Bitcoin Forum
Author Topic: Wallet security architecture  (Read 148 times)
KiaKia (OP)
January 13, 2023, 07:20:31 PM
 #1

How do AES 256 encrypted keys work in a crypto wallet? Does this make a crypto wallet more secure in any form?
pooya87
January 14, 2023, 04:27:06 AM
Merited by ABCbits (1)
 #2

The encryption is used in bitcoin wallets to try to eliminate the chance of losing your coins in case someone gained access to your wallet file. The details of the implementation depend on the wallet software that is used, but generally the private keys remain encrypted on disk until you want to use the private key for things such as spending your coins, in which case the software asks for your passphrase, which is used in the AES algorithm to decrypt the key, which is kept temporarily in memory and discarded after the job is done.

bullrun2024bro
January 14, 2023, 12:52:11 PM
 #3

Quote: How do AES 256 encrypted keys work in a crypto wallet? Does this make a crypto wallet more secure in any form?

Using AES 256 encryption for your private keys does indeed make your Bitcoin wallet more secure. It is basically an extra barrier for attackers to get through in order to steal your keys. Plus, AES 256 is a pretty advanced encryption method (industry standard). So it's going to take quite a lot of computational power to break it.

Quote: AES 256 is widely used, so your wallet should be secure by industry standard assuming you don't use a weak password.

Agree, you mentioned one crucial point here:

No security measure is foolproof. So one should always make sure to also take other security measures like using a unique and strong password (which is one of the biggest beginner mistakes IMHO), and keeping your device locked and secure at all times of course.

joniboini
January 15, 2023, 08:13:30 AM
 #4

Quote: AES 256 is widely used, so your wallet should be secure by industry standard assuming you don't use a weak password.

Is there any reliable tool to test whether a password is weak or not? I'm aware of some online websites that test your password entropy but I don't feel safe using an online website for it. While I can download the page, the question of reliability comes up. I've been using KeePass to generate at least 100 bits of password for every account that I use, but some websites or apps, unfortunately, don't allow creating passwords with more than 8 characters.

Fortunately, most wallets don't have such limitations. CMIIW.

bullrun2024bro
January 15, 2023, 12:07:19 PM
 #5

Quote: Is there any reliable tool to test whether a password is weak or not? I'm aware of some online websites that test your password entropy but I don't feel safe using an online website for it.

This chart might give you a hint whether your password is weak or not. Always remember to combine uppercase and lowercase letters, numbers and symbols. Also make it at least 12 or more characters. Especially if you're setting passwords for sensitive services like Bitcoin exchanges, bank accounts or email addresses.



Source: https://www.statista.com/chart/26298/time-it-would-take-a-computer-to-crack-a-password/

Quote: While I can download the page, the question of reliability comes up. I've been using KeePass to generate at least 100 bits of password for every account that I use, but some websites or apps, unfortunately, don't allow creating passwords with more than 8 characters.

KeePass works fine, I agree. By using that, you're probably doing better than 95% of regular internet users.

DdmrDdmr
January 15, 2023, 02:59:03 PM
Merited by bullrun2024bro (1)
 #6

Quote: <…> I've been using KeePass to generate at least 100 bits of password for every account that I use, but some websites or apps, unfortunately, don't allow creating passwords with more than 8 characters.

You can though create an entry on KeePass and ask it to generate a password with only 8 characters to fit the website’s delimitation (press key icon to the right of the "Repeat" field -> Open Password Generator -> Length of generated password (adjust)).

<…>
Statista’s referenced article is dated December 2021, though I’ve seen an archived end of 2020 version of the original site showing the same results when I tested a couple of password cases (see here).
The data coincides largely with a 2020 table in this comparison. Now the interesting thing about this comparison is how these time references get shattered year after year, or using different equipment.

This is Hive Systems’ 2022 equivalent table:


Notice how, for example, a 12 character password maxed-out in complexity, takes 34K years to crack according to Statista’s chart, but the time goes down by over a factor of 10 in Hive’s 2022 table (3k years).
tbct_mt2
January 15, 2023, 05:09:53 PM
 #7


Quote: The data coincides largely with a 2020 table in this comparison. Now the interesting thing about this comparison is how these time references get shattered year after year, or using different equipment.

Quote: This is Hive Systems’ 2022 equivalent table:

Quote: Notice how, for example, a 12 character password maxed-out in complexity, takes 34K years to crack according to Statista’s chart, but the time goes down by over a factor of 10 in Hive’s 2022 table (3k years).

Brute forcing a password and the time to break it depend on the complexity of the password and the calculation power of the equipment. The more powerful the equipment, the shorter the time to break a password with the same complexity.

You noticed a very good point that with the same method but equipment of different calculation power, a table would be different.

It is the reason for the differences between the two tables from Statista and Hive Systems. They are only one year apart. So using a little more than 12 characters for a password with good complexity can help us have a better password.

I don't like to use password generator software but will try to use a long password with good complexity created by myself. I know the advantage of password generator software but I'm more worried about their data leaks.
witcher_sense
January 16, 2023, 08:38:35 AM
 #8

Quote: Is there any reliable tool to test whether a password is weak or not? I'm aware of some online websites that test your password entropy but I don't feel safe using an online website for it. While I can download the page, the question of reliability comes up.

One of the tools I know is https://www.security.org/how-secure-is-my-password/. It estimates how much time it will take for a computer to crack your password and also analyzes it from a security perspective: password length, patterns, character variety, etc. Their methodology can be found at the bottom of the page. Regarding reliability, you should always assume that everything you type in a search field gets collected, analyzed, stored, and intercepted by hackers, which means you should never check the passwords you are going to use for your accounts. That also means you shouldn't even check similar passwords because it may expose information about password length and alphabet preferences.

DdmrDdmr
January 16, 2023, 09:02:08 AM
 #9

<…>
I checked the site out yesterday, obviously trying out fake passwords, and what it seems to be doing is responding in accordance with Statista’s/Security.org’s 2020ish table. It doesn’t however appear to change the estimates based on the specific content, but rather on a generic analysis of the password structure.

i.e. it renders the same results for "Aa&123456789" as for "$(agTPk1CmZ%". Likely, the former should be easier to crack than the latter, despite the overall pattern being the same (upper, lower, number, symbol).
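
Added example, not part of the thread or any poster's code: a small Python estimator that runs locally and contrasts a structure-only estimate with a content-aware one for the two passwords compared in post #9. The run discount in `content_bits` is a constructed heuristic, and the guess rate passed to `years_to_crack` is an assumed figure that depends on the equipment, as discussed in post #7.

```python
import math
import string

# Character classes and their sizes, as a structure-only estimator sees them.
CLASSES = [(string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
           (string.digits, 10), (string.punctuation, 32)]
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def structure_bits(pw):
    """Entropy in bits if every character were random within the classes used."""
    pool = sum(size for chars, size in CLASSES if any(c in chars for c in pw))
    return len(pw) * math.log2(pool) if pool else 0.0

def longest_run(pw):
    """Longest ascending, descending or repeated run, e.g. 9 for '123456789'."""
    best, run, step = min(len(pw), 1), 1, None
    for a, b in zip(pw, pw[1:]):
        d = ord(b) - ord(a)
        if d in (-1, 0, 1):
            run = run + 1 if d == step else 2
            step = d
        else:
            run, step = 1, None
        best = max(best, run)
    return best

def content_bits(pw):
    """Structure estimate, discounted for one predictable run (constructed heuristic)."""
    bits, run = structure_bits(pw), longest_run(pw)
    if run < 3:
        return bits
    per_char = bits / len(pw)
    # A run is fixed by its first character and its length, not by `run` random picks.
    return bits - (run - 1) * per_char + math.log2(run)

def years_to_crack(bits, guesses_per_second):
    """Average brute-force time: half the search space at the given guess rate."""
    return 2 ** bits / 2 / guesses_per_second / SECONDS_PER_YEAR

if __name__ == "__main__":
    for pw in ("Aa&123456789", "$(agTPk1CmZ%"):  # the two passwords from post #9
        s, c = structure_bits(pw), content_bits(pw)
        # 1e11 guesses/s is an assumed rate; faster hardware shrinks every figure.
        print(f"{pw}: structure {s:.1f} bits, content-aware {c:.1f} bits, "
              f"{years_to_crack(c, 1e11):.3g} years at 1e11 guesses/s")
```

Both passwords score the same on structure alone, while the content-aware figure drops sharply for the one built around "123456789".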
joniboini
January 16, 2023, 11:48:38 AM
 #10

Thanks for all the replies and suggestions. Fortunately, most of my passwords are good enough at least by today's standards. Unfortunately, some services that I use still put such weird limitations on password characters that weaken the security.

Quote: Usually only online accounts have such weird limitations, so there's no need to worry about that. And if you come across a wallet which has such a limitation, I'd avoid that wallet since it's likely they have other weird or poor security measures.

True. I wonder why they do that, I don't think it takes many server resources if I can use a 100-character password or something similar. Fortunately, most crypto apps don't follow the same thing.

Quote: You can though create an entry on KeePass and ask it to generate a password with only 8 characters to fit the website’s delimitation (press key icon to the right of the "Repeat" field -> Open Password Generator -> Length of generated password (adjust)).

Thanks for the info. I already know this but I just want to try to test the security with another reliable tool, if there is any. That being said, I probably should avoid websites like that unless it's absolutely necessary to use them.
