>> (p.1)
    Author Topic: An exercise in security: Best practices for the naïve end user?  (Read 1311 times)

    • elux (OP)
    Legendary
    *
    Offline Offline

    Activity: 1458
    Merit: 1006



    View Profile
    May 18, 2012, 03:50:44 PM
     #1
    So Bitcoinica got rooted and robbed. In expectation of the announced mass leak, I've got an exercise for you ninjas.

    Assume for a minute that:

    • My name is Joe Average. Hello.
    • I love my Bitcoins. I have a good number of them for some reason.
    • I'm completely naïve when it comes to securing my accounts.
    • I'm of reasonable intelligence and able to carry out simple instructions.
    • I prefer to use the login javerage across all services, and I like the password JoeBitcoin123.
    • I have an account with every major money-handling merchant, service and exchange.

    What steps should I follow to manage my credentials in a more safe, more sane manner?

    Securing the wallet is already covered, so we can assume that my Bitcoin Retirement Fund is stored on a stick in some secure vault.

    Consequently, I'm mostly concerned with risks involving the compromise of 3rd party services.

    Some sub-problems:

    • How do I produce sufficiently strong passwords for each account?
    • How do I store and retrieve tens of strong passwords safely?
    • How do I keep track of logins, passwords, email addresses, and other account data
      across tens of services over several years, for use by many devices?
    • What precautions should I take when sites get compromised, when account data gets leaked?
    • How do I stop myself from eventually being lazy, eventually getting robbed?

    How do you stay safe? Smiley

  • Realpra
    Hero Member
    *****
    Offline Offline

    Activity: 815
    Merit: 1002


    View Profile
    May 18, 2012, 03:56:33 PM
     #2
    I have a "safe password" (two actually) and one I use for everything.

    safe one(s) used for email, paypal and bitcoin.

    BTC wallet in the cloud has been secured with two passwords (safe/unsafe both), on disk is always encrypted with one (the safe one).
    Cheap and sexy Bitcoin card/hardware wallet, buy here:
    http://BlochsTech.com

  • Serge
    Legendary
    *
    Offline Offline

    Activity: 1050
    Merit: 1000


    View Profile
    May 18, 2012, 04:01:16 PM
     #3
    use a password manager, something like KeePass, it's available to all common OS' including smartphones
    password manager will also help you choose strong passwords
    don't use same password at multiple locations
    additionally same password manager will help you keep safe other associated credentials, notes, etc
    keep a backup of its database

  • apetersson
    Hero Member
    *****
    Offline Offline

    Activity: 668
    Merit: 501



    View Profile
    May 18, 2012, 04:06:59 PM
     #4
    i used the "multi-tier" password strategy as well before entering bitcoin, and thought it is reasonably secure.

    when i saw what was going on in bitcoin i abandoned this idea, because really, you cannot trust anyone to keep your data safe, even if they have the best intentions.

    today i have a totally seperate password for each service. i write them down on a non-network connected device which uses a software to encrypt my passwords.
    i do not remember most of my passwords, but i use password reset quite often Smiley

    for quite powerful passwords you could use http://www.passwordcard.org

  • Agent Provocateur
    Full Member
    ***
    Offline Offline

    Activity: 198
    Merit: 100


    View Profile
    May 18, 2012, 05:33:00 PM
     #5
    I'm creating a new pw with min. 13 chars for every service or task & store 'em in a pwcontainer on an old iPaq, which is never data-connected to whatever. In case of iPaq failure pws are written down and stored safely.

    Besides pwsecurity for the average user I'm more interested in something I've read on this forum: the RPC-attack on bitcoinqt. I've read the attack can be avoided through setting up a propper bitcoin.conf in theappdata, with: RPC user & pw set, allowing only trusted nodes, disallowing irc-connection, localhost's rpcs allowed only,...too much for the average user.
    Neither a bitcoin.conf with a minimum of security settings is created when installing the client nor can I identify trusted nodes. Where to find a list of trusted nodes and how can I be sure they're safe?
    Maybe such a standard-bitcoin.conf is surcharged or this is just a minor issue, but I thought it should me mentioned when talking about security-standards to the average user.

  • mav
    Full Member
    ***
    Offline Offline

    Activity: 169
    Merit: 107


    View Profile
    May 19, 2012, 12:03:38 AM
     #6
    I highly recommend http://passwordmaker.org/

    It's a simple way to make a unique strong password for each site using one master password. It has convenient plugins for all browsers.
    Pages: [1]
      Print  
Page 1
Viewing Page: 1

IRLBTC™ © 2025 IRLBTC.com