Can someone much smarter than me explain why nsec login isn't widely supported anymore?

If we are going to purple pill millions and make nostr work.... sign up, login, and account recovery have to be easy! Normal people could understand saving a string of letters and numbers as "their password" and how losing it means losing their account.

#asknostr

If we apply "wisdom of the crowd":

(aggregating the judgments of many individuals, you can often cancel out individual biases and errors)

This would make copy paste nsec login the happy middle.

Above that, more advanced users that want extra security, privacy, or features can just use those things available like Amber and the rest of them.

And below basic nsec login, it wouldn't even be a nostr login.


Discussion

Every single nostr app I use has nsec login. Some have additional login options, but it's not consistent.

Nsec login is the only login that every nostr client supports.

Not #Coracle, and for good reason. Even devs with the best intentions can compromise their users' private keys if that information is available to them because the user is pasting in their nsec to log in.

Today if I drop my phone in a volcano, get robbed, or throw my phone through a wall in anger...

I simply get a new phone, put the nsec I have saved on paper into Amethyst, and I have my nostr account back.

Simple. Intuitive.

NO EXTRA APP NEEDED.

🤷

Apparently my key is at risk because of this, according to you?

Not according to me. According to real events that have actually happened where private keys were exposed because nsec login was permitted and though the dev believed he was being careful not to let that data be exposed, he found out there was something he hadn't taken into account.

Other clients may have actually intentionally gathered private keys from their users. A lot of early Nostr users may have had their private keys compromised from one client in particular. nostr:nprofile1qqsr7acdvhf6we9fch94qwhpy0nza36e3tgrtkpku25ppuu80f69kfqpz9mhxue69uhkummnw3ezuamfdejj7qghwaehxw309aex2mrp0yhxummnw3ezucnpdejz7qg4waehxw309aex2mrp0yhxgctdw4eju6t09ug4n6q3 would probably remember which one. It started with an A, if I remember correctly. No, not Amethyst.

I believe even nostr:nprofile1qqsyvrp9u6p0mfur9dfdru3d853tx9mdjuhkphxuxgfwmryja7zsvhqpzamhxue69uhhv6t5daezumn0wd68yvfwvdhk6tcpz9mhxue69uhkummnw3ezuamfdejj7qgwwaehxw309ahx7uewd3hkctcscpyug has talked about dropping support for nsec login in the past.

Anigma back in the day, December 2022, had a cross-site scripting issue and potentially leaked every key of users logging into their web app.

Vitor mentioned removing it, yes. I think that's a good idea and a bad idea 😂 It's good for all of us here now, but confusing as hell for new users. Hey, wanna use this app? Well, you have to install another app first. That's not good UX.

I wonder if the best way to resolve this is to have a kind 1 client as a user's initial onboarding client, that gets them set up with a private key, their profile, and allows them to have a NIP-60 wallet right away or connect a wallet of their own, and then can be used as a signer app for any other Nostr app they want to log into. That way it is still just one app that has their nsec, and provides them instruction to back it up, of course, but also only one app that a new user needs to install to get onboarded.

Yes. Way ahead of you. Help us bring back the cool myspace days, but in a nostr client.

MILLIONS HAVE NOSTALGIA FROM MYSPACE.

I'd like a full functional browser and mobile client by the start of 2026 that at least has all the things mentioned here:

https://spacestr.com/npub1wl89d7yazg500lehg08p45dj2jzhhyqg2erj067458e3wd30djns4zn8lu

I can't gauge if I'm smarter than you.

There's a good chance you probably are.

Where are you seeing it's not supported? There is something better that's being promoted, but it's supported everywhere I know of.

Nostr hasn't had a "famous fail" yet. But it will. Picture someone well-known on Nostr, maybe an existing Nostr personality, maybe a famous person who has wandered over and built a good following. A client has weak security. This well-known personality pastes in their nsec, and a hacker lurking in the client by some means grabs it.

The hacker then starts posting troll content from the personality's account. Both the personality and the hacker have access, neither can lock the other out, so it's likely going to be pretty Benny Hill for a little while at least. The personality now has to start from scratch in full public view, and it might be hard to watch. Certain niche tech media will have fun covering it.

Like I said, this kind of thing will happen, and when it does Nostr as a whole will need to use the event to point out that nsec hygiene is critical. That'll be helped if nsec copy-paste login has been widely deprecated. At any rate, everyone will suddenly be pretty freaked out about their own accounts.

Also remember that if someone has your nsec, you could never know about it, for years even. They're popping in now and again to have a look at your NIP-60 wallet, waiting for the balance to grow.