Saving your private key in your email is a lethal move

[vapourminer]

sure, IF your passphrase is something like 36 truly random characters. but even then if a seed is compromised  i would still create a new wallet (with a new seed) and move the coins over.

the passphrase will slow them down, perhaps for a long time, but would you leave your coin there knowing that? considering youll probably never know someone has accessed your email/seed till its too late?

It depends on the amount you store in your seed but if it's not millions of $ it's very unlikely to happen.
The hackers will check your funds in your seed first and they will compare to the cost for them to try to break your passphrase... and it's huge!

yes, today its computationally expensive, and as that chart points out its obviously less as time goes on. so long term largish amounts i would not want in any electronic form.

physical security of a printed/engraved/whatever seed is safer and easier for some, not so much for others. depends on your technical levels, the amounts, convenience, redundancy needed etc.

as long as people know how to calculate the risks they can choose what works best.

[1714516210]

1714516210

[o_e_l_e_o]

The hackers will try to evaluate the amount of your funds first and they will compare it to the cost for them to try to break your passphrase... and it's huge!

The majority of users don't use a passphrase, and of those who do, the majority likely use something that is easy to remember that they have come up with themslves, meaning it is neither long nor random.

Studies show that the average password has only 40.5 bits of entropy. The 6 lines on the table you've shared correspond to roughly 51, 54, 57, 61, 64 and 67 bits of entropy respectively. It's not clear how they have calculated their "attack costs", but since we can see that for each increment of 3 bits of entropy results in a 10 fold increase in attack cost, we can work backwards and see that a 40.5 bit entropy passphrase would only require around $1,000 to break.

Think of the millions, if not billions of online accounts, emails, cloud servers, etc. that have been hacked. It is exponentially more common than a house being broken in to. Furthermore, someone can hack your email and steal your seed without you even knowing about, so you wouldn't even know to transfer your coins out while they are busy brute forcing your passphrase.

Storing your seed online is dangerous.

[Saint-loup]

Studies show that the average password has only 40.5 bits of entropy. The 6 lines on the table you've shared correspond to roughly 51, 54, 57, 61, 64 and 67 bits of entropy respectively. It's not clear how they have calculated their "attack costs", but since we can see that for each increment of 3 bits of entropy results in a 10 fold increase in attack cost, we can work backwards and see that a 40.5 bit entropy passphrase would only require around $1,000 to break.

They've calculated the costs like that :

rent out an NVIDIA Tesla V100 GPU from Amazon AWS, which can compute 2160 million SHA-512 hashes per second (see hashcat benchmarks) at $3.06 per hour (see Amazon EC2 Pricing).
With the recovery seed in hand, checking one passphrase requires 2048 HMAC computations, the derivation of some public keys, and checking whether any of them appear on the blockchain. That amounts to over 4096 SHA-512 computations plus additional work checking the blockchain. Thus the attacker could check no more than 620 million passphrases for $1
https://blog.trezor.io/is-your-passphrase-strong-enough-d687f44c63af

The majority of users don't use a passphrase, and of those who do, the majority likely use something that is easy to remember that they have come up with themslves, meaning it is neither long nor random.

40.5 bits of entropy it's 7.8 random lower case alphanumeric characters, that's just 2 characters less than a $1.3M cost breakable password(9.8 char) according to this table. I don't think it's infeasible for most of people to remember 2 extra random alphanumeric characters of the same case.

[o_e_l_e_o]

40.5 bits of entropy it's 7.8 random lower case alphanumeric characters, that's just 2 characters less than a $1.3M cost breakable password(9.8 char) according to this table. I don't think it's infeasible for most of people to remember 2 extra random alphanumeric characters of the same case.

I also don't think it's infeasible for expect someone to remember a 10 character password. The majority of people in the world have memorized various phone numbers, addresses, email addresses, etc., which all contain more entropy than a 10 character password. The question isn't one of feasibility though, it's one of human nature. People choose passwords, and therefore passphrases, which are short, easy to remember, and quick to enter. Believing that everyone who owns a hardware wallet is using a long, random, and difficult to brute force passphrase is just wishful thinking. Given that only the minority do, it's not a good idea to tell people that they can safely store their seed online when in the vast majority of cases a compromised seed will lead to their funds being stolen.

[Kakmakr]

What if you send potions of your Private key in no specific order and with several different emails within pictures with the help of Steganography? So you insert the first few letters and numbers within a couple of boring cat pictures and then you send a few more emails with different photos containing the remainder of the Private key to another email address you own or that someone else owns?

You then phone them and discuss the pictures in order, eg. So how did you like the picture with the cat in the basket? ....etc.. Nobody listening to the conversation will know that you are actually giving the receiver of that email the order in which he or she has to reconstruct that Private key.

In any way, if you are not under surveillance or a target from a hacker, normal people will not be able to decipher something complicated like this and it will be very difficult to spot. 

[jerry0]

Thoughts on program like lastpass and typing it in there and storing it in email?  First that person needs to hack your email.  Then they need to know the master password. 


What about typing in a document but encrypting it with axcrypt?  That way someone get into your email, they still need axcrypt password?



Now what about lastpass.  But you encrypt lastpass too?  So basically you need your email password, axcrypt password and finally lastpass password?

[Velkro]

Your email can not key your private key safe it's still could be hacked and the information collected.

Not to mention people that have access to your emails all the time like for example gmail server maintance team. They can pull out all private keys from gmail. They probably want to keep their job so they won't do that for now but who knows?
Its really bad idea to store your private keys (BTC) on any cloud service (email included). Cloud service/synchronization options means in reality that your informations (private keys in this example) are put on other person/company server that they have full control of which is bad.

[pooya87]

Thoughts on program like lastpass and typing it in there and storing it in email?  First that person needs to hack your email.  Then they need to know the master password. 

answer me this, lets say you did encrypt it with a password. how are you going to store that password?
is it something you can memorize? if yes, then there is a good chance that the password you used is a weak one and the encryption can easily be broken.
are you going to back that up also on your cloud? that obviously is not safe!
are you going to make a physical backup like writing it on paper? then why not print the private key or seed on paper in first place?

[witcher_sense]

~
are you going to make a physical backup like writing it on paper? then why not print the private key or seed on paper in first place?

Actually, a physical backup of private key or seed phrase would be worse, than same backup of master password. The reason is that in case of random hackers attack, hackers need to know exactly what this is password for. It might be impossible for hackers to find out where to apply that password except that you were stupid enough to write all information next to it. However, both seed phase and private key have notable structure and might be easily recognized.

[bakasabo]

Look how I've saved my private key - while making a wallet, I made a photo of private key in iPhone "notes" and put a password on on.
As a picture, it cant be copy/pasted from a document (so I wont fail with that somehow).

This is not a 100% safe way to keep the key, but at least I cant imagine how someone could connect to my iPhone, navigate in apps, tap on notes and fill the password form.

[Pffrt]

Look how I've saved my private key - while making a wallet, I made a photo of private key in iPhone "notes" and put a password on on.
As a picture, it cant be copy/pasted from a document (so I wont fail with that somehow).

This is not a 100% safe way to keep the key, but at least I cant imagine how someone could connect to my iPhone, navigate in apps, tap on notes and fill the password form.

Your phone can easily be compromised and a hacker can get your private key. It's never a good way to go with such a sensitive matter. It's good for a small amount of BTC but for a bigger amount, you must use a paper wallet or hardware wallet. When you generate a seed key in electrum wallet, it's written that you must not store that electronic device because these are prone to be compromised.

[o_e_l_e_o]

Look how I've saved my private key - while making a wallet, I made a photo of private key in iPhone "notes" and put a password on on.

This is terrible way to store your private key. If I were you, I would be creating a new wallet and backing it up securely, and transferring all my coins to it immediately.

Notes will sync through both iCloud and other third party applications like Gmail, meaning there is a good chance that your private key is now stored on any number of servers located anywhere in the world, protected only by a simple password which you likely though up yourself and can remember, meaning it is both short, non-random, and easily brute-forced. You are also trusting Apple 100% in terms of security, password protection, encryption algorithms, uploading process, server security, etc., etc.

There is a reason that every good wallet tells you to store you seed phrases on paper and offline.

[jerry0]

Best way to store your private key physically?  Heard of cryptosteel but wouldn't that have to hidden somewhere similar to like if you wrote it down on the cards?

[Pffrt]

Best way to store your private key physically?  Heard of cryptosteel but wouldn't that have to hidden somewhere similar to like if you wrote it down on the cards?

Yeah, otherwise anyone known with BTC may steal your private key. Or even someoe who don't know may throw away too  In my case, I'm storing all of my crypto stuff in my room which is very safe. Be cautious if you are using paper wallet. It may easily get destroyed.

[NeuroticFish]

Best way to store your private key physically?  Heard of cryptosteel but wouldn't that have to hidden somewhere similar to like if you wrote it down on the cards?

Laminated paper in a safe may be almost as good.
Notes in a book in your library (if you have one) can be also pretty good, but you'll need a backup in case your house gets on fire.

The really good part with cryptosteel is that you can bury it and you're fine.

[bakasabo]

Notes will sync through both iCloud

But they sync only with iCloud. If someone tries to login in to my iCloud account, I'll receive a notification on the phone with map (ok, person can use VPN, but doubt that he will be in exact location where I usually used to be) asking for a verification, plus he'll need to enter 6 digit code.

How can someone hack or brute that?

[NeuroticFish]

How can someone hack or brute that?

There was quite a known hack some years ago, celebrities' private photos went online, you may remember that.
That has happened because somebody has managed to find a hole in iCloud security and exploited it.
Trusting others, especially if we talk about life changing funds, is a terrible idea.

[o_e_l_e_o]

But they sync only with iCloud. If someone tries to login in to my iCloud account, I'll receive a notification on the phone with map (ok, person can use VPN, but doubt that he will be in exact location where I usually used to be) asking for a verification, plus he'll need to enter 6 digit code.

A little bit of social engineering is enough to get your phone number and account transferred to a new SIM card. Or maybe they stole your Apple account or email account log in with a key logger or other malware. Or maybe your passwords leaked in one of the multiple data breaches which happen every week. Or maybe your passwords have been stolen via a phishing site. Or maybe you've logged in via a public WiFi and they were stolen that way. Or maybe a security flaw in your browser, OS, or some other piece of software. Or maybe Apple's security isn't top notch. Or maybe a rogue employee has been digging through backed up data looking for something valuable.

There are endless security holes with storing your data online, especially when you aren't encrypting it yourself and are relying entirely on a third party, especially a third party who have been hacked repeatedly in the past.

[bob123]

How can someone hack or brute that?

That actually not as hard as you might think it is.

While it indeed could be quite frustrating to break into this from a different location, the easiest approach would be to compromise your mobile phone.
You wouldn't notice the notification. The verification would be given within a split second and the 6 digit code would be sent to the attacker.
The whole security in this kind of attack relies on your mobile phone security.


And that's just one attack vector, and definitely not the only one.