Bitcoin Forum
Author Topic: Time to upgrade your security  (Read 3250 times)
wormbog
Hero Member
Activity: 561
Merit: 500
January 24, 2013, 12:54:43 AM
 #21

Quote
6. make a few copies of your address list. secure at least one copy in your home safe, safety deposit box, etc. I've got a copy behind a family photo in my office... not a compelling target for a thief.

Quote
If you keep unencrypted paper copies of your private keys you should not write Bitcoin in bold on it. This is just security by obscurity but for 98% of people this is just a random string of numbers.

Agreed, and even better: add a few extra random characters at the beginning or end of the key.
foo
Sr. Member
Activity: 409
Merit: 250
January 24, 2013, 03:41:56 AM
 #22

Quote
A keylogger is the single biggest side-channel attack and is hard to totally avoid. It is time for the Bitcoin client to utilize two-factor authentication, and the second factor should be a one-time password (time-based, like an RSA token or Google Authenticator).

That won't work. One-time passwords (OTP) are based on a shared secret. (Both the web site you are logging in to and your token use the same PRNG seed.) If you use it for a Bitcoin wallet, then the secret has to be stored in the wallet itself, which doesn't provide any extra security.

I know this because Tyler knows this.
jl2012
Legendary
Activity: 1792
Merit: 1093
January 24, 2013, 03:49:55 AM
 #23

Quote
6. make a few copies of your address list. secure at least one copy in your home safe, safety deposit box, etc. I've got a copy behind a family photo in my office... not a compelling target for a thief.

Now it is

Donation address: 374iXxS4BuqFHsEwwxUuH3nvJ69Y7Hqur3 (Bitcoin ONLY)
LRDGENPLYrcTRssGoZrsCT1hngaH3BVkM4 (LTC)
PGP: D3CC 1772 8600 5BB8 FF67 3294 C524 2A1A B393 6517
Jutarul
Donator
Legendary
Activity: 994
Merit: 1000
January 24, 2013, 04:41:21 AM
 #24

Also worth learning:
http://en.wikipedia.org/wiki/Principle_of_least_privilege

I applied it to software.
One user account = one cryptocurrency, one set of trusted software

Be wary of malicious clients, and only do revised upgrades.

The ASICMINER Project https://bitcointalk.org/index.php?topic=99497.0
"The way you solve things is by making it politically profitable for the wrong people to do the right thing.", Milton Friedman
marcus_of_augustus
Legendary
Activity: 3920
Merit: 2348
Eadem mutata resurgo
January 24, 2013, 08:23:16 AM
 #25



Upgrade complete.

Fiyasko
Legendary
Activity: 1428
Merit: 1001
Okey Dokey Lokey
January 24, 2013, 01:21:57 PM
 #26

PAAAAAPPPEEERRR WAAAALLLEEEETTTTTSSS PRRRIIINNNTTTEEEDDDD WWIIITTTHHH AAA CCYYYPPHHHEEERRR KKEEYYYYY

http://bitcoin-otc.com/viewratingdetail.php?nick=DingoRabiit&sign=ANY&type=RECV <-My Ratings
https://bitcointalk.org/index.php?topic=857670.0 GAWminers and associated things are not to be trusted, Especially the "mineral" exchange
twolifeinexile
Full Member
Activity: 154
Merit: 100
January 24, 2013, 01:53:12 PM
 #27

Quote
A keylogger is the single biggest side-channel attack and is hard to totally avoid. It is time for the Bitcoin client to utilize two-factor authentication, and the second factor should be a one-time password (time-based, like an RSA token or Google Authenticator).

Quote
That won't work. One-time passwords (OTP) are based on a shared secret. (Both the web site you are logging in to and your token use the same PRNG seed.) If you use it for a Bitcoin wallet, then the secret has to be stored in the wallet itself, which doesn't provide any extra security.

The first step to stealing is to get privileges that let them read your file on the server. For that step, they usually use an exploit, and that is usually done on the client side (a Windows machine running PuTTY, logging in to a Linux server), keylogging and reading files from your client. So your password to the server will be stolen, but with a one-time password it is of no use: they still could not log on, so there is no way to get privileges.

If they are attacking the server directly, that is another story, and I believe in sshd much, much more than any Windows software. It has been tested and attacked for so many years and has gotten to know how to handle these things better than the client side (be it Firefox, Chrome, Java, whatever it is).

Jan
Legendary
Activity: 1043
Merit: 1002
January 24, 2013, 06:57:44 PM
 #28

Quote
But why not make today the day you back up your wallet and clean out any scraps of old wallets. Or change your password from "god" to something robust.

This!
I heard of an incident yesterday where someone got a phone replacement and forgot that he had BTC in BitcoinSpinner on it. BitcoinSpinner warns you that you should make a backup as soon as you have coins on it. Come on folks, it is not that hard. 3 clicks and take a picture.

Mycelium lets you hold your private keys private.
niko
Hero Member
Activity: 756
Merit: 501
There is more to Bitcoin than bitcoins.
January 24, 2013, 07:49:02 PM
 #29

Quote
6. make a few copies of your address list. secure at least one copy in your home safe, safety deposit box, etc. I've got a copy behind a family photo in my office... not a compelling target for a thief.

Quote
If you keep unencrypted paper copies of your private keys you should not write Bitcoin in bold on it. This is just security by obscurity but for 98% of people this is just a random string of numbers.

Quote
Agreed, and even better: add a few extra random characters at the beginning or end of the key.

Excellent points. However, if your savings are in any way significant, make sure to provide a way for your beneficiaries or estate to identify and control your offline wallet.

They're there, in their room.
Your mining rig is on fire, yet you're very calm.
RodeoX (OP)
Legendary
Activity: 3066
Merit: 1145
The revolution will be monetized!
January 25, 2013, 02:41:38 PM
 #30

Another thing to consider in your security regime is silence. If you are using cloud storage for a wallet, for example, don't mention that online. Or don't say "my coins are safe because I put them on a flash drive and buried it in my back yard." Shhh.

The gospel according to Satoshi - https://bitcoin.org/bitcoin.pdf
Free bitcoin in ? - Stay tuned for this years Bitcoin hunt!
Carlton Banks
Legendary
Activity: 3430
Merit: 3071
January 25, 2013, 03:14:13 PM
 #31

brain wallet mnemonic, etched into a ceramic block with 3D printer and stored in a safe FTW!

Vires in numeris
cypherdoc
Legendary
Activity: 1764
Merit: 1002
January 25, 2013, 04:51:18 PM
 #32



Quote
Upgrade complete.

how do you handle small letters?
superbit
Hero Member
Activity: 763
Merit: 500
January 25, 2013, 05:26:57 PM
 #33

Kind of new to armory, but it seems to allow offline and encryption.  Would it be possible for them to include google authenticator?

https://bitfinex.com/?refcode=UInJLQ5KpA <-- leveraged trading of BTCUSD, LTCUSD and LTCBTC (long and short) - 10% discount on fees for the first 30 days with the refcode
My feedback thread: Forum thread
prezbo
Sr. Member
Activity: 430
Merit: 250
January 25, 2013, 05:52:32 PM
 #34

Quote
Kind of new to armory, but it seems to allow offline and encryption.  Would it be possible for them to include google authenticator?

A bitcoin client is not something that can be protected by google authenticator. Hopefully multisig transactions will become more user friendly in the near future - I believe that is something etotheipi is working towards.
twolifeinexile
Full Member
Activity: 154
Merit: 100
January 25, 2013, 06:15:09 PM
 #35

Quote
Kind of new to armory, but it seems to allow offline and encryption.  Would it be possible for them to include google authenticator?

Quote
A bitcoin client is not something that can be protected by google authenticator. Hopefully multisig transactions will become more user friendly in the near future - I believe that is something etotheipi is working towards.

Google Authenticator's main use is against keyloggers that get your password in order to get privileged rights on your computer from an unsecured client. Once they get access to the privileged rights, it is no longer relevant.
wormbog
Hero Member
Activity: 561
Merit: 500
January 25, 2013, 06:33:17 PM
 #36

Quote
6. make a few copies of your address list. secure at least one copy in your home safe, safety deposit box, etc. I've got a copy behind a family photo in my office... not a compelling target for a thief.

Quote
Now it is

Ominous.

Now a thief only has to identify me, defeat my home security systems, subdue the dogs, and hope I wasn't lying about the secret location of the private keys to grab them. Oh, and hope I own enough bitcoins to make the effort worthwhile. (psst... I don't!)

The only thing better than security through obscurity is security through poverty.
nobbynobbynoob
Hero Member
Activity: 784
Merit: 1000
Annuit cœptis humanae libertas
January 25, 2013, 06:48:21 PM
 #37

bitcointip wormbog +BTC0,01

A bit less poverty now.

Earn Free Bitcoins!   Earn bitcoin via BitcoinGet
BTC tip: 1PKkvuwC24Vqjv9odigXs1QVzE66jEJqmb (if <200 µBTC, please donate to charity)
LTC tip: LRqXaNdF79QHvhPpS5AZdEJZnLiNnAkJvq (if <Ł0,05, please donate to charity)
superbit
Hero Member
Activity: 763
Merit: 500
January 25, 2013, 09:03:37 PM
 #38

Quote
Kind of new to armory, but it seems to allow offline and encryption.  Would it be possible for them to include google authenticator?

Quote
A bitcoin client is not something that can be protected by google authenticator. Hopefully multisig transactions will become more user friendly in the near future - I believe that is something etotheipi is working towards.

Quote
Google Authenticator's main use is against keyloggers that get your password in order to get privileged rights on your computer from an unsecured client. Once they get access to the privileged rights, it is no longer relevant.

Does it not have the ability to encrypt your wallet?  Could it not require a password and Google Authenticator to decrypt it?

https://bitfinex.com/?refcode=UInJLQ5KpA <-- leveraged trading of BTCUSD, LTCUSD and LTCBTC (long and short) - 10% discount on fees for the first 30 days with the refcode
My feedback thread: Forum thread
prezbo
Sr. Member
Activity: 430
Merit: 250
January 25, 2013, 10:07:26 PM
 #39

Quote
Kind of new to armory, but it seems to allow offline and encryption.  Would it be possible for them to include google authenticator?

Quote
A bitcoin client is not something that can be protected by google authenticator. Hopefully multisig transactions will become more user friendly in the near future - I believe that is something etotheipi is working towards.

Quote
Google Authenticator's main use is against keyloggers that get your password in order to get privileged rights on your computer from an unsecured client. Once they get access to the privileged rights, it is no longer relevant.

Quote
Does it not have the ability to encrypt your wallet?  Could it not require a password and Google Authenticator to decrypt it?

No. Once it's encrypted, the only way to re-encrypt it is to decrypt it first. Since google auth tokens change over time, you can see the problem here.

Google auth will protect from someone else logging in under your name, for example to mtgox, but if mtgox itself gets hacked google auth won't protect your coins anymore, that's why it can't really be of any use in a bitcoin client.
twolifeinexile
Full Member
Activity: 154
Merit: 100
January 25, 2013, 10:20:23 PM
 #40

Quote
Kind of new to armory, but it seems to allow offline and encryption.  Would it be possible for them to include google authenticator?

Quote
A bitcoin client is not something that can be protected by google authenticator. Hopefully multisig transactions will become more user friendly in the near future - I believe that is something etotheipi is working towards.

Quote
Google Authenticator's main use is against keyloggers that get your password in order to get privileged rights on your computer from an unsecured client. Once they get access to the privileged rights, it is no longer relevant.

Quote
Does it not have the ability to encrypt your wallet?  Could it not require a password and Google Authenticator to decrypt it?

Quote
No. Once it's encrypted, the only way to re-encrypt it is to decrypt it first. Since google auth tokens change over time, you can see the problem here.

Google auth will protect from someone else logging in under your name, for example to mtgox, but if mtgox itself gets hacked google auth won't protect your coins anymore, that's why it can't really be of any use in a bitcoin client.

Server-side security is not something Google Authenticator could help with, I guess, but it protects you from getting your password hacked, and then all is f*ked.