Wallet Security

[Scott J]

I'd like to know peoples opinions on the risks of having my coins stolen in the following situation..

I purchase a new PC and only connect it to the internet to download/update Bitcoin-qt and to update the blockchain/send transactions.

The PC is not used for anything else.

I find it highly unlikely that the private keys could get compromised, but I may be missing something.

[1714988028]

1714988028

[LiteCoinGuy]

question: are you the only one you has access to the pc? password protected?

if yes: its a possibility but i would recommend not to leave your wallet on that computer.

[davidgdg]

It would be a lot cheaper to store your coins in a paper wallet!

[Scott J]

question: are you the only one you has access to the pc? password protected?

if yes: its a possibility but i would recommend not to leave your wallet on that computer.

Yes, I would be the only one with access.

Why would you recommend otherwise?

[Scott J]

It would be a lot cheaper to store your coins in a paper wallet!

To do this I also need to purchase an uncompromised computer - if I have to do that anyway, then why not have a dedicated computer for Bitcoin?

[LiteCoinGuy]

question: are you the only one you has access to the pc? password protected?

if yes: its a possibility but i would recommend not to leave your wallet on that computer.

Yes, I would be the only one with access.

Why would you recommend otherwise?

i just thought: whats happens when someone steals that computer? wouldnt it be more clever to store it on several USB sticks in several locations?

when you are only talking about 500 USD in bitcoins okay, do it on the computer. but with an activity of over 700 you might have more than 500 USD in bitcoin... 

[acoindr]

Be sure you encrypt your wallet with a strong password and you should be fine.

However, for very large amounts I'd look into a trezor, cold storage etc.

The problem is a computer is a multi-purpose device. It's meant to run programs; and there are very many ways for external programs to eventually execute on your computer, not all of them benign. This is why very many computer users do experience malware at some point. Could you be sure nobody did any Internet browsing or inserted arbitrary flash drives on your computer over an extended time? For substantial amounts you might be stressed ever leaving your computer unattended.

If you're intent on this route, however, you can button down your computer as well as you can. Don't install anything and turn off absolutely everything, javascript, flash, browser plug-ins, everything. Also, as LiteCoinGuy points out be sure you have backups to the wallet which exist, ideally on printout as well as USB. Also remember it's not a good idea to keep every single coin you have at one single point of failure.

[frankenmint]

Be sure you encrypt your wallet with a strong password and you should be fine.

However, for very large amounts I'd look into a trezor, cold storage etc.

The problem is a computer is a multi-purpose device. It's meant to run programs; and there are very many ways for external programs to eventually execute on your computer, not all of them benign. This is why very many computer users do experience malware at some point. Could you be sure nobody did any Internet browsing or inserted arbitrary flash drives on your computer over an extended time? For substantial amounts you might be stressed ever leaving your computer unattended.

If you're intent on this route, however, you can button down your computer as well as you can. Don't install anything and turn off absolutely everything, javascript, flash, browser plug-ins, everything. Also, as LiteCoinGuy points out be sure you have backups to the wallet which exist, ideally on printout as well as USB. Also remember it's not a good idea to keep every single coin you have at one single point of failure.

+10,000

Paper wallet is safer than electronic...especially if its somewhere safe like a deposit box and covered such that you need to tamper with a seal to gain access to a private key.  I wouldn't trust any computer at all. I would only use a thumbdrive for certain if I knew that it was being kept in similar conditions to a paper wallet.

[tvbcof]

In terms of unique access, the most important factor to me seems to be what operating system is being run.  Given the material released by Snowden, I would find it more likely than not that by Win-8 vintage it is possible for the NSA and whatever parties they choose to work with to access almost anything on a stock computer (including smart phones.)  That is not to say that they would probably make a habit of it though, and certainly not to snake a few BTC.  If/when they choose to do so, however, I would not anticipate encryption slowing them down excessively.

Even if one is simply worried about garden variety cyber-criminal ankle biters, the question of operating system is still an big part of the equation.  A brand new computer which has been treated carefully is probably fairly safe from this class of attackers until and unless they exploit holes arranged for higher category attackers.  I'm not aware of this being an issue at this time (though my Android seems to get hacked at will and from a fresh wipe.)

[acoindr]

^ Yes, I expressed similar sentiments in a past post.

If you want to protect yourself from hackers see my above post. If you want to protect yourself from the NSA you need to start migrating to open source software.

[Alty]

How secure is this method that I used?

Use a factory reset android telephone to access bitddress.org

Then use an offline browser on the telephone and open bitaddress.org (offline) and run brain wallet.

Type in an impossibly large and random alpha numerique code.

Generate address

Take a screenshot of the private key and public key using screenshot function on android phone.

Disconnect PC from the internet

Transfer screenshot from android phone to a brand new and encrypted sha-256 usb drive

Print out paper wallet and store in envelope

Take photo with a digital camera of paper wallet and store on SD card.

Delete screenshot on android phone.

Remove encrypted usb drive from PC before reconnecting to internet.

Store SD card, encrypted USB drive and paper wallet in safe places.




 

[greyhawk]

How secure is this method that I used?

Use a factory reset android telephone to access bitddress.org

Then use an offline browser on the telephone and open bitaddress.org (offline) and run brain wallet.

Type in an impossibly large and random alpha numerique code.

Generate address

Take a screenshot of the private key and public key using screenshot function on android phone.

Disconnect PC from the internet

Transfer screenshot from android phone to a brand new and encrypted sha-256 usb drive

Print out paper wallet and store in envelope

Take photo with a digital camera of paper wallet and store on SD card.

Delete screenshot on android phone.

Remove encrypted usb drive from PC before reconnecting to internet.

Store SD card, encrypted USB drive and paper wallet in safe places.




 

Android's RNG is not random

[Alty]

How secure is this method that I used?

Use a factory reset android telephone to access bitddress.org

Then use an offline browser on the telephone and open bitaddress.org (offline) and run brain wallet.

Type in an impossibly large and random alpha numerique code.

Generate address

Take a screenshot of the private key and public key using screenshot function on android phone.

Disconnect PC from the internet

Transfer screenshot from android phone to a brand new and encrypted sha-256 usb drive

Print out paper wallet and store in envelope

Take photo with a digital camera of paper wallet and store on SD card.

Delete screenshot on android phone.

Remove encrypted usb drive from PC before reconnecting to internet.

Store SD card, encrypted USB drive and paper wallet in safe places.




 

Android's RNG is not random

I'm not an expert on computers but doesn't the brain wallet provide a unique output when somebody inputs random typing like......

3903450EFZDFZOJF3405340F9ZDFF034T038TGERPJEPRFP034FZEFZEF03450324534508ZEFZOFJZ ELFJ345


In other words it would be unlikely anybody else would type that exact code in and get the same brain wallet results?

[DannyHamilton]

I'm not an expert on computers but doesn't the brain wallet provide a unique output when somebody inputs random typing like......

3903450EFZDFZOJF3405340F9ZDFF034T038TGERPJEPRFP034FZEFZEF03450324534508ZEFZOFJZ ELFJ345


In other words it would be unlikely anybody else would type that exact code in and get the same brain wallet results?

Humans are notoriously EXTREMELY bad at being random.

If you want random input, you should REALLY consider using some source other than your brain or body for generating it.

[greyhawk]

I'm not an expert on computers but doesn't the brain wallet provide a unique output when somebody inputs random typing like......

3903450EFZDFZOJF3405340F9ZDFF034T038TGERPJEPRFP034FZEFZEF03450324534508ZEFZOFJZ ELFJ345


In other words it would be unlikely anybody else would type that exact code in and get the same brain wallet results?

As Dan said, humans are a bad source of randomness.

For example your string above fails on several levels
- you are using only a very small selection of characters from the available keyspace
- there are several repetitions of sequences

From the line above alone I can conclude you most likely use a keyboard with french layout. Your left hand was hovering slighty above qsdf, your right hand was hovering over the lower part of the numpad, you moved the right hand over to the alphanumeric keys twice (once in the middle of the string and once near the end), you were subconsciously typing on the right hand with a rhythm of thumb-ring finger-index finger (producing the oft repeated 034 sequence), similarily you subconsciously used a rhythm of ring finger - middle finger - index finger with the left hand (producing the ZEF sequence)

[Scott J]

An idea I have had for a brain wallet that doesn't require too much memory...

Choose a particular book and make the private key from, say, the third letter of every fifth page, up to x

Then add the ISBN number in between each letter.   

[tvbcof]

An idea I have had for a brain wallet that doesn't require too much memory...

Choose a particular book and make the private key from, say, the third letter of every fifth page, up to x

Then add the ISBN number in between each letter.   

I'd considered some permutation of that strategy.  I'll bet there are a lot of passwords out there that have characters taken from noteworthy and widely distrubuted texts like the Christian bible or U.S. constitution.  I never considered it enough to research how much disparity there may be between various re-prints and such.  I'm guessing that a rainbow table like construct could be pretty effective against such a strategy, but my math (and interest and knowledge of table methods) isn't strong enough to analyze it in detail.

[Alty]

I'm not an expert on computers but doesn't the brain wallet provide a unique output when somebody inputs random typing like......

3903450EFZDFZOJF3405340F9ZDFF034T038TGERPJEPRFP034FZEFZEF03450324534508ZEFZOFJZ ELFJ345


In other words it would be unlikely anybody else would type that exact code in and get the same brain wallet results?

As Dan said, humans are a bad source of randomness.

For example your string above fails on several levels
- you are using only a very small selection of characters from the available keyspace
- there are several repetitions of sequences

From the line above alone I can conclude you most likely use a keyboard with french layout. Your left hand was hovering slighty above qsdf, your right hand was hovering over the lower part of the numpad, you moved the right hand over to the alphanumeric keys twice (once in the middle of the string and once near the end), you were subconsciously typing on the right hand with a rhythm of thumb-ring finger-index finger (producing the oft repeated 034 sequence), similarily you subconsciously used a rhythm of ring finger - middle finger - index finger with the left hand (producing the ZEF sequence)

Impressive deductions! 

[LouReed]

If you are going to go this route, it might be wise to completely remove the wireless adapter drivers, and connect to the Internet via hard wire. That way, you know for a fact when it is going online.

[acoindr]

If you are going to go this route, it might be wise to completely remove the wireless adapter drivers, and connect to the Internet via hard wire. That way, you know for a fact when it is going online.

That won't help. He wants to use a computer to store coins which is allowed to connect to the Internet at various times. If your computer is compromised it only takes milliseconds to transfer sensitive information somewhere else once a connection is given. That's why the strongest options are use something like Armory with an offline computer, a completely offline paper wallet, or the Trezor.