Two passwords for login process

Hey guys,
Just a brief write-up on what the account secrets mean. Previously we had PIN, Keyword and Password. PIN (used as salt) and Keyword generated the location of login packet on the safe network and once that is fetched, PIN and Password decrypted the login packet. We thought asking the user to type all three was an overkill and went for only one secure Account password. Then internally we derived all three - for e.g. right now it’s done quickly as sha512 of the password and divide it into 3 parts. However this meant that this one password was to be considerably secure and now it seems that this is not very user friendly either, because many people are not very keen on choosing a long, complicated super secure password.

So we are going for a requirement of 2 user passwords. What this would mean is that each password need not be as complex as previously when there was only one. The 1st password will derive the location of account packet in the Network and the 2nd password will decrypt the packet, so ideally both should be secure but 2nd is more important than the first.

As usual, we will again derive the 3 internally and actually use those.


Maybe call one “friendly name” as in pet name that one gives an inanimate object in an attempt to personalise it.

So I might call my media account - “media centre” and my super serial (serious) one - “superserial” and my who cares one - “junkie”. Real easy to remember and then the passphrase is all that I have to work at remembering. Rather than 2 hard passwords.

It can still be internally 2 passwords, but we mere mortals find password1: & password2: triggers the “this is hard” whereas “petname:” & “passphrase:” a little less confronting.

Easier to remember too i reckon


Brainstorm meetings in house - now spilling out to forum, so great.

An issue we are looking at is making account names hard to guess, although not hugely important, it just adds more confusion to attackers and more importantly it means the chance of account name collision is reduced.


Right - but do remember that harder the both of them more secure you are. That is why we didn’t name it as username or something as we thought that can have some drawbacks:

  1. Technically that is not a username. You would never share that with anyone because it solves no purpose. Later when Public IDs become more common and people start sharing that, there might be a little confusion as username also implies something that is shareable but is certainly not meant for that.
  2. If people can easily guess where your account packet is in the Network it narrows down the attack vector to just decrypting that packet.

@neo Seems easiest to stick with username / password as terminology, but there may be other considerations.

I can guess this might have been avoided to make the first less easy to guess, ie encourage people treat both parts as needing to be hard to guess passwords. In which case calling them both passwords might be important.

Whatever we choose needs to be thought through carefully in terms of terminology, user understanding, workflow etc


Thats why I didn’t say user name. Just a pet name for the account, not name for the network. I’d expect a degree of collision so need both to generate account address.

I also realise that the more complex they are the better.

I was thinking you would use the 2 combined to create the network account address.

And you could simply have a complexity test for the two combined. So that if simple familiar/pet name then the password has to be more complex. It should be simple to inform the user that a simple familiar/pet name requires a passphrase with more words and to choose a longer familiar/pet name with more than one word.

Anyhow just an opinion and obviously has to considered in the face of sufficient complexity/randomness

Ya - we have not given up the one-(strong)-password-only approach too yet. Just trying to find a sweet spot without compromising security, so nice to hear inputs.


Is something like a random word generator off the table for the one pass phrase setup?


What bothered me is I couldn’t seem to log into my account from another OS. It said Keyword/Pin were incorrect but all I had access to was the password. Whatever is done I think it needs to be double checked for compatibility with other OSes/machines.

From what is being described here it sounds like you need two passphrases. The original keyword wasn’t really a username as we know it. I think it should be explained somewhere in the launcher as to exactly how the Keyword/PIN/Pass or double passwords work in protecting one’s account. I.e. Something like the original post to this topic except in help file format and perhaps with links to definitions for the technically challenged.

1 Like

The entropy/complexity calculators do use all that to give a score - so they would (should ?) catch if you tired Tr0ub4dor or similar

My opinion is any pass phrase generated for people will see a marked rise (many times) in the pass phrase being written down and the associated security issues arising from that.

Its really not easy to remember 5 or 6 random words given to me, especially since some may not be in my usual vocabulary. BUT if I choose something meaningful to me and it passes a complexity test then I will remember it without ever writing it down.


That should be a UI bug i would guess - when there were 3 (pin, keyword, password) and if (pin and/or keyword) was wrong that would be the output. I guess that error in log-in was a remnant because the UI code has not been updated to change the error to - Could not login or something.

A more serious concern would be if you could login with exact same credential on another OS after you found out could not do so from the first one repeatedly. If it was just random because the request was lost then it’s not as serious though because retrying should get you. If the data was lost, you shouldn’t be able to login through any OS/machine even on repeated tries. However regularly logging in through one OS while not from the other would be a strange thing - is this what you are seeing ?

@Shankar @Krishna_Kumar guys can you confirm if it is a frontend bug here ^^^ ? If not i’ll take a look into core library.

1 Like

I think down the line when people learn they really only need to remember one login for SAFE they will get more creative. I have noticed for myself that over the years of using Last pass my master password has become more complex (I also use Yubikey).

Logins have got out of control for most people. Particularly since smartphones have become more common. My poor 87 year old grandmother doesn’t have any room left on her password paper she keeps next to the computer.

I like the feedback (not good enough, good, better) the password section gives you in the launcher when creating a new account.


Yep, Lastpass and Yubikey for me also.

I like this article: Password Security: Why the horse battery staple is not correct


  1. Users don’t need password memorization schemes, they need to be incentivized to use a good password manager.
  1. For the few passwords they do need to memorize, you should focus on making them dictionary-attack resistant, not just strong from an information theory perspective.

Build a Password Manager into the Launcher? ‘Safe Network - It’s the only password you’ll ever need’

It wont populate the clearnet browser, but I would switch to it and manually copy/paste for clearnet.


And I use often keepass, also to generate the password.

Have you heard the phrase “Don’t put all your eggs in one basket.”? I agree there are way too many accounts and passwords floating around but there’s something to be said for having multiple accounts. I have multiple email addresses for a reason. 1. It helps me stay organized. 2. It keeps all the subscription emails out of my actual mail. 3. It helps ward off spam and if all else fails act as a failsafe should I get overloaded with spam on one acccount. If so, my whole email network doesn’t go down with a single account.

To use this as a metaphor if someone had multiple SAFE accounts if for whatever reason one got compromised they could fall back on another. Say god forbid you got hassled by the feds and they ordered you to release your SAFE password. You could log into SAFE but the question is WHICH account do you log into? If someone is literally looking over your shoulder all the encryption in the world won’t protect you.

This is a little harder than you may imagine. I think it requires mirror accounts and filters. The reason being it should show relevant believable recent history. So definitely possible, but not simple and cannot use determinism of any kind to mirror, otherwise it’s detectable.

Recovery mechanisms are important though along with plausible deniability etc.


I have a question about this one… How are these packets stored? Just like other chunks? So each packet is chunked into 3 parts and stored over the network? Or do they get treated differently? it’s a bit off topic, but just curious.

For the 2 passwords, I think that’s a nice solution.

At the moment a single SD packet type 0, they will be split across SD packets, but in any case they are SD:0 right now.