Trying to understand more about wallet security

[Outhue]

Are every single wallets passwords useless once someone have access to the private key or recovery seed? Are there no projects or chains that implements password inside the private key so that even if you import the private key in a another fresh wallet you will still be asked for the password.

[jackg]

There was bip38 which encrypted private keys with a password (I think they then begin with a 'U').

The bip39 protocols for making the mnemonic phrase also allow you to extend your mnemonic with a passphrase (by adding words to the end of the mnemonic but it's not supported by non-standard types like electrum).

[pooya87]

No there isn't because at the end of the line there has to be something that doesn't need encrypting anymore and you can still leak that last step and compromise your keys. The only solution is not leak the password used for encryption in first place.

You can also use some other features that bitcoin offers such as multi-signature wallets, where spending coins requires signature from multiple keys. Then you can store these keys separately. For example one key  in your cold storage PC (air gap with Linux) and another in your hardware wallet in a 2of2 setup.

[witcher_sense]

even if you import the private key in a another fresh wallet you will still be asked for the password.

Such a mechanism already exists: whenever your import your seed words into a fresh wallet, it will ask you if you have an additional passphrase with which you extended your initial seed to make it more protected from accidental loss or hacking. If you answer positively, you enter your passphrase and get access to your funds. Without the passphrase, there will be a completely different wallet because every single passphrase or no passphrase when combined with your seed will result in different private keys, public keys, and therefore different addresses. If a hacker steals your seed words but not your passphrase, he will find nothing but an empty wallet. Like I said, each passphrase results in its own set of keys, which also means there is no such thing as a correct or incorrect passphrase: in order to get access to your funds, you should enter exactly the same passphrase you generated private keys from.

More info:

https://www.blockplate.com/blogs/blockplate/what-is-a-bip39-passphrase

[mk4]

Passphrases: they can't steal your funds if they only have the recovery seed; they're going to need the passphrase as well.

Passwords(or pins): this layer of protection is solely there to prevent unintended access to your wallet; like when someone stole your phone or something — the password/pin is there just so they can't access the wallet app. But if the thief gained access to your recovery seed, the password(or pin) is useless.

^Assuming we're talking about non-custodial wallets here. https://cryptosec.info/wallets

[NeuroticFish]

Are every single wallets passwords useless once someone have access to the private key or recovery seed? Are there no projects or chains that implements password inside the private key so that even if you import the private key in a another fresh wallet you will still be asked for the password.

I will talk here about non-custodial wallets, since custodial ones are simply accounts on a platform, not proper wallets.

You should start with understanding that the coins are not in the wallet, they're on the blockchain. Anybody who can sign a transaction he can send away the coins, that all that's needed.
You should also understand that usually you have a wallet software and a wallet file. The wallet file contains some information that allows the wallet software obtain the private keys necessary to sign transactions.

Now, if you protect by any means (password) your wallet, it's basically only that file you protect.
One can make from seed/private key a new wallet file and sign transaction. One can use the private key with a script and sign transaction (i.e. spend those coins).

So if you have password for your wallet, but you don't protect the seed/private key properly, it's like you put a steel grid over your window, but keep all the doors wide open.

[dbc23]

Are every single wallets passwords useless once someone have access to the private key or recovery seed? Are there no projects or chains that implements password inside the private key so that even if you import the private key in a another fresh wallet you will still be asked for the password.

From what I understand from your post you are asking about wallet password and not encryption password if it's wallet password then the password is only useful on the device where your wallet exist once your private key is compromised then your wallet password is useless. Because entering your private key on a new device wouldn't demand for your wallet password. Always remember" not yours keys not your coin"

[dkbit98]

Are every single wallets passwords useless once someone have access to the private key or recovery seed?

Yes they are, for most wallets.
Passwords and PIN codes are mostly connected with local device and they are not so hard to crack if they are weak.
From all software wallets I know only Wasabi is password in combination with seed words, so you need that password for recovering your funds in addition with seed words.
Wallets like exodus use regular passwords that are only used as superficial protection.

Are there no projects or chains that implements password inside the private key so that even if you import the private key in a another fresh wallet you will still be asked for the password.

There is no need for using other chains, just using different passphrases with BIP39 seed phrase can serve this purpose.
There is a big difference between regular password and passphrase that is used as a soil added to 12 or 24 seed words.
Note that losing a passprhase means losing your coins, so proper backup must be done for that.

[Rikimaruu]

Every crypto private key is like a security factory reset once someone has access to the key, all the security settings will be gone, 2FA, fingerprint or pin code only works on your present device if the private key is safe.

[Welsh]

This is why it's recommended to never store your private key digitally, and if you're storing it physically, make sure it's concealed, and safe from most threats. You can''t 100% protect it from threats, that's just unrealistic to assume. However, you can make a pretty good job of it so that most attacks are somewhat mitigated.

By the way, you probably shouldn't be storing your password digitally or anywhere that can be found easily, since the same principles apply. Although, a private key can completely bypass that password, whereas the password is only useful if they've the wallet file too.

[The Cryptovator]

As others users said you may implement some additional security to keep safe your funds. But I am wondering how you are gonna protect your additional passwords if you can't protect your seeds or private keys. I have seen some cases where users used additional passwords to generate and encrypt private keys for paper wallets. So in the end, they had written the private keys and didn't write the passwords. Eventually when they tried to access their funds forget the password which has used to encrypt private keys. So if you need to write your passwords as well then it's going to same writing your private keys and both would be stolen or lost. So better use a hardware wallet and keep secure your seeds in a secret place, so even lost the device can't access without a password and you can always recover your fund through the seed phrase.

[tbct_mt2]

There are single signature or multi-signature wallets. Multi-signature wallets require a number of signatures to sign transaction and unlock fund in your wallet. You can use it to co-sign a transaction by a wallet in which you store fund, and some other empty wallets without fund but play as co-signers for your transactions.

Indeed, you should secure all of those wallets but multi-signature wallet help you in case one of your wallets are compromised. If the number of compromised wallets is not enough, transaction can not be processed.

Protect your keys is most important, no matter single-signature or multi-signature wallet you are using.

[nakamura12]

Every crypto private key is like a security factory reset once someone has access to the key, all the security settings will be gone, 2FA, fingerprint or pin code only works on your present device if the private key is safe.

If you don't know how to have a multi signature wallet or a more secured wallet but it is compromised then you better abandon it and use a new wallet if that's the case then transfer the funds if you have funds remaining from the previous wallet if the one who knows the wallet important haven't beat you to take the funds first then that person failed to steal your funds but if a thief knows your private ket for example then that person would transfer it right away.

[Trojane]

The security of your wallet doesn't primarily depends on how good you're in hiding your priv keys or making long passphrase and whatsoever; what if through some blockchain spamming or phishing, your wallet becomes a victim?
Secondarily, we could advice everyone to keep their priv keys within thier valuables; this has nothing to do with creating long pin and passwords...and I keep asking myself' is there not a better way of still not making the priv keys the final solution to getting people's account shrinked? Is there not a way that maybe a four digit code is made to optimize and guard the priv keys so that if it's not imputed, funds cannot be accessed? Just thinking aloud: priv keys are long and clumsy and cannot be crammed but a four digit PIN just like that of our ATM cards can easily be crammed and stored within our memories. ...