Time to bust a myth. Paper wallets are less secure than normal encrypted wallets

[Blazr]

This seems to be a pretty common myth among Bitcoiners now. Often what I hear people say is that paper is not hackable, therefore your Bitcoins are safe from hackers. However given actual realworld scenarios I am going to show you that a paper wallet provides no extra security than a properly made encrypted wallet stored on the PC.

For my examples, here are how the two types of wallets are created.




Paper wallet:
The user downloads software to generate a paper wallet, a common one is https://bitaddress.org.
Often times the user will disconnect their internet when generating the wallet, or if they are extra paranoid they will also use a live operating system, like a Ubuntu live CD, to run the paper wallet software.
The user generates a number of paper wallets, paranoid users will encrypt them with a password. The user will either print these out or handwrite them


Encrypted wallet:
The user downloads wallet software such as electrum
The user then creates a new wallet and encrypts it with a strong unique password, the user should never enter this password anywhere else other than the wallet software, and the password should be at least 80bits strong. In my example the user will use a randomly generated 16 character password made up of upper and lower letters, numbers and special symbols, which is 106bits.




The creation process:

We are going to pretend that the OS you use everyday on your computer is infected with malware during the creation process and see how the two types of wallets are vulnerable.

Paper wallet:
When you are creating the paper wallet, any malware on your PC can read the private keys. What most people will tell you to do is disconnect from the internet, that this will prevent the malware from sending back the private key, but it won't, the malware will simply wait until you reconnect to the internet and send the private key then.

But it doesn't even need internet to steal your bitcoins. The malware can interfere with the generation process itself, and give you a private key and Bitcoin address that is already known to the hacker. This is called
 backdooring the random number generator.

Now one will be quick to point out that if we are using a live OS like ubuntu that the malware won't be running and cannot do anything. That might be the case for many types of dumb malware, however there does exist malware that can hide in the BIOS and firmware of your computer and can infect your live operating system. Here are some examples of this type of malware in the wild:

http://www.theregister.co.uk/2015/02/17/kaspersky_labs_equation_group/
https://en.wikipedia.org/wiki/BadBIOS

If you print out your wallet, the printer provides a whole other avenue for attack. If it is a networked printer, when you hit print your computer will send your wallet out over the network unencrypted to the printer, allowing anyone to listen in and steal it. Some printers also have a built-in memory that stores what is printed out, even if you clear this memory it is possible to recover it in some cases with proper forensics tools.

Encrypted wallet:
An encrypted wallet is just as vulnerable as a paper wallet during the creation process. It too can have it's private keys transmitted by malware, or it's random number generator backdoored.

Summary:
Both wallets are just as vulnerable to theft. Paper wallets are slightly more vulnerable if you use a printer.

Disconnecting from the internet is entirely pointless and provides no extra security whatsoever. Running a live OS will somewhat protect you from dumb malware, however this is basically security through obscurity.




While your bitcoin is in storage:

Now we are going to pretend you've been infected with malware while your Bitcoins are in your wallet.

Paper wallet:
There is a small chance that whatever software you used to generate the paper wallet has left a trace behind on your computer during the creation process. The private key may have accidentally entered your swap and ended up written to disk. If this has happened then the malware can steal your Bitcoins.

If this has not happened then you are safe, because malware can't "jump" from your PC onto your paper wallet.
However you are not safe from physical theft unless you encrypted your paper wallet.

Encrypted wallet:
The malware can steal your wallet file, however, the wallet file is encrypted. Because the password is 16 characters long, the hacker cannot access your wallet. If the hacker had the computing power of all Bitcoin miners combined it would take 45964.97 years to crack just your wallet - and thats under a best case scenario. So even though the malware can read the wallet, it cannot do anything with it. Now some of you are going to say "keylogger" - we'll get to that in the next part.

Summary:
While the Bitcoins are being stored in the wallet, both wallets are very safe. Bitcoins can be physcially stolen from paper wallets if they are not encrypted, and if you use a weak password on your normal encrypted wallet then they can also be stolen.




While Sending Bitcoins:
Now we are going to pretend you've been infected with malware while you attempt to send Bitcoins from your wallet:

Paper wallet:
Once you enter in the private key into your computer the malware can immediately steal it and it's game over. Much like the creation process disconnecting from the internet or using a live OS won't help much as Bitcoin transaction has a random number called a K value, which the malware can backdoor to steal your Bitcoins even if you are offline. Also you need to go online to broadcast the transaction anyway.

Encrypted wallet:
Once you enter in the password into your computer the malware can immediately steal it (keylogger) and it's game over.

Summary:
Both wallets are completely vulnerable to theft.




Conclusion:
Paper wallets are hackable, despite claims that some people make, and are just as vulnerable as properly created encrypted wallets.
Paper wallets also have extra security concerns such as physical theft or if you use a printer.
Paper wallets may be cool, and they may be useful for some situations, but if you want to secure your Bitcoins, ignore all of the half-informed sheeple telling you to create a paper wallet and create a normal encrypted wallet, encrypt it with a strong randomly generated password and never enter this password anywhere other than the wallet software. This is safer than a paper wallet and MUCH more convenient. Also paper wallets encourage address reuse which is bad, if you use paper wallets you need to make a new wallet everytime you make a transaction if you want any kind of privacy at all.

[1714751096]

1714751096

[1714751096]

1714751096

[1714751096]

1714751096

[1714751096]

1714751096

[Blazr]

Any feedback would be much appreciated, I am still updating this. I had to explain to someone today how their paper wallet was hacked when they went to send Bitcoins from it, they were shocked when I told them paper wallets could be hacked just as easy if not easier than encrypted wallets. There is too much FUD and half-truths out there when it comes to information on Bitcoin, lots of people are completely misinformed.

[Blazr]

If I haven't created a M of N wallet on a permanently air gapped machine, and then stored the pieces in multiple different physical locations, I don't feel secure.

Yep. That is cold storage. If you are not creating your wallet and only using it on a permanently airgapped machine, then it is not cold storage. Paper wallets are not cold storage unless they are created and exclusively used on an airgapped machine.

[Jakesy]

As a sort of counter argument for some of the paper wallet drawbacks (i.e. printer, hacked computer)... you can create your own machine AND printer as an all-in-one device that never touches the internet: https://github.com/piperwallet/Piper

You can inspect the code for these backdooor random number generator.  And you can order your own raspberry pi and printer accessories online to assemble yourself.  Bonus: it doubles as a digital backup AND you can backup to as many USBs as you would like.  

The ONLY drawback to this method is that you have to keep the machine as safe as your paper wallets (safe from theft).

[Blazr]

As a sort of counter argument for some of the paper wallet drawbacks (i.e. printer, hacked computer)... you can create your own machine AND printer as an all-in-one device that never touches the internet: https://github.com/piperwallet/Piper

You can inspect the code for these backdooor random number generator.  And you can order your own raspberry pi and printer accessories online to assemble yourself.  Bonus: it doubles as a digital backup AND you can backup to as many USBs as you would like.  

The ONLY drawback to this method is that you have to keep the machine as safe as your paper wallets (safe from theft).

Storing an encrypted wallet on the separate machine is just as safe, if not safer (physical theft), and  it's much more convenient than scanning QR codes/typing in private keys and printing a new paper wallet each time you make a transaction.

By the way, the software you chose there, Piper, uses a weak random number generator:
https://github.com/piperwallet/Piper/blob/master/randomPass.py

it is using random.randint to generate the seed, this is not a cryptographically secure way of generating random numbers:
https://blog.spideroak.com/20121205114003-exploit-information-leaks-in-random-numbers-from-python-ruby-and-php

It may be possible for a hacker to predict the private keys of everyone who uses that software. I would stay far away from this project.

[Light]

Paper wallets also have extra security concerns such as physical theft or if you use a printer.

Paper wallets may be cool, and they may be useful for some situations, but if you want to secure your Bitcoins, ignore all of the half-informed sheeple telling you to create a paper wallet and create a normal encrypted wallet, encrypt it with a strong randomly generated password and never enter this password anywhere other than the wallet software.

This is safer than a paper wallet and MUCH more convenient. Also paper wallets encourage address reuse which is bad, if you use paper wallets you need to make a new wallet everytime you make a transaction if you want any kind of privacy at all.

Agree with most of it.

Since we're going into the scenarios where you have malware residing in your BIOS specifically aimed at adjusting the RNG of your address generator (which is highly unlikely), you've ignored the fact that someone could break into your house and steal you're air gapped device. It is just as prone to physical theft.

TBH, paper wallets are pretty much just as secure as an air gapped machine (assuming you use BIP38 to secure it) - but yes they are less convenient if you need to move coins regularly. For people like myself you don't intend to move coins for an eternity, I don't necessarily need an airgapped machine to sign transactions I'm not going to make.

Mathematically, reuse makes the address marginally less secure - but yes, it hurts your privacy.

[Blazr]

Since we're going into the scenarios where you have malware residing in your BIOS specifically aimed at adjusting the RNG of your address generator (which is highly unlikely),

Thats actually not as difficult to do as you might imagine, all the malware needs to do is mess with the RNG in the Linux kernel, which is stored in a known place and is stored unencrypted even in most types of full disk encrypted machines. So it's just "run this patch against the kernel". The hard part is that there are many different kinds of BIOS's, and the malware needs to be tailored against each type. This can be overcome by not using the BIOS but using the hard drive firmware like the NSA did in the article I linked, almost all hard drives come from 12 manufacturers and each manufacturers firmware is almost identical across all their products so you only need 12 variants to be able to infect almost any hard drive.

you've ignored the fact that someone could break into your house and steal you're air gapped device. It is just as prone to physical theft.

No use, its an encrypted wallet.

TBH, paper wallets are pretty much just as secure as an air gapped machine

No.

[Light]

Thats actually not as difficult to do as you might imagine, all the malware needs to do is mess with the RNG in the Linux kernel, which is stored in a known place and is stored unencrypted even in most types of full disk encrypted machines. So it's just "run this patch against the kernel". The hard part is that there are many different kinds of BIOS's, and you would need to write one for each kind. This can be overcome by not using the malware but using the hard drive firmware like the NSA did in the article I linked, almost all hard drives come from 1 of 12 manufacturers and each manufacturers firmware is almost identical across all their products.

If you do it properly and buy a new machine (ie. Rasp Pi) and run a live version of Linux which you've checked against the SHA and MD5 sums it is incredibly unlikely. If we're going down the NSA route - the reality is there is nothing you can do about it. Good luck not using a computer which hasn't been tampered with if the NSA wants it tampered with. For all you know, the NSA could have broken all forms of encryption or inserted backdoors rendering it all useless.

No use, its an encrypted wallet.

I'm not saying it's gonna get your coins stolen - in comparison to paper wallets I'm saying BOTH can be physically stolen.

No.

How is it less secure than a cold storage device? Both are open to the same vulnerabilities - and unless your an actuary who can quanitfy the likelihood of risk associated with each vulnerability then I'll take them as being the same.

[Blazr]

If you do it properly and buy a new machine (ie. Rasp Pi) and run a live version of Linux which you've checked against the SHA and MD5 sums it is incredibly unlikely. If we're going down the NSA route - the reality is there is nothing you can do about it. Good luck not using a computer which hasn't been tampered with if the NSA wants it tampered with. For all you know, the NSA could have broken all forms of encryption or inserted backdoors rendering it all useless.

I mentioned the NSA as we know the most about their attacks on BIOS and firmware due to the leaks and Kaspersky's report, but these attacks are not THAT difficult to pull off. Some eastern european crybercriminal gangs have used similar techniques to steal from banks, and it's only a matter of time before they turn to Bitcoin.

If your going to buy a fresh PC use it for cold storage with an encrypted wallet, using a paper wallet provides no extra security and extra hassle.

I'm not saying it's gonna get your coins stolen - in comparison to paper wallets I'm saying BOTH can be stolen.

encrypted wallets have the benefit here, because they are encrypted with a strong password you can back them up remotely so even if your cold storage PC is stolen you can still get at your funds. Paper wallets can also be backed up of course, but storing them in remote locations can be difficult, and you have to physically go there to check if its still intact.

How is it less secure than a cold storage device? Both are open to the same vulnerabilities - and unless your an actuary who can quanitfy the likelihood of risk associated with each vulnerability then I'll take them as being the same.

What device do you use to spend from your paper wallet?

If you are using the paper wallet with a cold storage device then it is just as safe as the device itself. If you are using the paper wallet with your everyday PC, it is obviously less secure.

tl;dr; paper wallets are only as secure as the device you use them with, in the best case scenario.

[Light]

What device do you use to spend from your paper wallet?

If you are using the paper wallet with a cold storage device then it is just as safe as the device itself. If you are using the paper wallet with your everyday PC, it is obviously less secure.

tl;dr; paper wallets are only as secure as the device you use them with, in the best case scenario.

That's the thing I'm not planning on spending from those address for a very long time - meaning they're just there as storage. But if needs be I could easily set up a cold storage and sign txs offline.

For people in my case, you don't need a secondary device till you actually want to spend. The only vulnerability is the initial creation - which we have discussed.

Basically if done correctly - both are just as safe.

[Blazr]

What device do you use to spend from your paper wallet?

If you are using the paper wallet with a cold storage device then it is just as safe as the device itself. If you are using the paper wallet with your everyday PC, it is obviously less secure.

tl;dr; paper wallets are only as secure as the device you use them with, in the best case scenario.

That's the thing I'm not planning on spending from those address for a very long time - meaning they're just there as storage. But if needs be I could easily set up a cold storage and sign txs offline.

For people in my case, you don't need a secondary device till you actually want to spend. The only vulnerability is the initial creation - which we have discussed.

Basically if done correctly - both are just as safe.

You need a secure device to create it and a secure device to spend it. Sure you could keep it on a paper wallet instead of keeping it on the device itself, but seeing as you have to actually have the device to create the paper wallet I don't see the usefulness of this much.

In your case you had a secure device when creating the paper wallet, I don't know why you can't use this same secure device to store and spend them.

[Light]

You need a secure device to create it and a secure device to spend it. Sure you could keep it on a paper wallet instead of keeping it on the device itself, but seeing as you have to actually have the device to create the paper wallet I don't see the usefulness of this much.

In your case you had a secure device when creating the paper wallet, I don't know why you can't use this same secure device to store and spend them.

You're right, I could. But I had other plans to use that device aside from just initially generating and storing a wallet.

But for me, where I'm located, fires and floods are a greater risk - so being able to store keys in different locations rather than on a single device in my home is a better solution. Theoretically I could purchase multiple Pi's or whatever but it kinda becomes inefficient and unfeasible - especially if you're storing it in hard to get places.

[gmaxwell]

Thanks. You might want to change the ":" to a "." since its easy to misread the title, I loaded this thread all ready to chew you out and disagree with you; only to realize that you were saying the opposite of what I expected from the title.

"Paper wallets" have been the subject of a bunch of marketing push from a couple different angles. They're fun, some people have a commercial interest in them, they make for good security theater. But seldom do they make for good security.  Ignoring malware the number one risk to people's bitcoins is loss/destruction, and often the paper does particular poor there without special care. (I've now dealt with two people that lost substantial amounts of bitcoins due to paper wallets and water damage!).

An extra data point is that the web services you see are cryptographic crapshoots.

They have random unreviewed crypto code, written by someone who's never done anything like it before or copy-pasta from someplace else that had no review. I've seen a fair amount of stuff that was so broken that you had to have at least four kinds of cluelessness before you would think that the approach taken had any chance of being correct. It's bad enough that you can't ever find intentional backdoors because the honest mistakes are so crazy and so common that an actual backdoor would just hide in the noise.

Not that this problem is unique to the paper wallet space, but it seems to be especially bad there...

The web and JS is already a very hostile environment for writing secure cryptographic code-- JS has a lot of subtle, browser specific, implicit behavior and "action at a distance" that makes it hard to review, review is just not a cultural norm for most web software, the browser execution environment fundamentally cannot provide constant time operation or data leak free operation. ... and basic "key generator" and "signing" code is fairly easy to do (at least if you don't care to do it very well) and a fun little project.  Then these pages are loaded without HTTPS across an untrusted network, through an untrusted CDN from an untrusted server, hosting files for an anonymous and untrusted author.

A bunch of things that would be better described as "Jonny learns to code" are finding themselves in production use with hundreds of thousands of dollars flowing through them, because the end user has no means to judge the integrity of the work or the process that produced it. (And often the authors themselves have no idea how risky things are, or worse-- developer confidence can be inverse related to competence due to the Dunning-Kruger effect).  I'm not sure what to do about this in the ecosystem; it's pretty clear to _me_ when some piece of code or its process has no evidence of meeting even the most basic standards, because I live them every day, but I have almost zero desire to go play gmaxwell-the-destroyer-crusher-of-dreams crapping on other people's project with unsolicited and often unappreciated reviews (it's amazing how hostile some developers are when you point out their stuff is actually broken, not just theoretically ugly), nor do I have the time to do it all myself.

[futureofbitcoin]

I guess now's a good time to ask...


Is there a good way that won't take hours to manually calculate a private-public key pair?

[Blazr]

Thanks for the reply gmaxwell. Yep you are right about the badly coded paper wallet generators, take a look a few posts above, someone linked me a "secure" paper wallet generater that uses python's random.randint to pick a seed - you couldn't even make this shit up.

Is there a good way that won't take hours to manually calculate a private-public key pair?

Use any normal wallet, Bitcoin Core, electrum, Armory. Don't mess around with private keys, only developers need to know what those are, just look after your wallet file (back it up) and your password (strong unique password that you ONLY type into the software) and your good to go.

[fox19891989]

I think so too, if thieves know bitcoin, they would easily steal the wallet, but he hardly know how to decrypt a wallet, that only hackers know.

So paper wallet is preventing hackers, but not thieves.

[Blazr]

I think so too, if thieves know bitcoin, they would easily steal the wallet, but he hardly know how to decrypt a wallet, that only hackers know.

So paper wallet is preventing hackers, but not thieves.

Please read the OP fully whenever your spamming your sig. TY.

[johnyj]

1. 99 dice cast gives you a perfect private key, base 6

2. The difficulty lies in how to review the code that transform this key into WIF format and address

3. If the above can be ensured, signing offline tx will do the spending part

[odolvlobo]

...
Paper wallet:

Plug Mycelium Entropy into printer USB port.
Print paper wallet.

FTFY

Creating a paper wallet can be completely immune to hacking.

[Blazr]

...
Paper wallet:

Plug Mycelium Entropy into printer USB port.
Print paper wallet.

FTFY

Creating a paper wallet can be completely immune to hacking.

Some printers have a built-in memory.

How do you spend the wallet? you need to enter the private key into a device to spend it putting it at risk of hacking. So it has the same risk of being hacked as a normal encrypted wallet, plus the risk of physical theft (if it is unencrypted or not properly backed up) and the risk of the printer memory potentially saving a copy of it.

[Kprawn]

I hope this thread, will be followed by a thread on how to create a "hack-proof" address. 

I created 100s of Paper wallets on a old computer {Low level formatted HDD and fresh OS from original disks} and then I did not connect to the internet, after it was installed.

I then generated the wallets offline with BIP38, and I printed them on a old printer. I then destroyed the computer and the printer. {It's in small pieces now}

How safe are this method in your opinion? {What method will be the most secure to sweep them?} Not planning to re-use them after they were sweeped.

Thanks for the info...

[Borisz]

Nice thread and info on paper wallets.

I'm not using paper wallets, I trust an encrypted one much more. However I find it unlikely that someone will break into my house to extract information from my printer's memory or listen to my network communication with my printer. Depends on the location and environment as well I guess.

Question though. I have recently imported around some private keys which had to be done in unencrypted format as was stored in an txt file for a short while (multibit client). Now even if I delete the temporary file from my PC, because the keys were stored unencrypted for a while should these be considered as "compromised"? I think I'll move my coins to a new wallet.

Other question. If I create a new wallet, it has a private key initially unencrypted. A malware could grab this before I could encrypt it right at the start and then it's game over. isn't it?

[bryant.coleman]

WTF? I have stored at least 90% of my BTC holdings in to paper wallets. I thought that they were safe and secure. Now I have to find another way to store them. 

[Q7]

Which is why right now I'm moving towards hardware wallet. Unlike a paper wallet which eventually needs a software, hardware wallet has its own internal program so you can be sure you are safe and secure over there. Plus all the communication and keystroke during the whole generation process is basically encrypted or put it in another way, it is less immune to viruses and malware.

[unamis76]

Blazr, thank you for this thread. Very useful and informative. I've been saying some of these things to friends on casual talks about securing Bitcoins. I realized some of these things early on when I created my first (and last) paper wallet, back when I was learning about Bitcoin.

Everyone talks about paper wallets as if they're the number one protection method, the most secure one. It does seem to be a myth between Bitcoin users, especially new users... But I hope threads like these start making people think a bit more and maybe opt for better ways to protect their funds

[spazzdla]

What is I create a paper wallet on a harddrive that has never and will never touch the web?

An encrypted paper wallet.

[dserrano5]

While Sending Bitcoins:
Paper wallet:
disconnecting from the internet or using a live OS won't help much as Bitcoin transaction has a random number called a K value, which the malware can backdoor to steal your Bitcoins even if you are offline.

How would this work with a private key that has never been used to sign until now? I understand this is only a problem when reusing keys, right? (yes, I know paper wallets encourage reusing but, what if I'm not reusing?)

[bryant.coleman]

Which is why right now I'm moving towards hardware wallet. Unlike a paper wallet which eventually needs a software, hardware wallet has its own internal program so you can be sure you are safe and secure over there. Plus all the communication and keystroke during the whole generation process is basically encrypted or put it in another way, it is less immune to viruses and malware.

Can we trust the hardware wallets? Do they offer 100% protection from wallet hacks and robberies? Also, is there a risk of losing all of our coins if the hardware becomes corrupt.

[Blazr]

Can we trust the hardware wallets? Do they offer 100% protection from wallet hacks and robberies? Also, is there a risk of losing all of our coins if the hardware becomes corrupt.

I think they need more time to mature, they are new and not very well tested or studied. The code could have bugs that allow an attacker to steal from them (some of the hardware wallets out now are VERY buggy). Give them some more time to work things out, things will be clearer in the future IMO.

Some kinds of hardware wallets are pretty secure in theory. More specifically the ones that have a screen and show you the transaction details on the device and make you approve that transaction on the device itself and not the computer. Any hardware wallet that doesn't do this is a waste of time.

Most hardware wallets will give you a seed, so if the device breaks or is stolen you can use the seed to recover your funds.

[inBitweTrust]

WTF? I have stored at least 90% of my BTC holdings in to paper wallets. I thought that they were safe and secure. Now I have to find another way to store them.  

Don't panic. While the OP does bring up some valid concerns he isn't reflecting the probabilistic risks from the various ways of securing your bitcoins. There are right ways and wrong ways of generating paper wallets and all have various risks.

One of the easiest and most secure way to generate paper wallets right now is:

Entropy with Shamir’s 2-of-3 Secret Sharing Scheme
http://asicminer-shop.de/Mycelium-Entropy
https://mycelium.com/assets/entropy/me.html

Where you enter in one of the shards into your encrypted password manager and physically destroy it afterwards, place the second in a safe or hidden in your house, and the third in a offsite time capsule or relatives house.

The concerns about the printer can be alleviated by knowing about the printer (avoiding commercial models that have hard drives), disabling the LAN, disconnect your printer from your computer and network before use, and printing a few regular documents from your thumb after wards to remove any possibility of your keys being stored in memory within the printer.

Slightly complicated, but you only have to do it  right once and generate many wallets in one shot for privacy reasons.

I initially created paperwallets with a careful process of testing and verifying the source of armory and a clean version of linux and using a live mode session from usb stick. (yes, my bios could have been compromised by the NSA , but that is highly unlikely) ... entropy makes this all much easier.

[Blazr]

WTF? I have stored at least 90% of my BTC holdings in to paper wallets. I thought that they were safe and secure. Now I have to find another way to store them.  

Don't panic. While the OP does bring up some valid concerns he isn't reflecting the probabilistic risks from the various ways of securing your bitcoins. There are right ways and wrong ways of generating paper wallets and all have various risks.

One of the easiest and most secure way to generate paper wallets right now is:

Entropy with Shamir’s 2-of-3 Secret Sharing Scheme
http://asicminer-shop.de/Mycelium-Entropy
https://mycelium.com/assets/entropy/me.html

Where you enter in one of the shards into your encrypted password manager and physically destroy it afterwards, place the second in a safe or hidden in your house, and the third in a offsite time capsule or relatives house.

The concerns about the printer can be alleviated by knowing about the printer (avoiding commercial models that have hard drives), disabling the LAN, disconnect your printer from your computer and network before use, and printing a few regular documents from your thumb after wards to remove any possibility of your keys being stored in memory within the printer.

Slightly complicated, but you only have to do it  right once and generate many wallets in one shot for privacy reasons.

Or... instead of going through all of that you could just use a normal encrypted wallet, and have the same level of security. You can still do multisig if you wish.

Also my printer is a cheapo $50 one and it has a built-in memory that saves documents to print out later if it runs out of paper. You would not know it had built-in memory. A printer is not a leak-free environment, in the business world people use expensive printers to print out secure documents.

[inBitweTrust]

Or, you could just use a normal encrypred wallet, and have the same level of security. You can still do multisig if you wish.

No, my 2 of 3 paper wallet is much more secure than a normal encrypted wallet. Just because I run a potential risk at the time of importing the keys on an computer doesn't mean that my coins aren't secure before I attempt the import and doesn't mean I cannot choose to import the keys in a waallet from a fresh install or live OS. Additionally, I don't have to store all my cold storage in one paper wallet but can split it to many so I am only importing a fraction of my savings when needed thus mitigating more risk and privacy concerns.

[Blazr]

Or, you could just use a normal encrypred wallet, and have the same level of security. You can still do multisig if you wish.

No, my 2 of 3 paper wallet is much more secure than a normal encrypted wallet. Just because I run a potential risk at the time of importing the keys on an computer doesn't mean that my coins aren't secure before I attempt the import and doesn't mean I cannot choose to import the keys in a waallet from a fresh install or live OS. Additionally, I don't have to store all my cold storage in one paper wallet but can split it to many so I am only importing a fraction of my savings when needed thus mitigating more risk and privacy concerns.

But you can do multisig with a normal encrypted wallet if you really want to. electrum supports it out of the box. An encrypted wallet secured with a strong password is also just as secure as a paper one while at rest.

Also another risk is that if you are always using a live OS or fresh install an attacker may be able to predict the state of your random number generator and steal your coins. This is because random number generators collect random information from your PC to create randomness, such as messages from your hardware, your mouse movements, network activity and time between keypresses. When you are using a live OS or fresh install the state is reset at every boot, making it easier for a hacker to predict it's output. While this is very difficult to do, note this is an untargetted attack, like bruteforcing a private key. Additionally if you are not connecting to the internet there is no network activity to collect.

[inBitweTrust]

But you can do multisig with a normal encrypted wallet if you really want to. electrum supports it out of the box. An encrypted wallet secured with a stong password is also just as secure as a paper one while at rest.

You are correct if you can trust the computer that has electrum and trust electrum and trust the electrum version you downloaded, and than generate the multisig keys separately.. there are many potential weaknesses to this...that is why entropy was developed.

Also my printer is a cheapo $50 one and it has a built-in memory that saves documents to print out later if it runs out of paper. You would not know it had built-in memory. A printer is not a leak-free environment, in the business world people use expensive printers to print out secure documents.

All modern printers have a bit of built in memory to cache documents. This can quickly be exhausted by printing a few documents after. Avoid any expensive commercial printer as they have large hard drives.

I have to go so will continue this conversation later/.

[BIG Tyrese]

a paper wallet made by dice rolls can't be hacked unless someone rolls the dice and gets the exact same results

[Blazr]

a paper wallet made by dice rolls can't be hacked unless someone rolls the dice and gets the exact same results

Yes it can. Read the OP. It can be logged once you type it into your computer to spend it.

[inBitweTrust]

Yes it can. Read the OP. It can be logged once you type it into your computer to spend it.

Yes, but I don't have to import my whole life savings. Additionally, If I'm especially paranoid I can import it into a live boot OS that has been verified where the practical only risk is an infected bios(highly unlikely).

[Blazr]

You are correct if you can trust the computer that has electrum and trust electrum and trust the electrum version you downloaded, and than generate the multisig keys separately.. there are many potential weaknesses to this...that is why entropy was developed.

You still need to trust entropy, and due to it being an actual device it is much easier to hide a backdoor in Entropy than electrum. There are added risks of my computer hardware being hacked, but IMO it's more likely that someone will try to insert Bitcoin-stealing backdoors into Entropy then they will try to insert Bitcoin-stealing backdoors into some random-brand laptop. It is also easier to make a backdoor for Entropy because Entropy is a much simpler device and there are thousands of types of BIOS, they would need to write one for my exact type of BIOS, they only need to write one that will work on all Entropy devices.

Yes, but I don't have to import my whole life savings. Additionally, If I'm especially paranoid I can import it into a live boot OS that has been verified where the practical only risk is an infected bios(highly unlikely).

https://en.wikipedia.org/?title=/dev/random

Gutterman, Pinkas, & Reinman in March 2006 published a detailed cryptographic analysis of the Linux random number generator[6] in which they describe several weaknesses. Perhaps the most severe issue they report is with embedded or Live CD systems, such as routers and diskless clients, for which the bootup state is predictable and the available supply of entropy from the environment may be limited.

Live OS's have poor entropy.

[Pietjebel]

When reading all this I ask myself how can the average non-technical user ever store bitcoin safely ?
You would almost crawl to the necessity of a trusted party to store your keys.

[Blazr]

When reading all this I ask myself how can the average non-technical user ever store bitcoin safely ?
You would almost crawl to the necessity of a trusted party to store your keys.

Simply create a normal encrypted wallet with Bitcoin Core, Electrum or Armory and don't go messing around with private keys or paper wallets. Back it up and use a strong unique password.

I'm going to post a guide that will explain how to set up a very secure and very simple hot/cold storage system. It's not hard at all.

[johnyj]

The horrible scenario is: One day you wake up and find out that your coins are gone  

Then you will panic and start to check the security of each step of your operation

It basically falls into two categories:
1. The key generation was not secure
2. The key was stolen

The generation part is most difficult to defend, since there is no easy way to guarantee the true randomness of the key. Even if you have a true random key generated by dice casting, you could still become the victim if the conversion software intentionally provide you a key that software author makes

This concern even applies to hardware wallet, which is even less transparent than those webpages

So, in order to make sure every step is secure, either you rely on some authority (which against the "trust nobody" spirit of bitcoin), or you must be able to review the code that does the actual key generation and conversion. That's why many people dare not to put serious money in bitcoin unless they are good at code review

Maybe bitcoin foundation can act as an authorized code reviewer and publish the certified software and hardware

[ACCTseller]

If your going to buy a fresh PC use it for cold storage with an encrypted wallet, using a paper wallet provides no extra security and extra hassle.

A paper wallet is physically much smaller, and as a result is easier to hide. Also in the event that you are physically robbed (potentially unrelated to bitcoin) then the attacker is more likely to go after your airgaped computer then a paper wallet. Also by human nature, a computer that is air gaped, is more likely to have a weak password securing it's encryption if any at all. So someone may steal your computer hoping to have something to sell for drug money to fuel their addiction and may end up stumbling upon your massive amounts of bitcoin while never coming across your paper wallet (or even seeing it and ignoring it).

One avenue that a paper wallet is probably more secure is when you are needing to spend your bitcoin and know in advance that your computer has malware. With an encrypted wallet, it is going to be more difficult to get your encrypted wallet to a non-malware infected computer without also potentially bringing the malware with you. With a paper wallet on the other hand, all you need to do is simply find a computer that is secure and not infected with malware.

Another point that you might want to add is the fact that when someone is told they should encrypt their private key with a strong password, they are much more likely to use a weak password when using a paper wallet because they will think that the chances of someone ever getting access to the paper wallet to even try the password are slim

[Blazr]

A paper wallet is physically much smaller, and as a result is easier to hide. Also in the event that you are physically robbed (potentially unrelated to bitcoin) then the attacker is more likely to go after your airgaped computer then a paper wallet. Also by human nature, a computer that is air gaped, is more likely to have a weak password securing it's encryption if any at all. So someone may steal your computer hoping to have something to sell for drug money to fuel their addiction and may end up stumbling upon your massive amounts of bitcoin while never coming across your paper wallet (or even seeing it and ignoring it).

Right. Thats why I mentioned atleast an 80bit password. If you are going to use poor passwords despite all the warnings DO NOT have anything to do with Bitcoin as all of your exchange accounts and wallets will be hacked.

One avenue that a paper wallet is probably more secure is when you are needing to spend your bitcoin and know in advance that your computer has malware. With an encrypted wallet, it is going to be more difficult to get your encrypted wallet to a non-malware infected computer without also potentially bringing the malware with you.

I posted a guide before on what to do if you've been hacked, follow that guide and this won't happen:
https://bitcointalk.org/index.php?topic=929882.0
(I need to still fix that up, I hate that guide).

[ACCTseller]

One avenue that a paper wallet is probably more secure is when you are needing to spend your bitcoin and know in advance that your computer has malware. With an encrypted wallet, it is going to be more difficult to get your encrypted wallet to a non-malware infected computer without also potentially bringing the malware with you.

I posted a guide before on what to do if you've been hacked, follow that guide and this won't happen:
https://bitcointalk.org/index.php?topic=929882.0
(I need to still fix that up, I hate that guide).

It looks to be useful for someone who is trying to secure their coinbase account (for example) or their bitcointalk account, but not so much for a wallet that does not use any kind of central location to keep track of your passwords. For example you could simply enter your email/password on coinbase from a secure computer and change your password to secure that account. However when dealing with an encrypted file (wallet) then you would somehow need to transfer that file from a malware infected computer onto a "clean" computer and potentially risk that you infect the "clean" computer in the process.

[Blazr]

One avenue that a paper wallet is probably more secure is when you are needing to spend your bitcoin and know in advance that your computer has malware. With an encrypted wallet, it is going to be more difficult to get your encrypted wallet to a non-malware infected computer without also potentially bringing the malware with you.

I posted a guide before on what to do if you've been hacked, follow that guide and this won't happen:
https://bitcointalk.org/index.php?topic=929882.0
(I need to still fix that up, I hate that guide).

It looks to be useful for someone who is trying to secure their coinbase account (for example) or their bitcointalk account, but not so much for a wallet that does not use any kind of central location to keep track of your passwords. For example you could simply enter your email/password on coinbase from a secure computer and change your password to secure that account. However when dealing with an encrypted file (wallet) then you would somehow need to transfer that file from a malware infected computer onto a "clean" computer and potentially risk that you infect the "clean" computer in the process.

Yeah I wrote that guide mainly for those kinds of hacks because they are the most common. I probably should write more about the issue you describe. You should follow the 3,2,1 procedure when backing up an encrypted wallet, 3 copies, 2 mediums, 1 offsite. You could use a paper wallet as a backup medium, or a CD. You can use this copy of your wallet to restore it if your pc is infected and not risk tracking the malware across.

Paper wallets are useful for certain scenarios such as backups but they are not very useful as a security tool.

[r3wt]

Maybe bitcoin foundation can act as an authorized code reviewer and publish the certified software and hardware

That's a damn good idea

[Blazr]

Maybe bitcoin foundation can act as an authorized code reviewer and publish the certified software and hardware

That's a damn good idea

Not really. You still need to trust the people doing the review, which is the same situation we have now. And the Bitcoin foundation is broke and nobody trusts them.

[r3wt]

Maybe bitcoin foundation can act as an authorized code reviewer and publish the certified software and hardware

That's a damn good idea

Not really. You still need to trust the reviewers. And the Bitcoin foundation is broke and nobody trusts them.

You only need to trust one person who has reviewed the code.

I'm not necessarily endorsing review from the foundation. But maybe an open review platform. such as [1]Codereview?

[1] http://codereview.stackexchange.com/

[ACCTseller]

One avenue that a paper wallet is probably more secure is when you are needing to spend your bitcoin and know in advance that your computer has malware. With an encrypted wallet, it is going to be more difficult to get your encrypted wallet to a non-malware infected computer without also potentially bringing the malware with you.

I posted a guide before on what to do if you've been hacked, follow that guide and this won't happen:
https://bitcointalk.org/index.php?topic=929882.0
(I need to still fix that up, I hate that guide).

It looks to be useful for someone who is trying to secure their coinbase account (for example) or their bitcointalk account, but not so much for a wallet that does not use any kind of central location to keep track of your passwords. For example you could simply enter your email/password on coinbase from a secure computer and change your password to secure that account. However when dealing with an encrypted file (wallet) then you would somehow need to transfer that file from a malware infected computer onto a "clean" computer and potentially risk that you infect the "clean" computer in the process.

Yeah I wrote that guide mainly for those kinds of hacks because they are the most common. I probably should write more about the issue you describe. You should follow the 3,2,1 procedure when backing up an encrypted wallet, 3 copies, 2 mediums, 1 offsite. You could use a paper wallet as a backup medium, or a CD. You can use this copy of your wallet to restore it if your pc is infected and not risk tracking the malware across.

Paper wallets are useful for certain scenarios such as backups but they are not very useful as a security tool.

right. I think it is somewhat of an unrealistic expectation for everyone to backup their wallets in multiple locations and mediums as this level of security is foreign to most people, especially with the advent of cloud storage that allows their documents to be automatically backed up to their cloud service. I am not saying that I engage in this lack of security environment or that it is a valid excuse however it is unfortunately a reality for a lot of people.

[xmasdobo]

I tend to agree with you. Im more paranoid that the printed paper gets lost/deteriorated than a usb+hd backups.

[kpitti]

I found this information very interesting and valuable. I understand it as information what can possibly happen if someone did not follow basic and fundamental steps of security on computer he is using. I would like to understand what is good practice to avoid security break which can allow to steal and send away a private information (private keys).
What I would be intersted as well if there is someone who can confirm he lost Bitcoins from Paper wallet he created as safe Cold storage.

[Blazr]

right. I think it is somewhat of an unrealistic expectation for everyone to backup their wallets in multiple locations and mediums as this level of security is foreign to most people, especially with the advent of cloud storage that allows their documents to be automatically backed up to their cloud service. I am not saying that I engage in this lack of security environment or that it is a valid excuse however it is unfortunately a reality for a lot of people.

It's not that difficult to backup your wallet. To do it with electrum, simply create a wallet, write down the seed on paper with a pen (no printers), then do file>save copy and save it in cloud storage. Now you have 3 copies, 2 different mediums and 1 offsite. Electrum backups are forever (except for the labels, you can use the label sync feature if you want to back those up). The seed is at risk of physical theft however, and I wouldn't recommend encrypting it in case you forget your password.

What I would be intersted as well if there is someone who can confirm he lost Bitcoins from Paper wallet he created as safe Cold storage.

Paper wallets do get hacked a lot but this is usually due to people using crappy software to make them.

However I had a friend who had his paper wallet hacked recently, which is why I decided to make this thread. He typed the private key into his computer to send some bitcoins out of it and a few hours later the rest of the funds on the paper wallet were stolen. We're still looking into what exactly what happened but we found a RAT on his computer so my guess is that the hacker found out he had a paper wallet (he had a copy of bitaddress.org saved on his desktop) and keylogged him entering in the private key and stole the rest of the funds later. There are many other way the hacker could've done this, and I suspect we will see more sophisticated attacks on paper wallets soon.

[kpitti]

right. I think it is somewhat of an unrealistic expectation for everyone to backup their wallets in multiple locations and mediums as this level of security is foreign to most people, especially with the advent of cloud storage that allows their documents to be automatically backed up to their cloud service. I am not saying that I engage in this lack of security environment or that it is a valid excuse however it is unfortunately a reality for a lot of people.

It's not that difficult to backup your wallet. To do it with electrum, simply create a wallet, write down the seed on paper with a pen (no printers), then do file>save copy and save it in cloud storage. Now you have 3 copies, 2 different mediums and 1 offsite. Electrum backups are forever (except for the labels, you can use the label sync feature if you want to back those up). The seed is at risk of physical theft however, and I wouldn't recommend encrypting it in case you forget your password.

What I would be intersted as well if there is someone who can confirm he lost Bitcoins from Paper wallet he created as safe Cold storage.

Paper wallets do get hacked a lot but this is usually due to people using crappy software to make them.

However I had a friend who had his paper wallet hacked recently, which is why I decided to make this thread. He typed the private key into his computer to send some bitcoins out of it and a few hours later the rest of the funds on the paper wallet were stolen. We're still looking into what exactly what happened but we found a RAT on his computer so my guess is that the hacker found out he had a paper wallet (he had a copy of bitaddress.org saved on his desktop) and keylogged him entering in the private key and stole the rest of the funds later. There are many other way the hacker could've done this, and I suspect we will see more sophisticated attacks on paper wallets soon.

Thank you, I am taking this very seriously. I would welcome any information or guidance how to avoid such scenario. Reading your answer I see another problem in Not following basic rule to spend whole amount of BTC stored in Paper Wallet. When you once use your Private key is not "private" any more. I will follow your thread for sure. Thanks.

[colinistheman]

Can someone please verify the security of bitcoins I have stored with this method:

0. I copied bitaddress.org source code onto a formatted flash drive.
1. Turned off my computer. I unplugged my computer from the Internet.
2. I booted from a Ubutnu Live DVD.
3. I opened the bitaddress website from the flash drive (not from the Internet, because the computer was not connected to the Internet during this boot up with Ubuntu Live).
4. I printed a bunch of private keys onto paper with my laser printer.
5. I turned off the computer and removed the Ubuntu Live DVD.

(have since printed hundreds of non-bitcoin-related documents from the laser printer, clearing its memory)

Also: I only use they private keys once. If I ever send funds from them, I destroy the private key and never use it again.

[ACCTseller]

right. I think it is somewhat of an unrealistic expectation for everyone to backup their wallets in multiple locations and mediums as this level of security is foreign to most people, especially with the advent of cloud storage that allows their documents to be automatically backed up to their cloud service. I am not saying that I engage in this lack of security environment or that it is a valid excuse however it is unfortunately a reality for a lot of people.

It's not that difficult to backup your wallet. To do it with electrum, simply create a wallet, write down the seed on paper with a pen (no printers), then do file>save copy and save it in cloud storage. Now you have 3 copies, 2 different mediums and 1 offsite. Electrum backups are forever (except for the labels, you can use the label sync feature if you want to back those up). The seed is at risk of physical theft however, and I wouldn't recommend encrypting it in case you forget your password.

I didn't say it is hard to backup. It is just that people don't care to do so. I don't like the idea of storing your seed in plaintext though, I would encrypt it with a weak PGP password (instead of a private PGP key) that way someone that hacks your cloud storage with social engineering cannot have immediate access to your private keys and you should have time to move your funds once you discover your cloud storage service is hacked. Plus if your computer is hacked then there is a good chance your cloud storage service account would get hacked as well.

You can do a very similar procedure with electrum as well.

[Pietjebel]

He typed the private key into his computer to send some bitcoins out of it and a few hours later the rest of the funds on the paper wallet were stolen.

How is this even possible, the funds belonging to a private key needs to be spend all at once right?

[Febo]

If you dont do it right no procedure will be ever safe. If you do it right both ways can be quite safe.

[ACCTseller]

He typed the private key into his computer to send some bitcoins out of it and a few hours later the rest of the funds on the paper wallet were stolen.

How is this even possible, the funds belonging to a private key needs to be spend all at once right?

No. You need to "spend" all the funds in each input that you are sending however it is possible to make the chance go back to the address that originaly had the funds as is encouraged by the use of paper wallets.

It would be possible to have multiple inputs to an address and only spend one or some of them.

[Blazr]

I didn't say it is hard to backup. It is just that people don't care to do so. I don't like the idea of storing your seed in plaintext though, I would encrypt it with a weak PGP password (instead of a private PGP key) that way someone that hacks your cloud storage with social engineering cannot have immediate access to your private keys and you should have time to move your funds once you discover your cloud storage service is hacked. Plus if your computer is hacked then there is a good chance your cloud storage service account would get hacked as well.

You can do a very similar procedure with electrum as well.

When you do file>save copy in Electrum, the copy will be encrypted if the original was. Of course any wallet you put in the cloud should be encrypted, a few years ago dropbox had a security issue that allowed anyone to log in to anyone else account without a password. The issue remained for a few hours.

Only the hand-written seed should be unencrypted, I would not recommend encrypting it as if you forget your password you'll have no way of accessing your funds, you should always have the means to access your wallet in the event you've forgotten your password.

[Blazr]

Thank you, I am taking this very seriously. I would welcome any information or guidance how to avoid such scenario. Reading your answer I see another problem in Not following basic rule to spend whole amount of BTC stored in Paper Wallet. When you once use your Private key is not "private" any more. I will follow your thread for sure. Thanks.

I'm working on a guide right now that will show you step-by-step how to setup a secure and relatively simple hot/cold storage system using electrum that will provide significant protection. Keep an eye out for it.

[CIYAM]

I created the CIYAM Safe (https://susestudio.com/a/kp8B3G/ciyam-safe) for the purpose of making safe offline "cold storage".

To be really secure I would advise buying an *old computer" that predates any of the NSA attacks upon hard-drive firmware, etc. (yes it is a pity that they have made all modern hardware now suspect).

Like it or not we are in the middle of a "war' against privacy (which the major governments of this world hope we will lose).

[Blazr]

I create the CIYAM Safe (https://susestudio.com/a/kp8B3G/ciyam-safe) for the purpose of making safe offline "cold storage".

To be really secure I would advise buying an *old computer" that predates any of the NSA attacks upon hard-drive firmware, etc. (yes it is a pity that the US has made all modern hardware now suspect).

The NSA hard drive firmware malware used browser exploits and other techniques to gain access to the device and then reflash the hard drive firmware in order to hide it's existence from the operating system and survive a reformat. Also their malware is at least 6 years old, so you'll need some REALLY old hardware.

I would recommend just walking into a computer shop and picking up a sealed computer off the shelf from a manufacturer you trust. You need to trust the manufacturer hasn't inserted any backdoors, which can be difficult. Picking up one at random from a store prevents against targetted attacks, for example the NSA are known to intercept computer hardware in the mail and insert backdoors into it (the infamous Cisco router).

[CIYAM]

Also their malware is at least 6 years old, so you'll need some REALLY old hardware.

My cold storage laptop is around 10 years old (which actually made it very cheap to buy).

And it *cannot* connect to the internet (apart from getting its WiFi card removed I ruined its plugs to prevent anyone plugging in anything to connect it).

[Blazr]

My cold storage laptop is over 10 years old (which actually made it very cheap to buy).

And it *cannot* connect to the internet (apart from getting its WiFi card removed I ruined its plugs to prevent anyone plugging in anything to connect it).

Yep a good step, however as you know there is the whole R value issue, and the method used to transmit the transaction data. I believe your system uses QR codes to transmit the transaction data, which is good.

One issue is if there was malware on both cold PC and online PC then the QR code could simply be replace by the malware with the actual private key and when you scan the QR the online PC sweeps it into the hackers wallet. Also I don't think your solution can prevent against the R value issue, can it?

[CIYAM]

Yep a good step, however as you know there is the whole R value issue, and the method used to transmit the transaction data. I believe your system uses QR codes to transmit the transaction data, which is good, but I don't think your solution can prevent against the R value issue, can it?

I'd need to change the signature system to use deterministic values to be certain against that (if vanitygen would add that then it would be relatively easy to incorporate).

[Blazr]

Yep a good step, however as you know there is the whole R value issue, and the method used to transmit the transaction data. I believe your system uses QR codes to transmit the transaction data, which is good, but I don't think your solution can prevent against the R value issue, can it?

I'd need to change the signature system to use deterministic values to be certain against that (if vanitygen would add that then it would be relatively easy to incorporate).

I have been reading about this, I don't know enough about deterministic values, they aren't widely used yet, I believe Armory is only testing them right now, hopefully they can improve the situation.

[Pietjebel]

He typed the private key into his computer to send some bitcoins out of it and a few hours later the rest of the funds on the paper wallet were stolen.

How is this even possible, the funds belonging to a private key needs to be spend all at once right?

No. You need to "spend" all the funds in each input that you are sending however it is possible to make the chance go back to the address that originaly had the funds as is encouraged by the use of paper wallets.

It would be possible to have multiple inputs to an address and only spend one or some of them.

Thanks for explaining, didn't know.

[CIYAM]

I believe Armory is only testing them right now, hopefully they can improve the situation.

My problem with Armory has always been that they don't do QR codes (instead rely upon USB devices that could be hacked) simply because they try to be a "wallet" rather than just a "cold storage" solution (so CIYAM Safe is actually *safer* than Armory).

[bitebits]

However I had a friend who had his paper wallet hacked recently, which is why I decided to make this thread. He typed the private key into his computer to send some bitcoins out of it and a few hours later the rest of the funds on the paper wallet were stolen. We're still looking into what exactly what happened [...]

You are aware that the remaining bitcoins go to a new change address?

You should always sweep the complete balance, as it's not safe to try to partially spend directly from the paper wallet itself.

[Blazr]

You are aware that the remaining bitcoins go to a new change address?

You should always sweep the complete balance, as it's not safe to try to partially spend directly from the paper wallet itself.

It doesn't really matter because the hacker still could've just had the malware send all the funds to his wallet once the second the private key was typed in. In this case the hacker was lazy and just did it manually a few hours later, but the next hacker won't be so lazy.

Using change addresses with paper wallets requires using a new paper wallet each time you make a transaction, which you obviously should do, but very few people actually do that as it's not very convenient.

[Blazr]

My problem with Armory has always been that they don't do QR codes (instead rely upon USB devices that could be hacked) simply because they try to be a "wallet" rather than just a "cold storage" solution (so CIYAM Safe is actually *safer* than Armory).

Yes of course. There are a WHOLE lotta problems with USB sticks. QR codes are much much better. I personally like using an audiomodem to transmit the transaction data via sound card over a 3.5mm audio cable. Qr codes have an advantage over an audiomodem in that an audiomodem can transmit data both ways which is a security risk, but the audiomodem is much more convenient, I always had trouble scanning the QR codes with the camera as my laptop only has a front-facing camera. I think an audiomodem is the best way to transmit the transaction data in the end of the day.

[CIYAM]

I think an audiomodem is the best way to transmit the transaction data in the end of the day.

I think it probably depends upon the software being used - but assuming it doesn't allow for "executable code" (or scripts) then either QR or audio should be okay.

[ACCTseller]

I didn't say it is hard to backup. It is just that people don't care to do so. I don't like the idea of storing your seed in plaintext though, I would encrypt it with a weak PGP password (instead of a private PGP key) that way someone that hacks your cloud storage with social engineering cannot have immediate access to your private keys and you should have time to move your funds once you discover your cloud storage service is hacked. Plus if your computer is hacked then there is a good chance your cloud storage service account would get hacked as well.

You can do a very similar procedure with electrum as well.

When you do file>save copy in Electrum, the copy will be encrypted if the original was. Of course any wallet you put in the cloud should be encrypted, a few years ago dropbox had a security issue that allowed anyone to log in to anyone else account without a password. The issue remained for a few hours.

Only the hand-written seed should be unencrypted, I would not recommend encrypting it as if you forget your password you'll have no way of accessing your funds, you should always have the means to access your wallet in the event you've forgotten your password.

you could tell it to display the seed and then save the text of the seed in a PGP encrypted file.

This would be essentially the same thing you would do with armory, except that armory is much more encouraging for you to back it up this way.

[Blazr]

I didn't say it is hard to backup. It is just that people don't care to do so. I don't like the idea of storing your seed in plaintext though, I would encrypt it with a weak PGP password (instead of a private PGP key) that way someone that hacks your cloud storage with social engineering cannot have immediate access to your private keys and you should have time to move your funds once you discover your cloud storage service is hacked. Plus if your computer is hacked then there is a good chance your cloud storage service account would get hacked as well.

You can do a very similar procedure with electrum as well.

When you do file>save copy in Electrum, the copy will be encrypted if the original was. Of course any wallet you put in the cloud should be encrypted, a few years ago dropbox had a security issue that allowed anyone to log in to anyone else account without a password. The issue remained for a few hours.

Only the hand-written seed should be unencrypted, I would not recommend encrypting it as if you forget your password you'll have no way of accessing your funds, you should always have the means to access your wallet in the event you've forgotten your password.

you could tell it to display the seed and then save the text of the seed in a PGP encrypted file.

This would be essentially the same thing you would do with armory, except that armory is much more encouraging for you to back it up this way.

The problem is though, if you happen to get diagnosed with amnesia, you won't be able to access your Bitcoins to pay for treatment as you'll have forgotten all your passwords, so you should always have a way in to your wallet without a password in case you forget your passwords, which is why I recommend an unencrypted handwritten seed. If you absolutely must encrypt the seed, then you should at least store a password hint with it and you shouldn't use a really high iteration count so if you forget a character or two you'll be able to bruteforce your way in. Obviously such a seed should be kept in a very safe location if physical theft is an issue.

Armory also tries to force you to make at least one unencrypted backup for this reason. Without a way of getting into your wallet without a password your wallet essentially becomes a brain wallet.

[ACCTseller]

I didn't say it is hard to backup. It is just that people don't care to do so. I don't like the idea of storing your seed in plaintext though, I would encrypt it with a weak PGP password (instead of a private PGP key) that way someone that hacks your cloud storage with social engineering cannot have immediate access to your private keys and you should have time to move your funds once you discover your cloud storage service is hacked. Plus if your computer is hacked then there is a good chance your cloud storage service account would get hacked as well.

You can do a very similar procedure with electrum as well.

When you do file>save copy in Electrum, the copy will be encrypted if the original was. Of course any wallet you put in the cloud should be encrypted, a few years ago dropbox had a security issue that allowed anyone to log in to anyone else account without a password. The issue remained for a few hours.

Only the hand-written seed should be unencrypted, I would not recommend encrypting it as if you forget your password you'll have no way of accessing your funds, you should always have the means to access your wallet in the event you've forgotten your password.

you could tell it to display the seed and then save the text of the seed in a PGP encrypted file.

This would be essentially the same thing you would do with armory, except that armory is much more encouraging for you to back it up this way.

The problem is though, if you happen to get diagnosed with amnesia, you won't be able to access your Bitcoins to pay for treatment as you'll have forgotten all your passwords, so you should always have a way in to your wallet without a password in case you forget your passwords, which is why I recommend an unencrypted handwritten seed. If you absolutely must encrypt the seed, then you should at least store a password hint with it and you should probably turn down the iteration count a bit so if you forget a character or two you'll be able to bruteforce your way in. Obviously such a seed should be kept in a very safe location if physical theft is an issue.

Armory also tries to force you to make at least one unencrypted backup for this reason.

Yes. For your paper version you should leave it in plaintext form as it would allow you to access your btc in the event you forget even a weak password.

When storing your seed in the cloud however you should keep it somewhat encrypted. I suggested using PGP with a weak password/pass phrase to decrypt (an attacker won't know that your password is weak and probably won't go in order starting with "a" up to "000..." (With the last "try" being something very long) but would rather either use a dictionary attack or try to brute force attack, both of which would take a long time to theoretically break (to the point that it is not possible without *very* good luck so it probably won't even be tried). But using a weak password means it is more difficult to forget.

[Blazr]

When storing your seed in the cloud however you should keep it somewhat encrypted. I suggested using PGP with a weak password/pass phrase to decrypt (an attacker won't know that your password is weak and probably won't go in order starting with "a" up to "000..." (With the last "try" being something very long) but would rather either use a dictionary attack or try to brute force attack, both of which would take a long time to theoretically break (to the point that it is not possible without *very* good luck so it probably won't even be tried). But using a weak password means it is more difficult to forget.

Yes sorry I misunderstood you. Of course, you should encrypt all copies of your wallet except for the backup seed, especially the copy in the cloud. I'd personally recommend uploading a copy of the actual wallet file (which is what file>save copy does), since it's already encrypted (as long as you chose to encrypt the wallet in electrum) and you'll also backup your labels and any settings for electrum plugins that you use, plus you can import it straight into electrum without fumbling with PGP, which makes it easy to test your backup.

And you can see what the balance is without knowing the password, so if in 10 years time you find this wallet backup you'll be able to see it's empty and won't waste your time trying to crack it in hopes that you might have left 0.01BTC in there which could be worth a lot more then. I once found a really old truecrypt encrypted litecoin wallet on an old drive, I used to mine 50LTC a day back when it was like $0.05/LTC and LTC was now $20 so I was really stoked, took me ages to crack it as I didn't know what password I used and I didn't write down a hint or anything, but eventually I figured it out and it was empty

[inBitweTrust]

The great thing about this thread is that it discusses many of the security problems we have been concerned about and discussing for years.

The problem with this thread is it gives no context with the relative probabilities of each attack vector and exaggerates certain fears and than suggests one may as well simply use an encrypted wallet(which may or may not be true depending upon how the paper wallet was generated)

Ultimately, you can read the source code of entropy and even add your own salt to it if you believe it was tampered with but we must trust the hardware. This is why there is a growing movement of engineers supporting the open source hardware movement:

http://www.oshwa.org/
http://www.ohwr.org/

Good physical security and digital security is difficult to accomplish and you can never be 100% sure that your bitcoins are completely secure (or any of your physical items are 100% secure). What you can do is be extremely confident your bitcoins are secure. Additionally, the amount of effort you must place into security is highly relative depending upon if you are a political or legal target and how many bitcoins you need to secure. These aren't unique problems with bitcoin, but problems with securing any valuable assets.

The great thing about paper wallets is you have the ability to combine physical security with digital security when they are in mutisig form or split with Shamir's Secret Sharing. The largest bitcoin exchanges and banks aren't doing this simply as a PR stunt because physical cold storage is a fad and to insinuating this is misleading at least.

[inBitweTrust]

The problem is though, if you happen to get diagnosed with amnesia, you won't be able to access your Bitcoins to pay for treatment as you'll have forgotten all your passwords, so you should always have a way in to your wallet without a password in case you forget your passwords, which is why I recommend an unencrypted handwritten seed. If you absolutely must encrypt the seed, then you should at least store a password hint with it and you shouldn't use a really high iteration count so if you forget a character or two you'll be able to bruteforce your way in. Obviously such a seed should be kept in a very safe location if physical theft is an issue.

I like the way you are thinking when you are considering the insecurities of the user themselves here but you just negated the whole point you initially were making because essentially you just created a insecure paperwallet with this suggestion.

What we really need is a comprehensive guide which details a best course of action based upon the threat level of each individual.

Thus the threat level may look something like this:

1) minimal risk- Someone without a lot a bitcoins and generally good overall security behaviors
2) moderate risk - Someone nontechnical or poor security behaviors or with large amounts of bitcoin
3) High Risk - Journalists, political activists, IT administrators, Extremely wealthy or famous people
4) Paranoid risk level - high value criminals, large banks and exchanges, presidents and other political targets like snowden, applebaum, ect..

With each of these risk levels one would have different recommendations.

[Blazr]

I like the way you are thinking when you are considering the insecurities of the user themselves here but you just negated the whole point you initially were making because essentially you just created a insecure paperwallet with this suggestion.

The point of this whole thread is that paper wallets are not more secure than encrypted ones. People always tell me their paper wallets are more secure than normal ones, thats not true. If you leave out the risks due to printers etc they are essentially the same level of security as a normal encrypted wallet, so using a paper wallet does not improve your security at all, if anything it slightly lessens it due to aformentioned risks of printers etc.

Paper wallets are very useful, just not as a security tool.

Your system is only safe as it's weakest point. I don't use obscurity or rely on the difficulty of writing a piece of malware to protect my coins. Put it this way: I am not very smart but there is no attack I have mentioned here that I couldn't pull off on my own with moderate funds. Preventing or mitigating most of the attacks I have mentioned so far is possible, I'm currently writing up a guide. Keep an eye out for it, it's easier than fumbling with paper wallets and provides tangible security. There is no need to have different levels of security when the highly paranoid option is easy and cheap.

[inBitweTrust]

The point of this whole thread is that paper wallets are not more secure than encrypted ones. People always tell me their paper wallets are more secure than normal ones, thats not true. If you leave out the risks due to printers etc they are essentially the same level of security as a normal encrypted wallet, so using a paper wallet does not improve your security at all, if anything it slightly lessens it due to aformentioned risks of printers etc.

Paper wallets are very useful, just not as a security tool.

You keep mentioning the risks from printers and I have already addressed those concerns. If you use a dumb/simple printer with minimal cache and temporarily disabled your LAN and WIFi functionality of your printer printed off the paper wallets from an entropy/clean and verified linux install, and than printed a few more documents after the fact to clear the cache their is almost no risk for those bitcoins to be stolen if they are properly secured. Of course we both can discuss many possible attack vectors under such a circumstance and if you thought you werre actively being targeted or spied upon you may want to use a open source laptop that a trusted friend bought for you , that you than checked and reviewed all the firmware and verified your version of linux , and printed off the paper wallets in grounded Faraday cage, ect... all of this isn't necessary for the average user and what I have a few steps creating a standard paper wallet is far more secure than electrum on a windows PC.

Your system is only safe as it's weakest point.

You are completely ignoring the relative costs and difficulties of each attack vector. You are also ignoring the fact that users do not need to choose between options but can employ multiple types of security, where if any of them fail due to a mistake, security flaw or backdoor, than most of the savings is still secure because it was secured with other methods or at a different time and with different hardware.

[Blazr]

all of this isn't necessary for the average user and what I have a few steps creating a standard paper wallet is far more secure than electrum on a windows PC.

No its not. How do you spend your paper wallet? on the same PC, putting it in exactly the same risk as the electrum one, which is also safe until you enter you password to send from it (assuming the creation process was done safely much like the paper wallet). And the method you described for creating a paper wallet is a lot of steps for the average user IMO.

[inBitweTrust]

How do you spend your paper wallet? on the same PC, putting it in exactly the same risk as the electrum one, which is also safe until you enter you password to send from it (assuming the creation process was done safely much like the paper wallet). And the method you described for creating a paper wallet is a lot of steps for the average user IMO.

Nope.... you are making assumptions which I already refuted. I keep multiple devices that are air gaped (sneakerware tech(TM )) that allows me to import small amounts of cold storage into hardware that hasn't touched the network and cannot touch the network until needed.

You are suggesting that one should secure their life savings on the same PC they browse porn on ?

I'm currently writing up a guide. Keep an eye out for it, it's easier than fumbling with paper wallets and provides tangible security. There is no need to have different levels of security when the highly paranoid option is easy and cheap.

Sounds good , I am always open to new ideas and criticisms... look forward to your guide.

[Blazr]

You are completely ignoring the relative costs and difficulties of each attack vector. You are also ignoring the fact that users do not need to choose between options but can employ multiple types of security, where if any of them fail due to a mistake, security flaw or backdoor, than most of the savings is still secure because it was secured with other methods or at a different time and with different hardware.

Which attack do you think is out of range for the actual hackers who are making millions off of ripping off banks?

I think the main thing putting you off was me mentioning the NSA firmware thing as a way to infect a live CD. While that attack is rare and expensive, you only need to write the malware once and you can infect millions of people with it. The NSA had the unit cost of their malware listed as $0, meaning an infection cost them nothing, they only had to pay the few million to make it, and I think that price is in range of criminals. So all the bad guys gotta do is write the malware once and then spread it to as many people as they can, so it doesn't matter if you have 1BTC or 1,000BTC, you could still be infected by multi-million dollar malware just as easily.

And thats not even the only way to steal from a live CD. Like I said before, the RNG on a live CD is predictable, with some analysis with common computer hardware it may be possible to crack it. The RNG used on the website http://brainwallet.org was broken in a similar fashion and everyone who used it had all their bitcoins stolen. The LRNG would be harder to break than the brainwallet.org one of course, and it won't get everyone, some people may not have their funds stolen.

And when you burn the CD, how do you know the ISO you wanted was burnt? It is trivial to write up a piece of malware that could switch the ISO the burning software uses. You can protect against this by checking the CD again on another machine however.

And if you are burning it to a USB, if you happen to plug that USB in anytime in the future when your running your main OS then the malware can modify the kernel and backdoor the RNG, I have a patch file right here that will backdoor the LRNG, it's insanely easy to do.

[Blazr]

Nope.... you are making assumptions which I already refuted. I keep multiple devices that are air gaped (sneakerware tech(TM )) that allows me to import small amounts of cold storage into hardware that hasn't touched the network and cannot touch the network until needed.

GREAT! the airgap provides actual tangible security. That is what is giving you the security, not the paper wallets. You could store electrum on that and it would be just as secure as the paper wallets.

[inBitweTrust]

And the method you described for creating a paper wallet is a lot of steps for the average user IMO.

The average user only needs to unplug their router, plug in an entropy, click a button a few times to create multiple SSS paper wallets, print a few more documents to clear cache, input one set of their shards into their encrypted password manager and destroy the paper associated. For remaining 2 shards of all the sets laminate them place one set in a safe, and the 2nd set secure at their parents or relatives safe or time capsule, and send their BTC to the public addresses.

This isn't that complicated and a one time task and way more secure than what you are suggesting.

Personally , I have gone way beyond this but only because it was a fun process in security.

GREAT! cold storage provides actual tangible security. That is what is giving you the security, not the paper wallets. You could store electrum on that and it would be just as secure as the paper wallets.

Yes, only if I used multisig or Shamir's Secret Sharing splits between multiple sets of hardware. You know how many laptops and raspberry pis I would need to buy?
 
This is where paper wallets are useful.

[Blazr]

And the method you described for creating a paper wallet is a lot of steps for the average user IMO.

The average user only needs to unplug their router, plug in an entropy, click a button a few times to create multiple SSS paper wallets, print a few more documents to clear cache, input one of their shards into their encrypted password manager and destroy the paper associated. For remaining 2 shards of all the sets laminate them place one set in a safe, and the 2nd set secure at their parents or relatives safe or time capsule, and send their BTC to the public addresses.

This isn't that complicated a one time task and way more secure than what you are suggesting.

Personally , I have gone way beyond this but only because it was a fun process in security.

I haven't suggested anything yet, but to setup a pretty secure cold storage, all you need to do is type this into a linux terminal:

git clone https://github.com/spesmilo/electrum
gpg --recv-keys 0x2BD5824B7F9470E6
git tag -v 2.0.4 (check it says good signature, if so, your download has not been tampered with)
git checkout 2.0.4
chmod +x electrum
./electrum

This will download electrum from source, verify its signature to prevent tampering.
If it runs copy the folder onto your cold PC and run git tag -v 2.0.4 and git checkout 2.0.4 again in case it was tampered by your main PC.

select standard wallet
write down seed on paper
set strong password
wallet > MPK and scan QR code with online PC.
Connect audio cable between online PC and cold PC.

Done. Like your example this could be a lot better, but its pretty good.

[Cruxer]

For me they are both as secure as their end-user

[inBitweTrust]

Which attack do you think is out of range for the actual hackers who are making millions off of ripping off banks?

A centralized repository to secure multiple accounts is insecure by design and why I typically tell users to avoid bitcoin banks or exchanges for storing their savings.

I think the main thing putting you off was me mentioning the NSA firmware thing as a way to infect a live CD. While that attack is rare and expensive, you only need to write the malware once and you can infect millions of people with it. The NSA had the unit cost of their malware listed as $0, meaning an infection cost them nothing, they only had to pay the few million to make it, and I think that price is in range of criminals. So all the bad guys gotta do is write the malware once and then spread it to as many people as they can, so it doesn't matter if you have 1BTC or 1,000BTC, you could still be infected by multi-million dollar malware just as easily.

They cannot retroactively insert malware into existing and audited linux images. Yes, there could have been a unknown vulnerability that was missed initially (I.E..heartbleed) but this doesn't necessarily mean you are compromised and that your bitcoins will be stolen when you import part of your savings.

Like I said before, the RNG on a live CD is predictable, with some analysis with common computer hardware it may be possible to crack it. The RNG used on the website http://brainwallet.org was broken in a similar fashion and everyone who used it had all their bitcoins stolen. The LRNG would be harder to break than the brainwallet.org one of course, and it won't get everyone, some people may not have their funds stolen.

You are making an assumption that the Live CD is what should be used to create the paper wallets and not merely spend them. I agree that  online generators are more vulnerable.

And when you burn the CD, how do you know the ISO you wanted was burnt? It is trivial to write up a piece of malware that could switch the ISO the burning software uses. You can protect against this by checking the CD again on another machine however.

And if you are burning it to a USB, if you happen to plug that USB in anytime in the future when your running your main OS then the malware can modify the kernel and backdoor the RNG, I have a patch file right here that will backdoor the LRNG, it's insanely easy to do.

Yes , there are some extra security steps that must be checked and followed that most users will never do. This is why there are hardware wallets and devices like entropy... because they allow easy and good enough security for the average person.

[Blazr]

You are making an assumption that the Live CD is what should be used to create the paper wallets and not merely spend them. I agree that  online generators are more vulnerable.

When you make a transaction your client needs to insert a random number in it, called an R value. If this number isn't random the attacker can compute your private key by scanning the blockchain. This is what happened to blockchain.info when they almost lost >1000BTC recently.

[inBitweTrust]

I haven't suggested anything yet, but to setup a pretty secure cold storage, all you need to do is type this into a linux terminal:

git clone https://github.com/spesmilo/electrum
gpg --recv-keys 0x2BD5824B7F9470E6
git tag -v 2.0.4 (check it says good signature, if so, your download has not been tampered with)
git checkout 2.0.4
chmod +x electrum
./electrum

This will download electrum from source, verify its signature to prevent tampering.
If it runs copy the folder onto your cold PC and run git tag -v 2.0.4 and git checkout 2.0.4 again in case it was tampered by your main PC.

select standard wallet
write down seed on paper
set strong password
wallet > MPK and scan QR code with online PC.
Connect audio cable between online PC and cold PC.

Done. Like your example this could be a lot better, but its pretty good.

I completely agree, and what you just explained is one security method I originally did for myself before I created a more elaborate method with paper wallets.

We may simply be talking past each other.... If what you are suggesting is that you can take separate computer with a clean linux install and only use it to secure your bitcoins and than disable the networking on it (possibly temporarily enabling for periodic updates and patches that are audited)... and while it might be slightly weaker security than what I suggested it still is good enough security for most.

[Blazr]

We may simply be talking past each other.... If what you are suggesting is that you can take separate computer with a clean linux install and only use it to secure your bitcoins and than disable the networking on it (possibly temporarily enabling for periodic updates and patches that are audited)... and while it might be slightly weaker security than what I suggested it still is good enough security for most.

Pretty much, except for the connecting to the internet part. I'm still working on the guide along with some handy python tools. You don't need security patches, very few security issues in the OS will affect you, you may need to update your bitcoin client however but that can be done relatively safely now that you have the dev's PGP key on your cold PC. You can actually do a git pull over the audio cable (I have a python scripts that can do this in a safe manner) and verify the sigs and check a diff of the code if you wish. it's awesome.

[inBitweTrust]

When you make a transaction your client needs to insert a random number in it, called an R value. If this number isn't random the attacker can compute your private key by scanning the blockchain. This is what happened to blockchain.info when they almost lost >1000BTC recently.

This is very difficult to pull off , and creating enough entropy if you are aware of this attack is fairly easy to do. blockchain.info was an easy target because it was a central point of failure as well.

Pretty much, except for the connecting to the internet part. I'm still working on the guide along with some handy python tools. You don't need security patches, very few security issues in the OS will affect you, you may need to update your bitcoin client however but that can be done relatively safely now that you have the dev's PGP key on your cold PC. You can actually do a git pull over the audio cable (I have a python scripts that can do this in a safe manner) and verify the sigs and check a diff of the code if you wish. it's awesome.

Sounds good, I look forward to adding your guide to my list of recommendations. I haven't listed my security arrangement yet because it is too complicated for the average user and I don't feel like writing it all out.

[Blazr]

This is very difficult to pull off , and creating enough entropy if you are aware of this attack is fairly easy to do. blockchain.info was an easy target because it was a central point of failure as well.

I don't like "very difficult". Very difficult depends on the attackers capabilities, and who knows whos attacking you, money is money attackers will attack anyone who has money. It's possible the attacker may think you have more money than you do, or the attack may be entirely automated so they are just going after anyone they can infect.

[inBitweTrust]

This is very difficult to pull off , and creating enough entropy if you are aware of this attack is fairly easy to do. blockchain.info was an easy target because it was a central point of failure as well.

I don't like "very difficult". Very difficult depends on the attackers capabilities, and who knows whos attacking you, money is money attackers will attack anyone who has money. It's possible the attacker may think you have more money than you do, or the attack may be entirely automated so they are just going after anyone they can infect.

Mostly agreed, and there is a whole "social" layer of security that must be considered as well. The fact that I am discussing this with you, the fact that I am in IT, the fact that I have certain political opinions, the fact that I have a bitcointalk account, ect... all make me a much larger target than someone without those traits. I am cognizant of these weaknesses and this is why I took paranoid steps to secure my cold storage... short of doing a 100% audit on every line of code.

Good security is very complicated and even the best security experts occasionally make some mistakes(and thus why you should never have a single point of failure) for securing all your wealth.

 One great thing about Bitcoin is its forcing the users and society to adapt and develop better security and auditing. Most traditional fiat banks have abysmal security but its losses are ignored and amortized.


 

[colinistheman]

Isn't this a safe way to spend bitcoins from a paper wallet:

1.) Boot from a Linux Live DVD
2.) Visit blockchain.info
3.) perform a sweep of the entire contents of the private key to your destination.

Using the Live DVD prevents any malware or key loggers.

And sweeping the key, removes the funds fully from your private key and puts them where you want without re-using the original private key.

[Blazr]

Isn't this a safe way to spend bitcoins from a paper wallet:

1.) Boot from a Linux Live DVD
2.) Visit blockchain.info
3.) perform a sweep of the entire contents of the private key to your destination.

Using the Live DVD prevents any malware or key loggers.

And sweeping the key, removes the funds fully from your private key and puts them where you want without re-using the original private key.

You are exposing yourself to all kinds of risks by using blockchain.info. Yes, I know they are trustworthy, but they CAN access your funds despite what people say as they can modify the code at anytime, or a hacker whos broken in can modify the code, or they could mess up again and introduce another bug like last time where they almost lost 1,000's of BTC. It's an unnecessary risk. In the past, lots of people were hacked when they accessed blockchain.info over Tor. This is due to man-in-the-middle attacks, which happen all over the internet, not just on the Tor network although they are more common there due to the way the Tor network is designed.

Malware CAN jump from your main OS onto your live CD, I explained a few ways this can happen in this thread. This is not something the happens a lot, but it is trivial for a hacker to do some of the techniques I described, and I'm sure eventually hackers will start looking into these kinds of techniques if people are using live CD's to protect their coins.

Not reusing the paper wallet is a good idea. You should definitely do that.

[colinistheman]

Isn't this a safe way to spend bitcoins from a paper wallet:

1.) Boot from a Linux Live DVD
2.) Visit blockchain.info
3.) perform a sweep of the entire contents of the private key to your destination.

Using the Live DVD prevents any malware or key loggers.

And sweeping the key, removes the funds fully from your private key and puts them where you want without re-using the original private key.

You are exposing yourself to all kinds of risks by using blockchain.info. Yes, I know they are trustworthy, but they CAN access your funds despite what people say as they can modify the code at anytime, or a hacker whos broken in can modify the code, or they could mess up again and introduce another bug like last time where they almost lost 1,000's of BTC. It's an unnecessary risk. In the past, lots of people were hacked when they accessed blockchain.info over Tor. This is due to man-in-the-middle attacks, which happen all over the internet, not just on the Tor network although they are more common there due to the way the Tor network is designed.

Malware CAN jump from your main OS onto your live CD, I explained a few ways this can happen in this thread. This is not something the happens a lot, but it is trivial for a hacker to do some of the techniques I described, and I'm sure eventually hackers will start looking into these kinds of techniques if people are using live CD's to protect their coins.

Not reusing the paper wallet is a good idea. You should definitely do that.

What's the best way to spend the bitcoin on my paper wallets then? Since the bitcoins are already stored there.

[Blazr]

What's the best way to spend the bitcoin on my paper wallets then? Since the bitcoins are already stored there.

What you can do is you can create a custom version of Ubuntu that contains an SPV client like multibit or electrum and burn that to a CD and use that. Though creating a custom version of Ubuntu is annoying to do. You could also install a copy of electrum on the live cd, to do that simply type "sudo apt-get install electrum" into a terminal when running the live CD, though you'll have to do this each time you boot the live CD.

After you do that make a throwaway wallet and import the private key into that and sweep the funds off to a new address.

That is somewhat better.  The ideal solution would be to use a separate cold storage PC, and if you are doing that you may as well just use a normal encrypted wallet.

[Kprawn]

And the method you described for creating a paper wallet is a lot of steps for the average user IMO.

The average user ...............

Some average users also make use of "office" equipment / printers / Photo copiers at their place of work with built in hard drives. This is also a point of failure for some people.

This has been demonstrated in one of the episodes in the TV Series "Hacking the system"   

Blazr - Your solution is a bit complicated for the "average" user. If I tell the general public to do that, they will not accept Bitcoin as a payment method.

How about a "Idiot's guide to create secure Cold storage" ?

I will use your more advanced guide ... thanks. 

[inBitweTrust]

Some average users also make use of "office" equipment / printers / Photo copiers at their place of work with built in hard drives. This is also a point of failure for some people.

On printers-
https://www.reddit.com/r/Bitcoin/comments/2aodta/on_printer_memory_for_the_security_of_printed/

PRINTERS WITH HARD-DRIVE:

Pretty much any home/personal printer will not have a hard drive, but most will have some kind of memory installed. Depending on the type of printer, as well as the model, will determine how much, if any, memory is installed.

Most memory that is in home/personal printers only hold the data for the current print job from anywhere from a few lines to a few pages, as the job is being printed. Once the job is complete or the printer is turned off, any data that was in memory is erased & unrecoverable. Printers commonly use basic RAM memory, which is commonly referred to as volatile memory since it cannot store data once power is removed.

NOTES ON PRINTERS WITH HARD-DRIVES:

    If the printer allows you to bypass its internal hard drive and print directly from RAM, select this setting for better security, and ensure that print jobs are not stored on the printer hard-drive.

    If you do choose to store print jobs on the drive, ensure that it is encrypted with a strong encryption method, such as AES.

    If the printer allows you to overwrite the data immediately after printing (or scanning or faxing, if it’s an all-in-one device), select that option.

    Almost all new models include a wipe disk function for decommissioning the printer, and most include disk encryption, so if you take the disk out of the printer you won't be able to read the information stored on it.

NOTE: Even old printers (laser, dot matrix, inkjet, etc....) had some kind of memory that they used for some data storage for printing.

NOTES ON PRINTER MEMORY:

    Most current printers have a couple megabytes of memory

    In some cases the printer may be using volatile memory with a battery backup, If it is, this should be mentioned in the user guide. In that case, leave it unplugged for however long the user guide says is too long.

MISC. NOTES FOR CREATING COLD STORAGE WALLETS:

    ALWAYS ASSUME YOUR DEVICES HAVE BEEN COMPROMISED BY BAD ACTORS (Criminals)
    Use a dedicated computer & printer for purposes of creating Cold-storage wallets.
    Keep both dedicated computer and printer off the internet, keep wireless options deactivated or physically removed if possible.

MOST POPULAR PRINTERS: Most Popular Printers with examples of on-board memory

Amazon top 13 Printers (Best Sellers)
#    Brand    Model    Memory Capacity    Notes
1    Canon    PIXMA MX922    Approx. 250 Pages12    FAX
2    Epson    XP-310 Wireless    NL    Not Listed
3    Brother    HL-2270DW Compact Laser    32MB    Standard
4    Epson    XP-410 Small-inkjet    NL    Not Listed
5    Canon    PIXMA PRO-100 Color    250 Pages    
6    HP    Envy 4500 Wireless    NL    Not Listed
7    Brother    MFCJ450DW    170 Page Fax Memory    
8    Epson    WF-3520 Wireless    NL    Not Listed
9    Epson    WF-2540 Wireless    NL    Not Listed
10    Epson    WF-3620 Wireless    Up to 180 pages    Fax Memory
12    Canon    LBP6000    2MB    buffer memory
13    Hewlett Packard    1102W Wireless    8 MB    Standard

[inBitweTrust]

How about a "Idiot's guide to create secure Cold storage" ?

https://bitcoinarmory.com/tutorials/armory-advanced-features/offline-wallets/
https://bitcoinarmory.com/tutorials/armory-advanced-features/fragmented-backups/
https://bitcoinarmory.com/tutorials/armory-advanced-features/lockbox/create-lockbox/

... but more guides and different options are always welcomed.

[Amph]

the point in the end should be to secure your desktop/laptop/device, it does not matter much which is less secure(and you are comparing a way where the wallet is encrypted and a way where it isn't...)

i did not even encrypted my wallet, and i never lost any btc due to thieves, because i have a secure desktop in primis, which is the most important thing

one thing you can do is dual boot(on separate hard disk, and remove the power from the Hdd with bitcoin everytime you boot with the other, this is secure at 100%, non-hackable)

[spazzdla]

Screw a printer burn them to a CD.

[inBitweTrust]

Screw a printer burn them to a CD.

Factory burned cd's and dvds are a completely different process than ones you burn at home.

Home burned CDs and DVDs are notoriously flaky and damage very easy. I lost huge amounts of data in the past because expensive archival quality dvds didn't last more than 1 year, let alone any cheap discs(which may be DOA or fail shortly after). It is a huge gamble with those items that depends upon the batch , brand, humidity and other environmental factors, ect...

[spazzdla]

Why in the shits of shits of shits are you reconnecting the Harddrive you created it on back to the net.

F
A
I
L

on an epic level.. epic beyond epic.

The harddrive used to create the wallet from bitaddress.org should never EVER EVER EVER touch the web again after you have encrypted the paper wallet.


EVER NEVER EVER EVER EVER AGAIN! EVER AGAIN.


So do continue with the assumption the harddrive which was used to encrypt the paper wallet using bitaddress.org will never touch the web again.

How does one break the encryption?

[spazzdla]

Screw a printer burn them to a CD.

Factory burned cd's and dvds are a completely different process than ones you burn at home.

Home burned CDs and DVDs are notoriously flaky and damage very easy. I lost huge amounts of data in the past because expensive archival quality dvds didn't last more than 1 year, let alone any cheap discs(which may be DOA or fail shortly after). It is a huge gamble with those items that depends upon the batch , brand, humidity and other environmental factors, ect...

I have them on 10 CD's.. 10 jump drives.. an external harddrive.. physically printed.

Encrypted with a +20 char pass..

Harddrive that was used to create them no longer exists and NEVER touched the web once.

[ragi]

I have never had a problem with a paper wallet. Why is this fear-mongering starting now? I even created them on live pc. Maybe I am just lucky... idk...

[spazzdla]

I have never had a problem with a paper wallet. Why is this fear-mongering starting now? I even created them on live pc. Maybe I am just lucky... idk...

WHOA WHOA WHOA..

That is a bad plan man..

You haven't had an issue until BTC EXPLODES in value and you find out that is EXACTLY what the hackers were waiting for boom it's gone...

I would be very nervious about my bitcoins if they were created on a harddrive that was connected to the web at the time or ever reconnected to the web..


One thing is certian the gov has your private keys 100%, do you trust the NSA?

[Borisz]

One thing is certian the gov has your private keys 100%, do you trust the NSA?

Could you please justify this statement? Do you have an explanation on how/why or maybe a link to a research paper?

[ragi]

One thing is certian the gov has your private keys 100%, do you trust the NSA?

I don't. I know they have even more that what it was revealed by that guy...

[Lauda]

This is an interesting thread. Even though I was never really praising paper wallets as the ultimate method, I have been recommending it.
I've only tried this method once myself and it was really an inconvenience for me. OP thank you.
I'm pretty sure that in the future we are going to have better software for this as currently everything is still fresh.

I would recommend installing VMware on a HDD and encrypt and keep your wallet there. Just keep it disconnected if you're storing a lot of Bitcoins.

One thing is certian the gov has your private keys 100%, do you trust the NSA?

Could you please justify this statement? Do you have an explanation on how/why or maybe a link to a research paper?

No. He's saying that it is certain that the government has your private keys.
He's talking nonsense.

[bornil267645]

As long as the wallet remains offline it will remain safe. So I don't think it should be a qstn of paper wallet or not.

[Lauda]

As long as the wallet remains offline it will remain safe. So I don't think it should be a qstn of paper wallet or not.

Have you even read anything that was written in the original post?
It seems like you have not.

If someone busts inside your house they'll see you have Bitcoins if they find the paperwallet, but on the other hand with an encrypted hidden file inside a USB they would never figure out that you are a owner of Bitcoins. This is a plus against paper wallets.

It doesn't have to be hidden nor on a USB. If you have a encrypted wallet on your PC with a good password it will be useless to them.

[spazzdla]

How do I know..

Sweet mother of god have you guys ever read a news paper?


I find it quite hilarious everyone goes on about security yet slacks on security measures.. THEN long be hold once a week "HELP ALL MY COINS ARE GONE"..

Why are you being lazy on security........ I hear The Bank Of America will take care of security for you if you are to lazy.

[odolvlobo]

How do I know..
Sweet mother of god have you guys ever read a news paper?

[LFC_Bitcoin]

If someone busts inside your house they'll see you have Bitcoins if they find the paperwallet, but on the other hand with an encrypted hidden file inside a USB they would never figure out that you are a owner of Bitcoins. This is a plus against paper wallets.

Most dumb ass thieves/robbers wouldn't have a clue what bitcoin is let alone know how to put a private key into an online wallet to swipe the paper one.
When somebody robs a house they normally look for cash, electronics etc, I doubt they'll be looking inside an old book or a filing cabinet for a piece of paper with a combination of random numbers and letters on.

[spazzdla]

How do I know..
Sweet mother of god have you guys ever read a news paper?

Why is Snowden in Russian than big boy?

[Klestin]

How does an air-gapped machine contract malware?  It can sign transactions with zero Internet (or LAN for that matter) connectivity. Additionally, M of N paper wallets mitigate physical theft.

OP has missed the entire point of a paper wallet. 

[Panthers52]

I have never had a problem with a paper wallet. Why is this fear-mongering starting now? I even created them on live pc. Maybe I am just lucky... idk...

The first post in this thread actually did a pretty good job of explaining why paper wallets are more susceptible to theft/loss. Both are going to be fairly secure while more can go wrong with paper wallets, primarily physical theft of the paper wallet.

The to;dr version is that both encrypted wallets and paper wallets have certain vulnerabilities. Encrypted wallets have a subset of vulnerabilities and paper wallets have the same subset of vulnerabilities and then a greater subset of vulnerabilities.

[Blazr]

How does an air-gapped machine contract malware?  It can sign transactions with zero Internet (or LAN for that matter) connectivity. Additionally, M of N paper wallets mitigate physical theft.

OP has missed the entire point of a paper wallet. 

Many ways. Read up on Stuxnet. The most likely scenario would be via USB sticks when you are transferring files (which many people do with airgapped machines even though it's a big no-no), but you could also be infected if your airgapped PC's OS or other software was tampered with in some way when you were installing it, such as malware on the computer you burned the boot CD/USB tampering with the image. These are pretty advanced attacks, but they are certainly not so difficult to execute and not unheard of and thy will probably happen to some Bitcoiners eventually so people should be aware of them so that they can defend themselves if they deem it necessary.

[Blazr]

The to;dr version is that both encrypted wallets and paper wallets have certain vulnerabilities. Encrypted wallets have a subset of vulnerabilities and paper wallets have the same subset of vulnerabilities and then a greater subset of vulnerabilities.

I like this tl;dr a lot, does a great job at summing it up.

[Klestin]

How does an air-gapped machine contract malware?  It can sign transactions with zero Internet (or LAN for that matter) connectivity. Additionally, M of N paper wallets mitigate physical theft.

OP has missed the entire point of a paper wallet. 

Many ways. Read up on Stuxnet. The most likely scenario would be via USB sticks when you are transferring files (which many people do with airgapped machines even though it's a big no-no), but you could also be infected if your airgapped PC's OS or other software was tampered with in some way when you were installing it, such as malware on the computer you burned the boot CD/USB tampering with the image. These are pretty advanced attacks, but they are certainly not so difficult to execute and not unheard of and thy will probably happen to some Bitcoiners eventually so people should be aware of them so that they can defend themselves if they deem it necessary.

I should add "without absolute user ineptitude, or an attackers reliance on zero-day vulnerabilities targeted to your specific hardware".

I fail to see how these extremely unlikely scenarios make "paper wallets less secure than normal encrypted wallets".  Do you?

[Blazr]

The easiest way for me to explain that is, you tell me how you create your paper wallet, do you use a live OS, airgapped PC etc what other precautions you take, and I'll explain based on that scenario how an encrypted wallet would be safer.

[Klestin]

The easiest way for me to explain that is, you tell me how you create your paper wallet, do you use a live OS, airgapped PC etc what other precautions you take, and I'll explain based on that scenario how an encrypted wallet would be safer.

I'll bite. Within a faraday cage, assemble a PC from parts purchased and held in storage for the last several years.  OS installed from DVD (let's say Windows XP, original discs).  Wallet generator software source code printed code-reviewed, and re-entered by hand and compiled on the PC.  Wallet initial entropy via dice, rolled in a darkened room in the dead of the night (sensitive fingertips required for dice reading).  M of N paper wallet created and written by hand.  Remainder of notepad incinerated.  Pages stored in geographically disparate secure localities.  PC degaussed, then incinerated.

If coins are to be spent, M parts of wallet gathered, then repeat most of the above, sign the transaction, transfer the signature via handwritten pad, and enter on the connected PC of your choice.

You didn't say it had to be practical.

[odolvlobo]

Anyone that want's to make a paper wallet should buy a Mycelium Entropy. It is the most convenient and most secure way to make a paper wallet.

The combination of maximum security and maximum convenience is rare, but Entropy achieves it. You just plug it in, press a button and print. There is no need for an air-gapped computer, bootable CDs, formatting disks, etc.

[Panthers52]

The easiest way for me to explain that is, you tell me how you create your paper wallet, do you use a live OS, airgapped PC etc what other precautions you take, and I'll explain based on that scenario how an encrypted wallet would be safer.

I'll bite. Within a faraday cage, assemble a PC from parts purchased and held in storage for the last several years.  OS installed from DVD (let's say Windows XP, original discs).  Wallet generator software source code printed code-reviewed, and re-entered by hand and compiled on the PC.  Wallet initial entropy via dice, rolled in a darkened room in the dead of the night (sensitive fingertips required for dice reading).  M of N paper wallet created and written by hand.  Remainder of notepad incinerated.  Pages stored in geographically disparate secure localities.  PC degaussed, then incinerated.

If coins are to be spent, M parts of wallet gathered, then repeat most of the above, sign the transaction, transfer the signature via handwritten pad, and enter on the connected PC of your choice.

You didn't say it had to be practical.

If you are this paranoid about creating a paper wallet then there is probably a pretty high chance that you will end up in a psychiatric institution. You would then be unable to ever spend the money you send to the associated address.

[Klestin]

If you are this paranoid about creating a paper wallet then there is probably a pretty high chance that you will end up in a psychiatric institution. You would then be unable to ever spend the money you send to the associated address.

Psychiatric institutions generally don't allow Internet access.  My 0.013 BTC are secure forevers!

[Panthers52]

If you are this paranoid about creating a paper wallet then there is probably a pretty high chance that you will end up in a psychiatric institution. You would then be unable to ever spend the money you send to the associated address.

Psychiatric institutions generally don't allow Internet access.  My 0.013 BTC are secure forevers!

You would suffer the loss of your freedom and privacy in exchange for keeping your Bitcoin safe from theft. I don't think this is a very good trade off when Bitcoin is suppose to represent additional freedom and privacy.

It would also result in you loosing access to your Bitcoin which would be a loss to you because you would be unable to spend it if you wished to do so. It would be similar to you using an encrypted wallet and then having all of your backups get corrupted

[Klestin]

You would suffer the loss of your freedom and privacy in exchange for keeping your Bitcoin safe from theft. I don't think this is a very good trade off when Bitcoin is suppose to represent additional freedom and privacy.

It would also result in you loosing access to your Bitcoin which would be a loss to you because you would be unable to spend it if you wished to do so. It would be similar to you using an encrypted wallet and then having all of your backups get corrupted

Um...  you seriously believe someone who securely creates a paper wallet per my listed steps deserves to be locked up in a psychiatric facility?  Nah, you must be trollin'.  Good one dude!

In any event, the challenge was to describe a set of steps to create a paper wallet that is more secure than an encrypted wallet on a connected desktop.  Do you have a vulnerability in mind that invalidates my proposal, or is "psychiatric lockup" the best you can do?

[Panthers52]

You would suffer the loss of your freedom and privacy in exchange for keeping your Bitcoin safe from theft. I don't think this is a very good trade off when Bitcoin is suppose to represent additional freedom and privacy.

It would also result in you loosing access to your Bitcoin which would be a loss to you because you would be unable to spend it if you wished to do so. It would be similar to you using an encrypted wallet and then having all of your backups get corrupted

Um...  you seriously believe someone who securely creates a paper wallet per my listed steps deserves to be locked up in a psychiatric facility?  Nah, you must be trollin'.  Good one dude!

Someone who takes that level of precautions are most likely going to display other symptoms of paranoid schizophrenia. Some may even argue that doing what you described would be an indication of schizophrenia.

Try describing even part of that process to someone in RL, tell them you are doing those steps to secure your money and see what they think about your mental state.

[Klestin]

Do you have a vulnerability in mind that invalidates my proposal, or is "psychiatric lockup" the best you can do?

Try describing even part of that process to someone in RL, tell them you are doing those steps to secure your money and see what they think about your mental state.

I'll take that as "yes, that's the best I can do."

[spazzdla]

You would suffer the loss of your freedom and privacy in exchange for keeping your Bitcoin safe from theft. I don't think this is a very good trade off when Bitcoin is suppose to represent additional freedom and privacy.

It would also result in you loosing access to your Bitcoin which would be a loss to you because you would be unable to spend it if you wished to do so. It would be similar to you using an encrypted wallet and then having all of your backups get corrupted

Um...  you seriously believe someone who securely creates a paper wallet per my listed steps deserves to be locked up in a psychiatric facility?  Nah, you must be trollin'.  Good one dude!

Someone who takes that level of precautions are most likely going to display other symptoms of paranoid schizophrenia. Some may even argue that doing what you described would be an indication of schizophrenia.

Try describing even part of that process to someone in RL, tell them you are doing those steps to secure your money and see what they think about your mental state.

Mental illness LMAO what a joke.  A group of random fucks decide if you have x traits you are mentally ill.  You should see some of the panels of these bastards.  

"But I do that"

"Oh okay lets not put that in there then"

It's a fucking joke.




The fact you are so lazy with your wealth I think is a mental illness.  The illness of extreme lazyness SO LAZY you attempt to make others think they have a problem as they are not as lazy as you.

[Panthers52]

Do you have a vulnerability in mind that invalidates my proposal, or is "psychiatric lockup" the best you can do?

Try describing even part of that process to someone in RL, tell them you are doing those steps to secure your money and see what they think about your mental state.

I'll take that as "yes, that's the best I can do."

I will difer to the expert in computer security (blazr) to look for other vulnerabilities.

One risk would be that you make a mistake in copying the private keys and/or the code as humans are notorious for making copy mistakes and it would be difficult to check for such mistakes without adding potential additional chances for your private key to leak.

I am not lazy with securing my money. I only take reasonable precautions that balance various risks of loss and theft with what would end up lost (how much I would lose) and the chances of various attacks of succeeding.

[Blazr]

The easiest way for me to explain that is, you tell me how you create your paper wallet, do you use a live OS, airgapped PC etc what other precautions you take, and I'll explain based on that scenario how an encrypted wallet would be safer.

I'll bite. Within a faraday cage, assemble a PC from parts purchased and held in storage for the last several years.  OS installed from DVD (let's say Windows XP, original discs).  Wallet generator software source code printed code-reviewed, and re-entered by hand and compiled on the PC.  Wallet initial entropy via dice, rolled in a darkened room in the dead of the night (sensitive fingertips required for dice reading).  M of N paper wallet created and written by hand.  Remainder of notepad incinerated.  Pages stored in geographically disparate secure localities.  PC degaussed, then incinerated.

If coins are to be spent, M parts of wallet gathered, then repeat most of the above, sign the transaction, transfer the signature via handwritten pad, and enter on the connected PC of your choice.

You didn't say it had to be practical.

Sounds great, though that only covers one part of the setup, the generation process. How are you going to spend those Bitcoins? You're going to need some kind of computer right? so I guess destroying the secure computer like you did seems counter-intuitive as you'll need atleast one secure computer to join up the m of n paper wallets to spend them. If you're a fan of destroying and buying computers each time you make a transaction, that would work. But instead of doing that, you could create another wallet using a similar process except make it an M of N encrypted wallet stored on multiple different computers stored in different locations. Same level of security, makes more sense than rebuying computers, why print out the keys at all?

My point is, all paper wallets eventually have to touch a PC and while they are touching the PC they are just as vulnerable as a normal encrypted wallet that has been unlocked, however unlike a locked encrypted wallet which is "non-trivial" to crack, paper wallets have other security risks you need to take into account such as the printer memory issue, which you do not need to even worry about with an encrypted wallet. Additionally wallets are only unlocked for milliseconds if even, some users of paper wallets who are tying in private keys etc may leave the private key in memory for quite some time exposing it to risk. It really does make much more sense to just use a normal encrypted wallet rather than a paper one. I prefer strength in numbers rather than strength in "paper", I am already tired of "paper" money

[Klestin]

Sounds great, though that only covers one part of the setup, the generation process. How are you going to spend those Bitcoins?

Keep reading, it's covered.

As admitted, my example isn't easy, or even practical.  In the real world, we have to balance security and ease of use.  Personally, I use a Trezor.

[Blazr]

Sounds great, though that only covers one part of the setup, the generation process. How are you going to spend those Bitcoins?

Keep reading, it's covered.

You're "manually" signing the transaction? Do that with the encrypted wallet too, it'll save you the ink and will give you the same security.

[Klestin]

You're "manually" signing the transaction? Do that with the encrypted wallet too, it'll save you the ink and will give you the same security.

It really won't.  Connected computers can be compromised with a keylogger.  My described scenario cannot.

[Blazr]

You're "manually" signing the transaction? Do that with the encrypted wallet too, it'll save you the ink and will give you the same security.

It really won't.  Connected computers can be compromised with a keylogger.  My described scenario cannot.

I am sorry I reread your scenario but how are you signing the transaction for your paper wallet, are you signing it on a secure PC or "by hand"? I got the impression you said you were doing it "by-hand" IE pen and paper EC math but now I'm not sure.

[Klestin]

I am sorry I reread your scenario but how are you signing the transaction for your paper wallet, are you signing it on a secure PC or "by hand"? I got the impression you said you were doing it "by-hand" IE pen and paper EC math but now I'm not sure.

In my (admittedly costly and time-consuming) example, the PC is rebuilt, the wallet primed from the M portions of the paper wallet, and the transaction information entered.  The signature is generated on the disconnected PC, manually transcribed, then the PC is again decommissioned.

[blossbloss]

Serious comment: brainwallet for long term storag, Trezor for mid term, and Mycelium app for pocket change.
Comments?

[afriezalie]

In my opinion, both of them are same. If we use encrypted wallet such as electrum, our wallet could be hacked by someone or we lose our recovery ID  when we re-install our operating system. If we use paper walllet, maybe it's safer than encrypted wallet, but when we generate paper wallet, malware could read our private key. So there's no perfect place to store our BTC. That's my opinion.

[Klestin]

Serious comment: brainwallet for long term storag, Trezor for mid term, and Mycelium app for pocket change.
Comments?

Brainwallet is fine if done correctly.  Sadly, virtually all brainwallets are not done correctly.  The crib notes version for correctly generating a brainwallet:

- Pick 12+ random (really, actually, truly) random words from a large list. Diceware will work fine. (Google it if unfamiliar)
- Commit the words to memory, and periodically test yourself
- Generate your wallet/key from an offline copy of a page, that you either trust or have personally verified the code. Or use Electrum, if you trust it and have ensured it is untampered with.

Trezor and Mycelium I use myself.

[Quickseller]

Serious comment: brainwallet for long term storag, Trezor for mid term, and Mycelium app for pocket change.
Comments?

Brainwallet is fine if done correctly.  Sadly, virtually all brainwallets are not done correctly.  The crib notes version for correctly generating a brainwallet:

- Pick 12+ random (really, actually, truly) random words from a large list. Diceware will work fine. (Google it if unfamiliar)
- Commit the words to memory, and periodically test yourself
- Generate your wallet/key from an offline copy of a page, that you either trust or have personally verified the code. Or use Electrum, if you trust it and have ensured it is untampered with.

Trezor and Mycelium I use myself.

If the words are random, then it will be much more difficult to memorize, and the chances will be greater that you will lose access to your funds.

IMO a safer bet would be to do the following:
#create a brain wallet with a relatively easy to remember phrase
#sign a message with a second, but different easy to remember phrase
#the resulting signature will be your passphrase

For example:
#I create a brain wallet with the phrase "quickseller is cool" (without quotes)
#The corresponding address is using brainwallet.github.io (uncompressed) is 13qAJGPqcyK2Dd69b19n4S9Bvfwxn7SS5Q
#The private key to 13qAJGPqcyK2Dd69b19n4S9Bvfwxn7SS5Q is 5KcNGK5y76KHYMNLnzX8exekj5Y3ygDMNUhudeoc3Eurk9hWkEN
#If I sign the message "today is friday" (without quotes) with the above private key (multibit) then I would receive the following signature: G7PbabLubAJeeEUf0UGvEvD4YeTRw/M3ft/k4daoiocef4fqHY7QX7wJjvSss9TX0E3wMuFA+4zt2/44PkYimYM=
#I would then use G7PbabLubAJeeEUf0UGvEvD4YeTRw/M3ft/k4daoiocef4fqHY7QX7wJjvSss9TX0E3wMuFA+4zt2/44PkYimYM=
 as my passphrase for my brain wallet which would result in the address 1A9Xp5DgASmApmnRpgzriW663oJdv2Uxic

The above steps would make it much more difficult for a brainwallet farmer to try to crack my brainwallet because of the exponentially greater number of potential passphrases if you use two sentences found in literature or are otherwise easily crackable.

If you were to assume there are 1,000,000 words in the english dictionary, and you were to use a 'random' three words as your 'first' passphrase' and a 'random' three words as the message that you sign with the above resulting key then:

There are 1,000,000³, or ~1 * 10¹⁸ possibilities as to what your first (signing) address will be. If you can calculate a trillion 'three word' passphrase combinations per second then it would take you 1,000,000 seconds or ~99 weeks to find all of the possible 'three word' passphrase combinations - they have probably already been found a long time ago.

If you were to take a random of the above addresses and sign a random three word message with the resulting private key then there would be a total of 1 * 10³⁶ possible signing address - resulting signature combinations. If you can calculate a trillion of these combinations per second then it would take you 1 * 10²⁴ seconds to calculate all of these combinations, this works out to be roughly 1.335 * 10¹⁹ years to calculate all of the possible combinations.

The current Bitcoin network hash rate is something less then 400,000 trillion hashes per second, so if the entire current network were to be repurposed to calculate all of the possible above combinations (assuming ASICs could be repurposed to do this) then it would take roughly 3.3375 * 10¹² years to calculate all of the possible combinations. This is roughly 3.3 trillion years.

It should be noted that a three word combination would be very easy to remember, and it would not be difficult to increase either, or both of the lengths, and if this were to happen then the number of possible private key combinations would be exponentially larger.

It should also be noted that I am not going to personally endorse this strategy of creating a brain wallet, and as a result I am not going to take responsibility if anyone were to have their funds stolen as a result of employing this kind of strategy.

if someone can find any non-trival errors in my math then please feel free to point them out

[Klestin]

If the words are random, then it will be much more difficult to memorize, and the chances will be greater that you will lose access to your funds.

[snip]

The above steps would make it much more difficult for a brainwallet farmer to try to crack my brainwallet because of the exponentially greater number of potential passphrases if you use two sentences found in literature or are otherwise easily crackable.

It should also be noted that I am not going to personally endorse this strategy of creating a brain wallet, and as a result I am not going to take responsibility if anyone were to have their funds stolen as a result of employing this kind of strategy.

if someone can find any non-trival errors in my math then please feel free to point them out

As to math problems, I'll only point out that there are nowhere near 1 million english words - there are less than 200k words in total.  If these are words are to be memorized, they must be known to the user.  A more practical number to use here is 10,000.  This alone changes your math to a final result of 3.3 years instead of 3.3 trillion years.  If the words are not random, then of course this goes way way down.

This may not be good enough and may result in the loss of your funds.  Don't do this.  If you are unwilling to memorize (and keep memorized) those 12+ RANDOM words, then don't use a brainwallet.  Nobody said you have to memorize them into one long list - feel free to make them into four three-word phrases.  The KEY is that they have to be ACTUALLY RANDOM.  No phrases, no book quotes, no birthdays, etc.  Random words, chosen by dice roll or other non-computer-generated method.

You can also use a hybrid approach.  Memorize some of the words, and keep the rest written down somewhere safe.  Just nowhere digital.

[Borisz]

As to math problems, I'll only point out that there are nowhere near 1 million english words - there are less than 200k words in total.

Quick search has shown this:
"The number of words in the English language is: 1,025,109.8.   This is the estimate by the Global Language Monitor on January 1, 2014." source
So the 1 million words is OK, however it is more realistic that an average person uses only a fraction of this, as you said as well. Above-average people may use something like 25'000 so that is the order you should be looking at, maybe even less, yes. These are the words you would normally think of. Unless, of course, you flip open some scientific magazines.

Let's jump to maths.

if someone can find any non-trival errors in my math then please feel free to point them out

There are 1,000,0003, or ~1 * 1018 possibilities as to what your first (signing) address will be. If you can calculate a trillion 'three word' passphrase combinations per second then it would take you 1,000,000 seconds or ~99 weeks to find all of the possible 'three word' passphrase combinations - they have probably already been found a long time ago.

(1*10^18)/(1*10^12)=1000'000 which gives your 1 million seconds to break the first passphrase
1000'000/(60seconds*60minutes*24hours)=11.57 days instead of 99weeks

Assuming from the above an above-average person's dictionary, say 25'000 words, with the same numbers the first passphrase can be broken under 0.3 seconds.
The same 25'000 words, cracking with bitcoin network analogy would come down to under 20 years. Still probably pointless, but way less than the 3.3 trillion years. (which has probably the same flaw in calculating the time and it would be actually something like 0.08 trillion years, 7.93E10)

Check again the way you converted hashing time to actual time it takes and it will be OK. Significant error, however for the practical use it doesn't matter. If it takes 20,3 billion or 3 trillion years, who really cares? People will be happier stealing accounts with no encryption or the passphrase "puppy".


On a final note, I don't think you can make 10E12 guesses (trillion) per second, yet alone refurbish the Bitcoin network  . You can use this method if you want, but don't come up with words on your own like "it is Friday". Open a science book or something similar and roll some dice. However, at this point I would ask why would I do this? I personally find this method way too complex to be of practical use to me. I can write down my password somewhere and hide it on a piece of paper in a book's cover, glued to the back of some furniture etc etc.

[Fabrizio89]

That's the big problem with btc, too much thinking about how to secure your coins for the layman

[spazzdla]

That's the big problem with btc, too much thinking about how to secure your coins for the layman

This is a problem, if not the problem.  Things like trezor are trying.

[Klestin]

Quick search has shown this:
"The number of words in the English language is: 1,025,109.8.   This is the estimate by the Global Language Monitor on January 1, 2014." source

I based my number on this:
The Second Edition of the 20-volume Oxford English Dictionary contains full entries for 171,476 words in current use

So, I guess we should add "in current use" to the < 200k estimate.  Also, I can only guess that GLM's number includes every variant of every word (tense, subject, plurality, etc).  I expect it would be unwise to include all such variants for lists of words that must be precisely memorized.

In either event, I think we agree that the 1M or 200k discrepancy is largely irrelevant.  For brainwallets, there are two constraints on word selection: 1) They must be memorizable. 2) They must be randomly selectable.

Diceware uses five rolls of a six-sided die to do word selection.  This gives 7,776 possible "words", some of which aren't words, aren't well-known, and won't be easily memorized.  There are other lists out there, but they suffer the same constraints.  10,000 is a generous estimate of word pool size for this purpose.

Memorizing 12+ words, selected at random via dice roll, is a mathematically provable method to generate a sufficiently safe brainwallet.  Additional steps, shortcuts, obfuscations, etc are not necessary at best, and crippling to security at worst.

[vlom]

thank you very much.
i would like to add:
do not forget to backup HD/SSD with your wallet.
and don't forget to backup you backup.
and don't store all the backups at the same place.
and encrypt your backups.

and do not use a passphrase twice.

[BitcoinNewsMagazine]

I created the CIYAM Safe (https://susestudio.com/a/kp8B3G/ciyam-safe) for the purpose of making safe offline "cold storage".

To be really secure I would advise buying an *old computer" that predates any of the NSA attacks upon hard-drive firmware, etc. (yes it is a pity that they have made all modern hardware now suspect).

Like it or not we are in the middle of a "war' against privacy (which the major governments of this world hope we will lose).

How is CIYAM Safe more secure than Trezor? Thanks.

[bob123]

Conclusion.. Dont download every shit on every page and use a hardware wallet.

[helloeverybody]

That's some good information.  I will still stick to my paper wallets though.  I'm actually guilty of using a live machine to print them off.

[teukon]

In either event, I think we agree that the 1M or 200k discrepancy is largely irrelevant.  For brainwallets, there are two constraints on word selection: 1) They must be memorizable. 2) They must be randomly selectable.

Adding to point (2).  To achieve maximum entropy, it is essential that no word is more or less likely to be selected than any other and each select event is independent from any other.  Some people erroneously attempt to think up their own words or select them from random pages of some book.

Diceware uses five rolls of a six-sided die to do word selection.  This gives 7,776 possible "words", some of which aren't words, aren't well-known, and won't be easily memorized.  There are other lists out there, but they suffer the same constraints.  10,000 is a generous estimate of word pool size for this purpose.

Agreed.  I made my own version of the Diceware list years ago to counter this problem.  10 000 words is indeed generous.  Even as a native English speaker I wouldn't care to push much beyond 1000 words.

These days I use the English 2048-word list supplied with BIP0039:

Code:

abandon ability able about above ... zero zone zoo

Memorizing 12+ words, selected at random via dice roll, is a mathematically provable method to generate a sufficiently safe brainwallet.  Additional steps, shortcuts, obfuscations, etc are not necessary at best, and crippling to security at worst.

Certainly, shortcuts can cost entropy and while method obscurity may increase security, it will typically do so in a non-quantifiable way.  Relying on one's intuition regarding the difficulty of divining an obscure method is to abandon a foundational premise of information theory.

However, I'd like to highlight key-stretching as a fair source of additional security for a true brainwallet.  In essence, one simply forgets the last few words of their passphrase and brute-forces them whenever access is required.

I'd also like to expand on "sufficiently safe" here.

Selecting 12 words randomly and uniformly from a pool of 10 000 words gives 12 * log₂(10000) = 159.45 bits of entropy (2.d.p).  Roughly speaking, there are as many equally plausible 12-word passphrases as there are Bitcoin addresses.  Assuming the entropy of the passphrase is not reduced as it is converted into a private key, such a private key will be no less effective in securing a Bitcoin output than a standard random key.

Selecting 12 words from a pool of just 2048 yields

12 * log₂(2048) = 12 * 11 = 132

bits of entropy.  This is less secure than a standard address but is arguably "sufficiently safe" today.  Electrum¹ seeds have 128 bits by default.  Casascius coins used special 128-bit compact private keys.

Even 9 words from 2048 gives 99 bits of entropy.  We're well past the point of general cryptographic recommendation here but as far as a convenience/security tradeoff is concerned, I believe there are cases where 9 words would be a reasonable choice.  Extending your earlier point of reference:  As of block #387287, approximately 2^83.71 hashes have been calculated by miners in Bitcoin's lifetime, and such a hash is computationally cheaper than converting a private key to an address.

[1] Most new Electrum seeds are 13 words from the pool of 2048 words I linked to above.  One might expect such a seed to have 13 * 11 = 143 bits of entropy but some of the data is dedicated to a checksum/version-number and the final word is underutilised (usually begins 'ab' or 'ac').