Rename "password" to "passphrase/13th word" #10408
Why I personally would prefer passphrase over 13th word:
|
As mentioned in #10321 it is my opinion that substituting the word "Passphrase" for "Password" does not make any difference in a user's mind to inform them the thing they type in the 2 boxes gets added as a part of the recovery seed. In English, the difference between these two terms simply refers to the way the secret information is formatted. A "Word" implies the secret information is formatted as a single string without spaces, such as Canada77. A "Phrase" implies the secret information is formatted as several words concatenated together (with or without spaces, depending on the passphrase creator's preference), such as blue penguin running slowly. The terminology has evolved such that choosing (or generating) phrases instead of words for your secret information makes the secret information easier to remember by a human while making it harder to guess by a brute-forcing attacker. This concept was made viral by this xkcd comic: As such, the definition of "passphrase" is commonly known as "a password that is multiple words long":
Although I think "13th word" should be defined clearly, I would still recommend the term password if it came down to a coin flip between password and passphrase. Since creation of Bitcoin wallets already involves a 12 word recovery seed phrase, it causes a vocabulary collision if we also refer to the password as a "phrase" especially since (some? most?) users will choose a single word instead of a phrase for their password. |
This should make a difference in the user's mind to inform them the thing they type in the 1 box gets added as a part of the recovery words.
This confirms that it should be called passphrase and not password.
Again, literally all of those definitions and comparisons confirm that it should be called passphrase and not password.
We know from experience and from many users' feedback for years that calling it password was always a source of confusion. Take a look again at the examples mentioned in the description of this issue or at this #10321 (comment) to see what other bitcoin projects call it, and what their experience/opinion about this is.
We never mention seed phrase in our software, we call them recovery words, so there should be no vocabulary collision.
If that is true then calling it passphrase would maybe push users to use a phrase instead of one word which is more secure. (As the attached picture suggested) |
Without creating a new issue I would like to comment here with a sketch prototype. The user tests and common knowledge in the space show us that it's very important to help the user to create a solid backup. Right now, without telling the user that Wasabi Wallet "Password" = Passphrase / 13th word, we are gambling with the user's experience, risking that they lose btc and trust in Wasabi Wallet. That needs to be fixed asap in my opinion. Also touches: #10367 13thwordpassword_480.mov |
This is really cool. I like the simplification to only asking for four words, the others should be visible in the UI while it's checked though. There are arguments to check all, but I think convenience matters more here. password check on first wallet load can be skipped. This is nice onboarding in two similar dialogs, no pop-ups or clutter, well done. |
I more or less agree with the idea of confirming only 4 words, I guess (or at least I don't oppose), as long as the others are displayed, but I strongly disagree with this statement:
This is arguably the most important screen in the life of the user, a mistake here could mean all funds lost much later in the future with a false sense of security. If there is one screen in the software where convenience doesn't matter against security, that's this one.
Automatically open new wallets, or at least the first one, good idea. |
Displaying the other words is a good idea, absolutely valid. Will keep that in mind & as a comment on Figma. I also think it's one of the most important steps a user has to do, so it's a delicate balance between time convenience and safety. We can save some more time on other steps. |
I absolutely agree with this. IMHO we should let the user take as much time as needed when they are creating and backing up their wallet (recovery words + passphrase).
As pointed out in #10367 (comment) newly generated wallets should be loaded automatically once the creation process is done, which would save some time. |
There are some great ideas and some less so here. It does seem like we all agree on the improvement of the verify backup regarding the elegant checksum solution: choosing the random words with the mouse, so maybe @editwentyone you could create a new issue and we'll get that work started with the UI team? Regarding the Create Backup screen, it is a confused screen. I have so many thoughts and let's go through them all in the UX meeting, but I'll leave a few here randomly:
Regarding not having a password screen, but rather making the password verification happen on these pages, I am still trying to decide if it's genius or a terrible idea. It might reduce the number of steps, but it might also end up being confusing. From an operational point of view, I'd default to what we have currently. On new wallet naming. We should only do that if it's not the first wallet as we discussed. Also what happened to the "Success! Your wallet is created" final screen you talked about before? |
The print out template is a pdf with placeholders for recovery words and passphrase (and maybe fingerprint). |
Everything on a sketch is just for explanation, no final wordings until high fidelity designs (and even then everything is up to debate and optimization). Only high fidelity designs can tell if it will be a wall of text; right now it's hard to sketch in the right proportions. Passphrase doesn't need to be named, we just need to make sure that it's backed up.
It's just a blank DIN A4 / Letter Size paper template without any words, so no trust is needed for printers. The user just needs to fill out what he sees on the screen. The template has the same design as our backup screen.
I think that's not a good UX because most of the users wouldn't see/recognize the label change while hovering, and also they thought they could go to the next screen (continue does exactly that) but suddenly they have to stop and go back into the middle and work with the words. Reveal does exactly what it needs to do: make sure that the user is ready to write down the words in a safe environment.
It's not only about reduction of steps. It's about teaching how important that backup of 12+1 is. Because we decided to use the 13th word as a password mechanism, we need to make absolutely sure that the user also understands that. Without this step, by keeping the actual default way we have, we are risking the funds and trust of our users.
Totally agree, if it's the first wallet, it should be named in the background and not shown to change. Every other wallet needs to see this naming screen / step.
It's at the beginning, right before the "create backup" flow starts. I skimmed through my sketches and don't see a success screen at the end. After (optional) naming, the user should arrive at the empty home screen of the application with his newly created and unlocked wallet. If it's ok, I wouldn't put more steps on the user to start using the app. I would create an animation for a success screen in-between, now that I thought about it again… |
I would argue to even remove wallet naming from the second creation, and just call it Maybe we could generate some random human friendly short identifier names automatically for each wallet, so we avoid the numbering? |
You can combine that thought: present the naming step, suggest a good name already so the user can just accept it by finishing without edit, but you also give the possibility to edit it quickly and continue. Best of both worlds. |
I think as long as we don't have a dedicated screen exclusively for naming the wallet, I'm happy. |
How do you set an empty/blank password if the continue button does not activate until you enter text in the field? |
Good question. IF the password is not mandatory it should be active as soon as the verification is done. Something I can't decide. I understood that it should be mandatory. More security to unlock your wallet and prevent others from accessing it. Just let me know if it's not mandatory and I will redesign it |
It is not. |
Why shouldn't it? Many if not most other bitcoin projects call it |
I don't agree with that, for reasons stated above and on other issues/PRs.
It is not proven that the word |
please see this video from minute ~2:30 #10661 (comment) |
Another case/proof that shows that many users don't know that the password is in fact a passphrase and it is required to recover their wallet. #10886 There are countless cases like this one that we have seen throughout the years of Wasabi's life but somehow we keep ignoring this feedback. ¯\_(ツ)_/¯ The terminology is very important, especially for newbies. Currently it is very misleading. |
What do you mean "keep ignoring this feedback"? There have been hundreds if not thousands of back and forth discussions about it. That does not qualify to me as "keep ignoring this feedback." If anything it's an argument to START ignoring this feedback and deliver shit instead. |
There shouldn't have been a lot of discussions for many years, but more importantly all of those discussions didn't move us forward so far.
That's what I have been saying for long: we know that what we currently have isn't optimal and we can easily improve it by a simple PR or two regardless of all the UX redesign, which seems to be taking much more time than it should, at least for such obvious and easy issues. |
Ok, to be clear:
My suggestion is in #10661 and it's another "trial and error" without any testing and research to nudge the user to define and use a passphrase as a daily password, and also to write it down (with the help of a template, to make it even clearer). It's still not perfect, but it's a balance between: we want the user to use a daily password (aka passphrase) and also make it recoverable with 12 words + passphrase. Best would be: 12 words + passphrase (12+1 backed up for recovery, but stored separately) + dedicated password (for extra security on a daily basis, can be forgotten). But apparently it's decided to use the passphrase as a password; it's ok-ish, but then this route definitely needs assistance to back it up. Also as a consequence we need to re-design the recovery flow after #10661 is implemented |
The feature of "password" in wallets usually means just to unlock the software and decrypt the seed or private key stored within. It does not mean the same thing as a "seed extension" in any sort, and is de facto expected not to require a backup precisely because passwords are often forgotten. Security-wise this "password as seed extension" thing is irrelevant: the user can and often will save both things in the same place, against all recommendations, and software cannot control nor should impose this kind of restriction. It is also surprising to find that your seed phrase + password does not derive the same keys in other wallet software because of this situation, which increases adoption friction. It took me a while to understand why Wasabi was not actually deriving the keys I wanted it to derive because of this and I am skeptical about using such mission-critical software which in my view does not comply with such basic usability norms. I also find it unacceptable to store unencrypted key material (I am assuming that is the case if I do not employ a password during wallet creation or import) and it is also unacceptable to be forced to move coins to a Wasabi-only wallet just because of a password. Finally, assuming I understood the situation correctly, changing passwords is technically impossible without generating a brand new wallet, which is also unacceptable. I would kindly suggest implementing a wallet password feature which does exactly the same thing as every other piece of software dealing with key material does: merely encrypt the stored key material without touching it (in this case, extending the seed). The current functionality of seed extension can be left as is for users willing to use it and should be renamed to what it actually is: a seed extension, not a password, nor a "passphrase" (which is essentially the same thing). |
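The "seed extension" mechanism the comment above describes, as an added example that is not code from this thread or from Wasabi: it shows the standard BIP39 seed derivation, where the passphrase is mixed into the PBKDF2 salt, so a restore with a different (or empty) passphrase silently produces a different, valid-looking wallet rather than an error. That BIP39 is exactly what Wasabi's "password" feeds into is an assumption here, not something the thread establishes. The mnemonic used is the public BIP39 test vector for all-zero entropy, not a real wallet.

```python
import hashlib
import unicodedata

# Public BIP39 test vector (12 words from all-zero entropy); not a real wallet.
MNEMONIC = (
    "abandon abandon abandon abandon abandon abandon "
    "abandon abandon abandon abandon abandon about"
)

# Known BIP39 seed for MNEMONIC with passphrase "TREZOR" (published test vector).
KNOWN_SEED_TREZOR = (
    "c55257c360c07c72029aebc1b53c05ed0362ada38ead3e3e9efa3708e5349553"
    "1f09a6987599d18264c1e1c92f2cf141630c7a3c4ab7c81b2f001698e7463b04"
)


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 mnemonic -> 64-byte seed.

    PBKDF2-HMAC-SHA512, 2048 rounds, password = NFKD(mnemonic),
    salt = "mnemonic" + NFKD(passphrase). The passphrase is part of the
    key material: there is no stored hash to check it against, so any
    passphrase yields *some* seed and nothing flags a wrong one.
    """
    pw = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", pw, salt, 2048, dklen=64)


def restore_reaches_same_wallet(mnemonic: str, passphrase_at_backup: str,
                                passphrase_at_restore: str) -> bool:
    """True only if the restore derives the identical seed (and hence keys)."""
    return bip39_seed(mnemonic, passphrase_at_backup) == bip39_seed(
        mnemonic, passphrase_at_restore
    )


def restore_report(mnemonic: str, passphrase_at_backup: str) -> dict:
    """Compare the backed-up wallet against common restore mistakes.

    Each entry is True when the restore lands on the original wallet.
    Only the exact passphrase does; the others silently open a different,
    empty wallet, which is the failure mode described in this thread.
    """
    attempts = {
        "exact passphrase": passphrase_at_backup,
        "forgot it (empty)": "",
        "different case": passphrase_at_backup.swapcase(),
        "trailing space": passphrase_at_backup + " ",
    }
    return {
        label: restore_reaches_same_wallet(mnemonic, passphrase_at_backup, attempt)
        for label, attempt in attempts.items()
    }


if __name__ == "__main__":
    # Constructed sample passphrase for the demonstration.
    for label, ok in restore_report(MNEMONIC, "blue penguin running slowly").items():
        print(f"{label:20s} -> {'same wallet' if ok else 'DIFFERENT wallet, no error'}")
```

Run stand-alone it prints one line per restore attempt; only the exact passphrase reaches the backed-up wallet, every other attempt quietly derives a different seed. That silence is why the thread's participants want the UI to make clear the value is part of the backup.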
Using the word "password" is very confusing for users, especially newbies, who most likely do not know that it is very important to recover/access their wallet. There are a lot of examples from users confused and complaining that they lost access to their wallet because of this, and we can easily say they are newbies just from the terminology they use or from the fact that it didn't occur to them that the password is part of their backup; it proves the point that they do not know it is important for their recovery.
I did the recovery and entered the keywords.
I entered another password on the new installation.
For more examples see this #10321 (comment).
Quoting this very good explanation from @lontivero on why we should call it "passphrase" instead of "password":
A simple solution to this confusing issue: "passphrase/13th word" or "recovery words extension". (IMO we should call it passphrase and mention that it is a recovery words extension/13th word on the dialog's description)