iancoleman / bip39

A web tool for converting BIP39 mnemonic codes
https://iancoleman.io/bip39/
MIT License

Suggestion: Hide All Private Info should use a Password Field #685

Open Industrial opened 6 days ago

Industrial commented 6 days ago

Hi. This is a very valuable tool for offline seed generation for air-gapped devices; however, I think the "Hide all private info" option serves no practical purpose and can be improved upon.

My security requirements require me to generate, save and retrieve both the seed and private key information without exposing it as clear text.

For this purpose, I think all generated private information should use Password Fields instead of Plain Text Fields. There should be a Copy button to the right of each password field for copying the value to the clipboard.

Users can then copy the generated values, paste them into a password manager (like KeePass), copy them from there (again without revealing the value) and paste them into the wallet app. This closes the loop and ensures no private information can ever be viewed (or, say, recorded) by onlookers or hacked devices or the like.

thiagosouza commented 5 days ago

Man, I understand... but the premise is wrong. It is easier for malicious software to gain access to the clipboard and steal your password at the moment you copy it than to read the screen. The recommendation would be to do this totally offline and erase everything after copying.

On Sat, Nov 23, 2024, 2:41 PM Tom Wieland wrote: (quoted the opening comment above in full)

Industrial commented 5 days ago

Well, there is a reason that password managers do not reveal the password and instead show dots. It's the same for Cloud Environments with Environment Variables, Secrets and API keys.

Since "Hide Private Info" hides the complete input field, it makes it unusable. By offering a password field with a copy button (like a password manager), it becomes very usable while keeping the private information a secret :)
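Added example, written for this page and not code from the thread participants or from iancoleman/bip39: the password-manager-style field Industrial describes (password input, never drawn as plaintext, plus a Copy button), combined with the mitigation thiagosouza's objection calls for, overwriting the clipboard after a timeout so the secret does not stay readable by other programs. The 30-second timeout, the sample secret string, and the fake clipboard/timer objects used to run it outside a browser are all assumptions made for the demo; in a browser you would pass navigator.clipboard and the global setTimeout/clearTimeout instead.

```javascript
// Added example; not code from iancoleman/bip39 or from anyone in this thread.
// A secret field that behaves like a password-manager entry: the value is
// rendered as a password input (dots, never plaintext), a Copy button puts it
// on the clipboard, and the clipboard is overwritten after a timeout so the
// secret does not sit there for other programs to read. Clipboard and timers
// are injected so the same logic runs in Node for the demo below and in a
// browser with navigator.clipboard and the global setTimeout/clearTimeout.

function createSecretField(secret, deps) {
  const { clipboard, setTimer, clearTimer, clearAfterMs = 30000 } = deps; // 30 s is an assumed default
  let pendingClear = null; // handle of the scheduled clipboard wipe, if any
  let copies = 0;

  function scheduleClear() {
    if (pendingClear !== null) clearTimer(pendingClear); // re-copy restarts, never stacks, timers
    pendingClear = setTimer(() => {
      pendingClear = null;
      // Overwrite rather than leave the secret behind. A browser may reject
      // this write when the page is not focused, so the wipe is best effort.
      const p = clipboard.writeText("");
      if (p && typeof p.catch === "function") p.catch(() => {});
    }, clearAfterMs);
  }

  // Copy the secret to the clipboard and arm the wipe timer.
  function copy() {
    copies += 1;
    scheduleClear();
    return clipboard.writeText(secret);
  }

  // Build the input + button pair inside a browser document (unused in Node).
  function mount(container, doc) {
    const input = doc.createElement("input");
    input.type = "password";   // shows dots; the value is never drawn on screen
    input.readOnly = true;
    input.autocomplete = "off";
    input.value = secret;
    const button = doc.createElement("button");
    button.type = "button";
    button.textContent = "Copy";
    button.addEventListener("click", copy);
    container.append(input, button);
    return { input, button };
  }

  return {
    copy,
    mount,
    get copies() { return copies; },
    get clearPending() { return pendingClear !== null; },
  };
}

// Constructed stand-ins for navigator.clipboard and the timer API, used only
// so the flow can be exercised without a browser. They record every write and
// let the demo fire the pending timer by hand.
function fakeClipboard() {
  const writes = [];
  return {
    writes,
    writeText(text) { writes.push(text); },
    get current() { return writes.length ? writes[writes.length - 1] : ""; },
  };
}

function fakeTimers() {
  const queue = new Map();
  let next = 1;
  return {
    setTimer(fn, ms) { const id = next++; queue.set(id, { fn, ms }); return id; },
    clearTimer(id) { queue.delete(id); },
    fire() { for (const [id, { fn }] of queue) { queue.delete(id); fn(); } },
    get pending() { return queue.size; },
  };
}

// Walk through the workflow from the thread: copy the generated secret, have
// the password manager read it from the clipboard, click Copy again, then let
// the wipe timer run. Returns a trace of what each step observed.
function runDemo() {
  const secret = "sample seed phrase for the demo only, not a real wallet seed"; // constructed
  const clip = fakeClipboard();
  const timers = fakeTimers();
  const field = createSecretField(secret, {
    clipboard: clip, setTimer: timers.setTimer, clearTimer: timers.clearTimer, clearAfterMs: 30000,
  });

  field.copy();                              // user clicks Copy
  const pastedIntoManager = clip.current;    // password manager reads the clipboard
  field.copy();                              // second click restarts the timer
  const timersAfterRecopy = timers.pending;  // still exactly one wipe scheduled
  timers.fire();                             // 30 s elapse
  const afterWipe = clip.current;            // clipboard now holds ""

  return {
    secret, pastedIntoManager, timersAfterRecopy, afterWipe,
    copies: field.copies, clearPending: field.clearPending, writes: clip.writes.length,
  };
}
```

Two caveats a practitioner should keep in mind: anything on the clipboard is readable by every process that can access it, so the wipe only shortens the exposure window rather than removing it, and the password-type input still holds the value in the DOM, so a compromised browser or extension can read it regardless of how it is rendered.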

Industrial commented 4 days ago

I made my own program. It satisfies my needs but only implements 24-word seed phrases and private keys: https://github.com/Industrial/crypto