Bitcoin Forum
Author Topic: .  (Read 64458 times)
ben-abuya
May 27, 2011, 07:01:31 PM
 #41

This is actually a very interesting question, because the two problems we want to solve are adversarial. If only one person knows the password (you), you could forget it, or something could happen to you and your money would be lost forever. If many people know the password, there's less of a chance it will get lost, but more of a chance someone else will steal the money, or get hacked. Secret sharing is cool, but it's really just a way to tweak the tradeoffs.

Here's another idea, a time lock. You could decide that for a period of 30 days, nobody has access but you. But if for some reason, you're unable to access the encryption for 30 days, either because you're injured, kidnapped, or forgot the password, then the shared secret password would go into effect and the second group would be able to access the funds. Of course there are all kinds of ways to game this, but it's an old stand by in meatspace security, and it should be a useful tool for the paranoid.

http://lamassubtc.com/
Lamassu Bitcoin Ventures
JohnDoe
May 27, 2011, 08:48:56 PM
 #42

> Here's another idea, a time lock. You could decide that for a period of 30 days, nobody has access but you. But if for some reason, you're unable to access the encryption for 30 days, either because you're injured, kidnapped, or forgot the password, then the shared secret password would go into effect and the second group would be able to access the funds. Of course there are all kinds of ways to game this, but it's an old stand by in meatspace security, and it should be a useful tool for the paranoid.

A dead man's switch, very nice. I'd be interested to hear details on how to implement this.
ben-abuya
May 27, 2011, 09:20:53 PM
 #43

> > Here's another idea, a time lock. You could decide that for a period of 30 days, nobody has access but you. But if for some reason, you're unable to access the encryption for 30 days, either because you're injured, kidnapped, or forgot the password, then the shared secret password would go into effect and the second group would be able to access the funds. Of course there are all kinds of ways to game this, but it's an old stand by in meatspace security, and it should be a useful tool for the paranoid.
>
> A dead man's switch, very nice. I'd be interested to hear details on how to implement this.

Now that I think about it, I don't see how it could be implemented with just cryptography. But with Bitcoin, it's easy. Just use future transactions, which will be entered immediately into the block chain, but won't actually take effect until a given block number. You do a transaction that empties out your private account into the joint account, in a block that will be computed 30 days from now. Then, each day you're around, you just transfer your bitcoins into a new private account, and that future transaction will fail because the originating account will be empty. You also set up another future transaction to transfer money from your new private account into the shared account in another 30 days. There are probably ways to streamline this, but I don't see any theoretical difficulties.

Amazingly, it looks like this feature is already baked into Bitcoin:

http://forum.bitcoin.org/index.php?topic=8821.0

http://lamassubtc.com/
Lamassu Bitcoin Ventures
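
A toy simulation of the scheme described in post #43 above, added here as an illustration; it is not part of the original post and does not reproduce Bitcoin's actual transaction format or validation rules. The names `Ledger`, `Tx`, `arm`, `check_in` and `simulate` are hypothetical, and 144 blocks per day assumes one block roughly every ten minutes.

```python
"""Toy model of the timelocked dead man's switch (not Bitcoin's real rules)."""
from dataclasses import dataclass
from itertools import count

BLOCKS_PER_DAY = 144              # assumption: one block every ~10 minutes
TIMEOUT = 30 * BLOCKS_PER_DAY     # the 30-day window from the post, in blocks


@dataclass
class Tx:
    spends: int        # id of the output this transaction spends
    to: str            # who owns the coins afterwards
    lock_height: int   # transaction has no effect before this block height


class Ledger:
    def __init__(self):
        self.height = 0
        self.unspent = {}          # output id -> current owner
        self.pending = []          # timelocked transactions not yet in effect
        self._ids = count(1)

    def fund(self, owner):
        oid = next(self._ids)
        self.unspent[oid] = owner
        return oid

    def spend(self, oid, to):
        """Consume output `oid` and create a fresh one owned by `to`."""
        del self.unspent[oid]
        return self.fund(to)

    def mine(self, blocks):
        for _ in range(blocks):
            self.height += 1
            waiting = []
            for tx in self.pending:
                if tx.spends not in self.unspent:
                    continue                      # input already moved: tx fails
                if self.height >= tx.lock_height:
                    self.spend(tx.spends, tx.to)  # switch fires
                else:
                    waiting.append(tx)
            self.pending = waiting


def arm(ledger, oid):
    """Queue the future transfer of `oid` to the joint account."""
    ledger.pending.append(Tx(oid, "joint", ledger.height + TIMEOUT))


def check_in(ledger, oid, rearm=True):
    """Owner moves the coins to a new private output, cancelling the old switch."""
    if ledger.unspent.get(oid) != "owner":
        return oid                                # too late, switch already fired
    new = ledger.spend(oid, "owner")
    if rearm:
        arm(ledger, new)
    return new


def simulate(checkin_days, total_days, rearm=True):
    """Return the final owners after `total_days`, checking in on the given days."""
    ledger = Ledger()
    oid = ledger.fund("owner")
    arm(ledger, oid)
    for day in range(1, total_days + 1):
        ledger.mine(BLOCKS_PER_DAY)
        if day in checkin_days:
            oid = check_in(ledger, oid, rearm)
    return sorted(ledger.unspent.values())


if __name__ == "__main__":
    print(simulate(set(range(1, 91)), 90))        # daily check-ins
    print(simulate({1, 2, 3}, 40))                # owner disappears after day 3
    print(simulate({1}, 400, rearm=False))        # moved coins, forgot to re-arm
```

The last case is the failure mode to watch: a check-in that moves the coins without queuing a new future transaction leaves no fallback at all, so the funds stay with an owner who may never return.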
Ampix0
May 28, 2011, 02:00:00 AM
 #44

Ok, sorry. How exactly... am I installing bitcoin to the flash drive?

billyjoeallen
May 28, 2011, 03:10:30 AM
 #45

> This is essentially how I use my normal wallet! With that said, I wonder how many people just getting into Bitcoin would be overwhelmed just by steps 1-4.

me, for one. Be happy that your bitcoins will be more valuable when I lose mine.

insert coin here:
Dash XfXZL8WL18zzNhaAqWqEziX2bUvyJbrC8s



1Ctd7Na8qE7btyueEshAJF5C7ZqFWH11Wc
opticbit
May 28, 2011, 07:25:50 AM
 #46

For those with poor memory.
You still need to remember a color and row or something.

http://www.passwordcard.org/

Bitrated user: opticbit.
https://www.bitrated.com/opticbit
finnthecelt
May 29, 2011, 03:57:15 PM
 #47

> > This is essentially how I use my normal wallet! With that said, I wonder how many people just getting into Bitcoin would be overwhelmed just by steps 1-4.
>
> me, for one. Be happy that your bitcoins will be more valuable when I lose mine.

Being new I will tell you, it's very overwhelming. However I need to figure something out because I've been at this for a mere five days and have already been robbed. I made the mistake of using slush's service and didn't realize the user id and password needed to be separate from my site login credentials.

Someone used my worker's public login credentials for the site login and changed the wallet address and the payout threshold to .01 and cleaned me out!

Pathetic. Some lurker out there is probably watching for new users who continually make this mistake and steal from them. I guess in the open source world people do expect things for free. I do realize though that there's a bad apple in every crowd. I'm just pissed.

Is there anything at all I can do with the wallet address they forgot to change? 
PabloW
May 29, 2011, 04:57:51 PM
 #48

I just use Wuala. Got a free 10GB account when I bought a LaCie external disk ^^
lakehaze
May 31, 2011, 03:53:50 AM
 #49

I'm not sure I understand the solution here. This might be a bit long, so maybe it should be moved to its own thread, but it seems relevant.

Disclosure: I am Noob.  Please correct me with anything I misunderstand; I am NOT here to dictate my vision of reality.  The only thing keeping me from having bitcoins right now is wallet security.


I see two security issues:
1) Loss of wallet by catastrophe (machine failure, localized sinkhole, terrorist bombing of my house, etc)
Let's strike issue '1' off the list. It seems clear to me that a secure, encrypted backup stored in a variety of places is an obvious solution to machine failure.

Which leaves us with:
2) Loss of wallet contents due to theft of private key (trojans, keyloggers, posting private key on the bathroom stall, etc...)

My understanding of TrueCrypt is that it simply but securely locks a volume.  Which is great for backups, but once the password is entered, and the user has access to the volume, doesn't the computer and any peeping-toms also have access to the volume?  Key question here; if not, then my points are moot, but if so, all it takes is a couple milliseconds on a dirty computer viewing your savings account for a patient 'trojan' (or whatever you smart hacker people use) to nab the key, no?  And to me, I assume all computers are dirty all the time, since you can never really know.

Is it just impossible to completely secure the wallet?  Is it just an accepted risk that checking your savings is a window of attack, and should be done rarely, only when necessary, and only from a virgin system?  Should I assume that I can only check my savings account after reinstalling a new system?  Would that even be enough to guarantee security?

Thanks,
Paranoid Believer
PRCman
May 31, 2011, 05:34:47 AM
 #50

> Vladimir, how easily could you crack a WinRAR archive with a strong password?

The password of WinRAR is not secure at all, don't use it!

If you are using symbols on the keyboard as the WinRAR password, the Government of PR China is able to crack it in several seconds; they have a rainbow table for it. I was told that a couple of years ago, when I studied in college; one teacher was working for the Government as a developer, and he told me that.

Remember!

Don't use WinRAR to encrypt your data anymore!
PRCman
May 31, 2011, 05:39:19 AM
 #51

> > Vladimir, how easily could you crack a WinRAR archive with a strong password?
>
> The password of WinRAR is not secure at all, don't use it!
>
> If you are using symbols on the keyboard as the WinRAR password, the Government of PR China is able to crack it in several seconds; they have a rainbow table for it. I was told that a couple of years ago, when I studied in college; one teacher was working for the Government as a developer, and he told me that.
>
> Remember!
>
> Don't use WinRAR to encrypt your data anymore!

Of course I believe the CIA is stronger than the PRC Government.
titeuf_87
May 31, 2011, 10:50:11 AM
 #52

> I'm not sure I understand the solution here. This might be a bit long, so maybe it should be moved to its own thread, but it seems relevant.
>
> Disclosure: I am Noob. Please correct me with anything I misunderstand; I am NOT here to dictate my vision of reality. The only thing keeping me from having bitcoins right now is wallet security.
>
> I see two security issues:
> 1) Loss of wallet by catastrophe (machine failure, localized sinkhole, terrorist bombing of my house, etc)
> Let's strike issue '1' off the list. It seems clear to me that a secure, encrypted backup stored in a variety of places is an obvious solution to machine failure.
>
> Which leaves us with:
> 2) Loss of wallet contents due to theft of private key (trojans, keyloggers, posting private key on the bathroom stall, etc...)
>
> My understanding of TrueCrypt is that it simply but securely locks a volume. Which is great for backups, but once the password is entered, and the user has access to the volume, doesn't the computer and any peeping-toms also have access to the volume? Key question here; if not, then my points are moot, but if so, all it takes is a couple milliseconds on a dirty computer viewing your savings account for a patient 'trojan' (or whatever you smart hacker people use) to nab the key, no? And to me, I assume all computers are dirty all the time, since you can never really know.
>
> Is it just impossible to completely secure the wallet? Is it just an accepted risk that checking your savings is a window of attack, and should be done rarely, only when necessary, and only from a virgin system? Should I assume that I can only check my savings account after reinstalling a new system? Would that even be enough to guarantee security?
>
> Thanks,
> Paranoid Believer

There are different solutions to this. One of the most simple would be to copy your addresses somewhere and check them on blockexplorer or another similar site to see what the balance is. That way you don't have to run the client and don't risk losing your coins.

Another solution would be to store your wallet on a USB drive (with or without TrueCrypt), and only access it from a LiveCD environment.

A third solution could be a combination of both: have two wallets, one with your savings, safely stored away and handled with great care, and another wallet with much less in it, that isn't that much of a risk to lose.

15kfBM3TQ4PGzL7cKncU3su2pH7ZJmiLtr
lakehaze
May 31, 2011, 12:40:16 PM
 #53

> There are different solutions to this. One of the most simple would be to copy your addresses somewhere and check them on blockexplorer or another similar site to see what the balance is. That way you don't have to run the client and don't risk losing your coins.
>
> Another solution would be to store your wallet on a USB drive (with or without TrueCrypt), and only access it from a LiveCD environment.
>
> A third solution could be a combination of both: have two wallets, one with your savings, safely stored away and handled with great care, and another wallet with much less in it, that isn't that much of a risk to lose.

Great, thanks for the reply.  Between liveCD and the blockexplorer, I think I'm set.  Although liveCD (like bartPE, no?) is probably not 100% bulletproof either, but it adds a satisfactory level of obfuscation.

In what environment do I create the wallet?  Inside of liveCD?  Surely not in Windows, at least not a windows account that has or will ever see the interweb.  Can I run the bitcoin client and generate my savings wallet inside of liveCD?

Thanks.
Hawkix
June 04, 2011, 07:42:58 AM
 #54

> For those with poor memory.
> You still need to remember a color and row or something.
>
> http://www.passwordcard.org/

Password card? What? Limiting all possible passwords to only hundreds of combinations to test?

Sorry, no. Password card is a bad tool.


Donations: 1Hawkix7GHym6SM98ii5vSHHShA3FUgpV6
http://btcportal.net/ - All about Bitcoin - coming soon!
DATA COMMANDER
June 06, 2011, 04:13:24 AM
 #55

How likely is it that someone who's using Ubuntu, looks at porn in firefox, and frequently saves image files (of teh girlies, obv), but doesn't download anything else or visit any really shady sites (cp, snuff, terrorist sites, etc.) has a compromised system? Should I be worried about losing my wallet and taking steps immediately, or am I being paranoid?

Tips are appreciated (very tiny tips are perfectly okay!) 13gDRynPfLH3NNAz3nVyU3k3mYVcfeiQuF
Alex Beckenham
June 07, 2011, 04:37:04 AM
 #56

> How likely is it that someone who's using Ubuntu, looks at porn in firefox, and frequently saves image files (of teh girlies, obv), but doesn't download anything else or visit any really shady sites (cp, snuff, terrorist sites, etc.) has a compromised system? Should I be worried about losing my wallet and taking steps immediately, or am I being paranoid?

Does your wallet contain your life savings or just pocket change? It's up to the individual to assess how important it is... how would you feel about losing it?

I think anyone with more than just a bit of pocket change should be paranoid about their wallet.dat.

Actually, even if you only have 0.01 btc... can you really say for sure how much USD that's going to be worth in a year or two?

ben-abuya
June 07, 2011, 12:55:40 PM
 #57

There are some solid solutions in this thread, which are especially relevant to people who have tens of thousands of dollars in bitcoins. The problem is that executing the steps is hugely dangerous in itself. If you're paranoid about your computer being infected with keylogging malware that will send off your wallet pass phrase to a thief, you should be even more paranoid that you're screwing up one of the steps, or that there's a tiny bug in your vaporware. Unless you're a well known target, the chances of you screwing up are probably vastly higher than somebody remotely paying attention to everything you do on your computer.

Personally, I'd much rather use a simple but fully functional open source tool, that's successfully being used by thousands of people and is open to public scrutiny, than any homegrown scripts and protocols. I just don't trust myself enough. Can we get an open source project like this going? I'd be willing to put in a bounty.

http://lamassubtc.com/
Lamassu Bitcoin Ventures
John Tobey
June 07, 2011, 02:58:44 PM
 #58

> There are some solid solutions in this thread, which are especially relevant to people who have tens of thousands of dollars in bitcoins. The problem is that executing the steps is hugely dangerous in itself. If you're paranoid about your computer being infected with keylogging malware that will send off your wallet pass phrase to a thief, you should be even more paranoid that you're screwing up one of the steps, or that there's a tiny bug in your vaporware. Unless you're a well known target, the chances of you screwing up are probably vastly higher than somebody remotely paying attention to everything you do on your computer.

Agreed.  I personally have put only a fraction of 1% of my BTC into the keys that I generated with my homegrown script, cited earlier in the thread.  I would put more in, but I first want to prove I can get the BTC out, which will require another round of vaporware to condense.  Even if successful, I will want to test successfully about 100 times to become confident that it doesn't sometimes fail.  Some more vaporware might help: transaction validation code extracted from a popular client.  And even then, to store a lot of wealth, I would probably distribute it among several addresses.

> Personally, I'd much rather use a simple but fully functional open source tool, that's successfully being used by thousands of people and is open to public scrutiny, than any homegrown scripts and protocols. I just don't trust myself enough. Can we get an open source project like this going? I'd be willing to put in a bounty.

My genkey.py is open-source, though not well tested as far as I know.  Are you thinking of a friendly front end for the key generator, plus an offline transaction signer and a patch to allow the official client (or BitcoinJ) to import and broadcast the transaction?  I plan to do this eventually (minus the friendly front end).  I might be encouraged to hurry up for some BTC.

Can a change to the best-chain criteria protect against 51% to 90+% attacks without a hard fork?
ben-abuya
June 07, 2011, 04:51:49 PM
 #59

John, I've been reading up on your threads -- great stuff! I like the idea of some tools being integrated into bitcoin itself, because it makes that part more authoritative (lots of people looking at it, good maintenance schedule).

I think you could get some really good security combining some of these ideas. For small checking accounts, you'd just use the standard Bitcoin client, probably on an encrypted volume, with backups. For large savings accounts:

1. Never use the standard Bitcoin client -- it connects to the Internet.
2. All sensitive work is done on an offline, LiveCD box. (See https://www.privacy-cd.org/)
3. The LiveCD has a command line tool that generates a new wallet with as many accounts as you want.
4. It requests a pass phrase, generates the wallet, and spits out the account codes in plain text. Signs all this stuff.
5. The pass phrase isn't stored anywhere, it's just used to encrypt the wallet and then forgotten. You can test that you entered the pass phrase correctly by attempting to decrypt the wallet on the LiveCD box. (This "verify" step should be a standard feature of the tool. It lets you feel safe that you can transfer money to the account.)
6. Copy the signed package to a USB drive and then to your regular computer and upload it all over the place.
7. Now transfer lots of bitcoins to one or all of the new addresses in the usual way.
8. To spend, use another tool on the internet computer to download the minimum amount of data needed to sign the transfer. This could be part of the standard client.
9. Export another signed package to the USB drive. Insert USB in the LiveCD box.
10. On the LiveCD box, run a transaction tool. It will ask you for an amount to transfer, recipient address to send to (or maybe let you choose from the original batch you generated), and your pass phrase. It will then write a certified transaction package to the USB drive.
11. On the internet box, use yet another tool to send in the transaction to bitcoin. This could also be part of the standard client.
12. Monitor with an online app, or another tool, or both.

This sounds like a ton of steps, but a lot of them are being done inside the tools and transparent to the user. They're all just a matter of moving a USB disk around and running a few commands. They've been thoroughly tested and they reassure you by acknowledging that you have the right pass phrase and that all your data has been checked for integrity. Ultimately, they could be consolidated into the standard client on the internet box, and an offline gui on the LiveCD box. This is also nothing new, I'm mostly paraphrasing John's previous steps, but it helps me organize it for myself and hopefully others.

1. We don't have to worry much about keyloggers or malware on the LiveCD box because: A. How would they get there? B. How would they send the intercepted data out? We still have to worry about physical keyloggers, but that's a threat most people don't have to worry about, and there are physical ways to handle that. Eventually there could be dedicated devices instead of the LiveCD box.

2. Make sure your pass phrase is really strong.

3. The biggest remaining danger is that you forget your pass phrase. I think the dead man's switch is a good way to approach this. You might have to do the whole USB shuffle once a month, but it would be great if this were built into the tools. You could even have your bitcoins sent to some online trusted entity after a year of no activity, as a final backstop.

See also:

Deterministic wallet
John's vaporware approach
Private key and wallet import/export
Private key import


http://lamassubtc.com/
Lamassu Bitcoin Ventures
brocktice
June 08, 2011, 02:16:39 AM
 #60

I had some "fun" trying to import a key to my workstation that was exported from my dedicated offline savings laptop. It didn't go very well.

In the end I decided for now that the savings laptop is probably enough. It's a little old laptop with a clean debian installation, no outward-open services except the bitcoin client, and it connects to the net through a NAT. I only connect it when I need to make a withdrawal. I decrypt the wallet and start bitcoin to xfer coins out, and then re-encrypt it, copy off the backup, and shred the original before shutting it down.

It's not ideal but it's far more functional than the totally-offline setup I had going. IMO it's very very unlikely that laptop is or will be compromised. I look forward to better key-management tools. Maybe it's time for a bounty?

http://media.witcoin.com/p/1608/8----This-is-nuts

My #bitcoin-otc ratings: http://bitcoin-otc.com/viewratingdetail.php?nick=brocktice&sign=ANY&type=RECV

Like my post? Leave me a tip: 15Cgixqno9YzoKNEA2DRFyEAfMH5htssRg