Newbie needs fast answers about Mycelium wallet / paper wallets / Security.

[cmbconcretefire]

I think I've got the concept of Bitcoin understood. I definitely trust the math. I've been buying bitcoin and have a modest stash now and I can explain Bitcoin to people so they get the concepts too.

But for a reason I'm about to explain, the bottom line is I am still confused about the security aspect of it. And before I go any further with Bitcoin, I want to make sure I am up to date with the latest about keeping my coins safe.

I have Circle Pay, and Coinbase and Mycelium. That's just the way it worked out. Here's my process. I buy from circle pay because for some reason, I find it easier than buying from coin base. But I do use both. They are both hooked up to my bank and my debit card. (Not entirely worried much about this ---should I be?) I buy my bitcoin and then immediately transfer it into Mycelium. That's where I currently feel safest about sending and receiving. I think of that wallet as my "safe." --- But I'm slowly starting to think I might have the right idea, but there's much more secure ways to HOARD my BTC safely. I'm open to all suggestions....but I like the idea of a paper wallet. I don't trust anything digital for the long term safety of my HOARD.

Moving on to why I'm still confused is because I printed a paper wallet and deposited some money into it and then I gave the paper wallet to my brother and wife for their wedding gift. Tonight I thought it was a good idea for HIM to go ahead and learn how to open it, deposit, etc...but when I made the paper wallet, we encrypted it with the BIP 38 (or whatever it is) password.

I had / have read that scanning the QR code for the PRIVATE key is not good. Not secure. But we pressed on, he scanned it, (Same Mycelium wallet app that I use) and then the PW worked and he said the balance was there and correct (good)....but that the only option he had available was "send." I'm assuming this is correct. So I asked him to ahead and close that portion of the wallet and go back to "Accounts"......I forgot to tell you this but BEFORE we did this, I asked him to tell me how many private keys he had. He said "2." I assume 1 is his private key, and the other is mine....?....cause there's only been 1 transaction from me to him. 2 keys makes sense. But am I right?

So then he looks at the "accounts" and I ask him how many keys he has now. I was expecting him to say "3" because in my mind, he had just imported and processed the private key from the paper wallet. Well this made me panic a little bit (not much) but it prompted me to sign up here and ask these questions.

DID WE IN FACT COMPROMISE his private key? If so, he obviously needs to move that money to a new wallet ASAP.

I understand the private key is the key to the kingdom. If you don't have it....you're out of luck. Forever. I also understand that the public key is just that. Public. Your piggy bank. I've read I can put that out anywhere on earth, some places even encourage it....but THERE TOO is another confusing issue for me. Everywhere you look you see "never use the same address twice. Send or receive." ------ Well, which is it?

And for the life of me, I cannot understand why private keys would be stored on the SAME digital device that also can produce send and receive addresses.

Trust me, I've watched a lot of youtube vids about this.....still fuzzy with it. Maybe I'm way over thinking this. But, my wife and I are betting our entire future into BTC. We CANNOT lose it. So please....edumacate me.

[1714133135]

1714133135

[1714133135]

1714133135

[1714133135]

1714133135

[achow101]

I had / have read that scanning the QR code for the PRIVATE key is not good. Not secure.

Whoever told you that is wrong.

But we pressed on, he scanned it, (Same Mycelium wallet app that I use) and then the PW worked and he said the balance was there and correct (good)....but that the only option he had available was "send." I'm assuming this is correct.

That's correct. Mycelium works by accounts. Each account is 1 or more private keys. When you import an address, it goes to a new account with only that private key. There is no receive option because a new private key for an address cannot be generated for that account.

So I asked him to ahead and close that portion of the wallet and go back to "Accounts"......I forgot to tell you this but BEFORE we did this, I asked him to tell me how many private keys he had. He said "2." I assume 1 is his private key, and the other is mine....?....cause there's only been 1 transaction from me to him. 2 keys makes sense. But am I right?

No. Paper wallets only have 1 private key. That is for one account. The other account would only be there if you created it, which, IIRC, Mycelium has you do on the first run of the app. It is not possible to get a private key from a transaction.

So then he looks at the "accounts" and I ask him how many keys he has now. I was expecting him to say "3" because in my mind, he had just imported and processed the private key from the paper wallet. Well this made me panic a little bit (not much) but it prompted me to sign up here and ask these questions.

Accounts and keys are two entirely different things.

How many accounts did he have? Still 2? If so, that is supposed to happen.

DID WE IN FACT COMPROMISE his private key? If so, he obviously needs to move that money to a new wallet ASAP.

Probably not. However, a paper wallet is supposed to be a one use thing, so he should move the Bitcoin out anyways onto another address on the phone.

I understand the private key is the key to the kingdom. If you don't have it....you're out of luck. Forever. I also understand that the public key is just that. Public. Your piggy bank. I've read I can put that out anywhere on earth, some places even encourage it....but THERE TOO is another confusing issue for me. Everywhere you look you see "never use the same address twice. Send or receive." ------ Well, which is it?

All of the above. The Bitcoin address is derived from the public key, the address can and should be given out. The public key will be given out once the address is spent from. The idea of not reusing addresses is to both protect your privacy and for some extra security. Regarding privacy, reusing addresses means that anyone who sends money to you can see how much money you currently have. That is not exactly a good thing. Regarding security, if ECDSA is broken such that the private key could be derived from the public key, then reusing addresses means that the Bitcoin associated with your reused addresses are at risk. This is because the public key is exposed when you spend. Addresses are actually hashes of the public key, so you can receive to it and the Bitcoin will still be safe should ECDSA be broken. By not reusing addresses, by the time the public key is revealed, the Bitcoin is already gone and it is pointless for an attacker to try to get the private key because that address is empty.

And for the life of me, I cannot understand why private keys would be stored on the SAME digital device that also can produce send and receive addresses.

First of all, there is no such thing as a send or receive address. They are all the same, just Bitcoin addresses. And technically, addresses don't actually exist and are just abstractions for humans.

An address is derived from a public key, which is derived from the private key. Thus private keys and addresses are inherently linked and are stored and produced on the same device. There is no security risk, and if your private key is compromised, the address can be easily derived (but that isn't even necessary for spending anyways).

[dsattler]

If you scan a paper wallet with mycelium, the only option you have is to send it's complete balance to a different bitcoin address (probably one you control). This is implemented for security reasons because if you have scanned the qr code on a computer/mobile which is online, the embedded private key could have become compromised.

[cmbconcretefire]

Thank you guys a lot. So, maybe I'm not quite as confused as I thought I was. Some of my assumptions were correct.

Maybe let's back up one second. Forget about my brother. In my own Mycelium wallet, I go to "accounts." I swear when I started using it, it said I had 1 account, and 1 private key. Now a couple months later, it says I have the same 1 account, but now 23 private keys. That's exactly what it says.

Can we start there? As far as I know, there is no way for me to "open" that and actually see those 23 private keys.

I'm new but not dumb. I do know the tiniest of information about salts and hashes , etc. It's not something I can conceptually fathom in my mind though.

So 1) There's the seed.....(the words?).....ok, take it from there please.....what happens?

[RGBKey]

Thank you guys a lot. So, maybe I'm not quite as confused as I thought I was. Some of my assumptions were correct.

Maybe let's back up one second. Forget about my brother. In my own Mycelium wallet, I go to "accounts." I swear when I started using it, it said I had 1 account, and 1 private key. Now a couple months later, it says I have the same 1 account, but now 23 private keys. That's exactly what it says.

Can we start there? As far as I know, there is no way for me to "open" that and actually see those 23 private keys.

I'm new but not dumb. I do know the tiniest of information about salts and hashes , etc. It's not something I can conceptually fathom in my mind though.

So 1) There's the seed.....(the words?).....ok, take it from there please.....what happens?

Mycelium takes the seed phrase and uses that to create a deterministic wallet. Every time you receive bitcoins on an address, Mycelium generates the next key pair (address) and adds it to your account. Because all the addresses in an account are based off of the same seed phrase, if you ever lose your wallet, you only need to back up the seed phrase because it is from that seed phrase that every address your wallet will ever give you is generated.