Bitcoin Forum
November 24, 2017, 11:46:21 AM *
News: Latest stable version of Bitcoin Core: 0.15.1  [Torrent].
 
   Home   Help Search Donate Login Register  
Pages: « 1 [2]  All
  Print  
Author Topic: Security concerns of Bitcoin-QT with encrypted wallet?  (Read 4481 times)
johnyj
Legendary
*
Offline Offline

Activity: 1834


Beyond Imagination


View Profile
February 06, 2013, 04:58:52 AM
 #21

I had a feeling that keyloggers will be the next biggest threat for BTC security

And on the other hand, the password management could really become a pain, sooner or later someone lost many of his coin permanantly because he just forgot one of his brainwallet password  Grin Grin

Join ICO Now Coinlancer is Disrupting the Freelance marketplace!
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
SgtSpike
Legendary
*
Offline Offline

Activity: 1358



View Profile
February 06, 2013, 08:48:15 AM
 #22

Just today I started playing around with Armory (offline and online wallets) and at first glance it seems pretty impressive.
It's great software, I just hate the launch times.  First launching the QT client and waiting for that to load, then waiting for Armory to load on top of it...

You must not be very concerned about security if a couple of minutes of load time inconveniences you.

I used to be worried about keeping my Bitcoins safe, and being able to safely use them at the same time. Since I started using Armory it's no longer a concern. I keep multiple wallets with multiple levels of security and it works wonderfully. Put what you might spend on a more convenient wallet, put the rest in deep savings, offline only. Fund the spending wallet as needed with offline transfers.

I keep digital wallet backups in multiple physical locations to protect against disaster.
I do value convenience highly.  I do not currently have a large BTC balance, but if that changes in the future, I will obviously put more weight into the most secure solutions.

I don't really have any spare computers that don't touch the web... that's what you're talking about, right?  A spare machine that is always offline, and that you use with armory and a USB key to sign transactions?  Maybe I should build one out of spare parts... how much ram is required for an offline only machine?
LightRider
Legendary
*
Offline Offline

Activity: 1485


I advocate the Zeitgeist Movement & Venus Project.


View Profile WWW
February 06, 2013, 09:21:16 AM
 #23

3 Rules of Computer Security:

Do not own a computer; Do not power it on; and do not use one.

Bitcoin combines money, the wrongest thing in the world, with software, the easiest thing in the world to get wrong.
Visit www.thevenusproject.com and www.theZeitgeistMovement.com.
DannyHamilton
Legendary
*
Offline Offline

Activity: 1988



View Profile
February 06, 2013, 02:01:49 PM
 #24

. . .  Are we talking 100's of universes of time to crack an 11-digit PW, or should I go with something even longer?

. . . If you use an eleven character password . . . If you really want it secure, use a completely random set of capital letter, lowercase letters, numbers, symbols/punctuation, and make sure that there aren't any "words".  Under those conditions, I'd expect an eleven character password to be beyond any current technology of cracking in your lifetime.  Want to be more sure?  Make it even longer . . .

If you really want it secure, use a completely random set of capital letter, lowercase letters, numbers, symbols/punctuation, and make sure that there aren't any "words".
A reasonable compromise would be a passphrase with just one non-word, e.g. "This is my gP#m6ij_% password." . . .

That's 30 characters.  So what you are saying is, "use a longer password"?

If you really want it secure, use a completely random set of capital letter, lowercase letters, numbers, symbols/punctuation, and make sure that there aren't any "words".
A reasonable compromise would be a passphrase with just one non-word, e.g. "This is my gP#m6ij_% password." . . .
Correct Horse Battery Staple

That's 28 characters.  So what you are saying is, "use a longer password"?

Piper67
Legendary
*
Offline Offline

Activity: 1106


AffBits.com Affiliate Network


View Profile WWW
February 06, 2013, 02:05:10 PM
 #25

Just today I started playing around with Armory (offline and online wallets) and at first glance it seems pretty impressive.
It's great software, I just hate the launch times.  First launching the QT client and waiting for that to load, then waiting for Armory to load on top of it...

You must not be very concerned about security if a couple of minutes of load time inconveniences you.

I used to be worried about keeping my Bitcoins safe, and being able to safely use them at the same time. Since I started using Armory it's no longer a concern. I keep multiple wallets with multiple levels of security and it works wonderfully. Put what you might spend on a more convenient wallet, put the rest in deep savings, offline only. Fund the spending wallet as needed with offline transfers.

I keep digital wallet backups in multiple physical locations to protect against disaster.





Thanks. I'm doing just about the same right now, and as I said, quite impressed with it. The whole process for signing an offline transaction does take well under a minute and having digital and paper backups for the wallets is very reassuring.

2112
Legendary
*
Offline Offline

Activity: 1974



View Profile
February 06, 2013, 06:10:41 PM
 #26

My suggestion was to use a completely random set of capital letters, lowercase letters, numbers, symbols/punctuation which would provide 1194 possible combinations.
Ugh. Please check your math.

In[1]:= 11^94

Out[1]= 7778796406007058285951393811497112871791787694\
6029329123560958680818697236800243835465535478292041

In[2]:= 94^11

Out[2]= 5062982072492057196544

Please comment, critique, criticize or ridicule BIP 2112: https://bitcointalk.org/index.php?topic=54382.0
Long-term mining prognosis: https://bitcointalk.org/index.php?topic=91101.0
DannyHamilton
Legendary
*
Offline Offline

Activity: 1988



View Profile
February 06, 2013, 06:22:39 PM
 #27

My suggestion was to use a completely random set of capital letters, lowercase letters, numbers, symbols/punctuation which would provide 1194 possible combinations.
Ugh. Please check your math.

In[1]:= 11^94

Out[1]= 7778796406007058285951393811497112871791787694\
6029329123560958680818697236800243835465535478292041

In[2]:= 94^11

Out[2]= 5062982072492057196544
Bah! What a dumb mistake to make.  I know better too.  Sorry about that.  Can't believe I did that.  I've deleted the post, as the whole thing was based on that really bad math.

DannyHamilton
Legendary
*
Offline Offline

Activity: 1988



View Profile
February 06, 2013, 06:32:45 PM
 #28

If you really want it secure, use a completely random set of capital letter, lowercase letters, numbers, symbols/punctuation, and make sure that there aren't any "words".
A reasonable compromise would be a passphrase with just one non-word, e.g. "This is my gP#m6ij_% password." . . .
Correct Horse Battery Staple
That's 28 characters.  So what you are saying is, "use a longer password"?
But to answer the question, don't rely on something a simple key logger can defeat. I consider a password like a lock on a door. If you want security, get rid of the door!

EDITED and re-posted to address a really dumb math mistake...

I'm familiar with the xkcd comic, OP was specifically asking about an 11 digit password.  My suggestion was to use a completely random set of capital letters, lowercase letters, numbers, symbols/punctuation which would provide 9411 possible combinations.  That is approximately 72 bits of entropy, as such, it is about as secure as you are going to get with 11 characters, though still less secure than a bitcoin address (having 160 bits).  If you want your password to be as secure as a bitcoin address, you'll need at least 25 characters as long as it was a completely random arrangement of capital letters, lowercase letters, numbers, and symbols/punctuation since 9425 > 2160


P.S. Care to double check my math again 2112?  No guarantees that I haven't made another dumb mistake.

2112
Legendary
*
Offline Offline

Activity: 1974



View Profile
February 06, 2013, 06:43:53 PM
 #29


P.S. Care to double check my math again 2112?  No guarantees that I haven't made another dumb mistake.

I'm just going to post here what I posted for jim618 in his Multibit thread.
Do people think this is an easier way to remember 128 bits?
Jim, are you, by chance, a monolingual person? Are you capable of reading any other script than Latin?

Just lay off this problem. It tends to become a paranoidal obsession, similar to the one exhibited in other thread where very intelligent people assume that Internet is operational but all sources of time are compromised.

As far as your software: just make sure that Unicode and various Input Method Editors are operational.

Really just lay it off for a while: it isn't a technical issue and really a behavioral health issue.

Please comment, critique, criticize or ridicule BIP 2112: https://bitcointalk.org/index.php?topic=54382.0
Long-term mining prognosis: https://bitcointalk.org/index.php?topic=91101.0
Stelios
Member
**
Offline Offline

Activity: 112


View Profile
October 08, 2013, 12:44:35 PM
 #30

OK quick question:

1) you have a dummy (empty) wallet.dat in .bitcoin so as your bitcoin-qt can stay up to date
2) you keep your real wallet.dat encrypted (say truecrypt) in a usb or maybe also on your mail or dropbox.
3) if you want to make a transaction:
    a) get your encrypted wallet
    b) decrypt it and copy it into .bitcoin
    c) make transaction
    d) replace real wallet.dat with dummy one

question: Is this secure enough or are you still in danger during the transaction (for as long as you have your real wallet.dat linked to bitcoin-qt)?

SK       
Jan
Legendary
*
Offline Offline

Activity: 1043



View Profile
October 08, 2013, 03:32:06 PM
 #31

OK quick question:

1) you have a dummy (empty) wallet.dat in .bitcoin so as your bitcoin-qt can stay up to date
2) you keep your real wallet.dat encrypted (say truecrypt) in a usb or maybe also on your mail or dropbox.
3) if you want to make a transaction:
    a) get your encrypted wallet
    b) decrypt it and copy it into .bitcoin
    c) make transaction
    d) replace real wallet.dat with dummy one

question: Is this secure enough or are you still in danger during the transaction (for as long as you have your real wallet.dat linked to bitcoin-qt)?

SK       
You would be better off doing this with a cheap dedicated device: http://youtu.be/1pDSzOiFgIk

Mycelium let's you hold your private keys private.
Stelios
Member
**
Offline Offline

Activity: 112


View Profile
October 14, 2013, 11:03:30 AM
 #32

OK quick question:

1) you have a dummy (empty) wallet.dat in .bitcoin so as your bitcoin-qt can stay up to date
2) you keep your real wallet.dat encrypted (say truecrypt) in a usb or maybe also on your mail or dropbox.
3) if you want to make a transaction:
    a) get your encrypted wallet
    b) decrypt it and copy it into .bitcoin
    c) make transaction
    d) replace real wallet.dat with dummy one

question: Is this secure enough or are you still in danger during the transaction (for as long as you have your real wallet.dat linked to bitcoin-qt)?

SK       
You would be better off doing this with a cheap dedicated device: http://youtu.be/1pDSzOiFgIk

Point taken Wink,
Thanks Jan.
Pages: « 1 [2]  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!