Support Trezor passphrase when creating wallet about multibit-hardware HOT 6 CLOSED

There would be no password recovery when users use this option.
Do we really want to support it ?

from multibit-hardware.

I agree it is a very dangerous option. Regardless of password recovery, even if you had your seed phrase but forgot the pass phrase then your bitcoins are gone. This negates the premise of just having to look after a seed phrase.

I'm not convinced this needs to be done so I'll move this issue into discussion and see if we get a demand for implementation from the community.

from multibit-hardware.

I'd like to see this implemented like it is on the myTrezor site ideally - in that the password is used as the seed to the device and thus the device can be any number of wallets.

Currently Multibit HD freezes when connecting to a Trezor with the passphrase enabled. The screen on the Trezor asks to enter the password.

I feel explaining how other software implemented this is worth a mention... This proper implementation does not work with Electrum - it recognizes that the wallet isn't the same that it was created with if you use a different password when reopening (probably sees saved, mismatching addresses?) Thus, the $5 wrench attack (see documentation above) becomes a threat - someone asking you for your password can tell that you gave them the wrong one.

Electrum DOES however allow you to easily create the wallet from the hardware device and passphrase as a new wallet - allowing for a way to spend funds in the case that myTrezor is unavailable. At a minimum that should be supported yet explained. Actually, if password is enabled, it might be wise to behave like myTrezor, and give the option to erase all record of the wallet when disconnecting OR save a copy as watch-only while disconnected. I prefer it to just always erase every trace.

from multibit-hardware.

Thanks for reporting the freeze up bug. I've added an issue to MultiBit HD to cover the freeze up when a passphrase-enabled Trezor is detected. In the first instance this will explain why passphrases are not supported.

Just for clarity I'll summarise your additional use case requirements:

1. User attaches an initialised Trezor with passphrase and sees the normal Trezor Credentials wizard after startup
2. User enters their PIN (optional) and passphrase (mandatory)
3. User confirms the deterministic unlock code
4. MultiBit HD builds the wallet from BIP39 + passphrase and proceed as normal
5. User sets a configuration parameter to secure erase the wallet on exit
6. During Exit MultiBit HD secure erases the wallet

There is an argument for the "erase every trace" option which would allow for plausible deniability of use of another's machine. For example one could attach a passphrase-enabled Trezor and then rely on MultiBit HD securely erasing the wallet. This argument is weakened by these factors:

• MultiBit HD wallets are fully AES encrypted
• key- and USB-logging software being installed a priori by those wishing to build a case against the user
• user loses credibility by attempting to cover their tracks (weak I know)

In general, anyone with the level of sophistication required to adequately cover their tracks would rely on external tools to perform the secure delete so it isn't really necessary for MultiBit HD to provide this.

Overall though, what you are proposing (passphrase support) is an advanced use case that only very few people will use. The overwhelming majority of mainstream users will not use a Trezor (against our recommendation that they should for balances over $500). Of those that do many are unlikely to apply an additional passphrase for fear of losing access to their bitcoin due to the additional complexity.

Given that there is a lot of additional work to be done to support this and we're currently maxed out on the Beta 8, 9 and Release milestones I don't see this happening any time soon.

from multibit-hardware.

Note also that as MultiBit HD uses a direct connection to Bitcoin Core nodes the first time it syncs a Trezor wallet it has to sync from a date earlier than the first ever Trezor wallet. This is slow. It can take 30 minutes.
By erasing the encrypted wallet you'd have to redo this every time rather than syncing from the last block seen, which is much quicker.

from multibit-hardware.

Closing as our policy is to not support passphrase-enabled Trezor devices out of concerns for users losing their passphrase thus negating the benefits of HD "wallet words".

from multibit-hardware.