dsattler
Legendary
Offline
Activity: 924
Merit: 1000
|
|
August 24, 2016, 06:27:33 AM |
|
Yeh, seed + keylogger is probably the biggest risk. I think PIN would be somewhat easy to brute-force if it were 25th word (compared to passphrase), but too lazy to do the math. I can still see it could be an advantage for advanced users though (since keylogger is less effective in that situation.)
Alternatively if the trezor could hold the 25th word in memory just like it does the 24 before it that would be awesome. (or you know the deterministic value that is derived from the seed). Just not writing down the last four words anywhere and remembering just those four is basically this but with the caviat that you have to memorize a new password rather than one you already have committed to memory. But yea having the pin as a 25th or 26th or w/e word certainly couldnt hurt even if it wasnt enough on its own. Maybe both. The pin as an extra word plus the ability to have a password that you need for recovery but not for day to day use entering in on mytrezor.com The pin wouldn't enhance the security because it is too short. You can't even call it bruteforcing if you only have 10000 combinations to guess! Add a long password and put it in your password manager and keep the seed on a piece of paper, then you're fine. An additional advantage is that you can have several "accounts" on your trezor by using different passwords.
|
Bitcointalk member since 2013!
|
|
|
NLNico
Legendary
Offline
Activity: 1876
Merit: 1303
DiceSites.com owner
|
|
August 24, 2016, 07:02:15 AM |
|
Yeh, even with 10 number PIN it would take a few minutes max, so I guess that's completely useless (again the device adds big exponentially increasing delay upon every failed PIN, so works fine for that.)
|
|
|
|
Anon136
Legendary
Offline
Activity: 1722
Merit: 1217
|
|
August 24, 2016, 01:15:13 PM |
|
Yeh, even with 10 number PIN it would take a few minutes max, so I guess that's completely useless (again the device adds big exponentially increasing delay upon every failed PIN, so works fine for that.) I don't think this sort of thing is linear. Sure it only takes a few minutes to crack the pin alone. Lets say for the sake of argument that it takes 5 minutes. Now imagine that you have a password that takes one week to crack. If you add the pin too that. It doesnt now take 1 week + 5 minutes. The added pin would make it take much longer than that. Idk the actual maths well enough to make a model. But supposing the original password took 1 week to crack (with a given machine) and you added an 8 digit pin to the end of it, that should push it way out side of the range of feasibility for the attacker using the same brute forcing hardware.
|
Rep Thread: https://bitcointalk.org/index.php?topic=381041If one can not confer upon another a right which he does not himself first possess, by what means does the state derive the right to engage in behaviors from which the public is prohibited?
|
|
|
NLNico
Legendary
Offline
Activity: 1876
Merit: 1303
DiceSites.com owner
|
|
August 24, 2016, 02:01:35 PM |
|
I guess like that yeh, but I was still thinking on the "seed + keylogger risk" - it wouldn't help for that.
|
|
|
|
georgem
Legendary
Offline
Activity: 1484
Merit: 1007
spreadcoin.info
|
|
August 24, 2016, 10:44:45 PM |
|
You can't even call it bruteforcing if you only have 10000 combinations to guess! That's true, and it's even less than 10000, just 6561 combinations since ZERO is not allowed, only numbers 1-9.
|
|
|
|
jiijj1
Newbie
Offline
Activity: 23
Merit: 0
|
|
August 27, 2016, 01:40:50 PM |
|
I have three Trezor devices which I bought at the same time, all three have 2 small marks on the top edge of device.
It looks like something that a tiny needle would do, I'm assuming this is the result of the manufacturing process when melting the plastic? The location of the marks is roughly pretty much the same on all three devices.
not sure if I explain it correctly, but if someone else has a Trezor device they can propably confirm this 2 marks?
|
|
|
|
malevolent
can into space
Legendary
Offline
Activity: 3472
Merit: 1725
|
|
August 28, 2016, 08:02:32 PM |
|
Yup, got the same thing. Two small marks, one smaller than the other, on the top edge of the device. If the two marks were connected with a line, it would be perpendicular to the line which runs across the perimeter of the device.
|
Signature space available for rent.
|
|
|
jiijj1
Newbie
Offline
Activity: 23
Merit: 0
|
|
August 29, 2016, 02:04:11 AM |
|
Yup, got the same thing. Two small marks, one smaller than the other, on the top edge of the device. If the two marks were connected with a line, it would be perpendicular to the line which runs across the perimeter of the device.
I guess this is the result of melting the plastic?
|
|
|
|
xbach
Newbie
Offline
Activity: 40
Merit: 0
|
|
August 31, 2016, 03:46:23 PM |
|
|
|
|
|
Anon136
Legendary
Offline
Activity: 1722
Merit: 1217
|
|
August 31, 2016, 04:59:10 PM |
|
This is silly. Why would you need another factor of authentication besides trezor?
|
Rep Thread: https://bitcointalk.org/index.php?topic=381041If one can not confer upon another a right which he does not himself first possess, by what means does the state derive the right to engage in behaviors from which the public is prohibited?
|
|
|
NLNico
Legendary
Offline
Activity: 1876
Merit: 1303
DiceSites.com owner
|
|
August 31, 2016, 05:12:04 PM |
|
I am afraid Google, Dropbox, Github, etc aren't adding Trezor Connect just yet so seems like another great update to me.
|
|
|
|
BitcoinNewsMagazine
Legendary
Offline
Activity: 1806
Merit: 1164
|
|
August 31, 2016, 06:32:34 PM |
|
I am afraid Google, Dropbox, Github, etc aren't adding Trezor Connect just yet so seems like another great update to me. Since Ledger Nano S added FIDO I have been using it to authenticate with Google. Trezor says in their new blog post that after firmware update to 1.4.0 you should be able to use Trezor to authenticate with Google on Chrome. Not working for you?
|
|
|
|
Anon136
Legendary
Offline
Activity: 1722
Merit: 1217
|
|
August 31, 2016, 06:42:05 PM |
|
This company. Oh my god this company is so great. These guys could have just been fly by night hacks when they were taking bitcoin early on. But they turned out to be so very very legit. Thanks so much for everything. This latest update in particular is so exciting!
I actually bought 2 more trezors just because what they hey, I'll have a separate one for monero, a separate one for internet security, and a separate on for bitcoin. Really I probably bought 2 more just cant stop nerding out over this first one every single day, and there were 2 more colors I didn't have damn it!
|
Rep Thread: https://bitcointalk.org/index.php?topic=381041If one can not confer upon another a right which he does not himself first possess, by what means does the state derive the right to engage in behaviors from which the public is prohibited?
|
|
|
NLNico
Legendary
Offline
Activity: 1876
Merit: 1303
DiceSites.com owner
|
|
August 31, 2016, 06:50:26 PM |
|
I am afraid Google, Dropbox, Github, etc aren't adding Trezor Connect just yet so seems like another great update to me. Since Ledger Nano S added FIDO I have been using it to authenticate with Google. Trezor says in their new blog post that after firmware update to 1.4.0 you should be able to use Trezor to authenticate with Google on Chrome. Not working for you? I was replying to Anon136, I read his message as: " why you need passwords + U2F... you could just use Trezor alone (like Trezor Connect)". So my answer is that U2F is a standard used by many sites and Trezor Connect not. So great firmware update. Did I misunderstood his post or something?
|
|
|
|
Anon136
Legendary
Offline
Activity: 1722
Merit: 1217
|
|
August 31, 2016, 08:15:57 PM |
|
|
Rep Thread: https://bitcointalk.org/index.php?topic=381041If one can not confer upon another a right which he does not himself first possess, by what means does the state derive the right to engage in behaviors from which the public is prohibited?
|
|
|
|
Anon136
Legendary
Offline
Activity: 1722
Merit: 1217
|
|
September 03, 2016, 03:14:50 AM |
|
So I just got my 2 new trezors in today and I immediately noticed something. The tactile feel of the click on the buttons feels noticeably different. Not just a slight difference. They feel very different. On the old one the actuation is very muted and soft almost mushy with almost no "click" to it. On the new ones its very clicky/snappy to the point where I can audibly hear the click if its very quite in my house.
Anyone else noticed this? Is it noted anywhere that satoshi labs changed some of their hardware manufacturers in newer production runs?
|
Rep Thread: https://bitcointalk.org/index.php?topic=381041If one can not confer upon another a right which he does not himself first possess, by what means does the state derive the right to engage in behaviors from which the public is prohibited?
|
|
|
Carlton Banks
Legendary
Offline
Activity: 3430
Merit: 3080
|
|
September 03, 2016, 08:42:47 AM |
|
Is it noted anywhere that satoshi labs changed some of their hardware manufacturers in newer production runs?
Well, it makes sense to use cheap switches on early production runs. I'd be surprised if any of the PCB layout needed any significant redesign to accommodate more expensive feeling switches. It may not even be a question of expense at all, and simply one of availability.
|
Vires in numeris
|
|
|
.m.
|
|
September 03, 2016, 02:52:35 PM |
|
I believe they know what they are doing
|
|
|
|
sugarfly
Full Member
Offline
Activity: 135
Merit: 100
Zettel-Dolphin
|
|
September 11, 2016, 05:53:03 PM Last edit: September 22, 2016, 08:02:40 AM by sugarfly |
|
Andreas Antonopoulos in his most recent joe rogan podcast appearance whips his TREZOR out of the pocket: https://youtu.be/1sOxtBiBpE4"this little device over here…" It's at the 1:58:33 mark -sf-
|
|
|
|
|