The paranoid user's security guide for using Electrum safely.

[NotATether]

We all know the basic stuff like "double-check addresses you are pasting" and "only use Electrum.org" and "verify the GPG signatures after downloading", but what if you wanted to have true piece of mind that your funds are indeed safe inside Electrum? That's why I have created this short guide of things you should be checking so that you can always be at peace of mind that your funds, no matter how little they might be, are safe in your wallet. So without further ado, let's begin.

Verifying OS integrity

Even if your Electrum is genuine, if your OS is compromised then it's game over. So these measures can help you control the software running on your computer.

- Do not download cracked software from random websites, because almost of the time, it is just cheap malware. Resist the urge of taking the cheese, so the mouse trap does not fall on you.
- Do not click on random links in your email that ask you for bitcoins or say that you have won some bitcoins. These are specialized phishing attempts designed to steal all of your crypto.
- Research the domain of the link or the email address sender before clicking on any links in your email message. Even this can be a malware infection attempt of some sort.
- Always keep the OS with your wallet on it up-to-date with the latest security patches.
- Antivirus software should be used if your wallet is running on Windows.
- Ensure that AutoPlay or any kind of "opening applications on USB/DVD insert" is switched off. This is a massive security risk.
- Make sure you have a firewall running and that it's blocking all inbound connections.
- Do not store your wallet on any removable media/device that you frequently carry around with you, to prevent theft. Even if you use it on TailsOS, this isn't something you want to carry with you.
- Monitor the processes running on your system and make sure you are familiar to every process name, its location, and what it does.
- Use a clipboard monitor such as Sysmon (12.0+) and regularly track the text that is being written to the clipboard.
- Use Google Enhanced Safe Browsing, uBlock Origin, DNS server's like 1.1.1.1 or those provided by VPNs such as Proton, or similar software/extensions/features that block malicious and phishing domains from your browser.
- Note the IP address of Electrum.org, and make sure that visits to the website match this IP address.
- To detect keyloggers, use an anti-virus or set up Process Monitor, start it, type some keys and then stop it and analyze the events.
- Periodically inspect all shortcuts to Electrum programs to make sure they aren't bugged.
- Check Electrum program files to make sure they haven't been tampered with after the date you installed/updated it.

Verifying Electrum integrity

- Use these methods of installing Electrum, in order of decreasing preference:

Python source tarballs
Python PIP packages
Prebuilt binaries eg. AppImage, EXE, DMG
Any kind of portable Electrum binary

The reason why portable binaries are the least preferred is that if you make a shortcut to them, it is very easy to place a malicious binary in a similar-looking place, and most likely you wouldn't notice it.

- Of course, you must ALWAYS VERIFY THE AUTHENTICITY OF ALL ELECTRUM PACKAGES THAT YOU DOWNLOAD. this thread is a good start.

- Use a diceware password for guarding Electrum wallet access. Diceware passwords are multi-word strings of words taken from a dictionary similar to BIP39, but is 10x more secure than using a regular password. It is best to use at least 8 or even 12 words and memorize them - using screen readers to hammer the words in your head is a good start. Once you set a diceware password, you don't have to change it unless it has been compromised as it provides no security benefit in doing so. Ignore this advice at your own risk!
- If you have a strong password, you don't need 2FA protection, especially not the one that's bundled with Electrum.
- Do not write your password down on paper even if you cannot remember it. That is counter-intuitive and can result in your wallet getting hacked physically.
- Only seed phrases should be written on paper and stored in a secure location.
- Do not use advanced features like custom wordlist, BIP39 password, custom derivation path, Shamir's secret sharing, etc for your seed phrase. All of these are easy to screw up and will destroy your seed phrase copy as they can't possibly be remembered.
- Create a "sentinel" wallet without a password or with an easy password and load it with $5-$10. And always open this wallet first before opening your main wallet so that a possible compromise can not wipe you out.
- Do not use the "Export wallet" feature for any reason, you can just copy the wallet from the AppData or local folder. Older versions do not encrypt the exported wallet. Same goes with exporting private keys - do not do it at all.
- Do not use the Console feature at all. You are running a wallet not a Jupyter notebook.
- Don't open a Lightning channel unless you have a watchtower running 24/7, or you might lose channel funds to inactivity.
- Don't click on update dialogs from Electrum, instead navigate to Electrum.org manually.
- Double check that addresses are fully correct before sending money to them.

OpSec (user integrity)

- Do not tell people how much funds you have for no good reason. Especially do not write it on the public internet.
- Do not flaunt your wealth or brag about how much money you have on social media, or you could get robbed by criminal enterprisers and $5 wrenches.
- Do not piss tons of people off with decisions that could potentially impact thousands of users (particularly if you provide some internet software or service). Disgruntled people will make an example out of you - Luke-jr was a victim of this. For a more recent example (or at least an attempt of doing one), look up "Reddit API hackers" on Google.
Do not store any wallet passwords or seed phrases inside password managers, even if they are encrypted and the software is open-source. All it takes is one flaw, vulnerability, or backdoor to undermine the security.
- Make sure all of your passwords are unique and strong so you don't become a victim of extortion.
- Similarly, use disposable emails whenever possible such as SimpleLogin, to avoid getting phishes and threats in the first place. And if you do get those, simply create a new alias and discard the original address.
- Use HaveIBeenPwned to see if your email address has been caught in a data breach.
- Don't keep large sums of money on a software wallet. Use a reliable hardware wallet for cold storage.


Global Mods / admins - please sticky this thread.

[Not your key not your BTC]

Even if your Electrum is genuine, if your OS is compromised then it's game over. So these measures can help you control the software running on your computer.

is it unsafe if I used Windows 7?

[BitMaxz]

is it unsafe if I used Windows 7?

Yes because the security patch of Windows 7 is outdated and ended support by Microsoft 3 years ago and Electrum's latest version no longer supports Windows 7 since the release of version 4.2.0.
It's not safe if you stay using Windows 7 so to ensure you are safe use the latest Electrum and better upgrade to Windows 10 and follow all suggestions from the OP.

[DireWolfM14]

is it unsafe if I used Windows 7?

Yes.  Irrespective of using it with old versions of Electrum, unsupported OSs are risky for all kinds of reasons.  The web browser your using is likely not supported anymore, and you're likely using it to log into your bank account, right?  As long as you're careful you're probably safe, but the risk is still there.

Microsoft still allows you upgrade to win10 or win11 with your win7 key, although it is technically a violation of their terms of use.

[NotATether]

Even if your Electrum is genuine, if your OS is compromised then it's game over. So these measures can help you control the software running on your computer.

is it unsafe if I used Windows 7?

If Windows 7 supported newer versions of Electrum, then my answer would've been: only if you use it as an offline, airgapped (never connected to the internet) wallet.

However, now that Electrum does not support Windows 7, you should not be using this operating system to store your wallet as there may be unpatched security vulnerabilities inside old versions of Electrum in the future.

[Not your key not your BTC]

I just use cracked windows 7 for long time, i don't know how it safe. I can't upgrade to windows 10 too, What can i do?

[The Sceptical Chymist]

- Don't keep large sums of money on a software wallet. Use a reliable hardware wallet for cold storage.

Christ, this thread makes me want to break down in tears until I'm a snotty-nosed quivering mess.  You just made me more paranoid, because it takes some technical knowledge to follow your suggestions and, as I've said a million times before, using bitcoin for me is like driving a car with little understanding of what's under the hood and I lack the skills to get said car roadworthy again in case of a breakdown. 

What's this about the autoplay function being a big risk?  I run Windows but I'm not sure if I have that activated or not.  I'll check after I post this, but it isn't clear to me what the danger is.

In any case, I very much appreciate the suggestions, NotATether.  The only other software wallet I like is Sparrow, but I much prefer Electrum.

[20kevin20]

What's this about the autoplay function being a big risk?  I run Windows but I'm not sure if I have that activated or not.  I'll check after I post this, but it isn't clear to me what the danger is.

When you insert an USB drive, you’re asked if you’d like Windows to open the folder for you or do other actions. If you insert an install disc now, you’ll find out there’s also the option for Windows to AutoPlay the disc which basically makes Windows execute a .exe. If the disc has music on it and you choose Windows should automatically play the disc, it’ll launch those files by itself. But you also have the checkmark under the launch options in case you’d like Windows to do the same thing every time (e.g. you want Windows to automatically open the folder showing contents of a USB drive every single time you insert one). Now I guess you get why it’s a risk

[NotATether]

What's this about the autoplay function being a big risk?  I run Windows but I'm not sure if I have that activated or not.  I'll check after I post this, but it isn't clear to me what the danger is.

When you insert an USB drive, you’re asked if you’d like Windows to open the folder for you or do other actions. If you insert an install disc now, you’ll find out there’s also the option for Windows to AutoPlay the disc which basically makes Windows execute a .exe. If the disc has music on it and you choose Windows should automatically play the disc, it’ll launch those files by itself. But you also have the checkmark under the launch options in case you’d like Windows to do the same thing every time (e.g. you want Windows to automatically open the folder showing contents of a USB drive when you insert one). Now I guess you get why it’s a risk

Back in the day, it was also a really popular vector for infecting computers with malware. You'd receive a sketchy USB stick or find it somewhere on the ground, and then insert it into your PC, and *bam* you're compromised. Sometimes you might even accidentally infect your USB by sticking it into some infected work computer somewhere and plugging it inside somewhere else. And the malicious files are using OS properties to "hide" themselves.

The only reason this is falling out of favor is because most people are using mobile devices now (which do not support Autoplay).

[DireWolfM14]

I just use cracked windows 7 for long time, i don't know how it safe. I can't upgrade to windows 10 too, What can i do?

If your hardware is limiting you from using Win10, then you're better off switching to a Linux distribution.  Linux Mint is a good gateway OS for Windows users to get their feet wet in the Linux pool.  It's basically Debian with the Cinnamon desktop environment and a bunch of tweaks that make the OS behave a lot like Windows.

- Don't keep large sums of money on a software wallet. Use a reliable hardware wallet for cold storage.

Christ, this thread makes me want to break down in tears until I'm a snotty-nosed quivering mess.  You just made me more paranoid, because it takes some technical knowledge to follow your suggestions and, as I've said a million times before, using bitcoin for me is like driving a car with little understanding of what's under the hood and I lack the skills to get said car roadworthy again in case of a breakdown.

Hardware wallets are not that difficult to use, the learning curve is about 10 minutes.  Pick one that's open source and supports the coins you collect.

What's this about the autoplay function being a big risk?  I run Windows but I'm not sure if I have that activated or not.  I'll check after I post this, but it isn't clear to me what the danger is.

The danger was far more significant in the olden days of Windows, like XP and before.  Remember when you would insert a CD or DVD into your drive reader, and the OS would automatically start the application?  On Win10 or Win11 that sort of thing now requires user confirmation with a couple of clicks.  The risk is still there, but significantly reduced.

In any case, I very much appreciate the suggestions, NotATether.  The only other software wallet I like is Sparrow, but I much prefer Electrum.

This thread might be better off in the "Wallet Software" sub-board since these safety measures really apply to any software wallet, not just Electrum.

[o_e_l_e_o]

I disagree with a few of your points.

- Do not write your password down on paper even if you cannot remember it. That is counter-intuitive and can result in your wallet getting hacked physically.

If you cannot write it down and cannot remember it, then what? No password at all? That's even worse. I have no problem with people writing down long and complex passwords - the key is to store that password safely. If you can store a seed phrase on paper, storing a password on paper is less risky, since the seed phrase is enough to compromise your coins on its own whereas with the password an attacker also needs access to your computer.

- Do not use advanced features like custom wordlist, BIP39 password, custom derivation path, Shamir's secret sharing, etc for your seed phrase. All of these are easy to screw up and will destroy your seed phrase copy as they can't possibly be remembered.

I assume by BIP39 password you mean extending your seed phrase with a passphrase. I would suggest everyone uses this. It is a fantastic tool. Write it down on paper separately to your seed phrase and back it up securely in a separate location to your seed phrase. It provides another layer of safety should your seed phrase be compromised, and provides you with plausible deniability in the event of a physical attack. Even better to use multiple passphrase if you can, as well as helping you keep coins from different sources entirely segregated and therefore better for your privacy too.

[NotATether]

I disagree with a few of your points.

The guide was written with newbies in mind, so naturally, advanced users will disagree with some of the things.

- Do not write your password down on paper even if you cannot remember it. That is counter-intuitive and can result in your wallet getting hacked physically.

If you cannot write it down and cannot remember it, then what? No password at all? That's even worse. I have no problem with people writing down long and complex passwords - the key is to store that password safely. If you can store a seed phrase on paper, storing a password on paper is less risky, since the seed phrase is enough to compromise your coins on its own whereas with the password an attacker also needs access to your computer.

You gotta be able to remember your password, otherwise if you have to write it down and you get physically robbed, you're going to be SOL as bitcoin transactions are not reversable after the 1st confirmation.

The US military has a language program where students learn thousands of foreign-language words under intense conditions for 2-3 years. Memorizing 12 English words in a particular sequence should not be that difficult by comparison. Regular passwords on the other hand, the truly random ones with numbers and symbols, cannot be memorized at all. Especially once we get to 20+ characters.

- Do not use advanced features like custom wordlist, BIP39 password, custom derivation path, Shamir's secret sharing, etc for your seed phrase. All of these are easy to screw up and will destroy your seed phrase copy as they can't possibly be remembered.

I assume by BIP39 password you mean extending your seed phrase with a passphrase. I would suggest everyone uses this. It is a fantastic tool. Write it down on paper separately to your seed phrase and back it up securely in a separate location to your seed phrase. It provides another layer of safety should your seed phrase be compromised, and provides you with plausible deniability in the event of a physical attack. Even better to use multiple passphrase if you can, as well as helping you keep coins from different sources entirely segregated and therefore better for your privacy too.

It's also a foot gun (re: c++ jokes).

Yes if you know how to use these features, nothing bad will happen. It's like the about:config in Firefox or the Windows Registry. But imagine telling a new bitcoiners about BIP39 passphrase. When you combine that with the fact that not all wallets support it (and those that do place it in very different GUIs and screens), it's easy to see how someone can accidentally mess up.

I myself just deal with 12/24 word BIP39 seeds using whatever default derivation path is given to me by the wallet software, and I make a note of that in my head.

[o_e_l_e_o]

You gotta be able to remember your password, otherwise if you have to write it down and you get physically robbed, you're going to be SOL as bitcoin transactions are not reversable after the 1st confirmation.

The same is true of seed phrases, and yet we all write those down. Just ensure it is stored somewhere securely.

Memorizing 12 English words in a particular sequence should not be that difficult by comparison. Regular passwords on the other hand, the truly random ones with numbers and symbols, cannot be memorized at all. Especially once we get to 20+ characters.

They definitely can by coming up with some memory system, but that doesn't mean anybody should. You shouldn't rely on your memory for anything really sensitive, be that seed phrases or long and complex passwords/passphrases.

Yes if you know how to use these features, nothing bad will happen. It's like the about:config in Firefox or the Windows Registry. But imagine telling a new bitcoiners about BIP39 passphrase. When you combine that with the fact that not all wallets support it (and those that do place it in very different GUIs and screens), it's easy to see how someone can accidentally mess up.

That's a fair point, but making a blanket statement of "do not use passphrases" is not helpful, I think. Rather you should avoid them initially but spend some time learning about how they work to make you confident to use them one day.

[The Sceptical Chymist]

What's this about the autoplay function being a big risk?  I run Windows but I'm not sure if I have that activated or not.  I'll check after I post this, but it isn't clear to me what the danger is.

When you insert an USB drive, you’re asked if you’d like Windows to open the folder for you or do other actions.
<snip>
Now I guess you get why it’s a risk

Wait a sec, I think I need an explanation geared toward a 5-year old child.  I know what the autoplay thing is on Windows, because on my previous PC that had a DVD drive I kept it on so I wouldn't have to be hassled with having to choose to play a DVD each time I put one in.  Is enabling it dangerous in and of itself, or is it just a vector for malware as NotATether described? 

If your hardware is limiting you from using Win10, then you're better off switching to a Linux distribution.

Not sure what you mean by my hardware limiting me from using W10, but the suggestion of using Linux is an excellent one.  The problem is that I'm an absolute retard when it comes to learning new things in the realm of coding, which Linux does require you to do a little bit of if you want to use it like a boss (just like knowing command line *stuff* in Powershell, which I also haven't grasped fully).  I have fooled around with Raspberry Pi's and also tried making a PC with a Linux distro, but I freakin' got stuck at the installation stage, threw up my hands in frustration, and subsequently sobbed silently and alone in a corner until my house cats became concerned.

What appeals to me about Linux primarily is that you're not being exploited by Microsoft and, as highlighted very nicely by Ledger, you just never know what's in those goddamn updates.

[DireWolfM14]

If your hardware is limiting you from using Win10, then you're better off switching to a Linux distribution.

Not sure what you mean by my hardware limiting me from using W10, but the suggestion of using Linux is an excellent one.

That was in response to another member, but to explain; by "hardware" I'm referring to the computer in question, and it's construction.  Old computers or those with low processing power and low amounts of RAM often won't meet the minimum requirements for newer Windows distributions.  Most Linux distros don't need a very powerful computer to run properly, so Linux can be great for keeping otherwise obsolete computers in working order.

[LoyceV]

You just made me more paranoid

That's a good thing

using bitcoin for me is like driving a car with little understanding of what's under the hood and I lack the skills to get said car roadworthy again in case of a breakdown.

But you know how to drive it, you know you have to lock it, and you know parking in a bad neighbourhood is risky. And you also know that's still no guarantee it won't get stolen.
Financial freedom comes at a price.

- Don't keep large sums of money on a software wallet.

So, basically, to use Electrum safely, you shouldn't use it for much. After reading the title, I was expecting a topic about offline usage after closing the curtains and running from RAM.

[20kevin20]

Wait a sec, I think I need an explanation geared toward a 5-year old child.  I know what the autoplay thing is on Windows, because on my previous PC that had a DVD drive I kept it on so I wouldn't have to be hassled with having to choose to play a DVD each time I put one in.  Is enabling it dangerous in and of itself, or is it just a vector for malware as NotATether described?  

Warning before you read my message: there’s a good chance I didn’t understand what you meant lol

I think it’s pretty much just about it being a vector for malware. Since it’s autorunning by itself, I think it’s pretty unsafe when inserting USB drives and CDs or DVDs in case the inserted device is infected. I guess autorun/autoplay isn’t dangerous on its own, but combined with an infected drive you’re basically gonna accept possible malware with open arms lol

[PawGo]

is it unsafe if I used Windows 7?

Yes because the security patch of Windows 7 is outdated and ended support by Microsoft 3 years ago and Electrum's latest version no longer supports Windows 7 since the release of version 4.2.0.

That's a good point. There is a similar problem with smartphones, especially android ones, where we have many producers and many OS versions, distributed by phone producer. Sooner or later they stop publishing a new OS updates, then users should think twice if still want to use banking app etc. on not-updated phone.

[o_e_l_e_o]

Is enabling it dangerous in and of itself, or is it just a vector for malware as NotATether described?

No, having it enabled is not intrinsically dangerous. The risk comes by allowing any external media such as DVDs or USBs to automatically execute whatever software happens to be on said media. If it's a DVD you burned yourself of some home movies, then no harm done. It it's a USB drive you just received from a friend or colleague, then you actually have no idea what is lurking on it and if their devices were free from malware when using the USB drive previously.

The problem is that I'm an absolute retard when it comes to learning new things in the realm of coding, which Linux does require you to do a little bit of if you want to use it like a boss (just like knowing command line *stuff* in Powershell, which I also haven't grasped fully).

I would +1 to DireWolfM14's suggestion above of Linux Mint. It is as simple to set up as you can get, and has a very "Windows" feel to the GUI, making the transition much easier. There are pretty comprehensive guides available as well: https://linuxmint-installation-guide.readthedocs.io/en/latest/

[dkbit98]

I think it’s pretty much just about it being a vector for malware. Since it’s autorunning by itself, I think it’s pretty unsafe when inserting USB drives and CDs or DVDs in case the inserted device is infected. I guess autorun/autoplay isn’t dangerous on its own, but combined with an infected drive you’re basically gonna accept possible malware with open arms lol

You can disable autoplay easily in settings, but USB are usually much worse than CDs because you can easily add more stuff there and modify it.
Biggest problem I have with USB drives is that they can go crazy with no specific reason and make all data unusable.

That's a good point. There is a similar problem with smartphones, especially android ones, where we have many producers and many OS versions, distributed by phone producer. Sooner or later they stop publishing a new OS updates, then users should think twice if still want to use banking app etc. on not-updated phone.

I am not a fan of iPhones but they have longest support from all smartphones, and for Android devices Samsung and Pixels are one of the best with longest support.
Everything else is trash and I would not waste money on this devices, but maybe they can be used as alternative offline wallets for bitcoin (if done correctly).

I would +1 to DireWolfM14's suggestion above of Linux Mint. It is as simple to set up as you can get, and has a very "Windows" feel to the GUI, making the transition much easier. There are pretty comprehensive guides available as well: https://linuxmint-installation-guide.readthedocs.io/en/latest/

I don't like that Mint is based on Ubuntu, so Debian version is a bit better, but Fedora is much better in recent years and it's supper easy to install and use it.