spesmilo / electrum

Electrum Bitcoin Wallet
https://electrum.org
MIT License

Hide (obscure) seed phrase when restoring a wallet #8157

Open maltfield opened 1 year ago

maltfield commented 1 year ago

This ticket is a feature request to have the Electrum Wallet obscure the characters typed in when the user is entering their seed phrase to restore a wallet.

Why?

For security reasons, I have wallets in cold storage and only access them occasionally on a stateless session (eg in live distribution like TAILS or a "disposable VM" in QubesOS). Whenever I need to make a transaction from these wallets in cold storage, I need to restore the wallet.

My wallet seed phrases are stored in an offline, encrypted password database. So restoring the wallet in electrum means decrypting the password database and copy/pasting the seed phrase into electrum's input field.

Here's the problem: If I'm working in an office, then I always have to leave my desk and go lock myself in a single-occupancy room with my back to a wall. Sometimes I work from cafes. Sometimes I work in common spaces.

With the current implementation of the Electrum Wallet's seed phrase input field, a single smartphone picture taken by someone else in the room during a restore could compromise all of the wallet's funds.

Secret Inputs should be obscured, per standards

The Web Hypertext Application Technology Working Group says the following about password input fields in their HTML Standard:

The user agent should obscure the value so that people other than the user cannot see it.

As we're all used to in web browsers, the default when typing a password is to obscure the input. Why would Electrum deviate from that standard?

Solution

By default, Electrum should not display any secret keys (like the seed phrase) on the screen. If a "display seed phrase" feature were to be implemented, then there should be a button with an "eye" icon that, when clicked, would de-obscure the input field.

This would allow someone to restore their wallet in an office or other public or semi-public setting without giving away their seed phrase to anyone watching their screen.

donob4n commented 1 year ago

Hi,

I'm not sure this is really a security improvement for Electrum, and it could also lead to confusion for some users about the difference between seeds and decryption passwords.

In my opinion you should change the way you handle this:

My wallet seed phrases are stored in an offline, encrypted password database. So restoring the wallet in electrum means decrypting the password database and copy/pasting the seed phrase into electrum's input field.

Instead of having the seeds in an offline database, you should use some offline VM or device with Electrum and your wallet (better if encrypted with a key) and restore the 'Master Public Key' on your DispVM/Tails...

So then you could prepare transactions on the read-only wallet, copy to the offline electrum, sign them, copy again and broadcast! No seed or encryption key should be exposed.

https://electrum.readthedocs.io/en/latest/coldstorage.html

This could also lead to some degree of security illusion and to users taking more risk when exposing their seeds. A good cold storage mechanism can't rely on restoring your wallet from seeds in public places.

ecdsa commented 1 year ago

A good cold storage mechanism can't rely on restoring your wallet from seeds on public places.

I agree with that. In addition, you should not have to type your seed every time you access your wallet.

maltfield commented 1 year ago

Are you opposed to adding a toggle to obscure the seed phrase, even if not on by default?

Please do not assume that everyone has the luxury of having a private place where they can operate their computer without exposing their screen to cameras or eyes.

SomberNight commented 1 year ago

I think it's a reasonable suggestion to be able to obscure the seed words in the text fields.

Especially if it's about restoring (as opposed to generating a new seed), conceptually it looks easy: there could be an "eye" icon in the empty textbox. When the user starts entering text and realises it's visible, they can click the eye icon to turn text into password-asterisks. This way, it would not get in the way for those who don't care, but it would still be easily discoverable and usable.

Also, we already have the architecture to add such an eye icon thingie into the textbox: https://github.com/spesmilo/electrum/blob/72d750c51c1e4c0d0217454eaa93aa254ec2c8e2/electrum/gui/qt/seed_dialog.py#L153 The TextEdit already inherits ButtonsTextEdit/OverlayControlMixin, which allow adding such interactive icons.

However, unfortunately the "turn the text into password-asterisks" part would have to be implemented by us AFAICT, as Qt only supports the relevant echoMode functionality for single line text edits (QLineEdit).

If someone contributes good code for doing this, I would be in favour of adding the functionality.
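Added example (not Electrum's code, and not from any commenter) of the bookkeeping the comment above says the project would have to do itself: keep the real seed text outside the multi-line widget and render a masked view, with an "eye" toggle. The class name and the edit(position, chars_removed, inserted) hook are my own assumptions; the hook mirrors the (position, charsRemoved, charsAdded) shape of Qt's QTextDocument.contentsChange signal, which is one way a QTextEdit could drive it, but the model itself has no Qt dependency so it runs stand-alone.

```python
"""Widget-agnostic mask model for a multi-line seed-phrase editor.

Qt's echoMode masking exists only for QLineEdit, so a QTextEdit-based
seed field has to hold the real words itself and show a masked rendering.
"""

MASK_CHAR = "\u2022"  # bullet, same glyph QLineEdit uses by default


class MaskedSeedBuffer:
    """Holds the secret text; the widget only ever receives display()."""

    def __init__(self, text: str = "", obscured: bool = True) -> None:
        self._text = text          # real seed words, never rendered while obscured
        self.obscured = obscured   # state of the "eye" toggle (hidden by default)

    def toggle(self) -> bool:
        """Flip the eye icon; returns the new obscured state."""
        self.obscured = not self.obscured
        return self.obscured

    def secret(self) -> str:
        return self._text

    def display(self) -> str:
        """Text the widget should show. Whitespace is kept so the user can
        still see word boundaries and count words; every other char is masked."""
        if not self.obscured:
            return self._text
        return "".join(c if c.isspace() else MASK_CHAR for c in self._text)

    def edit(self, position: int, chars_removed: int, inserted: str) -> str:
        """Apply an edit reported against the *displayed* text to the secret.
        display() is always the same length as the secret, so offsets map 1:1
        whether the user types a word, pastes the whole phrase, or deletes."""
        end = position + chars_removed
        if position < 0 or chars_removed < 0 or end > len(self._text):
            raise ValueError("edit outside buffer")
        self._text = self._text[:position] + inserted + self._text[end:]
        return self.display()

    def word_count(self) -> int:
        """Lets the dialog validate word count without revealing the words."""
        return len(self._text.split())


if __name__ == "__main__":
    buf = MaskedSeedBuffer()
    print(buf.edit(0, 0, "abandon ability able"))  # constructed sample, masked
    buf.toggle()
    print(buf.display())                            # eye clicked: plain text
```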