9

I am afraid of keyloggers or other malware on my computer.

What is a secure way to copy and paste the Seed from my password manager into the desktop wallet?

Zauz
Vrom

3 Answers

6

Depending on how thorough the malware is, the following could work:

  • don't save the last/first/middle part of your seed in your pw (=password) manager, memorize it and just manually put it in
  • save the encrypted seed in your pw manager and recode the lightwallet so that it decrypts the seed

!!! Although the above solutions could work, "well programmed" malware would still be able to get your seed.

Of course, the only valid answer to a question like this is one that works against the most thorough and best malware out there.
And to be honest, there is no solution to your problem. Just try to not get malware on your PC.

If you think that you already have malware on your PC, back up all of your important data and reinstall your operating system.
If you can't do that for some reason: Create a bootable USB stick (or other medium) and only use your seed on there.

In the (hopefully near) future you won't have to worry about things like this because hardware wallets like Trezor or Ledger will be compatible with IOTA. For more information check out this post.

aboose
Zauz
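
The second suggestion in the answer above (keep only an encrypted seed in the password manager and decrypt it inside the wallet) could look like this. It is an added example for Node.js, not part of the original answer and not the IOTA wallet's code; the blob format, function names, scrypt parameters and sample seed are assumptions.

```javascript
// Added example (hypothetical helpers, not the wallet's own code): seal an
// IOTA seed with a passphrase so that the password manager and the clipboard
// only ever hold ciphertext. The wallet calls openSeed() on the pasted blob.
const crypto = require('crypto');

const SEED_RE = /^[A-Z9]{81}$/; // IOTA seed: 81 trytes (A-Z and 9)
const SCRYPT = { N: 1 << 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };

// Constructed sample seed for a round trip; never a real one.
const SAMPLE_SEED = 'IOTA9SEED9EXAMPLE'.padEnd(81, '9');

function deriveKey(passphrase, salt) {
  return crypto.scryptSync(passphrase.normalize('NFKC'), salt, 32, SCRYPT);
}

// Returns "v1.<salt>.<nonce>.<tag>.<ciphertext>" with base64 fields.
function sealSeed(seed, passphrase) {
  if (!SEED_RE.test(seed)) throw new Error('not an 81-tryte seed');
  const salt = crypto.randomBytes(16);
  const nonce = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(passphrase, salt), nonce);
  const ct = Buffer.concat([cipher.update(seed, 'ascii'), cipher.final()]);
  return ['v1', ...[salt, nonce, cipher.getAuthTag(), ct].map((b) => b.toString('base64'))].join('.');
}

// Throws on a wrong passphrase or a modified blob, because the GCM tag
// will not verify; the plaintext seed exists only in this process's memory.
function openSeed(blob, passphrase) {
  const [version, ...fields] = blob.trim().split('.');
  if (version !== 'v1' || fields.length !== 4) throw new Error('unrecognised blob');
  const [salt, nonce, tag, ct] = fields.map((f) => Buffer.from(f, 'base64'));
  if (nonce.length !== 12 || tag.length !== 16) throw new Error('malformed blob');
  const decipher = crypto.createDecipheriv('aes-256-gcm', deriveKey(passphrase, salt), nonce);
  decipher.setAuthTag(tag);
  const seed = Buffer.concat([decipher.update(ct), decipher.final()]).toString('ascii');
  if (!SEED_RE.test(seed)) throw new Error('decrypted data is not a seed');
  return seed;
}
```

This keeps the plaintext seed out of the password manager and the clipboard only. As the answer says, malware that can read the wallet's memory or capture the passphrase still obtains the seed.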
5

Use KeePass, and activate two channel obfuscation, then change "Override the default sequence" to {PASSWORD} only. Then use CTRL + V to use the auto-type function of KeePass.

This will make it harder for keyloggers to guess where which characters were pasted.

A hardware wallet that signs transactions offline would be even better, I'm sure it will come sooner or later.

Achim
-1

Add a specific number of extra characters into your seed, a specific number of places from the end while it's on the manager. Then after pasting into the wallet, move the cursor over the specific number of characters from the same end, then delete the number of extra characters. When the proper checksum appears, you're golden.

til
  • A keylogger would spy on that as well, wouldn't it? – Zauz Nov 30 '17 at 06:07
  • No it wouldn't. Any decent password manager would generate a random 81 character seed, bypassing the keyboard buffer. A keystroke logger wouldn't be able to determine 'where' within the seed you started your extra character insertion as explained below. – til Nov 30 '17 at 10:07
  • A keystroke logger would also not be able to ascertain where within your seed you started the delete process -- because it is extremely difficult to determine where on the screen the wallet's input screen is located, and where within that sub-window the mouse cursor is positioned; thus at which character position the cursor is located, unless the malware is running within either the manager or wallet program. – til Nov 30 '17 at 10:08
  • If the malware is that sophisticated, you're being attacked by a State entity, and THEY could use your cell phone camera or some kind of Stuxnet type worm, which would probably only be used by THEM if the prize were several billions in value. – til Nov 30 '17 at 10:08
  • For most users my method would work fine, show me where I'm wrong. – til Nov 30 '17 at 10:10
  • You're assuming that the malware is just a keystroke logger because you think only a state entity can produce more sophisticated software even though there are numerous keyloggers available to download for free or even open source.

    Yes it would be fine for most users but not for all users that read your answer.

    – Zauz Nov 30 '17 at 11:16
  • I assume no such thing. The OP mentioned key-logger, so I used it as an example. I strongly believe that my method is as secure against malware attacks as is CAPTCHA or two factor email. I agree with you about keeping malware off your computer, however even the best detector won't protect you from a zero day attack. – til Nov 30 '17 at 17:59
  • I believe it would be more economical for a 'large stakes' entity to merely snatch you off the street, and torture the seed out of you, and highly doubt ANYONE with the time/inclination to actually read my answer would be a target to such a perpetrator. Oh, and it is simply good practice to be offline (simply done as you know) when following the procedure postulated. – til Nov 30 '17 at 17:59