Bitcoin Forum
November 24, 2017, 11:49:53 AM *
News: Latest stable version of Bitcoin Core: 0.15.1  [Torrent].
 
   Home   Help Search Donate Login Register  
Pages: [1] 2 »  All
  Print  
Author Topic: Security concerns of Bitcoin-QT with encrypted wallet?  (Read 4482 times)
SgtSpike
Legendary
*
Offline Offline

Activity: 1358



View Profile
February 05, 2013, 05:56:17 PM
 #1

I have Bitcoin-QT with some coins in it, encrypted with a decently-lengthy password (11 chars).  From what I understand, a trojan built to steal my Bitcoins would have to have both a keylogger (to get the wallet password) and a file-grabber (to grab the wallet.dat).  How likely is this to happen, and has anyone ever seen such a trojan in the wild?

I know security through obscurity is generally looked down upon around here, but is there a way to point Bitcoin-QT to a wallet file that isn't named "wallet.dat"?  How?

Are there any other possible vectors of attack on an encrypted QT wallet?

Is there anything else I should be doing to better secure my wallet?
1511524193
Hero Member
*
Offline Offline

Posts: 1511524193

View Profile Personal Message (Offline)

Ignore
1511524193
Reply with quote  #2

1511524193
Report to moderator
Join ICO Now A blockchain platform for effective freelancing
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1511524193
Hero Member
*
Offline Offline

Posts: 1511524193

View Profile Personal Message (Offline)

Ignore
1511524193
Reply with quote  #2

1511524193
Report to moderator
casascius
Mike Caldwell
VIP
Legendary
*
Offline Offline

Activity: 1358


The Casascius 1oz 10BTC Silver Round (w/ Gold B)


View Profile WWW
February 05, 2013, 06:00:39 PM
 #2

Is there anything else I should be doing to better secure my wallet?

Keeping your bitcoins on securely produced paper wallets and only importing the ones you immediately intend to spend.

100% effective.  Second only to total abstinence from bitcoin.  You can never lose more BTC than you have online at any given time.

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper or hardware wallets instead.
SgtSpike
Legendary
*
Offline Offline

Activity: 1358



View Profile
February 05, 2013, 06:51:37 PM
 #3

Is there anything else I should be doing to better secure my wallet?

Keeping your bitcoins on securely produced paper wallets and only importing the ones you immediately intend to spend.

100% effective.  Second only to total abstinence from bitcoin.  You can never lose more BTC than you have online at any given time.
I would, but I am afraid of fire or forgetfulness wiping out my Bitcoin savings in such a case.
CurbsideProphet
Hero Member
*****
Offline Offline

Activity: 672


View Profile
February 05, 2013, 06:58:05 PM
 #4

Is there anything else I should be doing to better secure my wallet?

Keeping your bitcoins on securely produced paper wallets and only importing the ones you immediately intend to spend.

100% effective.  Second only to total abstinence from bitcoin.  You can never lose more BTC than you have online at any given time.
I would, but I am afraid of fire or forgetfulness wiping out my Bitcoin savings in such a case.

You could always make multiple copies and keep it in separate places (safety deposit box, home safe, etc.).  Cypherdoc (at the suggestion of someone else whose name escapes me) had a good suggestion of creating a paper wallet, covering it with construction paper, then laminating it.  It will not protect you from theft or fire obviously, but it does offer a greater deal of protection than just a piece of paper.

1ProphetnvP8ju2SxxRvVvyzCtTXDgLPJV
DannyHamilton
Legendary
*
Offline Offline

Activity: 1988



View Profile
February 05, 2013, 07:01:37 PM
 #5

I would, but I am afraid of fire or forgetfulness wiping out my Bitcoin savings in such a case.
Your plan to keep your private keys in a an encrypted form in a wallet.dat file (even if you find a way to rename it) isn't any safer from fire or forgetfulness than that piece of paper.

casascius
Mike Caldwell
VIP
Legendary
*
Offline Offline

Activity: 1358


The Casascius 1oz 10BTC Silver Round (w/ Gold B)


View Profile WWW
February 05, 2013, 07:16:08 PM
 #6

Is there anything else I should be doing to better secure my wallet?

Keeping your bitcoins on securely produced paper wallets and only importing the ones you immediately intend to spend.

100% effective.  Second only to total abstinence from bitcoin.  You can never lose more BTC than you have online at any given time.
I would, but I am afraid of fire or forgetfulness wiping out my Bitcoin savings in such a case.

For this I came up with encrypted paper wallets.

Put two copies in two safe places. Keep the encryption pass phrase in two or three safe places, one of which is your brain.

The encryption opens up so many options. Safes, spouses, safety deposit boxes, attorneys, family members.

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper or hardware wallets instead.
niko
Hero Member
*****
Offline Offline

Activity: 742


There is more to Bitcoin than bitcoins.


View Profile
February 05, 2013, 07:27:11 PM
 #7

I am happy with paper wallets. Fold it, with a piece of aluminum foil inserted, to protect the private key from prying eyes, and laminate. Two copies in two different, secure locations.

Casascius' encrypted keys work even better then alu foil, and offer additional possibilities - but I will wait for some additional scrutiny before I embrace them.

They're there, in their room.
Your mining rig is on fire, yet you're very calm.
Littleshop
Legendary
*
Offline Offline

Activity: 1316



View Profile WWW
February 05, 2013, 08:10:27 PM
 #8

Keep a small amount on a machine as a security test.  If it goes you have a problem.


SgtSpike
Legendary
*
Offline Offline

Activity: 1358



View Profile
February 05, 2013, 08:18:16 PM
 #9

I would, but I am afraid of fire or forgetfulness wiping out my Bitcoin savings in such a case.
Your plan to keep your private keys in a an encrypted form in a wallet.dat file (even if you find a way to rename it) isn't any safer from fire or forgetfulness than that piece of paper.
Yes it is... I could store it in my gmail or something, then access it no matter where a fire is (unless said fire is at Google, but I still have my local backup in such a case).

Is there anything else I should be doing to better secure my wallet?

Keeping your bitcoins on securely produced paper wallets and only importing the ones you immediately intend to spend.

100% effective.  Second only to total abstinence from bitcoin.  You can never lose more BTC than you have online at any given time.
I would, but I am afraid of fire or forgetfulness wiping out my Bitcoin savings in such a case.

For this I came up with encrypted paper wallets.

Put two copies in two safe places. Keep the encryption pass phrase in two or three safe places, one of which is your brain.

The encryption opens up so many options. Safes, spouses, safety deposit boxes, attorneys, family members.
I suppose distributing them does make it easier... would it be any better than distributing an encrypted wallet.dat various places?  Why?

Keep a small amount on a machine as a security test.  If it goes you have a problem.
And if it doesn't go?  What happens when the problem comes later down the line?

I've always held less than 100 BTC (with one exception where I held ~500 BTC for a couple of days), and I've held it for almost 2 years on the same machine.  It's been safe so far, but that doesn't necessarily indicate safety for the future.
SgtSpike
Legendary
*
Offline Offline

Activity: 1358



View Profile
February 05, 2013, 08:19:03 PM
 #10

I'd like to bring this thread back to the QT client specifically, rather than focusing on paper wallets.  I understand paper wallets have their merits, I would just like to better understand the risks of the QT client and how those risks can be mitigated.
nobbynobbynoob
Hero Member
*****
Offline Offline

Activity: 756


Annuit cœptis humanae libertas


View Profile WWW
February 05, 2013, 08:25:46 PM
 #11

Decent anti-virus/anti-malware software; don't download random unknown/untested stuff.

Earn Free Bitcoins!   Earn bitcoin via BitcoinGet
BTC tip: 1PKkvuwC24Vqjv9odigXs1QVzE66jEJqmb (if <200 µBTC, please donate to charity)
LTC tip: LRqXaNdF79QHvhPpS5AZdEJZnLiNnAkJvq (if <Ł0,05, please donate to charity)
DannyHamilton
Legendary
*
Offline Offline

Activity: 1988



View Profile
February 05, 2013, 08:29:35 PM
 #12

I'd like to bring this thread back to the QT client specifically, rather than focusing on paper wallets.  I understand paper wallets have their merits, I would just like to better understand the risks of the QT client and how those risks can be mitigated.
Assuming that you don't have any old unencrypted copies of the wallet.dat sitting around anywhere, it sounds like you already understand it pretty well.  To steal/spend your bitcoins a potential thief would need both the encrypted private keys from your wallet.dat file and your password.  Electronically this can be done with a key logger.  I suppose it would also be possible to install a hidden camera that would record your keyboard to get the password.  Someone with that sort of access to your computer would probably be able to physically access your wallet.dat as well.  Same thing with looking over your shoulder while you type your password.

If we are talking really high tech, I suppose it might be possible to remotely record the sound of you tapping on the keyboard (laser picking up sound vibrations from your window?).  Using the rhythm, volume, and timing of your keystrokes, perhaps it would be possible to reduce the number of possible combinations to something that could be brute-forced?  If we want to think of this like a spy movie, I suppose someone could sneak in and clean all fingerprints off your keyboard just before you enter the room to send some bitcoins somewhere.  Then as soon as you leave they can identify which keys you hit by looking at the fingerprints?  A gun to your head might do the trick as well.

SgtSpike
Legendary
*
Offline Offline

Activity: 1358



View Profile
February 05, 2013, 08:36:06 PM
 #13

I'd like to bring this thread back to the QT client specifically, rather than focusing on paper wallets.  I understand paper wallets have their merits, I would just like to better understand the risks of the QT client and how those risks can be mitigated.
Assuming that you don't have any old unencrypted copies of the wallet.dat sitting around anywhere, it sounds like you already understand it pretty well.  To steal/spend your bitcoins a potential thief would need both the encrypted private keys from your wallet.dat file and your password.  Electronically this can be done with a key logger.  I suppose it would also be possible to install a hidden camera that would record your keyboard to get the password.  Someone with that sort of access to your computer would probably be able to physically access your wallet.dat as well.  Same thing with looking over your shoulder while you type your password.

If we are talking really high tech, I suppose it might be possible to remotely record the sound of you tapping on the keyboard (laser picking up sound vibrations from your window?).  Using the rhythm, volume, and timing of your keystrokes, perhaps it would be possible to reduce the number of possible combinations to something that could be brute-forced?  If we want to think of this like a spy movie, I suppose someone could sneak in and clean all fingerprints off your keyboard just before you enter the room to send some bitcoins somewhere.  Then as soon as you leave they can identify which keys you hit by looking at the fingerprints?  A gun to your head might do the trick as well.
Thanks for the confirmation.

I'm not too worried about someone physically surveying me, but you never know.  If that's the case, I probably have much larger problems than my meager BTC holdings.  Wink

How is the encryption?  Are we talking 100's of universes of time to crack an 11-digit PW, or should I go with something even longer?
Akka
Legendary
*
Offline Offline

Activity: 1162



View Profile
February 05, 2013, 08:41:27 PM
 #14

Type in the last five or so chars of you pass phrase with the on-screen keyboard, complicated put key logger proof  Grin (at least as far as I know)

All previous versions of currency will no longer be supported as of this update
DannyHamilton
Legendary
*
Offline Offline

Activity: 1988



View Profile
February 05, 2013, 09:13:22 PM
 #15

How is the encryption?  Are we talking 100's of universes of time to crack an 11-digit PW, or should I go with something even longer?
I wouldn't be worried about the encryption being cracked.  I'd be far more concerned with creating a password that won't be cracked.  If your eleven digit password is 11111111111, I'd expect it to get cracked.  If you use an eleven character password , but only use lowercase characters (such as "mysecurepwd"), I'd still expect it to be cracked.  Add in some numbers and symbols, and now you are improving your chances of having a secure password.  If you really want it secure, use a completely random set of capital letter, lowercase letters, numbers, symbols/punctuation, and make sure that there aren't any "words".  Under those conditions, I'd expect an eleven character password to be beyond any current technology of cracking in your lifetime.  Want to be more sure?  Make it even longer.  Of course, the problem with such a password is it can be difficult to remember it if you haven't used it in a while.  This tends to people writing the password down.  If you are going to put the password on paper, you might as well consider paper wallets, since either way you are subject to the same risks and benefits.

Piper67
Legendary
*
Offline Offline

Activity: 1106


AffBits.com Affiliate Network


View Profile WWW
February 05, 2013, 09:31:02 PM
 #16

Just today I started playing around with Armory (offline and online wallets) and at first glance it seems pretty impressive.

Disclaimer: I am not exactly a technophobe, but compared to most others on this forum I'm quite close. So if anyone knows of any potential pitfalls with Armory, I'd like to hear about them.

dserrano5
Legendary
*
Offline Offline

Activity: 1848



View Profile
February 05, 2013, 09:45:59 PM
 #17

If you really want it secure, use a completely random set of capital letter, lowercase letters, numbers, symbols/punctuation, and make sure that there aren't any "words".

A reasonable compromise would be a passphrase with just one non-word, e.g. "This is my gP#m6ij_% password.".

On the topic of passwords, the usage of Unicode characters hasn't been frequently discussed. It certainly broadens the dictionary that the attackers would have to use, at the cost of potentially finding encoding problems that prevent its legitimate usage. But think of it, a single "ñ", "β" or "©" can completely change the game.

casascius
Mike Caldwell
VIP
Legendary
*
Offline Offline

Activity: 1358


The Casascius 1oz 10BTC Silver Round (w/ Gold B)


View Profile WWW
February 05, 2013, 10:05:06 PM
 #18

If you really want it secure, use a completely random set of capital letter, lowercase letters, numbers, symbols/punctuation, and make sure that there aren't any "words".

A reasonable compromise would be a passphrase with just one non-word, e.g. "This is my gP#m6ij_% password.".

On the topic of passwords, the usage of Unicode characters hasn't been frequently discussed. It certainly broadens the dictionary that the attackers would have to use, at the cost of potentially finding encoding problems that prevent its legitimate usage. But think of it, a single "ñ", "β" or "©" can completely change the game.

I specified that my paper wallet encryption scheme must use UTF-8, and included a test vector consisting of all Greek characters.  So at least there is an established definition for encoding Unicode passwords.  There's still the possibility for confusion with respect to composed versus non-composed characters, but don't think it will present a major issue (non-composed characters, as I understand it, are far more commonly used, and this is a function of the input method that has nothing to do with the wallet encryption in the first place)

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper or hardware wallets instead.
Offthechain
Jr. Member
*
Offline Offline

Activity: 35


View Profile
February 05, 2013, 10:29:46 PM
 #19

I have a fresh install of Linux Mint on a Laptop that rarely touches the Net.
I use Armory and have a watch only Armory wallet on my Windows 8 machine.
I have multiple backups of my wallet in Truecrytpt containers... some in the cloud, some on a USB stick.
I feel pretty safe.

I wouldn't want bits of paper knocking around unless I had a fireproof safe.
SgtSpike
Legendary
*
Offline Offline

Activity: 1358



View Profile
February 05, 2013, 11:22:46 PM
 #20

How is the encryption?  Are we talking 100's of universes of time to crack an 11-digit PW, or should I go with something even longer?
I wouldn't be worried about the encryption being cracked.  I'd be far more concerned with creating a password that won't be cracked.  If your eleven digit password is 11111111111, I'd expect it to get cracked.  If you use an eleven character password , but only use lowercase characters (such as "mysecurepwd"), I'd still expect it to be cracked.  Add in some numbers and symbols, and now you are improving your chances of having a secure password.  If you really want it secure, use a completely random set of capital letter, lowercase letters, numbers, symbols/punctuation, and make sure that there aren't any "words".  Under those conditions, I'd expect an eleven character password to be beyond any current technology of cracking in your lifetime.  Want to be more sure?  Make it even longer.  Of course, the problem with such a password is it can be difficult to remember it if you haven't used it in a while.  This tends to people writing the password down.  If you are going to put the password on paper, you might as well consider paper wallets, since either way you are subject to the same risks and benefits.
Thanks.  The password certainly isn't something that will be cracked by anything but a non-pattern brute-forcer, but it's still short enough to be easily remembered.  I feel good about my chances then.

Just today I started playing around with Armory (offline and online wallets) and at first glance it seems pretty impressive.

Disclaimer: I am not exactly a technophobe, but compared to most others on this forum I'm quite close. So if anyone knows of any potential pitfalls with Armory, I'd like to hear about them.
It's great software, I just hate the launch times.  First launching the QT client and waiting for that to load, then waiting for Armory to load on top of it...

I have a fresh install of Linux Mint on a Laptop that rarely touches the Net.
I use Armory and have a watch only Armory wallet on my Windows 8 machine.
I have multiple backups of my wallet in Truecrytpt containers... some in the cloud, some on a USB stick.
I feel pretty safe.

I wouldn't want bits of paper knocking around unless I had a fireproof safe.
Paper isn't even THAT safe inside a fire safe either.  Safer, but an intense house fire without intervention could have it brown to the point of unreadability.
Pages: [1] 2 »  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!