Bitcoin Forum

Other => Beginners & Help => Topic started by: Frodek on September 24, 2011, 08:29:29 PM



Title: Encrypted wallet.dat but not entirely
Post by: Frodek on September 24, 2011, 08:29:29 PM
It's great that the wallet.dat file is now encrypted. However, it only password-protects bitcoin sending, and anyone can easily see how much they have. That can be dangerous, because someone could get thousands of wallet.dat files and then use force on someone who has a lot. And so we keep the files on Linux (e.g. VirtualBox) instead of Windows.
It would be better if the client could only be run after entering the wallet password.


Title: Re: Encrypted wallet.dat but not entirely
Post by: Stephen Gornick on September 24, 2011, 09:55:15 PM
That can be dangerous, because someone could get thousands of wallet.dat files and then use force on someone who has a lot.

I don't follow. Are you trying to say something like: if for some reason someone learns how many bitcoins you have, you would be at higher risk the more bitcoins you hold? (Which is probably true, by the way. As you hold more bitcoins, the importance placed on the security of the wallet should increase.)


Title: Re: Encrypted wallet.dat but not entirely
Post by: Gabi on September 25, 2011, 11:49:01 AM
He is saying that the client encrypts only a part of the wallet.dat. If you steal a client-encrypted wallet.dat you can read how many bitcoins it has. And if you find a wallet with a LOT of BTC it can be worth trying to brute-force it.
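The split Gabi describes, as an added model rather than Bitcoin client code: the real wallet.dat is a Berkeley DB file in which public keys and transaction records are stored in the clear, each private key is encrypted with AES-256-CBC under a random master key, and that master key is itself encrypted under a key derived from the passphrase by salted, iterated SHA-512. So anyone holding the file can sum the balances, and the per-guess cost of a brute-force attempt is exactly one key derivation. The model below keeps that structure using only the Python standard library; the record names (`mkey`, `ckey`, `tx`), the PBKDF2-HMAC-SHA256 derivation, the SHA-256 keystream standing in for AES, the HMAC passphrase check and all sample keys and amounts are assumptions of the example, not the wallet's actual format.

```python
import hashlib
import hmac
import secrets


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for AES-256-CBC: XOR with a SHA-256 counter-mode keystream.
    Symmetric, so the same call both encrypts and decrypts. Model only."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def derive_kek(passphrase: str, salt: bytes, iterations: int) -> bytes:
    """Passphrase -> key-encryption key. The real client uses salted,
    iterated SHA-512; this model uses PBKDF2-HMAC-SHA256 (assumption)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, iterations)


def encrypt_wallet(keys, passphrase: str, iterations: int = 25_000) -> dict:
    """keys: list of (pubkey_hex, privkey_bytes, list_of_received_satoshi).
    Only the private keys end up encrypted; pubkeys and tx records stay clear."""
    salt = secrets.token_bytes(8)
    master = secrets.token_bytes(32)
    kek = derive_kek(passphrase, salt, iterations)
    wallet = {
        "mkey": {
            "salt": salt,
            "iterations": iterations,
            "enc_master": keystream_xor(kek, b"mkey-nonce", master),
            # Model-only check value; the real client instead decrypts a
            # private key and verifies it matches its public key.
            "check": hmac.new(master, b"check", "sha256").digest(),
        },
        "ckey": [],  # encrypted private keys, each tagged with its cleartext pubkey
        "tx": [],    # transaction records, stored in the clear
    }
    for pub, priv, amounts in keys:
        # As in the real wallet, the per-key IV is derived from the pubkey hash.
        nonce = hashlib.sha256(bytes.fromhex(pub)).digest()[:16]
        wallet["ckey"].append({"pubkey": pub, "enc_priv": keystream_xor(master, nonce, priv)})
        for amt in amounts:
            wallet["tx"].append({"to_pubkey": pub, "amount": amt})
    return wallet


def balances_without_passphrase(wallet: dict) -> dict:
    """What anyone holding the file can compute: satoshi per pubkey, no passphrase needed."""
    per_key = {}
    for tx in wallet["tx"]:
        per_key[tx["to_pubkey"]] = per_key.get(tx["to_pubkey"], 0) + tx["amount"]
    return per_key


def total_balance(wallet: dict) -> int:
    return sum(balances_without_passphrase(wallet).values())


def pick_richest(wallets) -> int:
    """Gabi's point: given many stolen files, rank them by cleartext balance."""
    return max(range(len(wallets)), key=lambda i: total_balance(wallets[i]))


def unlock(wallet: dict, passphrase: str):
    """Return the master key if the passphrase is right, else None.
    Each call costs one full key derivation; the iteration count is the only brake."""
    mk = wallet["mkey"]
    kek = derive_kek(passphrase, mk["salt"], mk["iterations"])
    master = keystream_xor(kek, b"mkey-nonce", mk["enc_master"])
    expected = hmac.new(master, b"check", "sha256").digest()
    return master if hmac.compare_digest(expected, mk["check"]) else None


def decrypt_privkey(wallet: dict, master: bytes, pubkey_hex: str) -> bytes:
    nonce = hashlib.sha256(bytes.fromhex(pubkey_hex)).digest()[:16]
    for rec in wallet["ckey"]:
        if rec["pubkey"] == pubkey_hex:
            return keystream_xor(master, nonce, rec["enc_priv"])
    raise KeyError(pubkey_hex)


def try_passphrases(wallet: dict, candidates):
    """Dictionary attack against the model wallet; returns the hit or None."""
    for cand in candidates:
        if unlock(wallet, cand) is not None:
            return cand
    return None


# Constructed sample data: fake compressed-pubkey-shaped hex and fake private keys.
SMALL_PUB = "02" + "ab" * 32
BIG_PUB = "03" + "cd" * 32


def build_sample_wallets():
    """Two model wallets: a small one and a large one with a weak passphrase."""
    small = encrypt_wallet([(SMALL_PUB, bytes(range(32)), [150_000_000, 25_000_000])],
                           "correct horse battery staple")
    big = encrypt_wallet([(BIG_PUB, bytes(range(32, 64)), [200_000_000_000])], "hunter2")
    return small, big
```

Run `build_sample_wallets()` and call `balances_without_passphrase` on either result: the per-key totals come straight out of the `tx` records, which is the leak the thread is about. `unlock` with the right passphrase then recovers the master key and `decrypt_privkey` recovers the key bytes; with a weak passphrase, `try_passphrases` finds it in as many derivations as there are guesses, which is why the 25,000 iterations only help if the passphrase is not in any wordlist.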



Title: Re: Encrypted wallet.dat but not entirely
Post by: kokjo on September 25, 2011, 11:52:16 AM
It's great that the wallet.dat file is now encrypted. However, it only password-protects bitcoin sending, and anyone can easily see how much they have. That can be dangerous, because someone could get thousands of wallet.dat files and then use force on someone who has a lot. And so we keep the files on Linux (e.g. VirtualBox) instead of Windows.
It would be better if the client could only be run after entering the wallet password.
Go torture MtGox, I know that they have a lot of BTC...


Title: Re: Encrypted wallet.dat but not entirely
Post by: memvola on September 25, 2011, 12:27:48 PM
I think it's a good usability trade-off for security. Wallet encryption does not protect you from a myriad of attacks. If I had the ability to access a lot of people's wallets, instead of downloading them and trying to brute-force the one with the largest sum, I'd install keyloggers. Even better, I'd install a modified bitcoin client that silently sends some of the coins without displaying it on the interface. If I had access to neither the binaries nor the system memory, but only the wallets, and lots of them, and there were people dumb enough to use simple passwords for large wallets; maybe then, knowing the balances would be helpful.

At any rate, it is worth adding a second layer of encryption, as you said. It is still a good idea to use a savings wallet either way. One good addition would be being able to use multiple wallets (a la MultiBit); I wouldn't mind entering a primary password for my savings wallet.


Title: Re: Encrypted wallet.dat but not entirely
Post by: ribuck on September 25, 2011, 12:40:28 PM
... I'd install keyloggers ...
A quick question for anyone who knows about typical keyloggers: can you circumvent them by clicking around the entry field and typing the characters out of order (e.g. type the last half, then click at the start of the field and type the first half), or does the keylogger harvest the data after the field is complete?


Title: Re: Encrypted wallet.dat but not entirely
Post by: kokjo on September 25, 2011, 12:48:00 PM
... I'd install keyloggers ...
A quick question for anyone who knows about typical keyloggers: can you circumvent them by clicking around the entry field and typing the characters out of order (e.g. type the last half, then click at the start of the field and type the first half), or does the keylogger harvest the data after the field is complete?
Solution:
install a fake client.


Title: Re: Encrypted wallet.dat but not entirely
Post by: memvola on September 25, 2011, 01:22:08 PM
A quick question for anyone who knows about typical keyloggers: can you circumvent them by clicking around the entry field and typing the characters out of order (e.g. type the last half, then click at the start of the field and type the first half), or does the keylogger harvest the data after the field is complete?

AFAIK they usually get input directly from the device. It would be very complicated to get data from the password fields of arbitrary programs. On the other hand, they can capture mouse movements and take screenshots, so clicking around wouldn't be ultimate protection. I imagine a program that automatically inserts your passwords, bound to custom key combinations, would work better. I don't know if there are any, but it should work as long as the solution is not widespread enough for the attackers to care. :)

Even so, it would be far easier for the attacker to target specific programs, such as bitcoin, and install fake clients, or read unencrypted keys from memory.