Bitcoin Forum
December 13, 2024, 03:31:53 PM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1]
  Print  
Author Topic: An exercise in security: Best practices for the naïve end user?  (Read 1296 times)
elux (OP)
Legendary
*
Offline Offline

Activity: 1458
Merit: 1006



View Profile
May 18, 2012, 03:50:44 PM
 #1

So Bitcoinica got rooted and robbed. In expectation of the announced mass leak, I've got an exercise for you ninjas.

Assume for a minute that:

  • My name is Joe Average. Hello.
  • I love my Bitcoins. I have a good number of them for some reason.
  • I'm completely naïve when it comes to securing my accounts.
  • I'm of reasonable intelligence and able to carry out simple instructions.
  • I prefer to use the login javerage across all services, and I like the password JoeBitcoin123.
  • I have an account with every major money-handling merchant, service and exchange.

What steps should I follow to manage my credentials in a more safe, more sane manner?

Securing the wallet is already covered, so we can assume that my Bitcoin Retirement Fund is stored on a stick in some secure vault.

Consequently, I'm mostly concerned with risks involving the compromise of 3rd party services.

Some sub-problems:

  • How do I produce sufficiently strong passwords for each account?
  • How do I store and retrieve tens of strong passwords safely?
  • How do I keep track of logins, passwords, email addresses, and other account data
    across tens of services over several years, for use by many devices?
  • What precautions should I take when sites get compromised, when account data gets leaked?
  • How do I stop myself from eventually being lazy, eventually getting robbed?

How do you stay safe? Smiley
Realpra
Hero Member
*****
Offline Offline

Activity: 815
Merit: 1000


View Profile
May 18, 2012, 03:56:33 PM
 #2

I have a "safe password" (two actually) and one I use for everything.

safe one(s) used for email, paypal and bitcoin.

BTC wallet in the cloud has been secured with two passwords (safe/unsafe both), on disk is always encrypted with one (the safe one).

Cheap and sexy Bitcoin card/hardware wallet, buy here:
http://BlochsTech.com
Serge
Legendary
*
Offline Offline

Activity: 1050
Merit: 1000


View Profile
May 18, 2012, 04:01:16 PM
 #3

use a password manager, something like KeePass, it's available to all common OS' including smartphones
password manager will also help you choose strong passwords
don't use same password at multiple locations
additionally same password manager will help you keep safe other associated credentials, notes, etc
keep a backup of its database
apetersson
Hero Member
*****
Offline Offline

Activity: 668
Merit: 501



View Profile
May 18, 2012, 04:06:59 PM
 #4

i used the "multi-tier" password strategy as well before entering bitcoin, and thought it is reasonably secure.

when i saw what was going on in bitcoin i abandoned this idea, because really, you cannot trust anyone to keep your data safe, even if they have the best intentions.

today i have a totally seperate password for each service. i write them down on a non-network connected device which uses a software to encrypt my passwords.
i do not remember most of my passwords, but i use password reset quite often Smiley

for quite powerful passwords you could use http://www.passwordcard.org
Agent Provocateur
Full Member
***
Offline Offline

Activity: 198
Merit: 100


View Profile
May 18, 2012, 05:33:00 PM
 #5

I'm creating a new pw with min. 13 chars for every service or task & store 'em in a pwcontainer on an old iPaq, which is never data-connected to whatever. In case of iPaq failure pws are written down and stored safely.

Besides pwsecurity for the average user I'm more interested in something I've read on this forum: the RPC-attack on bitcoinqt. I've read the attack can be avoided through setting up a propper bitcoin.conf in the /appdata, with: RPC user & pw set, allowing only trusted nodes, disallowing irc-connection, localhost's rpcs allowed only,...too much for the average user.
Neither a bitcoin.conf with a minimum of security settings is created when installing the client nor can I identify trusted nodes. Where to find a list of trusted nodes and how can I be sure they're safe?
Maybe such a standard-bitcoin.conf is surcharged or this is just a minor issue, but I thought it should me mentioned when talking about security-standards to the average user.
mav
Full Member
***
Offline Offline

Activity: 169
Merit: 107


View Profile
May 19, 2012, 12:03:38 AM
 #6

I highly recommend http://passwordmaker.org/

It's a simple way to make a unique strong password for each site using one master password. It has convenient plugins for all browsers.
Pages: [1]
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!