I do not get why some HWW manufacturers recommend entering a passphrase on *every boot*, compared to storing it on the HWW itself.

The entire point of a HWW is to securely store your keys, and the PIN is a much stronger mechanism than a passphrase (because of the limited tries).

So you could store the passphrase on the HWW without losing security, and keep it separate *for the paper backup*.

But some dumb vendors say for "additional security" enter your passphrase every time. Which is basically "we do not trust our PIN mechanism to be secure enough."

Such an implementation also increases the risk your passphrase gets stolen, as you use it much more frequently, and so will most likely store it in a more convenient but less secure location.


Discussion

Disagree.

Security over convenience.

Just spend the extra 10 minutes entering the passphrase.

What security is there? My point is that this does not provide any realistic security benefit, except the illusion of it.

What is the benefit of PIN + passphrase, when the HWW could keep the passphrase and you have a longer PIN instead? This means:

- You can store your passphrase more securely as you do not need to reach for it every time (just like your seed!)

- PIN attempt counters are more secure compared to a passphrase that is "convenient", as you can brute force passphrases without limit

Because the value proposition of a passphrase is the separation from the seed. If the seed is found (I dunno, like on a SeedQR you left lying around because you seem to have a blind spot about Seedsigners) then the passphrase is the last line of defense.

I am not talking about backups, where you should have a passphrase or multisig.

I am talking about when you are using an HWW, why not store the passphrase on the HWW?

Please read my post.

Did. Read my other replies.

With a gun to the head you will give up the PIN. If you don't have the passphrase they can't access the wallet.

A gun to the head will also make you spill your passphrase

Not if it's in a different location.

You could keep your PIN in another location. Or use a 2-of-2, which is the exact same thing.

Yeah, you could... or you could have a decoy PIN.

But if I were the one pointing the gun at the head I wouldn't believe that at all. A PIN is something you remember, a strong passphrase is not.

A decoy PIN would fix this. A 2-of-2 would as well to some extent.

It does not matter what they believe, because if they want to kill you, they probably will.

A decoy PIN would take you to a wallet with a few sats, right? If the PIN opened a wallet that's empty, wouldn't you ask why there's a PIN in the first place?

Yeah

I think saying the passphrase is in another location is a valid excuse to a gun to the head

Okay, the point is if the PIN is found (written elsewhere) then the passphrase is a final bulwark against signing your money away. This isn't about trusting the PIN, it's about segmented defense. Something that someone so skilled in digital safety should understand.

Literally the PIN used to open the HWW and the passphrase have the same usage frequency so why is the PIN secure but the Passphrase not?

It's things like this that discredit your bona fides.

> Literally the PIN used to open the HWW and the passphrase have the same usage frequency so why is the PIN secure but the Passphrase not?

Because the PIN has a try counter, and can be changed.

> Okay, the point is if the PIN is found (written elsewhere) then the Passphrase is a final bulwark against signing your money away

Then why not split your PIN into 2 parts? One that you remember, and the other you keep where you would put your passphrase.

Your approach would be

So, there are 2 routes:

- They find your seed (location A), and the passphrase (location B)

- They find your HWW (location C), the passphrase (location D) and your PIN (your head)

But you could easily split your PIN and get this:

- They find your seed (location A), and the passphrase (location B)

- They find your HWW (location C), the 1st part of the PIN (location D) and the 2nd part of the PIN (your head)

Except now you can change your PIN for the 2nd path in case you think it may have gotten lost and have a significantly more secure system. And for the most common route, you don't reveal location B, as you rarely go to it.

Again, it's additive, you can do all of that. But also you can change your passphrase, nothing is stopping you from sending to the new address set. And somehow I am reduced to just hardcopy backups as if I was saying that.

I am talking about using a HWW as well. PIN protected (split or not) plus a passphrase you enter. This is not insecure by any stretch.

Security is not always additive. Each step has a cost (in terms of usability, in terms of you permanently locking yourself out, and a lot more) and they can interact with each other as well.

Adding one step may allow you to break another step much easier.

PINs and Passphrases are additive in the context in which we are speaking. Obviously not infinitum or I would have said that.

Not really. Think of this:

1. Someone is following you (maybe via a surveillance network like Flock, etc.)

2. When you go out to do a spend, they see where you store your passphrase, and your HWW.

3. They hold you at gunpoint and ask for your HWW and your PIN. You think this is safe, but this is enough as they can now export your seed.

4. They already know where your passphrase is and can break your wallet.

If you kept your seed and passphrase on the HWW in an unexportable way, and had a 2-part PIN, this would happen:

1. They see where you store your HWW.

2. They have a much harder time tracking where you store your PIN, as you could change this every few uses.

3. They would have to get the PIN out of you, the HWW, and the location of the other part of the PIN.

K. And most people DO give up that information at gunpoint. Because duress setups are largely useless and make the gunman more dangerous. We are not talking about these scenarios because they are unavoidably insecure because we are people with extinguishable lives.

Either way assuming you are a stalwart a passphrase stored via entropy grid negates your threat model because the passphrase is not knowable outside of recording you inputting it even if you were seen with the grid itself.

Same thing could be said about PIN codes. You could construct one the same way, but now you can change grids/patterns as well.

A PIN and passphrase fulfill the same goal: adding an additional layer that is required to use the keys.

They can both be created and manipulated the same ways, whether it be creating via entropy grids, joining 2 separate passwords together, etc.

If your HWW started treating the passphrase like a 2nd PIN today you wouldn’t even notice.

Except a passphrase is significantly harder to change than a PIN.

If someone sees your passphrase when using your HWW, that weakens the security of your paper backup. But not if they see your PIN.

You can't have a 100 ASCII character PIN. I'm kind of bored with this discussion. There is a reason you don't have seeds and passphrases backed up in the same place, the same logic applies to a HWW. Regardless of PIN splits or changes, or frequency of use.

You can. Every phone already supports this and HWWs can too.

You are just not allowed to by the manufacturers who have incentives to offer making your life easier for $$$.

The reason paper backups need passphrases where HWWs don’t is that paper backups are completely defenseless, while an HWW has a SE which it can use to enforce certain requirements.

In the end, the root problem is that HWW companies have misaligned incentives with the user, and create problems so they can sell solutions.

What do you need to produce a HWW?

Maybe we can come up with some funding.

Open hardware. Software and a trusted scheme for inheritance. Maybe integration of Nostr keys (multisig).

What does the "N" in PIN stand for? ASCII character with hundreds of options?

Not everything is the greedy capitalists man. Sometimes things just are things. Personal Identification Numbers are numbers and don't have a robust character set.

The goal posts keep moving and terms are getting redefined. If I tell my client "Enter a PIN it can be any ASCII character up to 100 characters" they would think I am crazy.

In the end it’s a key that you use to unlock the SE.

All the SEs used right now by HWWs could be changed next day to accept letters and symbols and hundreds of characters.

What I am noticing is you trying to shift away from the root question of the post: What benefit does a passphrase entry on the HWW have compared to a longer PIN in terms of threat model?

If you want an example, look no further than Satochip: https://satochip.io

Their cards support any text as a PIN. And the chips in smart cards are almost the exact same as HWW SEs. So all you need is a display.

You can set a passphrase when setting up a seed, and it will be automatically used when you use your full PIN.

Yeah, blind signers have no security holes....

How is that relevant to the conversation? Put the same chip in a signer with a display.

Are we talking DIY devices or manufactured? Please stay consistent.

We are talking about a manufactured device. A manufacturer can put the same chip in a HWW with a display and I think we both know that was what we were talking about.

COULD yes, they don't. I could also buy an ESP32 and fashion my own device. We are talking about fully manufactured market devices.

They don't because of financial interests, and this is what the entire point is!

I explained that. The passphrase can be longer, more complex, and actually changes the key.

A PIN is generally more truncated, only numeric, and doesn't change the key.

Humans generally have a better memory for language over numbers.

Both are entered as frequently, both can be obscured and backed up safely, and both can be coerced with a threat of violence. Having a duress wallet in either case is ineffective but much simpler to maintain in the passphrase instance, as you can just NOT enter the passphrase to make duress transactions, whereas you would have to manually remove the passphrase in your scenario.

Again, I disagree with your assessment of Passphrase entry and HWW manufacturer incentives.

How does changing the key matter, if you cannot get the key out of the SE in the first place? If I have 2 doors and I don’t have the key for the outer door, the key for the inner door is useless.

And as I said, it does not have to be short, it does not have to be numeric, and it could work.

If you disagree with my assessment of how SEs work and what the incentives are for the HWW market, as someone that is working on HWWs and secure elements, you can and I can’t stop you really.

Many flat earthers also disagree with people that have gone deeper into this than they have.

Aight, thanks for the Ad Hominem. Also, you don't know who I am or what I work on.

The only thing I said is what position my perspective is from, but sure.

You are comparing me to a flat earther because you think your credentials supersede mine.

Nope, but it matches here perfectly

✅ intentionally misinterpret

✅ ignore provided proof

✅ make baseless claims

1. You can also send to another malleated seed so the passphrase can be changed too. PINs are nearly identical in threat model. PIN counters versus the literal nonadecillion combinations of passphrases.

2. Because regardless the security there is additive. Why not split up your PIN AND have a separate passphrase?

> You can also send to another malleated seed so the Passphrase can be changed too

Yes, but that is much more costly and risky (visit all backup/storage locations, rekey, retest) than a PIN change which can be done instantly.

> PINs are nearly identical in threat model. Pin counters versus the literal nonadecillion combinations of passphrases.

A passphrase can be brute forced until the end of time. The overlap between what you can remember and what is secure is small.

If you have to write down your passphrase somewhere to be able to use it, it may be best to instead use a 2nd seed and do a 2-of-2.

> Because regardless the security there is additive. Why not split up your PIN AND have a separate passphrase?

Instead of that we could have a longer PIN and split the PIN into 3 parts!

This assumes security has no "cost" and is *always additive*. It is not.

Adding more moving components can make it weaker as you get the weakest path as your security level.

With a HWW(seed+passphrase inside) + PIN, and then separate seed+passphrase, each method has distinct locations.

But with HWW(seed) + PIN + passphrase, and seed+passphrase, you now have the HWW path (which is the most common) making it more likely your passphrase gets found. Because every time you have to use it, you have to go there, someone might be following you.

They get a head start on stealing your physical backup just by monitoring you, and all they need is the seed now.

(Sorry I don't use Highlighter.)
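The two mechanisms argued over above (a BIP39 passphrase that changes the derived key versus a PIN that only gates access behind a try counter) can be shown side by side in code. The following is an added example written for this page, not code from any wallet vendor or from the thread's participants. The BIP39 seed derivation is the standard one (PBKDF2-HMAC-SHA512, 2048 rounds, salt `"mnemonic" + passphrase`); the `SecureElementModel` class, its method names and the attempt limit of 10 are hypothetical constructs standing in for a secure element's PIN logic, and the demo mnemonic is the published all-zero-entropy BIP39 test mnemonic.

```python
import hashlib
import unicodedata

# Constructed demo value: the BIP39 test mnemonic for all-zero entropy.
DEMO_MNEMONIC = "abandon " * 11 + "about"


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Standard BIP39 seed derivation: the passphrase is part of the PBKDF2 salt,
    so a different passphrase yields a completely different 64-byte seed (and
    therefore a different wallet). There is nothing here to rate-limit guesses:
    anyone holding the mnemonic can run this as often as their hardware allows."""
    m = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", m, salt, 2048, dklen=64)


class SecureElementModel:
    """Hypothetical model of a secure element holding a seed behind a PIN.
    The PIN does not change the seed; it only decides whether the seed is
    released. A try counter wipes the seed after max_attempts failures, which
    is the property the thread contrasts with an unlimited passphrase search."""

    def __init__(self, pin: str, seed: bytes, max_attempts: int = 10):
        self._pin = pin
        self._seed = seed
        self.max_attempts = max_attempts
        self.failed = 0
        self.wiped = False

    def unlock(self, guess: str):
        """Return the seed on a correct PIN, None otherwise. Wipe on exhaustion."""
        if self.wiped:
            return None
        if guess == self._pin:
            self.failed = 0
            return self._seed
        self.failed += 1
        if self.failed >= self.max_attempts:
            self.wiped = True
            self._seed = None  # seed destroyed; nothing left to guess against
        return None

    def change_pin(self, old: str, new: str) -> bool:
        """Rotating the PIN is instant and leaves the seed untouched; compare with
        changing a passphrase, which means moving funds to a new wallet."""
        if self.wiped or old != self._pin:
            return False
        self._pin = new
        return True


def guess_budget(keyspace: int, attempts: int) -> float:
    """Probability that `attempts` uniformly random guesses over `keyspace`
    possibilities succeed. With a try counter, `attempts` is the counter limit;
    without one it is bounded only by the attacker's compute."""
    return min(1.0, attempts / keyspace)


def compare() -> dict:
    """Worked comparison of the two designs using constructed parameters."""
    plain = bip39_seed(DEMO_MNEMONIC)
    with_pp = bip39_seed(DEMO_MNEMONIC, "TREZOR")

    se = SecureElementModel("482910", plain, max_attempts=10)
    before_rotation = se.unlock("482910")
    se.change_pin("482910", "117305")
    after_rotation = se.unlock("117305")

    return {
        "passphrase_changes_seed": plain != with_pp,
        "pin_change_keeps_seed": before_rotation == after_rotation,
        # 6-digit PIN, 10 tries before wipe
        "pin_success_probability": guess_budget(10**6, 10),
        # 4 words from a 2048-word list, attacker allowed 1e9 offline guesses
        "passphrase_success_probability": guess_budget(2048**4, 10**9),
    }


if __name__ == "__main__":
    for k, v in compare().items():
        print(f"{k}: {v}")
```

The numbers in `compare()` are constructed for illustration, not measurements of any device: the point is that the PIN's exposure is fixed by the counter regardless of attacker compute, while the passphrase's exposure scales with however many offline PBKDF2 guesses the attacker can afford.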

Most people can remember 12 words (a trio of 4 word associations) but even barring that you have things like entropy grids that multiply your ability to save longer strings of data by using shapes and patterns.

Suffice it to say I disagree with your assessment and I also deal with security on a daily basis.

I’m liking the nerd talk I’m seeing here

I think the conclusion is that all of these schemes are unreasonably complex to reason about (and provide an illusion of higher security) and multisig just works.

Passwords are the worst

People use the same one everywhere because no one can remember the password for every site they visit

So the accepted practice is to store all of them in a single location/application with some less secure than others

Passwords are prone to scams because anyone can click “forgot your password” and so the site is only as secure as the next “secret” that lets you reset it like your mother’s maiden name

Limited PIN attempts is superior

This is for passphrases for Bitcoin seeds, which are even worse because of brute forcing and immutability.