Bitcoin Forum
Author Topic: Saving your private key in your email is a lethal move  (Read 1644 times)
Kakmakr
Legendary
*
Offline Offline

Activity: 3444
Merit: 1957

Leading Crypto Sports Betting & Casino Platform


View Profile
April 09, 2019, 05:41:47 AM
 #21

Let's say the sender and the recipient agree that the first 3 numbers or letters will be ignored and then the 5th and the 7th are replaced with something else, then it would not make up a recognisable private key.
This is essentially security through obscurity, and is generally a bad way to store any sensitive information. If you absolutely must send something sensitive via email, the best way is an encrypted file with a previously (and securely) agreed upon key.

The same advice throughout this thread obviously applies to mnemonic seeds as well. Too many people store electronic copies of their mnemonic seed, which again, is a terrible idea. Write it down or engrave it, and store it somewhere physically secure.

How sure are you that encryption technology is safe and that it would stay safe in the future? Let's say the "No Such Agency" finds a way to decrypt that encrypted email in the future, then your sensitive information would be exposed and used against you in the future. They are already collecting large amounts of data and encrypted data would be an ideal target for them.

Security through obscurity can constantly change and it makes it very difficult for them to decipher the hidden messages. You can change it with every message if you wanted to.

o_e_l_e_o
In memoriam
Legendary
*
Offline Offline

Activity: 2268
Merit: 18509


View Profile
April 09, 2019, 10:05:17 AM
Merited by Foxpup (2)
 #22

Security through obscurity can constantly change and it makes it very difficult for them to decipher the hidden messages. You can change it with every message if you wanted to.
You can only change it with every message if you have a separate and 100% secure way of communicating with the recipient to reveal your new method (in other words, meeting up in person with no electronic devices around), in which case you are far better just using that secure method to transfer the information you need to. I make a point of keeping anything truly sensitive well away from the internet, email, cloud servers, etc., even if it is encrypted.

Additionally, if an agency had the computing power to break 256-bit, then they can certainly brute force anything along the lines of swapping digits around or including extra nonsense characters.
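The brute-force point made in post #22, worked through as an added example that is not part of any post in this thread: it applies the scheme proposed in post #21 to a constructed key and shows that the Base58Check checksum built into a WIF private key lets anyone test guesses offline. Assumptions: positions are counted on the whole message, the junk prefix and replacement characters are arbitrary, and all function names are hypothetical.

```python
import hashlib
import math

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def dsha(b: bytes) -> bytes:
    """Double SHA-256, as used for the Base58Check checksum."""
    return hashlib.sha256(hashlib.sha256(b).digest()).digest()

def b58check_encode(payload: bytes) -> str:
    """Base58Check: payload plus first 4 checksum bytes, written in base 58."""
    n = int.from_bytes(payload + dsha(payload)[:4], "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return out  # WIF payloads start with 0x80, so no leading-zero padding

def is_valid_wif(s: str) -> bool:
    """True if s decodes to 0x80 + 32 key bytes + a matching 4-byte checksum."""
    n = 0
    for ch in s:
        idx = B58.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    try:
        raw = n.to_bytes(37, "big")
    except OverflowError:
        return False
    return raw[0] == 0x80 and dsha(raw[:-4])[:4] == raw[-4:]

def obscure(wif: str, junk: str = "Qz7", subs=("x", "k")) -> str:
    """Scheme from post #21: 3 ignored characters, then the 5th and 7th
    characters of the message replaced with something else."""
    msg = list(junk + wif)
    msg[4], msg[6] = subs
    return "".join(msg)

def recover(msg: str):
    """Undo the scheme when the positions are known: 58 * 58 guesses,
    each one checked against the key's own checksum."""
    body = list(msg[3:])
    hits, tried = [], 0
    for a in B58:
        for b in B58:
            body[1], body[3] = a, b
            tried += 1
            cand = "".join(body)
            if is_valid_wif(cand):
                hits.append(cand)
    return hits, tried

def scheme_bits(key_len: int = 51, junk_max: int = 10, swaps: int = 2) -> float:
    """log2 of the search space when the positions are NOT known: any prefix
    length 0..junk_max, any `swaps` positions, any Base58 replacement."""
    return math.log2((junk_max + 1) * math.comb(key_len, swaps) * 58 ** swaps)

# Constructed sample key (bytes 01..20 hex); never use it to hold funds.
KEY = bytes(range(1, 33))
WIF = b58check_encode(b"\x80" + KEY)
MSG = obscure(WIF)

if __name__ == "__main__":
    hits, tried = recover(MSG)
    print("emailed string :", MSG)
    print("guesses needed :", tried, "-> recovered:", hits == [WIF])
    print("unknown-position search space: %.1f bits (a key has 256)" % scheme_bits())
```

Even when the positions are secret, the search space stays near 25 bits, which is why post #22 treats the scheme as no obstacle next to a 256-bit key.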
vit05
Hero Member
*****
Offline Offline

Activity: 672
Merit: 526



View Profile
April 09, 2019, 09:31:32 PM
 #23

Emails are completely unsafe for something like that. But it is necessary that at some point we have some kind of online solution to save a key. It may be just one, of multiple keys needed to open a wallet.

There are several reasons and times that you may have to see yourself completely away from several of your physical assets, as well as wallets, USB etc.: when making a trip, being arrested, staying in the hospital. The simple way is to say that online and in the cloud is always the worst option. But in fact everything carries some kind of risk, and you should always analyze case by case.

In this student situation, it is important to demonstrate why email is unsafe to store the keys and also to exchange a range of information that may be confidential. A great opportunity to teach about encryption.
leowonderful
Legendary
*
Offline Offline

Activity: 1624
Merit: 1129


Bitcoin FTW!


View Profile
April 10, 2019, 12:45:11 AM
 #24

Emails aren't a good place to keep anything valuable, period. Even with multiple layers of security on your email like 2FA and SMS confirmation, there's still a chance your email could be compromised and you want to keep as little sensitive information as possible in your inbox when that happens. I periodically go through my emails and delete emails because of this.
CryptopreneurBrainboss
Legendary
*
Offline Offline

Activity: 2254
Merit: 4152


eXch.cx - Automatic crypto Swap Exchange.


View Profile WWW
April 10, 2019, 03:59:43 AM
 #25

Ignorance and lack of information are a major contributor to this. Here are some of the possible reasons why newbies think storing a private key in email is the best solution:
  • They could easily remember where they stored their private key
  • It can be easily accessed from any device as long as they're connected to the internet
  • They have been earlier misinformed that storing sensitive information in their email is safe

Again, the type of wallet they use plays a major role in them storing their private key carelessly. A user making use of an online (web) or app wallet is more likely to store their private key in their email than a user making use of a hardware wallet. So again they need to be informed on the best wallet to use to prevent issues like this (them storing private keys in emails) from occurring.

Siren
Sr. Member
****
Offline Offline

Activity: 826
Merit: 265



View Profile
April 10, 2019, 05:18:08 AM
 #26

Finally I decided to USB flash, but I'm not sure that's safest place.
Storing private keys in USB FLASH is safe as long as they aren’t in the hands of an attacker. I hope you have hidden the USB Flash in a safe place.

But the first safest option is HARDWARE WALLETS, second USB FLASH, third is a paper wallet in my opinion. But paper wallets have some risks unless the user laminates them.



@OP, you may want to check this article for all the best possible options.
Yup, that’s totally safe as long as the USB remains safe, and other than that I guess writing on paper will also be beneficial for us and our successors, as we really don’t know what will happen in the future and accidents happen on unexpected occasions.
I have written my private keys in separate formats and gave them to my children, each what they deserve, so when the time comes and I pass in unexpected ways they will continue my legacy here in crypto.
bob123
Legendary
*
Offline Offline

Activity: 1624
Merit: 2481



View Profile WWW
April 10, 2019, 07:17:20 AM
Merited by Foxpup (2), o_e_l_e_o (1)
 #27

How sure are you that encryption technology is safe and that it would stay safe in the future?

Simple answer: Mathematics.

Even with constantly increasing computing power, there are encryption algorithms which are (mathematically proven) secure.
RSA with a key length of 2048+ bit is safe for the next 10 years for example. 4096 bit keys are secure beyond 2030.

Same applies to AES with 256 bit. It is safe to use beyond 2030. Another good alternative is to use ECC.


In 10+ years, you could simply send all of your coins to a different address and encrypt that private key with a (more modern) encryption algorithm to have it secured for another period.



Let's say the "No Such Agency" finds a way to decrypt that encrypted email in the future

They don't find a way to "decrypt that encrypted mail", but to "break an encryption". And this - depending on the algorithm - is not possible, which is proven mathematically.



Security through obscurity can constantly change and it makes it very difficult for them to decipher the hidden messages. You can change it with every message if you wanted to.

Security through obscurity is a very very VERY bad approach.
Just google it, you will find tons of arguments why you should never rely on this.

TheHas
Full Member
***
Offline Offline

Activity: 616
Merit: 167


View Profile
April 10, 2019, 10:35:21 AM
 #28

Just treat your private address with a corresponding level of security to its value.

If you've got ten bucks in an address, sure you could save that in an email or on your desktop, the repercussions are fairly minor if someone gets access.

If you've got hundreds, or even thousands, then write it down manually and put it in a safe. Just use common sense.
Velkro
Legendary
*
Offline Offline

Activity: 2296
Merit: 1014



View Profile
April 10, 2019, 01:09:49 PM
 #29

Re: Saving your private key in your email is a lethal move
Agree, it's like actually saving it on someone else's computer. You never know how many people have access to this data; it's a huge risk of your private key being compromised.
Security needs to be adjusted to a person's needs. Less money demands less security, more money demands more security.
efrenbilantok
Member
**
Offline Offline

Activity: 576
Merit: 39


View Profile
April 10, 2019, 05:18:37 PM
 #30

Flash drives might get corrupted, and so might a computer/laptop; cloud storage can be hacked, and so can email and social media accounts. The best choice is to make a hard copy of your private key and lock it somewhere safe, but you might forget where you placed it or it might get stolen. Hmm, looks like everything is lethal huh? XD
sheenshane
Legendary
*
Offline Offline

Activity: 2394
Merit: 1215


Cashback 15%


View Profile WWW
April 10, 2019, 06:01:52 PM
Last edit: April 10, 2019, 06:41:26 PM by sheenshane
 #31

Re: Saving your private key in your email is a lethal move
Agree, it's like actually saving it on someone else's computer. You never know how many people have access to this data; it's a huge risk of your private key being compromised.
Security needs to be adjusted to a person's needs. Less money demands less security, more money demands more security.
You are right that when it comes to more money, it requires more security. I do usually save my private key or seed phrase in the memory card from my mobile; after saving my private key I'll remove it and put it into my closet. But one thing that comes up in my mind: how about a body implant, like a microchip implant where your private key is stored? I am sure it is secure, but I don't know if it is safe for humans.



Do you think this is possible, or is it the same as the lethal move?

r1a2y3m4
Full Member
***
Offline Offline

Activity: 504
Merit: 127


Match365> be a part of 150BTC inviting bonus


View Profile
April 10, 2019, 06:37:09 PM
 #32

Finally I decided to USB flash, but I'm not sure that's safest place.
Storing private keys in USB FLASH is safe as long as they aren’t in the hands of an attacker. I hope you have hidden the USB Flash in a safe place.

But the first safest option is HARDWARE WALLETS, second USB FLASH, third is a paper wallet in my opinion. But paper wallets have some risks unless the user laminates them.
Hardware wallets are the best option to store your private key. But keep in mind that hardware wallets and USB drives are the same: they are objects which we can misplace easily since they are small. If you are a sloppy person like me, USB flash could not be an option for me.

What I'll do in storing my private key is I'll use a notepad and write all of my private keys on all wallets on one of it and will save it on my desktop. Copy a file of that on my laptop, copy of that file to my phone, to my girlfriend's phone.

o_e_l_e_o
In memoriam
Legendary
*
Offline Offline

Activity: 2268
Merit: 18509


View Profile
April 10, 2019, 06:57:55 PM
 #33

I do usually save my private key or seed phrase in the memory card from mobile, after saving my private key I'll remove it and put into my closet.
This isn't a very good solution. Your plain text private key or seed phrase should ideally never touch an internet enabled device, even if the device is offline when you do it. You have no guarantees that there isn't malware on your device which will copy your key/phrase and transmit it to an attacker when internet access is restored.

If you want to save your phrase or key on a memory stick, then it should be encrypted and copied via a permanently airgapped device.
kingpin4321
Member
**
Offline Offline

Activity: 280
Merit: 14


View Profile
April 10, 2019, 10:32:25 PM
 #34

I don't support the saving of private keys in an email; that is a foolhardy thing to do.
But wherever one decides to save their private keys, the major aim should be apt security and ease for the owners to get to them.
BitMaxz
Legendary
*
Offline Offline

Activity: 3248
Merit: 2965


Block halving is coming.


View Profile WWW
April 10, 2019, 11:08:05 PM
Last edit: April 10, 2019, 11:21:39 PM by BitMaxz
 #35

I do usually save my private key or seed phrase in the memory card from mobile, after saving my private key I'll remove it and put into my closet.
This isn't a very good solution. Your plain text private key or seed phrase should ideally never touch an internet enabled device, even if the device is offline when you do it. You have no guarantees that there isn't malware on your device which will copy your key/phrase and transmit it to an attacker when internet access is restored.

If you want to save your phrase or key on a memory stick, then it should be encrypted and copied via a permanently airgapped device.
For my own keys and seed phrase, I put them into a plain text file, then I archive them to a rar file with a password 3 times with 3 different passwords (what I mean is, after I archived it to rar with the password, I archive it again and add another password). Then for the 3rd archive I use a base64 encoding as my password to make sure that if someone is trying to brute-force my archived rar seed/privkeys it will take years before they can hack it, and since I archived it 3 times they can brute-force my archived seed/privkeys and hack them after a decade.

The file is saved privately with google drive and I have a backup on my Gmail on the draft page.


As of now, no one knows that I have a backup on my email because I used a different email and never use it for online verification just to make sure no one knows my email.

jerry0
Full Member
***
Offline Offline

Activity: 1736
Merit: 186


View Profile
April 11, 2019, 12:43:09 AM
 #36

Well what if something happens physically in your house then and everything is destroyed or stolen?


I understand backing up your seed in your camera by taking a picture is bad and sending it to an email is foolish.  But if it's encrypted, that's not good enough?


Example: you type your seed in lastpass or keepass.  You need a password to open the program to reveal all your passwords.  You then upload it to dropbox or google drive.  Now the hacker would need to first hack into your dropbox or google drive account.  Then they would need to know the password for your lastpass or keepass.  So isn't that hard already for them?  I can understand it being easy if say that person targeted your computer and sent you a link etc. to keylog you or you download something.  Also say you use axcrypt to encrypt it.  Example: you encrypt lastpass or keepass.


Now they need to


1. hack into your dropbox or gmail

2.  Know your email and password connected with your axcrypt account to encrypt the lastpass or keepass file

3.  Know the password for lastpass or keepass



So aren't these steps already pretty tough for a hacker?  The issue here though is if you do it this way, you need to remember 2 things, your lastpass/keepass password and your axcrypt password.  But the issue here is don't most people use a very long complicated password for axcrypt?  Thus that would mean doing this wouldn't work since you won't know your axcrypt password since it's probably put in lastpass/keepass?



Also don't most of you use password managers like lastpass/keepass?  I mean you guys don't know your email and banking passwords, right?  Thus keep everything there.  So if you keep everything there along with your private key but make sure you have a strong master password, that isn't safe enough?



So of what I described, which is the better method?  The one with the 3 steps or


1.   Hacker needs to hack into your dropbox or gmail

2.  Know the password for lastpass or keepass




The thing is I think most people don't know their axcrypt password, right, and store that in lastpass or keepass?
o_e_l_e_o
In memoriam
Legendary
*
Offline Offline

Activity: 2268
Merit: 18509


View Profile
April 11, 2019, 11:46:04 AM
 #37

For my own keys and seed phrase, I put them into a plain text file, then I archive them to a rar file with a password 3 times with 3 different passwords (what I mean is, after I archived it to rar with the password, I archive it again and add another password). Then for the 3rd archive I use a base64 encoding as my password to make sure that if someone is trying to brute-force my archived rar seed/privkeys it will take years before they can hack it, and since I archived it 3 times they can brute-force my archived seed/privkeys and hack them after a decade.
This may or may not be relatively safe, depending on what RAR archiver you are using and what encryption method it uses. Some don't encrypt the data at all, others use AES128 or AES256. A better option, in my opinion, would be use a proper encryption program like Veracrypt, and encrypt it with that, rather than relying on a RAR archiver to encrypt it for you.

The other weak link in this chain is where you are encrypting it. If you are talking about encrypting a plain text file on your usual, everyday computer which is internet enabled, you have no guarantee that the plain text data hasn't already left your machine or been otherwise accessed before you encrypt it. You should be encrypting it on a clean OS on a device without the capability for internet access, and then transferring the encrypted file to your internet enabled computer for uploading.

The best option is not to store any sensitive data, encrypted or not, anywhere near the internet, emails, cloud servers, etc.
timerland
Hero Member
*****
Offline Offline

Activity: 1526
Merit: 596


View Profile
April 11, 2019, 10:32:15 PM
 #38

Well, I would not have made this post until this week. I have a cryptocurrency community on social media (Telegram) where I am doing my own bit to enlighten and empower those I can.
We tell them about cryptocurrency wallets and how to go about them. I made it clear to them never to screenshot their private keys but rather to write them down and put them away in a safe place.

But it has occurred several times that private keys were written, sent and saved in some of my students' emails...

Well, this has huge consequences. I would want to reach out to the noobs: never improvise. Instructions are instructions. When creating a wallet you are told to write your private keys down (not in email or on your device).
Your email cannot keep your private key safe; it could still be hacked and the information collected.

These are basic instructions and rules which, when overlooked, cause damage.

That is certainly true. And not just emails, the same thing applies to all cloud storage hosts.

A lot of people say that as long as you encrypt it with a password, it doesn't matter where you store it. But in my opinion if someone is able to gain access to your email, it is likely that they were able to crack your password in the first place, which makes the encrypted file easy to crack as well, since so many people reuse their passwords for everything.

Even though it may seem convenient at the time and the risks are quite far away - trust me, you don't want to be placed in a situation where you are potentially out of pocket thousands of dollars if not more simply because you failed to follow simple procedures. Store it offline.

jerry0
Full Member
***
Offline Offline

Activity: 1736
Merit: 186


View Profile
April 11, 2019, 11:21:26 PM
 #39

Those people that say don't store it online even if you encrypt it, then what happens if something happens to your computer or usb physically?  Say a theft or fire?  Where is your backup then?  That is why i thought online backup has to be a must because if that happens, you can access dropbox or gmail and the file is there.
Thanasis
Hero Member
*****
Offline Offline

Activity: 1820
Merit: 515


★777Coin.com★ Fun BTC Casino


View Profile
April 12, 2019, 06:58:33 AM
 #40

Those people that say don't store it online even if you encrypt it, then what happens if something happens to your computer or usb physically?  Say a theft or fire?  Where is your backup then?  That is why i thought online backup has to be a must because if that happens, you can access dropbox or gmail and the file is there.
Saving the private keys online is risky.

Do you think Gmail is hard to hack? It is not much harder to hack, and we can see many people were complaining that their bitcointalk accounts were hacked because their registered email was hacked, so saving it physically is the better solution.
