Author

Topic: Blockchain Wallet API: Generating New Address and Second Password (Read 2523 times)

legendary
Activity: 3682
Merit: 1580
Hi,

I do not know if here is the right forum, but i submitted here anyway...

I'm developing a web application integrated with Blockchain wallet API. The application needs to generate new address automatically for each order. Your wallet api offers creating new addresses (which is great) but the problem is it requires second password to proceed. It means developers need to write the second password in their script which i think it is not a very wise decision. Second password should only be needed for transactional (sending btc out of wallet) and account management actions (changing email/password). Generating new addresses is sure not one of them. Hackers can do no harm by generating new addresses. The most important is the wallet balance safe when the main password is compromised. By forcing applications to send second password for generating new address, is increasing chance for hackers to find the second password and gain full control of the wallet.

Please consider to remove second password for generating new address. Most ecommerce applications need to generate addresses automatically without risking their second password will be stolen by hacker when their server are compromised. Second password should be held by wallet's owner safely and only be needed when making outgoing transfers.

Thanks.

If you are worried about security look into generating addresses using Electrum MPK. Your private keys will never touch the web server and it'll be much more secure than relying on a third party. There are a few implementations that you can refer to:

https://github.com/prusnak/addrgen

http://wordpress.org/plugins/bitcoin-payments-for-woocommerce/

full member
Activity: 173
Merit: 100
here is official api docs you should read it https://blockchain.info/api/api_receive
full member
Activity: 173
Merit: 100
No password required

yes of cause, no password required for create a new receiving address
hero member
Activity: 910
Merit: 1005
Unfortunately this isn't possible with our current setup. The newly generated address needs to be encrypted with the second password before it can be inserted into the wallet. It would be possible to leave the key unencrypted and encrypt it on next login but that feature is not available at the moment.
newbie
Activity: 59
Merit: 0
No password required

i'm pretty sure password is required.

Code:
curl "https://blockchain.info/merchant/{identifier}/new_address?password={mypassword}&label=test"
{"error":"Second Password Incorrect"}

maybe you've mistaken with Blockchain Receive Payments API which can be used without an account. What Im referring is Blockchain Wallet API
newbie
Activity: 35
Merit: 0
No password required
newbie
Activity: 59
Merit: 0
Hi,

I do not know if here is the right forum, but i submitted here anyway...

I'm developing a web application integrated with Blockchain wallet API. The application needs to generate new address automatically for each order. Your wallet api offers creating new addresses (which is great) but the problem is it requires second password to proceed. It means developers need to write the second password in their script which i think it is not a very wise decision. Second password should only be needed for transactional (sending btc out of wallet) and account management actions (changing email/password). Generating new addresses is sure not one of them. Hackers can do no harm by generating new addresses. The most important is the wallet balance safe when the main password is compromised. By forcing applications to send second password for generating new address, is increasing chance for hackers to find the second password and gain full control of the wallet.

Please consider to remove second password for generating new address. Most ecommerce applications need to generate addresses automatically without risking their second password will be stolen by hacker when their server are compromised. Second password should be held by wallet's owner safely and only be needed when making outgoing transfers.

Thanks.
Jump to: