This is my handout for paranoid people who want a way to store bitcoin safely. It requires a little work, but this is the method I use because it should be resistant to risks associated with:
- Bad random number generators
- Malicious or flawed software
- Hacked computers
If you want a method that is less secure but easier, skip to the bottom of this post. The Secure Method
- Download bitaddress.org. (Try going to the website and pressing "ctrl+s")
- Put the bitaddress.org file on a computer with an operating system that has not interacted with the internet much or at all. The computer should not be hooked up to the internet when you do this. You could put the bitaddress file on a USB stick, and then turn off your computer, unplug the internet, and boot it up using a boot-from-CD copy of linux (Ubuntu or Mint for example). This prevents any mal-ware you may have accumulated from running and capturing your keystrokes. I use an old android smart phone that I have done a factory reset on. It has no sim-card and does not have the password to my home wifi. Also the phone wifi is turned off. If you are using a fresh operating system, and do not have a connection to the internet, then your private key will probably not escape the computer.
- Roll a die 62 times and write down the sequence of numbers. This gives you 2160 possible outcomes, which is the maximum that Bitcoin supports.
- Run bitaddress.org from your offline computer. Input the sequence of numbers from the die rolls into the "Brain Wallet" tab. By providing your own source of randomness, you do not have to worry that the random number generator used by your computer is too weak. I'm looking at you, NSA ಠ_ಠ
- Brain Wallet tab creates a private key and address.
- Write down the address and private key by hand or print them on a dumb printer. (Dumb printer means not the one at your office with the hard drive. Maybe not the 4 in 1 printer that scans and faxes and makes waffles.) If you hand copy them you may want to hand copy more than one format. (WIF and HEX). If you are crazy and are storing your life savings in Bitcoin, and you hand copy the private key, do a double-check by typing the private key back into the tool on the "Wallet Details" tab and confirm that it recreates the same public address.
- Load your paper wallet by sending your bitcoin to the public address. You can do this as many times as you like.
- You can view the current balance of your paper wallet by typing the public address into the search box at blockchain.info
- If you are using an old cell phone or tablet do a factory reset when you are finished so that the memory of the private keys is destroyed. If you are using a computer with a boot-from-CD copy of linux, I think you can just power down the computer and the private keys will be gone. (Maybe someone can confirm for me that the private keys would not be able to be cached by bitaddress?)
- To spend your paper wallet, you will need to either create an offline transaction, or import the private key into a hot wallet. Creating an offline transaction is dangerous if you don't know what you are doing. Importing to a client side wallet like Bitcoin-Qt, Electrum, MultiBit or Armory is a good idea. You can also import to an online wallet such as Blockchain.info or Coinbase.
The only thing you need bitaddress.org to do is to honestly convert the brainwallet passphrase into the corresponding private key and address. You can verify that it is doing this honestly by running several test passphrases through the copy of bitaddress that you plan on using, and several other brainwallet generators. For example, you could use the online version of bitaddress, and brainwallet
. If you are fancy with the linux command line, you can also try "echo -n my_die_rolls | sha256sum". The linux operating system should reply with the same private key that bitaddress makes. This protects you from a malicious paper wallet generator. Trusting your copy of bitaddress.org
Bitaddress publishes the sha1 hash of the bitaddress.org website at this location: https://www.bitaddress.org/pgpsignedmsg.txt
The message is signed by the creator, pointbiz. I found his PGP fingerprint here: https://github.com/pointbiz/bitaddress.org/issues/18
"527B 5C82 B1F6 B2DB 72A0 ECBF 8749 7B91 6397 4F5A"
With this fingerprint, you can authenticate the signed message, which gives you the hash of the current bitaddress.org file. Then you can hash your copy of the file and authenticate the file.
I do not have a way to authenticate the fingerprint itself, sorry. According to the website I linked to, git has cryptographic traceability that would enable a person to do some research and authenticate the fingerprint. If you want to go that far, knock yourself out. I think that the techniques described in this document do not really rely on bitaddress being un-corrupt. Anyway, how do we know pointbiz is a good guy? ;-)
There are a lot of skilled eyes watching bitaddress.org and the signed sha1 hash. To gain the most benefit from all of those eyes, it's probably worthwhile to check your copy by hashing it and comparing to the published hash. "But we aren't supposed to use brainwallets"
You are not supposed to use brainwallets that have predictable passphrases. People think they are pretty clever about how they pick their passphrases, but a lot of bitcoins have been stolen because people tend to come up with similar ideas. If you let dice generate the passphrase, then it is totally random, and you just need to make sure to roll enough times. How to avoid spending your life rolling dice
When I first started doing this, I rolled a die 62 times for each private key. This is not necessary. You can simply roll the die 62 times and keep the sequence of 62 numbers as a "seed". The first paper address you create would use "my die rolls-1" as the passphrase, the second would be "my die rolls-2" and so on. This is safe because SHA256 prevents any computable relationship between the resulting private key family.
Of course this has a certain bad security scenario -- if anyone obtains the seed they can reconstruct all of your paper wallets. So this is not for everyone! On the other hand, it also means that if you happen to lose one of your paper wallets, you could reconstruct it so long as you still had the seed.
One way to reduce this risk is to add an easy to remember password like this: "my die rolls-password-1".
If you prefer, you can use a technique called diceware
to convert your die rolls to words that still contain the same quantity of entropy, but which could be easier to work with. I don't use diceware because it's another piece of software that I have to trust, and I'm just copy/pasting my high entropy seed, so I don't care about how ugly it is. Why not input the dice as a Base 6 private key on the Wallet Details tab?
Two reasons. First of all, this option requires that you roll the die 99 times, but you do not get meaningful additional protection by rolling more than 62 times. Why roll more times if you don't have to? Second, I use the "high entropy seed" method to generate multiple private keys from the same die rolls. Using the Base 6 option would require rolling 99 times for every private key. I'm a big nerd with exotic dice. How many times to roll?
Put this formula in Excel to get the number of times to roll: "=160*LOG(2,f)" where f = number of faces on the die. For example, you would roll a d16 40 times. By the way, somewhat unbelievably casino dice are more fair than ordinary dice The "Change address" problem:
You should understand change addresses because some people have accidentally lost money by not understanding it.
Imagine your paper wallet is a 10 dollar bill. You use it to buy a candy bar. To do this you give the cashier the entire 10 dollar bill. They keep 1 dollar and give you 9 dollars back as change.
With Bitcoin, you have to explicitly say that you want 9 dollars back, and you have to provide an address where it should go to. If you just hand over the 10 dollar bill, and don't say you want 9 dollars back, then the miner who processes the transaction gives 1 dollar to the store and keeps the remainder themselves.
Wallet software like Bitcoin-Qt handles this automatically for you. They automatically make "change addresses" and they automatically construct transactions that make the change go to the change address.
There are three ways I know of that the change problem can bite you:
- You generate a raw transaction by hand, and screw up. If you are generating a transaction "by hand" with a raw transaction editor, you need to be extra careful that your outputs add up to the same number as your inputs. Otherwise, the very lucky miner who puts your transaction in a block will keep the difference.
- You import a paper wallet into a wallet software and spend part of it, and then think that the change is in the paper wallet. The change is not in the paper wallet. It is in a change address that the wallet software generated. That means that if you lose your wallet.dat file you will lose all the change. The paper wallet is empty.
- You import a paper wallet into a wallet software and spend part of it, and then think that the change is in the change address that the wallet software generated. If the transaction did not need to consume all of the "outputs" used to fund the paper wallet, then there could be some unspent outputs still located at the address of the paper wallet. If you destroyed the paper wallet, and destroyed the copy of the private key imported to the wallet software, then you could not access this money. (E.g. if you restored the software wallet from its seed, thinking all of the money was moved to the wallet-generated change addresses.)
For more on this, see here The hot paper wallet problem
Your bitcoin in your paper wallet are secure, so long as the piece of paper is secure, until you go to spend it. When you spend it, you put the private key onto a computer that is connected to the internet. At this point you must regard your paper wallet address as hot
because the computer you used may have been compromised. It now provides much less protection against theft of your coins. If you need the level of protection that a cold paper wallet provides, you need to create a new one and send your coins to it. Destroying your paper wallet address
Do not destroy the only copy of a private key without verifying that there is no money at that address. Your client may have sent change to your paper wallet address without you realizing it. Your client may have not consumed all of the unspent outputs available at the paper wallet address. You can go to blockchain.info
and type the public address into the search window to see the current balance. I don't bother destroying my used/empty paper wallet addresses. I just file them away. Encrypting your private key BIP 0038
describes a standardized way to encrypt your paper wallet private key. A normal paper wallet is vulnerable because if anyone sees the private key they can take the coins. The BIP38 protocol is even resistant to brute force attacks because it uses a memory intensive encryption algorithm called scrypt. If you want to encrypt your wallets using BIP38, I recommend that you use bitcoinpaperwallet
because they will let you type in your own private key and will encrypt it for you. As with bitaddress, for high security you should only use a local copy of this website on a computer that will never get connected to the internet. Splitting your private key
Another option for protecting the private key is to convert it into multiple fragments that must be brought together. This method allows you to store pieces of your key with separate people in separate locations. It can be set up so that you can reconstitute the private key when you have any 2 out of the 3 fragments. This technique is called Shamir's Secret Sharing
. I have not tried this technique, but you may find it valuable. You could try using this website http://passguardian.com/
which will help you split up a key. As before, you should do this on an offline computer. Keep in mind if you use this service that you are trusting it to work properly. It would be good to find other independently created tools that could be used to validate the operation of passguardian. Personally, I would be nervous destroying the only copy of a private key and relying entirely on the fragments generated by the website.
Looks like Bitaddress has an implementation of Shamir's Secret Sharing now under the "Split Wallet" tab. However it would appear that you cannot provide your own key for this, so you would have to trust bitaddress. Durable Media
Pay attention to the media you use to record your paper wallet. Some kinds of ink fade, some kinds of paper disintegrate. Moisture and heat are your enemies.
In addition to keeping copies of my paper wallet addresses I did the following:
- Order a set of numeric metal stamps. ($10)
- Buy a square galvanized steel outlet cover from the hardware store ($1)
- Buy a sledgehammer from the hardware store
- Write the die rolls on the steel plate using a sharpie
- Use the hammer to stamp the metal. Do all the 1's, then all the 2's etc. Please use eye protection, as metal stamp may emit sparks or fly unexpectedly across the garage. :-)
- Use nail polish remover to erase the sharpie
If you trust electrum
you might try running it on an offline computer, and having it generate a series of private keys from a seed. I don't have experience with this software, but it sounds like there are some slick possibilities there that could save you time if you are working with a lot of addresses. Message to the downvoters
I would appreciate it if you would comment, so that I can learn from your opinion. Thanks! The Easy Method
This method is probably suitable for small quantities of bitcoin. I would not trust it for life-altering sums of money.
- Download the bitaddress.org website to your hard drive.
- Close your browser
- Disconnect from the internet
- Open the bitaddress.org website from your hard drive.
- Print a paper wallet on your printer
- Close your browser
This came out of some research I put into finding out the probability of a 51% attack for bitcoin. You'd think that mining 6 blocks in a row would be hard to do, even with 50% hashing power, because most people would probably think about a coin flip and how likely it is to flip 6 heads in a row. Intuitively it seems like a hard thing to do but in reality, if you do it enough times, it becomes not only possible, but downright likely, even with a mere 100 coin flips
With bitcoin mining 144 blocks per day a 51% attack with 50% hashing power is just as likely. Even with 35% hashing power it's relatively trivial to pull off
. The reason most people probably haven't thought about this before is because the math itself isn't very straitforward. According to askamathematician.com, it is a tough question to answer with a simple formula
. Thankfully there are computer programs which can do this. This site
Sense all the legwork had been done solving this problem for bitcoin I thought I'd run the math again for litecoin and what I found is actually quite surprising. Litecoin isn't just more secure than bitcoin, it is orders of magnitude
more secure than bitcoin.
Gambler's Ruin ／ why litecoin is more secure than bitcoin:
I figure the reason is in both cases you're trying to "beat the odds" and mine every single block for a 1 hour period but with more "roles of the dice" occuring during that same period of time it's a lot harder to keep up your winning streak with litecoin than it is for bitcoin.
While a bitcoin pool with 35% hashing power can reasonably expect to be able to pull off a 51% attack within one week, that same hashing power for litecoin makes it almost impossible, not just for a 1 week period, but for an entire year, even for 100 years!
The numbers here are 4,032 trials per week and 24 blocks in a row. The result is 0.0000029760539%. The same problem over a month and a year is about the same and over 100 years the probability is a mere 0.0155609472527%. At 50% hashing power and 100 years an attacker has a 46.46% chance (6.06% for a 10 year period) but bitcoin hits both those thresholds in under 1 day. At 100 years bitcoin is vulnerable to a miner holding just 8% hashing power, while litecoin remains secure all the way up to 50%. No matter how you run the numbers litecoin remains significantly more secure -- entire worlds more secure -- than bitcoin.
How many litecoin blocks give you similar security to bitcoin?
With the numbers so dramatically in litecoin's favor one would assume you'd need overall less time to verify a transaction with litecoin than you would with bitcoin. Generally we have assumed it takes 4 litecoin blocks to equal the security of 1 bitcoin block but this has always been a guess. Even the people who run the litecoin-project on github know this isn't true
(see bullet #3 on Faster transaction time
). The problem again is the math not being a simple equation that you can easily solve for but using that same calculator
at the 50% threshold I've found that 8 litecoin blocks give you about the same security as 6 bitcoin blocks.
The nature of this problem is that it's not a linear relationship -- at 30%, 8 litecoin blocks are about twice as secure as 6 bitcoin blocks, but droping to 7 litecoin blocks and then to 6 very quickly tips things in bitcoin's favor. The only
scenareo where litecoin is less secure than bitcoin is when you compare the two networks block to block. As a function of time litecoin is significantly more secure, so much so litecoin offers similar security at 20 minutes as bitcoin does at 60 minutes.
This is not the first time that privacy coins have been debunked. Researchers from Carnegie Mellon University have found that 99. 9% of Zcash and 30% of Monero – another so-called privacy coin ... From Bitcoin Wiki. Jump to: navigation, search. A fixed money supply, or a supply altered only in accord with objective and calculable criteria, is a necessary condition to a meaningful just price of money. —Fr. Bernard W. Dempsey, S.J. (1903-1960) In a centralized economy, currency is issued by a central bank at a rate that is supposed to match the growth of the amount of goods that are ... 99Bitcoins supplies up to date tutorials on how to buy Bitcoin, Bitcoin mining, Bitcoin wallets and reviews about the best Bitcoin exchanges. Opcodes used in Bitcoin Script This is a list of all Script words, also known as opcodes, commands, or functions. OP_NOP1-OP_NOP10 were originally set aside to be used when HASH and other security functions become insecure due to improvements in computing. House Edge. 999Dice offers the lowest house edge you can find in any Bitcoin dice game, having a house edge of only 0.01%, leaving the 99.9% for the players to win.With such a small house edge for 999Dice, it provides players with a very high chance of a positive return on their investments and makes it possible to make some extra Bitcoins easily.
3 cosas que no te dicen sobre el Bitcoin - Duration: 10:01. Day Trading Academy Español 983,636 views. 10:01. Análisis de Bitcoin [ ELPEOR DE LA HISTORIA] - Duration: 25:34. ... Conozca la verdad sobre el Bitcoin, cómo funciona esta moneda virtual para que no caiga en una pirámide. Escríbeme al WhatsApp +57 304 637 4848 📲 http://bit.... 3 cosas que no te dicen sobre el Bitcoin - Duration: 10:01. Day Trading Academy Español 1,058,187 views. 10:01 ¡EL COLAPSO DEL TODO, EL DÍA DE LA VERDAD LLEGO, BITCOIN, LA BOLSA, ORO, PLATA ... Start trading Bitcoin and cryptocurrency here: http://bit.ly/2Vptr2X Bitcoin mining is the process of updating the ledger of Bitcoin transactions known as th... Bitcoin Technical Analysis & Bitcoin News Today: Is there a big inverse head and shoulders pattern forming in the Bitcoin price? I'll use technical analysis on the Bitcoin price to make a Bitcoin ...