Bitcoin Forum
Topic: how secure is double encryption of blockchain?
mskryxz (OP)
Sr. Member
Activity: 433
Merit: 250
January 04, 2014, 09:46:32 PM
#1

Can someone detail me how one would even access a wallet that has 2FA + Double Encryption?

Here is the scenario

Blockchain Main Password = 30+ Characters long, Lower/Upper Case, with Special characters
- Has 2-FA with a Cell Phone
- Has Double Encryption for spending which is = 40+ Characters long, Lower/Upper Case, with Special characters (Even longer than the one for accessing the wallet itself)
- Lastly, the E-mail Address associated with the wallet has a different password and is also 30+ characters long.


Trying to figure out how they would be able to access that wallet. Even if they get access to the e-mail associated with the wallet at Blockchain.info, there is nothing on there.


I understand that a paper wallet is still the best and most secure wallet, but just want to see other opinions on how secure this looks based on 3 different passwords with 30+ characters.
My plan is to also diversify. Say no more than 2 BTC per wallet. Also, half stored as cold paper wallets in a safe at home or at a bank or both actually.

Thoughts?

Edit:

Also wanted to add as a security measure, all Forums and other Bank Accounts/Video Game Accounts etc. will be 30+ characters long with upper/lower and special characters (or whatever the maximum password length is) as added security. All different for each account.

Rannasha
Hero Member
Activity: 728
Merit: 500
January 04, 2014, 10:49:39 PM
#2

How/where do you store the backup of the 2FA-secret? A combination of a keylogger and a poorly secured 2FA-secret-backup could cause issues.

In any case, the length of the password doesn't really matter that much, as long as it's not extremely short. It's extremely impractical to bruteforce passwords on a web-service. Hijacked accounts come from keyloggers and other malware or reused passwords between websites, not someone bruteforcing the password.
hilariousandco
Global Moderator
Legendary
Activity: 3822
Merit: 2628
January 04, 2014, 11:18:29 PM
#3

Quote from: mskryxz
Can someone detail me how one would even access a wallet that has 2FA + Double Encryption?

Here is the scenario

Blockchain Main Password = 30+ Characters long, Lower/Upper Case, with Special characters
- Has 2-FA with a Cell Phone
- Has Double Encryption for spending which is = 40+ Characters long, Lower/Upper Case, with Special characters (Even longer than the one for accessing the wallet itself)
- Lastly, the E-mail Address associated with the wallet has a different password and is also 30+ characters long.


Trying to figure out how they would be able to access that wallet. Even if they get access to the e-mail associated with the wallet at Blockchain.info, there is nothing on there.


I understand that a paper wallet is still the best and most secure wallet, but just want to see other opinions on how secure this looks based on 3 different passwords with 30+ characters.
My plan is to also diversify. Say no more than 2 BTC per wallet. Also, half stored as cold paper wallets in a safe at home or at a bank or both actually.

Thoughts?

Edit:

Also wanted to add as a security measure, all Forums and other Bank Accounts/Video Game Accounts etc. will be 30+ characters long with upper/lower and special characters (or whatever the maximum password length is) as added security. All different for each account.



Sounds about as secure as you're gonna get for an online wallet. This is exactly what I use for my blockchain account, except my passwords are shorter. Not sure if your passwords need to be that long, but I guess it doesn't hurt. Just make sure you don't forget them.

Kazimir
Legendary
Activity: 1176
Merit: 1003
January 05, 2014, 12:09:53 AM
#4

Quote from: mskryxz
Thoughts?

1. Malware on your PC that replaces the recipient address with its own just before it creates the signature.
2. Hacking the server, injecting something small in javascript that silently sends your private keys somewhere else (after they are decrypted by whatever security means you use client side).
3. Malware on your PC that does keylogging + man-in-middle 2FA intercepting (i.e. you think you're authorizing your login with 2FA, but actually you're authorizing the hacker who is waiting for your cellphone's result).
4. Malware on your PC that redirects your web traffic from blockchain.info to honeypotblockchainlookalike.ru.
5. Modifying your hosts file with the same effect as 4.
6. DNS hijack with the same effect as 4.

And I'm sure there are plenty of other possibilities.

Want your Bitcoins to be absolutely 100% totally safe? Use cold storage or local wallets in dedicated offline environment (e.g. Ubuntu with encrypted private keys and script to sign transactions offline).

In theory, there's no difference between theory and practice. In practice, there is.
Insert coin(s): 1KazimirL9MNcnFnoosGrEkmMsbYLxPPob
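
Item 5 in the list above (a modified hosts file) is something a defender can check for directly. The following is an added example, not part of the original post: it scans hosts-file text for entries that pin a watched domain to an address; the `WATCHED` set, the function names and the sample file are assumptions constructed for illustration.

```python
"""Flag hosts-file entries that override name resolution for watched domains."""
import ipaddress

WATCHED = {"blockchain.info"}  # domain named in the thread; extend as needed

# Constructed sample hosts file (203.0.113.0/24 is a documentation range).
SAMPLE_HOSTS = """\
# constructed sample, not from a real machine
127.0.0.1       localhost
::1             localhost ip6-localhost
203.0.113.10    Blockchain.info www.blockchain.info   # unexpected override
192.168.1.20    nas.local
not-an-ip       blockchain.info
"""

def normalize(name):
    """Hostnames are case-insensitive and may carry a trailing dot."""
    return name.rstrip(".").lower()

def is_watched(name, watched=WATCHED):
    """True for a watched domain or any subdomain of it, not for lookalikes."""
    name = normalize(name)
    return any(name == d or name.endswith("." + d) for d in watched)

def find_overrides(hosts_text, watched=WATCHED):
    """Return (line number, address, hostname) for every watched-domain entry."""
    findings = []
    for lineno, raw in enumerate(hosts_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        fields = line.split()
        addr, names = fields[0], fields[1:]
        try:
            # Strip an IPv6 zone id before validating the address.
            ipaddress.ip_address(addr.split("%", 1)[0])
        except ValueError:
            continue  # malformed line; the resolver ignores it too
        for name in names:
            if is_watched(name, watched):
                findings.append((lineno, addr, normalize(name)))
    return findings

if __name__ == "__main__":
    for lineno, addr, name in find_overrides(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} is pinned to {addr}")
```

On a real machine the input would be the contents of `/etc/hosts` or `C:\Windows\System32\drivers\etc\hosts`. This covers only the hosts file; it does not detect the DNS hijack in item 6.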
hilariousandco
Global Moderator
Legendary
Activity: 3822
Merit: 2628
January 05, 2014, 12:17:04 AM
#5

Quote from: Kazimir
Quote
Thoughts?
1. Malware on your PC that replaces the recipient address with its own just before it creates the signature.
2. Hacking the server, injecting something small in javascript that silently sends your private keys somewhere else (after they are decrypted by whatever security means you use client side).
3. Malware on your PC that does keylogging + man-in-middle 2FA intercepting (i.e. you think you're authorizing your login with 2FA, but actually you're authorizing the hacker who is waiting for your cellphone's result).
4. Malware on your PC that redirects your web traffic from blockchain.info to honeypotblockchainlookalike.ru.
5. Modifying your hosts file with the same effect as 4.
6. DNS hijack with the same effect as 4.

And I'm sure there are plenty of other possibilities.

Want your Bitcoins to be absolutely 100% totally safe? Use cold storage or local wallets in dedicated offline environment (e.g. Ubuntu with encrypted private keys and script to sign transactions offline).

Can cold wallets ever be 100% safe? They can still be stolen or damaged.

Kazimir
Legendary
Activity: 1176
Merit: 1003
January 05, 2014, 12:18:39 AM
#6

Quote from: hilariousandco
Can cold wallets ever be 100% safe?
Yep. A decent cold storage wallet is as safe as it gets.

Quote
They can still be stolen
Encryption.

Quote
or damaged.
Backups.

hilariousandco
Global Moderator
Legendary
Activity: 3822
Merit: 2628
January 05, 2014, 12:20:23 AM
#7

Quote from: Kazimir
Quote
Can cold wallets ever be 100% safe?
Yep. A decent cold storage wallet is as safe as it gets.

Quote
They can still be stolen
Encryption.

Quote
or damaged.
Backups.

What if they all get stolen and damaged? :D

medUSA
Legendary
Activity: 952
Merit: 1003
January 05, 2014, 12:45:21 AM
#8

I create 2 blockchain.info wallets with different passwords and different email addresses.
One to hold most of my bitcoins (which I call "Bank"), and the other one for frequent access (which I call "Stash").
I would only access "Bank" with an old laptop that I don't use for anything else.

I would add the public address of "Bank" (not the private keys) into the "Stash" wallet, so I can see my total balance
but hopefully will not lose all my coins if my "Stash" account got compromised.

(I am looking into Electrum client for a more secure alternative to my "Bank" wallet)


mskryxz (OP)
Sr. Member
Activity: 433
Merit: 250
January 05, 2014, 01:44:29 AM
#9

I'm going offline Armory storage.

Only my hot stash will be the 2FA 30+ char password blockchain for quick purchases and whatnot. The rest will be on an offline, disconnected computer, fresh install with nothing on it.
M++
Sr. Member
Activity: 342
Merit: 250
June 04, 2014, 05:40:39 AM
Last edit: June 04, 2014, 06:05:40 AM by M++
#10

Don't want to open a new topic.

I started to worry about blockchain, so I finally made some backups lol. I just want to know if it's easy to import the wallet file in MultiBit when double encryption is enabled? I read somewhere a while ago that this can be an issue.

Can someone update me about this? I don't want to be in trouble when shit happens. If my backups are useless I need to know it :)

Pro tip about security: always use a screen keyboard for some characters of the first password, and always use a screen keyboard for the 2nd. It can avoid keyloggers.

And overall I do not recommend a double 30-character password, because you will need to write it down to not forget it, which is not secure. I did it in the past and I was high sometimes, I was stressed about forgetting my password. When you type in 30 characters with special characters you will make a mistake at least 2 times and your heart will stop beating for 1 second after each "password error" haha, horrible feeling.


A double 15-20 character password with upper and lowercase + special is already a VERY strong one if it's made correctly. A password like:

"!2prKdu(*?12DhbxnDoMdL34!"3`^" 29 characters, which is impossible to remember ... It's kind of a generic password


Online Attack Scenario:
(Assuming one thousand guesses per second)   7.64 million trillion trillion trillion centuries
Offline Fast Attack Scenario:
(Assuming one hundred billion guesses per second)   76.43 billion trillion trillion centuries
Massive Cracking Array Scenario:
(Assuming one hundred trillion guesses per second)   76.43 million trillion trillion centuries

OK, you are safe, but you can do it way more simply:


"TTM,ath,S00n! @BtC" (to the moon, all time high, soon @ btc easy to remember no?)

Online Attack Scenario:
(Assuming one thousand guesses per second)   1.28 hundred billion trillion centuries
Offline Fast Attack Scenario:
(Assuming one hundred billion guesses per second)   1.28 thousand trillion centuries
Massive Cracking Array Scenario:
(Assuming one hundred trillion guesses per second)   1.28 trillion centuries


Don't forget space can be used as a special character, and it's a very strong special.

If you have two like this, it's better for the guy trying to bruteforce your password to mine dogecoin xD

We should not need to be so paranoid about bruteforce, it's more about malware, keyloggers and stuff like this.

Fliphodl.com ICO Analysis Website.
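
The estimate for the second password quoted in the post above can be reproduced with a short calculation. This is an added example, not part of the original post or of any tool it used; it assumes the estimate counts every string up to the password's length over the 95-character printable-ASCII alphabet, and the function names are illustrative. It measures exhaustive search only, so it says nothing about keyloggers, reused passwords or guessable phrases.

```python
"""Exhaustive-search estimate for a password, per attack-rate scenario."""
import string

SECONDS_PER_CENTURY = 100 * 365.25 * 24 * 3600

# Character classes and their sizes; space is counted with the symbols,
# as the post suggests ("space can be used as a special character").
CLASSES = [
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation + " "), 33),
]

# Guess rates quoted in the post, in guesses per second.
RATES = {
    "online": 10**3,
    "offline fast": 10**11,
    "massive cracking array": 10**14,
}

def alphabet_size(password):
    """Sum the sizes of every printable-ASCII class the password draws from."""
    known = set().union(*(chars for chars, _ in CLASSES))
    unknown = set(password) - known
    if unknown:
        raise ValueError(f"characters outside printable ASCII: {sorted(unknown)}")
    return sum(n for chars, n in CLASSES if chars & set(password))

def search_space(password):
    """Count all candidates of length 1..len(password) over that alphabet."""
    a = alphabet_size(password)
    return sum(a**k for k in range(1, len(password) + 1))

def centuries_to_exhaust(password, guesses_per_second):
    """Worst-case time to try every candidate, in centuries."""
    return search_space(password) / guesses_per_second / SECONDS_PER_CENTURY

def report(password):
    """Map each scenario name to the worst-case time in centuries."""
    return {name: centuries_to_exhaust(password, rate) for name, rate in RATES.items()}

if __name__ == "__main__":
    # Second example password from the post.
    for scenario, centuries in report("TTM,ath,S00n! @BtC").items():
        print(f"{scenario:>24}: {centuries:.3g} centuries")
```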
keithers
Legendary
Activity: 1456
Merit: 1001
June 04, 2014, 06:15:17 AM
#11

If someone gets ahold of your Blockchain backup, then they can access your coins with just the initial password right? It would bypass the second password wouldn't it?
M++
Sr. Member
Activity: 342
Merit: 250
June 04, 2014, 07:37:57 AM
#12

I just don't know. I'm asking because I'm too lazy to test it; I think people have the right answer to this.

I don't know how the double encryption of Blockchain.info affects the backup, I believe MultiBit does not support double encryption?

Light
Hero Member
Activity: 742
Merit: 502
June 04, 2014, 09:52:12 AM
#13

Quote from: medUSA
I create 2 blockchain.info wallets with different passwords and different email addresses.
One to hold most of my bitcoins (which I call "Bank"), and the other one for frequent access (which I call "Stash").
I would only access "Bank" with an old laptop that I don't use for anything else.

(I am looking into Electrum client for a more secure alternative to my "Bank" wallet)

Please tell me that you have a back up of that wallet somewhere else as well just in case the Blockchain service goes down? And you've tested it to make sure that you can decrypt the wallet as per stated on the site into a usable format? I would highly recommend you do both, I personally downloaded my wallet and had one of my private keys different in my wallet compared to the online site and to this day I'm still not sure why that's the case.

Either way, I switched over to Electrum and could not be happier, far more secure and you can actually run a proper cold storage setup.
Krang
Full Member
Activity: 167
Merit: 100
June 04, 2014, 10:06:18 AM
#14

I was wondering how the double encryption would work on wallet backups. Hope someone can clarify.
M++
Sr. Member
Activity: 342
Merit: 250
June 04, 2014, 10:29:37 AM
#15

Same here :)

If double encryption is an issue for backups, yes, I will need to switch to something more secure. I will buy a cheap second-hand laptop.

If importing a backup wallet with double encryption is not an issue at all, I will stay like this a little longer.

SOAD
Sr. Member
Activity: 324
Merit: 250
June 04, 2014, 10:32:23 AM
#16

You don't even need to buy a new laptop. Why don't you try booting from Linux to deal with your coins?

franky1
Legendary
*
Offline Offline

Activity: 4228
Merit: 4490



View Profile
June 04, 2014, 11:13:45 AM
 #17

Quote from: SOAD
You don't even need to buy a new laptop. Why don't you try booting from Linux to deal with your coins?

and make sure the linux files were NOT!!! from guys that say they have precompiled linux for bitcoins.

never download precompiled stuff that other bitcoiners have played with. even trustworthy guys that at one point had 800,000 coins for about 4 years, ended up scamming.

same goes for blockchain.info. with all the security you can think of to stop third parties from stealing coins. the more important third party to be cautious of is the one already holding coins in their public keys. all they have to do is cry "we been hacked" from their beach facing hotel rooms

I DO NOT TRADE OR ACT AS ESCROW ON THIS FORUM EVER.
Please do your own research & respect what is written here as both opinion & information gleaned from experience. many people replying with insults but no on-topic content substance, automatically are 'facepalmed' and yawned at
M++
Sr. Member
Activity: 342
Merit: 250
June 04, 2014, 02:15:31 PM
#18

I don't know about Linux really, I'm not that good at computers.

The easy way is to buy a laptop only for bitcoin, which is boring. Bitcoin on the cloud is sexy, but yeah, it's not so secure.

Krang
Full Member
Activity: 167
Merit: 100
June 04, 2014, 02:21:22 PM
#19

Quote from: M++
I don't know about Linux really, I'm not that good at computers.

The easy way is to buy a laptop only for bitcoin, which is boring. Bitcoin on the cloud is sexy, but yeah, it's not so secure.

You don't have to be good with it. It's probably easier to install than Windows and you don't even need to install it. You can run it from a CD or USB.
lnternet
Sr. Member
Activity: 299
Merit: 253
June 04, 2014, 02:33:28 PM
#20

the blockchain .json backup is not 2FA protected, only by the main password

not sure about the second password for sending

1ntemetqbXokPSSkuHH4iuAJRTQMP6uJ9