Pin code over password for some functions?
Okay don’t shoot me down I am just asking and maybe suggesting some improvements to the user experience. I get to send coins out of your wallet you should need to enter your password I get that but is there a reason I have to enter my password to swap coins from anon to public balances within my own wallet? I think if we had something like a 6 digit pin instead of a password it would be much more user friendly! as my password is stupid bloody long.
would there be any way to have an option where just like you select “unlock for staking” and then your wallet is unlocked for staking have an option where you could select to use your pin over the password for most things excluding actually sending coins out of the wallet?
so for things like.
paying a listing fee when publishing a item
converting coins from public to private or vice versa
and other things that will probably pop into my head latter on. I think having a 6 digit PIN you could select to use over password for some options would be far more user friendly.
In my head it would work like this ideally.
- like staking you would click the padlock
- select activate PIN (Or something like that)
- enter your password
- select time frame to Activate PIN
- once time frame was up it would auto lock and you would need to reenter Password to do anything.
Not really great at putting my ideas into words so hope you understand what I am trying to say/suggest.
first of all: no worries about being shot down in here!
The reason you have to enter your password when converting balances is this:
By doing so, you are spending coins just as if you were sending them to any other address, hence the incurring transaction fees. Spending coins always requires to unlock the wallet for security reasons.
This is how Bitcoin wallets work and since Particl adapts to the Bitcoin codebase, this is how Particl wallets work.
There is a function to unlock your wallet for a specified amount of time. I think in Particl Desktop this possible now even without the debug console.
So you could set it for an hour if you know you are doing stuff for a while.
Technically it should be possible. Have people enter a pincode that in turn will use the passphrase to unlock your wallet.
In this case you would need to store the original passphrase on your machine in some form however, which would reduce security.
So it’s a trade-off between ease-of-use and security.
It would certainly be cool if users could choose this for themselves with Particl Desktop.
Do you know the waves blockchain? Their desktop app (wallet and integrated DEX) works just like this: you enter a password once at startup and then it’s all unlocked until you close the app.
So, principles regarding security aside, I don’t see a reason why we can’t have this for Particl Desktop.
what confuses me about the converting balances is there is nowhere to enter address so is it even possible for this to be used as method for a hacker to steal coins if there was no password required?
If there’s an attacker that can access your wallet but doesn’t have the private key or wallet password to do anything but convert between private/blind/anon?
That’s a good question. Want to ask that in support on Discord?
At least the attacker could convert back and forth a lot and make you poorer through transaction fees…
hahah good point boring attacker though the fee is so small it would take a long time I think they would get bored
But yeah I am not suggesting no password at all for things like converting balances and other things like paying listing fee but something a bit simpler like a PIN. if hacker can’t get your Password I doubt he will be able to get your pin either. but if you have long password and complicated like you should it makes the whole process a pain in the ass the PIN would be so much better.
A PIN for intra-wallet transactions. Why not.
Sounds reasonable to me.
Awesome! first step towards making it a reality is getting someone to agree with you it’s a good idea so Amen to that
Hey dadon, I see your point.
It’s definitely a balance between convinience and security. From my understanding there can’t be made a distinction between sending coins out to a third party or to convert them to one of your own blind or anon addresses. For sending them out from your initial public address you need to sign them with the corresponding private key, nevertheless whether its a small or large amount or whether its related to a conversion or a conventional transaction.
Your private key is stored in the wallet.dat-file on your PC and therefore its crucial to protect them from being accessible to a potential hacker. That’s why wallet.dat is secured by your password and that’s why you always have to enter this when you need to send any coins. I don’t know how the desktop app handles this, but by unlocking your desktop wallet for a certain amount of time, your wallet.dat or your private key seems to be easier accessible and thus makes the whole “security measures” more vulnerable to attackers. I’m not sure whether it would help to put another security layer on top of it (e.g. PIN, photoTAN, 2FA, …) when the principal underlaying basic security measure (private key in wallet.dat) is already attackable.
well is it possible to. just like we can activate staking by entering our password and selecting unlock for staking or selecting the unlock wallet and setting a time frame before autolock, have an the option to select use PIN. (6-8 digits)
So in my head the ideal user experience/process would be (for me at least) and why I would love a option to use a PIN).
I open my wallet (wallet is locked)
I press padlock icon and select “Unlock for PIN” (or however it would be phrased) and enter my main/regular password
set a time limit the wallet is unlocked for PIN use(when this is up your wallet will automatically lock back to requiring your main password for all functions so you don’t leave it on and forget) (time limit of 60-120 minutes max for extra security)
Now using this PIN I would be able to convert coins, send coins, accept bids place orders everything that would normally require me to use my main password. But excluding some functions like unlock wallet/turn on staking/change password or anything like that.
Is something like this possible and can you see where I am coming from with this… say you have a long complicated Password 50+ digits by using this 6-8 digit pin you can do everything you normally do that requires a lot of password entering with a lot more ease of use… but you need main password to turn it on initially so it’s not easily abused so hackers can’t get your wallet.data and just try to crack the pin they would need the main password to turn it on and once you were done even if you got up and walked away from computer and forgot about it. it would auto lock it turning off pin access. this seems to me it would be fairly safe… no less safe then current Password protection but far more user friendly for people like me who use long passwords which I think most probably do (Should).
I agree, your proposal would be more userfriendly, but most important is the security of the private key. I don’t know how the desktop app is getting access to the private key. When having the wallet.dat unlocked for a longer period of time, the user should be aware of that and not relying on the security of a PIN while underneath the wallet.dat-file might be still easily accessible. If ease of use is needed, I would just unlock the whole desktop app for a longer period of time, then neither password nor PIN would be to enter.
If there’s a way to store the private key in a secure manner inside the desktop app, I would rather use 2FA or a photoTAN to release each new transaction. This will give additional security over a PIN and is also a little bit more userfriendly than entering a long password.
However, I personally would prefer to integrate hardware wallet support also into the desktop app. I think this should be a midterm project goal as well, because this would give the possibility to sign transactions just by pushing a button on the hardware device.
“If ease of use is needed, I would just unlock the whole desktop app for a longer period of time, then neither password nor PIN would be to enter”.
problem I see with just unlocking wallet over PIN is even with the current option to unlock wallet for specified time to allow bids to process/listings to load. to do things like send coins/pay listing fees/convert balances you still need to enter password. the only way to disable password completely so it’s not required for anything is to not set up a password at all at creation of wallet meaning no protection. PIN is best of both worlds.
the only way to disable password completely so it’s not required for anything is to not set up a password at all at creation of wallet meaning no protection. PIN is best of both worlds.
Then why not setting up your PIN as password?
This would mean only weak protection, but I guess it would be the same when you keep your system often in “Unlock for PIN” status. In my eyes the best solution would be to integrate hardware-wallets like ledger or trezor.
So, being your own bank is not trivial and often also not convenient
because having a 8 digit password is weak security. and honestly I don’t like using 3rd party hardware to secure my coins. If a PIN set up in the way I described is possible. meaning you would.
Activate the pin like staking by entering your Password.
set a time frame before it auto-locks
then you have
A. the security of a regular complicated Password
B. usability of a simple easy to hack password.
“This would mean only weak protection, but I guess it would be the same when you keep your system often in “Unlock for PIN” status”.
No because you activate PIN by entering your main password same as turning staking on. if anyone get your wallet.dat they still need your main password and if your using a PIN that means you are entering this main password less which is also good for security.
particltribe - last edited by
Sounds to me that a 2FA option does make it more reliable and does also cover the idea/need of the OSD keyboard.
2FA is terrible IMO I can’t even count how many accounts I have lost access to because I had 2FA on. I wouldn’t use it. but If you had a option to use PIN and/or 2FA I wouldn’t complain. seems like 2FA would be more difficult to implement over a Simple PIN option also.
And I am guessing 2FA would not replace your password it would just be an extra security layer on top of it meaning i would still have to enter my super long Password + enter the code from the 2FA.
zaSmilingIdiot - last edited by
Just thought to mention that the simple explanation for the need to unlock the wallet, even when converting funds, is related to the private key in the wallet being encrypted. Converting funds still generates a transaction, and the transaction needs to be signed, and hence the wallet’s private key is needed, thus requiring that an encrypted wallet be unlocked.
@zaSmilingIdiot But is there anyway a hacker could steal your coins in the theoretical situation that converting coins did not require a password? and would a pin code in the way I described be possible? eg pin code activated like staking is activated by entering password then setting time frame for pin code use to be activated (ex 60 min) before pincode is automatically switched off and password required for all functions.
see the problem is you want people to enter a password for all functions and at the same time you want people to have a strong complicated password I am trying to find a happy medium for friendly user experience in the form of a pin code that is activated like staking for a set period of time by entering password and activating pin for all functions.
if someone gets hold of your wallet.dat this is no issue as you would require the regular password to activate pin so this would not weaken security by making it easier to crack as password is always required to turn the pin option on.
zaSmilingIdiot - last edited by
@dadon Lets maybe cover how this generally currently works, before getting into specifics (Note that this is in particl-core, and works more or less in a similar way in bitcoin core):
- In the wallet.dat file, the private key of the wallet is stored.
- Every transaction that sends funds to a different address is required to “sign” that transaction (which makes use of the private key). The signing basically indicates that the owner of that address was actually the one spending the coins (the “owner” here is the one holding the private key corresponding to that address).
- If someone was to copy the wallet.dat file from the core folder, and then place it into their own particl-core folder on their own node, they could spend funds belonging to that wallet, because they have access to the private key.
- To prevent this type of behaviour, its possible to encrypt the private key in the wallet.dat file.
The encryption of the wallet, where a password is specified and confirmed, is setting up step 4 for you. However, keep in mind that any spending of funds on addresses that belong to that wallet still need to be signed, so in order for core to read in the private key to do what it needs to do, core needs the private key to be in its unencrypted form… thus requiring your password to be input and the wallet’s private key unencrypted for a period of time, which then allows core to read it and use it as it needs.
Keep in mind from point 2 above that any spending of funds requires the private key. Converting funds IS spending funds, and is the same as “sending” funds to a different wallet. In both cases, you’re sending funds to a different address: in the case of “converting” funds, you’re just sending them to a different address in the same wallet that you control. Its a convenient case: rather than having the user go to the Receive tab > copy an address of the relevant type > go back to the Send tab > perform the necessary sending action, something similar is done internally. Thus, conversion of funds still creates a blockchain transaction, and thus still requires access to that private key to complete its action.
Now, lets go back to the original request:
Adding a pin code option somewhere in the mix here (in core) would simply be replacing (well, duplicating actually) the password functionality already provided. In other words, unlocking the private key would then be possible with either of the pin or password. With a pin code option being a lot easier to break, it would be pretty easy for a wallet.dat file thief to break the pin option very quickly. You’re basically weakening the ability of the longer more complex password intentionally, which doesn’t make much sense.
On the desktop application’s side, it doesn’t make much sense here either, since we’re basically weakening the security model of what core is offering. Its just shifting any focus of attack to the desktop.
We also shouldn’t be pushing the narrative that the wallet should remain unlocked for extended periods of time: if you feel the need or have reason to encrypt your wallet to begin with (which is recommended), then you don’t want to leave that wallet un-encrypted while you’re not able to monitor and manage it.
I hear the need to make it “more convenient”. But there’s a balance between convenience/simplicity and security: there’s a minimum requirement for each, and we need to ensure that we don’t exceed that minimum for one in pursuit of achieving/improving the other (note: I’m not suggesting that one needs to be sacrificed, I’m just saying that we should just not drop below the minimum necessary for each). Perhaps in this case a decent compromise is using a pin code for a password, and then making use of the multiwallet functionality to only store as much funds as what one cares to in this wallet, with the remainder funds sitting in one or more securer wallets. Which interestingly, is partly why we had/have the marketplace only on a second wallet (named “market”) in the v2.0 to v2.3 PD releases.
@zaSmilingIdiot “Adding a pin code option somewhere in the mix here (in core) would simply be replacing (well, duplicating actually) the password functionality already provided. In other words, unlocking the private key would then be possible with either of the pin or password. With a pin code option being a lot easier to break, it would be pretty easy for a wallet.dat file thief to break the pin option very quickly. You’re basically weakening the ability of the longer more complex password intentionally, which doesn’t make much sense”.
My suggestion was to “Unlock” the pin code option by entering your password first like you unlock staking and for the pin code to have a time limit you set where it auto locked back to requiring full PW after the time frame had expired. so if someone got hold of your wallet.dat they would not be able to access your coins easier because they would still require the password to activate the pin code option.
this would be the best of both worlds as doing things like accepting bids etc requires password. a seller for eg who needed to process a lot of orders could. enter password to unlock pin. set time limit for an hour or so do his business, only needing the pin instead of the probably long complex password he would normally need to enter probably dozens of times. then walk away from his computer and let it auto-lock back to requiring password to do anything.
My suggestion does not weaken security.