Bitcoin Forum

Economy => Service Discussion => Topic started by: jubalix on April 17, 2013, 01:35:47 PM



Title: how much BTC would you trust in a blockchain.wallet, how long should password be??
Post by: jubalix on April 17, 2013, 01:35:47 PM
how much BTC would you trust in a blockchain.wallet, how should password be??

note assumes you have got all your private keys backed up and encrypted everywhere

me, unsure at this stage (hence the thread) but it seems with say a 20 plus letter password it should be ok????

EDIT what happens if you use 2 factor and then lose your phone?

EDIT 2: I guess the issue is, if someone got access to the server and relevant web sites, they could inject a JavaScript that just collects your password as you enter it, and javascript checker would be no good either as they would change that on the check site as well....as the BTC goes up, the impetus to do this somehow goes up too...even if you had distributed javascript to be checked against, but even then a dodgy one could be distributed......

at least this is my understanding of how the javascript check works and its limitations.


Title: Re: how much BTC would you trust in a blockchain.wallet, how long should password be??
Post by: siggy on April 17, 2013, 03:16:28 PM
how much BTC would you trust in a blockchain.wallet, how should password be??

note assumes you have got all your private keys backed up and encrypted everywhere

me, unsure at this stage (hence the thread) but it seems with say a 20 plus letter password it should be ok????


About as much as I'd want to spend that day before getting home and topping it off from my personal wallet.

Sigg


Title: Re: how much BTC would you trust in a blockchain.wallet, how long should password be??
Post by: justusranvier on April 17, 2013, 03:24:49 PM
Trust it with as much value as you'd feel comfortable carrying around as physical cash in your wallet on a daily basis.

Password should be at least 30 random characters and generated by a password generator, which itself is protected by a high-entropy passphrase.


Title: Re: how much BTC would you trust in a blockchain.wallet, how long should password be??
Post by: whiskers75 on April 17, 2013, 03:39:26 PM
Well, mine was hacked, losing 1 bitcoin. USE TWO FACTOR AUTHENTICATION!


Title: Re: how much BTC would you trust in a blockchain.wallet, how long should password be??
Post by: grue on April 17, 2013, 03:45:24 PM
I'll trust it for up to $50 worth of bitcoins, but I will never store any money on it. What's the point of that when you can run a lite/thin client on your desktop?

Trust it with as much value as you'd feel comfortable carrying around as physical cash in your wallet on a daily basis.

Password should be at least 30 random characters and generated by a password generator, which itself is protected by a high-entropy passphrase.
30 characters is extreme, unless you're trying to store thousands of dollars' worth of bitcoins.


Title: Re: how much BTC would you trust in a blockchain.wallet, how long should password be??
Post by: Lethn on April 17, 2013, 03:47:28 PM
10 Bitcoins at most for me, then the loss wouldn't hurt so bad but honestly I don't trust the safety of anything that's on the internet, it's always safest offline.


Title: Re: how much BTC would you trust in a blockchain.wallet, how long should password be??
Post by: btctrack on April 17, 2013, 03:55:23 PM
regarding password length

http://imgs.xkcd.com/comics/password_strength.png


http://xkcd.com/936/



Title: Re: how much BTC would you trust in a blockchain.wallet, how long should password be??
Post by: ivanol on April 17, 2013, 09:42:11 PM
Best to think up your own four word passphrase though.

correct horse battery staple
5KJvsngHeMpm884wtkJNzQGaCErckhHJBGFsvd3VyK5qMZXj3hS
https://blockchain.info/address/1JwSSubhmg6iPtRjtyqhUYYH7bZg3Lfy1T


Title: Re: how much BTC would you trust in a blockchain.wallet, how long should password be??
Post by: Frozenlock on April 17, 2013, 09:47:23 PM
I would like an 'expert' opinion on this.

In 2011 it was really silly to use the webwallets.
However, because blockchain.info (and others) never touches your private keys, is it still as much a risk as many here pretend?
(Provided you use a secure password, of course.)


Title: Re: how much BTC would you trust in a blockchain.wallet, how long should password be??
Post by: ivanol on April 17, 2013, 09:57:41 PM
In 2011 it was really silly to use the webwallets.
However, because blockchain.info (and others) never touches your private keys, is it still as much a risk as many here pretend?
(Provided you use a secure password, of course.)

How do you know they don't touch your private keys? They say they don't, but unless you read the javascript source code every time you access their website, you are taking that on trust. If their website is hacked, the hacker could edit the javascript to leak your private keys/password back to them and steal your bitcoins.

This is a much lower risk than an old style web wallet that stores your private keys. In the blockchain.info case you would only be at risk if you tried to access your webwallet in the window between the site being hacked and someone noticing and taking it offline.
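
The JavaScript check that jubalix's EDIT 2 and the post above describe, as an added example that is not part of any post and is not blockchain.info's code: served scripts are hashed and compared against pinned digests, once with a manifest kept off the site and once with a manifest fetched from the same server. The file names and script bodies are constructed placeholders.

```python
import hashlib

def sha256_hex(body: bytes) -> str:
    return hashlib.sha256(body).hexdigest()

def build_manifest(scripts: dict) -> dict:
    """Pin one digest per script path for a release someone has reviewed."""
    return {path: sha256_hex(body) for path, body in scripts.items()}

def audit(served: dict, pinned: dict) -> dict:
    """Compare what the site serves now against the pinned digests."""
    report = {"modified": [], "unexpected": [], "missing": []}
    for path in sorted(served):
        if path not in pinned:
            report["unexpected"].append(path)   # script nobody reviewed
        elif sha256_hex(served[path]) != pinned[path]:
            report["modified"].append(path)     # reviewed path, new contents
    report["missing"] = sorted(p for p in pinned if p not in served)
    return report

def is_clean(report: dict) -> bool:
    return not any(report.values())

# Constructed sample data: file names and bodies are placeholders.
REVIEWED = {
    "wallet.js": b"/* reviewed wallet logic, build A */",
    "crypto.js": b"/* reviewed crypto library, build A */",
}
SERVED_AFTER_CHANGE = {
    "wallet.js": b"/* wallet logic changed on the server */",
    "crypto.js": b"/* reviewed crypto library, build A */",
    "extra.js": b"/* script that was not in the reviewed build */",
}

# Manifest kept off the site (bundled with a checker installed earlier).
OUT_OF_BAND = build_manifest(REVIEWED)
# Manifest fetched from the same server: whoever changed the scripts can
# regenerate it, so it matches the changed files.
SAME_ORIGIN = build_manifest(SERVED_AFTER_CHANGE)

if __name__ == "__main__":
    print("out-of-band:", audit(SERVED_AFTER_CHANGE, OUT_OF_BAND))
    print("same-origin:", audit(SERVED_AFTER_CHANGE, SAME_ORIGIN))
```

The out-of-band manifest flags the changed and unreviewed scripts; the same-origin manifest reports nothing, which is the limitation the thread points out.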


Title: Re: how much BTC would you trust in a blockchain.wallet, how long should password be??
Post by: glub0x on April 17, 2013, 09:59:46 PM
regarding password length

http://imgs.xkcd.com/comics/password_strength.png


http://xkcd.com/936/


IT still has a LOOOOOOOONG way to go ...


Title: Re: how much BTC would you trust in a blockchain.wallet, how long should password be??
Post by: acoindr on April 17, 2013, 10:05:06 PM
In 2011 it was really silly to use the webwallets.
However, because blockchain.info (and others) never touches your private keys, is it still as much a risk as many here pretend?
(Provided you use a secure password, of course.)

How do you know they don't touch your private keys? They say they don't, but unless you read the javascript source code every time you access their website, you are taking that on trust. If their website is hacked, the hacker could edit the javascript to leak your private keys/password back to them and steal your bitcoins.

This is a much lower risk than an old style web wallet that stores your private keys. In the blockchain.info case you would only be at risk if you tried to access your webwallet in the window between the site being hacked and someone noticing and taking it offline.

This is correct.

Unless you are reading the code/information exchanged between your computer and blockchain.info (or elsewhere) EVERY TIME you connect and exchange information then you can't be sure things are happening as you imagine and hope they are.

For ANY online Bitcoin service I advise only storing as much there longer term as you are willing to lose completely if something unforeseen (like hacking/dishonesty/mistakes etc.) happens.


Title: Re: how much BTC would you trust in a blockchain.wallet, how long should password be??
Post by: franky1 on April 17, 2013, 10:16:31 PM
using any remote service for storage that is not owned by you is risky.

no matter how much security a bank vault has, there have been hundreds of years of examples of bank thefts involving gaining entry to a vault.

no matter how much security a bank has on its computer systems there are decades of examples of hacking banking institutions.

the only reason to still trust banks is that your money is insured.

with bitcoin it is not insured.

so don't let third parties hold all your funds, no matter how much security they promise they have.

remember if the only copy of the private key is on your hard drive or a piece of paper in your possession then the coins only belong to you.

if a third party service has it, secured or not, there is always a risk.

so only risk what you're willing to use/lose.


Title: Re: how much BTC would you trust in a blockchain.wallet, how long should password be??
Post by: Dacm4n on April 17, 2013, 10:25:23 PM
how much BTC would you trust in a blockchain.wallet, how should password be??

note assumes you have got all your private keys backed up and encrypted everywhere

me, unsure at this stage (hence the thread) but it seems with say a 20 plus letter password it should be ok????

I have all my bitcoins there in watch mode with a strong long password. I use paper addresses and I import the keys when I want to use the coins. Those coins might sit there a couple of days and I have no problems with that but long term I wouldn't let any coins sit there in case the site goes down and you can't access the website or something similar.


Title: Re: how much BTC would you trust in a blockchain.wallet, how long should password be??
Post by: Frozenlock on April 17, 2013, 10:27:42 PM
Sure, local wallets will always be more secure when done correctly.

What I'm wondering about is the risk importance.


Title: Re: how much BTC would you trust in a blockchain.wallet, how long should password be??
Post by: acoindr on April 17, 2013, 10:47:16 PM
Sure, local wallets will always be more secure when done correctly.

What I'm wondering about is the risk importance.

How important are your funds to you? If you lose whatever amount you have on an online service I daresay you would feel it's important. The only way to minimize that loss/importance is to minimize what can be lost that way.

Now if you're asking about likelihoods sure that can be a consideration. Is it likely Blockchain.info will be effectively hacked or that piuk, the site's creator, is dishonest and/or unreasonably incompetent on security matters? Given its history I'd say no that's not likely. That still doesn't mean I'm willing to trust 100% of my coins there. I'd put there as much as might be used for typical transactions, for example.

EDIT: now that I think about it where is Blockchain.info hosted? If it's not hosted under only piuk's administration (i.e. with a hosting provider) then anyone with access can compromise the site and steal coins with clever code.



Title: Re: how much BTC would you trust in a blockchain.wallet, how long should password be??
Post by: blockbet.net on April 17, 2013, 10:57:49 PM
I have 100% trust towards blockchain.info, but still, I would only store as little as necessary, for as short a time as necessary.

It's all subjective though, what one person might consider his life savings might be small money to somebody else. But frankly I can't see any reason why you'd put your bitcoins there unless you plan on spending it soon. If you have thousands of dollars worth of bitcoins, then in my opinion, it's a good idea to spend some time to study how local wallets work and how they can be kept safe.

Well, mine was hacked, losing 1 bitcoin. USE TWO FACTOR AUTHENTICATION!

Can you tell us what happened? Did you have an easy password, a trojan on your computer, or how did that happen?


Title: Re: how much BTC would you trust in a blockchain.wallet, how long should password be??
Post by: Logik on April 17, 2013, 11:40:30 PM
Your password doesn't matter, the only thing that matters is password uniqueness. You shouldn't rely on your password to keep your account safe. You should rely on 2-factor authentication to keep your account safe; you should assume your password will be keylogged or stolen - if that's the case then the only risk (because you have 2-factor) is that your password will be tried by the crackers on other services to see if you re-used it. But, if you didn't re-use it then you're fine.

You know what I do with my Blockchain wallet? I have a 30 character password that I keep in a Google Doc, and I copy/paste it into Blockchain but I have Google Authenticator / 2FA on both the Google account that holds the password doc, and Blockchain.

This might seem insecure, but seriously, nobody has their password stolen because they wrote it down somewhere. People get hacked because they re-use passwords and because they don't 2FA. 2FA is never going to get hacked. Just don't lose your phone. :)

Unique passwords, even if you have to track them all in a document, or in KeePass/LastPass etc., are far more secure than using the same passphrase everywhere.

The other mistake people make is not securing their email address. If your email is compromised then it can be used for password reset.

Passwords = just for fun. 2FA = keep out crackers


Title: Re: how much BTC would you trust in a blockchain.wallet, how long should password be??
Post by: bg002h on April 18, 2013, 12:36:26 AM
regarding password length

http://imgs.xkcd.com/comics/password_strength.png


http://xkcd.com/936/


IT still has a LOOOOOOOONG way to go ...

If we say there are 10,000 words and a password will be 4 words...that is 1E16 combinations. If we have 26 uppercase, 26 lower case, 10 numbers and 10 symbols, then a 9 char password has 72^9 = 5E16 combinations. So, a good 9 char password (really hard to memorize) is as decent a password as a 4 word pass phrase.

That sound right?
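
The arithmetic in the post above, carried through for the other lengths suggested in this thread (20 letters, 30 random characters), as an added example that is not part of any post. The figures hold only when every word or character is drawn uniformly at random, which is why the generators use `secrets`; the guess rate and the short word list are assumptions made for the demo.

```python
import math
import secrets
import string

# 26 upper + 26 lower + 10 digits + 10 symbols = 72, as in the post above.
ALPHABET_72 = string.ascii_letters + string.digits + "!@#$%^&*-_"

def combinations(choices: int, length: int) -> int:
    return choices ** length

def entropy_bits(choices: int, length: int) -> float:
    return length * math.log2(choices)

def min_length(choices: int, target: int) -> int:
    """Smallest length whose search space is at least `target` (exact ints)."""
    n = 0
    while choices ** n < target:
        n += 1
    return n

def years_to_search_half(space: int, guesses_per_second: float) -> float:
    """Expected time to hit a uniformly chosen secret: half the space."""
    return space / 2 / guesses_per_second / (365.25 * 24 * 3600)

def random_password(length: int, alphabet: str = ALPHABET_72) -> str:
    return "".join(secrets.choice(alphabet) for _ in range(length))

def random_passphrase(wordlist: list, count: int) -> str:
    return " ".join(secrets.choice(wordlist) for _ in range(count))

if __name__ == "__main__":
    RATE = 1e9  # assumed offline guesses per second, not a figure from the thread
    cases = [
        ("4 words from 10,000", 10_000, 4),
        ("9 chars from 72", 72, 9),
        ("20 lowercase letters", 26, 20),
        ("30 chars from 72", 72, 30),
    ]
    for name, choices, length in cases:
        space = combinations(choices, length)
        print(f"{name:22} {entropy_bits(choices, length):6.1f} bits "
              f"{years_to_search_half(space, RATE):.3g} years at {RATE:.0e}/s")
    print("72-symbol chars matching 4 words:", min_length(72, 10_000 ** 4))
    print("words matching 30 chars of 72:", min_length(10_000, 72 ** 30))
    print("sample password:", random_password(30))
    # Constructed 8-word list for the demo; a real list needs thousands of words.
    demo_words = ["amber", "canal", "dune", "ember", "fjord", "grove", "harbor", "inlet"]
    print("sample passphrase:", random_passphrase(demo_words, 4))
```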


Title: Re: how much BTC would you trust in a blockchain.wallet, how long should password be??
Post by: jubalix on April 18, 2013, 01:38:52 AM
Well, mine was hacked, losing 1 bitcoin. USE TWO FACTOR AUTHENTICATION!

what happens if you lose your mobile, what happens to 2 factor then?


Title: Re: how much BTC would you trust in a blockchain.wallet, how long should password be??
Post by: Paul89273 on April 18, 2013, 10:27:29 AM
Well, mine was hacked, losing 1 bitcoin. USE TWO FACTOR AUTHENTICATION!

what happens if you lose your mobile, what happens to 2 factor then?

If you're smart you'll have written down your 5 - 10 throwaway two factor authentication codes that you get when you sign up for 2FA with Gmail and you'll use one of those to log into your account to turn off 2FA and change your password and reset everything.

Just my opinion but if you have a lot invested in Bitcoins/ALT currencies I'd have a separate phone locked in a safe so you don't lose it.


Title: Re: how much BTC would you trust in a blockchain.wallet, how long should password be??
Post by: dogisland on April 18, 2013, 01:11:19 PM
Your password doesn't matter, the only thing that matters is password uniqueness.

This is very true. Password uniqueness and strength are the key to keeping Bitcoins safe online.

https://www.strongcoin.com/en/blog/are_you_guilty_of_the_following_password_mistakes



Title: Re: how much BTC would you trust in a blockchain.wallet, how long should password be??
Post by: Hei_ on April 18, 2013, 01:27:22 PM
2factor.


Title: Re: how much BTC would you trust in a blockchain.wallet, how long should password be??
Post by: Abdussamad on April 18, 2013, 02:22:57 PM
Well, mine was hacked, losing 1 bitcoin. USE TWO FACTOR AUTHENTICATION!

What was your password? Do you use Windows?


Title: Re: how much BTC would you trust in a blockchain.wallet, how long should password be??
Post by: Abdussamad on April 18, 2013, 02:32:09 PM
FYI blockchain is currently down because of a DDoS:

https://twitter.com/blockchain/status/324785363002458112

So not being able to access your account is another risk with blockchain.


Title: Re: how much BTC would you trust in a blockchain.wallet, how long should password be??
Post by: acoindr on April 18, 2013, 03:23:25 PM
Your password doesn't matter, the only thing that matters is password uniqueness.

This is very true. Password uniqueness and strength are the key to keeping Bitcoins safe online.

https://www.strongcoin.com/en/blog/are_you_guilty_of_the_following_password_mistakes

No, that is not true.

Password uniqueness and strength, as well as two-factor authentication, are measures which HELP keep bitcoins safe online.

None of that matters if the online service you use becomes corrupted. Two-factor authentication would not have helped anyone with a mybitcoin.com account. Password uniqueness and strength would not have helped Bitcoinica customers.

I will say it again:

For ANY online Bitcoin service I advise only storing as much there longer term as you are willing to lose completely if something unforeseen (like hacking/dishonesty/mistakes etc.) happens.


Title: Re: how much BTC would you trust in a blockchain.wallet, how long should password be??
Post by: Joshster on April 18, 2013, 05:28:57 PM
Only really trust Bitcoins in my own personal wallet. With all these sites going down and hackings, it seems the safest way.


Title: Re: how much BTC would you trust in a blockchain.wallet, how long should password be??
Post by: whiskers75 on April 18, 2013, 06:09:12 PM
Well, mine was hacked, losing 1 bitcoin. USE TWO FACTOR AUTHENTICATION!

What was your password? Do you use Windows?
I would never! Completely clean Ubuntu computer. 'Twas a big 108 BTC major hack - others were affected. I only lost 1.2 however. Now I use 2FA and a paper wallet for my new Bitcoin :)


Title: Re: how much BTC would you trust in a blockchain.wallet, how long should password be??
Post by: Abdussamad on April 19, 2013, 02:47:03 AM
Well, mine was hacked, losing 1 bitcoin. USE TWO FACTOR AUTHENTICATION!

What was your password? Do you use Windows?
I would never! Completely clean Ubuntu computer. 'Twas a big 108 BTC major hack - others were affected. I only lost 1.2 however. Now I use 2FA and a paper wallet for my new Bitcoin :)

Well that is odd. Linux rules out malware.

What kind of password was it?