Which wallet for a long term storage?

[o_e_l_e_o]

Since you are giving it to a family member, I would also recommend that you keep a copy of this private key as well. I have family members who do not touch the address, and have "lost" the only copy of the private key, fortunately I have a backup for them.

If they can't be trusted to keep a paper wallet safe, then why give it to them at all? If you are going to keep a copy safely yourself anyway, then why risk them losing their copy and having someone steal the coins? Why not just create a wallet for them, store it yourself, and hand it over to them in 5/10/whatever years' time? You can tell them you've done so and where to find/access the wallet should something happen to you in the meantime.

This is partly why I think it's better to get someone to create their own wallet and them send some coins to them, rather than just handing them a pre-loaded wallet. If they are willing to spend the time to educate themselves on how to set up, back up, and securely store a wallet, then they are far more likely to keep it safe and not be careless with it.

[1715107361]

1715107361

[1715107361]

1715107361

[1715107361]

1715107361

[rdluffy]

Thank you guys, again to help me
I'll use a paper wallet generated on https://www.bitaddress.org/

This method will fit my needs, I'll print a paper wallet, generated with the app above, totally off-line, and them I'll send 100 USD and gave this to my niece
As I said before, she's not so old, so I have to create for her and gave in a paper format, it's awesome, and I'll grab a copy for me just in case she lost, but the lesson here is to learn about BTC, investments, and how to deal with money

 

[pooya87]

I'll use a paper wallet generated on https://www.bitaddress.org/

FWIW you don't need to use a "paper wallet generator" to generate a "paper wallet". in fact it may be best if you don't use that because it only generates single unrelated keys for you.
basically a paper wallet is a "secret" printed on piece of paper (or any other medium). so you can use any wallet that lets you export keys to do that. for example you could use bitcoin core and dumpwallet to get a private key and print it.

a better solution is to use an HD wallet (like Electrum for example) and create a mnemonic (seed phrase) and print that on paper. this method solves a problem with paper wallets that you must throw them away after you use them. for example if you store 1BTC in a paper wallet and the other day wanted to spend 0.1BTC you must create another paper wallet and spend 0.1BTC while sending the remaining 0.9BTC to that NEW wallet. with an HD wallet (the mnemonic) you don't need to do that anymore since you can create as many key pairs as you want and when you use one you simply send the rest to the next key.

[o_e_l_e_o]

a better solution is to use an HD wallet (like Electrum for example) and create a mnemonic (seed phrase) and print that on paper.

This is a good solution, but I wouldn't recommend Electrum since it generates non-BIP39 phrases, meaning that importing to other wallets in the future could run in to compatibility issues. Any time I have wanted to generate a seed from scratch, I have either used a freshly reset hardware wallet or https://iancoleman.io/bip39/ run on a live OS on an airgapped machine. For extra security, you can use Ian Coleman's site to input your entropy from flipping a coin or rolling a die.

[figmentofmyass]

a better solution is to use an HD wallet (like Electrum for example) and create a mnemonic (seed phrase) and print that on paper.

This is a good solution, but I wouldn't recommend Electrum since it generates non-BIP39 phrases, meaning that importing to other wallets in the future could run in to compatibility issues.

this point is debatable IMO.

electrum doesn't implement BIP39 specifically because it has compatibility/portability issues. they documented their motivation for not using it here: https://electrum.readthedocs.io/en/latest/seedphrase.html#motivation

core developer andrew chow has said this about BIP39, to explain why it will never be implemented in bitcoin core:

Also, more generally, many Bitcoin Core contributors don't consider BIP 39 to be secure. It uses PBKDF2 which is generally regarded to be a fairly weak KDF so it isn't considered to be good for the secure storage of all of your Bitcoin. Some software (such as Electrum) used BIP 39 in the past but have switched to using their own mnemonic algorithm because of this weakness in BIP 39.

https://bitcoin.stackexchange.com/questions/88237/is-there-a-reason-to-why-bitcoin-core-does-not-implement-bip39

also this:

However, some of the data in a BIP39 phrase is not random,[2] so the actual security of a 12-word BIP39 seed phrase is only 128 bits.
https://en.bitcoin.it/wiki/Seed_phrase#Explanation

With the standard values currently used in Electrum, we obtain: 2^(132 + 11 - 8 ) = 2^135. This means that a standard Electrum seed is equivalent, in terms of hashes, to 135 bits of entropy. https://electrum.readthedocs.io/en/latest/seedphrase.html#motivation

i have cold storage wallets generated with electrum on an airgapped PC. i feel secure with this setup. the electrum developers have shown a lot of foresight re compatibility.

[o_e_l_e_o]

Genuine question, not just trying to be contrary: How does the weakness in using 2048 rounds of PBKDF2 make any difference here? Provided the seed phrase is generated securely on an airgapped machine and written on a single piece of paper, then the only weakness* is the piece of paper being found by an attacker. If that happens, then it is irrelevant whether the seed phrase is BIP39 or Electrum, the funds will be stolen.

The secondary point regarding BIP39 phrases having less entropy than Electrum phrases is easily countered by using 24 words instead of 12.


*Assuming we are not including someone attempting to brute force every possible 128 bit seed.

[figmentofmyass]

Genuine question, not just trying to be contrary: How does the weakness in using 2048 rounds of PBKDF2 make any difference here?

assuming the keys are generated securely, it probably doesn't, but we need to consider how people actually generate keys. it doesn't make sense to assume everyone uses best practices.

one problem with BIP39 seeds is they can be generated as brain wallets:

Well, the checksum for a 128-bit seed is only 4 bits, so you have a 1 in 16 chance of passing on the first try, and otherwise you can just change a couple of the words until you do. – Nate Eldredge Jun 8 '19 at 4:23

As an illustration, it only took about a minute of random guessing to come up with the valid BIP 39 phrase baby baby baby baby baby baby baby baby baby baby baby zebra. – Nate Eldredge Jun 8 '19 at 4:26

https://bitcoin.stackexchange.com/questions/88237/is-there-a-reason-to-why-bitcoin-core-does-not-implement-bip39

If the keys are chosen securely then there is no gain from having a KDF (and no real harm in having a weak one, except for code complexity). If people use it like a brainwallet then given what we know about how users choose "random secrets" then the KDF is seriously inadequate; considering the infrequency of use and the huge attacker advantages (precomputation because brainwallet schemes cannot be effectively salted, and hardware advantages) you'd likely want something that takes several seconds on the best hardware the user has access to.

The secondary point regarding BIP39 phrases having less entropy than Electrum phrases is easily countered by using 24 words instead of 12.

the same can be done with electrum of course. https://bitcointalk.org/index.php?topic=1989877.msg19823236#msg19823236

this point is unimportant either way, but i would say default user behavior is what matters, not best practices. 12 word seeds = the default across most wallets. i suspect very few people would generate a 24 word seed when using ian coleman's site.

anyway, we're going off on a tangent from the original issue---whether BIP39 is necessary re compatibility. i still say no. there is no reason to discourage people from using electrum in this capacity.

[o_e_l_e_o]

it doesn't make sense to assume everyone uses best practices.

one problem with BIP39 seeds is they can be generated as brain wallets

Agreed, which is why I mentioned either using a hardware wallet or manually generated entropy via Ian Coleman's site to generate the seed phrase. Although obviously brain wallets are a massive security risk, I don't think it's necessarily fair to judge a method by how it can be misused. I could create a wallet with Electrum, and then save my seed phrase in plain text on my email account. It wouldn't be the fault of Electrum or their method for generating seed phrases when all my coins are stolen.

Thanks for the quotes and the links. Made for interesting reading.

anyway, we're going off on a tangent from the original issue---whether BIP39 is necessary re compatibility. i still say no. there is no reason to discourage people from using electrum in this capacity.

My thought process was more along the lines of thinking about OP's niece, who he says is very young and has zero knowledge about bitcoin and related matters. Unless he also leaves clear instructions that the seed is an Electrum seed, she could spend a long time inputting the seed in to a variety of different wallets (and risking its security each time) before realizing where she was going wrong.

[pooya87]

I don't think it's necessarily fair to judge a method by how it can be misused.

this is what i also think.
as for BIP39 and usage of PBKDF2 i believe usage of this KDF has nothing to do with security. it seems to me that the creators of this BIP wanted a way to let the user store the entropy (which is seen as the set of words) but be able to derive a different BIP32 seed from it and end up with an entirely different set of keys.
to achieve that you'll need a cryptography function that takes two inputs: a data and a salt. there are a lot of options, from HMACs to KDFs. a simple HMAC-SHA512 would have done the same job and an extremely expensive scrypt KDF would have done the same job. but the former would have been too fast and the later too slow. and you have to consider users who wouldn't like it if their initial wallet setup took 1-2 minutes.
since the point was not security but at the same time they wanted to make it a bit expensive choosing PBKDF2 is a good choice in my opinion but as long as people don't see it as a security thing such as a way to encrypt their mnemonic.