Bitcoin Forum
Author Topic: Can Bitaddress.org be trusted?  (Read 5037 times)
calkob (OP)
April 23, 2017, 06:17:07 PM
 #1

Hi all, I have been using paper wallets created at bitaddress for years, but came across this post on Reddit. Any truth?

> magasilver [score hidden] 2 hours ago
> Well, you move the security of a 256 bit random down to a user selectable passphrase, which in hard crypto are worthless.
> There is no way to memorize a bip38 paper wallet, so you lose the paper, it's gone.
> Very dangerous to spend -> best to sweep the first time it is decoded, and be careful with change.
> Let's not forget the most popular bip38 site, bitadrress, is in the control of known scammers who are incentivized to play games with the random numbers.
> The modern paper wallet is generated with paper and dice, and is a bip39 mnemonic driving a bip44 wallet. You can easily memorize it and not lose everything with the piece of paper. There is no need for a second passphrase which will always be weak. And they are easy to import into a great number of wallets safely, without the risks of change loss or identity compromise.

Thanks
newIndia
April 23, 2017, 07:58:44 PM
 #2

Could you please point to the permalink of the actual comment?

jonald_fyookball
April 24, 2017, 10:03:36 PM
 #3

> Hi all, I have been using paper wallets created at bitaddress for years, but came across this post on Reddit. Any truth?
>
> > magasilver [score hidden] 2 hours ago
> > Well, you move the security of a 256 bit random down to a user selectable passphrase, which in hard crypto are worthless.
> > There is no way to memorize a bip38 paper wallet, so you lose the paper, it's gone.
> > Very dangerous to spend -> best to sweep the first time it is decoded, and be careful with change.
> > Let's not forget the most popular bip38 site, bitadrress, is in the control of known scammers who are incentivized to play games with the random numbers.
> > The modern paper wallet is generated with paper and dice, and is a bip39 mnemonic driving a bip44 wallet. You can easily memorize it and not lose everything with the piece of paper. There is no need for a second passphrase which will always be weak. And they are easy to import into a great number of wallets safely, without the risks of change loss or identity compromise.
>
> Thanks

I haven't seen any proof that bitaddress is in control of scammers or that the source code is doing anything malicious, but I also haven't seen that anyone has inspected and reviewed the code. Also, the online page can be modified anytime, so if someone reviewed it last year and it was changed today, it may be a problem.

Paper and dice are a great way to go, because it's unhackable. So the advice here is good.

cr1776
April 24, 2017, 10:25:16 PM
Last edit: April 25, 2017, 12:36:57 AM by cr1776
 #4

The link mentioned in the one you responded to was bitadrress not bitaddress, FYI.  

One should always clone and run a local copy, OP.

> > Hi all, I have been using paper wallets created at bitaddress for years, but came across this post on Reddit. Any truth?
> >
> > > magasilver [score hidden] 2 hours ago
> > > Well, you move the security of a 256 bit random down to a user selectable passphrase, which in hard crypto are worthless.
> > > There is no way to memorize a bip38 paper wallet, so you lose the paper, it's gone.
> > > Very dangerous to spend -> best to sweep the first time it is decoded, and be careful with change.
> > > Let's not forget the most popular bip38 site, bitadrress, is in the control of known scammers who are incentivized to play games with the random numbers.
> > > The modern paper wallet is generated with paper and dice, and is a bip39 mnemonic driving a bip44 wallet. You can easily memorize it and not lose everything with the piece of paper. There is no need for a second passphrase which will always be weak. And they are easy to import into a great number of wallets safely, without the risks of change loss or identity compromise.
> >
> > Thanks
>
> I haven't seen any proof that bitaddress is in control of scammers or that the source code is doing anything malicious, but I also haven't seen that anyone has inspected and reviewed the code. Also, the online page can be modified anytime, so if someone reviewed it last year and it was changed today, it may be a problem.
>
> Paper and dice are a great way to go, because it's unhackable. So the advice here is good.
ImHash
April 24, 2017, 11:00:11 PM
 #5

If you can't verify the service using your browser's tools then don't use them. Is it bitadrress or bitaddress? Was it a typo or not? You can as well use it offline in your browser, so accusations such as this one are uncalled for.

I'd suggest you visit GitHub, do some searching, and spend 2 hours learning about addresses and different ways of generating them.
Services such as bitaddress.org are simply providing free services for the convenience of the community.
bL4nkcode
April 25, 2017, 01:42:02 AM
 #6

So far I haven't heard of anyone getting scammed using a bitaddress.org generated address.
For your security, you can run bitaddress in offline mode by saving the page offline, turning off your internet, and generating a new address for your future use. And please double or even triple check the link before you do something.
chineseprancing
April 25, 2017, 03:28:55 AM
 #7

If you have doubts about that online wallet, do not make any deposit; there are many online wallets where you can be sure your money will be kept secure, with no doubt about scams. Just be careful, we do not want to get scammed!
jonald_fyookball
April 25, 2017, 03:37:53 AM
 #8

Play around with this and use dice if you want to be safe... besides, dice are fun :)

https://github.com/bitcoinjs/bip39
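
The dice-to-mnemonic step mentioned in the thread, as an added example (not from the thread and not code from bitcoinjs/bip39): it turns d6 rolls into entropy, then computes the BIP39 checksum and the 11-bit word indices, which are looked up in the BIP39 English wordlist (indices count from 0). The roll-to-bit mapping (faces 1-4 give two bits, 5 and 6 are discarded) is an assumption chosen for this example, and the sample rolls are constructed.

```python
import hashlib


def dice_to_entropy(rolls, bits=256):
    """Map d6 rolls to entropy: faces 1-4 give two bits each, 5 and 6 are discarded.

    Discarding keeps the result unbiased, because each kept roll is uniform
    over four values. This mapping is a choice for the example, not part of BIP39.
    """
    value, collected = 0, 0
    for roll in rolls:
        if roll not in (1, 2, 3, 4, 5, 6):
            raise ValueError(f"not a d6 face: {roll!r}")
        if roll > 4:
            continue  # discard and keep rolling
        value = (value << 2) | (roll - 1)
        collected += 2
        if collected == bits:
            return value.to_bytes(bits // 8, "big")
    raise ValueError(f"need more rolls: have {collected} of {bits} bits")


def bip39_word_indices(entropy):
    """Return the 0-based wordlist indices for the entropy, per BIP39."""
    ent_bits = len(entropy) * 8
    if ent_bits not in (128, 160, 192, 224, 256):
        raise ValueError("BIP39 entropy must be 128-256 bits in 32-bit steps")
    cs_bits = ent_bits // 32  # checksum length: one bit per 32 bits of entropy
    digest = hashlib.sha256(entropy).digest()
    checksum = int.from_bytes(digest, "big") >> (256 - cs_bits)
    combined = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    total = ent_bits + cs_bits
    return [(combined >> (total - 11 * (i + 1))) & 0x7FF for i in range(total // 11)]


if __name__ == "__main__":
    # Constructed rolls (all ones) so the output is reproducible; real rolls
    # come from physical dice and are never reused or stored digitally.
    sample_rolls = [1] * 128
    entropy = dice_to_entropy(sample_rolls)
    print(bip39_word_indices(entropy))
```

The last index carries the checksum, which is why a mnemonic cannot be built by picking 24 words by hand: the final word has to be computed from the others.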

jaceefrost
April 25, 2017, 03:44:46 AM
 #9

I have been using a generated address from that website for almost a year now and never have I encountered any problem with it. My balance remains safe even after leaving it in there for so long so I don't think that that statement has truthfulness. Maybe he was talking about a different or maybe he used a different site or something.
calkob (OP)
April 25, 2017, 02:54:17 PM
 #10

> The link mentioned in the one you responded to was bitadrress not bitaddress, FYI.

I was guessing that it is a spelling mistake, as the poster said "Let's not forget the most popular bip38 site," which I presume is Bitaddress.org.

I have been using the site for 3 years myself so I do trust it, but let's be honest, unless someone has checked the code thoroughly or knows the creator, how can we be sure there is not a long term scam here? I know that there is a bitcointalk thread for it, so it might help to ask there.

Here's the original thread on Reddit: https://www.reddit.com/r/Bitcoin/comments/670zhy/summary_pitfalls_of_paper_wallets/
gentlemand
April 25, 2017, 02:58:01 PM
 #11

I had coins on a paper wallet sitting there for the best part of four years created with it. At no point did they do a runner. If Bitaddress.org, and not some pathetic ripoff, was compromised we'd certainly be hearing about it.
dopeydog
November 18, 2017, 11:40:07 AM
 #12

The key point that everyone has missed is that bitaddress.org works offline. Go to the site then go offline (turn off WiFi or pull your cable out, whatever). Then save the webpage itself to your computer (e.g. Chrome, right click in browser and Save As). It's a single HTML file, which is mainly JavaScript. A further step you could take is to save the file to a USB stick and then put it on a PC that is permanently offline. But really, who has one of those? The next best thing is to only run it on a separate browser on your PC that you only use for this purpose and never use online. But anyway, the whole process of generating your address and private key can be done while you are offline. OK, technically they could trick you by creating a cookie with JavaScript and then when you do go online, they could read it. That's why I suggested using a separate offline-only browser (Actually, I'm not sure they could do this cookie trick anyway if you are running a saved page on your computer as it is no longer on their domain - but I could be wrong).

But here's the point - anyone can view and scrutinize the source code anytime they want, although obviously you'll need to be a programmer to understand it. It's all client-side, no server-side processing so no server-side code (obviously, because the whole thing works offline). So I would say it is extremely transparent.
boranes
November 18, 2017, 12:31:09 PM
 #13

> > The link mentioned in the one you responded to was bitadrress not bitaddress, FYI.
>
> I was guessing that it is a spelling mistake, as the poster said "Let's not forget the most popular bip38 site," which I presume is Bitaddress.org.
>
> I have been using the site for 3 years myself so I do trust it, but let's be honest, unless someone has checked the code thoroughly or knows the creator, how can we be sure there is not a long term scam here? I know that there is a bitcointalk thread for it, so it might help to ask there.
>
> Here's the original thread on Reddit: https://www.reddit.com/r/Bitcoin/comments/670zhy/summary_pitfalls_of_paper_wallets/

It is obviously a spelling mistake.
OP, don't you think you are being a little paranoid here?
Probably someone did check the code and I don't see any reason why we shouldn't trust bitaddress; besides, it is almost as old as bitcoin itself.

Fidemoga
November 19, 2017, 06:35:13 AM
 #14

So the OP of the article was on a phishing site of bitaddress? Anyway, as we can also use it offline, the probability of getting scammed should be low. Programmers would also have already shouted out here on the bitcointalk forum if there were something wrong with the code.
honestproscons
March 29, 2021, 01:24:37 PM
Last edit: March 29, 2021, 02:01:09 PM by honestproscons
 #15

> One should always clone and run a local copy, OP.

Then it's safe?
What other steps do I need to take to make it safe?

I have kept some coins in this paper wallet for a few years. Shall I be worried? Or if they are not stolen by now, then it's fine?
o_e_l_e_o
March 29, 2021, 02:02:35 PM
 #16

> Then it's safe?
> What other steps do I need to take to make it safe?

There are a lot of steps when creating a paper wallet to ensure the safety of your coins.

  • First, you need to download the source code of the website or wallet you are planning to use, and then review the code to ensure it is doing what you think it is doing. If you are unable to review the code yourself, then you are going to have to rely on the community to do it for you.
  • Then, you need to run it offline. Ideally this means on a permanently airgapped computer which will never have an internet connection again. If this is not possible, then you should disconnect your computer from the internet (and ideally also disconnect your hard drive and any other storage devices) and boot to a live Linux OS from a USB stick, and run it on that.
  • You want to use the oldest, dumbest printer you can find. You do not want to use a modern, WiFi-enabled printer, which can be targeted by malware or will store copies of what it has printed on its internal memory or cache.
  • Then there are all the practical aspects, such as doing all this with your curtains closed and without any webcams or phone cameras in the room, and storing it securely after you have created it.

> I have kept some coins in this paper wallet for years. Shall I be worried? Or if they are not stolen by now, then it's fine?

The times I have seen people use fake paper wallet generators, the coins are generally swept within a few days. It is impossible for anybody to say that your coins are definitely safe, but if they haven't been touched in years then I think it is highly unlikely that someone else knows your private key.
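
One way to automate part of the first two checklist steps, as an added example that is not part of the thread and not bitaddress.org's own code: record the SHA-256 of the copy that was reviewed, refuse any later copy that differs, and list the lines that reference network-capable constructs so they can be read by hand. The pattern list, function names and sample pages are assumptions constructed for the example.

```python
import hashlib
import re

# Constructs that let a page pull in outside code or send data out. A hit is a
# line to read during review, not proof of malice, and obfuscated code can evade
# pattern matching, so the hash pin is the stronger of the two checks.
NETWORK_PATTERNS = {
    "external script": re.compile(r"<script[^>]+src\s*=\s*[\"']?(?:https?:)?//", re.I),
    "remote img/iframe": re.compile(r"<(?:img|iframe)[^>]+src\s*=\s*[\"']?(?:https?:)?//", re.I),
    "XMLHttpRequest": re.compile(r"\bXMLHttpRequest\b"),
    "fetch()": re.compile(r"\bfetch\s*\("),
    "WebSocket": re.compile(r"\bWebSocket\b"),
    "sendBeacon": re.compile(r"\bsendBeacon\b"),
    "cookie access": re.compile(r"\bdocument\.cookie\b"),
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def triage(html: str):
    """Return (line_number, label) for every line that matches a pattern."""
    hits = []
    for number, line in enumerate(html.splitlines(), start=1):
        for label, pattern in NETWORK_PATTERNS.items():
            if pattern.search(line):
                hits.append((number, label))
    return hits


def check_copy(data: bytes, pinned_sha256: str) -> dict:
    """Compare a saved page with the hash recorded when it was reviewed."""
    return {
        "hash_ok": sha256_hex(data) == pinned_sha256.lower(),
        "findings": triage(data.decode("utf-8", errors="replace")),
    }


# Constructed sample pages (not bitaddress.org content).
REVIEWED_COPY = b"""<html><body>
<script>function generate() { /* key generation runs locally */ }</script>
</body></html>
"""
TAMPERED_COPY = REVIEWED_COPY.replace(
    b"</body>", b'<script src="https://cdn.example.invalid/extra.js"></script>\n</body>'
)

if __name__ == "__main__":
    pin = sha256_hex(REVIEWED_COPY)  # recorded once, at review time
    for name, copy in (("reviewed", REVIEWED_COPY), ("tampered", TAMPERED_COPY)):
        print(name, check_copy(copy, pin))
```

A copy whose hash no longer matches the pin has changed since it was reviewed and needs a fresh review before use, whatever the pattern scan reports.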
honestproscons
March 29, 2021, 06:25:44 PM
 #17

> • First, you need to download the source code of the website or wallet you are planning to use, and then review the code to ensure it is doing what you think it is doing. If you are unable to review the code yourself, then you are going to have to rely on the community to do it for you.
> • Then, you need to run it offline. Ideally this means on a permanently airgapped computer which will never have an internet connection again. If this is not possible, then you should disconnect your computer from the internet (and ideally also disconnect your hard drive and any other storage devices) and boot to a live Linux OS from a USB stick, and run it on that.
> • You want to use the oldest, dumbest printer you can find. You do not want to use a modern, WiFi-enabled printer, which can be targeted by malware or will store copies of what it has printed on its internal memory or cache.
> • Then there are all the practical aspects, such as doing all this with your curtains closed and without any webcams or phone cameras in the room, and storing it securely after you have created it.

Yes that's how I did it, except point 1, since I'm not that good with tech.

So this is what my question is about. Is the source code of bitaddress.org trustworthy?

Or more specifically, should I start moving my coins out? I think moving them out is risky, since I will have to create a new wallet, export new private keys or seeds, and there's always a risk when doing this.
o_e_l_e_o
March 29, 2021, 07:10:40 PM
 #18

> So this is what my question is about. Is the source code of bitaddress.org trustworthy?

I cannot vouch for it personally since I have never sat down and read through the entire code myself, because I've never used bitaddress to create a wallet that I intended to fund with any more than a few thousand sats for various tests or experiments. However, bitaddress is widely used by the community, and the code on GitHub hasn't been changed in over 4 years, so I imagine there are many people out there who have sat down and read through the code, and if there was anything malicious in it I suspect it would have been identified by now.

> Or more specifically, should I start moving my coins out? I think moving them out is risky, since I will have to create a new wallet, export new private keys or seeds, and there's always a risk when doing this.

I don't think you need to move your coins. If you followed the other steps of running a local copy of bitaddress offline and not saving any copies of your paper wallet digitally (including on your printer), then you are pretty safe. As you say, generating a new wallet will also come with a risk.
honestproscons
March 29, 2021, 07:36:04 PM
 #19

There has been some discussion about the trustworthiness of that wallet here:

https://www.reddit.com/r/Bitcoin/comments/771c4z/bitaddressorg_beware_of_possible_scam/

http://web.archive.org/web/20171021011048/http://bitguru.co.uk/trading-focus/bitaddress-org-beware-possible-scam/

(original website is down)
o_e_l_e_o
March 30, 2021, 07:22:20 AM
 #20

The reddit thread you've linked to includes a comment saying that this was likely a fake or phishing site rather than the official site. Further, the archive page you linked to includes the phrase "The wallet was turned offline immediately after the Bitcoin was confirmed to have been sent", which means they used the live bitaddress site while connected to the internet, which is obviously a massive security risk and not the fault of bitaddress.

As I said, I cannot vouch one way or the other, but I suspect we would have seen many, many more scam accusations if bitaddress was malicious. At the end of the day, it is up to you whether you want to move your coins or not, but if we assume your paper wallet was created properly and has remained secure, then any non-paper wallet you choose is likely to be less secure.