This thread and others like it worry me. I suspect a lot of people are buying and have bought something they don't understand, and I'm concerned that thefts are going to increase as a result. If this is you, please read this.
WalletsTo access your bitcoins and transact with the network you're going to use a
wallet. This will either be
a piece of software you install on your computer or an online wallet service like
blockchain.info. The wallet jargon is just a convenient way to refer to what's going on under the hood. Every Bitcoin address has an associated private key, and the private key is really just a string of numbers and letters. You can only spend bitcoins at addresses for which you also have the associated private key. If you happen to find somebody else's private key, then you can import it into other Bitcoin clients or online wallets and then you have the ability to spend any coins associated with that private key's addresses.
Most wallet clients give you the option to encrypt your private key. Please do that. That means you can protect it with a password. You will be asked for this password to create transactions. Your blockchain.info login password serves that purpose, for example.
PasswordsUse strong and unique passwords. That advice applies to your entire online life, really. If you use weak passwords and/or you don't use unique passwords, then you are at risk of somebody guessing your password using a computer designed to make lots of guesses. If your passwords are not unique that gives attackers the opportunity to compromise more than one service. It's best to use a mix of lower case, upper case, numbers, and symbols in your passwords. Your passwords should also be sufficiently long, around 16 characters, for services that you would really hate getting compromised. You should still use unique passwords for services you don't consider critical, but for those services you might not feel it's necessary to use long passwords with a mix of all character types. Of course, this is all up to you.
Passwords managers can help you organize lots of strong, unique passwords.
Lastpass is a fantastic password manager. It works across all the major browsers and they even have mobile apps. You create one really, really strong password that you must never forget, and then Lastpass organizes and remembers all of your other passwords for you. Lastpass encrypts all of your data before it's sent to their servers, so they can't see your passwords. If you forget your Lastpass password, then you lose access to passwords stored with them, unless you remember them or have them stored somewhere else.
You can make strong passwords easier to remember by increasing their length with a relatively simple pattern while still using each character type. This is called
password padding. Security researcher Steve Gibson explains by comparing two passwords:
Which of the following two passwords is stronger, more secure, and more difficult to crack?
D0g.....................
PrXyc.N(n4k77#L!eVdAfp9
You probably know this is a trick question, but the answer is: Despite the fact that the first password is HUGELY easier to use and more memorable, it is also the stronger of the two! In fact, since it is one character longer and contains uppercase, lowercase, a number and special characters, that first password would take an attacker approximately 95 times longer to find by searching than the second impossible-to-remember-or-type password!
Strong, unique, but memorable passwords depend on using all character types and adding memorable length. You really should also avoid dictionary words and common modifications of simple dictionary words (e.g. dog, d0g, etc.) Consistent with the advice to use unique passwords, you wouldn't want to use the same padding technique for more than one critical password.
Multi-Factor AuthenticationMany online services (e.g. gmail, blockchain.info, MtGox, Lastpass) offer the option to use multi-factor authentication. If this service is offered, you should use it. This means that you need more than your password to log into your account. It can come in the form of a number sent as a text to your phone, a usb key that must be plugged into your computer, or an app like Google Authenticator. When you log into a service for which multi-factor authentication has been activated you will be asked for both your password and an additional pin sent to or derived from a separate device. This offers you some protection from key loggers which an attacker can install on your computer to see everything you type. Even if they discover your password, they will be unable to log in without the additional pin from, say, your phone. A previously used pin will not work, they would need one generated specifically for the most recent attempt to log in.
If the email provider that you use offers multi-factor authentication, and you use that email to register for important services (e.g. online banking, bitcoin wallets, exchanges, etc), then you should definitely enable multi-factor authentication. If an attacker can compromise your email, then they can potentially access lots of websites your registered at, because they can ask the websites to reset your password. Websites typically send a password reset email under the assumption that only you have control of your email. If you don't, an attacker can change the passwords to your web services. By enabling multi-factor authentication on your email, you can significantly decrease the odds of an attacker compromising your email. You should likewise use multi-factor authentication with any password managers you use, if you choose to use one.
This might all seem very inconvenient. However, the security gained far outweighs any convenience lost.
Advanced Bitcoin Wallet SecurityThe most secure way to safeguard your bitcoin value is to create and keep your private keys on systems that cannot be hacked into. This can be a computer that is setup without ever touching the internet, or paper wallets. A paper wallet is just some text based way to represent your private key. An attacker cannot compromise an offline computer without physical access, and he would additionally need to know the passwords to log onto your offline computer. If you have offline systems such as offline computers or paper or other physical wallets, then obviously the attack vector is basically physical burglary.
The
Armory bitcoin client is a client designed to maximize security options. Armory makes it relatively painless to setup an
offline wallet. A computer does not need to be connected to the internet to create valid bitcoin private keys with associated bitcoin addresses. That's because their creation is determined by algorithms that can be copied and run on any computer with or without network connections.
With Armory you can setup offline bitcoin wallets. In order to send bitcoins to that wallet you just need to copy an address created on the offline computer. The offline wallet can create what's called a "watching only wallet". This is a wallet you can import into an
online installation of Armory on a
different networked computer. From the online watching only wallet you can see bitcoins sent to your addresses and you can create
unsigned transactions. You can try to broadcast an unsigned transaction, but it will not be confirmed in the blockchain, and is not a valid transaction. In order to send the transaction into the blockchain and have it validated you will need to copy the unsigned transaction to a USB device, import it into the
offline Armory wallet, sign the transaction, then copy and move it back to your
online Armory wallet. From there, it can be sent and received as a valid bitcoin transaction. In this way it is made practically impossible for a network attack to steal your bitcoins.
It's a good idea to create additional offline backups of your Armory wallets. Armory has a feature to create printable offline backups. These can be used to restore your wallet in the event that your offline computer is destroyed or stolen.
Systems like this are more inconvenient, but offer the highest level of relatively easy to setup security.
Thanks, welcome to bitcoin, and stay safe.
-Proudhon
