element-hq / element-meta

Shared/meta documentation and project artefacts for Element clients

Using The Same Passphrase For Encryption As For Login #1368

Open Nesaijn opened 3 years ago

Nesaijn commented 3 years ago

Is your suggestion related to a problem? Please describe.

For casual users it is already a hassle to sign up because they have to memorize a password for their account. Adding another step where they have to come up with and also memorize a passphrase for encryption seems to be a bad user experience. Even when they use a password manager, having to set two passwords is too much by today's standards.

Describe the solution you'd like.

I have seen the "hit list" of 2021 and saw the comment on E2EE improvements where the idea is being considered to use the same passphrase for encryption as is used for the login process. The user creates an account by giving a username and password and ideally is also able to use E2EE without any extra choices to make. This means that using a recovery backup is the default and that the passphrase is the same string that is used as the login password.

Describe alternatives you've considered.

An alternative may be to give the user a choice after they have signed up. Asking if they want to secure the E2EE encryption keys themselves or not. If not then use a recovery backup with the login password as the passphrase as default. A second alternative goes in the same direction as the first one. After signup have the choice to create a backup oneself or to create a recovery backup. But then ask if the login password should be used or another one.

Additional context

I think that this would immensely reduce the barrier for new users and casual users. That is why with this feature request I advocate for using the same password for login as for the backup as default or at least with not much hassle.

t3chguy commented 3 years ago

Using the same string for the account password and encryption passphrase without any cryptographic solution (in the Matrix spec, potentially locking out password authentication via means like LDAP) would result in the server having access to all your cross-signing and key backups, due to it being able to sniff your password during login and use it to unlock your encryption.

https://github.com/matrix-org/matrix-doc/pull/2957 is the Matrix proposal you probably want to follow.
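
An added illustration of the risk described in the comment above, and of the general idea behind cryptographic fixes of this kind (the client derives separate, independent keys from one password and only ever sends the authentication-derived one). This is not code from Element, Synapse, or the linked proposal; the PBKDF2 parameters, the salt, and the `auth`/`backup` labels are constructed assumptions, not the Matrix spec's or MSC2957's actual values.

```python
"""Toy model: a homeserver sees the login secret in plaintext at login time.
If the key-backup passphrase is that same string, and the backup's salt and
iteration count are public metadata, the server can derive the backup key.
All parameters below are constructed for the illustration."""
import hashlib
import hmac

ITERATIONS = 100_000          # constructed; real deployments pick their own
SALT = b"constructed-salt"    # backup metadata is visible to the server


def backup_key_from_passphrase(passphrase: str, salt: bytes) -> bytes:
    """Derive a 32-byte backup key from a passphrase; anyone who knows the
    passphrase and the public salt can compute the same key."""
    return hashlib.pbkdf2_hmac("sha512", passphrase.encode(), salt,
                               ITERATIONS, dklen=32)


class Server:
    """Receives the login secret in plaintext (e.g. to forward it to LDAP)
    and stores only a hash of it for later password checks."""
    def __init__(self):
        self.password_hash = None
        self.seen_login_secret = None   # what a compromised server captures

    def login(self, login_secret: bytes):
        self.seen_login_secret = login_secret
        self.password_hash = hashlib.sha256(login_secret).hexdigest()


def naive_flow(password: str) -> bool:
    """Same string for login and backup passphrase. Returns True when the
    server can reproduce the client's backup key from what it saw at login."""
    server = Server()
    server.login(password.encode())
    client_key = backup_key_from_passphrase(password, SALT)
    server_key = backup_key_from_passphrase(server.seen_login_secret.decode(), SALT)
    return hmac.compare_digest(client_key, server_key)


def split_flow(password: str) -> bool:
    """Client derives two domain-separated keys and sends only the auth key.
    Returns True only if the server can still reproduce the backup key."""
    auth_key = hashlib.pbkdf2_hmac("sha512", password.encode(),
                                   b"auth:" + SALT, ITERATIONS, dklen=32)
    backup_key = hashlib.pbkdf2_hmac("sha512", password.encode(),
                                     b"backup:" + SALT, ITERATIONS, dklen=32)
    server = Server()
    server.login(auth_key)   # the password itself never leaves the client
    # The server only holds auth_key; feeding it to the backup derivation
    # yields an unrelated key, and PBKDF2 cannot be run backwards to recover
    # the password it came from.
    server_attempt = backup_key_from_passphrase(server.seen_login_secret.hex(), SALT)
    return hmac.compare_digest(backup_key, server_attempt)
```

The toy server here keeps the login secret it saw; a real server would not store it, but, as noted above, nothing stops a malicious or compromised one from doing so.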

Nesaijn commented 3 years ago

Thank you for the link. Does that mean that as of now the password is not hashed on sign up/in? Or even that the password is stored on the server in plain text?

t3chguy commented 3 years ago

That's up to the server. Synapse hashes it, but during login you send it in plaintext, as it might need to pass it to an external password provider like LDAP for auth.

Nesaijn commented 3 years ago

Oh. Yeah, that changes everything.