Comments (5)
Dibs on this issue.
I am going to focus on the functionality over styling until we get some more concrete designs.
from burner-wallet.
I think this is one which is worth having a security/convenience tradeoff discussion before going ahead with.
Even password protected keyfiles are not what I'd consider "secure". They are brute forceable, and only as good as a great password. Relevant SO question
Please bear in mind that the 14 years and other results are all theoretical. The real lesson learned: The KDF is negligible if you want to know the real security of your wallet. If you pick a password like "1234" while lower/uppercase, numbers and special chars are allowed neither the KDF nor the AES will help you and your wallet cannot be considered secure
I think the process of exporting the private key should come with some friction and some education about what it means to secure such a thing. The Burner Wallet is very far towards convenience on the security/convenience spectrum, which is awesome. However once the person decides to export the private key, they should be entering a much more secure, responsible world.
One idea on how to facilitate this is to provide the person with the seed phrase, instructing them to either transcribe directly into their other wallet application, or to write it down on paper. I really do think we should have some messaging/education here as well, warning them of the perils of properly securing a private key. This will require some design thought.
from burner-wallet.
I think the process of exporting the private key should come with some friction and some education about what it means to secure such a thing. The Burner Wallet is very far towards convenience on the security/convenience spectrum, which is awesome. However once the person decides to export the private key, they should be entering a much more secure, responsible world.
I disagree with this. Exporting the private key should be easy, since until a user exports it they are vulnerable to loss of the wallet.
I'm making the assumption that it's much more likely that a user will lose funds by losing the private key (incognito mode, etc), than by having it stolen.
If this is the case, then putting barriers in the way of backing up the private key is opposite of what we want to do. Making it harder to back up the wallet makes it more likely that a user will lose funds.
I don't really like the idea of emailing either though because it seems cumbersome. I think that we should just polish the flow around copying the private key. Then, the user can put it somewhere in their phone. Many users will paste it into a todo or text it to themselves. This is not ideal. But if the wallet is securing a small amount, who cares? A security-literate user will paste the private key into a password manager, which I believe is one of the best ways to secure it.
from burner-wallet.
A security-literate user will paste the private key into a password manager, which I believe is one of the best ways to secure it.
This might be exactly what we try to enforce? Is there a way to strongly suggest that a PM is used to store the key?
In the end a wallet is just a high-order password manage for private keys... Thus should the aim of the burner wallet be to at some level manage those keys safely for the user? Installed software wallets are expected to do this, maybe the web-only wallets would not need to do this... But I suspect the app handling this vs. passing it to the user is a better way to go long term.
from burner-wallet.
This issue and #170 address the same problem and should be combined.
from burner-wallet.
Related Issues (20)
- Create a proposal on how the burner-wallet can prevent its private key from leaking when signing an external dapp's transactions HOT 1
- Improve burner-wallet development by using test or local networks
- Use estimateGas for gasLimit instead of arbitrary value HOT 1
- Support Light Clients
- Add Token Meta Transactions
- create continuous integration HOT 4
- Disable or hide the Metamask popoup HOT 1
- Create a Burner Wallet Web3 Provider for Web3connect HOT 3
- Retrieve xdai locked on the link contract
- send with link for large numbers failing
- Incorrect incognito detection
- Add Ethereum address to FUNDING.yml
- Upgrade contracts to GSN network HOT 2
- Using many deprecated dependencies
- scrypt dependency fails on node v12.12.0
- DAI doesn't show in BurnerWallet
- xDAI.io stuck when trying to convert Dai to xDai
- Transactions that are removed from blockchain are still shown in the DApp
- Robinsonwealth
- Top
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from burner-wallet.