How safe is an Encrypted Bitcoin core wallet with a strong password?

[Muhammed Zakir]

I think always using on screen keyboard will make it very safe from keyloggers

I only use on screen keyboard for simple purposes. How can you type everything in on screen keyboard? or Are you telling that you type passwords and other sensitive datas with on screen keyboard?
Kindly,
         MZ

[RedDiamond]

I think always using on screen keyboard will make it very safe from keyloggers

Screen keyboard gives you protection against physical keyloggers like this: http://www.amazon.com/Keyllama-4MB-USB-Value-Keylogger/dp/B004ZGXU48. However there exist also keylogger software which can capture also screen keyboard.

[tsoPANos]

There is no way to be safe from keyloggers.
Of course you can take some measures to limit the possibility of lousing your coins.

Use on-screen keyboard, to type your password, or even use a key scrambling software.
That makes it impossible for most keyloggers to record your keystrokes.
Sadly, more sophisticated hacking tools allows to get past the key scrambling and even record
 your screen and send screenshots the the hacker.
But, when talking about bitcoin, smart hacking tools DON'T EVEN NEED YOUR PASSWORD!
They just need your private keys to steal your money.
When your wallet program prompts you to enter password, it does because it needs to decrypt your wallet
to do something.(Like spend some coins)
When you do this, the wallet gets unencrypted for a very small period of time
which is enough for hackers to dump your private keys.
They can also read them from memory.
The best way to protect your coins is to NOT GET INFECTED
Just don't install crapware!

Using strong passwords only protects from brute-forcing.

End of story.

[Muhammed Zakir]

Find a simple guide but useful : http://www.vistatalks.net/2009/11/3-simple-tricks-to-prevent-keylogger-from-stealing-your-password/

edit : Search 'prevent keyloggers from grabbing your passwords' in google to get many tips and tricks.

Kindly,
      MZ

[shorena]

I would partially disagree.
They have the password (to something) as you said, but they did not get the wallet.dat
So you have essentially protected the wallet.dat, Have you not ?

Why not install VirtualBox on the Windows PC. Then use a virtualized Ubuntu installation when you need to access your wallet?

Because it gives you complexity not security. If the host system is infected any virtualisation as protection is useless. While you might be able to fool very simple malware that just searches for the wallet.dat with this, it will not help you against a keylogger. If you type in a password in the VM ware it is still piped through the host OS.

Yes, I would argue against that however that simple malware is not something you need to be concerned about. Most malware today is no longer written by borred, talented teens, but by professionals. Modern malware C&C Servers even have support build in [4]. Thus a search for running VM Ware is routine

You can easily rename the file type to something else like .wkshw and rename it back to .dat when you needs it. They most probably won't spend time to search for a file type like this.

Which -again- only protects you against simple malware. It is not much more difficult to seach the fileheaders instead of the file ending.

I think always using on screen keyboard will make it very safe from keyloggers

Nope, to be safe from keyloggers use something like keepas [1] which is designed to protect against keyloggers. A screenkeyboard is easily detected and taking a screenshot for each click is something e.g. Zeus [2] does if you want. AFAIK Zeus isnt even the latest shit [3] out there.

Find a simple guide but useful : http://www.vistatalks.net/2009/11/3-simple-tricks-to-prevent-keylogger-from-stealing-your-password/

edit : Search 'prevent keyloggers from grabbing your passwords' in google to get many tips and tricks.

Kindly,
      MZ

"use a portable browser" might be usefull, however what is preventing the malicious internet cafe operator to make a copy of all of your data? There might be more interesting stuff. Public computers are not safe.

-snip-
But, when talking about bitcoin, smart hacking tools DON'T EVEN NEED YOUR PASSWORD!
They just need your private keys to steal your money.

Yep.

-snip-
The best way to protect your coins is to NOT GET INFECTED
Just don't install crapware!

"Common sense" is probably the best (sometimes the only) line of defense against malware. Well a secure OS is helping as well.


[1] http://keepass.info/help/base/security.html#secdesktop
[2] https://en.wikipedia.org/wiki/Zeus_%28Trojan_horse%29
[3] https://en.wikipedia.org/wiki/Operation_Tovar
[4] AFAIK it was mentioned here https://www.youtube.com/watch?v=GA7S0JK8o_k - didnt check, its been a while since I lasted watched that talk. Watch it. It will make you think different about todays malware.

[RedDiamond]

Nope, to be safe from keyloggers use something like keepas [1] which is designed to protect against keyloggers.

If malware hits even KeePass can not protetect you. Quoted from KeePass webpage: "For example, consider the following very simple spyware specialized for KeePass: an application that waits for KeePass to be started, then hides the started application and imitates KeePass itself. All interactions (like entering a password for decrypting the configuration, etc.) can be simulated. "

"use a portable browser" might be usefull, however what is preventing the malicious internet cafe operator to make a copy of all of your data? There might be more interesting stuff. Public computers are not safe.

Again, if the computer is infected, the portable browser offers no protection.

One possible solution is boot computer from live linux cd when sensitive data need to be accessed.

[RedDiamond]

It is also posssible that malware infects your machine’s BIOS. If it happpens then you are in big, big trouble.

[shorena]

Nope, to be safe from keyloggers use something like keepas [1] which is designed to protect against keyloggers.

If malware hits even KeePass can not protetect you. Quoted from KeePass webpage: "For example, consider the following very simple spyware specialized for KeePass: an application that waits for KeePass to be started, then hides the started application and imitates KeePass itself. All interactions (like entering a password for decrypting the configuration, etc.) can be simulated. "

Ah yes, didnt think of that. So only a secure OS can.

"use a portable browser" might be usefull, however what is preventing the malicious internet cafe operator to make a copy of all of your data? There might be more interesting stuff. Public computers are not safe.

Again, if the computer is infected, the portable browser offers no protection.
-snip-

Yep that was what I wrote, the 3 tipps behind the link where pretty much useless.

It is also posssible that malware infects your machine’s BIOS. If it happpens then you are in big, big trouble.

Hardware trojans and not even your secure OS can help you. BadBIOS is the one that comes to mind.

[cuddaloreappu]

Nope, to be safe from keyloggers use something like keepas [1] which is designed to protect against keyloggers.

If malware hits even KeePass can not protetect you. Quoted from KeePass webpage: "For example, consider the following very simple spyware specialized for KeePass: an application that waits for KeePass to be started, then hides the started application and imitates KeePass itself. All interactions (like entering a password for decrypting the configuration, etc.) can be simulated. "

Ah yes, didnt think of that. So only a secure OS can.

"use a portable browser" might be usefull, however what is preventing the malicious internet cafe operator to make a copy of all of your data? There might be more interesting stuff. Public computers are not safe.

Again, if the computer is infected, the portable browser offers no protection.
-snip-

Yep that was what I wrote, the 3 tipps behind the link where pretty much useless.

It is also posssible that malware infects your machine’s BIOS. If it happpens then you are in big, big trouble.

Hardware trojans and not even your secure OS can help you. BadBIOS is the one that comes to mind.

If the NSA spends all its resources for a whole week to crack our wallet, nobody can save us..

So please try to discuss what is common, how can a mainstream man protect his wallet?
i am sure these sophisticated trojans wont bother this common man

[RedDiamond]

i am sure these sophisticated trojans wont bother this common man

How can you be so sure?

For example even if I do not use twitter much I got some time ago this tweet claiming "US government trying to shutdown the bitcoin network.": http://www.thewhir.com/web-hosting-news/tweet-claims-us-government-wants-ban-bitcoin-actually-spreading-malware

Did not open the “video” however  

[shorena]

-snip-

If the NSA spends all its resources for a whole week to crack our wallet, nobody can save us..

So please try to discuss what is common, how can a mainstream man protect his wallet?
i am sure these sophisticated trojans wont bother this common man

If the NSA spend all their resources for a whole week to crack your wallet, theyd still be cracking. A properly secured wallet can not be bruteforced, not even by the NSA. They have slightly different ways however:



from: https://xkcd.com/538/ ofc

Zeus is what is (or was, there is better stuff now) after you and your bank accounts. 95% of the worlds mail came from botnets for a while. IIRC its less now, but that should give you an estimate what you are up against. The rest that your anti virus scanner detects is just the crap from last year or something a borred teen put together.