Open sotpapathe opened 6 years ago
Interesting idea.
I've decided to not pursue security measures that involve trying to contain data within a compromised system. They have value but not enough for me to prioritize them. As I see it, they are redundant given the button press confirmation requirement. The master password, even if intercepted, can't be used without the user's participation. That said, I will accept pull requests for features like this, however, if they can be turned on and off from settings.
Of course, such a feature would not be a priority right now. I mainly added it for future consideration. As for the use case, what I had in mind was mainly an untrusted computer, such as a work or friend's computer, where you wouldn't mind exposing one or two specific passwords but possibly giving away your encryption password would be too much.
Entering your Signet encryption password on a hardware keyboard could potentially lead to its interception by keyloggers or similar software. For added security, an on-screen keyboard could be added to the Signet desktop client in order to bypass the hardware keyboard. For extra security, the positions of the keys of the on-screen keyboard could be shuffled around each time it is used.