Difference between revisions of "Paper wallet"

From Bitcoin Wiki
Jump to: navigation, search
(Alphabetized paper wallet resources and images (preempt self-promotion edit war.) Removed links from general terms to offlineaddress.com and removed recommendation to use live websites. *SEE DISCUSSION*)
m (Paper wallet flaws: Javascript cryptography part removed, its not accurate to single out js)
 
(63 intermediate revisions by 16 users not shown)
Line 1: Line 1:
A '''paper wallet''' is a mechanism for storing bitcoins offline as a physical document that can be secured like cash or anything else of real-world value. Paper wallets are generally created by printing a brand new public address and private key onto paper, and then sending bitcoins from a "live" wallet to the printed wallet's public address for safekeeping. If good security practices are followed, paper wallets are one of the safest ways to to store Bitcoins.
+
[[File:Water-damaged-paper-wallet.jpg|thumb|right|200px|Water damaged paper wallet]]
  
__TOC__
+
A '''paper wallet''' is the name given to an obsolete and unsafe method of storing bitcoin which was popular between 2011 and 2016. It works by having a single [[private key]] and bitcoin [[address]], usually generated by a website, being printed out onto paper.
  
==Producing safe paper wallets==
+
This method has a large number of downsides and should not be used<ref>https://www.reddit.com/r/Bitcoin/comments/670zhy/summary_pitfalls_of_paper_wallets/</ref><ref>https://www.reddit.com/r/Bitcoin/comments/5pnrjb/mentor_monday_january_23_2017_ask_all_your/dcu36a2/?context=3</ref>.
  
[[File:BitcoinPaperWallet-sample.jpg|thumb|right|300px|Paper wallet with private key secured beneath folds [[BitcoinPaperWallet|BitcoinPaperWallet.com]] ]]
+
For storage of bitcoins, a much better way accomplish what paper wallets do is to use [[seed phrase]]s instead, where the user writes down 12 or 24 random words generated by their wallet.
[[File:PaperWallets-offlineaddress-com.png|200px|thumb|right|Paper wallets from [[OfflineAddress|OfflineAddress.com]] ]]
 
A Bitcoin [[private key]] can be represented in several formats. For paper wallets typically used format is Wallet Import Format (WIF), since keys represented that way are very short (51 characters) and thus easy to re-enter when importing or "sweeping" the wallet for withdrawal.
 
  
Several tools exist for producing paper wallets, including [[BitAddress|BitAddress.org]],  [[Bitcoin Address Utility]], [[BitcoinPaperWallet|BitcoinPaperWallet.com]],  [[OfflineAddress|OfflineAddress.com]], [[SafePaperWallet|SafePaperWallet.com]], and  [[vanitygen]].
+
== Paper wallet flaws ==
  
Care must be taken to securely generate paper wallets since an attacker can steal the present ''and future'' balance of a paper wallet if the private key is exposed, transmitted, or generated with insufficient entropy.
+
=== Printing is problematic ===
  
Some services feature a free open-source client-side paper wallet generators written in JavaScript, which can be used offline. Using these generators is relatively safe when the source code hash can be checked against the author's signature. It's advisable to use those services from a [https://en.wikipedia.org/wiki/Live_CD live bootable CD], to ensure that private keys are not compromised by spyware.
+
Paper wallets require using a printer to transfer them to paper. Many printers have a hard drive for internal storage where the paper wallet will be saved. Anybody who reads the file will be able to see the private key and steal the stored bitcoins. Shared printers such as in schools, offices or internet cafes are also usually centrally logged. If the printer is accessed over WiFi then any radio wave listener could also obtain the private keys and steal the money.<ref>https://www.reddit.com/r/Bitcoin/comments/6ajwsv/printing_paper_wallet_at_work_office/</ref>
  
'''Recommendations:'''
+
[[Seed phrase]]s avoid this problem by having the user transfer the sensitive information to paper without a printer but via their own handwriting.
* Paper wallets should be produced on a computer not connected to the Internet.
 
* Be aware that malware often allows a remote third party to view your screen and see your keystrokes, and these can compromise the integrity of your paper wallet.  Also consider that antivirus software cannot completely rule out the possibility of malware.  However, booting from a [https://en.wikipedia.org/wiki/Live_CD live disc] prevents malware from running.
 
* The private keys of paper wallets should never be saved to a computer hard drive.  You should also never scan your paper wallet into your computer or type the private keys or save them in e-mail, except at the moment you are redeeming the balance.
 
* If possible, the private key of a paper wallet should be kept hidden, for example by using BIP38 encryption, or by folding the paper to hide the private key so that a photograph or photocopy of the wallet will not reveal or replicate the private key.
 
* A web-based paper wallet generator should be written such that that all of the generation happens on your computer, not the web server.  Ideally, the HTML/JavaScript for the web generator should be downloaded to your computer, verified, and then run "locally" from an offline computer. Running a paper wallet generator directly from a live website is not recommended unless you can verify that the code has not been tampered with by computing the hash and comparing it with a signed hash by the author.
 
* A paper wallet generator should use an appropriate source of random numbers (entropy).  This means that the generated addresses aren't predictable.  If the addresses come from a predictable or partially-predictable patterns like pseudorandom numbers <ref>[https://en.wikipedia.org/wiki/Pseudorandomness#Cryptography Pseudorandomness] '' is not enough for strong cryptography''</ref>, someone else who can predict the pattern can steal the balance. Ideally, randomness should to be human provided (i.e. using dice rolling or random mouse movements or key strokes.) When using a web-based generator it's important to ensure that both the web browser and the JavaScript code are taking advantage of the strongest cryptographic routines available.<ref>[http://www.w3.org/TR/WebCryptoAPI/ w3.org] ''WebCryptoAPI''</ref>
 
  
 +
=== Promotes address reuse ===
  
===Operating System Cache Security===
+
Paper wallets have just one bitcoin address, so they promote [[address reuse]]. The paper wallet creating websites generally have no warnings against this.
  
The problem with printing out secure documents—even if your computer is 100% virus/trojan free—is that your printer driver and/or operating system may be keeping copies of the documents you print in a "spool" or print queue. If a hacker or virus gets into your computer and knows to look for these cache files, then they can get your private keys and sweep your paper wallets. Precautions to mitigate this type of attack include:
+
[[Deterministic wallet]]s and [[seed phrase]]s avoids this problem by being able to create a new bitcoin [[address]] for every incoming transaction.
  
* Enabling encryption of your entire filesystem so that cache files cannot be 'undeleted'.
+
=== Encouragment of centralized and outsourced validation ===
  
* Setting up a symbolic link from your OS spool directory (e.g. /private/var/spool/cups/cache/ on OS X) to a removable media volume (e.g. a SD card) and disconnecting it when not in use.
+
Despite the name, paper wallets are not actually wallets. They only store the private keys and addresses, and cannot tell users if they have actually received bitcoins and in what quantity.
  
* Using a live-boot CD instead of a regular hard drive OS install. This way when you reboot your computer, all cache files are deleted from memory and no jobs are ever written to disk.<ref>[https://bitcoinpaperwallet.com/#security BitcoinPaperWallet.com] ''Security Tips''</ref>
+
The single bitcoin addresses require the user to have random-access lookups of any address on the blockchain, this requirement pushes users to use centralized third-party blockchain explorer websites. This results in privacy and validation issues, the websites can spy on users and lie to them.
  
===Printer Security===
+
A more private solution is to import the private key into bitcoin-qt and rescan. Nobody watching the bitcoin-qt full node from outside will be able to tell which address it's interested in because all the scanning happens locally on disk. Unfortunately rescanning is not scalable and so is very slow; therefore most users are pushed towards using public blockchain explorers or Electrum servers. These centralized services can spy on the user and learn exactly how many bitcoins they have and where they spend them. An address database created from all bitcoin addresses is nearly 20 GB in size at of October 2018 and takes a long time to build up, so very few people will have this kind of thing available locally for the few occasions when they redeem paper wallets. Almost all wallet software today especially smartphone wallets relies on centralized lookups when redeeming paper wallets.
  
Some advanced printers have internal storage (even hard drives) that preserve copies of printouts. This is a risk if someone gets access to your printer, or if you dispose of your printer. There is also the possibility that a smart enough printer can be hacked. (Consider [http://en.wikipedia.org/wiki/Stuxnet StuxNet] which was able to rewrite the firmware of non-computer devices indirectly connected to the Internet) If this concerns you, use a "dumb" printer, and never let your printer have access to the Internet or to an Internet-connected computer.
+
[[Deterministic wallet]]s and [[seed phrase]]s partly avoid this problem by having a sequence of bitcoin addresses which can be sequentially scanned. Wallets using that tech don't inherently need any extra databases and are compatible with pruning.
  
==Redeeming Keys and Withdrawing Funds==
+
See Also: [[Full_node#Why_should_you_use_a_full_node_wallet]]
  
Paper wallets are very different from "live" wallets such as the Bitcoin-QT client in that it is not possible to transfer (withdraw) a ''portion'' of a paper wallet's bitcoin balance. The only way to withdraw funds from a paper wallet is to import or "sweep" the ''entire'' balance of the paper wallet to a new address, typically a live wallet or online exchange. Once the transfer has been confirmed, ''the paper wallet should no longer be used''.<ref>[http://www.reddit.com/r/Bitcoin/comments/1c9xr7/psa_using_paper_wallets_understanding_change/ reddit.com] ''Using Paper Wallets and Understanding Change''</ref>
+
=== Raw private keys are dangerous ===
  
There are various methods for copying the private key data from a paper wallet to other wallets.
+
Dealing with raw private keys is very unintuative and has lead to loss of funds on a number of occasions.<ref>https://bitcoin.stackexchange.com/questions/29948/why-doc-says-importing-private-keys-is-so-dangerous</ref><ref>https://bitcoin.stackexchange.com/questions/18619/why-so-many-warnings-about-importing-private-keys</ref>. Paper wallets encourage these dangers by only having one private key and exposing it to the user.
bitcoind supports an "importprivkey" RPC method for this purpose.
 
Bitcoin-Qt's debug console can also be used in a similar way (see also [[how to import private keys v7+]]).
 
[[BlockChain.info]] and [[Armory]] can also import them directly into wallets.
 
[[MtGox|Mt. Gox]] provides the ability to Add Funds using a private key:
 
the exchange will then create a "sweep" transaction that spends any amount for that paper wallet address so that the amount is added to your account with them; it will also sweep to your account any bitcoins received to that address in the future as well.
 
  
==References==
+
One example is the mistake of destroy a paper wallet after it's imported into a [[deterministic wallet]], thinking that it has become a part of the [[deterministic wallet]] and it's safe to destroy because the master seed of the [[deterministic wallet]] has been backed up. In reality the private key is not part of the [[deterministic wallet]]. If the paper wallet (the paper) is destroyed and the app is uninstalled, the BTC is gone even if the [[deterministic wallet]] is recovered from its master seed. The unintuative behavour of raw private keys leads to this.
<references />
+
 
 +
Using only fully-featured wallet software is a much better because it only presents with intuative interfaces (like a GUI button to Send) which abstracts all the dangerous details away from the user.
 +
 
 +
=== Change addresses are not handled which leads to screwups ===
 +
 
 +
Users have been known to import the private key into software wallet and then spend part of the funds. They mistakenly believe the remaining funds are still on the paper wallet when in reality they are in a [[change|change address]].<ref>https://www.reddit.com/r/Bitcoin/comments/1c9xr7/psa_using_paper_wallets_understanding_change/</ref>
 +
 
 +
=== Encouragement of raw transactions ===
 +
 
 +
[[Raw Transactions]] are dangerous, unintuitive and have many times resulted in loss of funds.
 +
 
 +
A notable example of such a costly mistake is the address <code>1Acbo3viCYy1TSZB7m2W1nPPNF4rcAPMC9</code> which seems to have been a paper wallet. The owner appears to have been regularly buying bitcoin between April 2014 and January 2017, before apparently making a mistake with raw transactions and sending ''50 bitcoins'' as miner fees.<ref>See transaction <code>d38bd67153d774a7dab80a055cb52571aa85f6cac8f35f936c4349ca308e6380</code></ref> (worth about $50000 at the contemporary exchange rate).
 +
 
 +
Also note the terrible privacy due to [[Address reuse]] that allows us to get such a complete picture of what happened.
 +
 
 +
=== Low error correction ===
 +
 
 +
[[File:Water-damaged-paper-wallet-privkey.jpg|thumb|right|400px|Water damaged paper wallet [[private key]]]]
 +
 
 +
The private keys is typically printed in rather small font. Sometimes the characters could be mistakenly read for another letter, such as a B versus an 8 or 1 versus l. If even a single character is wrong or mistakenly typed then the entire private key will be invalid. Private keys in WIF format have a checksum but there are no tools for regular users to correct mistakes.
 +
 
 +
QR codes were not designed for secure storage of cryptographic material. QR codes have been damaged and made unscannable by water<ref>https://www.reddit.com/r/Bitcoin/comments/1sc02w/make_sure_to_secure_your_paperwallet_against/</ref><ref>https://www.reddit.com/r/Bitcoin/comments/2ni2fq/reminder_keep_your_paper_wallets_dry_if_you_use/</ref>, crumpling and even folding the paper.
 +
 
 +
As [[seed phrase]]s uses natural language words, they have far more error correction. Words written in bad handwriting can often still be read. If one or two letters are missing the word can often still be read. The [[Seed_phrase#Word_Lists|word list]] from which seed phrase words are drawn from is carefully chosen so that the first four letters of a word is enough to uniquely identify it.
 +
 
 +
=== Inconsistent private key format ===
 +
 
 +
The spending of paper wallets relies on wallet software understanding the private key format. There has been at least one situation where an update to private key formats resulted in a user's funds becoming stuck <ref>https://www.reddit.com/r/Bitcoin/comments/8v2lxa/did_i_lose_my_btc_by_sending_to_a_segwit_bc1/</ref>.
 +
 
 +
[[Seed phrase]]s avoid this problem because they are created by the same wallet software which understands how to spend from them.
 +
 
 +
=== Encouragement of obsolete brainwallet style ===
 +
 
 +
Almost all paper wallet websites today also have an interface to the obsolete sha256 brainwallets. These are very insecure and should never be used, yet paper wallet websites do not come with adequate warnings.
 +
 
 +
See also: [[Brainwallet#Obsolete_Brainwallet_Style]]
 +
 
 +
=== Browser wallets are bad ===
 +
 
 +
Almost all paper wallets are made by websites, which therefore involves most of the problems associated with [[Browser-based wallet]].<ref>https://www.reddit.com/r/Bitcoin/comments/771c4z/bitaddressorg_beware_of_possible_scam/</ref><ref>https://np.reddit.com/r/Bitcoin/comments/a7xaej/paperwallet_being_hacked/</ref>
 +
 
 +
== Redeeming bitcoins and withdrawing funds ==
 +
 
 +
[[File:FirstBitcoinBills.jpg|thumb|right|200px|Casascius holding early paper wallets]]
 +
 
 +
The best way to redeem the bitcoins from a private key is to use the "sweep" feature of certain wallet software. This sends the entire balance of the paper wallet to a [[deterministic wallet]]. Alternatively the private key could be imported and the entire balance sent to an address in the wallet.
 +
 
 +
There are various wallets for doing this:
 +
 
 +
* [[Electrum]] and [[Mycelium]] support sweeping private keys.
 +
* [[Bitcoin Core]] supports the RPC call "importprivkey" for this purpose. See [[How to import private keys in Bitcoin Core 0.7+]]
 +
* [[BlockChain.info]] and [[Armory]] can also import them directly into wallets.
  
==See Also==
+
== Bitcoin ATMs and paper wallets ==
  
* [[Private key]]
+
Many bitcoin ATMs use a paper-wallet-like system for delivering bitcoins if the customer doesn't have a bitcoin wallet. The ATMs can print out a private key/address pair onto paper which contain the customer's bitcoins. Ideally the customer would sweep the bitcoins into their own wallet as soon as they can.
  
* [[Securing_your_wallet#Paper_Wallets]]
+
== See Also ==
  
 +
* [[Private key]]
 +
* [[Seed phrase]]
 +
* [[Storing bitcoins]]
 
* [[How to import private keys]]
 
* [[How to import private keys]]
 +
* https://bitzuma.com/posts/how-to-spend-a-bitcoin-paper-wallet-in-three-easy-steps/
  
* [https://blockchain.info/wallet/paper-tutorial Blockchain.info tutorial] on how to generate a paper wallet.
+
==References==
 +
<references />
  
 
[[Category:Security]]
 
[[Category:Security]]
 
[[es:Monedero de papel]]
 

Latest revision as of 14:48, 14 March 2020

Water damaged paper wallet

A paper wallet is the name given to an obsolete and unsafe method of storing bitcoin which was popular between 2011 and 2016. It works by having a single private key and bitcoin address, usually generated by a website, being printed out onto paper.

This method has a large number of downsides and should not be used[1][2].

For storage of bitcoins, a much better way accomplish what paper wallets do is to use seed phrases instead, where the user writes down 12 or 24 random words generated by their wallet.

Paper wallet flaws

Printing is problematic

Paper wallets require using a printer to transfer them to paper. Many printers have a hard drive for internal storage where the paper wallet will be saved. Anybody who reads the file will be able to see the private key and steal the stored bitcoins. Shared printers such as in schools, offices or internet cafes are also usually centrally logged. If the printer is accessed over WiFi then any radio wave listener could also obtain the private keys and steal the money.[3]

Seed phrases avoid this problem by having the user transfer the sensitive information to paper without a printer but via their own handwriting.

Promotes address reuse

Paper wallets have just one bitcoin address, so they promote address reuse. The paper wallet creating websites generally have no warnings against this.

Deterministic wallets and seed phrases avoids this problem by being able to create a new bitcoin address for every incoming transaction.

Encouragment of centralized and outsourced validation

Despite the name, paper wallets are not actually wallets. They only store the private keys and addresses, and cannot tell users if they have actually received bitcoins and in what quantity.

The single bitcoin addresses require the user to have random-access lookups of any address on the blockchain, this requirement pushes users to use centralized third-party blockchain explorer websites. This results in privacy and validation issues, the websites can spy on users and lie to them.

A more private solution is to import the private key into bitcoin-qt and rescan. Nobody watching the bitcoin-qt full node from outside will be able to tell which address it's interested in because all the scanning happens locally on disk. Unfortunately rescanning is not scalable and so is very slow; therefore most users are pushed towards using public blockchain explorers or Electrum servers. These centralized services can spy on the user and learn exactly how many bitcoins they have and where they spend them. An address database created from all bitcoin addresses is nearly 20 GB in size at of October 2018 and takes a long time to build up, so very few people will have this kind of thing available locally for the few occasions when they redeem paper wallets. Almost all wallet software today especially smartphone wallets relies on centralized lookups when redeeming paper wallets.

Deterministic wallets and seed phrases partly avoid this problem by having a sequence of bitcoin addresses which can be sequentially scanned. Wallets using that tech don't inherently need any extra databases and are compatible with pruning.

See Also: Full_node#Why_should_you_use_a_full_node_wallet

Raw private keys are dangerous

Dealing with raw private keys is very unintuative and has lead to loss of funds on a number of occasions.[4][5]. Paper wallets encourage these dangers by only having one private key and exposing it to the user.

One example is the mistake of destroy a paper wallet after it's imported into a deterministic wallet, thinking that it has become a part of the deterministic wallet and it's safe to destroy because the master seed of the deterministic wallet has been backed up. In reality the private key is not part of the deterministic wallet. If the paper wallet (the paper) is destroyed and the app is uninstalled, the BTC is gone even if the deterministic wallet is recovered from its master seed. The unintuative behavour of raw private keys leads to this.

Using only fully-featured wallet software is a much better because it only presents with intuative interfaces (like a GUI button to Send) which abstracts all the dangerous details away from the user.

Change addresses are not handled which leads to screwups

Users have been known to import the private key into software wallet and then spend part of the funds. They mistakenly believe the remaining funds are still on the paper wallet when in reality they are in a change address.[6]

Encouragement of raw transactions

Raw Transactions are dangerous, unintuitive and have many times resulted in loss of funds.

A notable example of such a costly mistake is the address 1Acbo3viCYy1TSZB7m2W1nPPNF4rcAPMC9 which seems to have been a paper wallet. The owner appears to have been regularly buying bitcoin between April 2014 and January 2017, before apparently making a mistake with raw transactions and sending 50 bitcoins as miner fees.[7] (worth about $50000 at the contemporary exchange rate).

Also note the terrible privacy due to Address reuse that allows us to get such a complete picture of what happened.

Low error correction

Water damaged paper wallet private key

The private keys is typically printed in rather small font. Sometimes the characters could be mistakenly read for another letter, such as a B versus an 8 or 1 versus l. If even a single character is wrong or mistakenly typed then the entire private key will be invalid. Private keys in WIF format have a checksum but there are no tools for regular users to correct mistakes.

QR codes were not designed for secure storage of cryptographic material. QR codes have been damaged and made unscannable by water[8][9], crumpling and even folding the paper.

As seed phrases uses natural language words, they have far more error correction. Words written in bad handwriting can often still be read. If one or two letters are missing the word can often still be read. The word list from which seed phrase words are drawn from is carefully chosen so that the first four letters of a word is enough to uniquely identify it.

Inconsistent private key format

The spending of paper wallets relies on wallet software understanding the private key format. There has been at least one situation where an update to private key formats resulted in a user's funds becoming stuck [10].

Seed phrases avoid this problem because they are created by the same wallet software which understands how to spend from them.

Encouragement of obsolete brainwallet style

Almost all paper wallet websites today also have an interface to the obsolete sha256 brainwallets. These are very insecure and should never be used, yet paper wallet websites do not come with adequate warnings.

See also: Brainwallet#Obsolete_Brainwallet_Style

Browser wallets are bad

Almost all paper wallets are made by websites, which therefore involves most of the problems associated with Browser-based wallet.[11][12]

Redeeming bitcoins and withdrawing funds

Casascius holding early paper wallets

The best way to redeem the bitcoins from a private key is to use the "sweep" feature of certain wallet software. This sends the entire balance of the paper wallet to a deterministic wallet. Alternatively the private key could be imported and the entire balance sent to an address in the wallet.

There are various wallets for doing this:

Bitcoin ATMs and paper wallets

Many bitcoin ATMs use a paper-wallet-like system for delivering bitcoins if the customer doesn't have a bitcoin wallet. The ATMs can print out a private key/address pair onto paper which contain the customer's bitcoins. Ideally the customer would sweep the bitcoins into their own wallet as soon as they can.

See Also

References