Bitcoin Forum
Topic: 2 paper wallets - same password. Still Secure? Also, how do you secure your BTC?
Chris! (OP)
December 08, 2015, 01:33:29 AM
 #1

Question 1.
Let's say I have paper wallet "X" and paper wallet "Y". I also have a wallet for spending: wallet "Z"

I want to transfer 0.01 bitcoins from "X" to "Z", spend 0.005 BTC, and from there send the leftover 0.005 BTC to "Y".

When I took the funds out of "X" I used the password "12345abcde" (which is BIP38 encrypted), and now that the 0.005 BTC are in "Y" the password (which is BIP38 encrypted as well) is also "12345abcde". If I had malware and/or a keylogger, are my funds at risk because the passwords are the same?

Question 2.

What ultra-paranoid method do you use to store large amounts of BTC? Why do you trust it and how is it 99.999% safe?

I'm just being ultra paranoid because when I started with Bitcoins I got hacked in under 24h. Mind you I was using the Blockchain.info android wallet so that was pretty newbie of me ;)

I know some people here: https://bitcointalk.org/index.php?topic=1013586.0 feel that paper wallets aren't actually as secure as they might seem. Just because you use an Ubuntu Live CD/USB doesn't mean if you had malware on your Windows system it won't also be able to infect the Ubuntu Live CD/USB.

This is very top-notch ultra-paranoid stuff and I'd love to hear your expert opinion on the subject!
EcuaMobi
December 08, 2015, 01:38:17 AM
 #2

> Question 1.
> Let's say I have paper wallet "X" and paper wallet "Y". I also have a wallet for spending: wallet "Z"
>
> I want to transfer 0.01 bitcoins from "X" to "Z", spend 0.005 BTC, and from there send the leftover 0.005 BTC to "Y".
>
> When I took the funds out of "X" I used the password "12345abcde" (which is BIP38 encrypted), and now that the 0.005 BTC are in "Y" the password (which is BIP38 encrypted as well) is also "12345abcde". If I had malware and/or a keylogger, are my funds at risk because the passwords are the same?

As long as you created the paper wallet Y correctly then it should be safe. The BIP38 encryption is just extra security. The main protection is the fact that it was generated randomly and it never touched the Internet. If the SW you used to create it was compromised or deficient, or if you exposed the keys to the Internet in any way, then of course you wouldn't be safe.

> Question 2.
>
> What ultra-paranoid method do you use to store large amounts of BTC? Why do you trust it and how is it 99.999% safe?

My paranoid method to store almost all of my BTC is using a deck of cards: https://bitcointalk.org/index.php?topic=811397.0
  • 100% offline
  • True physical randomness
  • Immune to key-loggers

Chris! (OP)
December 08, 2015, 02:17:40 AM
 #3


> As long as you created the paper wallet Y correctly then it should be safe. The BIP38 encryption is just extra security. The main protection is the fact that it was generated randomly and it never touched the Internet. If the SW you used to create it was compromised or deficient, or if you exposed the keys to the Internet in any way, then of course you wouldn't be safe.
>
> My paranoid method to store almost all of my BTC is using a deck of cards: https://bitcointalk.org/index.php?topic=811397.0
>   • 100% offline
>   • True physical randomness
>   • Immune to key-loggers

Thanks for your insight! I didn't think it would make sense that I could make 100 different paper wallets with the same password if it's a big security risk. I just wanted to make sure.

That looks like an interesting method. I'll have to read more about that app you've developed!
RealBitcoin
December 08, 2015, 02:29:40 AM
 #4

> Question 2.
>
> What ultra-paranoid method do you use to store large amounts of BTC? Why do you trust it and how is it 99.999% safe?
>
> I'm just being ultra paranoid because when I started with Bitcoins I got hacked in under 24h. Mind you I was using the Blockchain.info android wallet so that was pretty newbie of me ;)
>
> I know some people here: https://bitcointalk.org/index.php?topic=1013586.0 feel that paper wallets aren't actually as secure as they might seem. Just because you use an Ubuntu Live CD/USB doesn't mean if you had malware on your Windows system it won't also be able to infect the Ubuntu Live CD/USB.
>
> This is very top-notch ultra-paranoid stuff and I'd love to hear your expert opinion on the subject!


I wrote a guide about this
https://bitcointalk.org/index.php?topic=1263429.0

Probably in a bunker underground. Or throw the offline PC you generated the random number on into a black hole, that should be safe :D

DannyHamilton
December 08, 2015, 02:49:21 AM
 #5

If you truly want to be paranoid about it, you should probably have a separate computer that is NEVER connected to the internet.  Then use that offline computer for signing transactions (with keys from paper wallets or otherwise), and transport the signed transaction to an online computer for broadcast to the bitcoin network.

I think both the Armory and Electrum wallets make this possible. I'm not sure if any other wallets have implemented offline signing.

bitbaby
December 08, 2015, 03:18:56 AM
 #6

My ultra paranoid method is that I just use a different machine which stays off-line always for all my bitcoins cold storage, I use encrypted paper wallets and Electrum and keep my funds distributed among different paper wallets and Electrum addresses.

And the most important part is keeping various back-ups of paper wallets and a backup of Electrum seed in a way that only I can decipher it. And also making sure that the Paper wallets are safe from any sort of damage and degradation.

ranochigo
December 08, 2015, 03:24:33 AM
 #7


>> As long as you created the paper wallet Y correctly then it should be safe. The BIP38 encryption is just extra security. The main protection is the fact that it was generated randomly and it never touched the Internet. If the SW you used to create it was compromised or deficient, or if you exposed the keys to the Internet in any way, then of course you wouldn't be safe.
>>
>> My paranoid method to store almost all of my BTC is using a deck of cards: https://bitcointalk.org/index.php?topic=811397.0
>>   • 100% offline
>>   • True physical randomness
>>   • Immune to key-loggers
>
> Thanks for your insight! I didn't think it would make sense that I could make 100 different paper wallets with the same password if it's a big security risk. I just wanted to make sure.
>
> That looks like an interesting method. I'll have to read more about that app you've developed!

It can be a security risk if someone has access to your paper wallets physically or if you used them all on the same device for signing and broadcasting the TX. To use the funds in the address, the attacker requires an encrypted version of your private key and your password.

Kprawn
December 08, 2015, 05:49:09 AM
 #8

If I may ask, why would you want to use the same pass phrase for the BIP38 encrypted paper wallets? I write the pass phrase in a format only I know, on the back of these paper wallets, and each of them is different. The formatting allows me to have the password in plain sight, but still not recognisable.

The whole idea with this is to make it difficult for other people to guess your pass phrase. Do you use the same password for every site you register on the internet? Not a good practice at all. ::)

NorrisK
December 08, 2015, 07:12:18 AM
 #9

The password only comes into play when a hacker steals your actual wallet.dat file. If they somehow got their hands on your private key (which is protected by the password in your wallet.dat file) some other way, your password does not matter anymore, as they have the private key.

Offline machine, random generation of a string of words, one-way USB (hardware wallets), is probably the best way to protect your wallets.
Amph
December 08, 2015, 08:38:15 AM
 #10

Ultra paranoid method would definitely be some online method, but for me I would simply go this route:

buying a completely new motherboard and SSD, install my safe OS copy, maybe Linux if you do not own a secure version of W7 (one that you bought...)

and make a backup from there
calkob
December 08, 2015, 09:55:40 AM
 #11

> Question 1.
> Let's say I have paper wallet "X" and paper wallet "Y". I also have a wallet for spending: wallet "Z"
>
> I want to transfer 0.01 bitcoins from "X" to "Z", spend 0.005 BTC, and from there send the leftover 0.005 BTC to "Y".
>
> When I took the funds out of "X" I used the password "12345abcde" (which is BIP38 encrypted), and now that the 0.005 BTC are in "Y" the password (which is BIP38 encrypted as well) is also "12345abcde". If I had malware and/or a keylogger, are my funds at risk because the passwords are the same?
>
> Question 2.
>
> What ultra-paranoid method do you use to store large amounts of BTC? Why do you trust it and how is it 99.999% safe?
>
> I'm just being ultra paranoid because when I started with Bitcoins I got hacked in under 24h. Mind you I was using the Blockchain.info android wallet so that was pretty newbie of me ;)
>
> I know some people here: https://bitcointalk.org/index.php?topic=1013586.0 feel that paper wallets aren't actually as secure as they might seem. Just because you use an Ubuntu Live CD/USB doesn't mean if you had malware on your Windows system it won't also be able to infect the Ubuntu Live CD/USB.
>
> This is very top-notch ultra-paranoid stuff and I'd love to hear your expert opinion on the subject!


I would say "yes" to question 1. If an attacker knows about address Y then I'm sure they would try the password that they have captured with their keylogger or screen grab.

In regards to question 2, I created addresses and keys offline and store them on a USB which has never been online and backed up on paper wallets, which I watch only on blockchain.info.
gkv9
December 08, 2015, 11:43:08 AM
 #12

You can have as many paper wallets as you have addresses in one single wallet in any software or online...
So, you can even choose to just cut out your coins into small pieces, distribute them in many paper wallets and save them at a safe place... :)

cellard
December 08, 2015, 02:57:28 PM
 #13

> - Even with your computer in safe condition, it'll be better if you changed your password periodically or at least had a different password for each
>
> My ultra paranoid method to save my btc:
> - using offline wallet
> - scanning PC with antivirus every 3 days to prevent being keylogged
> - using anti-keylogger software to prevent being keylogged
> - the software that I mentioned above must be premium/pro; don't try to use cracked software
> - don't install cracked software

What anti-keylogger software are you using? I have Malwarebytes Anti-Malware Premium and Comodo as firewall; what else would I need to be safe? I'm considering installing MSI (Microsoft Security Essentials); I heard it was a decent antivirus and it's free. Ideally I would use a Linux machine, but a lot of software I need to use is Windows-only.
ranochigo
December 08, 2015, 03:07:32 PM
 #14

>> - Even with your computer in safe condition, it'll be better if you changed your password periodically or at least had a different password for each
>>
>> My ultra paranoid method to save my btc:
>> - using offline wallet
>> - scanning PC with antivirus every 3 days to prevent being keylogged
>> - using anti-keylogger software to prevent being keylogged
>> - the software that I mentioned above must be premium/pro; don't try to use cracked software
>> - don't install cracked software
>
> What anti-keylogger software are you using? I have Malwarebytes Anti-Malware Premium and Comodo as firewall; what else would I need to be safe? I'm considering installing MSI (Microsoft Security Essentials); I heard it was a decent antivirus and it's free. Ideally I would use a Linux machine, but a lot of software I need to use is Windows-only.

Zemana AntiLogger. Used to have it, don't know how effective it was because I never had any keylogger.

Microsoft Security Essentials isn't the best. IMO, Malwarebytes does a very good job. The main thing to keep safe is to just avoid downloading suspicious programs. Till now, I haven't got hacked before.

Patatas
December 08, 2015, 03:11:36 PM
 #15

First of all, the passwords don't really matter as much as the private keys. You could have the same passwords for multiple accounts as far as you remember them. Secondly, it's not advised to use the same password for multiple wallets, as if one of your wallets is somehow hacked, it opens the doors for every other wallet.

As far as storing your bitcoins is concerned, I personally use hardware cases to store my bitcoins as cold storage. Here are a few hardcore wallets you can use. I use Trezor.

https://www.bitcointrezor.com/

Case is new and I like it too
https://choosecase.com/
ThunderThomas
December 08, 2015, 03:43:58 PM
 #16

I think that paper wallet is secure, but you need to save it somewhere safe.
And be careful with water and fire.

Mickeyb
December 09, 2015, 07:46:44 AM
 #17

>>> - Even with your computer in safe condition, it'll be better if you changed your password periodically or at least had a different password for each
>>>
>>> My ultra paranoid method to save my btc:
>>> - using offline wallet
>>> - scanning PC with antivirus every 3 days to prevent being keylogged
>>> - using anti-keylogger software to prevent being keylogged
>>> - the software that I mentioned above must be premium/pro; don't try to use cracked software
>>> - don't install cracked software
>>
>> What anti-keylogger software are you using? I have Malwarebytes Anti-Malware Premium and Comodo as firewall; what else would I need to be safe? I'm considering installing MSI (Microsoft Security Essentials); I heard it was a decent antivirus and it's free. Ideally I would use a Linux machine, but a lot of software I need to use is Windows-only.
>
> Zemana AntiLogger. Used to have it, don't know how effective it was because I never had any keylogger.
>
> Microsoft Security Essentials isn't the best. IMO, Malwarebytes does a very good job. The main thing to keep safe is to just avoid downloading suspicious programs. Till now, I haven't got hacked before.

I used Zemana for quite a while and it seemed that it worked fine for me, at least I never caught any keyloggers. Now this doesn't mean anything of course, I might have just been lucky.

All of the above programs don't matter that much for the paper wallets, since the paper wallets if done properly, should be created and printed on a machine that has never been online.
Chris! (OP)
December 09, 2015, 11:39:22 PM
 #18

The reason I was asking is because I made some paper wallets with an Ubuntu Live USB and not connected to the Internet. I made 3 wallets but now I realised I only made 1 password so all 3 must have the same password. I wouldn't want to punch/scan the private key to spend the funds, put in the password only to end up having a keylogger!

I think it's a very smart idea to have a machine completely offline but for the time being I'll be using paper wallets. Mainly for the price.

If I were to have a computer offline how would I send funds back and forth to it though? Don't you need data to actually do a transaction? I'm a little confused about that. Could I just somehow use an old computer and a USB?
TERA
December 09, 2015, 11:53:41 PM
 #19

2.

- generate very long random seed and write it down using pen and paper
- hash the seed with one or more mental passwords to form your private key
- compute wallet address from private key and put it wherever you want
- put away the paper in a safe place
- destroy all evidence of the private key and the computations
- do this all offline in Tails. Restart when you are done

- go online and send 0.01 BTC to the wallet address to make sure it works
- send the rest

- when ready to take coins OUT of cold storage, find the paper and hash it with your mental passwords to form the private key again and import that into a secure wallet, or sign transactions offline.
ranochigo
December 10, 2015, 03:18:34 AM
 #20

> -snip-
> If I were to have a computer offline how would I send funds back and forth to it though? Don't you need data to actually do a transaction? I'm a little confused about that. Could I just somehow use an old computer and a USB?

For paper wallets, if possible, I would actually recommend getting a spare and clean phone that has a CyanogenMod ROM on it. CyanogenMod is open source and hence it is easy to look through for any possible exploits placed in deliberately.

You can generate a raw TX on the online computer and sign it with the private key on the offline computer, then broadcast it on the network. You would require two computers, one offline and one online. This way, your private key is never directly exposed to the internet. The online computer can be used to script a raw transaction to be transferred to the offline computer to be signed with the private key. A Raspberry Pi would work fine.

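
A check the offline machine can run before signing in the two-computer workflow described in the posts above, as an added example (not code from any poster or wallet): it decodes the unsigned raw transaction carried over from the online computer and compares destinations, amounts and fee with what the operator intends. The transaction bytes, the two hash160 values and the function names are constructed for illustration; only legacy P2PKH outputs are handled, and the input value is supplied by the operator because a legacy raw transaction does not carry it.

```python
# Constructed sample: unsigned legacy transaction, one input, two P2PKH outputs.
PAY_TO = "11" * 20      # constructed hash160 of the payee's address
WALLET_Y = "22" * 20    # constructed hash160 of paper wallet "Y" (change)
RAW_TX = (
    "01000000" "01" + "aa" * 32 + "00000000" "00" "ffffffff" "02"
    "20a1070000000000" "1976a914" + PAY_TO + "88ac"      # 500,000 sat
    "107a070000000000" "1976a914" + WALLET_Y + "88ac"    # 490,000 sat
    "00000000"
)

def read_varint(buf, pos):
    """Bitcoin CompactSize integer; returns (value, next position)."""
    first = buf[pos]
    if first < 0xfd:
        return first, pos + 1
    size = {0xfd: 2, 0xfe: 4, 0xff: 8}[first]
    return int.from_bytes(buf[pos + 1:pos + 1 + size], "little"), pos + 1 + size

def parse_unsigned_tx(raw_hex):
    """Return ([scriptSig, ...], [(value_sat, scriptPubKey), ...])."""
    buf = bytes.fromhex(raw_hex)
    n_in, pos = read_varint(buf, 4)              # skip 4-byte version
    if n_in == 0:
        raise ValueError("no inputs or segwit marker: not handled by this sketch")
    script_sigs, outputs = [], []
    for _ in range(n_in):
        slen, pos = read_varint(buf, pos + 36)   # skip prev txid + output index
        script_sigs.append(buf[pos:pos + slen])
        pos += slen + 4                          # skip scriptSig + sequence
    n_out, pos = read_varint(buf, pos)
    for _ in range(n_out):
        value = int.from_bytes(buf[pos:pos + 8], "little")
        slen, pos = read_varint(buf, pos + 8)
        outputs.append((value, buf[pos:pos + slen]))
        pos += slen
    if pos + 4 != len(buf):                      # only the locktime may remain
        raise ValueError("truncated or trailing data")
    return script_sigs, outputs

def p2pkh_hash(script):
    """hash160 hex if script is OP_DUP OP_HASH160 <20> OP_EQUALVERIFY OP_CHECKSIG."""
    if len(script) == 25 and script[:3] == b"\x76\xa9\x14" and script[23:] == b"\x88\xac":
        return script[3:23].hex()
    return None

def review(raw_hex, input_value_sat, expected, max_fee_sat):
    """Reasons not to sign; an empty list means the tx matches what the operator intends."""
    script_sigs, outputs = parse_unsigned_tx(raw_hex)
    problems, seen = [], {}
    if any(script_sigs):
        problems.append("an input already carries a scriptSig")
    for value, script in outputs:
        dest = p2pkh_hash(script)
        if dest in expected:
            seen[dest] = seen.get(dest, 0) + value
        else:
            problems.append(f"unexpected destination {dest or script.hex()} gets {value} sat")
    for dest, value in expected.items():
        if seen.get(dest, 0) != value:
            problems.append(f"{dest}: expected {value} sat, found {seen.get(dest, 0)}")
    fee = input_value_sat - sum(value for value, _ in outputs)
    if not 0 <= fee <= max_fee_sat:
        problems.append(f"fee of {fee} sat is outside 0..{max_fee_sat}")
    return problems
```

Calling `review(RAW_TX, 1_000_000, {PAY_TO: 500_000, WALLET_Y: 490_000}, 20_000)` returns an empty list; swapping the change destination on the online side, or understating the input value, produces entries that should stop the signing step.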