Open voneiden opened 5 years ago
See magic words. Example restore:
electrum -w filename restore --passphrase : :
First prompt is for extension and second is for seed.
Or specifically for the create command, e.g.:
electrum create --password : --passphrase :
From at least 3.3.0 onwards, there doesn't seem to be a password prompt and the wallet is created without a password
Do you suggest making it harder for the user to create a wallet without a password?
maybe a password with concealed prompt should be the default here. but we need a way to create a wallet without password
we could raise if a password is not provided, except if e.g. --disablepassword is given, or something like that
Oh, nice, my bad. I missed those magic words.
From at least 3.3.0 onwards, there doesn't seem to be a password prompt and the wallet is created without a password
Do you suggest making it harder for the user to create a wallet without a password?
I was more concerned with the user creating a wallet by supplying the password as an argument (without the use of magic words and getpass), due to the possibility that the user may not be aware that the password may end up stored in a history file in plaintext. In addition, the password may also leak via other unexpected ways, like for a short moment it could be visible via the process list (ps) while the electrum process is running.
One possibility that comes to my mind is prohibiting passing insecure arguments without explicitly allowing them using another switch, something like --allow-insecure-arguments. This would preserve programmatic access, while making the user aware of the possible risks involved.
It's a fairly minor thing, but I'm concerned that the current handling of passphrase/password when creating a new wallet via command line exposes a careless user to leaking their wallet password into a shell history file, such as .bash_history.
In a previous version (at least in 3.2.3) electrum create would use getpass to get the new wallet password if one was not given. From at least 3.3.0 onwards, there doesn't seem to be a password prompt and the wallet is created without a password. OK, the user can use electrum password after creating the wallet, but this may not be immediately obvious and in turn may encourage supplying the password as an argument instead.
For passphrase (seed extension), the use of getpass doesn't seem to be currently available.
Ability to supply these as command line arguments should be naturally retained for programmatic access, but how to reduce the risks for a shell user?
For example, could we make getpass somehow the default approach and issue a warning/reminder about history files if the secrets are given through command line arguments?
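The behaviour discussed in this thread, sketched as an added example that is not Electrum's code: a concealed getpass prompt is the default, the ":" magic word forces a prompt, and a literal secret in argv is refused unless explicitly allowed. The `wallet-demo` CLI and `resolve_secrets` are hypothetical, and `--disablepassword` and `--allow-insecure-arguments` are only the names proposed in the comments above, not existing Electrum options.

```python
import argparse
import getpass
import sys

PROMPT = ":"  # the thread's "magic word": ask on the terminal instead of reading argv


def build_parser():
    p = argparse.ArgumentParser(prog="wallet-demo")  # hypothetical CLI, not Electrum's parser
    p.add_argument("command", choices=["create"])
    p.add_argument("--password", default=PROMPT)    # concealed prompt is the default
    p.add_argument("--passphrase", default=None)    # seed extension stays optional
    p.add_argument("--disablepassword", action="store_true")
    p.add_argument("--allow-insecure-arguments", action="store_true")
    return p


def resolve_secrets(argv, prompt=getpass.getpass, warn=sys.stderr.write):
    """Return {'password': ..., 'passphrase': ...} without trusting argv by default."""
    args = build_parser().parse_args(argv)
    if args.disablepassword:
        if args.password != PROMPT:
            raise SystemExit("--disablepassword cannot be combined with --password")
        args.password = None
    secrets = {}
    for name in ("password", "passphrase"):
        value = getattr(args, name)
        if value == PROMPT:
            value = prompt(f"Enter {name}: ")  # getpass: no echo, nothing left in argv
        elif value is not None:
            # A literal secret in argv is saved by shell history and is visible
            # in the process list while the command runs.
            if not args.allow_insecure_arguments:
                raise SystemExit(f"--{name} on the command line is insecure; pass "
                                 f"'{PROMPT}' to be prompted or add --allow-insecure-arguments")
            warn(f"warning: --{name} was given in argv and may be in your shell history\n")
        secrets[name] = value
    if not secrets["password"] and not args.disablepassword:
        raise SystemExit("empty password; use --disablepassword for an unencrypted wallet")
    return secrets


if __name__ == "__main__":
    resolved = resolve_secrets(sys.argv[1:])
    print({k: ("<set>" if v else None) for k, v in resolved.items()})
```

The opt-in switch only makes the risk explicit for scripts; a secret passed this way is still readable from the process list while the command runs.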