Daedalus Security


#1

Dear Daedalus Dev,

I am respectfully requesting that Daedalus at least be password protected. One step further would be to add 2FA and another step further would be to enable wallet encryption (like CloakCoin).


#2

I’m no expert in the Daedalus wallet, but doesn’t setting a password for withdrawing already give you some sort of protection? Sure, it might not be enough, but it still guards against someone withdrawing your coins… Either way, Daedalus is still in an early stage. There are many plans ahead, just be patient :slight_smile: Worst case scenario is to just add a password for withdrawal; that way no one can remove the coins from your wallet besides yourself or those that have access to your password.

GL!


#3

I’m still waiting for the paper wallet option from the Daedalus wallet team. However, would you happen to know where I could find the file on my PC that holds the private key to the Daedalus wallet? I’m thinking that if I can cut and paste it into a brand new USB drive & hold it in ‘cold storage’ off-line, then the bad guys won’t have access to it until I’m forced to use it to do an ADA transaction. Or is this line of thinking totally off-base?


#4

There prob is a file but I’m unaware of it… Will most likely be in the folder that you installed the wallet though. You could always delete your wallet and restore it once you want to use your ADAs or w/e… Make sure to know and have your 12 word phrase in case you decide to restore the wallet… Also it will most likely take a while to restore.


#5

Thx, Wobster.


#6

You bet! Hope I helped in any way! :wink:


#7

I know little, technically speaking, about crypto wallets, where Daedalus stands compared to others, etc. But from my naive perspective, the addition of 2FA would be a welcomed step, and make me feel more comfortable. And I do think feeling comfortable is an important component when it comes to storing money, especially money in bulk.

But I wholeheartedly admit my ignorance on this topic. For instance, can a person access my wallet without physically accessing my computer? If they were able to get my password by key-logging, or something of that nature, would I be at any risk assuming my computer was safe, in terms of being in my physical space (read: not stolen)?

Thanks to anybody who can fill me in here.


#8

Nope, they need your private keys! Your password is only useful if they have access to your computer too. And it goes both ways: if they have access to your computer, they would also need your password (please make it strong).

Your password is in itself a key that decrypts your private or public (don’t know which yet, but leaning to private) key, for a spending request.

Wish I helped a bit!


#9

Indeed, you did help. Thanks!

I now understand why, for instance, a web based wallet would have 2FA, but Daedalus does not. Daedalus might still benefit from offering it as an extra layer of security for those who wish to have it, but so long as access to the source of storage is required along with the password to access funds, security is beyond adequate. Good to know.

And, speaking personally, if somebody were able to steal my password, and my computer, they’d likely have a go at my phone anyway.


#10

Well, wouldn’t they have his private key if the malware had screenshot capture and was present at the time when the wallet was first initiated? If the malware included a key logger, then it would have his private key & his password.

This is my big fear and why I’ve:

  1. pulled an old computer out of the basement
  2. purchased a brand new drive for the computer
  3. installed a fresh copy of my OS of choice
  4. installed Daedalus

That is now a Daedalus-only computer.
The only websites it will ever visit are an exchange and the original Daedalus download website.

I’ll feel much safer when the Linux wallet is ready.
Linux + 2 factor authentication (Google 2FA) & I wouldn’t feel the need for these extreme measures.

Windows or Mac wallet + 2FA & I’m probably still having a separate computer just for the wallet.


#11

Hi @ADA_user! Sorry, I don’t follow you. Screenshot of what exactly? The malware screenshots when you click on generate new address? And how does the keylogger know which of all the hundred words you write every day are the 12 you need?


#12

When you create a new wallet, Daedalus gives you a secret list of words to write down.

If malware on the system performs a full image capture of the screen while you are creating a new wallet, then the secret 12 word list could/would be known to the malware and whoever controls it.


#13

Yes! But can a virus know if you are creating a new wallet? It sounds hard. I mean, every program believes that it is the only one running on that machine. Maybe some security expert could help here.


#14

Hi @ADA_user, I share your concerns, maybe you will find this link interesting:

How To Create An Encrypted Virtual Machine For Managing Your Cryptocurrency Portfolio

However, I haven’t been able to create the Veracrypt file container, since I realized that I had only 12.GB available on my laptop (probably not enough for downloading the blockchain). Please let me know if it worked for you.

Of course if there is already a keylogger installed on your computer it’s worthless, that’s why installing this environment on a clean machine with a freshly installed OS should solve your problem, as long as you back up your files somewhere.
I am far from being an expert though :slight_smile: