Bitcoin Forum
Author Topic: Trust No One  (Read 95650 times)
dacoinminster (Legendary, Activity: 1036)
August 02, 2011, 09:56:57 PM  #1

Seriously. Don't trust the exchanges, don't trust online wallet services, don't trust your anti-virus software, and don't trust anybody online.

If you absolutely must trust someone with your bitcoins, for the love, choose carefully!

  • Do you know their full name?
  • Do you know where they are located?
  • Have they demonstrated trustworthiness in the past?
  • Are they asking you to trust them? (red flag)
  • Do they have insurance?

Insurance? Impossible, you say. Not so!

When I needed people to trust me to hold bitcoins for a contest, I deposited 50 bitcoins as a bond with a well-respected forum member, so that even if I did something stupid and lost people's money, they would still be reimbursed. You can read about it here: http://bitcointalk.org/index.php?topic=10008.0

Consider carefully who you will trust. With bitcoins, elaborate scams may be profitable. For instance, someone may develop trust for their user name over many months with small transactions on this forum, then take advantage of that trust to make off with a lot of money. Such a scam would only be worth doing on this forum. No other forum in the world would be worth the effort.

If you want someone to hold your bitcoins for you, there are NO online services that have the transparency and security to make me comfortable using them for storing bitcoins for more than a short time in small amounts. The only way to do it is like I did - choose someone whom you believe to be trustworthy, and approach them. If they approach you, or in any way say or insinuate that they are a trustworthy person to hold your coins, STAY AWAY.

If you are thinking that I might not be trustworthy, since I am writing this post about the issue, you are approaching the appropriate level of paranoia.

If you want to store your bitcoins with maximum security, there are lots of resources about how to do it, such as this: https://en.bitcoin.it/wiki/Securing_your_wallet

Here's my summary:

1. Put all your coins in a new wallet that has never connected to the network
2. Encrypt that wallet with the maximum security you can find, using the most secure password you can keep track of
3. Delete the plaintext wallet, and distribute the encrypted wallet to every piece of physical media you own, store it online, and send it to several people you trust

Don't think you can generate and remember a secure enough password? Create a super-long password, and store clues to help you remember it. For instance, your password clue file might say:

My standard password + My throwaway password (backwards, all caps) + &#$%@ + First two sentences of first paragraph of page 19 of my favorite book (include all capitalization and punctuation) + My wife's mother's middle name + My son's favorite superhero + My favorite number times 8734 + food my wife hates (backwards, all caps) + 9-digit number stored with my paper will + 10-character password stored in my safety deposit box + . . . .

You can go on in this way to create as long a password as you want. Store this password clue file with your encrypted wallet, and optionally encrypt both with a simple standard password to keep out snoopers.

In this way, not only can you recover your coins from your "savings account" at a later date, but if you get hit by a chicken truck tomorrow and die, your loved ones can probably piece together your password and recover the coins too (better make sure you trust them, and that between them they have or can get the answers to those clues).

I recommend that you practice your wallet encryption and recovery a few times with a small number of coins, until you are very comfortable with the process before you try it with the bulk of your savings.

And remember, this is how most bitcoin services get started:

(comic image not included)

Comic from: http://bitcointalk.org/index.php?topic=13903.0
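The three-step procedure and the clue-file passphrase above can be rehearsed offline before any real coins are involved. The Python below is an added example written for this page; it is not code from the original post, nor from Bitcoin Core or any wallet software. It assembles the passphrase from clue answers in clue-file order, derives a key from it with scrypt, and stores a small verifier (salt, KDF parameters, and an HMAC of a fixed label under the derived key) next to the encrypted wallet copies, so that you, or your heirs, can confirm a reconstructed passphrase is right without a plaintext wallet to compare against. The clue answers, salt and scrypt parameters are constructed for the illustration.

```python
import hashlib
import hmac
import json
import os

# scrypt cost parameters (illustrative; raise N until one derivation takes a
# few seconds on the machine you will recover on). Memory use is 128*r*N bytes.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
CHECK_LABEL = b"wallet-passphrase-check"


def assemble_passphrase(components):
    """Join the answers to each clue, in clue-file order.

    Each component is (answer, rule); the rule is the transform the clue
    file states for that answer. Order and rules are part of the secret:
    applying the wrong rule yields a different passphrase.
    """
    parts = []
    for answer, rule in components:
        if rule == "plain":
            parts.append(answer)
        elif rule == "backwards_caps":          # "(backwards, all caps)"
            parts.append(answer[::-1].upper())
        else:
            raise ValueError("unknown clue rule: %r" % rule)
    return "".join(parts)


def derive_key(passphrase, salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P):
    """Memory-hard KDF so that each offline guess costs real time and RAM."""
    return hashlib.scrypt(passphrase.encode("utf-8"), salt=salt,
                          n=n, r=r, p=p, maxmem=64 * 1024 * 1024, dklen=32)


def make_verifier(passphrase, salt=None):
    """Record to store next to every encrypted wallet copy.

    It holds the salt, the KDF parameters and an HMAC of a fixed label under
    the derived key. It reveals nothing about the wallet, but anyone holding
    it can test candidate passphrases offline, so it is also an oracle for an
    attacker: passphrase length and KDF cost are what protect you.
    """
    if salt is None:
        salt = os.urandom(16)
    key = derive_key(passphrase, salt)
    tag = hmac.new(key, CHECK_LABEL, hashlib.sha256).hexdigest()
    return {"salt": salt.hex(), "n": SCRYPT_N, "r": SCRYPT_R,
            "p": SCRYPT_P, "tag": tag}


def check_passphrase(candidate, verifier):
    """True only if candidate reproduces the key the verifier was made with."""
    key = derive_key(candidate, bytes.fromhex(verifier["salt"]),
                     verifier["n"], verifier["r"], verifier["p"])
    tag = hmac.new(key, CHECK_LABEL, hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, verifier["tag"])


# Constructed clue answers for the illustration, in clue-file order.
CLUES = [
    ("correct horse", "plain"),       # "my standard password"
    ("broccoli", "backwards_caps"),   # "food my wife hates (backwards, all caps)"
    ("&#$%@", "plain"),               # literal symbols written in the clue file
]


def rehearsal():
    """The 'practice with a small number of coins' step.

    Builds the verifier from the real passphrase, then checks that a faithful
    reconstruction passes and that a near miss (the second clue's rule
    forgotten) fails. Returns (faithful_ok, near_miss_ok).
    """
    verifier = make_verifier(assemble_passphrase(CLUES))
    faithful = check_passphrase(assemble_passphrase(CLUES), verifier)
    forgot_rule = [(answer, "plain") for answer, _ in CLUES]
    near_miss = check_passphrase(assemble_passphrase(forgot_rule), verifier)
    return faithful, near_miss


if __name__ == "__main__":
    print(json.dumps(make_verifier(assemble_passphrase(CLUES)), indent=2))
    print("faithful reconstruction, near miss:", rehearsal())
```

The derived key is what you would hand to an authenticated cipher from a vetted library to encrypt the wallet file itself; the standard library has none, so that step is not shown. Keep the verifier with each encrypted copy and run it before committing real coins, because a forgotten rule such as "backwards, all caps" produces a passphrase that silently fails, and the verifier is the only way to tell that apart from a corrupted backup.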

Ridi (Jr. Member, Activity: 42)
August 03, 2011, 01:18:15 AM  #2

Frankly if we are going to get this market off the ground we have to trust SOMEBODY.  I like your guidelines.  If you know where and who the person is, you have a leg up in litigating your funds back (since bitcoins do have an estimable value, theft is a criminal action.)  Another thing you should require is a merchant agreement.  When you are making a purchase online you want there to be a page (or better yet, receive an e-mail) that says exactly what product or service you are receiving and the cost in bitcoins.  You also want this to include the deposit address for the wallet, so you can prove that you paid to that address the specified amount from your transaction history. (Print off the webpage.)

Another important factor is if they accept cash transactions.  In the United States and many Western countries cash is legal tender, required by law to be accepted for transactions.  If they do not have a method for you to buy their product using a cash method, such as PayPal, credit card, Western Union, etc., and operate solely on bitcoin, then they are operating illegally.  Even if they are legitimately offering products and services you are taking a gamble that they won't be closed down through legal channels before filling your order, and probably shouldn't be trusted anyway for their complete lack of business sense.

Edit: http://www.treasury.gov/resource-center/faqs/Currency/Pages/legal-tender.aspx Apparently private businesses in the US are not required to accept cash, but it would definitely be a step towards their credibility in my opinion, since fraud with legal tender is a federal offense and raises the stakes quite a bit for criminals.

I use Trade Hill, you can use my referral code (TH-R115864) for a 10% discount on commissions
Public address 1vedbt1pLCKyBfS9eApCfL4UAwQ1et12z
I don't support the artificial value of BTC, don't buy BTC at ridiculous prices.  Let Miners learn the lesson banks wouldn't.  The Supply has outgrown Dema
dacoinminster (Legendary, Activity: 1036)
August 03, 2011, 01:52:05 PM  #3

Quote
Frankly if we are going to get this market off the ground we have to trust SOMEBODY.  I like your guidelines.  If you know where and who the person is, you have a leg up in litigating your funds back (since bitcoins do have an estimable value, theft is a criminal action.)  Another thing you should require is a merchant agreement.  When you are making a purchase online you want there to be a page (or better yet, receive an e-mail) that says exactly what product or service you are receiving and the cost in bitcoins.  You also want this to include the deposit address for the wallet, so you can prove that you paid to that address the specified amount from your transaction history. (Print off the webpage.)

Another important factor is if they accept cash transactions.  In the United States and many Western countries cash is legal tender, required by law to be accepted for transactions.  If they do not have a method for you to buy their product using a cash method, such as PayPal, credit card, Western Union, etc., and operate solely on bitcoin, then they are operating illegally.  Even if they are legitimately offering products and services you are taking a gamble that they won't be closed down through legal channels before filling your order, and probably shouldn't be trusted anyway for their complete lack of business sense.

Agreed. I wrote the post because I am appalled at how much people are trusting exchanges and online wallets to hold ALL their bitcoins. People are too trusting, and need to get a lot more paranoid.

BlockHash (Member, Activity: 84)
August 03, 2011, 02:07:54 PM  #4

I think you hit some important points.

 It's very suspicious to me, that right after all of the fraud allegations started being mentioned, some guy comes in with a template website and some seemingly professional words claiming to be starting some type of "protection service" called the UABB. If this thing isn't a scam, I don't know what is.

1K5b6v1QHd4A1PF58LSvb3oafPyy3kL1m1 FOR LIBERTY AND GREAT JUSTICE! RON PAUL 2012!

https://i.imgur.com/zztDC.png

cosbycoin.com
Mfister (Newbie, Activity: 6)
August 03, 2011, 02:31:17 PM  #5

What's the point of bitcoin if you have to be so paranoid?
timmey (Newbie, Activity: 28)
August 03, 2011, 02:46:31 PM  #6

Quote
What's the point of bitcoin if you have to be so paranoid?

Buying things anonymously like with cash?

I will sign you up anonymously at realitykings.com (http://rk.com)[NSFW] for Bitcoins with 20% discount!
https://ip.bitcointalk.org/?u=http%3A%2F%2Ftimmey.orgfree.com%2Fs.php&t=550&c=bgIxqnFXAT2PgQ
read all details in this thread (https://bitcointalk.org/index.php?topic=32428)
dacoinminster (Legendary, Activity: 1036)
August 03, 2011, 02:47:31 PM  #7

Quote
What's the point of bitcoin if you have to be so paranoid?

I put this post in the Newbies area for a reason :)

I believe that bitcoin will someday be orders of magnitude more secure (and more valuable). If you buy bitcoins now, you are an early adopter getting in while prices are cheap and betting that security and utility will improve.

In the meantime, yes, you must be absurdly paranoid. These websites cannot be trusted any more than you absolutely have to. To actually hold onto your coins long enough for your investment to pay off, you need to push the paranoia up to the tinfoil-hat level. This is the price of being an early bitcoin adopter.

Xephan (Jr. Member, Activity: 42)
August 03, 2011, 02:52:37 PM  #8

Quote
Seriously. Don't trust the exchanges, don't trust online wallet services, don't trust your anti-virus software, and don't trust anybody online.

Quote
When I needed people to trust me to hold bitcoins for a contest, I deposited 50 bitcoins as a bond with a well-respected forum member,

Am I the only one who finds it ironic? :D

After all, the two persons could be in cahoots, so while A claims to have left insurance with B, they are actually on the same team.

186q9YUW3x8TVHC5aYBEqgZZYMxft8Cw9f
dacoinminster (Legendary, Activity: 1036)
August 03, 2011, 03:04:31 PM  #9

Quote
Seriously. Don't trust the exchanges, don't trust online wallet services, don't trust your anti-virus software, and don't trust anybody online.

Quote
When I needed people to trust me to hold bitcoins for a contest, I deposited 50 bitcoins as a bond with a well-respected forum member,

Am I the only one who finds it ironic? :D

After all, the two persons could be in cahoots, so while A claims to have left insurance with B, they are actually on the same team.


This is the sort of paranoia we need more of around here!

In this case, a less trusted forum member (me) was leveraging the trust of someone who was much more trusted. Michael Hendrix met all my requirements for how to choose someone to trust if you must (listed above), except obviously he had no insurance himself. In that forum thread I was telling the people placing bets that they don't need to trust me if they trust him, since he was holding my bond.

We could have been in cahoots, but there wouldn't be any point to doing that. Michael already has a lot of trust - he doesn't need my help to scam people if he decides he wants to do so.

Xephan (Jr. Member, Activity: 42)
August 03, 2011, 03:16:53 PM  #10

Quote
This is the sort of paranoia we need more of around here!

In this case, a less trusted forum member (me) was leveraging the trust of someone who was much more trusted. Michael Hendrix met all my requirements for how to choose someone to trust if you must (listed above), except obviously he had no insurance himself. In that forum thread I was telling the people placing bets that they don't need to trust me if they trust him, since he was holding my bond.

We could have been in cahoots, but there wouldn't be any point to doing that. Michael already has a lot of trust - he doesn't need my help to scam people if he decides he wants to do so.

The problem is that trust is a snowball and eventually the amount trusted is going to get bigger and bigger. I'm a cynic so I don't believe that anybody is incorruptible, just a matter of price. Sometimes it's not even the person's intention to defraud anybody, things might happen that he is forced to make a bad decision.

After all, if a crook knows Michael is holding on to say 10K BTC or about US$ 120K (now, but hey, it might be US$1.2M 2 years later) worth for you, and his full name and such mean that the crook knows exactly where Michael lives, what's to say he won't pay Michael a surprise visit and force Michael to transact that 10K BTC + his own personal stash somewhere else, where his partner immediately converts it to cash?

I've been thinking about trying to come up with a system that can be untrusted but seriously at every point, I always find a human being can always fuck it up from outside the technological system. Of course it could be my paranoia coming up with all kinds of "ridiculous scenarios" that won't ever happen in real life. Even then it's only a question of how probable.

So fundamentally the only way to reduce the exposure to close to zero is just a system with low fraud/loss probability P + never trusting it with more than X amount so that P * X is always such a small number that the users won't really feel it even if that system fails.


dacoinminster (Legendary, Activity: 1036)
August 03, 2011, 03:32:17 PM  #11


Quote
The problem is that trust is a snowball and eventually the amount trusted is going to get bigger and bigger. I'm a cynic so I don't believe that anybody is incorruptible, just a matter of price. Sometimes it's not even the person's intention to defraud anybody, things might happen that he is forced to make a bad decision.

After all, if a crook knows Michael is holding on to say 10K BTC or about US$ 120K (now, but hey, it might be US$1.2M 2 years later) worth for you, and his full name and such mean that the crook knows exactly where Michael lives, what's to say he won't pay Michael a surprise visit and force Michael to transact that 10K BTC + his own personal stash somewhere else, where his partner immediately converts it to cash?

I've been thinking about trying to come up with a system that can be untrusted but seriously at every point, I always find a human being can always fuck it up from outside the technological system. Of course it could be my paranoia coming up with all kinds of "ridiculous scenarios" that won't ever happen in real life. Even then it's only a question of how probable.

So fundamentally the only way to reduce the exposure to close to zero is just a system with low fraud/loss probability P + never trusting it with more than X amount so that P * X is always such a small number that the users won't really feel it even if that system fails.

Yes, and spread around your risk so that you don't have a "single point of failure" where you can lose all your coins!

jarogej (Newbie, Activity: 9)
August 03, 2011, 05:11:40 PM  #12

I trust only my wallet secured by TrueCrypt
JHen (Newbie, Activity: 14)
August 03, 2011, 07:53:16 PM  #13

Can't be too paranoid, you have to convert the BTC to real currency at some point after all
dacoinminster (Legendary, Activity: 1036)
August 03, 2011, 08:03:53 PM  #14

Quote
I submit my post for Newbie sticky consideration:

https://bitcointalk.org/index.php?topic=33835.0

Newbies (and some senior members who should know better) are way too trusting.

Quote
Done :)

This thread is now stickied (thanks SW). I'm hoping that this thread can help a few Newbies achieve the proper paranoia without having to earn it by losing coins.

Optonic (Jr. Member, Activity: 31)
August 03, 2011, 09:38:22 PM  #15

Paranoia is a good thing for sure when it comes to money/worth-related things BUT why not revert to something which works quite well in real life/with fiat money: contracts/agreements/treaties (whatever you'd like to call them). At least when it comes to a larger transfer of money/btc this could come in handy. This even works within the digital world. Set up a contract both parties agree on and let both contractual partners sign this contract with a class II certificate issued by an approved CA. In Germany there are even officially accredited CAs (accredited by the "Bundesnetzagentur" (lit.: Federal Network Agency)) (accredited CAs). One of the accredited CAs is the "Bundesdruckerei" (lit. Federal print office). Its subsidiary D-TRUST offers class II certificates for personal use for 83,19 Euros (link) which are valid for two years. Tractis will help to find a CA near you :-)

goxsh — a command-line frontend to the Mt. Gox Bitcoin Exchange
Ridi (Jr. Member, Activity: 42)
August 03, 2011, 11:22:07 PM  #16

Alright, you added some stuff about encryption passwords that seems ridiculously complex when it doesn't need to be.

When you create a password for anything which could be sensitive (including email you idiots) it needs to be at least 13 characters, the longer the better. Julian Assange used a 52 character password for his encrypted distribution of his 'insurance plan.'

Every password you use should be written down.  Most preferably in the same spot (that isn't under your keyboard), like one of those little journals you can get at Borders or something; you should also have a backup copy of this somewhere very secure (a lock box, bank secure box, etc). At most you should have 2 books, 1 for less secure information like your WOW account, E-mail, etc, another for Bitcoin passwords, Bank Accounts etc.  The reasons I say your passwords need to be written down are two-fold.

1- You can have super secure random passwords like 23Dhn#$qsxmnmnt953 and don't have to bother with memorizing them.

2- If somebody nefarious does take your password book, you know EXACTLY what they have access to, since you have one in a secure lock-box. It's easy to call your banks and tell them you know your password's been stolen and you need your account information changed or a new password assigned until you can change it.  This also limits the suspects to people who had access to your notebook.  A HUGE advantage over the millions of possible people who may have just gotten access to your computer in one form or another.

Also if you are on a Microsoft computer, like myself, there is a large chance you have a keylogger already on your computer just pumping away at your personal information.  There is no way, I repeat NO WAY, to eliminate the chances of your keys being logged because there is some pretty advanced software out there for keylogging and it only gets more advanced every day.  You can reduce it by quite a bit though by using the on-screen keyboard (Accessories>Ease of Access) for your password input.

Additional Note- One thing I'd like to see from (trusted, secure, something like Windows or Google doing this, not some hack that could easily be a keylogger in itself) developers.  An on-screen keyboard that not only randomizes the keys, but blacks out the key your mouse is hovering over so that the 'micro-screenshot' used by some keyloggers is rendered useless.

nighteyes (Member, Activity: 105)
August 04, 2011, 02:53:07 AM  #17

Quote
Paranoia is a good thing for sure when it comes to money/worth-related things BUT why not revert to something which works quite well in real life/with fiat money: contracts/agreements/treaties (whatever you'd like to call them).

Contracts are just a piece of paper....what you are really asking for is trust in the government...no thanks. The idea is to make people more self-reliant and if they don't want to be taken, they need to learn how to defend themselves....it's just that simple.

My 2 cents vote is for social networking. As I posted somewhere else, Anon Plus (or whatever its name will be) is a really good start. Everyone has a confidential name and then social groups form. It should be the social groups that have to fight or die in competition.

So for example, I would be an accepted member of the IAlwaysPayMyBillsOnTime which is endorsed by the SellersRUs group and vice versa. You don't have to know my government identity....all you need to know is that your risk has been spread. If the regulations are too high, a group will die...too low, a group will die. Too few members or too many members, same thing. I would also be in other groups and you could see that as well (if I wanted you to).

Let's note the social network info is encrypted on the internet....so if you forget your password, your identity is dead....you talk about losing your wallet, how about losing your identity?

Notwithstanding this is all speculation. In fact, the DOJ supposedly has sent Anon+ an email :)
http://pastebin.com/4VMdcDbg

So yes, there are people working on a lot of community issues and people just have to be patient and see if they can help out.
Xephan (Jr. Member, Activity: 42)
August 04, 2011, 03:35:19 AM  #18

Quote
Every password you use should be written down.  Most preferably in the same spot (that isn't under your keyboard), like one of those little journals you can get at Borders or something; you should also have a backup copy of this somewhere very secure (a lock box, bank secure box, etc). At most you should have 2 books, 1 for less secure information like your WOW account, E-mail, etc, another for Bitcoin passwords, Bank Accounts etc.  The reasons I say your passwords need to be written down are two-fold.

1- You can have super secure random passwords like 23Dhn#$qsxmnmnt953 and don't have to bother with memorizing them.

2- If somebody nefarious does take your password book, you know EXACTLY what they have access to, since you have one in a secure lock-box. It's easy to call your banks and tell them you know your password's been stolen and you need your account information changed or a new password assigned until you can change it.  This also limits the suspects to people who had access to your notebook.  A HUGE advantage over the millions of possible people who may have just gotten access to your computer in one form or another.

If somebody was smart enough to figure out where you kept the passbook and smart enough to unlock a secure lock box, he or she would also be smart enough to scan/photograph the passwords and replace everything as it is.

Even if they don't, they just need to pick a time you won't discover the loss for at least a few hours. More than enough time for them to clear out your accounts.

Writing down passwords is a major no no. It's safer to come up with your own personal methods like using first letter of every word in a sentence to make up long and relatively random passwords.

Quote
Additional Note- One thing I'd like to see from (trusted, secure, something like Windows or Google doing this, not some hack that could easily be a keylogger in itself) developers.  An on-screen keyboard that not only randomizes the keys, but blacks out the key your mouse is hovering over so that the 'micro-screenshot' used by some keyloggers is rendered useless.

No use. Usually the  micro screenshot is set to the active window. So if I own a logger installed on your PC, it would likely already know what the arrangement of the keyboard is based on screenshots before your mouse reached the keyboard. Even if it was taken after you hover, it's only missing that ONE key you're hovering over.

You should have a firewall that can block outgoing traffic so even if the logger captures the shots, your firewall would alert you when it tries to send out.

Ridi (Jr. Member, Activity: 42)
August 04, 2011, 04:25:00 AM  #19

Quote
Writing down passwords is a major no no. It's safer to come up with your own personal methods like using first letter of every word in a sentence to make up long and relatively random passwords.

Disagree, the scenario you outlined is far more unlikely than a memorable password being hacked.  Also still limits the suspects to people who could theoretically gain access to the passwords.

Even if you do simple letter substitution, the password should still be over 13 characters for any amount of security from rainbow tables. Very difficult to remember for the average person.

Any way you look at it, there is always a way to get at your information.  The likelihood of that event happening is determined by the level of security you pursue.  Use what works for you and be aware of the foreseeable ways that your chosen method can be abused.

Also- Micro screenshot loggers take images of the surrounding area of a mouse click.  Rarely do you have to worry about your entire screen being recorded since live recording of your screen would drag most computers down enough for the average person to be concerned anyways.  Even if they take an image of the entire screen with every mouse click, a simple solution would be to make the secure keyboard randomize positions with every entry.  Another level of complexity would be to have the keyboard scroll so only a line of characters was visible to click on at a time, so you could not use a process of elimination.

As for firewalls, I'm most concerned with methods that don't involve configuration of your computer, since more secure wallets and merchanting programs 'out of the box' will assist in widespread adoption

Xephan (Jr. Member, Activity: 42)
August 04, 2011, 04:43:48 AM  #20

Quote
Disagree, the scenario you outlined is far more unlikely than a memorable password being hacked.  Also still limits the suspects to people who could theoretically gain access to the passwords.

Perhaps, but it really depends on how the person chooses to generate his/her password. If the person is naive enough to use the same password or the same passphrase or same method always, then obviously he/she's going to be screwed. But the same person is also likely to be equally naive with physical security. In the end, the weakest link is still the user.


Quote
Even if you do simple letter substitution, the password should still be over 13 characters for any amount of security from rainbow tables. Very difficult to remember for the average person.

A password should always be long and safer if the code salts the password hash properly. The average person won't be able to remember a random sequence of letters, but a passphrase like "This is my password for getting into the bitcoin bank" and using "Timpfgitbb" is probably much easier. Of course the risk is again, a naive user might just end up using the same passphrase and effectively reducing it to a 2 letter password since only the last few letters would ever change.

Quote
Also- Micro screenshot loggers take images of the surrounding area of a mouse click.  Rarely do you have to worry about your entire screen being recorded since live recording of your screen would drag most computers down enough for the average person to be concerned anyways.  Even if they take an image of the entire screen with every mouse click, a simple solution would be to make the secure keyboard randomize positions with every entry.  Another level of complexity would be to have the keyboard scroll so only a line of characters was visible to click on at a time, so you could not use a process of elimination.

Only the last suggestion would be useful IMO because if the logger screenshots just the active window (or even a reasonably wide area such as 200px instead of just a few pixels around the cursor), it would be able to see the entire keyboard. Randomizing that on every click doesn't help since every click gets the logger a new picture with all the keys except the one you used.

The problem with the scroller is that the average users may get rapidly annoyed with it and give up using the system or find ways to get around it if they have to deal with it daily. That's what makes users put password sticky notes on office monitors in places where they implement draconian password policies such as minimum 10 letters, no reusing of last 12 passwords, no similar passwords, new password every 2 weeks or 30 log ins.

Quote
As for firewalls, I'm most concerned with methods that don't involve configuration of your computer, since more secure wallets and merchanting programs 'out of the box' will assist in widespread adoption

Frankly speaking if the user's system isn't secured in the first place against information leak, nothing we do can be considered secured. Just the initial entry of the password during registration, or even receiving a generated password in the email, could be the time of the leak, rendering whatever physical measures or random onscreen keyboard useless.

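The last few posts trade three claims: that a password needs 13+ characters to be safe from rainbow tables, that an acrostic of a sentence ("Timpfgitbb") is a workable way to get there, and that a properly salted hash is what really matters. The Python below is an added example written for this page, not code from any of the posters or from any exchange or wallet. It builds the acrostic, shows that an unsalted hash of even a long passphrase falls to a precomputed table (a rainbow table is the space-efficient form of the same idea) whenever the passphrase is on the attacker's list, and shows what a per-record salt with an iterated KDF fixes and what it does not. The password list and table are constructed for the illustration, and PBKDF2-HMAC-SHA256 stands in for whatever KDF a service actually uses.

```python
import hashlib
import hmac
import os

# Constructed attacker's table: unsalted SHA-256 of passwords worth precomputing.
# A real table holds billions of entries; four are enough to show the mechanism.
COMMON_PASSWORDS = [
    "password1",
    "letmein",
    "Timpfgitbb",                  # the acrostic suggested in the post
    "correcthorsebatterystaple",   # long, but famous enough to be in every list
]
PRECOMPUTED = {hashlib.sha256(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def acrostic(sentence):
    """First letter of each word, case kept: the passphrase scheme above."""
    return "".join(word[0] for word in sentence.split())


def store_unsalted(password):
    """What a naive service stores: one deterministic hash per password."""
    return hashlib.sha256(password.encode()).hexdigest()


def lookup_unsalted(stored_hash):
    """Precomputation attack: a single table lookup, whatever the length."""
    return PRECOMPUTED.get(stored_hash)


def store_salted(password, salt=None, iterations=200_000):
    """Per-record random salt plus an iterated KDF (PBKDF2-HMAC-SHA256)."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": dk.hex()}


def verify_salted(password, record):
    """Recompute under the stored salt and compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(dk.hex(), record["hash"])


def lookup_salted(record):
    """The same precomputed table against a salted record never matches:
    the table would have to be rebuilt for every salt and iteration count."""
    return PRECOMPUTED.get(record["hash"])


def guess_salted(record, candidates):
    """Salting only removes precomputation. A weak or reused passphrase still
    falls to per-record guessing; the iteration count sets the cost per guess."""
    for candidate in candidates:
        if verify_salted(candidate, record):
            return candidate
    return None


if __name__ == "__main__":
    pw = acrostic("This is my password for getting into the bitcoin bank")
    print("acrostic:", pw)
    print("unsalted, recovered by table lookup:", lookup_unsalted(store_unsalted(pw)))
    rec = store_salted(pw)
    print("salted, table lookup:", lookup_salted(rec))
    print("salted, per-record guessing:", guess_salted(rec, COMMON_PASSWORDS))
```

The point of the two lookups side by side is that length alone is not the defence: a 25-character phrase that appears in a word list is found in one lookup against an unsalted hash, and a salt moves the attacker from one lookup to one KDF run per guess per record. Whether that run is expensive enough is then a matter of the iteration count and of the passphrase not being on anybody's list, which is exactly where a reused acrostic sentence fails.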