AIO Wallet stored passphrases not secure??
rds last edited by
I'm wondering why when you "add wallet" in the AIO (All in One) Account manager tab, it then says the passphrase is stored on your local machine "not in plain text", i.e. encrypted? The impression is that it is somewhat secure from prying eyes.
That being said, if I get a hold of your encrypted file somehow, all I have to do is put this file in the wallet folder, start up the AIO, select "load wallet", paste the encrypted passphrase in the login box, then select the dots in the box, copy the dots, paste them into any text file, and there is the unencrypted passphrase.
Not sure if this was an oversight or just a low(er) level of protection. Thought the devs might want to consider a more hardened scheme in future releases.
You are right, the passphrases are hashed and loaded for only 30 seconds in your clipboard when loading the Account. Every AIO can open them.
This is considerably better than having them saved in txt files in plain text and loaded in clipboard for unlimited time - as Linux and core users are probably mostly doing.
We are at version 0.3.9.6 and good encryption is tricky. I also never expected such a popularity of the software. (I thought that someone would release a better written solution at some point in time. Lexicon's version is advancing fast).
After managing solo mining for the AIO yesterday, I wanted to start the implementation of a Master-Password System, like FileZilla or Firefox.
I see the additional attack vector as rather slim, as if your system is compromised and an attacker can copy your files - then he can keylog every stroke from you too. A master password won't help you then anymore. If you are still concerned you can use a Passphrase Manager or Lex's AIO version in the meantime.
Lexicon last edited by Lexicon
@rds In my AIO release the passphrases are salted with a code that only the user knows, as dawallet just said. Also, the current AIO dawallet has a static encryption key, so if someone goes through the source they could easily decrypt the file on your disk to get your passphrase, as well as move the file into the same directory to do it that way.
I've released the source for this now, so if dawallet wants he can use it to make his more secure. I made this open source so everyone can benefit from it and to also show everyone there is nothing nefarious in my code. I'm sure we have a lot more exciting things to come.
I'm designing the new interface in my wallet so that your password cannot be sniffed by keyloggers or clipboard loggers, as it just puts the passphrase straight out of the decryption algo into the password box, bypassing your clipboard and keyboard.
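The difference discussed above between a static key shipped with the application and a key derived from a secret only the user knows, as an added example that is not part of the thread and is not code from either AIO version. All names and sample values are hypothetical, and the HMAC-SHA256 keystream is a standard-library stand-in for a real authenticated cipher such as AES-GCM.

```python
import hashlib, hmac, os

# Constructed stand-in for a key hard-coded in an application's source.
STATIC_KEY = b"constructed-key-shipped-with-every-install"

def _subkeys(key: bytes):
    # Separate keys for encryption and authentication.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode (stand-in for a real stream cipher).
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC; layout is nonce(16) | ciphertext | tag(32).
    nonce = os.urandom(16)
    enc_key, mac_key = _subkeys(key)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def open_sealed(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key, mac_key = _subkeys(key)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or modified file")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

def _master_key(master_password: str, salt: bytes) -> bytes:
    # Slow, salted derivation: the key exists only while the user supplies it.
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 600_000, dklen=32)

def protect(master_password: str, passphrase: bytes) -> bytes:
    salt = os.urandom(16)  # stored next to the ciphertext, not secret
    return salt + seal(_master_key(master_password, salt), passphrase)

def recover(master_password: str, blob: bytes) -> bytes:
    return open_sealed(_master_key(master_password, blob[:16]), blob[16:])

if __name__ == "__main__":
    secret = b"constructed wallet passphrase"
    copied = seal(STATIC_KEY, secret)        # file protected by the static key
    print(open_sealed(STATIC_KEY, copied))   # any install of the app can open it
    print(recover("master pw", protect("master pw", secret)))
```

With the static key, possession of the file plus any copy of the program is enough; with the derived key, a copied file fails authentication unless the master password is also known.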
ZapbuzZ last edited by
The-traditional-phrase-system doesn't have to be correct spelling. Deliberate spelling errors or 3v3n 1337 5p33ch words can be put in manually. My favourite is mashing the keyboard. Who's gonna get it now?