Bitcoin Forum
November 13, 2024, 08:45:16 AM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1]
  Print  
Author Topic: Question : trezor without passphrase, thief can make transactions ?  (Read 832 times)
Marcopolo123 (OP)
Member
**
Offline Offline

Activity: 62
Merit: 10


View Profile
July 09, 2015, 07:33:44 PM
 #1

hi,

what if my trezor without passphrase gets stolen, can the thief make transactions?
Scamalert
Hero Member
*****
Offline Offline

Activity: 490
Merit: 500


Captain


View Profile
July 09, 2015, 07:42:56 PM
 #2

Yes ofcause.

If you are bringing your trezor everywhere you go, then better pass word protect the device.
If you just keep your trezor in a safe or some other hidden place, then is a password not needed.
Marcopolo123 (OP)
Member
**
Offline Offline

Activity: 62
Merit: 10


View Profile
July 09, 2015, 07:47:35 PM
 #3

ok thx!

have to make sure i dont forget the passphrase...
Marcopolo123 (OP)
Member
**
Offline Offline

Activity: 62
Merit: 10


View Profile
July 09, 2015, 07:53:51 PM
Last edit: July 09, 2015, 08:36:46 PM by Marcopolo123
 #4

i added passphrase, but i cant see my balance..., it says 0.0 btc

edit: ahhh ok solved
Scamalert
Hero Member
*****
Offline Offline

Activity: 490
Merit: 500


Captain


View Profile
July 09, 2015, 09:16:32 PM
 #5

i added passphrase, but i cant see my balance..., it says 0.0 btc

edit: ahhh ok solved

Great!

I think that it is ok to have a simple password for the trezor, if you loose it, then is the chance of someone finding and at the same time know how to crack these things very small.

I also think you can justify to have one at home which does not have a password.

I know it sounds trivial, but remember to write the password down somewhere, many bitcoins have been lost over the time because of complicated password for wallet encryption which people forget.
JeromeL
Member
**
Offline Offline

Activity: 554
Merit: 11

CurioInvest [IEO Live]


View Profile
July 09, 2015, 09:38:36 PM
 #6

Yes ofcause.

No that is not true.

You do not need a passphrase to protect your funds in Trezor. The Trezor passphrase is only for advanced users. If you are not sure, please don't use it. If you forget your passphrase, you will lose all your funds.

Your Trezor is protected by a PIN. And this PIN alone is a very good protection.

If you have no passphrase, a thief can spend your coins only if :

He stole your Trezor AND you told him your PIN (the PIN cannot be key logged, cannot be spied on, cannot be brute forced)

---------------OR-------------------

He stole your seed (24 words given at initialisation).

Marcopolo123 (OP)
Member
**
Offline Offline

Activity: 62
Merit: 10


View Profile
July 10, 2015, 09:46:57 AM
 #7

the pin are the 9 numbers on the trezor screen right ?
saddambitcoin
Legendary
*
Offline Offline

Activity: 1610
Merit: 1004



View Profile
July 10, 2015, 01:19:50 PM
 #8

The PIN protects your Trezor from a thief.

You can set an optional passphrase for different accounts on your Trezor beyond that, if you want additional protection.

However, if you forget this passphrase your bitcoins will be LOST - the recovery seed will not help!

I think for most cases the PIN is enough security, unless you set a really weak PIN. Make it 6 digits.

LiteCoinGuy
Legendary
*
Offline Offline

Activity: 1148
Merit: 1014


In Satoshi I Trust


View Profile WWW
July 10, 2015, 01:49:20 PM
 #9

Yes ofcause.

No that is not true.

You do not need a passphrase to protect your funds in Trezor. The Trezor passphrase is only for advanced users. If you are not sure, please don't use it. If you forget your passphrase, you will lose all your funds.

Your Trezor is protected by a PIN. And this PIN alone is a very good protection.

If you have no passphrase, a thief can spend your coins only if :

He stole your Trezor AND you told him your PIN (the PIN cannot be key logged, cannot be spied on, cannot be brute forced)

---------------OR-------------------

He stole your seed (24 words given at initialisation).


finally
a good answer (and a right one)  Roll Eyes

johoe
Full Member
***
Offline Offline

Activity: 217
Merit: 259


View Profile
July 10, 2015, 02:13:00 PM
 #10

If you have no passphrase, a thief can spend your coins only if :

He stole your Trezor AND you told him your PIN (the PIN cannot be key logged, cannot be spied on, cannot be brute forced)

---------------OR-------------------

He stole your seed (24 words given at initialisation).

This assumes that there is no bug or design flaw in the TREZOR.  For example, with firmware up to 1.3.2 it is possible to get the keys from a stolen TREZOR without the PIN.  For the current firmware I don't know an easy way (the hard way by carefully opening the chip and using an electron microscope is not preventable).  With a secure passphrase you would be safe against these attacks.  However, a targeted attack would first install a keylogger on your computer to get the passphrase and then steal your TREZOR.  Still, the thief would need an electron microscope or know a new attack vector to get around the PIN (a cheaper way may be a fault attack).

This does not mean that hardware wallets are insecure.  A software wallet is much easier to compromise: You just need to install a Trojan on the victim's computer. The next time the wallet is used, the password and the private keys are sent to the command & control server.  With a TREZOR, you usually need a Trojan on the victim's computer (or physical access) AND you need to know a critical bug in the firmware that can be exploited.  These bugs usually get fixed quickly when they are discovered.

Donations to 1CF62UFWXiKqFUmgQMUby9DpEW5LXjypU3
LiteCoinGuy
Legendary
*
Offline Offline

Activity: 1148
Merit: 1014


In Satoshi I Trust


View Profile WWW
July 10, 2015, 02:56:45 PM
 #11

If you have no passphrase, a thief can spend your coins only if :

He stole your Trezor AND you told him your PIN (the PIN cannot be key logged, cannot be spied on, cannot be brute forced)

---------------OR-------------------

He stole your seed (24 words given at initialisation).

This assumes that there is no bug or design flaw in the TREZOR.  For example, with firmware up to 1.3.2 it is possible to get the keys from a stolen TREZOR without the PIN.  For the current firmware I don't know an easy way (the hard way by carefully opening the chip and using an electron microscope is not preventable).  With a secure passphrase you would be safe against these attacks.  However, a targeted attack would first install a keylogger on your computer to get the passphrase and then steal your TREZOR.  Still, the thief would need an electron microscope or know a new attack vector to get around the PIN (a cheaper way may be a fault attack).




you can use a virtual keyboard like that from kaspersky to reduce the risk.

but of course, nothing is 100% safe.

i would recommend to split your funds and use several PCs for that.

Marcopolo123 (OP)
Member
**
Offline Offline

Activity: 62
Merit: 10


View Profile
July 11, 2015, 09:14:09 PM
Last edit: July 11, 2015, 10:32:22 PM by Marcopolo123
 #12

hello, made a transaction from my trezor, it still shows unconfirmed on mytrezor.com, but on blockchain it already shows >7 confirmations...
i later sent some btc to my trezor, nothing shows up on mytrezor.com, but blockchain has already like 8 confirmations ?

do i have to worry ?

Edit : solved.
Pages: [1]
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!