Geth’s insecure unlock

Error: account unlock with HTTP access is forbidden
--rpc            Enable the HTTP-RPC server (deprecated, use --http)
--ropsten Ropsten network: pre-configured proof-of-work test network
--rpcaddr value HTTP-RPC server listening interface (deprecated, use --http.addr) (default: "localhost")

Best practices when using accounts

  • Do not enable the RPC or WebSockets interfaces when doing operations on Geth that require an unlocked account. Use the IPC endpoint instead for attaching to the interactive JavaScript console. For example, you can start a light node on the Ropsten testnet using geth --ropsten --syncmode "light". The node prints the IPC endpoint address in the logs on startup. You can then attach to the IPC endpoint using geth attach path/to/ipc/geth.ipc
  • When using the CLI, it is recommended to do the account unlock interactively as opposed to specifying the password directly as part of the command. For example, the following command starts a node on the Ropsten testnet with the specified account unlocked; the HTTP-RPC and WebSockets interfaces are not enabled and Geth prompts for the password:
geth --ropsten --syncmode "light" --unlock 7a67c39db201fbba9e9e0e...
  • Avoid entering your password in Geth's JavaScript interactive console, and if you do, erase the $HOME/.ethereum/history file. If you execute personal.unlockAccount(eth.accounts[0], "myethsecret", 5), your password is written in clear text to the .history file mentioned above. By default the directory in which your .history file is located is only readable by your own system user, but if your system user account is compromised, your password will be visible in your history file.
  • Consider using a wallet to interact with the Ethereum blockchain. For example, with MetaMask you can securely manage your account, use it to authenticate to websites, and send transactions.
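Two defensive checks for the practices above, as an added example that is not part of the original post: one flags a geth command line that combines --unlock with an HTTP or WebSocket interface (including the deprecated --rpc spellings), the other finds and scrubs personal.unlockAccount lines that carry a password literal in the console history file. The history file path and the sample history lines are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Sample data below is constructed.

# Returns 0 when the command line is safe to unlock an account with, 1 when
# --unlock is combined with a remotely reachable interface (HTTP or WS).
check_unlock_cmdline() {
    local cmdline="$1" unlock=0 remote=0 flag
    for flag in $cmdline; do
        case "$flag" in
            --unlock|--unlock=*) unlock=1 ;;
            --http|--http.*|--rpc|--rpcaddr*|--rpcport*|--ws|--ws.*|--wsaddr*|--wsport*)
                remote=1 ;;
        esac
    done
    if [ "$unlock" -eq 1 ] && [ "$remote" -eq 1 ]; then
        return 1
    fi
    return 0
}

# Prints history lines that pass a password literal to personal.unlockAccount,
# with the literal redacted so the report itself does not leak it.
find_leaked_unlocks() {
    local history_file="$1"
    grep -n 'personal\.unlockAccount(' "$history_file" \
      | sed -E 's/(personal\.unlockAccount\([^,]*,[[:space:]]*)"[^"]*"/\1"<REDACTED>"/'
}

# Removes every personal.unlockAccount line from the history file in place,
# keeping the file's mode bits (writes through the existing inode).
scrub_history() {
    local history_file="$1" tmp
    tmp="$(mktemp)"
    grep -v 'personal\.unlockAccount(' "$history_file" > "$tmp" || true
    cat "$tmp" > "$history_file" && rm -f "$tmp"
}

demo() {
    local f
    f="$(mktemp)"   # stands in for $HOME/.ethereum/history (constructed)
    printf '%s\n' 'eth.accounts' \
        'personal.unlockAccount(eth.accounts[0], "myethsecret", 5)' \
        'eth.blockNumber' > "$f"
    echo "leaked unlock calls:"; find_leaked_unlocks "$f"
    scrub_history "$f"
    echo "history after scrub:"; cat "$f"
    rm -f "$f"
}
demo
```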
Clyde D'Cruz

Computer Science, Blockchain and DLT