Lazyweb, crypto question. When storing private keys encrypted with a passphrase, is there a compelling reason to do so in a way that makes it easily testable whether the passphrase was correct?
Obviously there's a positive UX reason, so what I'm asking is if there's a compelling argument that the loss of security by doing so is inconsequential.
Under duress, you can give the wrong passphrase resulting in deriving a different key. BIP39 seed phrases use this for an optional passphrase added to the end of the seed phrase. Trezor (who created BIP39) treat it as an advanced feature since it can result in harmful mistakes.
The only state that's stored is the seed phrase so if you enter the wrong passphrase, you get a completely different wallet:
wiki.trezor.io/Passphrase
They make sure you back up the seed phrase, so if the device dies or is lost you don't lose funds or other keys (SSH, GPG, etc.).
If you forget the passphrase though, you lose everything. People might also make the mistake of entering the wrong one and then using the wrong keys (wallet). They generate all the necessary keys via deterministic derivation paths from the initial seed for all different uses.
So there's a derivation path for Bitcoin with support for separate accounts and any number of addresses (each one is a key pair) for each. SSH, GPG, U2F/FIDO2, etc. have their own key derivation paths. Forgetting the PIN locking the device isn't fatal. Forgetting the passphrase though...
Yeah, I'm aware there are situations where this property is an advantage. I'm asking about the other direction - whether there are situations where there's a compelling argument that it doesn't matter if the attacker can see whether the passphrase is right or wrong without testing it.
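To make the two designs in this exchange concrete, here is an added example (not code from the thread, Trezor, or BIP39 itself). It derives a BIP39 seed exactly as the spec does (PBKDF2-HMAC-SHA512, 2048 rounds, salt `"mnemonic" + passphrase`, NFKD-normalised), which is the "not testable" design: any passphrase, right or wrong, produces a plausible 64-byte seed and nothing in the stored state can tell the two apart. Beside it is the "testable" design the original question asks about: a stored check value (a short keyed fingerprint of the seed) that lets software reject a mistyped passphrase before the wrong keys are ever used. The mnemonic, the `"TREZOR"` passphrase and the check-value construction are assumed illustrative values; `make_check_value` and `passphrase_matches` are hypothetical helpers, not part of any standard.

```python
import hashlib
import hmac
import unicodedata

# Constructed example input: the first BIP39 reference-vector mnemonic.
MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
            "abandon abandon abandon abandon abandon about")


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed derivation as specified: PBKDF2-HMAC-SHA512, 2048 rounds,
    64-byte output, salt "mnemonic" + passphrase, both NFKD-normalised.
    Every passphrase yields a valid-looking seed; the wrong one simply
    selects a different (empty) wallet, as the thread describes."""
    m = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    s = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", m, s, 2048, 64)


def make_check_value(seed: bytes) -> bytes:
    """The 'testable' design (hypothetical helper, not BIP39): store a short
    keyed fingerprint of the seed next to the backup. A wrong passphrase is
    then detected immediately instead of silently producing unrelated keys.
    The same stored value is what makes a passphrase guess confirmable
    offline, which is the security cost the original question weighs."""
    return hmac.new(b"seed-check-v1", seed, "sha256").digest()[:8]


def passphrase_matches(mnemonic: str, passphrase: str, check: bytes) -> bool:
    """Constant-time comparison of the recomputed check against the stored one."""
    candidate = make_check_value(bip39_seed(mnemonic, passphrase))
    return hmac.compare_digest(candidate, check)


def derive_seed_checked(mnemonic: str, passphrase: str, check: bytes) -> bytes:
    """Wallet-open flow with the check: refuse to hand out keys for a
    passphrase that does not match, so the user cannot unknowingly
    transact with the wrong wallet."""
    if not passphrase_matches(mnemonic, passphrase, check):
        raise ValueError("passphrase does not match stored check value")
    return bip39_seed(mnemonic, passphrase)


def compare_designs(mnemonic: str, right: str, wrong: str) -> dict:
    """Show both behaviours side by side for one right and one wrong passphrase."""
    silent_right = bip39_seed(mnemonic, right)
    silent_wrong = bip39_seed(mnemonic, wrong)      # no error, different seed
    check = make_check_value(silent_right)
    try:
        derive_seed_checked(mnemonic, wrong, check)
        checked_rejects_wrong = False
    except ValueError:
        checked_rejects_wrong = True
    return {
        "silent_design_errors_on_wrong": False,      # BIP39 never complains
        "silent_seeds_differ": silent_right != silent_wrong,
        "checked_design_rejects_wrong": checked_rejects_wrong,
    }


if __name__ == "__main__":
    print(bip39_seed(MNEMONIC, "TREZOR").hex())
    print(compare_designs(MNEMONIC, "TREZOR", "TREZ0R"))
```

The first `print` reproduces the seed from the published BIP39 test vectors for this mnemonic with passphrase `"TREZOR"`; changing a single character of the passphrase gives an equally well-formed but unrelated seed, which is exactly the duress-resistance and the footgun the reply above describes.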