What are the risks of having blockchain wallet backup

[riekinho]

...in one's mailbox?

How can someone steal it and what would it take?

I read blockchain's FAQ on it but can't pin down the risk precisely.
Thanks!

[1715582916]

1715582916

[1715582916]

1715582916

[1715582916]

1715582916

[kellrobinson]

According to the "FAQ: wallet" the backup is encrypted.  It doesn't tell what encryption they use.  
The "FAQ: technical" doesn't mention the backup encryption.

[riekinho]

So it is safer not to have it in mailbox then to have it?

[runam0k]

So it is safer not to have it in mailbox then to have it?

There are two basic levels of protection when it comes to your wallet.dat file:

(1) Don't let people get hold of a copy.

(2) Keep it encrypted (an option in most clients) with a very strong password. If someone does get hold of a copy, they might not be able to crack the password.

You are making (1) more difficult for yourself.

Obviously the more copies you make and the more places you send them, the more likely it is someone else will get hold of a copy.

If someone were to gain access to your email, for example, Bitcoin related messages might prompt them to do a quick search for a wallet back up.

[medUSA]

The json backup file is your entire wallet in encrypted form. If your password is weak, it can be brute-forced.
So use a very strong password with at least 12 alphanumeric characters with mixed upper and lower cases.

[phillipsjk]

I have trouble understanding why people think wallet back-ups are secure if they are encrypted: you need to store that encryption key somewhere! That is all wallets are: sets of encryption keys.

I still recommend paper back-ups in at least two geographically separate locations. Physical theft is a concern though. Using n-of-m transactions and a Pay to script hash address (read: 2 of 3 locations) would be better. Blockchain.info does not support that as far as I know.

[DeathAndTaxes]

"Encrypted doesn't tell us much".   If the encryption is properly implemented (including using salt in the key derivation function) and the passphrase is sufficiently strong then there is no practical risk.

If you don't know the exact details of how blockchain.info encrypts the wallet you shouldn't assume it is done properly.   Have they made the encryption/decryption process open source?

[phillipsjk]

If you don't know the exact details of how blockchain.info encrypts the wallet you shouldn't assume it is done properly.   Have they made the encryption/decryption process open source?

I think it is multibit compatible. (have not actually tested though)

[medUSA]

I think it is multibit compatible. (have not actually tested though)

I have tested. It did work.
I downloaded multibit and imported the json file and have access to my wallet in about an hour
(an hour to download relevent blockchain data)