Bitcoin Forum
Pages: 1 [2]
Author Topic: Security concerns of Bitcoin-QT with encrypted wallet?  (Read 4606 times)
johnyj (Legendary; Activity: 1988, Merit: 1012)
February 06, 2013, 04:58:52 AM  #21

I had a feeling that keyloggers will be the next biggest threat for BTC security.

And on the other hand, password management could really become a pain; sooner or later someone will lose many of his coins permanently because he just forgot one of his brainwallet passwords. :D

SgtSpike (OP) (Legendary; Activity: 1400, Merit: 1005)
February 06, 2013, 08:48:15 AM  #22

>>> Just today I started playing around with Armory (offline and online wallets) and at first glance it seems pretty impressive.
>> It's great software, I just hate the launch times.  First launching the QT client and waiting for that to load, then waiting for Armory to load on top of it...
>
> You must not be very concerned about security if a couple of minutes of load time inconveniences you.
>
> I used to be worried about keeping my Bitcoins safe, and being able to safely use them at the same time. Since I started using Armory it's no longer a concern. I keep multiple wallets with multiple levels of security and it works wonderfully. Put what you might spend on a more convenient wallet, put the rest in deep savings, offline only. Fund the spending wallet as needed with offline transfers.
>
> I keep digital wallet backups in multiple physical locations to protect against disaster.

I do value convenience highly.  I do not currently have a large BTC balance, but if that changes in the future, I will obviously put more weight into the most secure solutions.

I don't really have any spare computers that don't touch the web... that's what you're talking about, right?  A spare machine that is always offline, and that you use with Armory and a USB key to sign transactions?  Maybe I should build one out of spare parts... how much RAM is required for an offline-only machine?
LightRider (Legendary; Activity: 1500, Merit: 1021)
February 06, 2013, 09:21:16 AM  #23

3 Rules of Computer Security:

Do not own a computer; Do not power it on; and do not use one.

Bitcoin combines money, the wrongest thing in the world, with software, the easiest thing in the world to get wrong.
Visit www.thevenusproject.com and www.theZeitgeistMovement.com.
DannyHamilton (Legendary; Activity: 3360, Merit: 4570)
February 06, 2013, 02:01:49 PM  #24

>> . . .  Are we talking 100's of universes of time to crack an 11-digit PW, or should I go with something even longer?
> . . . If you use an eleven character password . . . If you really want it secure, use a completely random set of capital letter, lowercase letters, numbers, symbols/punctuation, and make sure that there aren't any "words".  Under those conditions, I'd expect an eleven character password to be beyond any current technology of cracking in your lifetime.  Want to be more sure?  Make it even longer . . .

>> If you really want it secure, use a completely random set of capital letter, lowercase letters, numbers, symbols/punctuation, and make sure that there aren't any "words".
> A reasonable compromise would be a passphrase with just one non-word, e.g. "This is my gP#m6ij_% password." . . .

That's 30 characters.  So what you are saying is, "use a longer password"?

>>> If you really want it secure, use a completely random set of capital letter, lowercase letters, numbers, symbols/punctuation, and make sure that there aren't any "words".
>> A reasonable compromise would be a passphrase with just one non-word, e.g. "This is my gP#m6ij_% password." . . .
> Correct Horse Battery Staple

That's 28 characters.  So what you are saying is, "use a longer password"?
Piper67 (Legendary; Activity: 1106, Merit: 1001)
February 06, 2013, 02:05:10 PM  #25

>>> Just today I started playing around with Armory (offline and online wallets) and at first glance it seems pretty impressive.
>> It's great software, I just hate the launch times.  First launching the QT client and waiting for that to load, then waiting for Armory to load on top of it...
>
> You must not be very concerned about security if a couple of minutes of load time inconveniences you.
>
> I used to be worried about keeping my Bitcoins safe, and being able to safely use them at the same time. Since I started using Armory it's no longer a concern. I keep multiple wallets with multiple levels of security and it works wonderfully. Put what you might spend on a more convenient wallet, put the rest in deep savings, offline only. Fund the spending wallet as needed with offline transfers.
>
> I keep digital wallet backups in multiple physical locations to protect against disaster.

Thanks. I'm doing just about the same right now, and as I said, quite impressed with it. The whole process for signing an offline transaction does take well under a minute and having digital and paper backups for the wallets is very reassuring.
2112 (Legendary; Activity: 2128, Merit: 1065)
February 06, 2013, 06:10:41 PM  #26

> My suggestion was to use a completely random set of capital letters, lowercase letters, numbers, symbols/punctuation which would provide 11^94 possible combinations.

Ugh. Please check your math.

In[1]:= 11^94

Out[1]= 7778796406007058285951393811497112871791787694\
6029329123560958680818697236800243835465535478292041

In[2]:= 94^11

Out[2]= 5062982072492057196544

Please comment, critique, criticize or ridicule BIP 2112: https://bitcointalk.org/index.php?topic=54382.0
Long-term mining prognosis: https://bitcointalk.org/index.php?topic=91101.0
DannyHamilton (Legendary; Activity: 3360, Merit: 4570)
February 06, 2013, 06:22:39 PM  #27

>> My suggestion was to use a completely random set of capital letters, lowercase letters, numbers, symbols/punctuation which would provide 11^94 possible combinations.
>
> Ugh. Please check your math.
>
> In[1]:= 11^94
>
> Out[1]= 7778796406007058285951393811497112871791787694\
> 6029329123560958680818697236800243835465535478292041
>
> In[2]:= 94^11
>
> Out[2]= 5062982072492057196544

Bah! What a dumb mistake to make.  I know better too.  Sorry about that.  Can't believe I did that.  I've deleted the post, as the whole thing was based on that really bad math.
DannyHamilton (Legendary; Activity: 3360, Merit: 4570)
February 06, 2013, 06:32:45 PM  #28

>>>>> If you really want it secure, use a completely random set of capital letter, lowercase letters, numbers, symbols/punctuation, and make sure that there aren't any "words".
>>>> A reasonable compromise would be a passphrase with just one non-word, e.g. "This is my gP#m6ij_% password." . . .
>>> Correct Horse Battery Staple
>> That's 28 characters.  So what you are saying is, "use a longer password"?
> But to answer the question, don't rely on something a simple key logger can defeat. I consider a password like a lock on a door. If you want security, get rid of the door!

EDITED and re-posted to address a really dumb math mistake...

I'm familiar with the xkcd comic; OP was specifically asking about an 11-digit password.  My suggestion was to use a completely random set of capital letters, lowercase letters, numbers, symbols/punctuation, which would provide 94^11 possible combinations.  That is approximately 72 bits of entropy, so it is about as secure as you are going to get with 11 characters, though still less secure than a bitcoin address (having 160 bits).  If you want your password to be as secure as a bitcoin address, you'll need at least 25 characters, as long as it is a completely random arrangement of capital letters, lowercase letters, numbers, and symbols/punctuation, since 94^25 > 2^160.


P.S. Care to double check my math again 2112?  No guarantees that I haven't made another dumb mistake.
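The arithmetic from the last three posts (2112's 94^11 check, DannyHamilton's 72-bit and 25-character figures), as an added example that is not any poster's code. It also scores the two passphrases quoted in #24 by the part of them that is actually unpredictable, which the "30 characters" / "28 characters" exchange leaves implicit. Assumptions not in the thread: the 94-symbol alphabet is printable ASCII without the space, the four-word passphrase is drawn from a 2048-word list, and the guess rate in the demo is an arbitrary figure for illustration.

```python
"""Password-strength arithmetic from the thread (added example; not the
posters' code). Constructed assumptions: printable ASCII minus space as the
94-symbol alphabet, a 2048-word list (11 bits/word) for the four-word
passphrase, and an illustrative guess rate."""
import math
import string

PRINTABLE = string.ascii_letters + string.digits + string.punctuation
ALPHABET = len(PRINTABLE)          # 26 + 26 + 10 + 32 = 94
ADDRESS_BITS = 160                 # the figure the post compares against


def combinations(alphabet_size: int, length: int) -> int:
    """Distinct strings of that length: alphabet_size ** length.
    (length ** alphabet_size is the 11^94 slip that 2112 caught.)"""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string, in bits."""
    return length * math.log2(alphabet_size)


def min_length_for_bits(alphabet_size: int, target_bits: int) -> int:
    """Shortest uniformly random string that reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def passphrase_entropy(random_chars: str, random_words: int = 0,
                       wordlist_size: int = 2048) -> float:
    """Credit only what an attacker who knows the pattern cannot predict:
    a random character run (94 symbols each) plus randomly drawn words.
    Fixed filler such as 'This is my ... password.' adds length, not bits."""
    return (entropy_bits(ALPHABET, len(random_chars))
            + random_words * math.log2(wordlist_size))


def years_to_exhaust_half(bits: float, guesses_per_second: float) -> float:
    """Expected brute-force time: half the keyspace at the given rate."""
    return 2 ** bits / 2 / guesses_per_second / (365.25 * 86400)


if __name__ == "__main__":
    eleven = entropy_bits(ALPHABET, 11)
    print("94^11 =", combinations(ALPHABET, 11))
    print("11 random chars: %.1f bits" % eleven)
    print("chars needed for %d bits: %d"
          % (ADDRESS_BITS, min_length_for_bits(ALPHABET, ADDRESS_BITS)))
    print('"This is my gP#m6ij_% password." (30 chars): %.1f bits'
          % passphrase_entropy("gP#m6ij_%"))
    print('"Correct Horse Battery Staple" (28 chars, 4 words): %.1f bits'
          % passphrase_entropy("", random_words=4))
    # 1e9 guesses/s is an assumed attacker budget, not a measured figure.
    print("years at 1e9 guesses/s for 11 random chars: %.0f"
          % years_to_exhaust_half(eleven, 1e9))
```

The 30-character passphrase comes out near 59 bits (only the nine random characters count once the surrounding sentence is known) and the four-word one at 44 bits, both below the 72 bits of eleven truly random characters; length is not the measure, entropy is. The time estimate assumes the characters really were drawn uniformly, which a password you can type from memory usually was not, and the guess rate is the attacker's hardware budget, not a property of the password; Bitcoin-Qt's wallet encryption additionally stretches the passphrase with iterated SHA-512, so each guess against a wallet.dat costs far more than a single hash.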
2112 (Legendary; Activity: 2128, Merit: 1065)
February 06, 2013, 06:43:53 PM  #29


> P.S. Care to double check my math again 2112?  No guarantees that I haven't made another dumb mistake.

I'm just going to post here what I posted for jim618 in his Multibit thread.

> Do people think this is an easier way to remember 128 bits?

Jim, are you, by chance, a monolingual person? Are you capable of reading any other script than Latin?

Just lay off this problem. It tends to become a paranoid obsession, similar to the one exhibited in the other thread where very intelligent people assume that the Internet is operational but all sources of time are compromised.

As far as your software: just make sure that Unicode and various Input Method Editors are operational.

Really, just lay it off for a while: it isn't a technical issue but really a behavioral health issue.

Please comment, critique, criticize or ridicule BIP 2112: https://bitcointalk.org/index.php?topic=54382.0
Long-term mining prognosis: https://bitcointalk.org/index.php?topic=91101.0
Stelios (Member; Activity: 112, Merit: 10)
October 08, 2013, 12:44:35 PM  #30

OK, quick question:

1) You have a dummy (empty) wallet.dat in .bitcoin so that your bitcoin-qt can stay up to date.
2) You keep your real wallet.dat encrypted (say, with TrueCrypt) on a USB stick, or maybe also in your mail or Dropbox.
3) If you want to make a transaction:
    a) get your encrypted wallet
    b) decrypt it and copy it into .bitcoin
    c) make the transaction
    d) replace the real wallet.dat with the dummy one

Question: Is this secure enough, or are you still in danger during the transaction (for as long as you have your real wallet.dat linked to bitcoin-qt)?

SK
Jan (Legendary; Activity: 1043, Merit: 1002)
October 08, 2013, 03:32:06 PM  #31

> OK, quick question:
>
> 1) You have a dummy (empty) wallet.dat in .bitcoin so that your bitcoin-qt can stay up to date.
> 2) You keep your real wallet.dat encrypted (say, with TrueCrypt) on a USB stick, or maybe also in your mail or Dropbox.
> 3) If you want to make a transaction:
>     a) get your encrypted wallet
>     b) decrypt it and copy it into .bitcoin
>     c) make the transaction
>     d) replace the real wallet.dat with the dummy one
>
> Question: Is this secure enough, or are you still in danger during the transaction (for as long as you have your real wallet.dat linked to bitcoin-qt)?
>
> SK

You would be better off doing this with a cheap dedicated device: http://youtu.be/1pDSzOiFgIk

Mycelium lets you hold your private keys private.
Stelios (Member; Activity: 112, Merit: 10)
October 14, 2013, 11:03:30 AM  #32

>> OK, quick question:
>>
>> 1) You have a dummy (empty) wallet.dat in .bitcoin so that your bitcoin-qt can stay up to date.
>> 2) You keep your real wallet.dat encrypted (say, with TrueCrypt) on a USB stick, or maybe also in your mail or Dropbox.
>> 3) If you want to make a transaction:
>>     a) get your encrypted wallet
>>     b) decrypt it and copy it into .bitcoin
>>     c) make the transaction
>>     d) replace the real wallet.dat with the dummy one
>>
>> Question: Is this secure enough, or are you still in danger during the transaction (for as long as you have your real wallet.dat linked to bitcoin-qt)?
>>
>> SK
> You would be better off doing this with a cheap dedicated device: http://youtu.be/1pDSzOiFgIk

Point taken ;)
Thanks, Jan.
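Stelios's four-step swap from #30 and Jan's answer, as an added example that is neither poster's code and nothing Bitcoin-Qt provides. It puts a check in front of step (b) that the thread does not mention (whoever can read the Dropbox or mailbox copy can also replace it, and the client loads whatever wallet.dat it finds) and makes step (d) hand back the updated wallet for re-encryption, because a spend changes the file. Assumed, not from the thread: the decrypt hook (a gpg stand-in; the post used TrueCrypt), the dummy parked as wallet.dat.dummy, and a SHA-256 of the plaintext recorded out of band, for instance on the paper backup. It does nothing about the window Stelios asks about: while the real wallet.dat is in place, anything running on that machine can read it, which is why Jan points at a separate device.

```python
"""Dummy/real wallet.dat swap with an integrity gate (added example; not the
posters' code and not anything Bitcoin-Qt ships).

Assumptions, none from the thread: the encrypted copy is one file whose
plaintext a caller-supplied `decrypt` function returns; the SHA-256 of that
plaintext, taken when it was last encrypted, is kept somewhere the cloud copy
is not; the dummy wallet is parked as wallet.dat.dummy while the real one is
in use. `gpg_decrypt` is a stand-in for whatever tool you actually use."""
import hashlib
import hmac
import os
import secrets
import subprocess
from pathlib import Path
from typing import Callable

WALLET = "wallet.dat"
PARKED_DUMMY = "wallet.dat.dummy"


def gpg_decrypt(ciphertext: bytes) -> bytes:
    """Example decrypt hook via gpg's stdin/stdout (needs gpg and the key)."""
    return subprocess.run(["gpg", "--batch", "--decrypt"], input=ciphertext,
                          capture_output=True, check=True).stdout


def swap_in(datadir: Path, encrypted: Path, expected_sha256: str,
            decrypt: Callable[[bytes], bytes] = gpg_decrypt) -> Path:
    """Steps (a)-(b): decrypt the real wallet and put it where the dummy was.
    The plaintext is compared with the out-of-band digest BEFORE anything is
    written, so a replaced cloud copy never reaches the client."""
    wallet, parked = datadir / WALLET, datadir / PARKED_DUMMY
    if parked.exists():
        raise RuntimeError("dummy already parked; a previous swap was never undone")
    if not wallet.exists():
        raise RuntimeError("no dummy wallet.dat in the data directory")
    plain = decrypt(encrypted.read_bytes())
    got = hashlib.sha256(plain).hexdigest()
    if not hmac.compare_digest(got, expected_sha256):
        raise ValueError("decrypted wallet does not match the recorded digest; not installing it")
    os.replace(wallet, parked)                 # park the dummy (atomic rename)
    tmp = datadir / (WALLET + ".tmp")
    tmp.write_bytes(plain)
    os.chmod(tmp, 0o600)                       # owner-only before it becomes wallet.dat
    os.replace(tmp, wallet)
    return wallet


def swap_out(datadir: Path) -> bytes:
    """Step (d): take the real wallet out and restore the dummy. Returns the
    wallet bytes as they are NOW so the caller re-encrypts them: a spend
    changes the file (change keys drawn from the keypool, the new transaction
    recorded), so the copy encrypted before the spend no longer matches.
    The single overwrite before unlink is best effort; on SSDs and journaling
    filesystems it does not guarantee the plaintext is gone."""
    wallet, parked = datadir / WALLET, datadir / PARKED_DUMMY
    if not parked.exists():
        raise RuntimeError("no parked dummy; nothing to swap out")
    updated = wallet.read_bytes()
    with open(wallet, "r+b") as fh:
        fh.write(secrets.token_bytes(len(updated)))
        fh.flush()
        os.fsync(fh.fileno())
    os.unlink(wallet)
    os.replace(parked, wallet)
    return updated


def real_wallet_loaded(datadir: Path) -> bool:
    """True during the exposure window Stelios asks about."""
    return (datadir / PARKED_DUMMY).exists()


if __name__ == "__main__":
    import tempfile
    # Constructed demo data: a toy XOR "cipher" stands in for TrueCrypt/gpg.
    toy_decrypt = lambda b: bytes(x ^ 0x5A for x in b)
    real = b"real wallet contents (constructed)"
    with tempfile.TemporaryDirectory() as d:
        datadir = Path(d)
        (datadir / WALLET).write_bytes(b"empty dummy wallet (constructed)")
        enc = datadir / "wallet.dat.enc"
        enc.write_bytes(toy_decrypt(real))     # XOR is its own inverse
        swap_in(datadir, enc, hashlib.sha256(real).hexdigest(), decrypt=toy_decrypt)
        print("real wallet loaded:", real_wallet_loaded(datadir))   # make the transaction here
        updated = swap_out(datadir)
        print("re-encrypt %d bytes; loaded: %s" % (len(updated), real_wallet_loaded(datadir)))
```

Run it directly for the constructed demo. `swap_out` returns bytes rather than reporting success precisely because the file you get back after a spend is not the file you put in; store the new ciphertext and the new digest together, or the next `swap_in` will refuse the wallet you actually need.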