Bitcoin Forum
Topic: Private key security level
coder0x15 (OP)
February 13, 2018, 01:09:23 AM
Last edit: February 13, 2018, 02:19:00 AM by coder0x15
 #1

Any kind of Bitcoin wallet needs to share the private key on an internet-connected machine.

The Bitcoin client has no responsibility to keep the private key secure. If your machine is connected to the internet, your keys can be hijacked, because your machine can be hacked before you import the keys.

The question is, how to trust any of the existing crypto-wallets to store private keys?

P.S. My answer is "no trust" to all of them.
HCP
February 13, 2018, 02:35:45 AM
Merited by hatshepsut93 (2)
 #2

You either set up a two computer "cold storage" system with one "online" (internet connected) that only has public keys... and one "offline" (air gapped) that is never connected to the internet or any network and has your private keys

OR

You get a hardware wallet so that your private keys are never exposed to any computer... even if you connect it into an internet connected computer.

refer: https://en.bitcoin.it/wiki/How_to_set_up_a_secure_offline_savings_wallet

achow101
February 13, 2018, 04:53:49 AM
Merited by hatshepsut93 (1), HCP (1)
 #3

> The question is, how to trust any of the existing crypto-wallets to store private keys?

Most wallets are open source, and the ones that aren't are ones that you should not use.

So because they are open source, you can go and read through the code yourself and make sure that it is secure. Then you can compile the wallet from source (so that you don't have to trust any distributed binaries) so that you know that the source code that you read is exactly the code that went into the wallet program that you are running.

pebwindkraft
February 13, 2018, 09:02:25 AM
 #4

same question here: https://bitcoin.stackexchange.com/questions/70662/private-key-security-level/70676?noredirect=1#comment81975_70676

Yes, dealing with funds and crypto currency is basically a question of trust.
There have been too many lost funds due to exchanges going down. So be extremely careful to secure your funds. Only when you have the private keys yourself are the funds secure. At the point when you use an exchange, "they" control the keys, and with the keys the funds, and you can only trust them.

Storing the keys locally on your machine depends on your willingness to invest in security measures.
As I replied already in stackexchange, security is a trade-off.
See my answer to a similar question here: https://bitcointalk.org/index.php?topic=2865766.msg29442089#msg29442089

I think an offline solution is the best you can achieve nowadays, and it provides enough trust that you can sleep without fear of losing coins.
Colorblind
February 13, 2018, 12:47:20 PM
Merited by ranochigo (2), ABCbits (2)
 #5

> Any kind of Bitcoin wallet needs to share the private key on an internet-connected machine.
>
> The Bitcoin client has no responsibility to keep the private key secure. If your machine is connected to the internet, your keys can be hijacked, because your machine can be hacked before you import the keys.
>
> The question is, how to trust any of the existing crypto-wallets to store private keys?
>
> P.S. My answer is "no trust" to all of them.

Short answer: Your answer is correct.

Long answer: The issue of "trust" is pretty complicated. If we look at any problem from a security officer's point of view, it is easier to mark everyone as untrustworthy and simply deny everything (because everything is a possible threat to some extent). In a perfectly safe condition nothing really works. However, to maintain reasonable productivity you need some way of risk-tolerance. The whole human infrastructure is piled upon this concept, and every time you take a plane or drive your car you accept the potential risks of those activities. To be successful in assessing your risks you need to carefully consider:

what are you trying to achieve?
what path can you take in achieving it?
what risks does each path bear?
what is the cost of taking each path?
what will happen if your worst risk actually happens?

Applying all of the above, there are 2 usual scenarios that come to mind:

1. You are a small bitcoin holder who is involved in day trading on some exchanges. This way it will be convenient to simply keep your assets on your favorite platforms and store profits in either a cold wallet or in fiat.
2. You have a lot of BTC that you don't often use. In this case you probably want to store everything in a cold wallet.

In real life it is usually a mixture of the two above cases, where you want to assess and decide how much of your assets to store online and how much to store in cold storage. But ultimately - unless you are the only one who has access to the private key - you are NOT in control of the coins.
hatshepsut93
February 13, 2018, 02:01:34 PM
Last edit: February 14, 2018, 04:39:46 PM by hatshepsut93
 #6

> Any kind of Bitcoin wallet needs to share the private key on an internet-connected machine.


No, this is wrong, you need some sort of connection to send transactions - which might not even necessarily be Internet connection, since there are already methods that allow you to send BTC transactions via SMS, but you can create transactions in an isolated offline environment, which will prevent malicious code from sending your private keys to its masters. However, malicious/poorly written clients can make you lose your coins in other ways, like replacing your receiving and change addresses with attacker addresses, replacing destination addresses, using weak random number generators, reusing k parameter of ECDSA, and so on. So, you will always have to put some trust in wallets, and you should check discussions of wallets that you use from time to time to keep them up to date and receive all the recent bugfixes.

monkeydominicorobin
February 15, 2018, 12:30:05 PM
 #7

> Any kind of Bitcoin wallet needs to share the private key on an internet-connected machine.
>
> The Bitcoin client has no responsibility to keep the private key secure. If your machine is connected to the internet, your keys can be hijacked, because your machine can be hacked before you import the keys.
>
> The question is, how to trust any of the existing crypto-wallets to store private keys?
>
> P.S. My answer is "no trust" to all of them.

You're right about that. Never trust those online wallet services.

carter34
February 16, 2018, 11:53:32 AM
 #8

Well, I really don't have to bother much about that where the site has been proved to be a trusted site by the symbol of the locked key. And, if I get hoodwinked after confirming it is a trusted site, so be it, and it then means the site will not exist again after losing the trust of so many investors who actually believed in the genuineness of the site and trusted to invest their money with them.

Or, otherwise, how then do we invest again when the sites we trust with their locked key at the left side of their web page defraud us?
HCP
February 16, 2018, 07:35:05 PM
 #9

> Well, I really don't have to bother much about that where the site has been proved to be a trusted site by the symbol of the locked key. And, if I get hoodwinked after confirming it is a trusted site, so be it, and it then means the site will not exist again after losing the trust of so many investors who actually believed in the genuineness of the site and trusted to invest their money with them.
>
> Or, otherwise, how then do we invest again when the sites we trust with their locked key at the left side of their web page defraud us?

That "locked key" just indicates that the site has an SSL certificate and that any data being transferred to/from the site is encrypted and "private".

ANYONE can make an SSL certificate for their website... It does NOT indicate in any way that the site is trusted!!?!

If you are trusting sites based purely on whether or not they use HTTPS and have an SSL certificate, you are likely to be scammed at some point.

Weeko
February 17, 2018, 05:46:47 PM
 #10

> Any kind of Bitcoin wallet needs to share the private key on an internet-connected machine.
>
> The Bitcoin client has no responsibility to keep the private key secure. If your machine is connected to the internet, your keys can be hijacked, because your machine can be hacked before you import the keys.
>
> The question is, how to trust any of the existing crypto-wallets to store private keys?
>
> P.S. My answer is "no trust" to all of them.

You cannot completely trust online services. Everybody understands this, but they have to do it because of the comfort. Owners of large sums leave only a small fraction online.
skorms
February 17, 2018, 07:51:41 PM
 #11

A paper wallet is the answer, I use it to store most of my coins.
phd2d
February 18, 2018, 05:09:56 AM
 #12

A wallet where you have the private key is the best security level. But you have a lot of options to store cryptocurrency.
1. For coin platforms, I recommend a cold wallet such as Ledger, Trezor, paper wallet... (https://en.bitcoin.it/wiki/Hardware_wallet)
2. For token platforms, almost all based on ETH, I recommend MEW...
hefjor
February 19, 2018, 10:51:14 PM
 #13

> Any kind of Bitcoin wallet needs to share the private key on an internet-connected machine.
>
> The Bitcoin client has no responsibility to keep the private key secure. If your machine is connected to the internet, your keys can be hijacked, because your machine can be hacked before you import the keys.
>
> The question is, how to trust any of the existing crypto-wallets to store private keys?
>
> P.S. My answer is "no trust" to all of them.

I also wonder about the security of our private key putting it in an online world so it would be possible to the attackers to do anything about it because it is an internet connected machine so it would be always possible to all hackers to do evil things. Unless if we have that kind of security like authenticator that no one can access your credential and good things about its an offline mode.

Colorblind
February 20, 2018, 05:43:06 AM
 #14

> > Any kind of Bitcoin wallet needs to share the private key on an internet-connected machine.
> >
> > The Bitcoin client has no responsibility to keep the private key secure. If your machine is connected to the internet, your keys can be hijacked, because your machine can be hacked before you import the keys.
> >
> > The question is, how to trust any of the existing crypto-wallets to store private keys?
> >
> > P.S. My answer is "no trust" to all of them.
>
> I also wonder about the security of our private key putting it in an online world so it would be possible to the attackers to do anything about it because it is an internet connected machine so it would be always possible to all hackers to do evil things. Unless if we have that kind of security like authenticator that no one can access your credential and good things about its an offline mode.

Any system has flaws. 2FA can be breached (for example, a perpetrator can impersonate you, restore your SIM card and further steal your identity). However, you need to weigh all those risks against 2 key things:
1. How much do you keep in your wallet? (If the amount is insignificant or less than the effort an attacker will need to take to get to it, you are probably safe)
2. How much have you told the "world" about your holdings?

Also, you probably want to care about "random" attacks, i.e. malware that doesn't have a specific target and just attacks anyone that it manages to infect. Basic internet safety precautions should help you with that, but don't guarantee you don't get attacked.

If you are holding below 1 BTC (this is my personal measure, it may vary for you), I would suggest you use the most basic means (encrypted wallet, standard anti-virus, follow basic rules like "don't run things if you don't know where they came from" or "don't click links... EVER"). If you're holding above 1 BTC (again - it's my measure) - just put whatever you don't need in immediate reach offline.

Always remember - Better safe than sorry.
Good luck and stay safe!
Samarkand
February 20, 2018, 09:10:28 AM
 #15

> ...
>
> Any system has flaws. 2FA can be breached (for example, a perpetrator can impersonate you, restore your SIM card and further steal your identity). ...

This only works if someone can access an exchange account using your mobile
phone number (e.g. reset the exchange account password using an SMS verification code).

After all, the 2FA application is running on the application layer and not on the SIM card.
E.g. even if someone manages to impersonate me at my mobile phone provider and manages to get
a SIM card, he will still not be able to breach the 2FA of my exchange accounts.

The real risk is that you back up your 2FA recovery seed/code in a way where a third person
can access it (e.g. storing it digitally, storing it in your wallet or similar questionable behavior).
Merely obtaining a SIM card for the mobile phone number should not be enough to breach 2FA.

HCP
February 20, 2018, 05:07:34 PM
 #16

I think they may have been referring to the "old" 2FA system that sent codes via SMS. As you've pointed out, most of the 2FA systems these days work with Google Authenticator app... and the "Secret Key" is on the device itself, not just tied to your phone number.

Although, I have experienced a couple of services over the last 6-12 months that still use SMS codes, at least, for initial signup confirmation of a telephone number etc.
