Bitcoin Forum
Topic: Storing my seed in Lastpass
NUFCrichard (OP)
May 27, 2016, 12:12:14 PM
 #1

How do the Electrum pros here feel about storing the seed in Lastpass?

I haven't done it at the moment, but I do feel like storing bits of paper with seed codes on isn't a great long term strategy.
defined
May 27, 2016, 12:15:18 PM
 #2

LastPass Password Manager is made to do this.
Do not forget to make backups and use a strong password.
NUFCrichard (OP)
May 28, 2016, 08:23:10 AM
 #3

OK thanks, I don't like to keep all my eggs in one basket, so even though I trust LastPass, I wasn't sure about having my seed(s) on there.
I guess I will keep my hard copy stored away and investigate further if storing my seed in LastPass is 100% safe.
OmegaStarScream
May 28, 2016, 11:40:56 AM
 #4

LastPass is an online password manager, it's definitely not recommended to store your seed or anything related to your private keys there.
I'd suggest storing them on KeePass instead since it's an offline password manager and you have a portable database file .kdx which you can use anywhere as long as you have your master key.

PS: LastPass got hacked last year - https://www.coinprices.io/posts/a-guide-to-basic-password-security-the-danger-of-last-pass

NUFCrichard (OP)
May 30, 2016, 12:00:30 PM
 #5

> LastPass is an online password manager, it's definitely not recommended to store your seed or anything related to your private keys there.
> I'd suggest storing them on KeePass instead since it's an offline password manager and you have a portable database file .kdx which you can use anywhere as long as you have your master key.
>
> PS: LastPass got hacked last year - https://www.coinprices.io/posts/a-guide-to-basic-password-security-the-danger-of-last-pass

I had read that article, but it also seemed to be somewhat rubbished as advertising for KeePass.

KeePass has had its problems too: https://thehackernews.com/2015/11/password-manager-hacked.html

I already have LastPass and love it, I just wasn't sure about using it for seeds.
OmegaStarScream
May 30, 2016, 12:15:24 PM
 #6

>> LastPass is an online password manager, it's definitely not recommended to store your seed or anything related to your private keys there.
>> I'd suggest storing them on KeePass instead since it's an offline password manager and you have a portable database file .kdx which you can use anywhere as long as you have your master key.
>>
>> PS: LastPass got hacked last year - https://www.coinprices.io/posts/a-guide-to-basic-password-security-the-danger-of-last-pass
>
> I had read that article, but it also seemed to be somewhat rubbished as advertising for KeePass.
>
> KeePass has had its problems too: https://thehackernews.com/2015/11/password-manager-hacked.html
>
> I already have LastPass and love it, I just wasn't sure about using it for seeds.

I'm only giving you advice here, man, so it's up to you, but I have to mention a few things:

That hack was in 2015 and there were other versions of it and they keep updating it so it's secure now. Someone won't simply target you with a KeePass stealer in the first place unless he knows you are using it. Unlike LastPass, where he won't target you personally but will target the whole database and get a lot of users' passwords, and then it's just a matter of time till the information gets used or sold in the Darknet.
As a bitcoin, I suppose you understand that using online wallets (Coinbase/Blockchain.info) is insecure, yes? If it's the case then it's the same case for LastPass.

BitcoinSupremo
May 31, 2016, 08:32:28 PM
 #7

I saved my seed in a LibreOffice 5 document in Linux and put a strong password on that document; in addition to that, I compressed it and also put a strong password on the rar file. I put that file on different USBs plus on my laptop and desktop. Today I needed that file and restored my Electrum wallet on my laptop without any problem at all. This is the best way to store your seed in my opinion.
BitcoinNewsMagazine
June 01, 2016, 01:09:58 AM
 #8

If you are serious about security of your bitcoin your seed should never be displayed or typed on an online computer. Use a hardware wallet instead and write your seed on paper, store securely. If you use a hardware wallet that permits encryption of the seed with a passphrase you keep in your head you have an additional layer of protection. Using a PIN and simple passphrase on a Trezor provides very good security. Since the seed is worthless without the passphrase you can leave the seed with friends. Just do not forget your passphrase!

NUFCrichard (OP)
June 01, 2016, 07:09:54 AM
 #9

> If you are serious about security of your bitcoin your seed should never be displayed or typed on an online computer. Use a hardware wallet instead and write your seed on paper, store securely. If you use a hardware wallet that permits encryption of the seed with a passphrase you keep in your head you have an additional layer of protection. Using a PIN and simple passphrase on a Trezor provides very good security. Since the seed is worthless without the passphrase you can leave the seed with friends. Just do not forget your passphrase!

I am serious about security, but as this thread is showing, it really isn't as easy as it seems! I don't want to have to remember anything, if I leave my Bitcoin untouched for a while, I will forget any decent password/phrase.
I quite like BitcoinSupremo's idea, but then where do you store the 2 strong passwords? I guess the chances of someone getting into LastPass, taking each of those passwords, and having access to my saved .rar file, is pretty remote.

I have read some Trezor threads about them crashing/malfunctioning, I think I would go for a paper wallet before a Trezor.
BitcoinNewsMagazine
June 01, 2016, 02:47:02 PM
 #10

>> If you are serious about security of your bitcoin your seed should never be displayed or typed on an online computer. Use a hardware wallet instead and write your seed on paper, store securely. If you use a hardware wallet that permits encryption of the seed with a passphrase you keep in your head you have an additional layer of protection. Using a PIN and simple passphrase on a Trezor provides very good security. Since the seed is worthless without the passphrase you can leave the seed with friends. Just do not forget your passphrase!
>
> I am serious about security, but as this thread is showing, it really isn't as easy as it seems! I don't want to have to remember anything, if I leave my Bitcoin untouched for a while, I will forget any decent password/phrase.
> I quite like BitcoinSupremo's idea, but then where do you store the 2 strong passwords? I guess the chances of someone getting into LastPass, taking each of those passwords, and having access to my saved .rar file, is pretty remote.
>
> I have read some Trezor threads about them crashing/malfunctioning, I think I would go for a paper wallet before a Trezor.


When you use Trezor the seed in effect is your bitcoin; the plastic device is a tool. You can crush your Trezor and be back up again in less than half an hour by recovering the seed to a new Trezor. Many folks who use Trezor keep a spare around in case of loss. I have never had a problem with Trezor crashing or malfunctioning. Once in a while the myTrezor.com site is down is all. If that happens you just use your Trezor with local Electrum.

Freakin
May 19, 2017, 04:13:27 AM
 #11

Bumping an old thread to add my $.02

Storing your seeds online is no good. 

I personally use lastpass for all my passwords.  The data are encrypted client side and never transmitted or stored unencrypted on Lastpass's servers.  They were hacked a year or two ago but the databases storing the encrypted passwords were not compromised.  I believe they only got user information.  Lastpass caught the hack themselves (either in progress or shortly afterward) by detecting an abnormal traffic pattern between some of their servers. 

So while I trust my encrypted passwords to lastpass, I don't trust the clients that decrypt those passwords (including my own computer) with my seed.  There are vulnerabilities in Lastpass clients that essentially trick the lastpass extension into filling hidden form fields on a website with all your passwords and posting them to their server behind the scenes.  This may be fixed already, but it doesn't mean another zero-day exploit won't be revealed in the client that can do the same.

Don't trust your seed to an online computer if you care about the BTC that the private keys can access.
jonald_fyookball
May 19, 2017, 04:47:16 AM
 #12


First of all, if it's a medium to large amount, keep it in cold storage.

But even for a small amount, I'm not sure I recommend LastPass... my understanding was data is kept locally but not the best idea if your computer dies... just email yourself the seed or write it down (again for small amounts).


kolloh
May 19, 2017, 02:28:59 PM
 #13


> First of all, if it's a medium to large amount, keep it in cold storage.
>
> But even for a small amount, I'm not sure I recommend LastPass... my understanding was data is kept locally but not the best idea if your computer dies... just email yourself the seed or write it down (again for small amounts).



If you value security, don't ever email yourself a seed. Email is extremely insecure and is in plaintext (unless encrypted with PGP or something). Storing in LastPass would be much more secure than email. That being said, it is probably a bit safer to store the seed offline in a secure place.
viking02
June 06, 2017, 06:16:46 AM
 #14

Isn't putting your Electrum phrase on KeePass fine though?

Also I assume most people have a copy of KeePass on Dropbox, right? So would that still be fine? The thing is, if you have your Electrum phrase on KeePass and also on Dropbox, then as long as you remember your KeePass master key password and your Dropbox password, then isn't that really all that is needed? I mean if Dropbox gets hacked... has it? Well, they still cannot open your KeePass file without your master password, right?

Thanks.


kolloh
June 06, 2017, 05:53:59 PM
 #15

> Isn't putting your Electrum phrase on KeePass fine though?
>
> Also I assume most people have a copy of KeePass on Dropbox, right? So would that still be fine? The thing is, if you have your Electrum phrase on KeePass and also on Dropbox, then as long as you remember your KeePass master key password and your Dropbox password, then isn't that really all that is needed? I mean if Dropbox gets hacked... has it? Well, they still cannot open your KeePass file without your master password, right?
>
> Thanks.

Yeah, I would think that should be fine as long as you are using a secure enough master password for KeePass that isn't easily brute forceable. Also, you must be sure that you never reuse your KeePass master password for any other websites which could end up leaking it in a compromise down the road.
CardShare
June 06, 2017, 05:55:25 PM
 #16

USB stick - TrueCrypt volume, pop it in there, encrypt it. Best place to keep them. And they're encrypted so double protection. Just make a couple of backups for emergency use.

BitcoinNewsMagazine
June 06, 2017, 06:39:21 PM
 #17

> USB stick - TrueCrypt volume, pop it in there, encrypt it. Best place to keep them. And they're encrypted so double protection. Just make a couple of backups for emergency use.

Using a TrueCrypt container can give you a false sense of security. First, when you typed your seed or password in a document you later saved in the container, you briefly exposed the seed or password to logging malware. Worse, any time you open a TrueCrypt container your password and work is saved in virtual memory paging files which are not erased on shut down. You need to take steps to tell your machine to delete the paging files or (better) only run TrueCrypt from a computer with whole disk encryption.

CardShare
June 06, 2017, 06:42:57 PM
 #18

>> USB stick - TrueCrypt volume, pop it in there, encrypt it. Best place to keep them. And they're encrypted so double protection. Just make a couple of backups for emergency use.
>
> Using a TrueCrypt container can give you a false sense of security. First, when you typed your seed or password in a document you later saved in the container, you briefly exposed the seed or password to logging malware. Worse, any time you open a TrueCrypt container your password and work is saved in virtual memory paging files which are not erased on shut down. You need to take steps to tell your machine to delete the paging files or (better) only run TrueCrypt from a computer with whole disk encryption.

True. Or just use an air-gapped system when decrypting; like you say, a machine with FDE adds a 2nd layer of protection.


kolloh
June 06, 2017, 08:19:26 PM
 #19

>> USB stick - TrueCrypt volume, pop it in there, encrypt it. Best place to keep them. And they're encrypted so double protection. Just make a couple of backups for emergency use.
>
> Using a TrueCrypt container can give you a false sense of security. First, when you typed your seed or password in a document you later saved in the container, you briefly exposed the seed or password to logging malware. Worse, any time you open a TrueCrypt container your password and work is saved in virtual memory paging files which are not erased on shut down. You need to take steps to tell your machine to delete the paging files or (better) only run TrueCrypt from a computer with whole disk encryption.

Interesting, I hadn't heard about the password being stored in paging files. Is it possible to actually extract a TrueCrypt volume password from a paging file even if the container is not currently mounted? Any links to documentation or proof of concepts on this?
BitcoinNewsMagazine
June 06, 2017, 09:17:54 PM
 #20

>>> USB stick - TrueCrypt volume, pop it in there, encrypt it. Best place to keep them. And they're encrypted so double protection. Just make a couple of backups for emergency use.
>>
>> Using a TrueCrypt container can give you a false sense of security. First, when you typed your seed or password in a document you later saved in the container, you briefly exposed the seed or password to logging malware. Worse, any time you open a TrueCrypt container your password and work is saved in virtual memory paging files which are not erased on shut down. You need to take steps to tell your machine to delete the paging files or (better) only run TrueCrypt from a computer with whole disk encryption.
>
> Interesting, I hadn't heard about the password being stored in paging files. Is it possible to actually extract a TrueCrypt volume password from a paging file even if the container is not currently mounted? Any links to documentation or proof of concepts on this?

Take a look at the TrueCrypt user manual. Windows leaks a lot.
