Implement User-Defined "25th Word" Passphrase for Enhanced Wallet Security #26

Open
y4ssi opened this issue Feb 12, 2024 · 2 comments

y4ssi commented Feb 12, 2024

As someone who values keeping my cryptocurrency safe, I believe it's crucial to have robust security measures in place. Currently, the Zashi wallet provides solid security with its 24-word seed phrase. However, I think we can take it up a notch by introducing a feature that allows users to add their own "25th word" passphrase when opening the wallet.

Here's why I think this is important:

Extra Layer of Protection: Adding a custom "25th word" passphrase would give users an additional layer of security beyond the standard 24-word seed phrase. This means even if someone somehow gets hold of the seed phrase, they'd still need the custom passphrase to access the wallet.

User Empowerment: By letting users define their own "25th word" passphrase, we're putting more control in their hands. They can choose a passphrase that's meaningful and memorable to them, making it easier to remember while still keeping their funds secure.

Reduced Risk of Compromise: With this feature, users can ensure that their sensitive information remains safe from unauthorized access. This significantly reduces the risk of compromise and adds peace of mind for users.

Prevents Coercion: In case of coercion, users can utilize the wallet without entering the passphrase, accessing dummy funds instead. This strategy allows users to comply with demands while safeguarding their actual funds, which remain inaccessible without the passphrase. By employing dummy funds, users effectively thwart unauthorized access attempts, enhancing the wallet's security against coercion.

By implementing this enhancement, not only do we enhance the overall security of the Zashi wallet, but we also empower users to take more control over their passphrase security. I believe this would be a valuable addition to our wallet and would greatly benefit our users.

str4d commented Feb 12, 2024

For clarity, "25th word" in this context specifically means a BIP 39 passphrase (which is combined with the mnemonic phrase to derive the master seed of a key tree). Existing wallets use the empty string "" (as specified in BIP 39 when a passphrase is not provided).

> Extra Layer of Protection: Adding a custom "25th word" passphrase would give users an additional layer of security beyond the standard 24-word seed phrase. This means even if someone somehow gets hold of the seed phrase, they'd still need the custom passphrase to access the wallet.

This needs to be more concretely specified: extra layer of protection against what adversary? A few cases off the top of my head:

  • If the adversary is someone who gains access to the phone, then there are other ways that we could achieve an equivalent "layer of protection", such as storing the seed phrase in the phone's keystore protected by the phone's passphrase (or a custom passphrase, but one that is specific to the usage of this seed phrase on this device).
  • If the adversary is someone who gains access to a backed-up (e.g. paper) copy of the seed phrase, then we need to consider two aspects (in addition to whatever other considerations we make for Decide on key and database backup behaviour for 1.0 #20):
    • If users are writing down their 24 words, it is not improbable that they also write down the BIP 39 passphrase, and then there is no extra layer against this adversary.
    • If users don't write down the BIP 39 passphrase, then there is a risk of complete loss of funds if it is forgotten, that needs to be accounted for in the UX of this change.

> User Empowerment: By letting users define their own "25th word" passphrase, we're putting more control in their hands. They can choose a passphrase that's meaningful and memorable to them, making it easier to remember while still keeping their funds secure.

Is the rationale here that because the 24 words are generated for them, they are not necessarily meaningful or memorable? Users are not good at picking secure passphrases, and a BIP 39 passphrase once selected cannot be changed (at least after any wallet address has been given out, because the user might receive funds in that key tree). The mnemonic phrase does provide some level of "passphrase hardening" in that it effectively acts as a salt on the passphrase (ignoring how the BIP 39 seed derivation actually works) that means the adversary can't reuse hash tables, but the inability to rotate is a problem shared by the mnemonic phrase itself, which means that if the BIP 39 passphrase is disclosed even once (or reused by the user in another context like a website account that is subsequently compromised), then it provides no extra layer of protection.

> Reduced Risk of Compromise: With this feature, users can ensure that their sensitive information remains safe from unauthorized access. This significantly reduces the risk of compromise and adds peace of mind for users.

There is no meaningful distinction between this and the "Extra Layer of Protection" rationale; they should be merged. This is also not sufficiently specified:

  • "Sensitive information" can include viewing key material (and thus wallet-private data), which will necessarily be on phones in a way that cannot be protected by a BIP 39 passphrase (it is necessary for scanning), and thus the BIP 39 passphrase cannot have any effect on how that information is protected from unauthorized access.
  • "Risk of compromise" similarly needs to be defined relative to an adversary.

> Prevents Coercion: In case of coercion, users can utilize the wallet without entering the passphrase, accessing dummy funds instead. This strategy allows users to comply with demands while safeguarding their actual funds, which remain inaccessible without the passphrase. By employing dummy funds, users effectively thwart unauthorized access attempts, enhancing the wallet's security against coercion.

This is IMO the primary reason for supporting BIP 39 passphrases. However, unlike with Bitcoin, we run into a problem: Bitcoin fund discovery is very cheap (you can just ask any block explorer to look up the unspent notes controlled by a given address), so in coercion-prevention cases the wallet would never store information about funds associated with BIP 39 passphrase wallets, and would instead look it up on-the-fly. For Zcash, we need to actively scan the chain to find funds, which requires the viewing keys to be accessible. This results in a few different potential situations:

  • The viewing keys are visible in the wallet database (and the adversary can keep using their $5 wrench until you are sufficiently convinced to give them the BIP 39 passphrase).
  • The wallet has to perform "recover from seed" every single time you log into your BIP 39 passphrase wallet (which would require DAGSync at a minimum for discovering and making funds spendable).
  • The wallet implements some kind of "deniable encryption" for the wallet database, which means that background becomes much harder for the default (in this case dummy) wallet, and the BIP 39 passphrase wallet cannot have background sync at all (as in a coercion situation you can't assume you will have time to evict viewing keys from memory), and the wallet has to be able to justify its disk space usage (the "deniable encryption" part) which means increasing disk usage for all Zashi users regardless of whether or not they use BIP 39 passphrases.
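The BIP 39 seed derivation that the comment above refers to (mnemonic plus optional passphrase, with the empty string as the default), as an added example that is not part of the issue thread or of the Zashi code base. The mnemonic used for the demo is the well-known all-"abandon" test phrase; the passphrase list is constructed for illustration.

```python
import hashlib
import unicodedata

# Added example (not Zashi project code): BIP 39 seed derivation, showing where the
# optional passphrase ("25th word") enters. Per BIP 39 the mnemonic is the PBKDF2
# password and the passphrase is appended to the fixed salt prefix "mnemonic";
# 2048 rounds of HMAC-SHA512 produce a 64-byte seed.

PBKDF2_ROUNDS = 2048
SEED_LEN = 64  # bytes


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 512-bit BIP 39 seed from a mnemonic and an optional passphrase.

    The empty string is what existing wallets use when no passphrase is given,
    so bip39_seed(m) == bip39_seed(m, "") is the "default" (decoy) wallet.
    """
    # BIP 39 requires NFKD normalisation of both inputs before hashing.
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, PBKDF2_ROUNDS, dklen=SEED_LEN)


def passphrase_wallets(mnemonic: str, passphrases: list[str]) -> dict[str, str]:
    """Map each candidate passphrase to the hex seed it yields for one mnemonic.

    Every distinct passphrase (including "") selects an unrelated key tree. That is
    what makes the dummy-wallet coercion pattern possible, and also why a forgotten
    passphrase means the funds in that tree cannot be recovered from the 24 words.
    """
    return {p: bip39_seed(mnemonic, p).hex() for p in passphrases}


# Constructed demo input: the standard all-"abandon" BIP 39 test mnemonic.
DEMO_MNEMONIC = " ".join(["abandon"] * 11 + ["about"])

if __name__ == "__main__":
    # Constructed passphrase candidates; "" is the default wallet.
    for p, seed_hex in passphrase_wallets(DEMO_MNEMONIC, ["", "TREZOR", "correct horse"]).items():
        print(f"passphrase={p!r:16} seed={seed_hex[:16]}...")
```

Note that the salt, not the password, carries the passphrase, so the mnemonic's entropy is what resists offline guessing of the passphrase; a weak passphrase paired with a disclosed mnemonic gives the adversary a cheap search.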

daira (Contributor) commented Nov 7, 2024

> the rationale here that because the 24 words are generated for them, they are not necessarily meaningful or memorable? Users are not good at picking secure passphrases, and a BIP 39 passphrase once selected cannot be changed (at least after any wallet address has been given out, because the user might receive funds in that key tree).

To me the motivation for a 25th word is to provide time to move funds. That is, if you know you've been burgled then you create a new wallet and transfer all the funds from your old wallet. But if the burglar has the whole seed, you might find that your wallet has been emptied out before you can do that.

In theory, you can do that just by not writing down all of the words. But then you are constrained to only using some sequence of BIP 39 words as the thing you need to remember. You are far more likely to forget that, especially over the long term when you're not using it regularly, than a passphrase you've decided on yourself.
