Thailand Visa Forum by Thai Visa | The Nation
simon43

Fundamental question about storing crypto safely


seancbk    1,412
On 9/7/2017 at 9:02 PM, simon43 said:

Thanks very much for your reply.  BX really doesn't provide any support files about this - looks like they much prefer to keep them on their exchange!

 

I checked another thread on this forum about exodus.io, which looks like a good way to safely hold my crypto.  I can now understand the process of sending bitcoins or Ethereum etc from BX exchange to my wallet.

 

I'm a little wary of BX exchange.  For example, my verified account previously was linked to my Bangkok Bank account, and I previously sent some small funds from Bangkok Bank to my BX account, and traded with these.

 

Today, when I logged into BX, I found that my bank account data had been deleted!  How did that happen?  I never deleted it.  Very worrying.

I wouldn't worry about your bank details not being saved. That sounds like a security feature, in fact.

I have been using BX for some time. I only use it to purchase Bitcoin, which I then send to Bittrex where I do my actual trading.

For security's sake you should be using 2FA on all accounts (BX, Bittrex, etc). It is also a good idea to create a separate email account to set up your crypto accounts, and absolutely use 2FA to access that email account.

For offline storage I prefer myetherwallet, which is a paper wallet for ETH and ERC 20 tokens.

zib    29
4 minutes ago, taiping said:

Is there any particular brand of hw that you recommend? I would like to experiment with one, although I don't think there is much danger from using Exodus/Electrum on my home PC. Even if the wallet is hacked, without the password they could not access the coins. Am I correct about that?

You are correct. But some malware can of course also grab your password when you input it.

One good example is with the BitcoinCash fork. Immediately after ElectronCash (Electrum for BitcoinCash) came out, someone registered a bunch of similar domains and put up a "backdoored" client that sent your private key to some server. It was up for about a week until the domains got cut off. Some people either lost all their newfound BCC, or they also lost their old BTC if they put the same recovery seed into ElectronCash. With a hardware wallet this would never have happened. You could even have used the backdoored ElectronCash successfully and it would not be able to send any private keys, since it never sees them.

I actually have 3 hw-wallets because I'm doing some testing: Trezor, Keepkey and Ledger Nano S. The Ledger Nano S seems so far to be superior, at least when it comes to the software.

I hate printing out my recovery seed and storing it somewhere because I don't consider that safe either. I'd rather take these 3 brands of hw-wallet, use the same recovery seed on all of them and give, for example, 1 to a friend for safekeeping. It would be extremely unlikely for all 3 to fail at the same time. Unless there's a huge tsunami, but then the printed recovery seed would most likely be gone too :P

zib    29
8 minutes ago, seancbk said:

I wouldn't worry about your bank details not being saved. That sounds like a security feature, in fact.

I have been using BX for some time. I only use it to purchase Bitcoin, which I then send to Bittrex where I do my actual trading.

For security's sake you should be using 2FA on all accounts (BX, Bittrex, etc). It is also a good idea to create a separate email account to set up your crypto accounts, and absolutely use 2FA to access that email account.

For offline storage I prefer myetherwallet, which is a paper wallet for ETH and ERC 20 tokens.

I would never recommend any online service, myetherwallet included. However, it is completely safe, and easy, to use for example myetherwallet together with a hardware wallet. They currently support Trezor or Ledger.

If you have ERC20 tokens then Myetherwallet is the best one to use. If you have a hw-wallet it is also a must, since none support ERC20 tokens.

speedtripler    1,935
51 minutes ago, DeeMak9 said:

Use paper wallets and rent a safe deposit box 😊

Use encrypted paperwallets because they're useless without the password as well ;)

speedtripler    1,935
2 hours ago, taiping said:

Is there any particular brand of hw that you recommend? I would like to experiment with one, although I don't think there is much danger from using Exodus/Electrum on my home PC. Even if the wallet is hacked, without the password they could not access the coins. Am I correct about that?

If you have a non-trivial amount of money in crypto you could get an old 2nd-hand laptop just for the purpose.

Create your wallets on that and maintain an "air-gap machine" at all times (so it never goes online).

That's the best way to get as close to maximum security as possible, but it depends how you value your investment and how much losing it would hurt.

seancbk    1,412

A good way to securely store your passphrase is to hide it in plain sight.

Your passphrase will be something like 12 random words.

So go to a random word list generating site. I use this one - https://www.randomlists.com/random-words

Generate a list of 200+ words (the more the better).

Choose a single word you will remember - for example Artichoke.

Somewhere in the list of 200+ words you created, type in the key word. Then immediately after that key word paste your passphrase words.

Now anyone finding the document has no idea which 12 words out of the 200+ words are your passphrase.

You can find the passphrase because you know which key word precedes it.

Print it out and put it in a file, and store it in an email to yourself as well as in Google docs. Just remember the key word.

zib    29
18 minutes ago, seancbk said:

A good way to securely store your passphrase is to hide it in plain sight.

Your passphrase will be something like 12 random words.

So go to a random word list generating site. I use this one - https://www.randomlists.com/random-words

Generate a list of 200+ words (the more the better).

Choose a single word you will remember - for example Artichoke.

Somewhere in the list of 200+ words you created, type in the key word. Then immediately after that key word paste your passphrase words.

Now anyone finding the document has no idea which 12 words out of the 200+ words are your passphrase.

You can find the passphrase because you know which key word precedes it.

Print it out and put it in a file, and store it in an email to yourself as well as in Google docs. Just remember the key word.

So then I just take your, let's say, 1 million word wordlist. Create a script that takes 12 words -> save, step 1 word, take the next 12 words -> save, and then generate electrum wallet files with all those seeds and then cycle through them with electrum cli until I find addresses with balance.

Would probably take a few hours for a 1 million wordlist. For a 200 one... a minute?

Smart suggestion dude!

zib    29
1 hour ago, speedtripler said:

Use encrypted paperwallets because they're useless without the password as well ;)

Yeah this is one of the best ways. Take your seed, aes-encrypt it, base64-encode it and then print it out.

seancbk    1,412
6 minutes ago, zib said:

So then I just take your, let's say, 1 million word wordlist. Create a script that takes 12 words -> save, step 1 word, take the next 12 words -> save, and then generate electrum wallet files with all those seeds and then cycle through them with electrum cli until I find addresses with balance.

Would probably take a few hours for a 1 million wordlist. For a 200 one... a minute?

Smart suggestion dude!

And you guessed which coin each passphrase is for. Well done.

zib    29
9 minutes ago, seancbk said:

And you guessed which coin each passphrase is for. Well done.

Haha, guessing what type of coin it is is hardly considered a problem.

Anyway, please give me your wordlist and let's see how long it takes ;)

zib    29
Also most clients (if not all) use BIP39 as the wordlist. This list consists of only 2048 words. So it's easy to, for example, take a wordlist generated on https://www.randomlists.com/random-words and exclude all words not in BIP39.

If you then also look for 12 words in sequential order that are in BIP39, you can probably narrow it down to 1 right away.

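Before relying on the word-list scheme from seancbk's post, this is a way to audit the document yourself for the weakness zib points out. It is an added Python example, not code from the thread; BIP39_SAMPLE is a constructed handful of the real 2048-word list and HIDDEN_DOC a constructed document (a real audit would load the wallet's full wordlist file, a path this example does not know).

```python
"""Self-audit for the "hide the seed among 200+ random words" idea: added example."""

# Constructed stand-in for the BIP39 English list. A real audit loads all 2048
# words from the wallet software's wordlist file (assumed, not from the thread).
BIP39_SAMPLE = {
    "abandon", "ability", "able", "about", "above", "absent", "absorb",
    "abstract", "absurd", "abuse", "access", "accident",
    "apple", "river", "table", "window", "garden", "coffee",
}

# Constructed "hidden" document: filler words, the key word "artichoke", then
# the 12-word phrase. Some filler words happen to be BIP39 words too.
HIDDEN_DOC = (
    "cucumber xylophone apple telescope gazebo river fjord zucchini "
    "artichoke abandon ability able about above absent absorb abstract "
    "absurd abuse access accident marmalade table trombone oregano"
)


def wordlist_runs(words, wordlist):
    """Yield (start, run) for each maximal run of consecutive wordlist words."""
    run_start = None
    for i, w in enumerate(words + [None]):  # sentinel flushes a trailing run
        in_list = w is not None and w.lower() in wordlist
        if in_list and run_start is None:
            run_start = i
        elif not in_list and run_start is not None:
            yield run_start, words[run_start:i]
            run_start = None


def seed_candidates(text, wordlist, seed_len=12):
    """Runs of at least seed_len consecutive wordlist words. Isolated BIP39 words
    in the filler are noise; a run of 12 is the phrase, key word or not."""
    words = text.split()
    return [(start, run) for start, run in wordlist_runs(words, wordlist)
            if len(run) >= seed_len]


if __name__ == "__main__":
    for start, run in seed_candidates(HIDDEN_DOC, BIP39_SAMPLE):
        print(f"candidate phrase at word {start}: {' '.join(run)}")
```

If the audit returns exactly one candidate, the "hidden" phrase is as exposed as if it were written on its own line; the remaining unknown is only which coin it belongs to, which the thread agrees is no obstacle.
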
seancbk    1,412
44 minutes ago, zib said:

If you then also look for 12 words in sequential order that are in BIP39, you can probably narrow it down to 1 right away.

Very smart. OK my method needs work :-)

jago25    5

Buy a Ledger HW1.1 or Ledger Wallet Nano if you need ETH.

Split the recovery phrase into 3 parts using http://point-at-infinity.org/ssss/demo.html on a secure offline computer (difficult...),

print it out after testing and send 2-3 parts via registered post to different relatives who live at different addresses to store somewhere safe.

This is a total PITA by the way, but I wasn't able to find something better.

An alternative could be to find a cheap phone, install Mycelium on it and just put the backup phrase in a safe, but that's only as secure as the safe. Possibly just split into 2 parts, but without properly splitting with the Shamir method. This again will probably be fine on the basis that hopefully people won't know what the words are and have the ability to fix the split, but it isn't the best.


BANGKOK 27 September 2017 04:52