Redesign Passphrase

[slush0]

Make the workflow same for client for both non-passphrase device and passphrase device. Currently, client receives state only when passphrase is enabled.

[prusnak]

[prusnak]

We can ask for the passphrase 2x to avoid typos. And only ask for the passphrase once when the state is provided and we can detect these typos.

[prusnak]

Another option is to show passphrase on the device (if the user wants to - i.e. dialog Show passphrase?) after it has been entered.

[tsusanka]

Another option is to show passphrase on the device (if the user wants to - i.e. dialog Show passphrase?) after it has been entered.

Or add an icon that shows the passphrase (as is used sometimes). I'm not sure it can fit on the screen though.

[prusnak]

Related to Protocol redesign: #79

[andrewkozlik]

Some good points about passphrase design were made here: https://www.reddit.com/r/Bitcoin/comments/bp0nqs/trezor_or_ledger_which_one_is_better/enof517?utm_source=share&utm_medium=web2x

To summarize:

• Make it possible to easily switch between passphrases on the fly.
• Get rid of enable/disable passphrase as a configuration option. There should be no indication of whether in the past the device was used with a (non-empty) passphrase or not.
• Use a 2nd PIN to unlock the device and automatically enter a preconfigured passphrase.

I think the first two points can be solved by adding a "Switch passphrase" button to the web wallet. As for the third point, I actually think that this is in contradiction with plausible deniability. For one thing, there is likely to be some side-channel information, which could reveal whether the primary or secondary PIN was entered. So in general I am not too keen on supporting multiple PINs. However, I would like to make it possible to configure a default passphrase which would be automatically used upon start-up. The reason is that people may want to use a passphrase for various reasons:

• Plausible deniability, i.e. to have a real wallet and a decoy wallet.
• Providing additional protection, because they do not trust the PIN and hardware to protect their seed if the wallet is stolen.
• Providing additional protection in case their paper backup is stolen.

Say you are worried about protecting your paper backup but you trust the hardware and PIN to provide sufficient protection. In that case entering a passphrase during every start-up can be a real burden, which is why you'd like to configure it.

[prusnak]

I strongly agree with the first and second Reddit suggestions. Strongly Disagree with the third one.

I would like to make it possible to configure a default passphrase which would be automatically used upon start-up.

Where would this passphrase be stored? I think it is antipattern to store it anywhere. For various usability and security reasons.

[matejcik]

agree with @prusnak. Mainly because if passphrase is stored, it becomes another piece of "static" data that you don't remember after a month of not needing it, and you need to back it up somehow. Either you add it to the seed (which defeats point (3)), or you handle it separately (which gives you a brand new point of failure).

[andrewkozlik]

Where would this passphrase be stored? I think it is antipattern to store it anywhere. For various usability and security reasons.

It would be stored encrypted in the storage just like the mnemonic. This doesn't prevent you from using more passphrases. For example, you can have:

• passphrase1 to access your regular accounts which you use often and where you have say around $1000, and
• passphrase2 to access your savings accounts which you use rarely and where you have larger sums.

You configure passphrase1 to be stored on Trezor and used as default, whereas passphrase2 is not stored anywhere. That way you can easily access your regular accounts. If somebody steals your paper backup, they are not able to access neither your regular accounts nor your savings accounts. If they steal your Trezor and guess the PIN or extract the sensitive data by some means, then they gain access to your regular accounts but not to your savings accounts. So this feature merely provides a way to fine-tune your risk/usability tradeoff.

[prusnak]

I don't like that, honestly. It introduces confusion and people will surely forget the stored passphrase.

[tsusanka]

Consider splitting up reset device and backup device as part of this issue, because it is a breaking change for wallet / third parties as well.

[tsusanka]

Two QA scenarios I have forgotten:

For 2.3.0:

• Enable the "passphrase always on device" setting using trezorctl set passphrase enabled -f.
• Test against both Wallet and Suite that the passphrase is always requested on the device.

For 1.9.0 and 2.3.0:

• Test basic passphrase usage in Electrum.

[sorooris]

1. QA OK

2.3.0 (0b7a844)
Suite: bc1225231da00906c40a46d8cf5eac32bdfda206
Wallet (stage): 59e011aabb0d494ba569028e3eb8a2ad51c9eabc
Next Wallet (stage): 08826e1e8555a83d84eeedb55b5995c508ed8518

Passphrase was correctly requested only on the device, per session.

2. QA OK

2.3.0 (0b7a844)
1.9.0 (0b7a844)
Electrum 3.3.8

Passphrase was correctly prompted only once per session, tested send & receive, sign & verify.

A trivial visual bug was present in the passphrase entry prompt in the app.

[tsusanka]

The visual bug should be fixed in Electrum's master, se spesmilo/electrum#6064 (comment) . So I consider this done 🎉