cdog (OP)
July 01, 2013, 08:46:07 AM Last edit: July 01, 2013, 09:55:19 AM by cdog
https://howsecureismypassword.net/
https://www.microsoft.com/security/pc-security/password-checker.aspx

If you have more than a few BTC, anything less than "Best" is unacceptable - that should be your starting point. Having a password of "larry123" is like leaving your wallet and banking info lying out in the street. Just. Don't. Do it!

Ideally use letters, numbers, and symbols in combination. Something like @@@@@applebeesmakesmevomit12345&&&&& is pretty secure and easy to remember: 5 symbols twice, 5 numbers once, and a phrase you won't forget. But you can do much better: using the maximum amount of variation in the characters, words that aren't in the dictionary, upper AND lowercase, and avoiding sequences like 12345 make for even stronger passwords: *@%#!59771bLoRgBrAbBlEfLaPpEr87651*@%#! is virtually uncrackable. Again, all you have to remember here is one series of symbols, two sets of numbers, and one gibberish phrase in alternating upper and lowercase. Also consider using a password manager.

Read more here:
http://www.trackvia.com/blog/productivity/how-to-make-uncrackable-passwords-you-can-remember
http://www.microsoft.com/security/online-privacy/passwords-create.aspx
http://www.thegeekstuff.com/2008/06/the-ultimate-guide-for-creating-strong-passwords/

Also, always create multiple backups. Usually 2-3 USB flash drives are fine for small amounts, but if you have a lot of BTC or LTC, you will usually want to use more than one wallet to spread it out over, and back up the keys for each wallet multiple times to multiple physical locations. I advise against using online wallets. Use extra hard drives, flash drives, your phone, your girlfriend's laptop, whatever. As long as your password is very secure, you won't ever need to worry. Just back that shit up. Because if the wallet is lost, having an uncrackable password can't help you. If you do this, the chances of your bitcoins being lost or stolen are very low - just don't forget your password!

How to Avoid Keyloggers

The easiest way to avoid any type of keylogger is simple: type part of your passphrase into a blank document, and copy and paste it into your wallet. Then type some random gibberish into your open document. Then type another part of your password. Copy & paste. Repeat. Doing this 2 or more times makes it virtually impossible to have your password stolen via hardware or software.
greyhawk
July 01, 2013, 08:47:12 AM
My wallet password is 'swordfish'. How secure is that? Do you recommend I change it?
escrow.ms
July 01, 2013, 09:04:41 AM
The blank-document trick is old, and keyloggers are too; people mostly use stealers or formgrabbers these days, and that document method is not effective against formgrabbers.
However, using a keyscrambler is better than typing gibberish words into a blank document.
cdog (OP)
July 01, 2013, 09:05:12 AM
> My wallet password is 'swordfish'. How secure is that? Do you recommend I change it?

Pretty much this:

> The blank-document trick is old, and keyloggers are too; people mostly use stealers or formgrabbers these days, and that document method is not effective against formgrabbers.
> However, using a keyscrambler is better than typing gibberish words into a blank document.

I think a formgrabber is mostly for online passwords and web browsers, but I'm not a security expert, just an enthusiast. Keyscrambler sounds good.
tutkarz
July 01, 2013, 09:05:47 AM
> How to Avoid Keyloggers
> The easiest way to avoid any type of keylogger is simple: type part of your passphrase into a blank document, and copy and paste it into your wallet. Then type some random gibberish into your open document. Then type another part of your password. Copy & paste. Repeat. Doing this 2 or more times makes it virtually impossible to have your password stolen via hardware or software.

This will only make it harder, not impossible, to steal a password while you type. There are already programs that read your clipboard; used together with a keylogger and a program that records which window you are typing in, there is no way to securely enter your password, because even the most complicated scheme using Ctrl+C/Ctrl+V and parts of passwords can be reversed. The good thing is that there are not many keyloggers that do all of that at once.
escrow.ms
July 01, 2013, 09:09:02 AM
> My wallet password is 'swordfish'. How secure is that? Do you recommend I change it?

Yes you should change it immediately, don't forget to take a backup first and mail it to me.
cdog (OP)
July 01, 2013, 09:11:30 AM
> How to Avoid Keyloggers
> The easiest way to avoid any type of keylogger is simple: type part of your passphrase into a blank document, and copy and paste it into your wallet. Then type some random gibberish into your open document. Then type another part of your password. Copy & paste. Repeat. Doing this 2 or more times makes it virtually impossible to have your password stolen via hardware or software.

> This will only make it harder, not impossible, to steal a password while you type. There are already programs that read your clipboard; used together with a keylogger and a program that records which window you are typing in, there is no way to securely enter your password, because even the most complicated scheme using Ctrl+C/Ctrl+V and parts of passwords can be reversed. The good thing is that there are not many keyloggers that do all of that at once.

Yeah, if the NSA or LulzSec wants your BTC, you are pretty much boned. This is more just basic protection against hackers for the general public. However, I believe that the biggest threat for 99% of people is losing their wallet by not creating a backup.
greyhawk
July 01, 2013, 09:17:54 AM
> > My wallet password is 'swordfish'. How secure is that? Do you recommend I change it?
>
> Pretty much this:

> > My wallet password is 'swordfish'. How secure is that? Do you recommend I change it?
>
> Yes you should change it immediately, don't forget to take a backup first and mail it to me.

Thank you both. I have changed it to '@@@@@applebeesmakesmevomit12345&&&&&' as recommended.
🏰 TradeFortress 🏰
July 01, 2013, 09:48:22 AM
You can also use Inputs.io, which has an unkeyloggable PIN input pad.
cdog (OP)
July 01, 2013, 09:52:30 AM
> Thank you both. I have changed it to '@@@@@applebeesmakesmevomit12345&&&&&' as recommended.

It was pretty obvious from your first post but... Hey man, I'm just trying to do a public service and add something useful to this website. Please feel free to correct me or add some info. Even if my post helps one person save their BTC, it will be worth the time it took me.

> You can also use Inputs.io, which has an unkeyloggable PIN input pad.

Cool. Thank you for posting, TradeFortress.
spooderman
July 01, 2013, 09:59:09 AM
> You can also use Inputs.io, which has an unkeyloggable PIN input pad.

link pl0z?

Society doesn't scale.
greyhawk
July 01, 2013, 10:19:22 AM
> Hey man, I'm just trying to do a public service and add something useful to this website. Please feel free to correct me or add some info.

No, you're totally right. I just like to have a little bit of fun. Speaking of which, I just asked my users on the forum I moderate to go to that howsecureismypassword site and test theirs out. The results were..... disappointing, to say the least. Mostly in the range from 19 seconds to 11 minutes.
J35st3r
July 01, 2013, 10:24:12 AM Last edit: July 01, 2013, 10:40:49 AM by J35st3r
Obligatory XKCD: http://www.xkcd.com/936/

@@@@@applebeesmakesmevomit12345&&&&& is probably going a bit too far. It's important that you don't forget your password (no drunk/stoned password changes please).

The keyloggers / copy-paste grabbers are a worry. Running a Linux client in a VM (e.g. openbox) should be pretty much immune to the copy-paste framegrabbers (provided you turn off the guest-host integration), though not the keyloggers. An on-screen keyboard within the VM should take care of this.

PS "correct horse battery staple" is bonkers: https://blockchain.info/address/1JwSSubhmg6iPtRjtyqhUYYH7bZg3Lfy1T

1Jest66T6Jw1gSVpvYpYLXR6qgnch6QYU1 NumberOfTheBeast ... go on, give it a try
torzsy
July 01, 2013, 10:47:45 AM
> Obligatory XKCD: http://www.xkcd.com/936/
>
> @@@@@applebeesmakesmevomit12345&&&&& is probably going a bit too far. It's important that you don't forget your password (no drunk/stoned password changes please).
>
> The keyloggers / copy-paste grabbers are a worry. Running a Linux client in a VM (e.g. openbox) should be pretty much immune to the copy-paste framegrabbers (provided you turn off the guest-host integration), though not the keyloggers. An on-screen keyboard within the VM should take care of this.
>
> PS "correct horse battery staple" is bonkers: https://blockchain.info/address/1JwSSubhmg6iPtRjtyqhUYYH7bZg3Lfy1T

Use KeePass with 32-character mixed passwords. Really, really hard to crack. And of course use a VM and back up your wallet.dat 3 times a day.
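An added worked example, not code from any poster in this thread: a small Python script that puts numbers on the recipes discussed above (the OP's symbols/phrase/digits construction, the xkcd 936 passphrase, and a 32-character KeePass-style random password) and contrasts what a simple strength meter counts with what an attacker who knows the recipe actually has to search. The vocabulary size, the maximum symbol-run length, the treatment of "12345"-style sequences and the guess rate are assumptions set in the constants, not measurements.

```python
"""Password-strength arithmetic for the recipes discussed in this thread.

Added example, not any poster's code. Dictionary size, symbol-run length,
digit-sequence handling and guess rate are assumptions (constants below).
"""
import math
import re

PUNCT = 33                    # printable ASCII punctuation marks
WORDS = 20_000                # assumption: phrase words come from a 20k-word vocabulary
MAX_RUN = 10                  # assumption: a repeated-symbol run is 1..10 characters long
COMMON_DIGIT_STRINGS = 1000   # assumption: 12345-style sequences are among the first 1000 digit guesses
GUESSES_PER_SECOND = 1e10     # assumption: offline guessing rate against a fast hash


def naive_bits(password: str) -> float:
    """What a simple strength meter assumes: each character drawn uniformly
    from the union of the character classes the password happens to use."""
    space = 0
    if re.search(r"[a-z]", password):
        space += 26
    if re.search(r"[A-Z]", password):
        space += 26
    if re.search(r"[0-9]", password):
        space += 10
    if re.search(r"[^A-Za-z0-9]", password):
        space += PUNCT
    return len(password) * math.log2(space)


def random_bits(length: int, alphabet: int) -> float:
    """Entropy of a uniformly random string, e.g. a password-manager output."""
    return length * math.log2(alphabet)


def passphrase_bits(n_words: int, dictionary: int = WORDS) -> float:
    """Entropy of n words chosen uniformly from a dictionary (the xkcd 936 model)."""
    return n_words * math.log2(dictionary)


def _is_sequence(digits: str) -> bool:
    """True for runs like 12345 or 54321: length >= 3 with a constant step of +1 or -1."""
    steps = {ord(b) - ord(a) for a, b in zip(digits, digits[1:])}
    return len(digits) >= 3 and steps in ({1}, {-1})


def _alternating_case(letters: str) -> bool:
    return all(a.islower() != b.islower() for a, b in zip(letters, letters[1:]))


def recipe_bits(password: str, phrase_words: int) -> float:
    """Entropy charged against an attacker who knows the recipe from the opening
    post (symbol run / phrase / digits / symbol run). The password is split into
    runs of letters, digits and symbols; each run is charged only for the choices
    it really contains, and a run identical to an earlier one is free.
    phrase_words: how many dictionary words a single-case letter run contains."""
    bits = 0.0
    seen = set()
    for run in re.findall(r"[A-Za-z]+|[0-9]+|[^A-Za-z0-9]+", password):
        if run in seen:
            continue                                           # repeated run: nothing new to guess
        seen.add(run)
        if run.isdigit():
            bits += math.log2(COMMON_DIGIT_STRINGS) if _is_sequence(run) else len(run) * math.log2(10)
        elif run.isalpha():
            if run.islower() or run.isupper():
                bits += passphrase_bits(phrase_words)          # a phrase of real words
            else:
                # gibberish in mixed case: letters charged as random lowercase (an
                # overestimate for pronounceable gibberish) plus the case pattern
                bits += len(run) * math.log2(26) + (1 if _alternating_case(run) else len(run))
        elif len(set(run)) == 1:
            bits += math.log2(PUNCT) + math.log2(MAX_RUN)      # one symbol choice, one length choice
        else:
            bits += len(run) * math.log2(PUNCT)                # independent symbols
    return bits


def crack_years(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected brute-force time: half the space on average, at `rate` guesses/s."""
    return 2 ** (bits - 1) / rate / (365 * 24 * 3600)


if __name__ == "__main__":
    op1 = "@@@@@applebeesmakesmevomit12345&&&&&"
    op2 = "*@%#!59771bLoRgBrAbBlEfLaPpEr87651*@%#!"
    rows = [  # (label, what a meter counts, what a recipe-aware attacker must search)
        ("swordfish", naive_bits("swordfish"), recipe_bits("swordfish", 1)),
        (op1, naive_bits(op1), recipe_bits(op1, 4)),
        (op2, naive_bits(op2), recipe_bits(op2, 0)),
        ("xkcd: 4 words from 2048", passphrase_bits(4, 2048), passphrase_bits(4, 2048)),
        ("KeePass: 32 random printable", random_bits(32, 95), random_bits(32, 95)),
    ]
    for label, meter, informed in rows:
        print(f"{label:40} meter {meter:6.1f} bits   informed {informed:6.1f} bits   ~{crack_years(informed):.3g} years")
```

Run as-is it prints one line per password. The meter credits @@@@@applebeesmakesmevomit12345&&&&& with about 220 bits, but an attacker who knows the recipe only has to find one symbol and run length (twice), a four-word phrase and a well-known digit sequence, roughly 84 bits; the second OP example holds up far better (about 149 bits) because its symbol and digit runs are not repeated patterns. A four-word passphrase from a 2048-word list is 44 bits under the xkcd model, and a genuinely random 32-character password from a manager is about 210 bits under both models, since there is no recipe to exploit.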
Zaghomat
July 01, 2013, 11:36:08 AM
How secure are password managers like RoboForm? I usually generate a random password with it for every new account, online wallet, etc.
herzmeister
July 01, 2013, 12:03:33 PM
> How to Avoid Keyloggers
> The easiest way to avoid any type of keylogger is simple: type part of your passphrase into a blank document, and copy and paste it into your wallet. Then type some random gibberish into your open document. Then type another part of your password. Copy & paste. Repeat. Doing this 2 or more times makes it virtually impossible to have your password stolen via hardware or software.

Unfortunately, there are also screenloggers.
willphase
July 01, 2013, 02:52:01 PM
> The easiest way to avoid any type of keylogger is simple: type part of your passphrase into a blank document, and copy and paste it into your wallet. Then type some random gibberish into your open document. Then type another part of your password. Copy & paste. Repeat. Doing this 2 or more times makes it virtually impossible to have your password stolen via hardware or software.

Any decent keylogger will also log the clipboard: http://en.wikipedia.org/wiki/Keystroke_logging#Related_features

The best way to be secure is to use a secure device, like a Chromebook, which is built with security in mind.

Will
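An added example, not code from tutkarz, willphase or the OP, that simulates what both replies describe: a keystroke-only logger sees the password chunks interleaved with the decoy gibberish, while a logger that also records the focused window and the clipboard can replay its log and reassemble exactly what was pasted into the wallet. The event log, the window titles and the split points are constructed for the illustration.

```python
"""Why typing a password in pieces into a scratch document does not beat a
logger that captures window focus and clipboard contents as well as keys.

Added example, not any poster's code. The event log is hand-built; the window
titles and the chunk boundaries are arbitrary assumptions.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class Event:
    window: str        # title of the focused window when the event occurred
    kind: str          # "key", "copy" or "paste"
    data: str = ""     # typed character for "key"; clipboard contents for "copy"


def typed(window: str, text: str) -> List[Event]:
    """Keystroke events for text typed into window ("\b" is a backspace)."""
    return [Event(window, "key", ch) for ch in text]


PASSWORD = "@@@@@applebeesmakesmevomit12345&&&&&"      # the opening post's example
WALLET, SCRATCH = "Bitcoin-Qt", "Untitled - Notepad"   # assumed window titles

# The opening post's procedure as a constructed event log: type a piece into the
# scratch document, copy it, paste it into the wallet, type decoy junk, repeat.
EVENTS = (
    typed(SCRATCH, "@@@@@apple")
    + [Event(SCRATCH, "copy", "@@@@@apple"), Event(WALLET, "paste")]
    + typed(SCRATCH, "zzqx")                               # decoy junk, never copied
    + typed(SCRATCH, "beesmakesme")
    + [Event(SCRATCH, "copy", "beesmakesme"), Event(WALLET, "paste")]
    + typed(SCRATCH, "lorem")                              # more decoy junk
    + typed(SCRATCH, "vomit12345")
    + [Event(SCRATCH, "copy", "vomit12345"), Event(WALLET, "paste")]
    + typed(WALLET, "&&&&&x\b")                            # last piece typed straight in, typo corrected
)


def keystrokes_only(events: List[Event]) -> str:
    """What a plain keylogger sees: every key, in every window, in order."""
    return "".join(e.data for e in events if e.kind == "key")


def reconstruct(events: List[Event], target: str) -> str:
    """What a logger with window focus and clipboard capture can recover:
    replay the log and rebuild the text field of the target window."""
    clipboard = ""
    field = ""
    for e in events:
        if e.kind == "copy":
            clipboard = e.data             # captured by reading the clipboard after Ctrl+C
        elif e.window != target:
            continue                       # typing in the scratch document is irrelevant
        elif e.kind == "paste":
            field += clipboard
        elif e.data == "\b":
            field = field[:-1]
        else:
            field += e.data
    return field


if __name__ == "__main__":
    raw = keystrokes_only(EVENTS)
    print("keystroke stream :", repr(raw))
    print("password in it?  :", PASSWORD in raw)                         # False: decoys break it up
    print("reconstructed    :", reconstruct(EVENTS, WALLET))
    print("matches password :", reconstruct(EVENTS, WALLET) == PASSWORD)  # True
```

The keystroke stream alone never contains the password as a contiguous string, which is all the blank-document trick achieves. As soon as the logger also knows which window each key or paste went to and reads the clipboard on every copy, `reconstruct` rebuilds the wallet field character for character, backspaces included, and the decoy typing in the scratch window is simply discarded.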
Breen2543
July 01, 2013, 03:07:50 PM
I always use a 16-digit alphanumeric password. It is hard to break.
TippingPoint
July 01, 2013, 03:26:59 PM
I believe that the order of likelihood of losing your entire Bitcoin wallet contents is:
- Not having any backup at all
- Forgetting your convoluted password
- < reserved >
- < reserved >
- < reserved >
- < reserved >
- < reserved >
- < reserved >
- < reserved >
- < reserved >
- < reserved >
- World War III
- Having your password stolen by a keylogger
AliceWonder
July 01, 2013, 04:05:14 PM
> Yeah, if the NSA or LulzSec wants your BTC, you are pretty much boned.

Wrong attitude to have. Look at what LulzSec (aren't they in prison??) and the NSA would do to get it, and fix the vulnerability.

For example, in my case I use a couple of software repositories that are not official Fedora, so I have to look at the risk of those software repositories being coerced into hosting trojans or having their signing key stolen. For a wallet with a lot of bitcoin, I wouldn't take that risk. In fact, for a wallet with a lot of bitcoin, the system wouldn't be online much.

Make sure you have an appropriate firewall. The firewall in your router is not good enough; they are notorious for having back doors. The Linux firewall is decent. Once your network security is taken care of, then think about physical access.

-=-

Point is, don't just give in and figure they are LulzSec or the NSA so they can get me if they want me; that's lowering the bar. Raise the bar and do what you can to avoid them. Many if not most of LulzSec's exploits were the results of laziness, corporations not taking steps to secure known vulnerabilities. Don't make that mistake.