Surprisingly, I don't recall a single instance where anyone's Nostr account was hacked. Entering your private key into an insecure app would be the most obvious way that could happen.

Compromise of a popular app would be bad. Maybe we'll need app and device specific keys signed by other keys of yours at some point.

However, Nostr doesn't have the traditional attack vectors associated with passwords, email, SMS and third party account recovery, which is already very good.

nostr:nevent1qgsvfr3f7p95stxqrjslnmuvsmhcxxxqt8swjdfjx5tz7zq0yms5cygpzemhxue69uhk2er9dchxummnw3ezumrpdejz7qgkwaehxw309ajkgetw9ehx7um5wghxcctwvshsqg95wdtukay729ss3g5wwg5ax6mlzsnlztttk4z6j7sd3ch7exj6g5e7yjt3

Discussion

we’ll definitely need multisig with separate devices

isn't that a pretty reasonable point he made?

whether it comes true or not we'll see, but it seems reasonable

Bitcoin wasn’t always someone’s life savings and the BIP infrastructure around key management was non-existent. Nostr is growing much in the same way.

Roll back the clocks to the first few years of bitcoin and Parker is essentially advocating for keeping your money stored in an FDIC bank.

Who?

This dude, I think he had a TV show in the early 90s.

Sounds irrelevant.

You are not wrong.

great points

Yep, my accounts have only ever been compromised when a third party service has allowed it to happen.

I could be wrong, but I think in this instance Parker doesn't know what he's talking about.

And doesn't seem to grasp the significance of digital identity, in that, even if my digital identity on Nostr is anonymous, I can still get paid in Bitcoin and verify my messages.

NIP-05 could be implemented better at the client level to make it obvious what's going on at the NIP-05 level. Like, what domain someone is verified through, and perhaps more importantly, if it has changed. For someone like myself, it's whatever, but for a more public personality, where you have your website people know you through, it'd be a pretty solid warrant canary style assurance that you are still in control of your nsec. If you're not, delete the file on your webserver, and bam, it should be obvious in clients that your npub is no longer you. Now, getting your followers back could be a pain at that point, but surely you can get creative with clarification back on your website for which new npub people can point to for your content.

Multisig could help too, but is probably honestly overkill in most cases. Long term thinking though, it's worth having built out and tested, and iirc, there are a few projects seeking to do just this, including Frostr.

We have nsecbunker but IMO it needs to be widely adopted.
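The NIP-05 comment above asks clients to show which domain vouches for a key and, more importantly, to flag when that changes. The following is an added example and not code from the original thread or from any Nostr client. It uses the real NIP-05 lookup (`https://<domain>/.well-known/nostr.json?name=<local-part>` returning a `names` map of local part to hex pubkey) but embeds a constructed sample document with placeholder keys so the check runs offline; the status names, the `cache` dictionary and the `fetch_doc` helper are this example's own assumptions.

```python
import json
import re
import urllib.request
from typing import Dict, Optional, Tuple

# Constructed sample of what https://example.com/.well-known/nostr.json?name=alice
# might serve. The 64-hex pubkeys are placeholders, not real Nostr keys.
SAMPLE_DOC = json.dumps({
    "names": {
        "alice": "a" * 64,
        "_": "b" * 64,  # NIP-05: "_" means the bare domain identifies this key
    }
})

HEX64 = re.compile(r"^[0-9a-f]{64}$")


def split_identifier(nip05: str) -> Tuple[str, str]:
    """'alice@example.com' -> ('alice', 'example.com'); bare 'example.com' -> ('_', 'example.com')."""
    if "@" in nip05:
        local, domain = nip05.rsplit("@", 1)
    else:
        local, domain = "_", nip05
    return local.lower(), domain.lower()


def lookup_pubkey(doc_text: str, local: str) -> Optional[str]:
    """Return the hex pubkey the document claims for `local`, or None if absent or malformed."""
    try:
        names = json.loads(doc_text).get("names", {})
        pk = names.get(local)
    except (ValueError, AttributeError):
        return None
    if not isinstance(pk, str) or not HEX64.match(pk):
        return None
    return pk


def fetch_doc(domain: str, local: str, timeout: float = 5.0) -> str:
    """Network fetch of the NIP-05 document (hypothetical helper; the offline check below does not call it)."""
    url = f"https://{domain}/.well-known/nostr.json?name={local}"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def verify(nip05: str, profile_pubkey: str, doc_text: str, cache: Dict[str, str]) -> str:
    """Classify a profile's NIP-05 state for display; `cache` remembers the last key each identifier vouched for.

    Statuses (assumed names for this example):
      verified   - domain currently vouches for this profile's key, same as last time
      changed    - domain vouches for this key, but previously vouched for a different one
      mismatch   - domain vouches for some other key, not this profile's
      revoked    - domain vouched before, but the name is gone now (the warrant-canary case)
      unverified - no valid claim and none remembered
    """
    local, domain = split_identifier(nip05)
    key = f"{local}@{domain}"
    served = lookup_pubkey(doc_text, local)
    previous = cache.get(key)

    if served is None:
        return "revoked" if previous is not None else "unverified"

    cache[key] = served  # remember what the domain vouches for right now
    if served != profile_pubkey.lower():
        return "mismatch"
    if previous is not None and previous != served:
        return "changed"
    return "verified"


if __name__ == "__main__":
    seen: Dict[str, str] = {}
    print(verify("alice@example.com", "a" * 64, SAMPLE_DOC, seen))   # verified
    print(verify("alice@example.com", "a" * 64, "{}", seen))         # revoked: file removed
    print(verify("alice@example.com", "c" * 64, SAMPLE_DOC, seen))   # mismatch: domain vouches for another key
```

A client that persists `cache` across sessions can render "verified" quietly, but "changed" and "revoked" deserve a visible warning, since either is what a key rotation or a lost nsec looks like from the outside.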