jubalix (OP)
April 17, 2013, 01:35:47 PM (last edit: April 18, 2013, 05:59:34 PM by jubalix)

how much BTC would you trust in a blockchain.wallet, how should password be??

note assumes you have got all your private keys backup and encrypted everywhere

me, unsure at this stage (hence the thread) but it seems with say a 20 plus letter password it should be ok?

EDIT: what happens if you use 2 factor and then lose your phone?

EDIT 2: I guess the issue is, if someone got access to the server and relevant web sites, they could inject a JavaScript that just collects your password as you enter it, and javascript checker would be no good either as they would change that on the check site as well....as the BTC goes up so does impetus to do this somehow goes up too...even if you had distributed javascript to be checked against, but even then a dodgy one could be distributed...... at least this is my understanding of how the javascript check works and its limitations.

siggy
April 17, 2013, 03:16:28 PM

> how much BTC would you trust in a blockchain.wallet, how should password be?? note assumes you have got all your private keys backup and encrypted everywhere me, unsure at this stage (hence the thread) but it seems with say a 20 plus letter password it should be ok?

About as much as I'd want to spend that day before I get home and top it off from my personal wallet.

Sigg

justusranvier
April 17, 2013, 03:24:49 PM

Trust it with as much value as you'd feel comfortable carrying around as physical cash in your wallet on a daily basis.
Password should be at least 30 random characters and generated by a password generator, which itself is protected by a high-entropy passphrase.

whiskers75
April 17, 2013, 03:39:26 PM

Well, mine was hacked, losing 1 bitcoin. USE TWO FACTOR AUTHENTICATION!

grue
April 17, 2013, 03:45:24 PM

I'll trust it for up to $50 worth of bitcoins, but I will never store any money on it. What's the point of that when you can run a lite/thin client on your desktop?

> Trust it with as much value as you'd feel comfortable carrying around as physical cash in your wallet on a daily basis.
> Password should be at least 30 random characters and generated by a password generator, which itself is protected by a high-entropy passphrase.

30 characters is extreme, unless you're trying to store thousands of dollars' worth of bitcoins.

Lethn
April 17, 2013, 03:47:28 PM

10 Bitcoins at most for me, then the loss wouldn't hurt so bad but honestly I don't trust the safety of anything that's on the internet, it's always safest offline.

btctrack
April 17, 2013, 03:55:23 PM

Frozenlock
April 17, 2013, 09:47:23 PM

I would like an 'expert' opinion on this.
In 2011 it was really silly to use the webwallets. However, because blockchain.info (and others) never touches your private keys, is it still as much a risk as many here pretend? (Provided you use a secure password, of course.)

ivanol
April 17, 2013, 09:57:41 PM

> In 2011 it was really silly to use the webwallets. However, because blockchain.info (and others) never touches your private keys, is it still as much a risk as many here pretend? (Provided you use a secure password, of course.)

How do you know they don't touch your private keys? They say they don't, but unless you read the javascript source code every time you access their website, you are taking that on trust. If their website is hacked, the hacker could edit the javascript to leak your private keys/password back to them and steal your bitcoins. This is a much lower risk than an old style web wallet that stores your private keys. In the blockchain.info case you would only be at risk if you tried to access your webwallet in the window between the site being hacked and someone noticing and taking it offline.

glub0x
April 17, 2013, 09:59:46 PM

IT still has a LOOOOOOOONG way to go ...

The cost of mediation increases transaction costs, limiting the minimum practical transaction size and cutting off the possibility for small casual transactions. Satoshi Nakamoto: https://bitcoin.org/bitcoin.pdf

acoindr
April 17, 2013, 10:05:06 PM

> In 2011 it was really silly to use the webwallets. However, because blockchain.info (and others) never touches your private keys, is it still as much a risk as many here pretend? (Provided you use a secure password, of course.)
>
> How do you know they don't touch your private keys? They say they don't, but unless you read the javascript source code every time you access their website, you are taking that on trust. If their website is hacked, the hacker could edit the javascript to leak your private keys/password back to them and steal your bitcoins. This is a much lower risk than an old style web wallet that stores your private keys. In the blockchain.info case you would only be at risk if you tried to access your webwallet in the window between the site being hacked and someone noticing and taking it offline.

This is correct. Unless you are reading the code/information exchanged between your computer and blockchain.info (or elsewhere) EVERY TIME you connect and exchange information then you can't be sure things are happening as you imagine and hope they are.

For ANY online Bitcoin service I advise only storing as much there longer term as you are willing to lose completely if something unforeseen (like hacking/dishonesty/mistakes etc.) happens.
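
The JavaScript check discussed in the posts above, as an added example that is not part of the thread and not blockchain.info's own code: it hashes the scripts a site delivers and compares them with a manifest, showing that the check only catches a changed file when the manifest was recorded independently of the server. The file paths, script bodies and function names are constructed for illustration.

```javascript
// Added example, not from the thread: hash-checking served wallet scripts.
const { createHash } = require('node:crypto');

const sha256 = (text) => createHash('sha256').update(text, 'utf8').digest('hex');
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Constructed sample: script bodies served by a hypothetical web wallet.
const reviewedScripts = {
  '/js/wallet.js': 'function decryptWallet(blob, password) { /* runs in the browser */ }',
  '/js/kdf.js': 'function deriveKey(password, salt) { /* key derivation */ }',
};

// Build a { path: sha256 } manifest from a set of script bodies.
function buildManifest(scripts) {
  return Object.fromEntries(
    Object.entries(scripts).map(([path, body]) => [path, sha256(body)]));
}

// Compare what the server delivered against a manifest; return every discrepancy.
function verifyScripts(served, manifest) {
  const findings = [];
  for (const [path, body] of Object.entries(served)) {
    if (!has(manifest, path)) findings.push({ path, issue: 'unexpected script' });
    else if (sha256(body) !== manifest[path]) findings.push({ path, issue: 'hash mismatch' });
  }
  for (const path of Object.keys(manifest)) {
    if (!has(served, path)) findings.push({ path, issue: 'missing script' });
  }
  return findings;
}

// Manifest recorded locally when the code was reviewed (independent of the server).
const pinnedManifest = buildManifest(reviewedScripts);

// Constructed stand-in for a later, unreviewed server-side change to one file.
const servedLater = {
  ...reviewedScripts,
  '/js/wallet.js': reviewedScripts['/js/wallet.js'] + '\n/* unreviewed change */',
};
// A manifest fetched from that same server simply describes the changed files.
const serverManifest = buildManifest(servedLater);

function demo() {
  return {
    againstPinned: verifyScripts(servedLater, pinnedManifest),
    againstServerManifest: verifyScripts(servedLater, serverManifest),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Against the locally pinned manifest the changed file is reported as a hash mismatch; against the manifest obtained from the same server nothing is reported.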

franky1
April 17, 2013, 10:16:31 PM

using any remote service for storage that is not owned by you is risky.
no matter how much security a bank vault has, there have been hundreds of years of examples of bank thefts involving gaining entry to a vault.
no matter how much security a bank has on its computer systems there are decades of examples of hacking banking institutions.
the only reason to still trust banks is that your money is insured.
with bitcoin it is not insured.
so don't let third parties hold all your funds, no matter how much security they promise they have.
remember if the only copy of the private key is on your hard drive or a piece of paper in your possession then the coins only belong to you.
if a third party service has it, secured or not. there is always a risk.
so only risk what you're willing to use/lose.

I DO NOT TRADE OR ACT AS ESCROW ON THIS FORUM EVER. Please do your own research & respect what is written here as both opinion & information gleaned from experience. many people replying with insults but no on-topic content substance, automatically are 'facepalmed' and yawned at

Dacm4n
April 17, 2013, 10:25:23 PM

> how much BTC would you trust in a blockchain.wallet, how should password be?? note assumes you have got all your private keys backup and encrypted everywhere me, unsure at this stage (hence the thread) but it seems with say a 20 plus letter password it should be ok?

I have all my bitcoins there in watch mode with a strong long password. I use paper addresses and I import the keys when I want to use the coins. Those coins might sit there a couple of days and I have no problems with that but long term I wouldn't let any coins sit there in case the site goes down and you can't access the website or something similar.

Frozenlock
April 17, 2013, 10:27:42 PM

Sure, local wallets will always be more secure when done correctly.
What I'm wondering about is the risk importance.

acoindr
April 17, 2013, 10:47:16 PM

> Sure, local wallets will always be more secure when done correctly.
> What I'm wondering about is the risk importance.

How important are your funds to you? If you lose whatever amount you have on an online service I daresay you would feel it's important. The only way to minimize that loss/importance is to minimize what can be lost that way.

Now if you're asking about likelihoods sure that can be a consideration. Is it likely Blockchain.info will be effectively hacked or that piuk, the site's creator, is dishonest and/or unreasonably incompetent on security matters? Given its history I'd say no that's not likely. That still doesn't mean I'm willing to trust 100% of my coins there. I'd put there as much as might be used for typical transactions, for example.

EDIT: now that I think about it where is Blockchain.info hosted? If it's not hosted under only piuk's administration (i.e. with a hosting provider) then anyone with access can compromise the site and steal coins with clever code.

blockbet.net
April 17, 2013, 10:57:49 PM

I have 100% trust towards blockchain.info, but still, I would only store as little as necessary, for as short a time as necessary. It's all subjective though, what one person might consider his life savings might be small money to somebody else. But frankly I can't see any reason why you'd put your bitcoins there unless you plan on spending it soon. If you have thousands of dollars worth of bitcoins, then in my opinion, it's a good idea to spend some time to study how local wallets work and how they can be kept safe.

> Well, mine was hacked, losing 1 bitcoin. USE TWO FACTOR AUTHENTICATION!

Can you tell us what happened? Did you have an easy password, a trojan on your computer, or how did that happen?

Bitcoin Sports Betting online at www.blockbet.net, featuring NBA, NHL, UFC, football (soccer) and international competitions. Fast payouts directly to your wallet, great win odds, no need to register or deposit. Bet in just a few clicks now!

Logik
April 17, 2013, 11:40:30 PM

Your password doesn't matter, the only thing that matters is password uniqueness. You shouldn't rely on your password to keep your account safe. You should rely on 2-factor authentication to keep your account safe; you should assume your password will be keylogged or stolen - if that's the case then the only risk (because you have 2-factor) is that your password will be tried by the crackers on other services to see if you re-used it. But, if you didn't re-use it then you're fine.

You know what I do with my Blockchain wallet? I have a 30 character password that I keep in a Google Doc, and I copy/paste it into Blockchain but I have Google Authenticator / 2FA on both the Google account that holds the password doc, and Blockchain. This might seem insecure, but seriously, nobody has their password stolen because they wrote it down somewhere. People get hacked because they re-use passwords and because they don't 2FA. 2FA is never going to get hacked. Just don't lose your phone.

Unique passwords, even if you have to track them all in a document, or in KeePass/LastPass etc is far more secure than using the same passphrase everywhere. The other mistake people make is not securing their email address. If your email is compromised then it can be used for password reset.

Passwords = just for fun. 2FA = keep out crackers

bg002h
April 18, 2013, 12:36:26 AM

> IT still has a LOOOOOOOONG way to go ...

If we say there are 10,000 words and a password will be 4 words...that is 1E16 combinations. If we have 26 uppercase, 26 lower case, 10 numbers and 10 symbols, then a 9 char password has 72^9= 5E16 combinations. So, a good 9 char password (really hard to memorize) is as decent a password as a 4 word pass phrase. That sound right?
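
The comparison in the post above, worked through as an added example that is not part of any post: it computes the entropy of the schemes mentioned in the thread and generates a password with a cryptographic random source. It assumes every word or character is picked uniformly at random; the ten symbols chosen and the use of the 72-character alphabet for the 30-character case are assumptions.

```javascript
// Added example, not from the thread: comparing the password schemes by entropy.
const { randomInt } = require('node:crypto');

// 26 upper + 26 lower + 10 digits + 10 symbols = 72 (which 10 symbols is an assumption).
const ALPHABET =
  'ABCDEFGHIJKLMNOPQRSTUVWXYZ' + 'abcdefghijklmnopqrstuvwxyz' + '0123456789' + '!@#$%^&*-_';

// Entropy in bits of `count` picks made uniformly and independently from `poolSize` options.
function entropyBits(poolSize, count) {
  return count * Math.log2(poolSize);
}

// Fewest picks from a pool of `poolSize` that reach at least `targetBits`.
function picksNeeded(poolSize, targetBits) {
  return Math.ceil(targetBits / Math.log2(poolSize));
}

// Draw `count` items from a string or array using the CSPRNG-backed, unbiased randomInt.
function randomPicks(count, pool) {
  const picks = [];
  for (let i = 0; i < count; i++) picks.push(pool[randomInt(pool.length)]);
  return picks;
}

// The schemes mentioned in the thread, as [label, poolSize, count].
function compareSchemes() {
  const schemes = [
    ['4 words from a 10,000-word list', 10000, 4],
    ['9 characters from 72', 72, 9],
    ['30 characters from 72', 72, 30],
  ];
  return schemes.map(([label, pool, count]) =>
    ({ label, bits: Number(entropyBits(pool, count).toFixed(1)) }));
}

console.log(compareSchemes());
console.log('characters needed to match 4 words:', picksNeeded(72, entropyBits(10000, 4)));
console.log('sample 9-character password:', randomPicks(9, ALPHABET).join(''));
```

The figures only apply to machine-generated secrets; a phrase or password a person makes up is not a uniform draw from the pool.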

jubalix (OP)
April 18, 2013, 01:38:52 AM

> Well, mine was hacked, losing 1 bitcoin. USE TWO FACTOR AUTHENTICATION!

what happens if you lose your mobile, what happens to 2 factor then?