What are keys and which ones are "secret"?

[farafara]

would like to see if someone could use the scenario below so it is relatable to me.  i'm really confused.  a real amateur here so forgive the elementary questions.

to get into my crypto wallet app i have a password, or fingerprint log in option. setting up the the wallet, had to write down a bunch of random words or some other weird sequence of things .. for recovery it said. and in order to send or receive crypto, there is a long code that is used. so this is a collection of passwords and codes i use during a crypto process either from coinbase or wallet.

questions - from the scenario above, what is considered a "key"? which ones are secret keys? which ones are the ones that get hijacked and hackers steal your crypto? is the recovery list of words a crypto version for "forgot password"?

by the things i read online, it feels like everyone gets their crypto hijacked. like nothing is safe. like one could just do nothing and someone can get into your wallet and/or coinbase for example and steal your stuff. or is this an exception to the rule just like a normal "bank account" could be somehow hacked? it just feels that in the crypto world it happens all the time and any minute.

thank you for your help.

[1714061918]

1714061918

[1714061918]

1714061918

[jackg]

People get hacked if they:
1. Use a weak password on a Web wallet like coinbase
2. Download random unknown sources (but if this doesn't shout "hace me" anyway then I don't know what does...
3. Are prone to social engineering attacks.

Your mnemonic phrase is a recovery seed as a backup. Each word in the phrase is a number between 1 and 2048.

Your private key should NEVER be shared with untrusted entities and should be stored encrypted on online machines as well as your mnemonic.

Your public key and address may be shared but for security and privacy its recommended you don't reuse an address.

If you can imagine it as 2 different number elements

Think of your public key as A
Your private key is A.S (where both S and A.S are kept secret to protect S).
Your address is then a hash of A for a additional layer of security which at the moment is redundant but is in there in case either of the functions gets broken.

Think of a hash as taking a large number and finding its remainder: 5%2=1 but when just given 1 and 2 we don't know explicitly it was divided by 5 to get that remainder. This is similar to how hash functions work but they work on a larger scale (and their general function is different from this).

[mk4]

to get into my crypto wallet app i have a password, or fingerprint log in option.

The password and fingerprint option is just there for you to be able to unlock the app, and to prevent people that borrow/steal your phone from accessing your wallet.

had to write down a bunch of random words or some other weird sequence of things .. for recovery it said.

This is pretty much the main "key". If you give other people access to those 12-24 words, they can steal your money. Make sure to protect it, by not storing the 12-24 words digitally. Instead, write it down on a piece of paper as to virtually make it impossible for hackers to access.

is the recovery list of words a crypto version for "forgot password"?

Nope. You lose access to your keys, you lose access to your funds. This is one of the "disadvantages" of Bitcoin; it's the fact that you need to be personally responsible with your security.

by the things i read online, it feels like everyone gets their crypto hijacked. like nothing is safe. like one could just do nothing and someone can get into your wallet and/or coinbase for example and steal your stuff. or is this an exception to the rule just like a normal "bank account" could be somehow hacked? it just feels that in the crypto world it happens all the time and any minute.

It does happen a lot, but it's mostly because people are careless as hell. People have been so used to the "forgot password" solution that they don't know how to properly secure their assets.

Lastly, check out: https://notyourkeys.org/

[Salauddin1994]

Coinbase is much better for storing coins many crypto traders use coinbase but the reason your crypto has been hijacked is because the password is weak and you have shared your private key with someone else this is why your wallet has been hacked. I don't think it's possible to recover but if you keep your confidential information in a safe place and use 2 fa code it keeps it much safer hackers can't hack easily crypto will be much more secure and will not be able to log in knowing confidential information.

[harizen]

In order to protect your exchange account (for example you have mentioned, Coinbase), you need to secure your email passwords, exchange password, and set up a Multi-factor authentication on both.  

In order to protect your desktop wallet, having anti-virus installed can be considered just in case you have the habit of clicking and downloading at random sources. Or if you are not comfortable having anti-virus installed on your system, you can use the default Windows Defender (Windows 10) and be used to have a regular scan of your system via Malwarebytes scanner.

questions - from the scenario above, what is considered a "key"? which ones are secret keys? which ones are the ones that get hijacked and hackers steal your crypto? is the recovery list of words a crypto version for "forgot password"?

I don't know what wallet you are referring too but upon creating one, if there's a notice that you need to save those words, then just saved it and keep it to yourself. It's like protecting your other important credentials such as online banking, email, and even your Facebook account.

The list of words is your backup, not just only when you want to recover your wallet but in an event wherein you will use your wallet on another device.

I suggest spending time learning the difference between custodial and non-custodial wallets. You can make a conclusion about these keys, passwords, etc. after learning those.

[mk4]

Coinbase is much better for storing coins many crypto traders use coinbase but the reason your crypto has been hijacked is because the password is weak and you have shared your private key with someone else this is why your wallet has been hacked. I don't think it's possible to recover but if you keep your confidential information in a safe place and use 2 fa code it keeps it much safer hackers can't hack easily crypto will be much more secure and will not be able to log in knowing confidential information.

People having weak passwords is just one way of their funds getting stolen on exchanges. No matter how secure your password is, if the exchange itself gets hacked, say goodbye to your money.

But yea, "Coinbase is much better for storing coins" is hugely debatable. I personally think that if you know how to use a computer, you can also easily educate yourself on how to protect yourself online. On the other hand, for our older folks that don't even know how to use a smartphone, custodial services like Grayscale might be a better idea.

[farafara]

Salaudin.. i was not hacked.  i was just asking about why i hear so much crypto pirating.

mk4, i'm so paranoid i don't click on links at all.  like the link you posted i was scared to click on it and so i googled it and looked at search results and from there i went to the site itself lol.  this is how paranoid i am about clicking on stuff.  that's excellent info on that page thank you! easy breakdown.

btw, i do have 2 factor authentication thing on all platforms i use so i guess that's a good move thanks for confirming. 

guys. thank you thank you!!! exactly what i needed.  follow up question for jackg.  if mk4 or harizen can help i would really appreciate it too:

jackg said: Your public key and address may be shared but for security and privacy its recommended you don't reuse an address. - my question: from what i wrote in the original post, which ones are considered a "public key".  are they the codes i use to send and receive crypto?  if it is, that is generated for me when i click on "send" or "request" buttons and i just copy paste from there. so when you say it should not be reused, how do i change it?

[mk4]

mk4, i'm so paranoid i don't click on links at all.  like the link you posted i was scared to click on it and so i googled it and looked at search results and from there i went to the site itself lol.  this is how paranoid i am about clicking on stuff.  that's excellent info on that page thank you! easy breakdown.

Which is good. Trust no one online. Verify everything, even what we say here.

jackg said: Your public key and address may be shared but for security and privacy its recommended you don't reuse an address. - my question: from what i wrote in the original post, which ones are considered a "public key".  are they the codes i use to send and receive crypto?  if it is, that is generated for me when i click on "send" or "request" buttons and i just copy paste from there. so when you say it should not be reused, how do i change it?

Without being too technical, the public key is the "address". Yes, pretty much the string of characters that you hand over if you want to receive money. The string of characters that mostly starts with:

• 1xxxxxxxxxxxxxxxxxxxxxxxx
• 3xxxxxxxxxxxxxxxxxxxxxxxx
• bc1xxxxxxxxxxxxxxxxxxxxxx

As for reusing, what wallet do you actually use? Because most wallets nowadays gives you a different address whenever you click on the "receive" button after receiving funds on the past provided address.

Also, since most wallets change wallet addresses every time you receive money, old addresses from the same wallet are re-usable; it's just not recommended due to privacy reasons but totally fine in terms of security.

[Upgrade00]

mk4, i'm so paranoid i don't click on links at all.  like the link you posted i was scared to click on it and so i googled it and looked at search results and from there i went to the site itself lol.  this is how paranoid i am about clicking on stuff.  that's excellent info on that page thank you! easy breakdown.

This is fair, understanding the risks associated with an action helps to prevent you from falling victim. But rather than trusting yourself to be completely safe while browsing, a better option would be to store your bitcoins on a hardware wallet or an old laptop or mobile device which would be off the internet. On such airgapped device your funds are safe from attacks. Of course, if you do not hold too much bitcoins at the moment (<$50), it may not be worth it getting a hardware device just yet, so you can use your device while practicing all safety measures. Some more safety tips
• Use an ad blocker, so when you search on an engine to protect you from pop up ads or any other malicious link or you use a privacy centered engine, like; duckduckgo or Searx

[farafara]

Ahhhhhh. interesting!!!!

Actually I keep my bitcoin in coinbase.  I use xumm wallet for xrp and MEW wallet for etherium.  I am preparing for the spark airdrop.  I need to explore a wallet in an old laptop. I have one that is never connected. (long story lol)

So when I send bitcoin from coinbase to kukoin for example to buy altcoin, that address is likely different every time? I honestly didn't check.  But what you said makes me more comfortable mk4.  I'm not so much worried about privacy as I am for security.  So that's good news right there.

Extremely good info guys  I truly appreciate it. I was expecting some pushback because I am so oblivious to this process it's tough to even put my question together . and the lingo is so confusing. I'm just trying to hold on for dear life so that this digital currency stuff doesn't sky rocket without me  .. that's what it feels like.  Every time I turn around something new is happening. I can't keep up with the world anymore properly.

[Yogee]

....
from what i wrote in the original post, which ones are considered a "public key".  are they the codes i use to send and receive crypto?  if it is, that is generated for me when i click on "send" or "request" buttons and i just copy paste from there. so when you say it should not be reused, how do i change it?

I'm just adding to mk4's answers.

The "public address" is generated from the "public key".
It's like a "shortened" public key.
It's the hash of the public key if you want a more technical answer.

So the characters that you see when you click "receive" in your crypto app isn't the public key but the public address.

[farafara]

thank you yogee!   I should have just come here to ask about this stuff to begin with.  I am so busy during the day I barely have time to eat. Having to research this stuff has been so tiresome and stressful. When you read the answer to what you search it's answered with MORE words that I don't understand ... so I have to research again and again and it never ends.  I have bits and pieces that I understand and was having a hard time putting it together.  The stuff is in my head but it's not clear... It's blurry. With your help, it's become a bit more clear.

This has been so great. Again thank you ALL 🤗♥️

[mk4]

So when I send bitcoin from coinbase to kukoin for example to buy altcoin, that address is likely different every time? I honestly didn't check.  But what you said makes me more comfortable mk4.  I'm not so much worried about privacy as I am for security.  So that's good news right there.

Haven't really tried KuCoin for a while so I really don't know, but most exchanges and wallets do change the receive addresses. Though having less privacy is bad, sending funds to a wrong address(effectively losing your funds in the process) is far worse so make sure to double check addresses every time you're sending. Remember, clipboard hijacking malware that's specifically made to steal your coins exists so be wary.

[webtricks]

Adding more details to already well-detailed answers:

to get into my crypto wallet app i have a password, or fingerprint log in option.

The password and fingerprint option is just there for you to be able to unlock the app, and to prevent people that borrow/steal your phone from accessing your wallet.

Some wallets use password as 'passphrase' in PBKDF2 function for key-stretching the seed phrase (12-24 words). In such cases, user has to input same password while importing seed phrase. Otherwise, user won't see same addresses in the wallet.

So when I send bitcoin from coinbase to kukoin for example to buy altcoin, that address is likely different every time? I honestly didn't check.  But what you said makes me more comfortable mk4.  I'm not so much worried about privacy as I am for security.  So that's good news right there.

Haven't really tried KuCoin for a while so I really don't know, but most exchanges and wallets do change the receive addresses. Though having less privacy is bad, sending funds to a wrong address(effectively losing your funds in the process) is far worse so make sure to double check addresses every time you're sending. Remember, clipboard hijacking malware that's specifically made to steal your coins exists so be wary.

KuCoin doesn't change the receiving addresses. In-fact, most of the centralized exchanges like Binance and KuCoin have 'one address per user' policy. So user is always at risk of losing privacy when sending bitcoins to the centralized exchanges.

[Maus0728]

@farafara

You'll understand the concept of "reused address" more if you also used Electrum wallet which is a very good example in this case.



The string of characters inside the box are your bitcoin address that has been derived from your public keys upon creating your wallet. In this case you are using Legacy (P2PKH) whose addresses start with 1. Take note that all receiving address are the addresses which you can use for receiving/depositing bitcoin however, it is not advisable to use them twice for security and privacy purposes.

The most private and secure way to use bitcoin is to send a brand new address to each person who pays you. After the received coins have been spent the address should never be used again. Also when sending money to people always ask them for a brand new bitcoin address.

So when I send bitcoin from coinbase to kukoin for example to buy altcoin, that address is likely different every time? I honestly didn't check.  But what you said makes me more comfortable mk4.  I'm not so much worried about privacy as I am for security.  So that's good news right there.

Unfortunately, Kucoin does not give you a brand new bitcoin address even after you used their deposit address. They will only give you 3 different kinds of bitcoin deposit address which are prone for address reuse:  Native-BTC, Segwit-BTC and TRC20-BTC

[ranochigo]

@farafara

The string of characters inside the box are your bitcoin address that has been derived from your public keys upon creating your wallet. In this case you are using Legacy (P2PKH) whose addresses start with 1. Take note that all receiving address are the addresses which you can use for receiving/depositing bitcoin however, it is not advisable to use them twice for security and privacy purposes.

The security part should be a non-factor. The main problem with address reuse is the fact that public keys are leaked but honestly I doubt that would be an issue for now. It did help to somewhat mitigate the effects of having a problematic RNG though where multiple signatures are using the same K. But that is solved with RFC 6979 as well.

The privacy part cannot be mitigated if the exchange doesn't want to use a different address but I imagine the cumbersome process to monitor too many addresses. For some use case, it's inevitable for transactions to be linked to the exchange but the source of the coins could be masked using a mixer as well.