Bitcoin Forum
Author Topic: Encrypted wallet.dat but not entirely  (Read 742 times)
Frodek
September 24, 2011, 08:29:29 PM
 #1

That's great that the wallet.dat file is now encrypted. However, only bitcoin sending is password protected, and anyone can easily preview how much they have. It can be dangerous because someone could get thousands of wallet.dat files and force from someone who has a lot. And so we keep the files in Linux (e.g. VirtualBox) instead of Windows.
It is better to be able to run it in bitcoin client after entering the password from the wallet.
Stephen Gornick
September 24, 2011, 09:55:15 PM
 #2

It can be dangerous because someone could get thousands of wallet.dat files and force from someone who has a lot.

I don't follow.  Are you trying to say something like if for some reason someone learns how many bitcoins you have you would have a higher risk the more bitcoins you hold?   (Which is probably true, by the way.  As you hold more bitcoins, the level of importance placed on security of the wallet should increase).

Gabi
September 25, 2011, 11:49:01 AM
 #3

He is saying that the client encrypts only a part of the wallet.dat. If you steal a client-encrypted wallet.dat you can read how many bitcoins it has. And if you find a wallet with a LOT of btc it can be worth trying to brute-force it.

kokjo
September 25, 2011, 11:52:16 AM
 #4

That's great that the wallet.dat file is now encrypted. However, only bitcoin sending is password protected, and anyone can easily preview how much they have. It can be dangerous because someone could get thousands of wallet.dat files and force from someone who has a lot. And so we keep the files in Linux (e.g. VirtualBox) instead of Windows.
It is better to be able to run it in bitcoin client after entering the password from the wallet.
go torture mtgox, I know that they have a lot of btc...

"The whole problem with the world is that fools and fanatics are always so certain of themselves and wiser people so full of doubts." -Bertrand Russell
memvola
September 25, 2011, 12:27:48 PM
 #5

I think it's a good usability trade-off for security. Wallet encryption does not protect you from a myriad of attacks. If I had the ability to access a lot of people's wallets, instead of downloading them and trying to brute force the one with the largest sum, I'd install keyloggers. Even better, I'd install a modified bitcoin client that silently sends some of the coins without displaying on the interface. If I don't have access to binaries, nor the system memory, but only the wallets, and lots of them, and there are people dumb enough to use simple passwords for large wallets; maybe then, knowing the balances would be helpful.

At any rate, it is worth adding a second layer of encryption as you said. It is still a good idea to use a savings wallet either way. One good addition would be being able to use multiple wallets (a la MultiBit); I wouldn't mind entering a primary password for my savings wallet.
ribuck
September 25, 2011, 12:40:28 PM
 #6

... I'd install keyloggers ...
A quick question for anyone who knows about typical keyloggers: can you circumvent them by clicking around the entry field and typing the characters out of order (e.g. type the last half, then click at the start of the field and type the first half), or does the keylogger harvest the data after the field is complete?
kokjo
September 25, 2011, 12:48:00 PM
 #7

... I'd install keyloggers ...
A quick question for anyone who knows about typical keyloggers: can you circumvent them by clicking around the entry field and typing the characters out of order (e.g. type the last half, then click at the start of the field and type the first half), or does the keylogger harvest the data after the field is complete?
solution:
install fake client.

memvola
September 25, 2011, 01:22:08 PM
 #8

A quick question for anyone who knows about typical keyloggers: can you circumvent them by clicking around the entry field and typing the characters out of order (e.g. type the last half, then click at the start of the field and type the first half), or does the keylogger harvest the data after the field is complete?

AFAIK they usually get input directly from the device. It would be very complicated to get data from password fields of arbitrary programs. On the other hand, they can capture mouse movements and take screenshots, so clicking around wouldn't be an ultimate protection. I imagine a program that automatically inserts your passwords bound to custom key combinations would work better. I don't know if there are any, but it should work as long as the solution is not widespread enough for the attackers to care.

Even so, it would be far easier for the attacker to target specific programs, such as bitcoin, and install fake clients, or read unencrypted keys from memory.