coineta.com (Newbie; Activity: 14; Merit: 0)
May 23, 2012, 11:01:20 PM
What if you forget one of your 25+ random characters passwords? Then how would you get your bitcoins back?
> +1 extremely paranoid here too. Besides "trust no one", I also like to stress: NO compromise when it comes to securing your bitcoins. Here's what I do: I have a dedicated VirtualBox VM with Ubuntu which I only use to run the Bitcoin client. I use an encrypted wallet. I store this wallet in a small truecrypt container (inside the VM). Furthermore the VM itself (well, the .vdi disk image containing the actual data) is inside a truecrypt container on the host machine. I also make sure to have frequent remote backups (in case my house burns down, my PC gets stolen, the FBI takes it, whatever). After every few transactions, I compress the truecrypt container (I mean the small one inside the VM which contains just the wallet) using 7-zip with AES-256 encryption, and send this .7z to three webmail addresses (one yahoo, one hotmail, one gmail). All passwords (for the truecrypt volumes and the encrypted wallet and the 7-zip archive etc) are 25+ random characters. The passwords are stored in KeePass (and in the truecrypt mount and backup scripts in the VM so I never have to fill them in manually, except when I'd need to restore a backup). I will not get f*cked.

Kazimir (Legendary; Activity: 1176; Merit: 1011)
May 23, 2012, 11:23:42 PM
> What if you forget one of your 25+ random characters passwords? Then how would you get your bitcoins back?
> The passwords are stored in KeePass
And KeePass is protected with one master password which is impossible to guess or brute-force, but very easy (for me) to remember. It looks like bd9x2G5!27cjEYd5v6k, but different. I only remember this particular password, though. I wouldn't trust myself to remember more passwords like that one (that's what KeePass is for).

JulioGonzo (Newbie; Activity: 6; Merit: 0)
May 24, 2012, 08:03:58 PM
I agree

d6d4d59 (Newbie; Activity: 16; Merit: 0)
May 25, 2012, 07:17:55 AM
Is ur password a hash? Hashing "ilovemymommy" gives you an incredibly hard-to-crack password, but is pretty easy to remember (you love your momma and the hashing algorithm).

Kazimir (Legendary; Activity: 1176; Merit: 1011)
May 25, 2012, 08:53:48 AM
> Is ur password a hash? Hashing "ilovemymommy" gives you an incredibly hard-to-crack password, but is pretty easy to remember (you love your momma and the hashing algorithm).
No, this is actually easy to brute force. Such tricks are common. If "ilovemymommy" is a bad password (and it is), then so is hash("ilovemymommy"). In fact, its md5 appears in several open dictionaries already (example). What I'm doing is somewhat like this: I take a memorable sentence, for example "Old Mac Donald Had a Farm". Then I pick only the last and first letter of each word: dOcMdDdHamF. But slightly more complicated (for my actual password I use two sentences, with some numbers and strange 'slang words' that only make sense to me).
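An added Python example (not code from any poster in this thread) that demonstrates Kazimir's point: a guessing attack simply composes the same transform the user applied, so the md5 of a dictionary word falls in exactly as many guesses as the word itself, and the strength has to come from an input the attacker cannot enumerate. The wordlist is constructed for the demo, and `first_last_mnemonic` implements the "Old Mac Donald" illustration from the post.

```python
import hashlib
import math
import secrets
import string

# Constructed stand-in for a cracking dictionary. Real lists hold hundreds of
# millions of entries, but the argument does not depend on the size.
WORDLIST = ["password", "123456", "letmein", "iloveyou", "ilovemymommy", "dragon"]


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def guesses_until_found(secret, candidates, transform=lambda w: w):
    """Count candidates tried until transform(word) == secret; None if the
    secret is not reachable from the list. The guesser applies the same
    transform the user did, so hashing a dictionary word costs one extra
    hash per guess and changes nothing about the size of the search space."""
    for guess_no, word in enumerate(candidates, start=1):
        if transform(word) == secret:
            return guess_no
    return None


def first_last_mnemonic(sentence: str) -> str:
    """Kazimir's illustration: last letter then first letter of each word.
    'Old Mac Donald Had a Farm' -> 'dOcMdDdHamF'; one-letter words appear once.
    This too is only a transform: its strength is the secrecy of the
    sentence, not the rule, so a famous sentence buys little."""
    return "".join(w if len(w) == 1 else w[-1] + w[0] for w in sentence.split())


def random_password(length: int = 25,
                    alphabet: str = string.ascii_letters + string.digits + string.punctuation) -> str:
    """Step-2 style password: uniformly random over the 94 printable ASCII
    characters, so no dictionary or transform of a dictionary reaches it."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Guessing entropy of a uniformly random string, in bits."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    plain = guesses_until_found("ilovemymommy", WORDLIST)
    hashed = guesses_until_found(md5_hex("ilovemymommy"), WORDLIST, md5_hex)
    print(f"plain word found at guess {plain}, its md5 at guess {hashed}")
    print("mnemonic:", first_last_mnemonic("Old Mac Donald Had a Farm"))
    print(f"25 random printable chars: ~{entropy_bits(94, 25):.0f} bits")
```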

kaurdump (Newbie; Activity: 17; Merit: 0)
May 25, 2012, 03:37:21 PM
not even my own mother?

malevolent (can into space; Legendary; Activity: 3472; Merit: 1725)
May 26, 2012, 07:25:07 PM
> What I'm doing is somewhat like this: I take a memorable sentence, for example "Old Mac Donald Had a Farm". Then I pick only the last and first letter of each word: dOcMdDdHamF. But slightly more complicated (for my actual password I use two sentences, with some numbers and strange 'slang words' that only make sense to me).
You should never say this sort of stuff to anyone. I once managed to guess someone's password by asking them what's a good password.

Signature space available for rent.

crouslai (Newbie; Activity: 16; Merit: 0)
May 28, 2012, 03:04:24 PM
> > What I'm doing is somewhat like this: I take a memorable sentence, for example "Old Mac Donald Had a Farm". Then I pick only the last and first letter of each word: dOcMdDdHamF. But slightly more complicated (for my actual password I use two sentences, with some numbers and strange 'slang words' that only make sense to me).
> You should never say this sort of stuff to anyone. I once managed to guess someone's password by asking them what's a good password.
+1

Kazimir (Legendary; Activity: 1176; Merit: 1011)
May 29, 2012, 10:15:05 AM
> You should never say this sort of stuff to anyone. I once managed to guess someone's password by asking them what's a good password.
Well, my addition was not true either (or was it? you never know!). It was just for demonstration purposes. Either way, I'm willing to bet a million BTC that even if I revealed the actual basic construction of my password to anyone (which I won't), they wouldn't be able to guess/hack/crack/bruteforce it in a lifetime.

QiVX (Member; Activity: 81; Merit: 10)
May 29, 2012, 11:36:55 AM
Very informative guide. Simple rule of thumb, if it's too good to be true, it probably isn't true!

malevolent (can into space; Legendary; Activity: 3472; Merit: 1725)
May 29, 2012, 03:53:58 PM
> > You should never say this sort of stuff to anyone. I once managed to guess someone's password by asking them what's a good password.
> Well, my addition was not true either (or was it? you never know!). It was just for demonstration purposes. Either way, I'm willing to bet a million BTC that even if I revealed the actual basic construction of my password to anyone (which I won't), they wouldn't be able to guess/hack/crack/bruteforce it in a lifetime.
Well, you still have given little info, but search results are definitely narrowed. Now, assuming there was someone who knew you personally outside the forums, that person would have easier work.

Signature space available for rent.

Kazimir (Legendary; Activity: 1176; Merit: 1011)
May 29, 2012, 05:09:53 PM
> Well, you still have given little info, but search results are definitely narrowed. Now, assuming there was someone who knew you personally outside the forums, that person would have easier work.
I dare to say they wouldn't (but just in case, I'm not posting under my real name). But just for clarity, I'd like to summarize the idea behind this kind of password management again:
1. Have ONE unique, strong, long master password that is easy to remember (for you) yet incredibly difficult for others to guess (even people who know you personally) or to brute force by dictionary attacks and common variations (mixing upper/lower case, 1337 speak, etc). Just as examples, consider the xkcd comic about password strength (but more complex, that one is actually easy to brute force) or the points I mentioned above. The name of your dog or mother + your birth year is NOT a good password.
2. For any account, email address, bitcoin wallet, encrypted drive, login, and anything else, use a unique, randomly generated (thus very hard to remember and impossible to guess) password. Store these passwords with KeePass or a similar solution (for example a .txt file inside a truecrypt container).
3. Protect (as in, encrypt) these passwords with the master password from step 1; the idea is that your passwords should NEVER be stored in plaintext anywhere. And make sure to back up your password database (typically just a single data file or truecrypt container) regularly, to a remote location. Automatic backup solutions such as Dropbox can also help here.

drewsonlinenow (Newbie; Activity: 10; Merit: 0)
May 29, 2012, 09:50:27 PM
gotta be careful!

burnside (Legendary; Activity: 1106; Merit: 1006; Lead Blockchain Developer)
May 30, 2012, 09:49:44 PM
Don't run windows.

wirmola (Member; Activity: 111; Merit: 10)
June 01, 2012, 09:43:22 AM
Well, I've got my coins stolen from BITCOINICA... no more trusting... Now I need to make some new coins..

Jouke
June 01, 2012, 11:08:34 AM
The legislation in countries is very harsh; if a company doesn't have some sort of legislation it will be taken down.

Buy and sell bitcoins quickly and safely via iDeal at Bitonic.nl

Kazimir (Legendary; Activity: 1176; Merit: 1011)
June 01, 2012, 11:52:47 AM
> The legislation in countries is very harsh; if a company doesn't have some sort of legislation it will be taken down.
What company? What country? Not sure what you're talking about. Remember, Bitcoin is not a company, and it's not related to any country. And it cannot be taken down. Bitcoin is simply a worldwide P2P network consisting of hundreds of thousands (and growing) of random users all over the world. Exactly who or what do you think they could 'take down'? Well, they'd have to shut down the entire internet. Not gonna happen (and if it does, regular banks will be f*cked just as much).

nolo200 (Member; Activity: 98; Merit: 10)
June 02, 2012, 11:11:54 PM
Good guide. I don't know if anyone mentioned it here, but definitely don't trust bitcoins with Paypal!

ryangetzlaf (Newbie; Activity: 36; Merit: 0)
June 03, 2012, 08:19:43 AM
Great advice!

btcftw (Newbie; Activity: 29; Merit: 0)
June 04, 2012, 10:07:45 AM
> > Well, you still have given little info, but search results are definitely narrowed. Now, assuming there was someone who knew you personally outside the forums, that person would have easier work.
> I dare to say they wouldn't (but just in case, I'm not posting under my real name). But just for clarity, I'd like to summarize the idea behind this kind of password management again:
> 1. Have ONE unique, strong, long master password that is easy to remember (for you) yet incredibly difficult for others to guess (even people who know you personally) or to brute force by dictionary attacks and common variations (mixing upper/lower case, 1337 speak, etc). Just as examples, consider the xkcd comic about password strength (but more complex, that one is actually easy to brute force) or the points I mentioned above. The name of your dog or mother + your birth year is NOT a good password.
> 2. For any account, email address, bitcoin wallet, encrypted drive, login, and anything else, use a unique, randomly generated (thus very hard to remember and impossible to guess) password. Store these passwords with KeePass or a similar solution (for example a .txt file inside a truecrypt container).
> 3. Protect (as in, encrypt) these passwords with the master password from step 1; the idea is that your passwords should NEVER be stored in plaintext anywhere. And make sure to back up your password database (typically just a single data file or truecrypt container) regularly, to a remote location. Automatic backup solutions such as Dropbox can also help here.
I like it when there is a plan. And this looks like a really good set of instructions to keep in mind. Thank you. Coming to the topic of "trust no one", I disagree; we do have to trust at some time. And trusting people offline and online is kinda similar. I think of it as getting as much information as possible on the people that you want to trust and in the end going with your gut feeling.