dsattler
August 24, 2016, 06:27:33 AM

> Yeh, seed + keylogger is probably the biggest risk. I think PIN would be somewhat easy to brute-force if it were 25th word (compared to passphrase), but too lazy to do the math. I can still see it could be an advantage for advanced users though (since keylogger is less effective in that situation.)

> Alternatively if the trezor could hold the 25th word in memory just like it does the 24 before it that would be awesome. (or you know the deterministic value that is derived from the seed). Just not writing down the last four words anywhere and remembering just those four is basically this but with the caveat that you have to memorize a new password rather than one you already have committed to memory. But yea having the pin as a 25th or 26th or w/e word certainly couldn't hurt even if it wasn't enough on its own. Maybe both. The pin as an extra word plus the ability to have a password that you need for recovery but not for day to day use entering in on mytrezor.com

The pin wouldn't enhance the security because it is too short. You can't even call it bruteforcing if you only have 10000 combinations to guess! Add a long password and put it in your password manager and keep the seed on a piece of paper, then you're fine. An additional advantage is that you can have several "accounts" on your trezor by using different passwords.

NLNico
August 24, 2016, 07:02:15 AM

Yeh, even with 10 number PIN it would take a few minutes max, so I guess that's completely useless (again the device adds big exponentially increasing delay upon every failed PIN, so works fine for that.)

Anon136
August 24, 2016, 01:15:13 PM

> Yeh, even with 10 number PIN it would take a few minutes max, so I guess that's completely useless (again the device adds big exponentially increasing delay upon every failed PIN, so works fine for that.)

I don't think this sort of thing is linear. Sure it only takes a few minutes to crack the pin alone. Let's say for the sake of argument that it takes 5 minutes. Now imagine that you have a password that takes one week to crack. If you add the pin to that. It doesn't now take 1 week + 5 minutes. The added pin would make it take much longer than that. Idk the actual maths well enough to make a model. But supposing the original password took 1 week to crack (with a given machine) and you added an 8 digit pin to the end of it, that should push it way outside of the range of feasibility for the attacker using the same brute forcing hardware.

NLNico
August 24, 2016, 02:01:35 PM

I guess like that yeh, but I was still thinking on the "seed + keylogger risk" - it wouldn't help for that.

georgem
August 24, 2016, 10:44:45 PM

> You can't even call it bruteforcing if you only have 10000 combinations to guess!

That's true, and it's even less than 10000, just 6561 combinations since ZERO is not allowed, only numbers 1-9.
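
Added example (not part of the thread, and not Trezor's code): assuming the standard BIP39 seed derivation, it shows why different passphrases give separate "accounts" on one seed, and how appending a PIN to a password multiplies the search space instead of adding to it. The sample mnemonic, the passphrases, and the helper names `bip39_seed`, `keyspace` and `weeks_to_exhaust` are constructed for illustration.

```python
import hashlib
import unicodedata

# Constructed sample: the public all-"abandon" test phrase. Never fund it.
SAMPLE_MNEMONIC = "abandon " * 11 + "about"


def _nfkd(text: str) -> bytes:
    """BIP39 normalises mnemonic and passphrase to NFKD before hashing."""
    return unicodedata.normalize("NFKD", text).encode("utf-8")


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39: seed = PBKDF2-HMAC-SHA512(mnemonic, "mnemonic" + passphrase, 2048)."""
    return hashlib.pbkdf2_hmac(
        "sha512", _nfkd(mnemonic), _nfkd("mnemonic" + passphrase), 2048, dklen=64
    )


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate strings of exactly `length` symbols."""
    return alphabet_size ** length


def weeks_to_exhaust(base_weeks: float, pin_symbols: int, pin_length: int) -> float:
    """Worst-case time when a PIN is appended to a secret that alone takes
    `base_weeks` to exhaust: the two keyspaces multiply, they do not add."""
    return base_weeks * keyspace(pin_symbols, pin_length)


if __name__ == "__main__":
    # Each passphrase selects an unrelated seed, hence an unrelated wallet.
    for pw in ("", "savings", "spending"):
        print(repr(pw), bip39_seed(SAMPLE_MNEMONIC, pw).hex()[:16])

    # A PIN used alone as the passphrase has a tiny keyspace.
    print("4-digit PIN, digits 1-9:", keyspace(9, 4))
    print("4-digit PIN, digits 0-9:", keyspace(10, 4))

    # A 1-week password with an 8-digit PIN (digits 1-9) appended.
    weeks = weeks_to_exhaust(1, 9, 8)
    print(f"{weeks:,.0f} weeks, about {weeks / 52:,.0f} years")
```

The 2048 PBKDF2 iterations add a fixed cost per guess, so the passphrase's own length and alphabet are what determine how long an offline search of a leaked seed would take.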

jiijj1
August 27, 2016, 01:40:50 PM

I have three Trezor devices which I bought at the same time, all three have 2 small marks on the top edge of device.
It looks like something that a tiny needle would do, I'm assuming this is the result of the manufacturing process when melting the plastic? The location of the marks is roughly pretty much the same on all three devices.
Not sure if I explain it correctly, but if someone else has a Trezor device they can probably confirm these 2 marks?

malevolent
August 28, 2016, 08:02:32 PM

Yup, got the same thing. Two small marks, one smaller than the other, on the top edge of the device. If the two marks were connected with a line, it would be perpendicular to the line which runs across the perimeter of the device.

jiijj1
August 29, 2016, 02:04:11 AM

> Yup, got the same thing. Two small marks, one smaller than the other, on the top edge of the device. If the two marks were connected with a line, it would be perpendicular to the line which runs across the perimeter of the device.

I guess this is the result of melting the plastic?

xbach
August 31, 2016, 03:46:23 PM

Anon136
August 31, 2016, 04:59:10 PM

This is silly. Why would you need another factor of authentication besides trezor?

NLNico
August 31, 2016, 05:12:04 PM

I am afraid Google, Dropbox, Github, etc aren't adding Trezor Connect just yet so seems like another great update to me.

BitcoinNewsMagazine
August 31, 2016, 06:32:34 PM

> I am afraid Google, Dropbox, Github, etc aren't adding Trezor Connect just yet so seems like another great update to me.

Since Ledger Nano S added FIDO I have been using it to authenticate with Google. Trezor says in their new blog post that after firmware update to 1.4.0 you should be able to use Trezor to authenticate with Google on Chrome. Not working for you?

Anon136
August 31, 2016, 06:42:05 PM

This company. Oh my god this company is so great. These guys could have just been fly by night hacks when they were taking bitcoin early on. But they turned out to be so very very legit. Thanks so much for everything. This latest update in particular is so exciting!
I actually bought 2 more trezors just because what the hey, I'll have a separate one for monero, a separate one for internet security, and a separate one for bitcoin. Really I probably bought 2 more just can't stop nerding out over this first one every single day, and there were 2 more colors I didn't have damn it!

NLNico
August 31, 2016, 06:50:26 PM

> I am afraid Google, Dropbox, Github, etc aren't adding Trezor Connect just yet so seems like another great update to me.

> Since Ledger Nano S added FIDO I have been using it to authenticate with Google. Trezor says in their new blog post that after firmware update to 1.4.0 you should be able to use Trezor to authenticate with Google on Chrome. Not working for you?

I was replying to Anon136, I read his message as: "why you need passwords + U2F... you could just use Trezor alone (like Trezor Connect)". So my answer is that U2F is a standard used by many sites and Trezor Connect not. So great firmware update. Did I misunderstand his post or something?

Anon136
August 31, 2016, 08:15:57 PM

Anon136
September 03, 2016, 03:14:50 AM

So I just got my 2 new trezors in today and I immediately noticed something. The tactile feel of the click on the buttons feels noticeably different. Not just a slight difference. They feel very different. On the old one the actuation is very muted and soft almost mushy with almost no "click" to it. On the new ones it's very clicky/snappy to the point where I can audibly hear the click if it's very quiet in my house.
Anyone else noticed this? Is it noted anywhere that satoshi labs changed some of their hardware manufacturers in newer production runs?

Carlton Banks
September 03, 2016, 08:42:47 AM

> Is it noted anywhere that satoshi labs changed some of their hardware manufacturers in newer production runs?

Well, it makes sense to use cheap switches on early production runs. I'd be surprised if any of the PCB layout needed any significant redesign to accommodate more expensive feeling switches. It may not even be a question of expense at all, and simply one of availability.

.m.
September 03, 2016, 02:52:35 PM

I believe they know what they are doing

sugarfly
September 11, 2016, 05:53:03 PM Last edit: September 22, 2016, 08:02:40 AM by sugarfly

Andreas Antonopoulos in his most recent Joe Rogan podcast appearance whips his TREZOR out of the pocket: https://youtu.be/1sOxtBiBpE4
"this little device over here…" It's at the 1:58:33 mark
-sf-