NebulousLabs / Sia

Blockchain-based marketplace for file storage. Project has moved to GitLab: https://gitlab.com/NebulousLabs/Sia
https://sia.tech
MIT License

make wallet unlocked by default #778

Closed KlausT closed 8 years ago

KlausT commented 9 years ago

A wallet that's locked by default is generally a bad idea. Lots of people will forget the password and then everything is lost. Locking the wallet should not be done automatically, ever. Let them do it manually.

DavidVorick commented 9 years ago

I understand where you are coming from, but the entire foundational idea is that the data is never unencrypted on disk.

Backing away from that would either require a big design overhaul, or it would require saving the password in some predictable location like password.json

KlausT commented 9 years ago

I'm not talking about the encrypted files. It's about the wallet being locked after a restart.

DavidVorick commented 9 years ago

If everything is encrypted on disk, then there's no way to know how to load it on start. You can't decrypt anything until you have the password. It has to be locked at start because there's no secret data on disk for you to load.

The only way to have the wallet be automatically unlocked after a restart is to put unencrypted secret data on disk, which I think is a pretty big security concern.

KlausT commented 9 years ago

So you have to decide what kind of damage is bigger: Stuff being stolen by malware, or stuff being lost because of lost passwords

DavidVorick commented 9 years ago

It's certainly not an easy question to answer. Most people have grown up expecting there to be a 'reset my password' button, and don't like the idea of sharp corners where a misplaced password means loss of all data. I think that as a whole though this is a very weak security construction, and we can already see that it leaves things like the bitcointalk forum vulnerable to social engineering attacks (someone called the datacenter and asked for a password reset - though they were not the admins or the owners, they were granted a password reset and therefore the keys to the bitcointalk kingdom). But we don't want to alienate users by suddenly switching to a forceful security model that they are not familiar with.

Sia is also working really hard to be enterprise friendly, and I think a lot of enterprises would gladly trade the sharp corners for the increased security.

Certainly we need to protect users. Perhaps there are other things we can do to make sure that users have properly stored, written down, or otherwise secured backups of their encryption passwords. One of the things that we do is make the passwords cryptographically secure - too long and complicated to be memorized. We also tell them explicitly to write the password down somewhere.

I think I prefer keeping things always-encrypted, but if you have other ideas for steps we can take to minimize the number of coins lost to forgotten passwords, I'm open to hearing them.

I wonder if there are other coins with good solutions to this problem. For example, Nxt suffers from the same issue - forget your password and you lose your coins forever. So there is a definite precedent for sharp corners in the altcoin industry.

KlausT commented 9 years ago

Yeah. Right now I can't see a solution to have both bulletproof security and user-friendliness at the same time. That's probably not possible.

DavidVorick commented 9 years ago

So, there's sort of a middleground solution.

Right now, there's a double-whammy of the wallet being locked at startup, AND the balance displaying as 0 until the wallet is unlocked. The wallet must be locked at startup, but we can at least make the balance readable at startup. So that's the direction this issue is taking: display a balance at startup.
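
A minimal sketch of that middle ground, added here as an example and not Sia's own wallet code: the cached balance sits in plaintext and is readable while the wallet is locked, the seed exists on disk only as authenticated ciphertext, and unlocking is the only way to load it. The names (Wallet, NewWallet, Unlock, Lock, Seed) and the salted SHA-256 key derivation are assumptions for the example; a real wallet would use a memory-hard KDF.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Wallet mirrors the on-disk record: Balance (a cached value, constructed here) is plaintext
// so it can be shown at startup; the seed is on disk only as AES-GCM ciphertext (SealedSeed).
type Wallet struct {
	Balance                 uint64
	Salt, Nonce, SealedSeed []byte
	seed                    []byte // in-memory only, nil until Unlock succeeds
}

// deriveKey stands in for a memory-hard KDF (scrypt/argon2) to stay on the standard library.
func deriveKey(password string, salt []byte) cipher.AEAD {
	h := sha256.Sum256(append([]byte(password), salt...)) // 32 bytes: a valid AES-256 key
	block, _ := aes.NewCipher(h[:])
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// NewWallet seals a fresh seed; the wallet starts locked, just as it would after a restart.
func NewWallet(password string, seed []byte, balance uint64) *Wallet {
	salt, nonce := make([]byte, 16), make([]byte, 12)
	rand.Read(salt)
	rand.Read(nonce)
	return &Wallet{Balance: balance, Salt: salt, Nonce: nonce,
		SealedSeed: deriveKey(password, salt).Seal(nil, nonce, seed, nil)}
}

// Unlock authenticates the ciphertext: a wrong password fails the GCM tag check, no seed loads.
func (w *Wallet) Unlock(password string) error {
	seed, err := deriveKey(password, w.Salt).Open(nil, w.Nonce, w.SealedSeed, nil)
	if err != nil {
		return errors.New("wrong password: seed cannot be decrypted")
	}
	w.seed = seed
	return nil
}

// Lock drops the seed (production code also zeroes the buffer); it is only called explicitly.
func (w *Wallet) Lock() { w.seed = nil }

// Seed is nil while locked; Balance needs no such gate.
func (w *Wallet) Seed() []byte { return w.seed }
```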

DavidVorick commented 8 years ago

This is currently being handled UI-side