work his way up. (And I feel zxcvbn doesn't take that into account enough.)

https://www.grc.com/haystack.htm
Quote
But wouldn't something like “D0g” be in a dictionary, even with the 'o' being a zero?

Sure, it might be. But that doesn't matter, because the attacker is totally blind to the way your passwords look. The old expression “Close only counts in horseshoes and hand grenades” applies here. The only thing an attacker can know is whether a password guess was an exact match . . . or not. The attacker doesn't know how long the password is, nor anything about what it might look like. So after exhausting all of the standard password cracking lists, databases and dictionaries, the attacker has no option other than to either give up and move on to someone else, or start guessing every possible password.
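
The length argument in the post above, worked through as an added example (not part of the original posts and not GRC's code): it counts the guesses a blind exhaustive search must cover, by character classes used and length. It models only that search, not dictionary or pattern attacks; "D0g" and "/\/\|\||$z" are taken from the thread, the other two passwords are constructed samples.

```python
import math
import string

# Printable-ASCII character classes and their sizes (26 + 26 + 10 + 33 = 95).
CHAR_CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation + " ",
}


def alphabet_size(password: str) -> int:
    """Size of the alphabet an attacker must assume, given the classes in use.

    Characters outside printable ASCII are ignored by this simple model.
    """
    return sum(
        len(chars)
        for chars in CHAR_CLASSES.values()
        if any(c in chars for c in password)
    )


def search_space(password: str) -> int:
    """Candidates to try when working up from length 1 to this password's length."""
    size = alphabet_size(password)
    return sum(size ** length for length in range(1, len(password) + 1))


def search_bits(password: str) -> float:
    """The same count expressed in bits; 0.0 for an empty or unmodelled password."""
    space = search_space(password)
    return math.log2(space) if space > 0 else 0.0


SAMPLES = [
    "D0g",             # from the quoted text: 3 characters, 3 classes
    r"/\/\|\||$z",     # from the thread: 10 characters, symbols + lowercase
    "aB3$efgh1j",      # constructed: 10 characters, all 4 classes
    "aB3xefgh1jkl",    # constructed: 12 characters, no symbols
]

if __name__ == "__main__":
    for pw in SAMPLES:
        print(f"{pw!r:>16}  len={len(pw):>2}  alphabet={alphabet_size(pw):>2}  "
              f"space={search_space(pw):.3e}  bits={search_bits(pw):5.1f}")
```

The last two rows show that two extra characters without any symbols give a larger search space than adding the whole symbol class at the shorter length.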


Title: Re: Stay safe.
Post by: jeroenn13 on August 09, 2014, 04:21:41 PM
Great topic!
Thank you