Wallet – Maximum Security

I am relatively new to the whole concept of crypto currencies. I like the idea behind PPC a lot, but the one thing that really concerns me is security of my wallet (esp. since I’m not very tech savvy).

So far I’ve downloaded and encrypted the wallet from peerrcoin.net and it works fine. I’ve also backed up the wallet.dat file on a USB drive. According to the video tutorial by Roots Ical on YouTube, I should take further steps to secure my wallet by using True Crypt. Is this the general consensus on the forum? Or is there a better method out there? What do you guys think?

Thanks in advance!

I’m unsure on that as well. Also, I would like to ask for help in getting the PPC Wallet able to receive the updates after initial install. Is the network down for the updates? I’ve had this program open for two days now with no luck on a signal. Is there something I’m missing, possibly? Primecoin, Litecoin, and Bitcoin wallets all downloaded no problem.

Thanks in advance

[quote=“epicurus, post:1, topic:1832”]I am relatively new to the whole concept of crypto currencies. I like the idea behind PPC a lot, but the one thing that really concerns me is security of my wallet (esp. since I’m not very tech savvy).

So far I’ve downloaded and encrypted the wallet from peerrcoin.net and it works fine. I’ve also backed up the wallet.dat file on a USB drive. According to the video tutorial by Roots Ical on YouTube, I should take further steps to secure my wallet by using True Crypt. Is this the general consensus on the forum? Or is there a better method out there? What do you guys think?

Thanks in advance![/quote]
Once you have got your wallet encrypted you are reasonably safe, assuming you have used a long and good pass phrase (multiple words, special characters, numbers etc., totalling at least 30 characters I would say; more is better). Tools like Lastpass may help you remember and retrieve those lengthy pass phrases, especially if you have a few of them for other wallets. Just make sure that the Lastpass password is very secure, otherwise it would defeat its purpose.

True Crypt would only provide another layer of security if you are very paranoid. I don’t think it is needed and I haven’t heard of many people using it in combination with crypto wallets, but I’m interested to hear what others have to say.

[quote=“Baud, post:2, topic:1832”]I’m unsure on that as well. Also, I would like to ask for help in getting the PPC Wallet able to receive the updates after initial install. Is the network down for the updates? I’ve had this program open for two days now with no luck on a signal. Is there something I’m missing, possibly? Primecoin, Litecoin, and Bitcoin wallets all downloaded no problem.

Thanks in advance[/quote]
Please check this thread for issues with first time syncing: http://www.peercointalk.org/index.php?topic=2068.0;topicseen

Thanks Cybnate, looks like it’s working now, at least I actually have a low signal rather than none. Good looking out Brother!

[quote=“Cybnate, post:3, topic:1832”][quote=“epicurus, post:1, topic:1832”]I am relatively new to the whole concept of crypto currencies. I like the idea behind PPC a lot, but the one thing that really concerns me is security of my wallet (esp. since I’m not very tech savvy).

So far I’ve downloaded and encrypted the wallet from peerrcoin.net and it works fine. I’ve also backed up the wallet.dat file on a USB drive. According to the video tutorial by Roots Ical on YouTube, I should take further steps to secure my wallet by using True Crypt. Is this the general consensus on the forum? Or is there a better method out there? What do you guys think?

Thanks in advance![/quote]
Once you have got your wallet encrypted you are reasonably safe, assuming you have used a long and good pass phrase (multiple words, special characters, numbers etc., totalling at least 30 characters I would say; more is better). Tools like Lastpass may help you remember and retrieve those lengthy pass phrases, especially if you have a few of them for other wallets. Just make sure that the Lastpass password is very secure, otherwise it would defeat its purpose.

True Crypt would only provide another layer of security if you are very paranoid. I don’t think it is needed and I haven’t heard of many people using it in combination with crypto wallets, but I’m interested to hear what others have to say.[/quote]

Thanks a lot, good to know. I’d really appreciate getting more opinions on this issue, as maximum safety of our investment is essential.

I am not convinced that a good strong password provides sufficient security. I do think the encryption can be strong. But what about the weaknesses of my personal computer? What if it has or gets malware hiding within? For instance, what if it has a keyboard logger reading my every keystroke - including passwords! Then it wouldn’t matter how long or strong my password is: my peercoin would disappear from my wallet - to be owned by some bad guy. No?

Many of the experts and coders on this forum run Linux and so have fewer problems with malware. But that doesn’t mean it doesn’t exist and isn’t a problem that is growing worse. I, unfortunately, am an everyday non-coding schmuck and run Windows. Heaven forbid. Haha - talk about insecure!

I believe, that if Peercoin is to grow to widespread success and acceptance in the world at large, it will need to accommodate and make secure people who operate highly insecure computers.

Two factor authentication is a major recent advance in this area. When I send PPC out from BTC-e they send an email to me that I have to click on in addition to the password I had to give to sign in. When I sign in to Coinbase with my password they send a one-time only number code by the Authy app on my phone that I also have to enter. Also, when I send BTC out from Coinbase it requires me to input a numeric code that it sends me via SMS (text) to my phone. Two factor authentication - it’s much more secure.

We don’t have it on Peercoin Qt wallet, do we? (other discussion for a bounty perhaps)

The new wallet update will have the ability to lock the wallet for sending but still allow PoS minting, but I don’t think that would protect your money from a malware keyboard logger.

Paper Wallet:
The only way I know of to truly secure your PPC money at this time is to make a paper wallet by using a computer and printer that are not connected to the Internet. There are numerous tutorials for doing this and at least three different programs that will generate PPC Public Addresses for you to use to securely store your hard earned money as wonderful Peercoin. One such program provided by Fuzzybear of this forum is located at: http://wallet.peercointalk.org. In short, you run this software in an offline computer and it creates Private Key / Public Address pairs that can be printed out offline. By doing this, your all important and controlling Private Key will have never been on the Internet and no malware can have seen it. There are more possible combinations of the Private Key than there are atoms in the known universe, so if you generate a good random Private Key and you don’t let it get on the Internet: your money will be as secure as the network.

Unfortunately, to the best of my knowledge, this paper wallet tactic is not very in keeping with the desirable Peercoin strategy and protocol of Proof of Stake minting.

I wonder if a Watch-Only wallet could be developed that has no Private Key(s) but does have one or more Peercoin Public Addresses and would be able to participate in PoS minting? Can someone more knowledgeable than myself weigh in on this possibility?

TLDR summary: Paper Wallets offer the greatest security. Secondly, can paper wallet software be created to participate in Proof of Stake minting?

Hi. I bought a load of peercoins over Christmas and I’m a computer savvy user (computer programmer).

The main danger comes from Malware (keystroke loggers). These can come through many vectors like outdated Java, outdated Flash, or clicking on links in IRC channels. Needless to say, Windows doesn’t provide any default protection against this. For crypto you should take special measures, because the strength of fiat and the financial system is that you can always charge back or start a fraud investigation. If you can’t, then you can’t use the same mechanisms to store passwords for convenience as you would crypto because there is no insurance. For example if you store your password in Lastpass and someone uses your password and login to steal money from your bank, you can always go to the bank and get your money back or start legal proceedings. No way to do that with crypto. Once you recognize and admit this is the main weakness of crypto, you can take precautions.

So depending on the number of coin (since I can’t stand the idea of black hats taking coin abusing their powers I would even do it for 1 coin) I would at a minimum as a Windows user:

  1. Reinstall Windows and get all updates first
  2. Use Firefox and NoScript+Flashblock. Follow settings on browser from Bitcoin Wiki – no default homepage, do not remember history, no cache
  3. Do not install Java, or if you do make sure to always keep it updated
  4. Do not visit forums and do not click on IRC links
  5. Run a malware scanner like Malwarebytes with active protection
  6. Do not ever type your password without going into safe mode with networking
  7. Do not run executables or programs downloaded from the Internet except from reputable commercial sites like Steam
  8. Do not use Microsoft Outlook, Microsoft Office or Excel or anything with macros. Do not use Internet Explorer.
  9. (added) Do not open attachments from well-meaning coworkers, ever, and never ever plug in USB that has ever been plugged into another computer. Especially never open attachments in Outlook.

This level of protection should be convenient enough for most casual Windows users (games) plus coin. Of course this level of protection would be for me personally insufficient. Depending on the amount of coin I would take other extreme measures like cold storage / paper wallet / Linux / Live CD. Every three to six months I would also reinstall everything, just to create a dead time. Passwords and logins are traded and sold on black market channels but if you reinstall every three to six months and change all your passwords their knowledge would be useless. When you need to mint, boot up into safe mode.

Another danger is simply forgetting your own password because you make it too complicated haha.

bhldev

Can you please explain more about “never ever plug in USB that has ever been plugged into another computer”

I ask because I have two computers - one for general internet use (which I am using now) and another from work, which they cleaned up, re-formatted and sold off as an old model (I restrict this computer to my peercoin client, visits to a couple of crypto-currency exchanges, and gmail when necessary)

As I do not want to type out long public address keys, etc. I keep them on a USB, but this has meant transferring the USB from one computer to the other

Any more insights on USB keys would be helpful

Well unless you are computer savvy you could have autorun enabled. As soon as you plug in a USB Windows could automatically execute any code on it. Even if you have autorun disabled, Windows has secret vulnerabilities known to government.

The US government did it to Iran with contractors and an ultimate computer virus that would make their nuke cyclotrons run too fast and get destroyed. And of course the Iranian nuke plants had autorun disabled but it didn’t matter since it was Windows. In the end in any workplace careful about security, external USB keys are banned and the USB ports themselves locked behind a cabinet.

Of course the US government has all of the Windows source code and (hopefully) the run-of-the-mill script kiddie does not, so couldn’t exploit to this level. The risk is probably minimal so long as you keep both computers clean but you would never know if it’s a work computer. Viruses could propagate over the network so you are basically trusting work to be secure. You are better off getting a Yubikey that’s read only (at least according to them).

Hi, NewMoneyEra - following your comments on your use of two-factor authentication at Vircurex (where I have an account) I decided to set one up

However, the Vircurex website is very sparse on information on how to do things. I sent a request for assistance by email, but am still waiting for a response. I was wondering if you could provide guidance in the meantime, as I want to set up two-factor authentication as soon as possible

Basically, their website (the Google Authenticator Activation page) asks for a Google Authenticator One Time Password (so that they know I am properly connected) but they do not explain how I get one of these

The same webpage has a “Google Authenticator Key”, but no explanation as to what this is

If you could give any insights on how I progress this, that would be great. Essentially, all I want is to receive by text a code that I can input, in addition to my usual password

[quote=“RobertLloyd, post:11, topic:1832”]Hi, NewMoneyEra - following your comments on your use of two-factor authentication at Vircurex (where I have an account) I decided to set one up

However, the Vircurex website is very sparse on information on how to do things. I sent a request for assistance by email, but am still waiting for a response. I was wondering if you could provide guidance in the meantime, as I want to set up two-factor authentication as soon as possible

Basically, their website (the Google Authenticator Activation page) asks for a Google Authenticator One Time Password (so that they know I am properly connected) but they do not explain how I get one of these

The same webpage has a “Google Authenticator Key”, but no explanation as to what this is

If you could give any insights on how I progress this, that would be great. Essentially, all I want is to receive by text a code that I can input, in addition to my usual password[/quote]

Hi RobertLloyd,

I think I need to apologize and go back and change what I wrote about Vircurex. I went back to check and it didn’t work how I remembered, so I erased my Vircurex cookies, but still my current Vircurex does not verify the way I said it did.

Maybe I confused it with my Coinbase account? Vircurex does use Yubi keys which I ordered online and have not yet used. I don’t use Vircurex much and just traded some BTC for PPC last night and got a much better deal from BTC-e.com than Vircurex was offering. I stand by my statements about the necessary confirmation via email with BTC-e.com, which I think is a larger more liquid market for PPC and thus gives a better deal anyway.

I did review by signing out and signing back into my Coinbase.com account and the way that account is set up is I had to download an application on my smart phone called Authy. When I sign in to Coinbase after entering my password an additional input window appears on the Coinbase.com signup page asking for additional info, then my smart phone beeps, I open the Authy App and every 20 seconds it supplies a new 7 digit number for Coinbase sign in.

I don’t know what email you have but I have a gmail.com account and a while back followed the instructions to convert it to two-factor authentication. I don’t remember how but it wasn’t too complicated. Making a google two-factor authentication thru google+ or gmail is probably where the answer to your “Google Authenticator Key” lies. For that I’m pretty sure I was using Chrome, upper right hand corner Menu, Settings… or something like that. Google It… if you want :wink:

Now, I have to go back and correct what I wrote, sorry about that :-P, and thanks for the correcting feedback.