Bitcoin Forum
Author Topic: wallet security  (Read 222 times)
HNajafi (OP)
Newbie
*
Offline Offline

Activity: 6
Merit: 0


View Profile
April 03, 2021, 07:39:23 AM
 #1

How can one prove that different e-wallet generating websites (such as "https://walletgenerator.net/" and "https://www.bitaddress.org/") don't create the same e-wallet (with similar specifications)?
ranochigo
Legendary
*
Online Online

Activity: 2982
Merit: 4193



View Profile
April 03, 2021, 07:51:25 AM
 #2

I don't trust anything that requires the user to go online to generate any addresses. As the browser has to load the script from the website, it'll mean that it is totally possible that the site owner can insert a backdoor or any MITM attacks can happen as well. Browsers are not specifically designed to generate addresses anyways, I would rather just download a desktop wallet and do so myself.

However, if you want to see the script for bitaddress, go here[1]. During the generation, it calls for the CSPRNG function within the browser and salts the entropy with mouse movement as well as other random variables.

[1] https://github.com/pointbiz/bitaddress.org

HNajafi (OP)
Newbie
*
Offline Offline

Activity: 6
Merit: 0


View Profile
April 03, 2021, 08:16:49 AM
 #3

Do you know the best way to create a secure paper wallet?
Upgrade00
Legendary
*
Offline Offline

Activity: 2044
Merit: 2184


Professional Community manager


View Profile WWW
April 03, 2021, 08:23:15 AM
 #4

Quote
Do you know the best way to create a secure paper wallet?
You can create an address using a non-custodial wallet service like Bitcoin Core or Electrum;
• You'll be given a master private key or a seed phrase which gives you access to the balance on the wallet,
• Write down your private key on paper and store it in a secure location.

You can also use a more damage resistant material than paper for long term storage; which would be resistant to fires and other hazards.
You can also store your seed phrase in multiple secure locations as a contingency plan.

ranochigo
Legendary
*
Online Online

Activity: 2982
Merit: 4193



View Profile
April 03, 2021, 08:58:39 AM
 #5

Quote
Do you know the best way to create a secure paper wallet?
Rather than focusing on getting a paper wallet, try getting an airgapped wallet instead. Paper wallets are not very secure in the sense that it is only a backup method. The main thing that you should be focusing on is the generation and the spending part.

I'll probably just recommend you to search for guides to make an airgapped wallet. You can do so by using a LiveUSB with an OS distribution and just install and generate your wallet completely offline. You can also spend it offline by signing the transaction on that offline device and thus ensuring that the private keys and the seeds are never exposed.

BlackHatCoiner
Legendary
*
Offline Offline

Activity: 1526
Merit: 7401


Farewell, Leo


View Profile
April 03, 2021, 09:57:05 AM
 #6

Quote
How can one prove that different e-wallet generating websites (such as "https://walletgenerator.net/" and "https://www.bitaddress.org/") don't create the same e-wallet (with similar specifications)?
I hadn't heard about walletgenerator.net, so the chances for me to trust it are nearly zero. If you really want to go with the paper wallet way, I'd recommend downloading the source code of bitaddress.org somewhere locally and then using it offline. As ranochigo wrote, during the generation it's confirmed that it calls the CSPRNG function, which is a known one. Keep in mind that bitaddress.org has been used in the past by a lot of people and their source code has been studied. I wouldn't be that sure for walletgenerator.net.

Quote
Do you know the best way to create a secure paper wallet?
May I ask you why you want the paper wallet method? There are tons of reasons why you should avoid it, but the most important one is that you're having 1 address per wallet. You can achieve the same thing with Electrum, by storing a twelve-word seed phrase instead of a private key and you'll have access to as many addresses as you want.

Cons of paper wallet:
  • Only one address.
  • You write down the entire private key, which may result in possible mistakes.

(Example of a paper wallet that you'll have to print and write the proper values)


Pros of seed phrase:
  • Unlimited addresses.
  • You only write 12 words.

(Example of a seed phrase written on paper)



(By importing them to Electrum)


o_e_l_e_o
In memoriam
Legendary
*
Offline Offline

Activity: 2268
Merit: 18565


View Profile
April 03, 2021, 10:08:41 AM
 #7

Do not use walletgenerator! It is either a deliberate scam or has a terrible vulnerability which resulted in the same private keys and addresses being generated for different users, and users generating addresses which were already being used by someone else. You can see the details here - https://medium.com/mycrypto/disclosure-key-generation-vulnerability-found-on-walletgenerator-net-potentially-malicious-3d8936485961. You can also search and find plenty of threads on this forum and on Reddit of people who used this site and then had their coins stolen.

I would agree with ranochigo above - if you really want to back something up on paper, then use tried, tested, and verified wallet software to generate a seed phrase and back that (along with some receiving addresses if you like) to paper. It is preferable to backing up an individual private key in my opinion. It is easier to write down correctly and harder to get wrong, more easily recovered if you have made a mistake, you can generate multiple addresses and therefore not have to sweep and destroy it when you want to spend from it, you never have to worry about change being sent to an address you don't control, etc.
khaled0111
Legendary
*
Online Online

Activity: 2534
Merit: 2875


Top Crypto Casino


View Profile WWW
April 03, 2021, 11:12:31 PM
 #8

You should never generate your addresses online no matter how trusted the website is.
You have to download the script and inspect the source code line by line (if you have the skills to do so) then run it on an air gapped computer.
Why don't you create an HD wallet which is way easier to back up either digitally or physically and easier to restore?

HNajafi (OP)
Newbie
*
Offline Offline

Activity: 6
Merit: 0


View Profile
April 04, 2021, 05:02:41 AM
 #9

To protect against theft and scamming I need to know:
Do "paper wallets" and all cryptocurrency wallets (such as app wallets, hardware wallets and...) just store the public and private keys in themselves (with different encryption methods)?
Which one of them has other mechanisms for protecting against theft, such as confirming transactions via email confirmation, SMS code, or...?
pooya87
Legendary
*
Offline Offline

Activity: 3458
Merit: 10572



View Profile
April 04, 2021, 05:16:06 AM
 #10

Quote
To protect against theft and scamming I need to know:
Do "paper wallets" and all cryptocurrency wallets (such as app wallets, hardware wallets and...) just store the public and private keys in themselves (with different encryption methods)?
Paper wallet is something you create so it depends on what you do and what tool you use.
For example a good method for creating paper wallet is using a deterministic wallet application offline to generate a seed phrase and writing that down on a piece of paper. So you end up with a mnemonic (not public/private key, not addresses either).
As for encryption you have to choose encryption yourself too. For example when creating a paper wallet using a single private key you can use BIP38 to encrypt it with a strong password.

Quote
Which one of them has other mechanisms for protecting against theft, such as confirming transactions via email confirmation, SMS code, or...?
These methods don't add any security and there is no third party with access to your secrets to send you any kind of confirmation code such as SMS, etc. You do everything on your own including generation of the keys and you must do it offline (on an airgap computer).

o_e_l_e_o
In memoriam
Legendary
*
Offline Offline

Activity: 2268
Merit: 18565


View Profile
April 04, 2021, 08:08:18 AM
 #11

Quote
Do "paper wallets" and all cryptocurrency wallets (such as app wallets, hardware wallets and...) just store the public and private keys in themselves (with different encryption methods)?
Essentially yes, all wallets are just different ways of storing private keys. Good ones such as paper wallets or hardware wallets are safest because they store them offline, mobile wallets and desktop wallets are not as safe because they are stored on devices which connect to the internet, and web wallets and some app wallets are the least safe because someone else stores them for you.

Quote
Which one of them has other mechanisms for protecting against theft, such as confirming transactions via email confirmation, SMS code, or...?
The only way to achieve this is by having a third party hold your coins, or using a multi-sig set up with a third party holding one of your private keys. Storing your coins entirely with a third party is not recommended for a wide variety of reasons (scams, hacks, poor security, poor privacy, being locked out of your accounts, KYC demands, etc.) so I wouldn't do this. The only other option I am aware of is setting up an Electrum wallet using their built in 2FA option. This sets up a 2-of-3 multi-sig with a provider called "Trusted Coin" who will co-sign every transaction you make after you provide a 2FA code from your mobile authenticator app. Note that this service charges their own fee, and because it is multi-sig, your transactions will be larger in size and therefore your network fee will also be larger.
sheenshane
Legendary
*
Offline Offline

Activity: 2422
Merit: 1228


Cashback 15%


View Profile WWW
April 04, 2021, 03:34:30 PM
Last edit: April 05, 2021, 03:26:40 PM by sheenshane
 #12

Quote
Which one of them has other mechanisms for protecting against theft, such as confirming transactions via email confirmation, SMS code, or...?
It's a multi-sig wallet feature and I tend to agree with what o_e_l_e_o said above regarding your question and that is a multi-sig wallet set up. But if you're a newbie to this kind of wallet, this isn't advisable because it isn't simplified enough for average users, it should be better if you know what you're doing, and putting an extra security level like this might be good but it all depends on how you keep it. It should always separate your mobile phone wallet and desktop wallet without any backup on the device and paper wallet in a separate location.

Here are the wallets that support the multi-sig feature.
  • Electrum
  • Armory
  • Coinbase
  • Copay
  • BitGo

Edited:


dkbit98
Legendary
*
Offline Offline

Activity: 2240
Merit: 7183



View Profile WWW
April 05, 2021, 08:21:40 AM
Merited by sheenshane (1)
 #13

Quote
Here are the wallets that support the multi-sig feature.
  • Coinbase
  • Copay
  • BitGo

Have you even checked that source before you recommended this?
Copay wallet doesn't even exist anymore, and Coinbase/BitGo are not really wallets but more centralized services that support multisig feature.
I made a list of most multisig wallets excluding hardware wallets that have some issues:


More information can be found in Multisig Wallets topic.
