Why is the Daedalus wallet enforcing provably less secure password requirements?

Hey I love this project… but team, this is a mega fail on the password requirements on the Daedalus wallet. Requiring an uppercase, a lowercase, a number, etc. is provably less secure than just a long sequence of random words… It is a relatively small thing, but it kind of creates some cognitive dissonance for me, since my understanding is that the entire point of this project is that it is peer reviewed by the scientific community, etc.

Someone on the team should read this, and then the obvious question becomes why enforce a provably less secure password requirement. Sure, a decade ago this was probably a decent heuristic, but even Forbes is writing about this stuff now.

I would much prefer to have an easy-to-remember, very secure password than a hard-to-remember, relatively speaking less secure password. It just doesn’t make sense.

I’m not expecting this to get changed, but I was mostly just REALLY surprised. This is an $18B cryptography project and this is kind of like first year undergrad college crypto 101…

Love to hear any thoughts here.


I agree. I have commented the same observations on this thread (in addition to locking the wallet on startup). Security feature request: Lock wallet on open

Hello, can you direct me to a link for the wallet please? Thanks.

The linked illustration compares 28 vs 44 bits of entropy assuming that hackers let their computers guess arrangements of arbitrary characters.
But what if there is a smart guy using the ~250k known words in English?
I’m with you that certain combo rules like one upper + one numeric + min length wouldn’t support those of us having a certain method for safe passwords. But the main question should be how to ensure that people are not going to use one of the top 100, or something like mycardanopass or 1029384756.

There is nothing stopping someone from using a super secure, complex sequence of random numbers and letters. The uppercase, lowercase, number, etc… is only a minimum requirement that the average person is accustomed to. A super techy geek can still use their complex Apple Keychain passwords that are like kdG56$-p0sFb39-jxRL6T, which still meets the requirements.

Will the wallet accept a long sequence of random words? Have you tried it?
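As an added example (not from this thread and not Daedalus code), here is the arithmetic behind the 28-vs-44-bit comparison, the ~250k-word case raised above, and a blocklist-plus-entropy check of the kind the thread asks for instead of a fixed character-class rule. The 44-bit figure already assumes the attacker knows the 2048-word list, so using the ~250k-word English vocabulary raises the figure rather than lowering it. The word list, blocklist, guess rate and thresholds are constructed stand-ins; the character-class estimate is flagged in the code as an upper bound, because a human-chosen string like Tr0ub4dor&3 looks strong to a charset count but weak to a dictionary-plus-substitution guesser.

```python
import math
import re
import secrets

# Constructed stand-in for a diceware-style list (assumption; a real list has thousands of words).
WORDLIST = ["correct", "horse", "battery", "staple", "cardano", "wallet", "ledger", "stake"]
# List sizes used in the estimates: 2048 is the comic's figure (2^11); ~250k is the
# English-vocabulary figure quoted in the thread.
XKCD_LIST = 2048
ENGLISH_LIST = 250_000
# Tiny constructed blocklist; a deployment would use a large breached-password list.
BLOCKLIST = {"password", "123456", "1029384756", "mycardanopass", "qwerty123"}
# Common leetspeak substitutions, undone before the blocklist check.
LEET = str.maketrans({"0": "o", "4": "a", "3": "e", "5": "s", "$": "s", "@": "a"})


def passphrase_bits(n_words: int, list_size: int) -> float:
    """Entropy of n words drawn uniformly at random from a list the attacker knows."""
    return n_words * math.log2(list_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every possibility at the given guess rate."""
    return 2 ** bits / guesses_per_second


def charset_bits_upper_bound(s: str) -> float:
    """Brute-force bits over the character classes present. For human-chosen strings this is
    only an upper bound: 'Tr0ub4dor&3' scores ~72 here but ~28 against a dictionary guesser."""
    size = 0
    if re.search(r"[a-z]", s):
        size += 26
    if re.search(r"[A-Z]", s):
        size += 26
    if re.search(r"[0-9]", s):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", s):
        size += 33
    return len(s) * math.log2(size) if size else 0.0


def meets_class_rule(pw: str, min_len: int = 10) -> bool:
    """Rule of the kind the thread describes: lowercase + uppercase + digit + minimum length."""
    return (len(pw) >= min_len
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None)


def normalized_base(pw: str) -> str:
    """Lowercase, undo leet substitutions, drop non-letters: 'Passw0rd12' -> 'password'."""
    return re.sub(r"[^a-z]", "", pw.lower().translate(LEET))


def entropy_policy(pw: str, min_bits: float = 44.0) -> tuple:
    """Alternative policy: reject known-bad values (raw or de-leeted), then require an entropy
    estimate >= min_bits, crediting word passphrases at the conservative 2048-word rate."""
    if pw.strip().lower() in BLOCKLIST or normalized_base(pw) in BLOCKLIST:
        return False, "blocklisted"
    words = pw.split()
    if len(words) >= 2 and all(w.isalpha() for w in words):
        bits = passphrase_bits(len(words), XKCD_LIST)
    else:
        bits = charset_bits_upper_bound(pw)
    return bits >= min_bits, f"{bits:.1f} bits"


def generate_passphrase(n_words: int = 4, wordlist=WORDLIST) -> str:
    """Draw words with a CSPRNG; the entropy estimate holds only for passphrases chosen this way."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    for label, bits in (("comic-style substituted word", 28.0),
                        ("4 words from 2048", passphrase_bits(4, XKCD_LIST)),
                        ("4 words from ~250k", passphrase_bits(4, ENGLISH_LIST))):
        days = seconds_to_exhaust(bits, 1000) / 86_400  # 1000 guesses/s, an online-attack rate
        print(f"{label:30s} {bits:5.1f} bits  {days:12.1f} days at 1000 guesses/s")
    for pw in ("correct horse battery staple", "Passw0rd12", "1029384756", "mycardanopass"):
        print(f"{pw!r}: class rule={meets_class_rule(pw)}, entropy policy={entropy_policy(pw)}")
```

Run as a script, it prints the time-to-exhaust figures for the three models and then shows the two policies disagreeing: the character-class rule accepts Passw0rd12 and rejects the four-word passphrase, while the blocklist-plus-entropy check does the reverse.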