How do you keep your private key PRIVATE?

If the key is lost, your Nostr account is rendered useless, right?

Currently, I'm using a Password Manager to store it, but I'm curious how others are handling it.

Should there not be 2 forms of authentication?

#nostr #tech #privacy #authentication #security


Discussion

Pen + paper

Retro!

By 2 forms you mean like 2FA?

Otherwise, for me password manager with regular offline backups worked so far :)

Basically, yes. So private key and a YubiKey, for example.

No, 2FA is retarded. One is good enough; people don't need two. I use Notepad and keep the file on a USB.

I guess this is where I'm at a loss then. What happens if the USB key is stolen? The account is then in someone else's possession or forever in the wind, and as far as I can tell, with no way to change the key?

There is no way to change a key. As to the what-ifs, I guess I'll have to be responsible like everyone is supposed to be. But I am: it's on a USB and not in a password manager, which could get compromised.

Never use a proprietary password manager; open source only, if you must use one. To be safer, if anyone gets their hands on my text files they need to get past the encryption; I've used Picocrypt to encrypt the files.

I get the sentiment about what if's, but when you invest so much into a system, you like to ensure you're doing your best to maintain a positive security posture, at a minimal cost (time, effort).

Would you be against the idea of 2FA? I can't remember if things like my Ledger wallet use 2FA for extra protection. I really need to dig that out sometime.

Coldcard has a password manager: https://coldcard.com/docs/secure_notes/

Looks interesting! Will have to dive deeper into that. Thanks!

Tattoo inside on the lower lip

Perfect!!

A password manager is pretty standard for holding Nostr keys. It basically has built-in 2FA: something you have (the password database) and something you know (the password to unlock it).

There are people working to make this more usable/safer in the future.

nostr:npub1manlnflyzyjhgh970t8mmngrdytcp3jrmaa66u846ggg7t20cgqqvyn9tn is exploring using seed words to generate multiple linked private keys so each client/device you use could get its own key.

There's Amber, which holds your private key in one app and then other nostr clients can request that Amber signs each post (so the nostr clients never see the key, only Amber does). That doesn't address backups, but it helps lower the risk of a key being compromised.

https://github.com/greenart7c3/Amber

Other people are working on multi-sig solutions so two apps would need to be involved in signing each post. There's quite a bit going on in this area.

nostr:npub16v82nr4xt62nlydtj0mtxr49r6enc5r0sl2f7cq2zwdw7q92j5gs8meqha I think your hardware signer will come in handy with the multisig solutions… we should chat 👀
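The two ideas in the post above (one seed deriving a separate key per device, and a signer app that holds the key while clients only ask it for signatures) can be shown in a small program. This is an added example, not code from the thread, from Amber, or from any Nostr library: it uses Go's standard-library Ed25519 as a stand-in for the secp256k1 Schnorr signatures Nostr actually uses, an HMAC-SHA256 derivation that is not the real BIP-32/NIP-06 scheme, and a constructed seed. The `Signer`, `ClientPublish` and `VerifyEvent` names are assumptions for the sake of illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// deriveSeed turns one master seed plus a device label into a 32-byte
// per-device seed using HMAC-SHA256. Illustrative only: real Nostr
// tooling uses BIP-32/NIP-06 style derivation, not this construction.
func deriveSeed(master []byte, device string) []byte {
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte("nostr-device-key:" + device))
	return mac.Sum(nil)
}

// Signer plays the role of an app like Amber: it holds the private key for
// one device. Clients only get the public key and signatures from it.
type Signer struct {
	priv ed25519.PrivateKey
	pub  ed25519.PublicKey
}

// NewSigner derives this device's key from the master seed and label.
func NewSigner(master []byte, device string) *Signer {
	priv := ed25519.NewKeyFromSeed(deriveSeed(master, device))
	return &Signer{priv: priv, pub: priv.Public().(ed25519.PublicKey)}
}

// PublicKey returns a copy of the public key (what an npub would encode).
func (s *Signer) PublicKey() []byte { return append([]byte(nil), s.pub...) }

// Sign signs an event ID; the private key never leaves the Signer.
func (s *Signer) Sign(eventID []byte) []byte { return ed25519.Sign(s.priv, eventID) }

// EventID mimics the Nostr convention of signing the SHA-256 of the
// serialized event (here simplified to just the content string).
func EventID(content string) []byte {
	h := sha256.Sum256([]byte(content))
	return h[:]
}

// SignedEvent is what a client ends up holding after asking the signer.
type SignedEvent struct {
	PubKey  string
	Content string
	ID      string
	Sig     string
}

// ClientPublish is the client side: build the event, ask the signer for a
// signature, and never touch private key material.
func ClientPublish(s *Signer, content string) SignedEvent {
	id := EventID(content)
	return SignedEvent{
		PubKey:  hex.EncodeToString(s.PublicKey()),
		Content: content,
		ID:      hex.EncodeToString(id),
		Sig:     hex.EncodeToString(s.Sign(id)),
	}
}

// VerifyEvent is what a relay or another client does: recompute the ID from
// the content and check the signature against the claimed public key.
func VerifyEvent(ev SignedEvent) error {
	pub, err := hex.DecodeString(ev.PubKey)
	if err != nil || len(pub) != ed25519.PublicKeySize {
		return errors.New("bad public key")
	}
	sig, err := hex.DecodeString(ev.Sig)
	if err != nil {
		return errors.New("bad signature encoding")
	}
	id := EventID(ev.Content)
	if hex.EncodeToString(id) != ev.ID {
		return errors.New("event id does not match content")
	}
	if !ed25519.Verify(ed25519.PublicKey(pub), id, sig) {
		return errors.New("signature invalid")
	}
	return nil
}

func main() {
	// Constructed seed for the demo; a real one would come from seed words.
	master := sha256.Sum256([]byte("constructed example seed - not a real one"))
	phone := NewSigner(master[:], "phone")
	laptop := NewSigner(master[:], "laptop")

	ev := ClientPublish(phone, "hello nostr")
	fmt.Println("valid event:", VerifyEvent(ev))
	fmt.Println("phone and laptop keys differ:", ev.PubKey != hex.EncodeToString(laptop.PublicKey()))

	ev.Content = "tampered"
	fmt.Println("tampered event:", VerifyEvent(ev))
}
```

The point of the layout is the trust boundary: if the phone's client is compromised, the attacker can get signatures for events while the app is open, but not the key itself, and the laptop's derived key is unaffected because a different label produced a different key from the same seed.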

Ooooo 👀 👀

Yeah, so the sharing of the private key is one of my major concerns with whatever application/platform you're utilising. You can control your key and be as careful as ever, but it only takes one mistake and it's gone.

The whole idea of seed words being able to generate "application passwords/keys" is a great one. Will give Mani a follow and stay up to date with that project.

Will take a look at Amber. I'm still only early days on Nostr, but it's a concern I couldn't shake today when utilising the private key to log into other applications.

Thanks for the write up, appreciate it and great food for thought.

Feel free to ask any more questions, Dan. Most of us here are happy to help, and you may even get consistent answers!