[Feature Request] Make Anti-phishing Mnemonic check more generic

[AlexanderKoehn]

Currently the wallet 'only' checks the managed mnemonics and thus fails to check mnemonics of hw based addresses, since it cannot access them. Proposal: instead of checking against the user specific mnemonics, check against the word dictionary. This could also be done for private keys in a similar way.

[AuroxDeFi]

Do you mean for the anti-phishing?

[AlexanderKoehn]

Do you mean for the anti-phishing?

Yes! I've updated the title

[AuroxDeFi]

It's possible but it will need to be tested since it might introduce variety of edge cases. Since the dictionary contains 2048 words, it might:

1. Increase computer resource usage causing potential lagging when user is typing.
2. False positives since some words could be typed in a row by the user when writing an email, message, etc..

It's possible to avoid the second issue by waiting until the user types in 6 or more out of the 12 mnemonics in a row, but certain phishing pages log the input form even if the user doesn't submit it. Which could potentially allow a very persistent attacker to bruteforce the remaining words. Especially if it's a spear phishing campaign with the attacker knowing the victim has significant holdings.

Here is an article on someone bruteforcing 4 unknown words out of the 12 in less than 30 hours: https://medium.com/@johncantrell97/how-i-checked-over-1-trillion-mnemonics-in-30-hours-to-win-a-bitcoin-635fe051a752

Although 6 unknown words would require exponentially more time, the less words that we allow the user to type in before triggering the warning, the better.

As long as the above 2 problems can be resolved properly, your solution does make sense and would help expand protection to hardware wallets. We'll try to implement it and test it.