Improve password input security (random order) #744

Open
Giszmo opened this issue Apr 11, 2021 · 3 comments
Labels
feature New feature proposal or a request; much more work than "ehancement"

Comments

@Giszmo

Giszmo commented Apr 11, 2021

If entering the password in a public setting, it is almost impossible not to leak it. The discreet left-middle-right clicks are very easily detected at a great distance.

Although it makes input even harder, the three groups should get shown in random order.

(Should my proposal #743 get implemented, then the alphabet could start looping at a random pace until a click occurs. In this mode, the initial click may be very imprecise.)

@x1ddos x1ddos changed the title Improve password input security Improve password input security (random order) Apr 12, 2021
@x1ddos x1ddos added the feature New feature proposal or a request; much more work than "ehancement" label Apr 12, 2021
@jadzeidan
Contributor

Hey @Giszmo, thanks for the input (pun intended :p). I understand the concern; however, something like this will likely have a strong negative impact on usability, which is a key component of the BitBox02 design principle (to be the easiest to use hardware wallet). Also, the screen would still be visible to the public, so I think the overall benefit of randomizing the characters is limited. If something like this were to be implemented, it would probably be an advanced option.

@malesch

malesch commented Jun 29, 2021

I was always wondering if the slider input of the BB would allow scrolling directly through the list of input characters (or block of chars: a-z,A-Z,0-1,...), which would allow much faster input and improve security. The current method requires multiple interactions just to select a single char. In my opinion this is not very user friendly and tempts you to limit yourself to shorter phrases.

@benma
Collaborator

benma commented Jun 29, 2021

@malesch it would be possible, and ideally we'd like to offer both ways of input.

We tested some prototypes of inputting via scrolling in the past, and while it was a bit more intuitive, it also turned out to be a slower way of entering with the prototypes we made. The reason is that tapping one of the three groups can be done quickly and accurately and committed to muscle memory.

That being said, we didn't iterate a ton on the scrolling variant, so there is room for improving that too, maybe even to the point where it can be as quick as the tapping variant. However, it was always low priority compared to other features since the current way of inputting seems to work very well generally. It is not likely we will work on the scrolling variant anytime soon.

cc @jadzeidan

5 participants