Bitcoin Forum

Bitcoin => Development & Technical Discussion => Topic started by: ebliever on February 20, 2015, 05:28:27 PM



Title: A Bitcoin Security Paradox?
Post by: ebliever on February 20, 2015, 05:28:27 PM
I've been wrestling with the obstacles that I see to mass adoption of bitcoin. Some, such as merchant adoption and software tools to make BTC more accessible are being solved little by little every day. But I'm struggling with what I perceive may be a security paradox with Bitcoin. In fairness, it is probably inherent to other online transaction systems such as for fiat as well. But it is more severe for cryptocurrency because there is no centralized authority, no 1-800 phone # you can call when things go wrong.

The basic issue I'd like to resolve is: How do you make BTC so safe and secure that over a person's lifetime they never experience (A) theft or (B) loss of some or all of their BTC holdings? By "loss" I mean losing access to your BTC permanently due to lost wallets or passwords with no chance of recovery. The possibility of loss due to mis-addressing a BTC payment is a separate issue I'll leave alone for now.

Ideally we'd like to get BTC security to the point where it is virtually impossible to permanently lose BTC or have them stolen from an account, on the same level of confidence that we have in SHA vs. password hacking, for example.

Problem is, the dual issues of BTC loss and BTC theft are mitigated by countermeasures that largely contradict one another:

1. To prevent accidental loss, a person should keep multiple copies of their passwords and/or wallets in secured locations where there is minimal risk of them being lost, thrown away, burned to a fiery crisp, etc. Multisig should be avoided to prevent the risk that any one signature authority is lost (for any reason), preventing access to the account.

2. But to prevent theft, a person should minimize deploying copies of their passwords and/or wallets to multiple locations, multiplying opportunities for theft to occur. Multisig should be used to block theft in cases where one password is compromised.

3. Just to compound the challenge, for BTC to reach mainstream adoption, complexity must be avoided. So a solution that prevents both theft and loss, ideally, should also avoid complexity.

For example, as a best practice I might recommend using a multisig account requiring 3 approvals/passwords. Then store Password A on my computer with backups on DVD and my brother's computer in another state. Password B is on my cell phone, with backups in my wife's cell phone and a secured cloud storage account. And Password C is on a paper certificate in a safe in my house, with hardcopies with my mother's house in a 3rd state and a safe deposit box. This _might_ be robust enough versus theft and loss, but would be a pain to implement and maintain. Especially for everyday use.

So who has a solution to this conundrum? One that really would be reliable over the events of a person's lifetime and all manner of disasters (war, fire, economic collapse and so forth)?

I don't like the idea of centralized authorities for currency in principle, but more and more I'm leaning to the idea that there will necessarily be "bitcoin banks" who take on the complexity of securing bitcoin funds in exchange for a fee. Someone you can call after your dog pees on your computer the same day your brother's house goes up in flames and you realize your kids have been using your backup DVD's as frisbees.

Of course with bitcoin one can still be your own bank if you make the effort, and I think that is essential. But I'm thinking it may be the exception rather than the norm over the long run, and that we will have too many horror stories from BYOB people who didn't think through their own security from a decades-long perspective.

Flame away! :-)

************************

Excellent comments below; summary (to date, 2/23/15) of best practices in post #27:
https://bitcointalk.org/index.php?topic=962306.msg10555369#msg10555369


Title: Re: A Bitcoin Security Paradox?
Post by: slaveforanunnak1 on February 20, 2015, 05:44:03 PM

One thing did come to my mind though while reading your post, and that was, if something like Fukushima happens in my town, where a whole city goes under water, I would lose all my BTCs. I need to figure something out. Thanks.


Title: Re: A Bitcoin Security Paradox?
Post by: franky1 on February 20, 2015, 05:52:37 PM
If you need to ask yourself how to secure it, just simply compare it to fiat, or things in your house that hold value.

1) Would you hand it over to a stranger you have never met?
2) Would you store it in a place that's not insured/secure?
3) Would you leave it out in the open for anyone to grab?
4) Would you shout out to everyone around you that you have X funds just sitting on your table?


Title: Re: A Bitcoin Security Paradox?
Post by: MakingMoneyHoney on February 20, 2015, 05:55:04 PM
I've been wrestling with the obstacles that I see to mass adoption of bitcoin. Some, such as merchant adoption and software tools to make BTC more accessible are being solved little by little every day. But I'm struggling with what I perceive may be a security paradox with Bitcoin. In fairness, it is probably inherent to other online transaction systems such as for fiat as well. But it is more severe for cryptocurrency because there is no centralized authority, no 1-800 phone # you can call when things go wrong.

The basic issue I'd like to resolve is: How do you make BTC so safe and secure that over a person's lifetime they never experience (A) theft or (B) loss of some or all of their BTC holdings? By "loss" I mean losing access to your BTC permanently due to lost wallets or passwords with no chance of recovery. The possibility of loss due to mis-addressing a BTC payment is a separate issue I'll leave alone for now.

Ideally we'd like to get BTC security to the point where it is virtually impossible to permanently lose BTC or have them stolen from an account, on the same level of confidence that we have in SHA vs. password hacking, for example.

Problem is, the dual issues of BTC loss and BTC theft are mitigated by countermeasures that largely contradict one another:

1. To prevent accidental loss, a person should keep multiple copies of their passwords and/or wallets in secured locations where there is minimal risk of them being lost, thrown away, burned to a fiery crisp, etc. Multisig should be avoided to prevent the risk that any one signature authority is lost (for any reason), preventing access to the account.

2. But to prevent theft, a person should minimize deploying copies of their passwords and/or wallets to multiple locations, multiplying opportunities for theft to occur. Multisig should be used to block theft in cases where one password is compromised.

3. Just to compound the challenge, for BTC to reach mainstream adoption, complexity must be avoided. So a solution that prevents both theft and loss, ideally, should also avoid complexity.

For example, as a best practice I might recommend using a multisig account requiring 3 approvals/passwords. Then store Password A on my computer with backups on DVD and my brother's computer in another state. Password B is on my cell phone, with backups in my wife's cell phone and a secured cloud storage account. And Password C is on a paper certificate in a safe in my house, with hardcopies with my mother's house in a 3rd state and a safe deposit box. This _might_ be robust enough versus theft and loss, but would be a pain to implement and maintain. Especially for everyday use.

So who has a solution to this conundrum? One that really would be reliable over the events of a person's lifetime and all manner of disasters (war, fire, economic collapse and so forth)?

I don't like the idea of centralized authorities for currency in principle, but more and more I'm leaning to the idea that there will necessarily be "bitcoin banks" who take on the complexity of securing bitcoin funds in exchange for a fee. Someone you can call after your dog pees on your computer the same day your brother's house goes up in flames and you realize your kids have been using your backup DVD's as frisbees.

Of course with bitcoin one can still be your own bank if you make the effort, and I think that is essential. But I'm thinking it may be the exception rather than the norm over the long run, and that we will have too many horror stories from BYOB people who didn't think through their own security from a decades-long perspective.

Flame away! :-)

Why would anyone flame? It's a perfect, great thought-out post.

I also was thinking of having paper wallets for security, but it would be pretty easy for a hacker to come up with a paper generator program/site, that they know all the private keys to, right? It might not happen while most people are in-the-know, to not use untrustworthy sources of paper wallet generators, but as exchange after exchange steal money from people who trust them when they shouldn't, you could see how someone could easily set up a nice, sleek-looking designed site, that enough people (new to the Bitcoin world) might end up using, thinking they're safe, when months or years down the line, the funds end up being withdrawn.

I created paper wallets for family members, (offline, in a new OS, old printer, etc). But not everyone is going to be able to do that for themselves, or want to, even if they could. Then they may ask someone else to, and that someone else (though a friend now), may steal the funds if they keep a copy for themselves.

I think we're going to end up seeing hardware wallets more, and hopefully cheaper.


Title: Re: A Bitcoin Security Paradox?
Post by: ebliever on February 20, 2015, 06:01:29 PM

I also was thinking of having paper wallets for security, but it would be pretty easy for a hacker to come up with a paper generator program/site, that they know all the private keys to, right?

There was news a few weeks ago that pointed out exactly how this could be done. The idea was that the paper wallet generator would produce specified outputs that the hacker who originated the software could look for in the blockchain, giving them full access to the funds in the cold wallet. I remember saying something like "beware anyone announcing new wallet generator programs about a month from now" in response.

Thanks for the feedback so far everyone!


Title: Re: A Bitcoin Security Paradox?
Post by: AgentofCoin on February 20, 2015, 06:03:44 PM
If you need to ask yourself how to secure it, just simply compare it to fiat, or things in your house that hold value.

1) Would you hand it over to a stranger you have never met?
2) Would you store it in a place that's not insured/secure?
3) Would you leave it out in the open for anyone to grab?
4) Would you shout out to everyone around you that you have X funds just sitting on your table?


I agree with the above post.
But sadly, since most people (including the twitter/facebook/supposed knowledgeable crowd) are not actually competent in a day to day aspect,
I think we are going to need bitcoin banks that help store your funds (in some way or fashion).
Not because it's necessary or safe, but because people are generally stupid and it's easy for them.
When bitcoin goes mainstream, the average joe will not be interested in Bitcoin's fundamentals and ideal.


Title: Re: A Bitcoin Security Paradox?
Post by: ebliever on February 20, 2015, 06:04:25 PM

I think we're going to end up seeing hardware wallets more, and hopefully cheaper.

I'm not terribly familiar with the HW wallets out there, so I have to ask: What happens if a HW wallet is lost/broken/eaten by a rhinoceros? How do you access your account in that case?


Title: Re: A Bitcoin Security Paradox?
Post by: Mikestang on February 20, 2015, 06:04:37 PM
You could always store your paper wallets/backups in a safety deposit box, or multiple copies in multiple boxes, I think that would alleviate much of your worries.


Title: Re: A Bitcoin Security Paradox?
Post by: MakingMoneyHoney on February 20, 2015, 06:08:00 PM

I think we're going to end up seeing hardware wallets more, and hopefully cheaper.

I'm not terribly familiar with the HW wallets out there, so I have to ask: What happens if a HW wallet is lost/broken/eaten by a rhinoceros? How do you access your account in that case?

I would think, if I had a lot of BTC to protect, I would use a HW wallet to hold the majority, (like people save thousands in their bank accounts), in a bank safe. Maybe a couple of safe deposit boxes for copies, even.

You could always store your paper wallets/backups in a safety deposit box, or multiple copies in multiple boxes, I think that would alleviate much of your worries.

Which leads me to this, you must make sure your paper wallet is safe, but if it truly is, multiple copies work well.


Title: Re: A Bitcoin Security Paradox?
Post by: wilth1 on February 20, 2015, 07:01:32 PM

-Partition into as many wallets as can be managed so that no loss is catastrophic
-Store all wallets offline
-Make multiple encrypted wallet backups
-Use multisig

Who is your hypothetical "thief" adversary?  It makes all the difference.


Title: Re: A Bitcoin Security Paradox?
Post by: ebliever on February 20, 2015, 07:57:11 PM

-Partition into as many wallets as can be managed so that no loss is catastrophic
-Store all wallets offline
-Make multiple encrypted wallet backups
-Use multisig

Who is your hypothetical "thief" adversary?  It makes all the difference.

Diversification into multiple wallets/accounts is a good idea in principle, but the downside is the resulting increase in complexity, and risk that funds of one of those accounts could be lost or stolen. People could argue endlessly about whether it is better to have one tightly secured wallet or 10 wallets with less exhaustive security.

One approach would be to tightly secure a "long term savings" account that is not accessed very often, while holding a smaller amount of BTC in a 'daily use' wallet. But this doesn't evade the conundrum in the OP, of theft mitigation vs. lost password mitigation. If anything relying on multiple accounts (which I agree is a good idea) makes everything even more complicated.

Regarding the ID of the thief, I'm trying to be all-encompassing here - seeking a "best practices" approach that will span a person's life with minimal risk of BTC loss from either theft (of any sort) or loss of account access (for any reason).


Title: Re: A Bitcoin Security Paradox?
Post by: bytme on February 20, 2015, 09:55:43 PM
Necessity may be the mother of invention but invention necessitates capability.

I've always thought this, storing/protecting is far too complex for the masses, myself included.

I wonder if there is a way to minimize risk by having two accounts. One loaded for "walking around" use, and another where you would store the bulk of your holdings in an account which simply requires some form of facial or retinal ID to access your main account to transfer funds to your wallet or paying bills, large purchases and such.

You could always add extra layers of passwords but wouldn't it be cool to know that you can access your "cold storage" by taking a real time selfie?

Then again there's the risk of a new crime wave of selfie theft by gun point.


Just a thought...DNA encryption? They can read a person's blood for diabetes...perhaps they'll come up with an app for that.

Estate transfer is a whole different kettle of lawyers...I'm sure.   


Title: Re: A Bitcoin Security Paradox?
Post by: monsanto on February 20, 2015, 10:48:50 PM
One idea I've thought about is a system where you have multiple accounts like others have mentioned, but with different levels of time delays.  So you'd have one with instant access and a small amount of funds.  Then for larger holdings you would put them for example in an account that has a built in 24 hr, 3 day, or week delay for withdrawals.  If say the week delay account is accessed with a private key the funds wouldn't move for a week and a system would notify you, say through email, that the funds have been marked for withdrawal.  If no action is taken, after 7 days the funds are moved, but if within those 7 days the private key is re-entered, the funds are moved to another long term address previously designated by the initial account creator.  So if anyone was attempting to hack an exchange wallet for example the owners would have 7 days to notice this, re-enter the private key, which would then re-direct those funds to another predetermined long term account.

Just an idea and one I haven't thought through that much so I'm sure there's some problems and obviously isn't applicable to bitcoin as presently constructed.
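
A minimal model of the delayed-withdrawal scheme described in the post above, added here as an example and not part of the original thread. `DelayedVault`, the addresses, the key and the amounts are constructed, and the code models a custodian-side policy, not anything in the Bitcoin protocol.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional, Tuple

DAY = 24 * 3600  # seconds


@dataclass
class DelayedVault:
    key_hash: bytes                 # SHA-256 of the spending key (hypothetical scheme)
    recovery_address: str           # designated by the account creator at setup
    balance: int                    # satoshis held in the vault
    delay: int = 7 * DAY            # the "week delay" account from the post
    pending: Optional[Tuple[str, int]] = None   # (destination, release time)
    notifications: list = field(default_factory=list)
    ledger: dict = field(default_factory=dict)  # address -> satoshis paid out

    def _require_key(self, key: bytes) -> None:
        # Constant-time comparison so the check itself leaks nothing.
        if not hmac.compare_digest(hashlib.sha256(key).digest(), self.key_hash):
            raise PermissionError("wrong key")

    def _pay(self, address: str) -> None:
        self.ledger[address] = self.ledger.get(address, 0) + self.balance
        self.balance = 0
        self.pending = None

    def settle(self, now: int) -> Optional[str]:
        """Release a pending withdrawal once its delay has fully elapsed."""
        if self.pending and now >= self.pending[1]:
            destination = self.pending[0]
            self._pay(destination)
            return destination
        return None

    def request_withdrawal(self, key: bytes, destination: str, now: int) -> int:
        """First use of the key: funds are only marked, and the owner is notified."""
        self._require_key(key)
        self.settle(now)
        if self.pending:
            raise RuntimeError("a withdrawal is already pending")
        if self.balance == 0:
            raise RuntimeError("vault is empty")
        release = now + self.delay
        self.pending = (destination, release)
        self.notifications.append(f"withdrawal to {destination} marked, releases at t={release}")
        return release

    def reenter_key(self, key: bytes, now: int) -> bool:
        """Second use of the key inside the window: redirect to the recovery address.

        Whoever re-enters the key cannot choose a destination, so a stolen key
        gains nothing from this path. Returns False if the window has closed.
        """
        self._require_key(key)
        self.settle(now)
        if not self.pending:
            return False
        self._pay(self.recovery_address)
        self.notifications.append("pending withdrawal redirected to recovery address")
        return True


def simulate(reaction_day: Optional[int]) -> dict:
    """An unexpected withdrawal is requested at t=0; the owner reacts on
    `reaction_day`, or never if it is None. Returns where the funds ended up."""
    key = b"constructed-demo-key"
    vault = DelayedVault(hashlib.sha256(key).digest(), "recovery-addr-demo", 50_000_000)
    vault.request_withdrawal(key, "unexpected-addr-demo", now=0)
    if reaction_day is not None:
        vault.reenter_key(key, now=reaction_day * DAY)
    vault.settle(now=8 * DAY)
    return vault.ledger


if __name__ == "__main__":
    for day in (3, 6, 7, None):
        print(f"owner reacts on day {day}: {simulate(day)}")
```

The day-7 case shows the limit of the design: the protection depends entirely on the notification being seen and acted on before the delay runs out.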


Title: Re: A Bitcoin Security Paradox?
Post by: odolvlobo on February 21, 2015, 01:04:05 AM
Quote
The basic issue I'd like to resolve is: How do you make BTC so safe and secure that over a person's lifetime they never experience (A) theft or (B) loss of some or all of their BTC holdings?

This issue is not specific to Bitcoin. Basically, you are asking, "how can an asset be made so secure that it can never be lost or stolen?" The answer is that it can't. There is always a trade-off between utility and security. The only way to completely avoid theft or loss is to make the asset unusable.

A better question to ask is, "how can the features of Bitcoin be exploited to make it more resilient to theft and loss while minimizing the impact on utility?"

Bitcoin is already immune to theft and loss as long as the owner and only the owner has control over the private keys, and that cannot be said about other assets and monetary systems.

The problem of theft and loss occurs at the coupling between the owner and the private keys. That is where the security can be compromised, and when looking for a solution, that is where you should look.


Title: Re: A Bitcoin Security Paradox?
Post by: vm_mpn on February 21, 2015, 04:26:58 AM
If you need to ask yourself how to secure it, just simply compare it to fiat, or things in your house that hold value.

1) Would you hand it over to a stranger you have never met?
2) Would you store it in a place that's not insured/secure?
3) Would you leave it out in the open for anyone to grab?
4) Would you shout out to everyone around you that you have X funds just sitting on your table?


I agree with the above post.
But sadly, since most people (including the twitter/facebook/supposed knowledgeable crowd) are not actually competent in a day to day aspect,
I think we are going to need bitcoin banks that help store your funds (in some way or fashion).
Not because it's necessary or safe, but because people are generally stupid and it's easy for them.
When bitcoin goes mainstream, the average joe will not be interested in Bitcoin's fundamentals and ideal.

Trusted institutions in Bitcoin ecosystem will take some time to build - Coinbase and Circle are good examples of this effort. I have no doubt Bitcoin will mature to the point where your Bitcoin deposit will be as secure as your checking or savings account at the local bank. The same will apply to your personal hardware wallet. We just need to give it some time, that's all.


Title: Re: A Bitcoin Security Paradox?
Post by: Cryddit on February 21, 2015, 07:02:38 AM
There is a fundamental problem, really.

Either a user keeps track of his own key, or the web wallet/exchange/whatever that has the key can Goxx him.

But if he keeps track of his own key, then he has to keep it secure.  And most people are not willing or able to do what it takes to keep keys truly secure on their own systems. 



Title: Re: A Bitcoin Security Paradox?
Post by: buyandhold on February 21, 2015, 08:33:34 AM
There is a fundamental problem, really.

Either a user keeps track of his own key, or the web wallet/exchange/whatever that has the key can Goxx him.

But if he keeps track of his own key, then he has to keep it secure.  And most people are not willing or able to do what it takes to keep keys truly secure on their own systems. 



Yet some people insist that bitcoin is 'for everyone'


Title: Re: A Bitcoin Security Paradox?
Post by: Q7 on February 21, 2015, 09:04:42 AM
We already have HD wallets, which can be integrated into a hardware or paper wallet. I do not know how easy that would get in terms of understanding, while security-wise I would say it would be enough. Sometimes it still falls to the owner to use basic common sense and to take necessary precautions to maintain security.


Title: Re: A Bitcoin Security Paradox?
Post by: MakingMoneyHoney on February 21, 2015, 08:15:20 PM
If you need to ask yourself how to secure it, just simply compare it to fiat, or things in your house that hold value.

1) Would you hand it over to a stranger you have never met?
2) Would you store it in a place that's not insured/secure?
3) Would you leave it out in the open for anyone to grab?
4) Would you shout out to everyone around you that you have X funds just sitting on your table?


I agree with the above post.
But sadly, since most people (including the twitter/facebook/supposed knowledgeable crowd) are not actually competent in a day to day aspect,
I think we are going to need bitcoin banks that help store your funds (in some way or fashion).
Not because it's necessary or safe, but because people are generally stupid and it's easy for them.
When bitcoin goes mainstream, the average joe will not be interested in Bitcoin's fundamentals and ideal.

Trusted institutions in Bitcoin ecosystem will take some time to build - Coinbase and Circle are good examples of this effort. I have no doubt Bitcoin will mature to the point where your Bitcoin deposit will be as secure as your checking or savings account at the local bank. The same will apply to your personal hardware wallet. We just need to give it some time, that's all.

That's true, if you compare Coinbase holding your Bitcoin to a bank holding your cash. Both can have that money stolen, it's been in the news recently about both.

The difference right now is that the bank has insurance on the cash. Maybe we'll see an insurance company for Bitcoin theft someday.


Title: Re: A Bitcoin Security Paradox?
Post by: ebliever on February 21, 2015, 08:25:22 PM
If you need to ask yourself how to secure it, just simply compare it to fiat, or things in your house that hold value.

1) Would you hand it over to a stranger you have never met?
2) Would you store it in a place that's not insured/secure?
3) Would you leave it out in the open for anyone to grab?
4) Would you shout out to everyone around you that you have X funds just sitting on your table?


I agree with the above post.
But sadly, since most people (including the twitter/facebook/supposed knowledgeable crowd) are not actually competent in a day to day aspect,
I think we are going to need bitcoin banks that help store your funds (in some way or fashion).
Not because it's necessary or safe, but because people are generally stupid and it's easy for them.
When bitcoin goes mainstream, the average joe will not be interested in Bitcoin's fundamentals and ideal.

Trusted institutions in Bitcoin ecosystem will take some time to build - Coinbase and Circle are good examples of this effort. I have no doubt Bitcoin will mature to the point where your Bitcoin deposit will be as secure as your checking or savings account at the local bank. The same will apply to your personal hardware wallet. We just need to give it some time, that's all.

That's true, if you compare Coinbase holding your Bitcoin to a bank holding your cash. Both can have that money stolen, it's been in the news recently about both.

The difference right now is that the bank has insurance on the cash. Maybe we'll see an insurance company for Bitcoin theft someday.

I think this is quite likely in the long run. It sounds like there is a consensus that (A) there is an inherent conflict between avoiding accidental loss and avoiding theft, and (B) that we can't really expect the average person to consistently secure their accounts without error against both possibilities. That means (A) bitcoin, as a BYOB instrument, is not for everyone, and (B) to make it for everyone means accepting institutions like banks and exchanges that will (for a fee) secure people's bitcoins and insure them (in some fashion). That's a little disappointing to me, but I appreciate the help in thinking it through to reach this conclusion.


Title: Re: A Bitcoin Security Paradox?
Post by: ebliever on February 21, 2015, 08:28:07 PM
One idea I've thought about is a system where you have multiple accounts like others have mentioned, but with different levels of time delays.  So you'd have one with instant access and a small amount of funds.  Then for larger holdings you would put them for example in an account that has a built in 24 hr, 3 day, or week delay for withdrawals.  If say the week delay account is accessed with a private key the funds wouldn't move for a week and a system would notify you, say through email, that the funds have been marked for withdrawal.  If no action is taken, after 7 days the funds are moved, but if within those 7 days the private key is re-entered, the funds are moved to another long term address previously designated by the initial account creator.  So if anyone was attempting to hack an exchange wallet for example the owners would have 7 days to notice this, re-enter the private key, which would then re-direct those funds to another predetermined long term account.

Just an idea and one I haven't thought through that much so I'm sure there's some problems and obviously isn't applicable to bitcoin as presently constructed.

Some exchanges (for example Allcrypt, and Coinbase's cold wallet) have time delay options. Just keep in mind these are not inherent to the bitcoin protocol, so to utilize this kind of security we would necessarily have to be trusting a 3rd party with our bitcoins. But I do think it's an example of the kind of good practices everyone should use as bitcoin becomes a significant portion of their investments.


Title: Re: A Bitcoin Security Paradox?
Post by: hhanh00 on February 22, 2015, 06:39:32 AM
When you keep it simple, it's not so difficult. For example:

Electrum on cold storage and Mycelium for online usage.
- 2 seeds to keep = 2x12 words
- top off Mycelium from time to time

What's not to like?


Title: Re: A Bitcoin Security Paradox?
Post by: teukon on February 22, 2015, 09:24:51 AM
Multisig should be avoided to prevent the risk that any one signature authority is lost (for any reason), preventing access to the account.

This is why N-of-N multisig should be avoided.

Quote
For example, as a best practice I might recommend using a multisig account requiring 3 approvals/passwords. Then store Password A on my computer with backups on DVD and my brother's computer in another state. Password B is on my cell phone, with backups in my wife's cell phone and a secured cloud storage account. And Password C is on a paper certificate in a safe in my house, with hardcopies with my mother's house in a 3rd state and a safe deposit box.

Multisig works on both fronts.  You can, for example, arrange for there to be three passwords protecting funds such that any one password is useless but any two passwords give access.  This is called 2-of-3 multisig and is more common than the 3-of-3 multisig you describe above.

This can be done for any integers M and N with 1 <= M <= N.  Larger values of N are more complex.  When M is far from 1, theft is unlikely.  When M is far from N, loss is unlikely.


Title: Re: A Bitcoin Security Paradox?
Post by: ebliever on February 22, 2015, 02:02:06 PM
Multisig should be avoided to prevent the risk that any one signature authority is lost (for any reason), preventing access to the account.

This is why N-of-N multisig should be avoided.

Quote
For example, as a best practice I might recommend using a multisig account requiring 3 approvals/passwords. Then store Password A on my computer with backups on DVD and my brother's computer in another state. Password B is on my cell phone, with backups in my wife's cell phone and a secured cloud storage account. And Password C is on a paper certificate in a safe in my house, with hardcopies with my mother's house in a 3rd state and a safe deposit box.

Multisig works on both fronts.  You can, for example, arrange for there to be three passwords protecting funds such that any one password is useless but any two passwords give access.  This is called 2-of-3 multisig and is more common than the 3-of-3 multisig you describe above.

This can be done for any integers M and N with 1 <= M <= N.  Larger values of N are more complex.  When M is far from 1, theft is unlikely.  When M is far from N, loss is unlikely.

Good suggestion. This would simplify matters compared to the 3X3 example I gave. Perhaps a 3 of 5 multisig would provide both robust defense against theft while also tolerating loss of 2 of the passwords. Even 2 of 4 might be acceptable if secured well.


Title: Re: A Bitcoin Security Paradox?
Post by: Remember remember the 5th of November on February 22, 2015, 05:48:27 PM
If it was me, I'd store my private key in some DNA (read up on DNA storage) and then place it on my heart, for extra security.


Title: Re: A Bitcoin Security Paradox?
Post by: hashman on February 22, 2015, 11:48:08 PM
You need to consider different wallets for different uses.  Nobody is never going to lose a satoshi, that just doesn't make sense. 

I might throw a week's spending cash on a device which I have a backup for at home.  While I'm out, somebody fools me and I send coin to the wrong address.  Whoops!

I mess up a digit when sending.. whoops! 

Somebody sticks a knife in my face and tells me to empty the wallet.  whoops! 

I walk through a casino, whoops!


These things we try to avoid but over a lifetime you can't close all security holes on your smallest spending wallet.

Larger, life changing sums, will be kept in multisignature trust funds with family and managers holding keys redundant and backed up.  Sure, this makes it a pain in the ass to spend but that is the tradeoff. 



Title: Re: A Bitcoin Security Paradox?
Post by: ebliever on February 23, 2015, 02:31:18 PM
I'd like to thank everyone again for their contributions, and summarize my own Lessons Learned thus far. Best practices:

1.   Utilize multi-sig for a M of N access requirement. (That is, needing to input M passwords out of N total passwords on file to access an account.)
2.   Utilize 2 or more accounts with higher security on long-term, high value accounts and easier access with day-to-day small value accounts.
3.   If using trusted 3rd parties, a time delay feature for significant withdrawals provides additional protection.
4.   It probably makes sense that trusted 3rd parties arise which provide insurance for their accounts, for people who won’t/can’t manage their own bitcoin holdings securely.
5.   The trusted 3rd parties can in principle utilize technological solutions (retinal scanners, DNA, etc.) as substitutes for passwords for security.


My comment: Institutions and software (such as wallets) can implement a M of N security solution fairly easily, and in fact many already do. The use of security questions like “What is your mother’s maiden name” in addition to password are in essence just such an approach. And although cheesy, they probably do provide a fairly good level of security against lost/compromised passwords in real life terms.

I like the idea of a 3 out of 5 access level, because a hacker would need to obtain at least 3 passwords to breach the account, and at the same time you’d need to lose 3 of the 5 passwords to become unable to access your own account. That strikes me as a reasonable and robust level of security for my “long-term” holdings. Throw in a moderate (and user-configurable) time delay for major withdrawals (with notifications sent out by email/text/etc.) and the account becomes even more secure.

For day-to-day use, something like 2-factor authentication (password plus smartphone app) is probably reasonable, with a way to recover if and when the smartphone falls into a toilet.

Overall I feel a lot better about long term security of my BTC based on this feedback. The key will be in software developers releasing software to support M of N security and time delays with notification (both at an institutional level and in personal wallets), and educating the masses on what to do and why they need to do it to keep their bitcoins safe.
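
The 3-of-5 trade-off described in the post above, worked through numerically as an added example (not part of the original post). It assumes every key is lost or stolen independently and with the same probability, and the 10% figures are illustrative inputs, not measurements.

```python
from math import comb


def p_at_least(k: int, n: int, p: float) -> float:
    """P(at least k of n independent events occur), each with probability p."""
    return sum(comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k, n + 1))


def scheme_risk(m: int, n: int, p_loss: float, p_theft: float) -> tuple:
    """Return (P(owner locked out), P(funds stolen)) for an M-of-N scheme.

    Locked out: fewer than M keys survive, i.e. at least N-M+1 keys are lost.
    Stolen:     an attacker obtains at least M keys.
    """
    if not 1 <= m <= n:
        raise ValueError("need 1 <= M <= N")
    return p_at_least(n - m + 1, n, p_loss), p_at_least(m, n, p_theft)


# Schemes discussed in the thread, expressed as (M, N).
# Backup copies of a single key behave like 1-of-N: any one copy is enough,
# both for the owner and for a thief.
SCHEMES = {
    "single key, no backup (1-of-1)": (1, 1),
    "one key, three copies (1-of-3)": (1, 3),
    "all three keys needed (3-of-3)": (3, 3),
    "2-of-3": (2, 3),
    "3-of-5": (3, 5),
}


def compare(p_loss: float = 0.10, p_theft: float = 0.10) -> dict:
    """Risk pair for every scheme; the 10% defaults are illustrative only."""
    return {name: scheme_risk(m, n, p_loss, p_theft)
            for name, (m, n) in SCHEMES.items()}


if __name__ == "__main__":
    for name, (lockout, theft) in compare().items():
        print(f"{name:32s} lockout={lockout:.5f}  theft={theft:.5f}")
```

With these inputs, extra copies cut lockout risk while raising theft risk, requiring every key does the reverse, and the threshold schemes lower both at once.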


Title: Re: A Bitcoin Security Paradox?
Post by: hhanh00 on February 23, 2015, 03:13:29 PM
These recommendations are fine though you don't need to go that far to be safe.
If you are willing to go through it, go for it. But the people who got hacked were nowhere near that level of security.
1.
    - They heard about hacks and thought: "This looks difficult, I'll probably mess up."
    - or they just trusted their exchange because they trust their bank.
    Either way, they got robbed by their exchange.
2.
    - They kept their bitcoin on their online computer or used a password they store on Dropbox.

Bottom line, bitcoins that you have on an online computer can be hacked. Some may argue that they have utmost security on their computer and maybe they do but it's them not us.
Now that there are so many hacks, people get scared and go the other extreme.
It's actually easy to avoid being hacked and it takes little effort... **Cold Storage** for your main stash.
No one has ever been hacked from cold storage (if it's done properly).

Using complex processes may end up costing you more if you mess up. IMHO, it's better to stick with simple things when they have the same level of security.


Title: Re: A Bitcoin Security Paradox?
Post by: ebliever on February 23, 2015, 06:05:15 PM
I'm not all that sanguine about cold storage for a couple reasons:

1. An article came out about a month ago that described how hackers could release cold wallet software that would generate non-random keys. The hackers could monitor the blockchain for identifiable transactions and would then have free access to anything in the supposedly safe cold wallet forever after. (Could this be what happened to Gox?)

2. There seems to be a perception (correct or not) that funds in cold storage are safer because the password is in hardcopy or offline. But it still exists in some form, so the risk of it being stolen still exists. So cold storage is not a game-changer for me; it may be a bit more secure, but it's not bulletproof.

I hope you are right about current hacks being of the "lowest hanging fruit" in terms of poor security. It would be great if someone developed a global measure of bitcoin theft that could be measured over time to see if things are getting better or worse. Something as simple as # bitcoins reported stolen / average # of bitcoins in existence for each year.


Title: Re: A Bitcoin Security Paradox?
Post by: ebliever on February 23, 2015, 06:12:53 PM
By the way, here's a tip I learned (and proved out and implemented myself) this morning about Google Authenticator:

When you first set up an account on Google Authenticator, you either scan a QR code or manually type in a 16-character alphanumeric key. If you save the QR code or key you can use it to set up a duplicate copy of Google Authenticator on another device at a later date - very useful if your smartphone gets run over.

Just be careful not to store the GA codes on the smartphone running GA, or with the passwords for the account(s) in question.
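
Why the saved key works on a second device, as an added example that is not part of the original post: the six-digit code is a deterministic function of the key and the clock (RFC 6238 TOTP with HMAC-SHA1, 30-second steps and 6 digits, the defaults Google Authenticator uses). The 16-character key below is constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import struct

# Constructed 16-character demo key (base32 of b"1234567890"); never reuse it.
SAVED_KEY = "GEZDGNBVGY3TQOJQ"
# Secret from the RFC 6238 test vectors (ASCII "12345678901234567890").
RFC_KEY_B32 = base64.b32encode(b"12345678901234567890").decode()


def decode_key(key: str) -> bytes:
    """Decode a key as a user would type it: spaces and lower case tolerated."""
    cleaned = "".join(key.split()).upper()
    cleaned += "=" * (-len(cleaned) % 8)      # restore stripped base32 padding
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over an 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(key: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the current 30-second window."""
    return hotp(decode_key(key), unix_time // step, digits)


if __name__ == "__main__":
    now = 1424714400                           # constructed timestamp
    phone = totp(SAVED_KEY, now)               # original device
    tablet = totp("gezd gnbv gy3t qojq", now)  # key re-typed from the backup
    print(phone, tablet, phone == tablet)
```

The same property is the reason for the storage caution in the post: whoever holds the saved key can produce valid codes, with or without the phone.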


Title: Re: A Bitcoin Security Paradox?
Post by: MakingMoneyHoney on February 23, 2015, 06:19:03 PM
I'm not all that sanguine about cold storage for a couple reasons:

1. An article came out about a month ago that described how hackers could release cold wallet software that would generate non-random keys. The hackers could monitor the blockchain for identifiable transactions and would then have free access to anything in the supposedly safe cold wallet forever after. (Could this be what happened to Gox?)

2. There seems to be a perception (correct or not) that funds in cold storage are safer because the password is in hardcopy or offline. But it still exists in some form, so the risk of it being stolen still exists. So cold storage is not a game-changer for me; it may be a bit more secure, but it's not bulletproof.

Though there could be a program out there (released or just currently being made) to generate non-random keys for paper wallets, no one has seen it yet, as far as I'm aware. Many people suggest this site, https://bitcoinpaperwallet.com/bitcoinpaperwallet/generate-wallet.html, and the source has been released, and I would think if it was set up that way, someone would have noticed it by now. But please, correct me if I'm wrong.


Title: Re: A Bitcoin Security Paradox?
Post by: hhanh00 on February 23, 2015, 06:48:50 PM
I'm not all that sanguine about cold storage for a couple reasons:

1. An article came out about a month ago that described how hackers could release cold wallet software that would generate non-random keys. The hackers could monitor the blockchain for identifiable transactions and would then have free access to anything in the supposedly safe cold wallet forever after. (Could this be what happened to Gox?)

2. There seems to be a perception (correct or not) that funds in cold storage are safer because the password is in hardcopy or offline. But it still exists in some form, so the risk of it being stolen still exists. So cold storage is not a game-changer for me; it may be a bit more secure, but it's not bulletproof.

I hope you are right about current hacks being of the "lowest hanging fruit" in terms of poor security. It would be great if someone developed a global measure of bitcoin theft that could be measured over time to see if things are getting better or worse. Something as simple as # bitcoins reported stolen / average # of bitcoins in existence for each year.

1. The article in question refers to compromised software. If you use compromised software, all bets are off - that should go without saying. The details of the attack are well known to anyone who read about these signatures. I suppose it still generates page views.
2. 2FA - multisig - etc. doesn't change anything for me. They have their applications for sure but they don't introduce more intrinsic safety, on the contrary. Ultimately, you choose what you want to use.


Title: Re: A Bitcoin Security Paradox?
Post by: Cryddit on February 23, 2015, 08:32:11 PM

Though there could be a program out there (released or just currently being made) to generate non-random keys for paper wallets, no one has seen it yet, as far as I'm aware. Many people suggest this site, https://bitcoinpaperwallet.com/bitcoinpaperwallet/generate-wallet.html, and the source has been released, and I would think if it was set up that way, someone would have noticed it by now. But please, correct me if I'm wrong.

Nothing prevents people from releasing source code for a key generation technique different from the one they are actually using. 

Never.

     EVER.

          Use a key generated by someone who is not you, to store your money.


Title: Re: A Bitcoin Security Paradox?
Post by: MakingMoneyHoney on February 23, 2015, 08:45:10 PM

Though there could be a program out there (released or just currently being made) to generate non-random keys for paper wallets, no one has seen it yet, as far as I'm aware. Many people suggest this site, https://bitcoinpaperwallet.com/bitcoinpaperwallet/generate-wallet.html, and the source has been released, and I would think if it was set up that way, someone would have noticed it by now. But please, correct me if I'm wrong.

Nothing prevents people from releasing source code for a key generation technique different from the one they are actually using. 

Never.

     EVER.

          Use a key generated by someone who is not you, to store your money.

Do you know of a good guide to creating a paper wallet by yourself? (I know people mention dice-rolling.) I've never seen a guide on how to get it working though.


Title: Re: A Bitcoin Security Paradox?
Post by: tzpardi on February 25, 2015, 02:49:44 AM
By the way, here's a tip I learned (and proved out and implemented myself) this morning about Google Authenticator:

When you first set up an account on Google Authenticator, you either scan a QR code or manually type in a 16-character alphanumeric key. If you save the QR code or key you can use it to set up a duplicate copy of Google Authenticator on another device at a later date - very useful if your smartphone gets run over.

Just be careful not to store the GA codes on the smartphone running GA, or with the passwords for the account(s) in question.

Thanks, that is useful to know.


Title: Re: A Bitcoin Security Paradox?
Post by: JeromeL on February 25, 2015, 06:13:52 PM

I think we're going to end up seeing hardware wallets more, and hopefully cheaper.

I'm not terribly familiar with the HW wallets out there, so I have to ask: What happens if a HW wallet is lost/broken/eaten by a rhinoceros? How do you access your account in that case?

When you set up a hw wallet, you get a seed (for trezor it's a 24 words seed) that you need to write down on paper. You can also encrypt that seed with a password. If your hw wallet gets lost, broken, whatever, you can recover all your funds using your seed. You can buy another hw wallet or input the seed in conventional wallets like multibit or armory. And recover your funds.

If btc becomes more valuable, I was thinking of splitting up the seed and handing different pieces to trustworthy family members living in different regions with some kind of riddle with personal questions so they can find out the password. So if something bad happens to me, my funds won't be lost forever.


Title: Re: A Bitcoin Security Paradox?
Post by: stevenh512 on February 26, 2015, 07:49:27 AM

Though there could be a program out there (released or just currently being made) to generate non-random keys for paper wallets, no one has seen it yet, as far as I'm aware. Many people suggest this site, https://bitcoinpaperwallet.com/bitcoinpaperwallet/generate-wallet.html, and the source has been released, and I would think if it was set up that way, someone would have noticed it by now. But please, correct me if I'm wrong.

Nothing prevents people from releasing source code for a key generation technique different from the one they are actually using.  

Never.

     EVER.

          Use a key generated by someone who is not you, to store your money.

The wallet generator mentioned is based on bitaddress.org and any random numbers are generated in your browser, this means you can download it (as a .zip, or the source code published on GitHub) and run it on an offline computer. Nobody is generating your keys for you with bitcoinpaperwallet.com or bitaddress.org and if you use them on an offline machine they're both as secure an option as any other I can think of for making paper wallets. You can also use dice, a deck of cards or whatever external source you can think of to provide entropy instead of trusting your offline machine to generate random numbers.. just make sure you're providing enough entropy.

Do you know of a good guide to creating a paper wallet by yourself? (I know people mention dice-rolling.) I've never seen a guide on how to get it working though.

1 - Download the wallet generator from bitaddress.org or bitcoinpaperwallet.com (or their source code on GitHub), whichever one you prefer.
2 - Open the html file in a browser on an offline computer. For this, I use an Ubuntu or Linux Mint live DVD with my laptop's wifi disabled and nothing plugged into the ethernet port. Follow the instructions on the page to generate a paper wallet.
2a - (optional) If you don't trust your computer to generate random numbers, get some dice and follow the instructions to generate them (in the "print front" page on bitcoinpaperwallet, "wallet details" page on bitaddress). The bitcoinpaperwallet page also tells you how to use a deck of cards, but I personally trust a good set of casino dice a lot more than my own card shuffling ability.
2b - (optional) You can BIP38 encrypt your private keys. Choose a strong passphrase that you'll be able to remember.
3 - Print your wallet. Cut and fold as appropriate.
3a - (optional) Laminate your wallet. You won't be able to write on it with a pen, but it'll be protected from fading and water damage.
3b - (optional) Print it on Teslin, it'll be waterproof as soon as the ink dries, no need to laminate.

Reboot and enjoy. As far as I can tell, you won't be able to provide your own entropy on the "paper wallet" page of bitaddress.org but you can always print the "wallet details" page.

edit: Always make sure you save a copy of the wallet generator you used, especially if you BIP38 encrypted your keys. You want to make sure you can decrypt those in the future, plus you'll always have a copy of the paper wallet generator if you want to make more wallets. If you use BIP38, it doesn't hurt to create a "throwaway" wallet just for the purpose of sending a small amount to it and sending that money right back to your hot wallet.. just to make sure it works before you trust it with larger amounts of money. Sending back to your hot wallet is easy with Electrum, GreenAddress, Blockchain and probably quite a few other desktop and online wallets.. just sweep the private key (decrypt it first if you used BIP38).
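
The "make sure you're providing enough entropy" caveat in the post above, as an added example that is not part of the original post or of either wallet generator. It checks how much entropy a run of dice rolls carries and converts the rolls to a private key. The 99-roll requirement, the mapping of faces 1-6 to base-6 digits 0-5 and the chi-square cutoff are choices made for this example, and the sample rolls are constructed.

```python
import math
from collections import Counter

# Order of the secp256k1 group: a valid private key is an integer in [1, N-1].
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

ROLLS_REQUIRED = 99    # assumption: 6**99 < N, so no roll sequence overflows
CHI2_CUTOFF = 20.515   # chi-square, 5 degrees of freedom, p = 0.001

# Constructed sample input; a published sequence must never be used as a key.
SAMPLE_ROLLS = "".join((
    "36145226315", "64253116425", "51362445136",
    "24615332461", "15436221543", "62541336254",
    "43216554321", "31652443165", "56324115632",
))


def entropy_bits(rolls: int, sides: int = 6) -> float:
    """Entropy of `rolls` fair, independent throws of a `sides`-sided die."""
    return rolls * math.log2(sides)


def face_chi2(rolls: str) -> float:
    """Chi-square statistic of the face counts against a fair six-sided die."""
    expected = len(rolls) / 6
    counts = Counter(rolls)
    return sum((counts.get(f, 0) - expected) ** 2 / expected for f in "123456")


def dice_to_private_key(rolls: str) -> str:
    """Turn 99 dice rolls into a 64-hex-digit private key, or raise ValueError."""
    rolls = "".join(rolls.split())             # allow spaces between groups
    if len(rolls) != ROLLS_REQUIRED or set(rolls) - set("123456"):
        raise ValueError("need exactly 99 rolls, each a face from 1 to 6")
    if face_chi2(rolls) > CHI2_CUTOFF:
        raise ValueError("face counts far from uniform: check dice and notes")
    value = 0
    for face in rolls:                         # Horner's rule in base 6
        value = value * 6 + (int(face) - 1)
    if not 0 < value < SECP256K1_N:
        raise ValueError("value outside the valid private-key range")
    return format(value, "064x")


if __name__ == "__main__":
    print(f"99 rolls carry {entropy_bits(99):.1f} bits of entropy")
    print(dice_to_private_key(SAMPLE_ROLLS))
```

The chi-square check only catches gross bias or a transcription slip such as a stuck digit; it cannot prove that the rolls were random.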


Title: Re: A Bitcoin Security Paradox?
Post by: MakingMoneyHoney on February 27, 2015, 08:16:54 PM

Though there could be a program out there (released or just currently being made) to generate non-random keys for paper wallets, no one has seen it yet, as far as I'm aware. Many people suggest this site, https://bitcoinpaperwallet.com/bitcoinpaperwallet/generate-wallet.html, and the source has been released, and I would think if it was set up that way, someone would have noticed it by now. But please, correct me if I'm wrong.

Nothing prevents people from releasing source code for a key generation technique different from the one they are actually using.  

Never.

     EVER.

          Use a key generated by someone who is not you, to store your money.

The wallet generator mentioned is based on bitaddress.org and any random numbers are generated in your browser, this means you can download it (as a .zip, or the source code published on GitHub) and run it on an offline computer. Nobody is generating your keys for you with bitcoinpaperwallet.com or bitaddress.org and if you use them on an offline machine they're both as secure an option as any other I can think of for making paper wallets. You can also use dice, a deck of cards or whatever external source you can think of to provide entropy instead of trusting your offline machine to generate random numbers.. just make sure you're providing enough entropy.

Do you know of a good guide to creating a paper wallet by yourself? (I know people mention dice-rolling.) I've never seen a guide on how to get it working though.

1 - Download the wallet generator from bitaddress.org or bitcoinpaperwallet.com (or their source code on GitHub), whichever one you prefer.
2 - Open the html file in a browser on an offline computer. For this, I use an Ubuntu or Linux Mint live DVD with my laptop's wifi disabled and nothing plugged into the ethernet port. Follow the instructions on the page to generate a paper wallet.
2a - (optional) If you don't trust your computer to generate random numbers, get some dice and follow the instructions to generate them (in the "print front" page on bitcoinpaperwallet, "wallet details" page on bitaddress). The bitcoinpaperwallet page also tells you how to use a deck of cards, but I personally trust a good set of casino dice a lot more than my own card shuffling ability.
2b - (optional) You can BIP38 encrypt your private keys. Choose a strong passphrase that you'll be able to remember.
3 - Print your wallet. Cut and fold as appropriate.
3a - (optional) Laminate your wallet. You won't be able to write on it with a pen, but it'll be protected from fading and water damage.
3b - (optional) Print it on Teslin, it'll be waterproof as soon as the ink dries, no need to laminate.

Reboot and enjoy. As far as I can tell, you won't be able to provide your own entropy on the "paper wallet" page of bitaddress.org but you can always print the "wallet details" page.

edit: Always make sure you save a copy of the wallet generator you used, especially if you BIP38 encrypted your keys. You want to make sure you can decrypt those in the future, plus you'll always have a copy of the paper wallet generator if you want to make more wallets. If you use BIP38, it doesn't hurt to create a "throwaway" wallet just for the purpose of sending a small amount to it and sending that money right back to your hot wallet.. just to make sure it works before you trust it with larger amounts of money. Sending back to your hot wallet is easy with Electrum, GreenAddress, Blockchain and probably quite a few other desktop and online wallets.. just sweep the private key (decrypt it first if you used BIP38).

Thanks. I'm adding information on rolling dice to create paper wallets in my guide. And I previously used Ubuntu/Offline/Offline printer to create a paper wallet with the zipped files from bitcoinpaperwallet's site.

I also found this website on dice-rolling: http://www.swansontec.com/bitcoin-dice.html


Title: Re: A Bitcoin Security Paradox?
Post by: ebliever on March 16, 2015, 08:24:02 PM
http://www.coindesk.com/bitgo-update-expands-security-controls-for-consumers/

Multi-sig for individual users with BitGo. While regular folks may be slow to adopt it, I predict 2015 will see a marked drop in BTC losses among companies/exchanges/organizations as they migrate to multi-sig.

Couldn't happen too soon; an exchange I used up until a few weeks ago (Allcrypt) just announced their BTC wallet was emptied over the weekend. That's eerie because that's the 2nd time I've left an exchange shortly before it collapsed (Mintpal). And for that matter, I was able to profit in the chaos surrounding Cryptorush's end as well (lost $20 when it shut down, but profited several times that amount in the final day as people struggled to extract funds.)


Title: Re: A Bitcoin Security Paradox?
Post by: CreationLayer on March 17, 2015, 12:52:00 AM
http://www.coindesk.com/bitgo-update-expands-security-controls-for-consumers/

Multi-sig for individual users with BitGo. While regular folks may be slow to adopt it, I predict 2015 will see a marked drop in BTC losses among companies/exchanges/organizations as they migrate to multi-sig.

Couldn't happen too soon; an exchange I used up until a few weeks ago (Allcrypt) just announced their BTC wallet was emptied over the weekend. That's eerie because that's the 2nd time I've left an exchange shortly before it collapsed (Mintpal). And for that matter, I was able to profit in the chaos surrounding Cryptorush's end as well (lost $20 when it shut down, but profited several times that amount in the final day as people struggled to extract funds.)

There should be a more secure 2fa on withdrawals and account activity for platforms. Phishing and other issues will result in a lot of users getting hacked potentially even with insurance, it costs the business significant amounts. Google 2fa/sms/authy are all text based and generated on a time seed which is vulnerable to multiple attack vectors, any time you use a text based 2fa it's like typing a private key in. I wish more exchanges would use clef... public/private key crypto with anti-phishing.

http://sakurity.com/blog/2015/03/15/authy_bypass.html/

 Anyways, multi-sig should really be ubiquitous and I still don't understand why companies choose to keep all funds in one "hot wallet". It costs almost nothing to split funds amongst multiple wallets, and have distributed multi-sig keys. Sorry to hear you lost funds, I think this mass incompetence of putting all eggs in one basket with one key is ridiculous.

The main issue is that waiting for a withdrawal on an exchange is annoying and makes users worry. Without this mass hot wallet with direct access from the platform, wallets have to be cycled and a more complex architecture is required. Simply put, the small players don't have the staff or development to protect customers in the same manner, a wallet provider adding this feature is per user, and separate while an exchange is one wallet or a few wallets for everyone :(


Title: Re: A Bitcoin Security Paradox?
Post by: ebliever on March 17, 2015, 01:00:21 AM
http://www.coindesk.com/bitgo-update-expands-security-controls-for-consumers/

Multi-sig for individual users with BitGo. While regular folks may be slow to adopt it, I predict 2015 will see a marked drop in BTC losses among companies/exchanges/organizations as they migrate to multi-sig.

Couldn't happen too soon; an exchange I used up until a few weeks ago (Allcrypt) just announced their BTC wallet was emptied over the weekend. That's eerie because that's the 2nd time I've left an exchange shortly before it collapsed (Mintpal). And for that matter, I was able to profit in the chaos surrounding Cryptorush's end as well (lost $20 when it shut down, but profited several times that amount in the final day as people struggled to extract funds.)

There should be a more secure 2fa on withdrawals and account activity for platforms. Phishing and other issues will result in a lot of users getting hacked potentially even with insurance, it costs the business significant amounts. Google 2fa/sms/authy are all text based and generated on a time seed which is vulnerable to multiple attack vectors, any time you use a text based 2fa it's like typing a private key in. I wish more exchanges would use clef... public/private key crypto with anti-phishing.

http://sakurity.com/blog/2015/03/15/authy_bypass.html/

 Anyways, multi-sig should really be ubiquitous and I still don't understand why companies choose to keep all funds in one "hot wallet". It costs almost nothing to split funds amongst multiple wallets, and have distributed multi-sig keys. Sorry to hear you lost funds, I think this mass incompetence of putting all eggs in one basket with one key is ridiculous.

The main issue is that waiting for a withdrawal on an exchange is annoying and makes users worry. Without this mass hot wallet with direct access from the platform, wallets have to be cycled and a more complex architecture is required. Simply put, the small players don't have the staff or development to protect customers in the same manner, a wallet provider adding this feature is per user, and separate while an exchange is one wallet or a few wallets for everyone :(

Well, I dodged a number of bullets and only have the indirect hits (I call it shrapnel) from all the various scandals and thefts and altcoin scheming and so forth. I figure by most veterans' standards I've gotten off easy thus far. I picture the security situation at traditional institutions like banks is like a bucolic picture of a peaceful castle with tall walls and guards posted, with a few bandits lurking in the shadows of the forest in the background. With bitcoin the security situation is more like.... well, have you seen the movie The Two Towers? Remember the Battle of Helm's Deep?  ::)

I think we'll get things locked down. I really am optimistic. For one thing, people can negate 99%-99.9% of the risk now by employing prudent safeguards without much fuss or reliance on anyone else. This thread has been very helpful in that regard.


Title: Re: A Bitcoin Security Paradox?
Post by: CreationLayer on March 17, 2015, 01:06:08 AM
http://www.coindesk.com/bitgo-update-expands-security-controls-for-consumers/

Multi-sig for individual users with BitGo. While regular folks may be slow to adopt it, I predict 2015 will see a marked drop in BTC losses among companies/exchanges/organizations as they migrate to multi-sig.

Couldn't happen too soon; an exchange I used up until a few weeks ago (Allcrypt) just announced their BTC wallet was emptied over the weekend. That's eerie because that's the 2nd time I've left an exchange shortly before it collapsed (Mintpal). And for that matter, I was able to profit in the chaos surrounding Cryptorush's end as well (lost $20 when it shut down, but profited several times that amount in the final day as people struggled to extract funds.)

There should be a more secure 2fa on withdrawals and account activity for platforms. Phishing and other issues will result in a lot of users getting hacked potentially even with insurance, it costs the business significant amounts. Google 2fa/sms/authy are all text based and generated on a time seed which is vulnerable to multiple attack vectors, any time you use a text based 2fa it's like typing a private key in. I wish more exchanges would use clef... public/private key crypto with anti-phishing.

http://sakurity.com/blog/2015/03/15/authy_bypass.html/

 Anyways, multi-sig should really be ubiquitous and I still don't understand why companies choose to keep all funds in one "hot wallet". It costs almost nothing to split funds amongst multiple wallets, and have distributed multi-sig keys. Sorry to hear you lost funds, I think this mass incompetence of putting all eggs in one basket with one key is ridiculous.

The main issue is that waiting for a withdrawal on an exchange is annoying and makes users worry. Without this mass hot wallet with direct access from the platform, wallets have to be cycled and a more complex architecture is required. Simply put, the small players don't have the staff or development to protect customers in the same manner, a wallet provider adding this feature is per user, and separate while an exchange is one wallet or a few wallets for everyone :(

Well, I dodged a number of bullets and only have the indirect hits (I call it shrapnel) from all the various scandals and thefts and altcoin scheming and so forth. I figure by most veterans' standards I've gotten off easy thus far. I picture the security situation at traditional institutions like banks is like a bucolic picture of a peaceful castle with tall walls and guards posted, with a few bandits lurking in the shadows of the forest in the background. With bitcoin the security situation is more like.... well, have you seen the movie The Two Towers? Remember the Battle of Helm's Deep?  ::)

I think we'll get things locked down. I really am optimistic. For one thing, people can negate 99%-99.9% of the risk now by employing prudent safeguards without much fuss or reliance on anyone else. This thread has been very helpful in that regard.

On the simplest level I will say, only keep on an exchange what you are willing to risk at that time. Choose your preferred secure wallet provider, and move funds out accordingly to reduce risk.