Trust No One

[Gigie]

Thanks for the advice.
This thread should be made sticky.

[tokeniso]

Great wealth of knowledge here for a Newbie like me thanks to all.

[Jeticoe]

Yes sir
Everyone should really revisit the OP once in a while to keep the awareness.

[Shark]

is katnisseverdeen a good password? 

[marcovaldo]

is katnisseverdeen a good password? 

No, not at all...
Is it your password?

[Andrewwattson]

Great advice thanks for the help.

[Litisun]

I absolutely agree with the concepts expressed in the original post. 

It's not paranoia if they really are out to get you.

[Thieverycorp]

Coming from the Silkroad scene, trust is a very important issue. Anything that can mitigate future damage should always be used. Be careful, guard your own back.

[Richy_T]

I like the individual responsibility, but ultimately the security boils down to the software used. While I agree in principle that "online wallets" should not be inherently trusted, there is trust built over time for anything that doesn't get violated on a regular basis.

This is how scam artists work. A little money at first then you get good returns/it's proven/whatever, then a little more money, then your friends' money. Hey, this is pretty good, let's borrow on the house... Boom, they're gone and you wonder what's happened.

Not that I'm saying that's the case with any particular online wallet service, just be careful with that whole trust thing.

[TaaviHV]

Lot of help. Thanks.

[Jaystar236]

Great post. Thanks for the info!

[eazybram]

If you are thinking that I might not be trustworthy, since I am writing this post about the issue, you are approaching the appropriate level of paranoia.

Best line from OP   

[revivalive]

excellent advice for us newbs. thanks!

[braxx]

tnx 4 the advise

[Forcecast]

Just so you know: http://bitcoinscammers.com/

[bennylou]

Thanks for the advice..

[Meuh6879]

to react about the first post ... it's right, the only way to keep is bitcoin is the "bitcoin-QT" application with the 15Go of associate blockchain folder.

i use only android app with nothing more like 100 Euros (200mBTC).

[singood]

Disagree, the scenario you outlined is far more unlikely than a memorable password being hacked.  Also still limits the suspects to people who could theoretically gain access to the passwords.

Perhaps, but it really depends on how the person chooses to generate his/her password. If the person is naive enough to use the same password or the same passphrase or same method always, then obviously he/she's going to be screwed. But the same person is also likely to be equally naive with physical security. In the end, the weakest link is still the user.

Even if you do simple letter substitution, the password should still be over 13 characters for any amount of security from rainbow tables. Very difficult to remember for the average person.

A password should always be long and safer if the code salts the password hash properly. The average person won't be able to remember a random sequence of letters, but a passphrase like "This is my password for getting into the bitcoin bank" and using "Timpfgitbb" is probably much easier. Of course the risk is again, a naive user might just end up using the same passphrase and effectively reducing it to a 2 letter password since only the last few letters would ever change.

Also- Micro screenshot loggers take images of the surrounding area of a mouse click.  Rarely do you have to worry about your entire screen being recorded since live recording of your screen would drag most computers down enough for the average person to be concerned anyways.  Even if they take an image of the entire screen with every mouse click, a simple solution would be to make the secure keyboard randomize positions with every entry.  Another level of complexity would be to have the keyboard scroll so only a line of characters was visible to click on at a time, so you could not use a process of elimination.

Only the last suggestion would be useful IMO because if the logger screenshots just the active window (or even a reasonably wide area such as 200px instead of just a few pixels around the cursor), it would be able to see the entire keyboard. Randomizing that on every click doesn't help since every click gets the logger a new picture with all the keys except the one you used.

The problem with the scroller is that the average users may get rapidly annoyed with it and give up using the system or find ways to get around it if they have to deal with it daily. That's what make users put password stick-it  on office monitors in places where they implement draconian password policies such as minimum 10 letters, no reusing of last 12 passwords, no similar passwords, new password every 2 weeks or 30 log ins.

As for firewalls, I'm most concerned with methods that don't involve configuration of your computer, since more secure wallets and merchanting programs 'out of the box' will assist in widespread adoption

Frankly speaking if the user's system isn't secured in the first place against information leak, nothing we do can be considered secured. Just the initial entry of the password during registration, or even receiving a generated password in the email, could be the time of the leak, rendering whatever physical measures or random onscreen keyboard useless.

[sibilant_doge]

So, just out of curiosity what does encrypting my wallet do? because when I have the program open I can seem to send and receive as I please. Does it encrypt against outside tapping? What does it do against someone remote accessing my computer?

[dbradley]

This is the sort of paranoia we need more of around here!

In this case, a less trusted forum member (me) was leveraging the trust of someone who was much more trusted. Michael Hendrix met all my requirements for how to choose someone to trust if you must (listed above), except obviously he had no insurance himself. In that forum thread I was telling the people placing bets that they don't need to trust me if they trust him, since he was holding my bond.

We could have been in cahoots, but there wouldn't be any point to doing that. Michael already has a lot of trust - he doesn't need my help to scam people if he decides he wants to do so.