Best practices for using the IOTA wallets safely


Author
Message
CoinJohn
C
Attaching to Tangle (42 reputation)Attaching to Tangle (42 reputation)Attaching to Tangle (42 reputation)Attaching to Tangle (42 reputation)Attaching to Tangle (42 reputation)Attaching to Tangle (42 reputation)Attaching to Tangle (42 reputation)Attaching to Tangle (42 reputation)Attaching to Tangle (42 reputation)
Group: Forum Members
Posts: 16, Visits: 7
Thank you Winston for your reply.
Do I read your answer right that only once the wallet is attached to the tangle new addresses can be generated?
Winston
Winston
Forum Admin (33K reputation)Forum Admin (33K reputation)Forum Admin (33K reputation)Forum Admin (33K reputation)Forum Admin (33K reputation)Forum Admin (33K reputation)Forum Admin (33K reputation)Forum Admin (33K reputation)Forum Admin (33K reputation)
Group: Administrators
Posts: 3.6K, Visits: 6.7K
CoinJohn - 17 Dec 2017
Thank you Winston for your reply.Do I read your answer right that only once the wallet is attached to the tangle new addresses can be generated?

@CoinJohn 
That's just the order in which you have to go to generate addresses in the light wallet, I guess. Just keep pushing that button (whether it says "generate address" or "attach to tangle"), and you'll be doing the process correctly. Report back with your results. :IOTA:
CoinJohn
C
Attaching to Tangle (42 reputation)Attaching to Tangle (42 reputation)Attaching to Tangle (42 reputation)Attaching to Tangle (42 reputation)Attaching to Tangle (42 reputation)Attaching to Tangle (42 reputation)Attaching to Tangle (42 reputation)Attaching to Tangle (42 reputation)Attaching to Tangle (42 reputation)
Group: Forum Members
Posts: 16, Visits: 7
Hi Winston,
I opened my wallet with the seed, pushed “Receive”, that showed an address and then pushed “ attach to tangle”. It came up with “invalid response”
I have done this several times and always the same response. The address in the “ Receive” field was always the same.

I am thinking of deleting the wallet completely and install it again.

I did read on the IOTA page that wallet does not need to be attached and would still work fine.

What do you think?
Carpincho
Carpincho
Attached to Tangle (968 reputation)Attached to Tangle (968 reputation)Attached to Tangle (968 reputation)Attached to Tangle (968 reputation)Attached to Tangle (968 reputation)Attached to Tangle (968 reputation)Attached to Tangle (968 reputation)Attached to Tangle (968 reputation)Attached to Tangle (968 reputation)
Group: Moderators
Posts: 33, Visits: 122
CoinJohn - 20 Dec 2017
Hi Winston,I opened my wallet with the seed, pushed “Receive”, that showed an address and then pushed “ attach to tangle”. It came up with “invalid response”I have done this several times and always the same response. The address in the “ Receive” field was always the same.I am thinking of deleting the wallet completely and install it again.I did read on the IOTA page that wallet does not need to be attached and would still work fine.What do you think?

CoinJhon
Maybe try changing your wallet' node.
You can check for this list to see which one is in better shape
https://iota.dance/nodes
Hope it helps!
rahpl3245
r
Attaching to Tangle (6 reputation)Attaching to Tangle (6 reputation)Attaching to Tangle (6 reputation)Attaching to Tangle (6 reputation)Attaching to Tangle (6 reputation)Attaching to Tangle (6 reputation)Attaching to Tangle (6 reputation)Attaching to Tangle (6 reputation)Attaching to Tangle (6 reputation)
Group: Forum Members
Posts: 5, Visits: 0
Hola muchas gracias por su articulo es de mucha ayuda ya que casi hay que ir a la  universidad otra vez para usar esta billetera la verdad es un poco complicada jajaj  pero bueno asi es todo esto. 
queria emitir una pregunta un poco fuera del tema que toco aqui. con exactitud pero sigue siendo referente ala billetera qeu pasa si los numeros de la parte inferior de la billetera no estan coinsidiendo, y escuchado que esos numerois deben estar en similitud (coinsidir) como puedo encontrar informacion del manejo perfecto de la billetera como aplicar correctamente la inclusión de vecinos para que las transacciones se realicen de manera correcta gracias saludos 

Edited 2 Years Ago by rahpl3245
rahpl3245
r
Attaching to Tangle (6 reputation)Attaching to Tangle (6 reputation)Attaching to Tangle (6 reputation)Attaching to Tangle (6 reputation)Attaching to Tangle (6 reputation)Attaching to Tangle (6 reputation)Attaching to Tangle (6 reputation)Attaching to Tangle (6 reputation)Attaching to Tangle (6 reputation)
Group: Forum Members
Posts: 5, Visits: 0
Hello thank you very much for your article is very helpful as you almost have to go to college again to use this wallet the truth is a bit complicated hahaha but well that's all this.
I wanted to ask a question a little outside the subject that I play here. with accuracy but it is still referring to the wallet that happens if the numbers in the lower part of the wallet are not counting, and I heard that those numbers should be in similarity (coinsidir) as I can find information about the perfect handling of the wallet as correctly applying the inclusion of neighbors so that transactions are carried out correctly thanks greetings
CoinJohn
C
Attaching to Tangle (42 reputation)Attaching to Tangle (42 reputation)Attaching to Tangle (42 reputation)Attaching to Tangle (42 reputation)Attaching to Tangle (42 reputation)Attaching to Tangle (42 reputation)Attaching to Tangle (42 reputation)Attaching to Tangle (42 reputation)Attaching to Tangle (42 reputation)
Group: Forum Members
Posts: 16, Visits: 7
Inhabe changed the node and it worked niceley.
Have sent a small amount as test now to see that it works before I sent the rest to the wallet.
Will update once all is in the wallet.

Super help here guys, highly appreciated.
All the best
John
Ronnymarlishausen
R
Attached to Tangle (289 reputation)Attached to Tangle (289 reputation)Attached to Tangle (289 reputation)Attached to Tangle (289 reputation)Attached to Tangle (289 reputation)Attached to Tangle (289 reputation)Attached to Tangle (289 reputation)Attached to Tangle (289 reputation)Attached to Tangle (289 reputation)
Group: Forum Members
Posts: 22, Visits: 0
[Zitat]
[b]EricHop - 30. November 2017[/ b]
IOTA ist ein Protokoll, das für die Verwendung von IoT-Geräten entwickelt wurde. Diese Geräte befolgen gerne alle Regeln, um das Protokoll streng, optimal und sicher zu verwenden. Leider sind Menschen nicht so gut darin, Regeln zu folgen - wenn sie sie überhaupt kennen - und sie haben oft keine Ahnung von den Konsequenzen bestimmter Handlungen. Also habe ich beschlossen, eine Liste mit Best Practices zu schreiben und in diesem Artikel das Warum zu erklären.

Hier sind die Regeln:

REGEL 1: NIEMALS eine Adresse erneut verwenden. NOCH NIE. Keine Ausnahmen.

Regel 2: Fügen Sie IMMER eine neue Empfangsadresse an Tangle an.

REGEL 3: IMMER warten, bis eine Transaktion bestätigt wird, bevor etwas anderes gesendet wird.


Und hier ist das Warum:

Es hat alles mit Multi-Ausgaben zu tun. Welches mehr als einmal von der gleichen Adresse ausgibt. Das Problem hierbei ist, dass IOTA einmalige Signaturen verwendet. Nach Ausgaben sollten Adressen nicht mehr verwendet werden, da bei der Ausgabe zufällig 50% des privaten Schlüssels an die Adresse ausgegeben werden. Das ist an sich kein Problem, alle Geldmittel, die nach einer einzigen Ausgabe ankommen, sind immer noch ziemlich sicher. Die anderen 50% des Schlüssels zu brechen ist immer noch eine entmutigende Aufgabe.

Aber wenn eine zweite Ausgabe an der gleichen Adresse stattfindet, wird eine neue zufällige 50% des privaten Schlüssels für diese Adresse ausgesetzt. Theoretisch werden Ihnen Statistiken zeigen, dass jetzt 75% des privaten Schlüssels verfügbar sind. Aber hier ist der Unterschied zwischen Theorie und Praxis. Da es ein * zufälliger * 50% des Schlüssels ist, der ausgesetzt wird, könnten Sie Pech haben, dass beide 50% -Expositionen nur eine 10% ige Überlappung haben. In diesem Fall sind bereits 90% Ihres Schlüssels verfügbar! In diesem Fall ist Ihr privater Schlüssel Toast und relativ leicht gebrochen.

Also kurz gesagt: 2 oder mehr Ausgaben von der gleichen Adresse ist sehr schlecht!

Sehen wir uns nun an, welche Szenarien auftreten könnten, die zu einem Multi-Ausgaben führen und warum diese Regeln gut sind:


REGEL 1: NIEMALS eine Adresse erneut verwenden. NOCH NIE. Keine Ausnahmen.

Ich kann sofort einige Leute sagen hören: "Aber du darfst mehrmals an einer Adresse empfangen!" Und sie sind technisch korrekt. IoT-Geräte tun dies die ganze Zeit. Aber sie haben den Vorteil, genau zu wissen, was die Parteien, mit denen sie reden, tun werden und wann. So können sie das sicher tun. Hier ist ein Szenario, das nur ein Beispiel zeigt, warum es eine schlechte Idee ist, mehrere Male an die gleiche Adresse zu senden:

Nehmen wir an, ich ziehe X Iotas von einer Börse zurück, um A in meiner Brieftasche zu adressieren. Der ganze Vorgang dauert ein wenig, aber am Ende habe ich X in Adresse A.

Ermutigt durch diesen Erfolg entscheide ich mich, noch ein Yotas an die selbe Adresse A zurückzuziehen. Immerhin kann ich * an * eine Adresse mehrfach senden, oder? Also gebe ich den Auftrag ein und der Austausch beginnt mit der Bearbeitung der Bestellung. Beachten Sie, dass diese Verarbeitung manchmal Stunden oder sogar Tage dauern kann.

In der Zwischenzeit erzähle ich meinem Freund von IOTA, und um ihn zu ermutigen, möchte ich ihm ein paar (sagen wir Z) Iotas schicken. Also installiert er die Brieftasche und gibt mir eine Empfangsadresse B. Ich rate der Brieftasche, Z iotas an Adresse B zu senden. Die Brieftasche ist glücklich verpflichtet und nimmt die Iotas in Adresse A, sendet Z iotas an Adresse B und - um Adresse A zu schützen von Multi-Ausgaben - es sendet auch die verbleibenden X - Z Iotas sicher zu einer neu generierten Adresse C in meiner Brieftasche.

Bis jetzt scheint alles in Ordnung zu sein. Aber mit einem Problem: Der Exchange hat meinen Abzug noch nicht bearbeitet. Wenn es schließlich verarbeitet wird, werden die Y-Itas an Adresse A gesendet, genau wie ich es angewiesen habe. Außer dass diese Adresse jetzt schon früher ausgegeben wurde! Hoppla!

Diese Situation hätte einfach vermieden werden können, indem eine neue Adresse D für die zweite Entnahme erzeugt wurde und diese anstelle der Adresse A verwendet wurde.
Also Fall: NIEMALS eine Adresse erneut verwenden. Nicht einmal zum Empfangen.


REGEL 2: Fügen Sie IMMER eine neue Empfangsadresse an das Tangle an.

Ich kann sofort einige Leute sagen hören: "Aber das musst du wirklich nicht!" Und wieder sind sie technisch korrekt. Es ist vollkommen in Ordnung, Iotas an eine Adresse zu senden, die nicht explizit mit dem Tangle verbunden war. Sie werden gut ankommen. Auch dies tun IoT-Geräte immer wieder, aber sie behalten auch im Auge, welche Adressen sie als Empfangsadressen ausgegeben haben.

Das IOTA Wallet macht es anders. Da es möglich ist, die Brieftasche auf verschiedenen Geräten zu installieren und beide Brieftaschen mit dem gleichen Samen einzuloggen, bestimmen die Entwickler den Zustand der Brieftasche direkt aus dem Tangle. So werden beide Geldbörsen auf Ereignisse gleich reagieren. Sonst hätte man einige wichtige Adressen im Auge behalten können, und der andere hätte davon nichts gewußt. Ziemlich elegante Lösung.

Aber diese Lösung kommt mit versteckten Kosten. Um das zu verstehen, müssen wir uns ansehen, wie der Geldbeutel entscheidet, welche Adressen bereits verwendet wurden. Dies geschieht, indem der fragliche Knoten nach einer Liste von Transaktionen gefragt wird, die diese Adresse enthalten. Wenn noch keine Transaktionen vorhanden sind, wird daraus geschlossen, dass die Adresse noch nicht verwendet wurde.

Wenn Sie eine Adresse an Tangle anhängen, erstellen Sie explizit eine Nullübertragungstransaktion für diese Adresse. Jetzt kann die Brieftasche diese Transaktion im Tangle finden, also weiß sie, dass sie bereits verwendet wird. Und ja, falls jemand Iotas an diese Adresse sendet, kann die Brieftasche diese Transaktion im Gewirr finden und sieht wieder, dass sie bereits benutzt wird. Deshalb müssen wir es nicht explizit anhängen, oder? Bzzzzt! *Falsch*!!

Nehmen wir an, ich habe X Iotas in Adresse A. Ich beschließe, ein anderes Y Iotas aus dem Austausch an Adresse B abzuziehen. Das ist, was ich aus Regel 1 gelernt habe. Verwenden Sie eine andere Adresse. Ich mache mir nicht die Mühe, die Adresse B explizit an Tangle anzuhängen, weil mir vorher gesagt wurde, dass das nicht unbedingt notwendig sei. Also gebe ich den Auftrag ein und der Austausch beginnt mit der Bearbeitung der Bestellung. Das braucht wieder Zeit.

Um mehr Freude zu verbreiten, beschließe ich, Z iotas erneut zu meinem Freund zu schicken. Ich initiiere die Übertragung, und diesmal kann die Brieftasche von der Adresse A nehmen, Z iotas an die Adresse meines Freundes senden, und dann möchte sie die verbleibenden X-z-Iotas an eine neue Empfangsadresse senden. So sieht es im Gewirr aus, welche Adresse noch nicht benutzt wird. Aha! Adresse B wird noch nicht verwendet. Also schickt es fröhlich die Ergebnisse an Adresse B. Oh mein Gott. Jetzt befinden wir uns in der gleichen Situation wie in Regel 1.

Wenn wir uns jetzt entscheiden, eine weitere Menge von Iotas an einen anderen Freund zu senden, werden wir die Adresse B ausgeben, bevor die Auszahlung * an * Adresse B ausgeführt wurde. Und wir enden wieder mit einem garantierten Multi-Ausgaben.

Diese Situation hätte einfach vermieden werden können, indem Adresse B explizit an Tangle angehängt wurde. In diesem Fall hätte die Brieftasche gesehen, dass sie bereits verwendet wurde, und stattdessen hätte sie den Rest an eine neue Adresse C gesendet.
Also Fall: IMMER eine neue Empfangsadresse an die Tangle anhängen.


REGEL 3: IMMER warten, bis eine Transaktion bestätigt wird, bevor etwas anderes gesendet wird.

Ich kann sofort einige Leute sagen hören: "Aber die Brieftasche wird mich davon abhalten, viel auszugeben!" Und wieder sind sie technisch korrekt. Die Geldbörse prüft vor der Ausgabe, ob bereits eine bestätigte Ausgabe für die Adresse vorliegt, und erlaubt in diesem Fall keine zweite Ausgabe. Aber bedenken Sie folgendes Szenario:

Ich habe X Iotas in Adresse A. Ich entscheide mich jetzt, Y Iotas zu einem Austausch zu senden. Dies wird eine Transaktion Nr. 1 erzeugen, die Y iotas von Adresse A ausgibt.
Jetzt entscheide ich mich auch, meinem Freund seine Z iotas zu schicken, bevor Transaktion 1 bestätigt wurde. Da die Brieftasche immer noch die X-Iotas in Adresse A sieht, wird sie glücklicherweise Transaktion 2 ausgeben, die Z iotas von Adresse A ausgibt. Hoppla! Zwei Ausgaben von derselben Adresse.

Diese Situation hätte einfach vermieden werden können, indem gewartet wurde, dass die Transaktion # 1 bestätigt wurde, bevor die Transaktion # 2 gesendet wurde.
Also in diesem Fall: IMMER warten Sie auf eine Transaktion bestätigt werden, bevor Sie etwas anderes senden.


Beachten Sie, dass viele dieser Situationen noch matschiger sind, weil Sie keine Ahnung haben, welche Adresse (n) die Brieftasche als Eingabe für den Versand von Iotas auswählen wird.

Beachten Sie auch, dass ich nur ein Beispiel dafür anführe, wo bei jeder Regel etwas schiefgehen kann. Die Dinge werden noch matschiger, wenn Schnappschüsse passieren. Aber das ist etwas für einen anderen Artikel.
[/Zitat]

In der Tat
Hello, I had made a second transfer from Bitfenix and the first one was not confirmed yet. I've been waiting for payment to the wallet since 07.12.2017: https: //iotasear.ch/hash/XCOOJIMUMZSDGTUFR9UDHEOSREFTUMXFGTXMUCSWQPLIFIVCQRDL9JGRULMSCBGINXKVQJWUVDOGKLGPWGTHNQCDEY

How should I behave? best regards

superresistant
s
Attaching to Tangle (53 reputation)Attaching to Tangle (53 reputation)Attaching to Tangle (53 reputation)Attaching to Tangle (53 reputation)Attaching to Tangle (53 reputation)Attaching to Tangle (53 reputation)Attaching to Tangle (53 reputation)Attaching to Tangle (53 reputation)Attaching to Tangle (53 reputation)
Group: Forum Members
Posts: 6, Visits: 11
The wallet or tangle has no way of knowing if the address was used after a snapshot, right ?
Winston
Winston
Forum Admin (33K reputation)Forum Admin (33K reputation)Forum Admin (33K reputation)Forum Admin (33K reputation)Forum Admin (33K reputation)Forum Admin (33K reputation)Forum Admin (33K reputation)Forum Admin (33K reputation)Forum Admin (33K reputation)
Group: Administrators
Posts: 3.6K, Visits: 6.7K
superresistant - 9 Jan 2018
The wallet or tangle has no way of knowing if the address was used after a snapshot, right ?

@superresistant
This is correct
rosmo01
r
Attaching to Tangle (1 reputation)Attaching to Tangle (1 reputation)Attaching to Tangle (1 reputation)Attaching to Tangle (1 reputation)Attaching to Tangle (1 reputation)Attaching to Tangle (1 reputation)Attaching to Tangle (1 reputation)Attaching to Tangle (1 reputation)Attaching to Tangle (1 reputation)
Group: Forum Members
Posts: 1, Visits: 0
EricHop - 30 Nov 2017
IOTA is a protocol designed for use by IoT devices. These devices will happily follow any rules to use the protocol strictly, optimally and safe. Sadly, humans are not so good at following rules -if they know them at all- and they often have no idea of the consequences of certain actions. So I decided to write a list of best practices and explain the why in this article.

Here are the rules:

RULE 1: NEVER generate your seed online.

RULE 2: NEVER give your seed to anyone.

RULE 3: ALWAYS store a copy of your seed some place safe

RULE 4: NEVER re-use an address. NEVER. NO exceptions.

RULE 5: ALWAYS attach a new receive address to the Tangle.

RULE 6: ALWAYS wait for a transaction to be confirmed before sending anything else.


And here are the whys:

-------

Rule 1-3 all have to do with your seed. The seed is literally the master key to your wallet. Whoever has the key controls the wallet and the iotas therein. So it is very important to have a few best practices that help you keep  your seed safe.


RULE 1: NEVER generate your seed online.

Because iotas have monetary value there are a lot of nasty people out there ready to try and relieve you of your iota stash. One way they do this is by offering to generate a seed for you. Don't fall for it!!! Most, if not all online seed generators are designed to make your seed vulnerable. They either will copy the seed or generate a seed from a limited number of random seeds. And as we have seen in the beginning of January some of them have a lot of patience. All of a sudden over 4 million USD worth of iotas got stolen by the operator of a popular seed generator.
Generating a seed isn't difficult. You just need to know the right method to use. Here are 3 methods to do it yourself:

Method 1. Make up a string of random, unrelated words. Mix in weird words or foreign words. Really, that's the simplest and safest way to go. With 81 characters it is impossible for anyone to guess them as long as you keep them unrelated.
Example (spaces are for readability only): FLOWER BEER JE MAINTIENDRAI CLOCKWORK SHELDON ELDERBERRIES BLITZKRIEG OVENMITT AUTOCORRUPT

Method 2. Use a single finger and slowly type 81 random letters. Just let your finger go around and around and sometimes let it go down. Purposely trying to make it random is okay. Just try to avoid patterns, which is why quickly mashing fingers on the keyboard is not a good idea. If you want, you can throw a 9 in here and there for good measure. Once you have 81 of them, replace some random letters with other random letters, just to make sure you break any patters you unwittingly used.
Example: KUWVQZOVFENI9GTESKPLJKMVFTETTKGSWQBMOPHTJLOHRRGKOKNHKKECDSKNSFFHGKBPYU9NVDL9ECVMB

Method 3: Warning: This method is only for people who actually know what they are doing and what I am talking about. There are a local/offline secure random generators available with most major operating systems. I won't go into detail here to prevent the noob users from using them. You really want to know what you are doing. Mac and Linux for example offer /dev/urandom. If this does not mean anything to you, just use method 1 or 2 instead.



RULE 2: NEVER give your seed to anyone.

Again, there are many predators out there. Some of them will even pretend to be part of the IOTA foundation and offer to help you if you ask for help with a problem in any of the help channels.
Be paranoid in those cases where such a person asks for your seed. Once you give it they will quickly empty your wallet. Most problems you will encounter can be solved without ever giving up your seed to anyone.


RULE 3: ALWAYS store a copy of your seed some place safe

Protect yourself from ever losing your iotas. Keep one or more copies of your seed in safe places. Make sure that it is not easy for anyone to get a quick peek at them. Remember, mobile devices are cameras and snapping a picture of your seed is very easily done. Best to separate your seed in two parts and keep them stored away from each other. I recommend 2 bank safes at 2 different banks. Especially when the amount of iotas becomes large this is no overkill. And while you're at it make sure that it includes a succession list in case anything happens to you and maybe include some trusted persons that can help your heirs get their hands on the funds. Nothing sadder than sitting on a million worth of iotas and no one being able to access them when you die.

--------

Rule 4-6 all have to do with multi-spending. Which is spending more than once from the same address. The problem here is that IOTA uses one-time signatures. After spending addresses are not supposed to be used any more because in the process of spending a random 50% of the private key to the address gets exposed. This in itself is not a problem, any funds arriving after a single spend are still pretty safe. Breaking the other 50% of the key is still a daunting task.

But when a second spend happens on the same address a new random 50% of the private key for that address gets exposed. Theoretically, statistics will tell you that now 75% of the private key is exposed. But here is the difference between theory and practice. Since it is a *random* 50% of the key that gets exposed, you could be unlucky enough that both 50% exposures only have a 10% overlap. In which case a whopping 90% of your key is exposed already! In which case your private key is toast and broken relatively easy.

So in short: 2 or more spends from the same address is VERY BAD!

Now let's see what scenarios could occur that will end up in a multi-spend and why these rules are good:


RULE 4: NEVER re-use an address. NEVER. NO exceptions.

I can immediately hear some people say: "But you are allowed to receive multiple times at a address!" And they are technically correct. IoT devices will do this all the time. But they have the advantage of knowing exactly what the parties they are talking to are going to do and when. So they can safely do this. Here is a scenario that shows just one example of why it is a bad idea to send multiple times to the same address:

Let's say I withdraw X iotas from an exchange to address A in my wallet. The whole process takes a little time, but I end up with X iota in address A.

Encouraged by this success I decide to withdraw another Y iotas to that same address A. After all, I can send *to* an address multiple times, right? So I put in the order and the exchange starts processing the order. Note that this processing can sometimes take hours or even days.

In the mean time I tell my friend about IOTA, and to encourage him I want to send him a few (let's say Z) iotas. So he installs the wallet and gives me a receive address B. I tell the wallet to send Z iotas to address B. The wallet happily obliges and takes the iotas in address A, sends Z iotas to address B, and -to guard address A from multi-spending- it also sends the remaining X - Z iotas safely to a newly generated address C in my wallet.

Everything seems okay so far. But with one problem: The exchange did not process my withdrawal yet. When it finally does process it, the Y iotas will be sent to address A just like I instructed. Except that address now already has an earlier spend on it! Oops!

This situation could have been simply avoided by generating a new address D for the second withdrawal and using that instead of address A.
So case in point: NEVER re-use an address. Not even for receiving.


RULE 5: ALWAYS attach a new receive address to the Tangle.

I can immediately hear some people say: "But you don't really *have* to do this!" And again, they are technically correct. It is perfectly fine to send iotas to an address that was not attached to the Tangle explicitly. They will arrive just fine. Again, IoT devices do this all the time, but they also keep track of what addresses they gave out as receive addresses.

The IOTA wallet does it differently. Because it is possible to install the wallet on different devices, and log in both wallets with the same seed, the developers are determining the state of the wallet directly from the Tangle. That way both wallets will respond the same to events. Otherwise one could have kept track of some important addresses and the other would have no knowledge of that. Pretty elegant solution.

But this solution comes with a hidden cost. To understand this we need to look at how the wallet decides which addresses have been used already. It does that by asking the node it is connected to for a list of transactions that incorporate that address. If there are no transactions yet it concludes that it has not used the address yet.

By attaching an address to the Tangle you explicitly create a zero-transfer transaction for that address. Now the wallet can find that transaction in the Tangle, so it knows it is in use already. And yes, in case someone sends iotas to that address, the wallet can find that transaction in the tangle and again sees that it is in use already. Therefore we don't need to explicitly attach it, right? Bzzzzt! *Wrong*!!

Let's say I have X iotas in address A. I decide to withdraw another Y iotas from the exchange to address B. That's what I learned from rule 1. Use a different address. I don't bother explicitly attaching address B to the Tangle, because I was told before that that was not strictly necessary. So I put in the order and the exchange starts processing the order. Which again takes time.

To spread more joy I decide to send Z iotas to my friend again. I initiate the transfer, and this time the wallet can take from address A, send Z iotas to my friend's address, and then it wants to send the remaining X - z iotas to a new receive address. So it looks in the tangle which address is not in use already. Aha! Address B is not used yet. So it merrily sends the results to address B. Oh dear. Now we are in the same situation as we were in with rule 1.

So if we now decide to send another amount of iotas to another friend, we will be spending address B before the withdrawal *to* address B has executed. And we end up with a guaranteed multi-spend again.

This situation could have been simply avoided by explicitly attaching address B to the Tangle. In which case the wallet would have seen it was in use already, and it would have sent the remainder to a new address C instead.
So case in point: ALWAYS attach a new receive address to the Tangle.


RULE 6: ALWAYS wait for a transaction to be confirmed before sending anything else.

I can immediately hear some people say: "But the wallet will keep me from multi-spending!" And again, they are technically correct. The wallet will check before spending if there already has been a confirmed spend on the address, and won't allow a second spend in that case. But consider the following scenario:

I have X iotas in address A. I now decide to send Y iotas to an exchange. This will generate a transaction #1 spending Y iotas from address A.
Now I also decide to send my friend his Z iotas before transaction #1 has been confirmed. Since the wallet still sees the X iotas in address A it will happily generate transaction #2 spending Z iotas from address A. Oops! Two spends from the same address.

This situation could have been simply avoided by waiting for transaction #1 to be confirmed before sending transaction #2.
So case in point: ALWAYS wait for a transaction to be confirmed before sending anything else.


Note that a lot of these situations are even muddier because you have no idea what address(es) the wallet is going to pick as input(s) for sending iotas somewhere.

Also note that I only provide one example of where things can go wrong for each rule. Things become even muddier when snapshots happen. But that is something for another article.

One crucial element is not mentioned and that is how the user is supposed to remember and enter the seed every time the GUI is started. In current version there is no encrypted and password protected storage of the seed, as per many full node wallets like BTC/LTC NEM/NEO/XMR/DGB, etc....

The current UI forces us to store the seed locally in relative easy access so we can copy/paste it into the login, which in most cases means unencrypted, as there is no assistance in this from the UI.

This is countering all the steps in creating a secure seed as we are unable to remember it, and even if we did it takes forever to type it in - time we cannot afford to waste.

I for one does not entrust my cryptos to any exchange/where I'm not in control of the private key/seed. None of the hardware wallets are supporting Iota yet either.......

I hope I have missed something, but if I have to copy/paste my seed for each login, then I see no use for this wallet. I would like to know when the seed will be encrypted and password protected by the UI.
Winston
Winston
Forum Admin (33K reputation)Forum Admin (33K reputation)Forum Admin (33K reputation)Forum Admin (33K reputation)Forum Admin (33K reputation)Forum Admin (33K reputation)Forum Admin (33K reputation)Forum Admin (33K reputation)Forum Admin (33K reputation)
Group: Administrators
Posts: 3.6K, Visits: 6.7K
rosmo01 - 2 Feb 2018
EricHop - 30 Nov 2017
IOTA is a protocol designed for use by IoT devices. These devices will happily follow any rules to use the protocol strictly, optimally and safe. Sadly, humans are not so good at following rules -if they know them at all- and they often have no idea of the consequences of certain actions. So I decided to write a list of best practices and explain the why in this article.

Here are the rules:

RULE 1: NEVER generate your seed online.

RULE 2: NEVER give your seed to anyone.

RULE 3: ALWAYS store a copy of your seed some place safe

RULE 4: NEVER re-use an address. NEVER. NO exceptions.

RULE 5: ALWAYS attach a new receive address to the Tangle.

RULE 6: ALWAYS wait for a transaction to be confirmed before sending anything else.


And here are the whys:

-------

Rule 1-3 all have to do with your seed. The seed is literally the master key to your wallet. Whoever has the key controls the wallet and the iotas therein. So it is very important to have a few best practices that help you keep  your seed safe.


RULE 1: NEVER generate your seed online.

Because iotas have monetary value there are a lot of nasty people out there ready to try and relieve you of your iota stash. One way they do this is by offering to generate a seed for you. Don't fall for it!!! Most, if not all online seed generators are designed to make your seed vulnerable. They either will copy the seed or generate a seed from a limited number of random seeds. And as we have seen in the beginning of January some of them have a lot of patience. All of a sudden over 4 million USD worth of iotas got stolen by the operator of a popular seed generator.
Generating a seed isn't difficult. You just need to know the right method to use. Here are 3 methods to do it yourself:

Method 1. Make up a string of random, unrelated words. Mix in weird words or foreign words. Really, that's the simplest and safest way to go. With 81 characters it is impossible for anyone to guess them as long as you keep them unrelated.
Example (spaces are for readability only): FLOWER BEER JE MAINTIENDRAI CLOCKWORK SHELDON ELDERBERRIES BLITZKRIEG OVENMITT AUTOCORRUPT

Method 2. Use a single finger and slowly type 81 random letters. Just let your finger go around and around and sometimes let it go down. Purposely trying to make it random is okay. Just try to avoid patterns, which is why quickly mashing fingers on the keyboard is not a good idea. If you want, you can throw a 9 in here and there for good measure. Once you have 81 of them, replace some random letters with other random letters, just to make sure you break any patters you unwittingly used.
Example: KUWVQZOVFENI9GTESKPLJKMVFTETTKGSWQBMOPHTJLOHRRGKOKNHKKECDSKNSFFHGKBPYU9NVDL9ECVMB

Method 3: Warning: This method is only for people who actually know what they are doing and what I am talking about. There are a local/offline secure random generators available with most major operating systems. I won't go into detail here to prevent the noob users from using them. You really want to know what you are doing. Mac and Linux for example offer /dev/urandom. If this does not mean anything to you, just use method 1 or 2 instead.



RULE 2: NEVER give your seed to anyone.

Again, there are many predators out there. Some of them will even pretend to be part of the IOTA foundation and offer to help you if you ask for help with a problem in any of the help channels.
Be paranoid in those cases where such a person asks for your seed. Once you give it they will quickly empty your wallet. Most problems you will encounter can be solved without ever giving up your seed to anyone.


RULE 3: ALWAYS store a copy of your seed some place safe

Protect yourself from ever losing your iotas. Keep one or more copies of your seed in safe places. Make sure that it is not easy for anyone to get a quick peek at them. Remember, mobile devices are cameras and snapping a picture of your seed is very easily done. Best to separate your seed in two parts and keep them stored away from each other. I recommend 2 bank safes at 2 different banks. Especially when the amount of iotas becomes large this is no overkill. And while you're at it make sure that it includes a succession list in case anything happens to you and maybe include some trusted persons that can help your heirs get their hands on the funds. Nothing sadder than sitting on a million worth of iotas and no one being able to access them when you die.

--------

Rule 4-6 all have to do with multi-spending. Which is spending more than once from the same address. The problem here is that IOTA uses one-time signatures. After spending addresses are not supposed to be used any more because in the process of spending a random 50% of the private key to the address gets exposed. This in itself is not a problem, any funds arriving after a single spend are still pretty safe. Breaking the other 50% of the key is still a daunting task.

But when a second spend happens on the same address a new random 50% of the private key for that address gets exposed. Theoretically, statistics will tell you that now 75% of the private key is exposed. But here is the difference between theory and practice. Since it is a *random* 50% of the key that gets exposed, you could be unlucky enough that both 50% exposures only have a 10% overlap. In which case a whopping 90% of your key is exposed already! In which case your private key is toast and broken relatively easy.

So in short: 2 or more spends from the same address is VERY BAD!

Now let's see what scenarios could occur that will end up in a multi-spend and why these rules are good:


RULE 4: NEVER re-use an address. NEVER. NO exceptions.

I can immediately hear some people say: "But you are allowed to receive multiple times at a address!" And they are technically correct. IoT devices will do this all the time. But they have the advantage of knowing exactly what the parties they are talking to are going to do and when. So they can safely do this. Here is a scenario that shows just one example of why it is a bad idea to send multiple times to the same address:

Let's say I withdraw X iotas from an exchange to address A in my wallet. The whole process takes a little time, but I end up with X iota in address A.

Encouraged by this success I decide to withdraw another Y iotas to that same address A. After all, I can send *to* an address multiple times, right? So I put in the order and the exchange starts processing the order. Note that this processing can sometimes take hours or even days.

In the mean time I tell my friend about IOTA, and to encourage him I want to send him a few (let's say Z) iotas. So he installs the wallet and gives me a receive address B. I tell the wallet to send Z iotas to address B. The wallet happily obliges and takes the iotas in address A, sends Z iotas to address B, and -to guard address A from multi-spending- it also sends the remaining X - Z iotas safely to a newly generated address C in my wallet.

Everything seems okay so far. But with one problem: The exchange did not process my withdrawal yet. When it finally does process it, the Y iotas will be sent to address A just like I instructed. Except that address now already has an earlier spend on it! Oops!

This situation could have been simply avoided by generating a new address D for the second withdrawal and using that instead of address A.
So case in point: NEVER re-use an address. Not even for receiving.


RULE 5: ALWAYS attach a new receive address to the Tangle.

I can immediately hear some people say: "But you don't really *have* to do this!" And again, they are technically correct. It is perfectly fine to send iotas to an address that was not attached to the Tangle explicitly. They will arrive just fine. Again, IoT devices do this all the time, but they also keep track of what addresses they gave out as receive addresses.

The IOTA wallet does it differently. Because it is possible to install the wallet on different devices, and log in both wallets with the same seed, the developers are determining the state of the wallet directly from the Tangle. That way both wallets will respond the same to events. Otherwise one could have kept track of some important addresses and the other would have no knowledge of that. Pretty elegant solution.

But this solution comes with a hidden cost. To understand this we need to look at how the wallet decides which addresses have been used already. It does that by asking the node it is connected to for a list of transactions that incorporate that address. If there are no transactions yet it concludes that it has not used the address yet.

By attaching an address to the Tangle you explicitly create a zero-transfer transaction for that address. Now the wallet can find that transaction in the Tangle, so it knows it is in use already. And yes, in case someone sends iotas to that address, the wallet can find that transaction in the tangle and again sees that it is in use already. Therefore we don't need to explicitly attach it, right? Bzzzzt! *Wrong*!!

Let's say I have X iotas in address A. I decide to withdraw another Y iotas from the exchange to address B. That's what I learned from rule 1. Use a different address. I don't bother explicitly attaching address B to the Tangle, because I was told before that that was not strictly necessary. So I put in the order and the exchange starts processing the order. Which again takes time.

To spread more joy I decide to send Z iotas to my friend again. I initiate the transfer, and this time the wallet can take from address A, send Z iotas to my friend's address, and then it wants to send the remaining X - z iotas to a new receive address. So it looks in the tangle which address is not in use already. Aha! Address B is not used yet. So it merrily sends the results to address B. Oh dear. Now we are in the same situation as we were in with rule 1.

So if we now decide to send another amount of iotas to another friend, we will be spending address B before the withdrawal *to* address B has executed. And we end up with a guaranteed multi-spend again.

This situation could have been simply avoided by explicitly attaching address B to the Tangle. In which case the wallet would have seen it was in use already, and it would have sent the remainder to a new address C instead.
So case in point: ALWAYS attach a new receive address to the Tangle.


RULE 6: ALWAYS wait for a transaction to be confirmed before sending anything else.

I can immediately hear some people say: "But the wallet will keep me from multi-spending!" And again, they are technically correct. The wallet will check before spending if there already has been a confirmed spend on the address, and won't allow a second spend in that case. But consider the following scenario:

I have X iotas in address A. I now decide to send Y iotas to an exchange. This will generate a transaction #1 spending Y iotas from address A.
Now I also decide to send my friend his Z iotas before transaction #1 has been confirmed. Since the wallet still sees the X iotas in address A it will happily generate transaction #2 spending Z iotas from address A. Oops! Two spends from the same address.

This situation could have been simply avoided by waiting for transaction #1 to be confirmed before sending transaction #2.
So case in point: ALWAYS wait for a transaction to be confirmed before sending anything else.


Note that a lot of these situations are even muddier because you have no idea what address(es) the wallet is going to pick as input(s) for sending iotas somewhere.

Also note that I only provide one example of where things can go wrong for each rule. Things become even muddier when snapshots happen. But that is something for another article.

One crucial element is not mentioned and that is how the user is supposed to remember and enter the seed every time the GUI is started. In current version there is no encrypted and password protected storage of the seed, as per many full node wallets like BTC/LTC NEM/NEO/XMR/DGB, etc....

The current UI forces us to store the seed locally in relative easy access so we can copy/paste it into the login, which in most cases means unencrypted, as there is no assistance in this from the UI.

This is countering all the steps in creating a secure seed as we are unable to remember it, and even if we did it takes forever to type it in - time we cannot afford to waste.

I for one does not entrust my cryptos to any exchange/where I'm not in control of the private key/seed. None of the hardware wallets are supporting Iota yet either.......

I hope I have missed something, but if I have to copy/paste my seed for each login, then I see no use for this wallet. I would like to know when the seed will be encrypted and password protected by the UI.

@rosmo01
KeePass is preferred by the community for password storage/encryption. The upcoming Trinity wallet will have the features you mentioned as well.
 

EricHop
EricHop
IOTAn Pending (1.5K reputation)
Group: Moderators
Posts: 15, Visits: 1
The latest version of the IRI (node software) now keeps track of all used addresses from before the snapshot.
This greatly improves the usability of the light wallet because it has become much harder to do a double spend.
It also removes some of the pain of having to reattach after a snapshot because attaching a receive address will now skip all addresses with a previous spend on it.
Also, the new wallets that are coming out Q1 2017 will take away a lot of the current pain points of the light wallet.

CoinJohn
C
Attaching to Tangle (42 reputation)Attaching to Tangle (42 reputation)Attaching to Tangle (42 reputation)Attaching to Tangle (42 reputation)Attaching to Tangle (42 reputation)Attaching to Tangle (42 reputation)Attaching to Tangle (42 reputation)Attaching to Tangle (42 reputation)Attaching to Tangle (42 reputation)
Group: Forum Members
Posts: 16, Visits: 7
Hi everybody,
My wallet version is the 2.5.4.
Do I have to upgrade to a newer version whenever one comes out?
If so, how am I going to do this?

Best regards
Winston
Winston
Forum Admin (33K reputation)Forum Admin (33K reputation)Forum Admin (33K reputation)Forum Admin (33K reputation)Forum Admin (33K reputation)Forum Admin (33K reputation)Forum Admin (33K reputation)Forum Admin (33K reputation)Forum Admin (33K reputation)
Group: Administrators
Posts: 3.6K, Visits: 6.7K
CoinJohn - 2 Feb 2018
Hi everybody,My wallet version is the 2.5.4.Do I have to upgrade to a newer version whenever one comes out?If so, how am I going to do this?Best regards

@CoinJohn 
Go ahead and download the latest version of the wallet v2.5.7
https://github.com/iotaledger
CoinJohn
C
Attaching to Tangle (42 reputation)Attaching to Tangle (42 reputation)Attaching to Tangle (42 reputation)Attaching to Tangle (42 reputation)Attaching to Tangle (42 reputation)Attaching to Tangle (42 reputation)Attaching to Tangle (42 reputation)Attaching to Tangle (42 reputation)Attaching to Tangle (42 reputation)
Group: Forum Members
Posts: 16, Visits: 7
Once I downloaded the newer version, how to I get my funds from the old wallet into the new one?
Winston
Winston
Forum Admin (33K reputation)Forum Admin (33K reputation)Forum Admin (33K reputation)Forum Admin (33K reputation)Forum Admin (33K reputation)Forum Admin (33K reputation)Forum Admin (33K reputation)Forum Admin (33K reputation)Forum Admin (33K reputation)
Group: Administrators
Posts: 3.6K, Visits: 6.7K
CoinJohn - 3 Feb 2018
Once I downloaded the newer version, how to I get my funds from the old wallet into the new one?

@CoinJohn 
It depends. If your funds are available, just regenerate addresses until your balance reappears. If your funds were saved by the Foundation, you would need to complete the reclaim process.
 
skiperaster
s
Attaching to Tangle (3 reputation)Attaching to Tangle (3 reputation)Attaching to Tangle (3 reputation)Attaching to Tangle (3 reputation)Attaching to Tangle (3 reputation)Attaching to Tangle (3 reputation)Attaching to Tangle (3 reputation)Attaching to Tangle (3 reputation)Attaching to Tangle (3 reputation)
Group: Forum Members
Posts: 2, Visits: 0
I made a mistake then? Well, I'm mining in (mineiota . com)
and every x time, send me iota, to the same address ...
What would I have to do new address, every time he sent me?
Winston
Winston
Forum Admin (33K reputation)Forum Admin (33K reputation)Forum Admin (33K reputation)Forum Admin (33K reputation)Forum Admin (33K reputation)Forum Admin (33K reputation)Forum Admin (33K reputation)Forum Admin (33K reputation)Forum Admin (33K reputation)
Group: Administrators
Posts: 3.6K, Visits: 6.7K
skiperaster - 8 Feb 2018
I made a mistake then? Well, I'm mining in (mineiota . com)
and every x time, send me iota, to the same address ...
What would I have to do new address, every time he sent me?

@skiperaster 
Thanks for the post, and welcome to the community.

You can receive funds at the same address as many times as you'd like UNTIL you send an outgoing transaction. After you send an outgoing transaction, use a new receive address.
 

skiperaster
s
Attaching to Tangle (3 reputation)Attaching to Tangle (3 reputation)Attaching to Tangle (3 reputation)Attaching to Tangle (3 reputation)Attaching to Tangle (3 reputation)Attaching to Tangle (3 reputation)Attaching to Tangle (3 reputation)Attaching to Tangle (3 reputation)Attaching to Tangle (3 reputation)
Group: Forum Members
Posts: 2, Visits: 0
Winston - 8 Feb 2018
skiperaster - 8 Feb 2018
I made a mistake then? Well, I'm mining in (mineiota . com)
and every x time, send me iota, to the same address ...
What would I have to do new address, every time he sent me?

@skiperaster 
Thanks for the post, and welcome to the community.

You can receive funds at the same address as many times as you'd like UNTIL you send an outgoing transaction. After you send an outgoing transaction, use a new receive address.
 

ah!! Smile ok thanks!!
GO

Merge Selected

Merge into selected topic...



Merge into merge target...



Merge into a specific topic ID...




Reading This Topic

Login

Explore
Messages
Mentions
Search