Move password verification to the final step #1142
I tested it. I like it. Concept ACK.
Okay then, what do you think I should do? What about adding the "See password" button?
That's a good idea, but I don't think we should mix it with this PR.
@@ -11,7 +11,14 @@ | |||
<TextBlock Text="You can recover your wallet on any computer with:" FontWeight="Bold" /> | |||
<TextBlock Text="- your mnemonic words AND" FontWeight="Bold" /> | |||
<TextBlock Text="- your password" FontWeight="Bold" /> | |||
<TextBlock Text="Unlike most other wallets if an attacker aquires your mnemonic words, it will not be able to hack your wallet without knowing your password. However, unlike other wallets, you will not be able to recover your wallet only with your mnemonic words if you lose your password." TextWrapping="Wrap" /> | |||
<TextBlock Text="Unlike most other wallets if an attacker aquires your mnemonic words, it will not be able to hack your wallet without knowing your password. However, unlike other wallets, you will not be able to recover your wallet only with your mnemonic words if you lose your password. For that reason, verify the password is correct and back it up." TextWrapping="Wrap" /> |
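Review bot: the added TextBlock string still carries the misspelling "aquires" from the line it replaces; change it to "acquires" while this string is being edited. The one instruction the user has to act on, "For that reason, verify the password is correct and back it up.", is appended at the end of a long wrapped paragraph, so consider moving it into its own bold TextBlock next to "- your password", where it is harder to skip.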
I should write something like this:
Backup your password too! Unlike most other wallets if an attacker acquires your mnemonic words, it will not be able to hack your wallet without knowing your password. Only with the mnemonic words you will not be able to recover your wallet! For that reason, verify the password is correct and back it up.
Too long, don't read. This is true for the original text, too.
Agree. What do we do with that text? Should I roll back to the original text?
Not sure at this point, I will look at the new UX workflow after the functionality is working.
|
||
try | ||
{ | ||
encryptedSecret.GetSecret(Password + "trolo"); |
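Review bot: the argument on the GetSecret line is Password + "trolo" rather than Password, so the verification decrypts with a string the user never typed; remove the hard-coded suffix before this is made mergeable so the call reads encryptedSecret.GetSecret(Password). Only the opening of the try block is visible here, so also confirm that the failure path tells the user the password did not decrypt the secret without putting the password itself into the message or a log.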
Only for debug, right?
Yes. This PR was pushed for discussing the pros/cons of the idea with something real (with code) and to get feedback; I was never for merging. Anyway, if this is good then I will remove this failing trick.
…es/Check-Password-Recovery 4e56050 to 7a09bb2
Please make a mergeable version, so I can review properly.
#1152 is better than this, so I am closing it.
This is a proposal for discussion regarding #1128. The hypothesis here is that users simply forget their passwords because they believe that the password is not really important and that they can always recover the wallet with the seed.
The fact that it is clearly stated that the password is super important is irrelevant because studies are clear: people DO NOT read. So, in this case, after a user backs up the seed, he/she is required to re-enter the password and check that the password matches, and also make sure the encrypted secret can be recovered with that password (this is an absolutely paranoid check, but anyway).
The PR is for discussion and not for merging.