BTC Paper Wallet Recovery

[PomskyFluff]

Hi everyone, sorry to revisit this old post but I wanted to ask for your expert opinions on whether my newly created paper wallet is safe to use. I've carried out the following steps:

1) Saved https://www.bitaddress.org/ as a html file and saved it to a freshly formatted USB stick
2) I have a PC with freshly installed version of Windows 10 - the PC has no Internet connection.
3) Opened the html file on the non-Internet PC and created the wallets.
4) Closed html file and deleted it from the USB stick.
5) Wallets saved on the USB stick and removed from PC
6) The laptop will never connect to the Internet.

For step 3, is it better to use the passphrase setting rather than the randomizer?

I'd appreciate your thoughts.

Thank you

Thanks everyone. As much as it pains me, I will walk away from this and put it down to a very expensive experience.

What about bitaddress.org as a paper wallet generator. This time, of course, I will generate the wallet offline. Is this still asking for trouble or should I stick to hardware like ledger?

Yes, Bitaddress is good. It's probably best to do it offline and with a LiveCD. You should also sure to download the source code from the official GitHub repository:

https://github.com/pointbiz/bitaddress.org

Stay away from any other generators. In addition to the one you lost the funds to, BitcoinPaperWallet is also a known scam:

https://www.coindesk.com/tech/2021/02/24/bitcoinpaperwallet-back-door-responsible-for-millions-in-missing-funds-research-suggests/

[PomskyFluff]

Thank you for your advice and thoughts. I will certainly be more careful in future.

First off, why would you use a flimsy site such as that to store your most precious asset? That was a little negligent of you dude. But let's save the reprimands for later.

I don't think there's a good way for you to even get your coins back, from the moment you generated that wallet you already relinquished any form of privacy that you may have over your crypto wallet. What's yours is theirs basically. Would've been really nice too if you asked the forum first before you actually dipped your toes into this ordeal. look into this article too though and see if this could enlighten you on how crypto scams work legally so you could discern if you could file a formal complaint or even sue them. Can You Recover Stolen Bitcoin From Crypto Scams?, but if I were you, I wouldn't get my hopes up. Let this be your first pricey lesson not to trust anyone on the internet with anything you own.

[OmegaStarScream]

Hi everyone, sorry to revisit this old post but I wanted to ask for your expert opinions on whether my newly created paper wallet is safe to use. I've carried out the following steps:

1) Saved https://www.bitaddress.org/ as a html file and saved it to a freshly formatted USB stick
2) I have a PC with freshly installed version of Windows 10 - the PC has no Internet connection.
3) Opened the html file on the non-Internet PC and created the wallets.
4) Closed html file and deleted it from the USB stick.
5) Wallets saved on the USB stick and removed from PC
6) The laptop will never connect to the Internet.

For step 3, is it better to use the passphrase setting rather than the randomizer?

I'd appreciate your thoughts.

Thank you

1. You should've downloaded the source directly from GitHub.
2. I guess that works, but a liveCD with Linux would've been better probably.
3..6. Sounds good.


Are you talking about the characters you're asked to type when moving the mouse?
Or about the BIP38 (to encrypt the private keys)?

If the latter, then as far as I know, these two go hand in hand. You can't create and encrypt your wallet unless you go through the "randomness" process.
And yes, it's better to encrypt your wallet, that way if someone find a printed version of it, or gain access to the USB stick, they won't be able to move the funds unless they have your passphrase.

[PomskyFluff]

Thank you OmegaStarScream, I appreciate your reply.

I looked at https://github.com/pointbiz/bitaddress.org but the dates of the files were quite old and that put me off using it - was  I wrong? I have no issue creating new wallets, I'd rather them be created as securely as possible in the first than coming back later down the line.

Hi everyone, sorry to revisit this old post but I wanted to ask for your expert opinions on whether my newly created paper wallet is safe to use. I've carried out the following steps:

1) Saved https://www.bitaddress.org/ as a html file and saved it to a freshly formatted USB stick
2) I have a PC with freshly installed version of Windows 10 - the PC has no Internet connection.
3) Opened the html file on the non-Internet PC and created the wallets.
4) Closed html file and deleted it from the USB stick.
5) Wallets saved on the USB stick and removed from PC
6) The laptop will never connect to the Internet.

For step 3, is it better to use the passphrase setting rather than the randomizer?

I'd appreciate your thoughts.

Thank you

1. You should've downloaded the source directly from GitHub.
2. I guess that works, but a liveCD with Linux would've been better probably.
3..6. Sounds good.


Are you talking about the characters you're asked to type when moving the mouse?
Or about the BIP38 (to encrypt the private keys)?

If the latter, then as far as I know, these two go hand in hand. You can't create and encrypt your wallet unless you go through the "randomness" process.
And yes, it's better to encrypt your wallet, that way if someone find a printed version of it, or gain access to the USB stick, they won't be able to move the funds unless they have your passphrase.

[o_e_l_e_o]

1) Saved https://www.bitaddress.org/ as a html file and saved it to a freshly formatted USB stick

JavaScript key generators are not secure, and there have been a number of vulnerabilities and poor implementations which have resulted in wide spread losses. You should substitute using a JavaScript based website for a piece of good open source wallet software which uses properly secured random number generation, such as Bitcoin Core, Electrum, or Sparrow.

2) I have a PC with freshly installed version of Windows 10 - the PC has no Internet connection.

Use Linux instead.

3) Opened the html file on the non-Internet PC and created the wallets.

Once you've downloaded the wallet software you are going to use, you need to verify it against the developer's signatures before transferring it to your airgappd computer.

[Cricktor]

And yes, it's better to encrypt your wallet, that way if someone find a printed version of it, or gain access to the USB stick, they won't be able to move the funds unless they have your passphrase.

If you encrypt your private key of your paper wallet by BIP38 it is obviously very important to properly document your encryption passphrase on redundant offline media which needs to be stored safely and separately from your paper wallet. Failing to do so or trying to rely on human memory will quite certainly leed to a loss in the future.

It should be obvious that such an encryption passphrase should never touch any online digital device!

I looked at https://github.com/pointbiz/bitaddress.org but the dates of the files were quite old and that put me off using it - was  I wrong? I have no issue creating new wallets, I'd rather them be created as securely as possible in the first than coming back later down the line.

The code of bitaddress.org is pretty well checked and tested, so it doesn't need to be updated like crazy as e.g. browser code desperately needs to be. You also already trusted the page code of bitaddress.org and idealy it should be the same as what you download from the Github repo. The difference is that you can verify the authenticity of the page code from Github!

To generate safe paper wallets any involved software pieces need to be verified for authenticity! The computer environment used needs to be safe (boot a Live Linux that runs solely in RAM best) and offline and after creation, printing^{offline non-saving printer!}/saving your paper wallet(s) the computer working environment has to be erased/formatted (easiest with a Live Linux that only runs in RAM as after a shutdown no traces of your working environment are left behind).

If you save a digital copy of your paper wallet on some removable storage media (if any then redundant copies recommended), those digital copies should never touch an online digital device (temporarily offline doesn't provide safety).

The CSPRNG used by Javascript might have implementation flaws and is dependant of the underlying Javascript engine of the browser. As o_e_l_e_o pointed out, if you're looking for better security (i.e. randomness of your paper wallet's private key) let well known and established wallets like Bitcoin Core, Electrum or Sparrow generate your paper wallet's private key(s). They all use very likely safer CSPRNG implementations than Javascript.