Bitcoin has seen its share of controversy lately, with a lot of people losing a lot of money in various thefts, and most recently the widely-publicized collapse of Mt. Gox. This is unfortunate, because (with a little care) Bitcoins can be made so secure that theft is functionally impossible.
We’ve covered getting started with Bitcoin before, but the software and security available have improved a lot since then. In this article, we’ll show you how to set up a hot and cold wallet, and teach you to use both. It takes ten minutes, requires no special software, and provides quite a bit of security.
You can follow this tutorial on Windows, OS X, Linux, Android, and iOS. If you’ve been thinking about getting into Bitcoin, now is the time, and this is how.
What You’ll Need
- A modern, up-to-date web browser that supports HTTP Secure (aka HTTPS), like Google Chrome
- A long book
- A pen and paper
- A secure place to store something (like a safety deposit box)
Picking Secure Passwords
Pay careful attention to this step, because – while it isn’t hard – it is where most people get sloppy and make a mistake. To use this technique, you’ll need a cryptographically strong password. In order to generate this, we’ll use something called “pass phrases,” a technique for generating memorable but secure passwords (see this recent xkcd for a vivid example). As with cryptographic tools like TrueCrypt, you must take your choice of password seriously: don’t use birthdays, poems, quotes, names, or short passwords. Be aware that there are bots that do nothing but attack random Bitcoin wallets all day, using sophisticated dictionary attacks. Weak passwords will be cracked, often within seconds, and there is no way to recover stolen Bitcoins.
Here’s how we’ll generate your password: get out your book, and flip to a random page, then put your finger down on the page with your eyes closed. Look at the word under your finger and write it down on a sheet of paper, then close the book. Repeat until you have seven words. In my case, this produced the string ‘am welding carpet attacked tranquilized laughs postage’ (generated from a Kurt Vonnegut anthology). Obviously, you should never post your real password online, but I won’t actually be using this one for anything, so it’s okay!
Be sure to only write your password down on a single sheet of paper. Do not save it on your computer, don’t put it anywhere on the Internet, and don’t let anyone else see it. Spend some time memorizing it; it’ll save you trouble down the line.
These kinds of passwords are more secure than you might think. The entropy of a seven word randomly generated passphrase is about 80 bits, which means that, on average, it’ll take a dictionary attack about a septillion guesses to crack it, a task that would take a modern supercomputer many billions of years.
Setting Up Your Hot Wallet with CoinBase
A “hot wallet” is the term for a Bitcoin address that you actively use for transactions, sending or receiving. The private key is stored on an Internet-connected machine, and is at increased risk of theft. In contrast, a “cold wallet” is a Bitcoin address not connected to the Internet, used only to store Bitcoins in a safe way.
Think of it as the difference between storing money in your pocket and storing money in your bank account: your pocket is easy to access, but vulnerable to theft, so you don’t store much money in it. When you have more than you want to spend at once, you move most of it to your bank account. Likewise, you should never store more in your hot wallet than you’re prepared to lose. It may also be worth malware-proofing your computer to keep your hot wallet a little safer.
For our hot wallet, we will use a service called CoinBase, which provides an SSL/TLS connection (which you’ll recognise thanks to the HTTPS prefix to the URL) to a secure online wallet that’s easy to use. Go to CoinBase and create an account. You don’t need a cryptographically secure passphrase here, but do try to pick a strong password. The website will ask you to connect your bank account and verify your phone. Follow their instructions. From there, using your hot wallet is easy! There’s even an Android app available, if you find the mobile browser uncomfortable.
You can buy Bitcoins at coinbase.com/buys.
You can sell Bitcoins at coinbase.com/sells.
You can send Bitcoins to someone else at coinbase.com/transactions.
If you want to be paid in Bitcoin, you can find your address here: coinbase.com/addresses.
You can distribute that address to anyone, freely, and they can use it to send Bitcoins to your account, using CoinBase or any other Bitcoin client.
Setting Up Your Cold Wallet with WarpWallet
Setting up your cold wallet is also a simple, easy process. We’ll use the WarpWallet service, which automatically converts pass phrases into the public-private key pairs that make up a Bitcoin wallet. WarpWallet is secure, open source, and does all of its processing locally, so it’s reasonably trustworthy.
For added security, if you’re using your PC, you can download a local copy of the web page and use that in the future, to protect against the website getting hacked later or simply becoming unavailable (right click on the page, select ‘save as’, then open the file in your browser when it’s done downloading).
To use WarpWallet, get out the strong password you generated earlier, type it into the ‘passphrase’ field, enter your email address under ‘salt’, and let it run (make sure there are no misspellings or unwanted spaces). After a few seconds, it’ll provide you with a public and private key. Ignore the private key, but grab the public key: this is the address of your cold wallet. You can transfer excess funds to it using CoinBase as you would send any other transaction. The public and private keys will look like this:
Once again, obviously never post your real private key online. This is a dummy wallet I’m using for the purposes of this tutorial. Once you close the webpage, the only way to retrieve Bitcoins sent to that address is by repeating the process with your passphrase, getting the private key, and importing it into CoinBase. This means that Bitcoins stored in your cold wallet are very, very hard to steal. Your private key / password aren’t stored anywhere, on any computer, so there’s nothing to be hacked. The only way for an attacker to retrieve your Bitcoins is by brute-forcing your password. And, if you were careful about generating it, that is likely to take a very, very long time. Furthermore, since WarpWallet uses your email address as a salt, any attack would have to be targeted specifically at you: you couldn’t be caught up in a mass, brute-force sweep.
At this point, the password written on the sheet of paper is called a ‘paper wallet.’ It’s your backup in case you forget the password to access your cold wallet. Find a safe place to keep it (like a safe, a safety deposit box, or a loose floorboard). Don’t lose it, don’t carry it on your person, and don’t show it to anyone. That sheet of paper is money now: treat it as such.
At some point in the future, you’ll probably want to get money out of your cold wallet. To do this, enter your password and email into WarpWallet, and copy the private key when it’s done processing. Then go to coinbase.com/paper_imports, paste the private key under ‘Enter Private Key Manually’ and click ‘import.’ This will give your CoinBase account access to your cold wallet. At this point, you should probably make a new cold wallet with a new passphrase and move any unneeded funds into it, as your old one could be compromised if CoinBase or your PC is hacked.
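The two steps above, deriving a private key from a passphrase plus an email salt and then checking the copied key before importing it, can be seen end to end in a small added example. This is illustrative code written for this article, not WarpWallet’s or CoinBase’s own code: it uses PBKDF2-HMAC-SHA256 with a modest iteration count as a stand-in for WarpWallet’s much heavier derivation, so its output will not match a real WarpWallet key, and the passphrase and email addresses are constructed sample values. It encodes the key in the standard Wallet Import Format (the 5… string a wallet expects when you paste a private key), whose built-in checksum is what lets a wallet reject a mistyped or truncated key rather than silently importing the wrong one. It also shows the two properties the text relies on: changing the salt (a different email) yields an unrelated key, and so does a stray space in the passphrase.

```python
import hashlib

# secp256k1 group order: a valid private key is an integer in [1, N-1].
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

# Bitcoin's Base58 alphabet (no 0, O, I or l, to limit transcription errors).
B58_ALPHABET = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def derive_private_key(passphrase: str, salt: str, iterations: int = 100_000) -> bytes:
    """Stretch (passphrase, salt) into a 32-byte secp256k1 private key.

    Hypothetical stand-in for WarpWallet's derivation (assumption for this
    example): PBKDF2-HMAC-SHA256 at a modest cost, so results do NOT match a
    real WarpWallet key. The salt (the email address in the article) is what
    forces an attacker to target one user instead of sweeping every passphrase.
    """
    key = hashlib.pbkdf2_hmac(
        "sha256", passphrase.encode("utf-8"), salt.encode("utf-8"), iterations, dklen=32
    )
    k = int.from_bytes(key, "big")
    if not 1 <= k < SECP256K1_N:
        # Probability about 2^-128; a real tool would re-derive or reject here.
        raise ValueError("derived scalar outside the valid secp256k1 range")
    return key


def b58encode(raw: bytes) -> str:
    n = int.from_bytes(raw, "big")
    digits = bytearray()
    while n:
        n, r = divmod(n, 58)
        digits.append(B58_ALPHABET[r])
    leading_zeros = len(raw) - len(raw.lstrip(b"\x00"))  # each 0x00 byte encodes as '1'
    return (B58_ALPHABET[:1] * leading_zeros + bytes(reversed(digits))).decode()


def b58decode(text: str) -> bytes:
    n = 0
    for ch in text.encode():
        n = n * 58 + B58_ALPHABET.index(ch)  # ValueError on a non-Base58 character
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    leading_ones = len(text) - len(text.lstrip("1"))
    return b"\x00" * leading_ones + body


def checksum(payload: bytes) -> bytes:
    """First four bytes of double SHA-256, as used by Base58Check."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def wif_encode(private_key: bytes) -> str:
    """Wallet Import Format: 0x80 || key || checksum, Base58-encoded (starts with '5')."""
    payload = b"\x80" + private_key
    return b58encode(payload + checksum(payload))


def wif_decode(wif: str) -> bytes:
    """Reverse of wif_encode; rejects a mistyped or truncated key before it is imported."""
    raw = b58decode(wif)
    payload, check = raw[:-4], raw[-4:]
    if check != checksum(payload):
        raise ValueError("WIF checksum mismatch: the key was copied incorrectly")
    if payload[:1] != b"\x80" or len(payload) != 33:
        raise ValueError("not an uncompressed mainnet private key")
    return payload[1:]


def cold_wallet_demo() -> dict:
    # Constructed sample inputs (the article's throwaway passphrase, made-up emails).
    passphrase = "am welding carpet attacked tranquilized laughs postage"
    key = derive_private_key(passphrase, "alice@example.com")
    wif = wif_encode(key)
    return {
        "wif": wif,
        "round_trip_ok": wif_decode(wif) == key,
        # Same passphrase, different salt: an unrelated key, so precomputation
        # against one user buys nothing against another.
        "salt_changes_key": derive_private_key(passphrase, "bob@example.com") != key,
        # A stray trailing space yields a different wallet (the article's warning).
        "space_changes_key": derive_private_key(passphrase + " ", "alice@example.com") != key,
    }


if __name__ == "__main__":
    for name, value in cold_wallet_demo().items():
        print(f"{name}: {value}")
```

The checksum check in `wif_decode` is the practical safeguard when moving a key from paper or a screen into a wallet: a single wrong character makes the import fail loudly instead of creating an empty, unrelated wallet.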
Advantages to This Approach
This technique has a number of advantages over using a standard Bitcoin wallet for all of your funds: CoinBase is amazingly convenient, and, by maintaining a simple cold wallet, you can still effectively protect the majority of your funds from theft. You’re never trusting CoinBase with all of your funds for any length of time, and if CoinBase is ever compromised, your total risk is limited to whatever’s in your hot wallet at the time. To make things better, by using a passphrase, you allow relatively convenient access to your cold wallet in the event of an emergency, provided you can remember the passphrase. And, unlike so-called ‘brainwallets’, which don’t store the passphrase anywhere but inside your head, this technique includes a recourse if you do forget your passphrase. It’s secure, convenient, simple, and probably ideal for a Bitcoin beginner.
Once it’s all set up and you have a few Bitcoins safely stored, you can order from Overstock.com, donate to Wikipedia, or buy a ticket to space. If you give it a try, let us know how it goes in the comments. Are there any great Bitcoin utilities that we’re missing?