add secure-your-wallet page #118

Merged
merged 1 commit into from Apr 20, 2013

Contributor

saivann commented Apr 4, 2013

In the same spirit as the "You need to know" page, I produced a "secure your wallet" page in order to give more serious advice and help users to adopt good security practices. In the hope that this can contribute to reducing insecure setups and loss of funds over time.

This page is replacing (and recycling) the little box in the "you need to know" page and is adding the following content:

  • More advice and warnings concerning backups.
  • More advice and warnings concerning encryption.
  • Concrete and prudent introduction to offline wallets.
  • Introduction to offline transaction signature with Armory
  • Explanations and warnings about using a wallet in a temporary environment
  • Better explanation about the change addresses, private keys and deterministic wallets in relation with backups.
  • Introduction about multi-signature against theft.
  • Quick advice about mobiles that are easy to steal.
  • Improved general redaction

Result can be seen live there:
http://bitcoinsecwallet.zapto.org/en/you-need-to-know
http://bitcoinsecwallet.zapto.org/en/secure-your-wallet

The content of this page is sensitive and I took a lot of time to proof-read it. But I think it requires many ACKs from developers before we choose to merge it.

@luke-jr luke-jr and 1 other commented on an outdated diff Apr 9, 2013

en/secure-your-wallet.html
+<h3>Backup your entire wallet</h3>
+<p>Your wallet contains many private keys that receive the change of your transactions in order to protect your privacy. If you only have a backup of your visible private keys, you might not be able to recover a great part of your funds with your backup.</p>
+
+<h3>Encrypt online backups</h3>
+<p>Any backup that is stored online is highly vulnerable to theft. Even a computer that is connected to the Internet is vulnerable to malicious software. As such, encrypting any backup that is exposed to the network is a good security practice.</p>
+
+<h3>Use many secure locations</h3>
+<p>Single points of failure are bad for security. If your backup is not dependent of a single location, it is less likely that any bad event will prevent you to recover your wallet. You might also want to consider using different medias like USB keys, papers and CDs.</p>
+
+<h3>Make regular backups</h3>
+<p>You need to backup your wallet on a regular basis to make sure that all recent Bitcoin change addresses and all new Bitcoin addresses you created are included in your backup. However, all applications will be soon using wallets that only need to be backed up once.</p>
+
+</div>
+
+<h2>Encrypt your wallet</h2>
+<p>Encrypting your wallet allows you to set a password for anyone trying to withdraw any funds. This helps protect against thieves and hackers, though it cannot protect against keylogging hardware or software.</p>
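Review bot: In "Make regular backups", the closing sentence "However, all applications will be soon using wallets that only need to be backed up once" undercuts the instruction it follows and will go out of date; a reader can take it as permission to skip regular backups today. Suggest making it conditional, for example that some wallets only need to be backed up once and users should check whether theirs does. Wording elsewhere in the hunk: "Backup" used as a verb in the heading should be "Back up", "not dependent of" should be "not dependent on", "prevent you to recover" should be "prevent you from recovering", and "medias" should be "media".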
@luke-jr

luke-jr Apr 9, 2013

Contributor

Please don't encourage using "hackers" (people who enjoy exploring the limits of what is possible) to mean "crackers" (people who seek and exploit weaknesses in computer systems/networks).

Perhaps it would be best to exclude crackers entirely, as they can easily use keyloggers. That is, this is the one kind of thief encrypted wallets don't protect you from.

@saivann

saivann Apr 9, 2013

Contributor

That sounds good to me.

@luke-jr luke-jr and 1 other commented on an outdated diff Apr 9, 2013

en/secure-your-wallet.html
+
+<h3>Make regular backups</h3>
+<p>You need to backup your wallet on a regular basis to make sure that all recent Bitcoin change addresses and all new Bitcoin addresses you created are included in your backup. However, all applications will be soon using wallets that only need to be backed up once.</p>
+
+</div>
+
+<h2>Encrypt your wallet</h2>
+<p>Encrypting your wallet allows you to set a password for anyone trying to withdraw any funds. This helps protect against thieves and hackers, though it cannot protect against keylogging hardware or software.</p>
+
+<div class="box">
+
+<h3>Never forget your password</h3>
+<p>You should make sure you never forget the password or your funds will be permanently lost. Unlike your bank, there are no password recovery options with Bitcoin. In fact, you should be able to remember your password even after many years without using it. In doubt, you might want to keep a paper copy of your password in a safe place like a vault.</p>
+
+<h3>Use a strong password</h3>
+<p>Any password that contains only letters and recognizable words can be considered very weak and easy to break. A strong password must contain letters, numbers, punctuation marks and must be at least 16 characters long. At the same time, this should not prevent you to remember your password.</p>
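Review bot: In "Use a strong password", the first sentence classes any password made only of letters and recognizable words as very weak, which also rules out long passphrases of randomly selected words, while the rule that follows (letters, numbers, punctuation marks, at least 16 characters) says nothing about how the characters are chosen. Suggest describing strength in terms of length and unpredictability rather than character classes. "Never forget your password" recommends a paper copy of the password; it should also say to keep that copy apart from any wallet backup, since someone holding both needs nothing else. Wording: "prevent you to remember" should be "prevent you from remembering".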
@luke-jr

luke-jr Apr 9, 2013

Contributor

As a general rule, any password that is human-chosen is weak. Users should be encouraged to only use a competent software program (recommendations would be nice) to generate their passphrase.

@saivann

saivann Apr 9, 2013

Contributor

Sure. But as a side effect, those passwords are very hard to remember and imply more risk to forget them. A password that complies with the rules in this paragraph isn't strong enough to be resistant against serious dictionary/bruteforce attacks?
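The trade-off discussed in this thread can be put in numbers. The following is an added example, not code from this pull request or from bitcoin.org: it generates a passphrase with the operating system's CSPRNG and computes the entropy of a uniformly random choice, which is the only case in which a length or character-class rule says anything about strength. The wordlist is a constructed 32-word sample and the function names are illustrative.

```python
import math
import secrets

# Constructed 32-word sample list (assumption, for illustration only).
# Real generators draw from lists of several thousand words.
SAMPLE_WORDS = (
    "anchor basil cedar delta ember fjord glacier harbor "
    "iris jasper kettle lantern meadow nectar orbit pebble "
    "quartz raven saddle timber umber velvet walnut xenon "
    "yarrow zephyr acorn birch copper dune elm flint"
).split()

PRINTABLE_ASCII = 94  # letters, digits and punctuation, no space


def entropy_bits(choices: int, picks: int) -> float:
    """Bits of entropy in `picks` independent uniform draws from `choices`."""
    return picks * math.log2(choices)


def words_needed(list_size: int, target_bits: float) -> int:
    """Smallest number of random words that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(words, count: int, sep: str = " ") -> str:
    """Pick `count` words with the OS CSPRNG; reject lists with duplicates."""
    if len(set(words)) != len(words):
        raise ValueError("wordlist contains duplicates")
    return sep.join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    print(generate_passphrase(SAMPLE_WORDS, 6))
    print(f"16 random printable chars: {entropy_bits(PRINTABLE_ASCII, 16):.1f} bits")
    print(f"6 words from a 7776-word list: {entropy_bits(7776, 6):.1f} bits")
    print(f"words needed from a 7776-word list for 100 bits: {words_needed(7776, 100)}")
```

These figures hold only when every character or word is drawn at random; a password a person composes to satisfy the same rules has less entropy than the calculation gives.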

@luke-jr luke-jr and 1 other commented on an outdated diff Apr 9, 2013

en/secure-your-wallet.html
+<ol>
+ <li>Create a new transaction on the online computer and save it on an USB key.</li>
+ <li>Sign the transaction with the offline computer.</li>
+ <li>Send the signed transaction with the online computer.</li>
+</ol>
+<p>Because the computer that is connected to the network cannot sign transactions, it cannot be used to withdraw any funds if it is compromised. <a href="https://bitcoinarmory.com/using-offline-wallets-in-armory/">Armory</a> can be used to do offline transaction signature.</p>
+</div>
+
+<br>
+<div class="box boxexpand">
+<h3><a href="#" onclick="boxshow(event);">Temporary environment</a></h3>
+<p>This approach involves loading a wallet inside a temporary environment. For example, it is possible to boot on a Linux live CD, load a light SPV wallet software with its configuration from an USB key and issue a transaction. When a computer is booted from a trusted read-only environment that is only loaded in memory, malicious code is kept away and no trace of your wallet is left on the hard drive. You should however be very careful with the following points.</p>
+<p><b>Losing funds</b></p>
+<p>A temporary environment is the perfect place to lose funds forever. If your wallet is not correctly loaded from an external permanent storage like an USB key, any changes made in your wallet will be lost permanently. Including the new Bitcoin adresses that might have been created during the temporary session to receive the change of your last transactions.</p>
+<p><b>Password mismatch</b></p>
+<p>Booting in a temporary environment is likely to assign a different layout to your keyboard which will later produce different characters then expected. When using encryption, this can cause password mismatches. You might want to type your password on the screen in order to prevent problems.</p>
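Review bot: In the ordered list, step 2 tells the user to sign on the offline computer but not to check what is being signed. The unsigned transaction is created on the online computer, which the following paragraph treats as the machine that may be compromised, so the amount and destination address should be reviewed on the offline computer before signing; suggest "Review and sign the transaction with the offline computer." Wording further down: "adresses" should be "addresses", the sentence starting "Including the new Bitcoin adresses" is a fragment that belongs with the sentence before it, and "then expected" should be "than expected".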
@luke-jr

luke-jr Apr 9, 2013

Contributor

Likely? O.o

@saivann

saivann Apr 9, 2013

Contributor

Indeed, is there something wrong with this line?

@luke-jr luke-jr and 1 other commented on an outdated diff Apr 9, 2013

en/secure-your-wallet.html
+ <li>Sign the transaction with the offline computer.</li>
+ <li>Send the signed transaction with the online computer.</li>
+</ol>
+<p>Because the computer that is connected to the network cannot sign transactions, it cannot be used to withdraw any funds if it is compromised. <a href="https://bitcoinarmory.com/using-offline-wallets-in-armory/">Armory</a> can be used to do offline transaction signature.</p>
+</div>
+
+<br>
+<div class="box boxexpand">
+<h3><a href="#" onclick="boxshow(event);">Temporary environment</a></h3>
+<p>This approach involves loading a wallet inside a temporary environment. For example, it is possible to boot on a Linux live CD, load a light SPV wallet software with its configuration from an USB key and issue a transaction. When a computer is booted from a trusted read-only environment that is only loaded in memory, malicious code is kept away and no trace of your wallet is left on the hard drive. You should however be very careful with the following points.</p>
+<p><b>Losing funds</b></p>
+<p>A temporary environment is the perfect place to lose funds forever. If your wallet is not correctly loaded from an external permanent storage like an USB key, any changes made in your wallet will be lost permanently. Including the new Bitcoin adresses that might have been created during the temporary session to receive the change of your last transactions.</p>
+<p><b>Password mismatch</b></p>
+<p>Booting in a temporary environment is likely to assign a different layout to your keyboard which will later produce different characters then expected. When using encryption, this can cause password mismatches. You might want to type your password on the screen in order to prevent problems.</p>
+<p><b>Leaving no trace</b></p>
+<p>As long as a storage media like a hard drive is connected to the computer, there is a small risk that some traces of your private keys can remain. You might want to disconnect any hard drive or disable all swap transactions before loading your wallet.</p>
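Review bot: In "Password mismatch", "type your password on the screen" is ambiguous and, read literally, has the user display the wallet password in clear text. If the intent is to confirm the keyboard layout, suggest saying so, for example by checking that a few test characters come out as expected in a visible text field before entering the password. In "Leaving no trace", "a storage media" should be "a storage medium".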
@luke-jr

luke-jr Apr 9, 2013

Contributor

Swap transactions?

@saivann

saivann Apr 9, 2013

Contributor

Isn't the key loaded in memory? Or is it too paranoid?

@saivann

saivann Apr 9, 2013

Contributor

Oh wait, I see the mistake.. "swap partition". Will fix.

Contributor

saivann commented Apr 19, 2013

I would like this page to be pushed soon. Any more comments or reviews on this?

The only comment I didn't fix yet is luke-jr's proposal to recommend that users use software to generate their passwords. (1) Because we need to recommend at least one if we do, so that people don't use weak tools, and (2) because I was afraid that this would increase the risk of people forgetting their passwords. More opinions are welcome on this one.

saivann added a commit that referenced this pull request Apr 20, 2013

@saivann saivann merged commit 41aafd1 into master Apr 20, 2013

@saivann saivann deleted the securewallet branch Apr 20, 2013

jl2012 pushed a commit to jl2012/bitcoin.org that referenced this pull request Apr 5, 2016
