Update 4 November 2021

I’m in love with the design, it looks so nice!!!

7 Likes

It’s a good question. My answer is it’s about marketing, when you ‘call’ launch. The last testnet when SNT is declared real isn’t launch, but it is when the network is considered good enough to launch.

What ‘launch’ is and what needs to be in place for it is, I think, a marketing decision. So we need to have the things in place for whoever ‘launch’ is aimed at.

What that means, I don’t know, but personally I think good UI & UX are essential to adoption and success. We can be spreading the word before that, but we need to decide what launch means too.

4 Likes

This could use a “Pin”:

  • it can be optional, no need for the user to ever use it, or even take notice of it
  • it can be created as an ECC code of the password. Yeah yeah, I know, error correcting code code
  • generated at the time of password entry, the first time and every time after.
  • If the user has memorised the pin, then from the pin showing at the time of password entry the user will see they made a mistake. The user could enter the correct pin and the code will attempt an ECC correction on the password before using it to access the account.
  • since the ECC will be correcting one or 2 chars (or more if anyone thinks it’s worth the risk / bigger password needed), then as long as the user’s password is long enough the pin could be written down and placed in a wallet (or tattooed LOL), since it will not help in breaking the password, other than allowing a couple of chars of error in brute forcing.

But it would save much heartache with those virtual keyboards getting the wtpng (wrong) characters sometimes.

3 Likes
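Added example to make the “pin” idea concrete; this is not the poster’s code and the post leaves the check-code construction open, so a truncated hash of the password stands in for the ECC pin, and PBKDF2 stands in for whatever slow derivation the account really uses (both assumptions). The pin is cheap to compute, so the client uses it to prune the single-character corrections before spending the slow derivation on the survivors; `search_reduction_bits()` gives the flip side the poster touches on, namely that a written-down four-digit pin lets anyone holding it discard all but about one in ten thousand guesses before the slow step, which is the cost to weigh against the convenience.

```python
import hashlib
import math
import string

# Constructed example, not the forum poster's design: the post leaves the check-code
# construction open, so a truncated hash of the password stands in for the "ECC pin".
PIN_DIGITS = 4
KDF_ITERATIONS = 50_000          # assumed work factor for the account verifier
ALPHABET = string.ascii_letters + string.digits + string.punctuation + " "


def pin_for(password: str) -> str:
    """Short check code shown to the user at password entry time."""
    digest = hashlib.sha256(password.encode("utf-8")).digest()
    return str(int.from_bytes(digest[:8], "big") % 10**PIN_DIGITS).zfill(PIN_DIGITS)


def make_verifier(password: str, salt: bytes) -> bytes:
    """Slow KDF output stored for the account (stands in for the real key derivation)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, KDF_ITERATIONS)


def one_char_variants(typed: str):
    """Every string at substitution distance 1 from what was typed."""
    for i, original in enumerate(typed):
        for c in ALPHABET:
            if c != original:
                yield typed[:i] + c + typed[i + 1:]


def login(typed: str, pin: str, salt: bytes, verifier: bytes):
    """Return (accepted_password, kdf_calls). The pin prunes candidate corrections so the
    slow KDF runs only on the few variants that carry the same check code."""
    kdf_calls = 1
    if make_verifier(typed, salt) == verifier:
        return typed, kdf_calls
    for candidate in one_char_variants(typed):
        if pin_for(candidate) != pin:
            continue
        kdf_calls += 1
        if make_verifier(candidate, salt) == verifier:
            return candidate, kdf_calls
    return None, kdf_calls


def search_reduction_bits() -> float:
    """How much a pin narrows a guessing search: it filters candidates by a PIN_DIGITS-digit
    check before the slow step, i.e. log2(10**PIN_DIGITS) bits (about 13.3 for four digits)."""
    return math.log2(10**PIN_DIGITS)


# Constructed sample: one mistyped character, as a virtual keyboard might produce.
SALT = b"constructed-salt"
PASSWORD = "correct horse battery staple"
TYPED = "correct horse bat7ery staple"

if __name__ == "__main__":
    verifier = make_verifier(PASSWORD, SALT)
    accepted, calls = login(TYPED, pin_for(PASSWORD), SALT, verifier)
    print("accepted:", accepted, "after", calls, "KDF calls")
    print("pin narrows a search by about %.1f bits" % search_reduction_bits())
```

Without the pin the same correction would need the slow derivation on every one of the ~2,600 single-character variants; with it, only the handful that share the check code are tried.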

This actually confuses me:
[image]

‘Password or Key’. So I might think these are 2 different things, then I look below ‘Enter Your Password’, so yes 2 different things, here I need to type the Password. So where should I type the Key?

So I would use one term here and maybe get rid of ‘Password’ and just use ‘Key’. Then it is also less confusing with ‘Passphrase’.

2 Likes

Hi everyone,

Been jumping in and out of here for a few months (there’s so much history on this project I am far away from feeling like I am up to speed).

The progress I have seen just in these few months has been amazing,

Very impressed with the core principles that are clearly evident in all the topics of discussion to deliver the truest to form result.

No compromises!

Happy to support this project in any way I can even if that is simply offering user data for testing.

And on that note, my reason for actually posting a note today is a thought that occurred to me that is worth checking up on.

My Thought
Ok so today there is a strong focus on the safe creation and credentials.

This got me thinking of ways this could potentially be leveraged by individuals or groups with nefarious intentions later on.

This is a two-fold thought, so firstly:

1- What happens to people’s accounts that are ultimately “lost”?

Naturally, due to the decentralised service, there should technically be no back door into any given safe correct?

Do these accumulate over a large amount of time?
Do safes have a lifespan, i.e. must they be accessed to avoid deletion?
This may be a feasible solution, but then perhaps this could also be a drawback. I’m putting the far-out conceptualisation hat on to consider a scenario whereby valuable data is lost due to a time limit, no matter how benign it is.
Mayhaps someone important is in a coma for many years or something :slightly_smiling_face:

2- Could the “safe” creation be used to attack the very platform itself in order to cripple it such as mass user creation with large “data dumping”?

I’m thinking the clear solution to this was already conceived with the safe tokens?

Having to pay to attack the platform doesn’t sound too appealing, though could still be a factor to consider when you think about how lucrative cloud storage is as a paradigm.

Anyways, keep up the great work MaidSafe and congratulations on your promotions Jim and Josh :slight_smile: :+1:

11 Likes

I would hope that this is all on the app-side of things rather than the network. If it is, then I doubt it would slow network development down, and we’ll probably get more testnets without multiple passwords. I’m not sure though.

3 Likes

These are good ideas. One thought is that she uses her desktop quite a bit so can a device key be created for her desktop? Also can two factor authentication be used? That is you confirm with your phone in order to log in to another device? Combined with the QR code this might make logins simpler.

1 Like

Iirc this has already been addressed. Having huge servers doesn’t help as the network favors and awards more tokens to smaller individual nodes. And having to pay to upload inhibits upload spam further. I believe there are other safeguards in place but from my understanding carrying out a DDoS attack on the network would be prohibitively expensive to impossible.

:thinking: I’ve not seen the exact definition of the key to be sure, but I’m thinking it’s something like xor, and is that roughly huge hex^62?

I wonder if the problem centres on reducing that huge number, in a number of ways that are accessible.

Above, I don’t see mention of thumbprint, but that seems to be roughly 1 in 50,000 unique. Where it exists it could be leveraged?

I’m not sure just yet what other options might be… and thumbprint/fingerprint, I don’t know, may spawn one of a few prints recognised and confuse any match to remembered data? Still, perhaps there are options to mix what is simple to reduce with what is strings of words, of a kind that need storing elsewhere.

Perhaps this is for beyond the initial options… face recognition and other unique characteristics that can reduce to a number… could be options to help divide that huge number into something small and simple?.. a combination of diff and parity could mop up the difference… the user choosing from a small set of pictures given captures might work to a point.

Thinking then one method is more complex than the mix of many… or even a few.

colourless green ideas sleep furiously… which is what I should be doing at 5am!

Edit: another perhaps is what you know… a location on the globe, and navigating to that might cut three words (what3words)?.. rotating the world is not enough, but zoom to a 3ft square you know that is not obvious to others; an interface as simple as Rotate the World with additions to zoom like google earth???

2 Likes

Password and passphrase are each turned into a KeyShare using PBKDF2?

I also like your “Key” terminology a lot. It fits nicely with the personal “safe” to store valuables and is perhaps more intuitive. Key, safe, lock, and unlock are great verbiage for the layman. So in that case the user needs to supply 2/3 or n/m “keys” to unlock their safe. To keep the terminology consistent these could be called your “keyword/keyphrase” or more generic “word-key”, “phrase-key”, “device-key”.

Regardless of terminology choice you want to always keep it consistent imo. For the QR code you go with “QR-key”, biometrics give a “bio-key”, and then there is yubi-key, port-key, paper-key, hardware-key etc. The more I think of it the more I find that the use of “keys” is preferable to numerous “passes”. Keys are something an individual owns and uses, whereas a “pass” is a permission often given by a central authority that is easily revoked.

17 Likes
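Added example of one way the “2/3 keys unlock the safe” model above could be realised; it is not the project’s design and not code from this thread. The assumptions: a random root secret is split with Shamir’s 2-of-3 scheme over a prime field; the word-key and phrase-key shares are wrapped with masks stretched by PBKDF2 (as the question above asks) from the password and passphrase; the device-key share stays on the device. Any two of the three recover the root, a wrong credential yields nothing, and no single stored item reveals the root.

```python
import hashlib
import os
import secrets

# Added example, not the project's scheme. Assumptions: Shamir 2-of-3 over GF(P),
# PBKDF2-wrapped shares for the word-key and phrase-key, a raw share for the device-key.
P = 2**521 - 1                 # Mersenne prime comfortably larger than a 256-bit secret
PBKDF2_ITERATIONS = 100_000    # assumed work factor, not a project setting
MASK_BYTES = 66                # 528 bits, enough to cover any field element below P


def derive_mask(secret_text: str, salt: bytes) -> int:
    """Stretch a password or passphrase into a mask wide enough to wrap one share."""
    return int.from_bytes(
        hashlib.pbkdf2_hmac("sha256", secret_text.encode("utf-8"), salt,
                            PBKDF2_ITERATIONS, dklen=MASK_BYTES), "big")


def split_secret(secret: int, n: int = 3) -> list:
    """Shamir 2-of-n: random line f(x) = secret + a*x over GF(P); share i is (i, f(i))."""
    assert 0 <= secret < P
    a = secrets.randbelow(P)
    return [(x, (secret + a * x) % P) for x in range(1, n + 1)]


def recover_secret(share_a, share_b) -> int:
    """Lagrange interpolation at x = 0 from any two shares with distinct x."""
    (x1, y1), (x2, y2) = share_a, share_b
    inv = pow((x2 - x1) % P, -1, P)
    return (y1 * x2 - y2 * x1) * inv % P


def create_safe(password: str, passphrase: str):
    """Return (root_secret, stored_record, device_share); the device share never leaves the device."""
    root = int.from_bytes(os.urandom(32), "big")
    salt_pw, salt_pp = os.urandom(16), os.urandom(16)
    (x1, y1), (x2, y2), device_share = split_secret(root)
    record = {
        "salt_pw": salt_pw,
        "salt_pp": salt_pp,
        "word_key": (x1, y1 ^ derive_mask(password, salt_pw)),
        "phrase_key": (x2, y2 ^ derive_mask(passphrase, salt_pp)),
        # lets unlock() tell a wrong credential from a right one without exposing root
        "check": hashlib.sha256(root.to_bytes(32, "big")).digest(),
    }
    return root, record, device_share


def unlock(record, password=None, passphrase=None, device_share=None):
    """Any two of word-key, phrase-key and device-key recover the root; otherwise None."""
    shares = []
    if password is not None:
        x, wrapped = record["word_key"]
        shares.append((x, wrapped ^ derive_mask(password, record["salt_pw"])))
    if passphrase is not None:
        x, wrapped = record["phrase_key"]
        shares.append((x, wrapped ^ derive_mask(passphrase, record["salt_pp"])))
    if device_share is not None:
        shares.append(device_share)
    if len(shares) < 2:
        return None
    candidate = recover_secret(shares[0], shares[1])
    if candidate >= 2**256:
        return None   # a wrong credential produces a garbage share; reject early
    if hashlib.sha256(candidate.to_bytes(32, "big")).digest() != record["check"]:
        return None
    return candidate


if __name__ == "__main__":
    root, record, device = create_safe("word-key example", "phrase key example words")
    print(unlock(record, password="word-key example", device_share=device) == root)
    print(unlock(record, password="wrong", device_share=device))
```

The hash in `check` only confirms a correct recovery; guessing the 256-bit root through it is not feasible, and the slow step on a wrong password is the PBKDF2 call, so the stored record does not give a cheaper oracle than the credentials themselves.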

The ergonomic keys are a welcome addition to the usability.

I’m not sure if was mentioned before, but I wonder if the concept of “mnemonics to key” could be extended for XOR URLs? People could memorize immutables.

Also, the same concept could be an addition to the name resolution system. For example, a site would have an NRS name like safe://my.site and an immutable-automatically-generated backup name like safe://wing-reward-sniff-flip-snake-fork-discover-truck-advance-sadness-slim-cash.

Just an idea, but anyways great work.

9 Likes

Great suggestions. I always found password and passphrase rather confusing. By calling everything something with key, like “word-key” and “phrase-key”, it becomes much clearer that they’re just keys that can be used to unlock the safe and that a safe may need multiple keys to unlock. It then becomes very similar to actual safes, which also can require multiple different keys to unlock, such as several regular physical keys or a key in addition to a keycode.

6 Likes

I was thinking the same thing. NRS, XOR, or mnemonic to access content. Could be fun.

4 Likes

very nice!

Personally, I like the SN team to post updates every week, because this is very good information for me. Through this, I really like that developers communicate freely with community members. I think this is not a report on development, but an effort of the SN team to share development progress with community members. To me, this seems to be the truth of the SN team.

I would be very happy if the SN team liked this. But for the SN team, this can be hard, because a week is too short to complete a new development, and if the plan changes for some reason, it may be necessary to re-develop it in a different direction. It seems difficult to explain all these changes in very technical detail.

Therefore, I think this is not focused on new development, but on giving new information to community members. With this thought, I was able to relieve my impatience a little.

In this respect, it may be good for the team to explain the update once every two weeks or a month.

But I joined this community late, so I don’t know what has happened to this tradition.

8 Likes

Very true, but the way around this is to split the team updates into four main groups, so each group is reporting once a month, offset by a week each (or some analogous interleaved schedule). I surmise/presume, based on how they have kept the weeklies flowing so consistently with many different developments, that they have taken a similar approach.

5 Likes

Nice, Congratulations!

I find password reminders useful…!

“birthdays: mine, my wife’s and son’s + my first car’s number plate”

AMAZINGGGG

Can’t wait to use the APP

1 Like

It’s an interesting idea!

Thinking it through though, isn’t the concept of W3W making something which is inherently hard to do—pinpoint a 3x3m square on a map—into something easy by making it a pronounceable and typeable phrase?

Using the hard part of that equation—putting a pin in a map—would likely be quite time-consuming and have its frustrations, possibly to the point of being impossible. Imagine if your 3m square was somewhere in the Atlantic Ocean?

Unless it was not random, but a pinpoint selected by the user. But then that becomes inherently insecure, because folk would inevitably choose their home, or a familiar landmark etc.

Funnily enough, when designing this proposal, I did actually take a look at W3W as a possibility for the passphrase scheme and wordlist. However, even with the globe split into 3m squares, you only get around 45 bits of entropy, which isn’t enough for our purposes. And the word list chosen by W3W has been quite heavily criticised because it uses words that look similar, are very close in spelling, and are sometimes pronounced the same.

So, contrasting that with the BIP39-based phrase which I’ve been using in this example: with a 12-word phrase we get 128 bits of entropy, words that are unique from their first 3 letters (meaning type-ahead is very efficient), carefully selected so as not to clash, available in 10 languages, and it also has a checksum, so instant typo feedback. It’s pretty sweet.

The obvious advantage in W3W would be easier memorability, but at a significant cost of entropy. We could reduce the number of words in our phrase scheme to try and improve memorability, by vastly increasing the word list, but that would be at the cost of most of the advantages I’ve listed above.

So, I think it’s best to think of the Passphrase as something you have rather than something you know (even though it could be memorised if you were really in a pinch) and then focus on it being efficient and reliable to input.

What I would say though, is that the term password is very useful from a recognition POV, as people instantly know what to expect, how to use it, that it is secret and shouldn’t be shared, that it’s chosen by them etc. Whereas Passkey would need explaining… inevitably we’d say “this is just like a password”, which would beg the question…

1 Like
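Added example to back the two numbers in the reply above (about 45 bits for 3m squares over the Earth’s surface, 128 bits for a 12-word BIP39 phrase) and to show the BIP39 checksum that gives the “instant typo feedback”. This is not code from the thread or the project; it works on 11-bit word indices instead of the 2048-word list (which is not embedded here), and the Earth surface area it uses is the usual ~510 million km² figure.

```python
import hashlib
import math

# Added example, not code from the forum post. Word indices stand in for the BIP39 word list.
EARTH_SURFACE_M2 = 510_072_000 * 1_000_000   # ~510 million km^2


def w3w_entropy_bits(square_side_m: float = 3.0) -> float:
    """log2 of the number of distinct squares of the given side that cover the Earth."""
    return math.log2(EARTH_SURFACE_M2 / square_side_m**2)


def bip39_entropy_bits(word_count: int) -> int:
    """Each word carries 11 bits; 1/33 of the total is checksum, the rest is entropy."""
    total = 11 * word_count
    return total - total // 33


def bip39_word_indices(entropy: bytes) -> list:
    """BIP39 encoding: append the first ENT/32 bits of SHA-256(entropy) as a checksum and
    split the result into 11-bit word indices (16 bytes -> 12 words, 32 bytes -> 24)."""
    ent_bits = len(entropy) * 8
    cs_bits = ent_bits // 32
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    bits = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    total = ent_bits + cs_bits
    return [(bits >> (total - 11 * (i + 1))) & 0x7FF for i in range(total // 11)]


def bip39_indices_valid(indices: list) -> bool:
    """Recompute the checksum from the entropy part and compare with the trailing bits."""
    total = 11 * len(indices)
    cs_bits = total // 33
    ent_bits = total - cs_bits
    bits = 0
    for idx in indices:
        bits = (bits << 11) | idx
    entropy = (bits >> cs_bits).to_bytes(ent_bits // 8, "big")
    expected = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    return (bits & ((1 << cs_bits) - 1)) == expected


def single_word_typo_detection_rate(entropy: bytes) -> float:
    """Fraction of single-word substitutions (each word swapped for a neighbouring index)
    that the checksum rejects; around 15/16 for a 12-word phrase with its 4-bit checksum."""
    indices = bip39_word_indices(entropy)
    rejected = 0
    for i in range(len(indices)):
        corrupted = list(indices)
        corrupted[i] ^= 1
        rejected += not bip39_indices_valid(corrupted)
    return rejected / len(indices)


if __name__ == "__main__":
    print("W3W 3m squares: %.1f bits" % w3w_entropy_bits())
    print("BIP39 12 words: %d bits, 24 words: %d bits"
          % (bip39_entropy_bits(12), bip39_entropy_bits(24)))
    sample = bytes(range(16))   # constructed entropy, not a real seed
    print(bip39_word_indices(sample), bip39_indices_valid(bip39_word_indices(sample)))
    print("single-word typo detection: %.2f" % single_word_typo_detection_rate(sample))
```

The checksum is only 4 bits on a 12-word phrase, so roughly one in sixteen single-word errors slips through; that is why the list’s words being distinguishable from their first letters matters as much as the checksum for input reliability.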