Bitcoin Forum
Topic: An exercise in security: Best practices for the naïve end user? (Read 1108 times)
May 18, 2012, 03:50:44 PM

So Bitcoinica got rooted and robbed. In expectation of the announced mass leak, I've got an exercise for you ninjas.

Assume for a minute that:

  • My name is Joe Average. Hello.
  • I love my Bitcoins. I have a good number of them for some reason.
  • I'm completely naïve when it comes to securing my accounts.
  • I'm of reasonable intelligence and able to carry out simple instructions.
  • I prefer to use the login javerage across all services, and I like the password JoeBitcoin123.
  • I have an account with every major money-handling merchant, service and exchange.

What steps should I follow to manage my credentials in a safer, saner manner?

Securing the wallet is already covered, so we can assume that my Bitcoin Retirement Fund is stored on a stick in some secure vault.

Consequently, I'm mostly concerned with risks involving the compromise of 3rd party services.

Some sub-problems:

  • How do I produce sufficiently strong passwords for each account?
  • How do I store and retrieve tens of strong passwords safely?
  • How do I keep track of logins, passwords, email addresses, and other account data
    across tens of services over several years, for use by many devices?
  • What precautions should I take when sites get compromised, when account data gets leaked?
  • How do I stop myself from eventually being lazy, eventually getting robbed?

How do you stay safe? Smiley
May 18, 2012, 03:56:33 PM

I have a "safe password" (two actually) and one I use for everything.

The safe one(s) are used for email, PayPal and Bitcoin.

The BTC wallet in the cloud has been secured with two passwords (safe and unsafe, both); on disk it is always encrypted with one (the safe one).

May 18, 2012, 04:01:16 PM

Use a password manager, something like KeePass; it's available for all common OSes, including smartphones.
The password manager will also help you choose strong passwords.
Don't use the same password at multiple locations.
Additionally, the same password manager will help you keep other associated credentials, notes, etc. safe.
Keep a backup of its database.
May 18, 2012, 04:06:59 PM

I used the "multi-tier" password strategy as well before entering Bitcoin, and thought it was reasonably secure.

When I saw what was going on in Bitcoin I abandoned this idea, because really, you cannot trust anyone to keep your data safe, even if they have the best intentions.

Today I have a totally separate password for each service. I write them down on a non-network-connected device which uses software to encrypt my passwords.
I do not remember most of my passwords, but I use password reset quite often Smiley

For quite powerful passwords you could use
Agent Provocateur
May 18, 2012, 05:33:00 PM

I'm creating a new pw with min. 13 chars for every service or task & storing 'em in a pw container on an old iPaq, which is never data-connected to anything. In case of iPaq failure, pws are written down and stored safely.

Besides pw security for the average user, I'm more interested in something I've read on this forum: the RPC attack on bitcoin-qt. I've read the attack can be avoided by setting up a proper bitcoin.conf in /appdata, with: RPC user & pw set, allowing only trusted nodes, disallowing IRC connection, localhost's RPCs allowed only, ... too much for the average user.
Neither is a bitcoin.conf with a minimum of security settings created when installing the client, nor can I identify trusted nodes. Where can I find a list of trusted nodes, and how can I be sure they're safe?
Maybe such a standard bitcoin.conf is surcharged or this is just a minor issue, but I thought it should be mentioned when talking about security standards for the average user.
May 19, 2012, 12:03:38 AM

I highly recommend

It's a simple way to make a unique strong password for each site using one master password. It has convenient plugins for all browsers.
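The "one master password, a unique strong password per site" scheme this post describes, as an added example written for this thread (it is not the recommended plugin's own algorithm, which the page does not show): each site password is derived with PBKDF2 from the master password plus the site name and a rotation counter, so a leaked site database exposes neither the master nor the other sites' passwords, while the master itself stays a single point of failure. Function names and the sample site names are hypothetical.

```python
import hashlib
import math
import string

# Added illustration of the master-password-per-site idea from the thread;
# the names below are hypothetical, not any plugin's API.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+"


def derive_site_password(master, site, counter=1, length=16, iterations=100_000):
    """Derive a per-site password from one master password.

    The site name and a rotation counter form the salt, so every site gets a
    different password, and after a site leaks its database you bump the
    counter to get a fresh one without changing the master. The trade-off:
    anyone who learns the master can recompute every site password offline,
    so the master must be long and must never be typed into a site itself.
    """
    if length < 13:  # the thread's own floor: "min. 13 chars"
        raise ValueError("use at least 13 characters")
    salt = f"{site.strip().lower()}|{counter}".encode()
    n = len(ALPHABET)
    limit = 256 - (256 % n)  # rejection sampling keeps every character equally likely
    chars, dklen = [], length * 2
    while len(chars) < length:
        # PBKDF2 output is prefix-consistent, so a longer dklen only appends bytes.
        key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, iterations, dklen)
        chars = [ALPHABET[b % n] for b in key if b < limit]
        dklen *= 2
    return "".join(chars[:length])


def entropy_bits(length, alphabet=ALPHABET):
    """Strength of a uniformly random password of this length over this alphabet."""
    return length * math.log2(len(alphabet))


if __name__ == "__main__":
    # Constructed sample inputs; the master is the weak one from the first post.
    master = "JoeBitcoin123"
    for site in ("exchange-a.example", "exchange-b.example"):
        print(site, derive_site_password(master, site))
    print("after a leak at exchange-a:", derive_site_password(master, "exchange-a.example", counter=2))
    print(f"{entropy_bits(16):.1f} bits for 16 characters, {entropy_bits(13):.1f} for 13")
```

Sites that enforce their own composition rules or length limits still need a per-site exception recorded somewhere, which is the point at which a password manager database becomes simpler than pure derivation.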