Topic: [question] Password protected qr codes with sensitive info (Read 219 times)

newbie
Activity: 17
Merit: 1
QR code? Yes, it is possible and a way for you to make any platform easier to access just by scanning a QR code to sign in. But this is not as secure as I was thinking, due to possible loss of the QR code copies or their being taken by someone else who then accesses your account. So the traditional access by inputting a password or key would still be ideal.
hero member
Activity: 1722
Merit: 801
Trying to protect sensitive information is good, but Antonopoulos warned (and I think he is right) not to try anything that exceeds your ability and if your tries don't help you manage the whole process. Simple protection is good if you keep all things safely and secretly. Complicated protection does not mean better protection with regard to the recovery process.

Crypto security: Passwords and Authentication (Livestream -aantonop)
legendary
Activity: 3472
Merit: 10611
Isn't this what bip39 was for?
I think you mean BIP-38

BIP 39 also has an optional passphrase option (usually as the 13th/25th word), even though I think it requires a large QR code.
But that does NOT encrypt your mnemonic, it just extends it. Also considering the fact that PBKDF2 is a weak KDF and on top of that a very low iteration count (<10mil) is used, it is not really providing decent security.

The QR code size is not that big though.
Here is the last test vector of BIP39 with 24 words: https://i.imgur.com/eSdMuMA.jpg
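To illustrate the point made in the post above, that the BIP39 passphrase extends the mnemonic rather than encrypting it, here is an added example (not part of the original thread). It uses the BIP39 seed derivation (PBKDF2-HMAC-SHA512, 2048 iterations, salt `"mnemonic" + passphrase`); the function names and the sample passphrases are assumptions made for illustration, and the mnemonic is the public all-"abandon" test phrase.

```python
import hashlib
import unicodedata

# Constructed sample input: the public BIP39 test mnemonic, never a real wallet.
MNEMONIC = "abandon " * 11 + "about"
BIP39_ITERATIONS = 2048  # fixed by the BIP39 specification


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 64-byte BIP39 seed from a mnemonic and optional passphrase."""
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, BIP39_ITERATIONS, dklen=64)


def qr_text(mnemonic: str) -> str:
    """Text a plain mnemonic QR code carries. The passphrase never enters it,
    so the words are readable by anyone who scans the code."""
    return mnemonic


def seeds_for(mnemonic: str, passphrases: list[str]) -> dict[str, str]:
    """Map each candidate passphrase to the hex seed it produces.
    Every passphrase yields a valid seed: there is no 'wrong passphrase' error,
    and the only cost per guess is one 2048-iteration PBKDF2 run."""
    return {p: bip39_seed(mnemonic, p).hex() for p in passphrases}


if __name__ == "__main__":
    print("QR payload (plaintext):", qr_text(MNEMONIC))
    # Hypothetical passphrases, constructed for this example.
    for phrase, seed in seeds_for(MNEMONIC, ["", "TREZOR", "hunter2"]).items():
        print(f"passphrase={phrase!r:10} seed={seed[:16]}...")
```
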
legendary
Activity: 2702
Merit: 3045
You can save up to 3kb of data on a QR Code depending on the level of error correction you choose. Since you are going to save highly sensitive data then you should opt for the highest error correction level to ensure keeping your encrypted private key/seed safe.
I have to agree with the replies above. The security of your funds here relies only on the encryption type you will use and I don't see the benefit of storing the encrypted data on a QR Code.
copper member
Activity: 2856
Merit: 3071
Isn't this what bip39 was for?
I think you mean BIP-38

BIP 39 also has an optional passphrase option (usually as the 13th/25th word), even though I think it requires a large QR code.

It probably depends on how you store it and how big the encryption text is.

A standard 12 word seed could take up less space if encoded in base58 imo as that is 128 bits and a private key is normally below 256 bits. If you had a 12 word passphrase, you'd still take up the same space as a private key (this is assuming you convert the words to numbers and remember what it's for - or leave a note).
legendary
Activity: 3024
Merit: 2148
Isn't this what bip38 was for? Anything password protected is as strong as the password and your ability to recall it.

If you've got a good password and can recall it well/know where it's written then yes - also you might want to note down the algorithm used to encrypt it as it might not be a cross platform thing - although bip38 ciphertext is represented by an initial U.

I'd choose password-protected seed over a password-protected QR code, because QR codes might have lower tolerance to data loss than the seed phrases, even with QR code's error correction. With seed words, you can still bruteforce your phrase if you lost a few words, and a loss of individual letters is not a problem, because it's easy to get the words from them. With QR codes, if there's too much damage, your key will be impossible to recover.
legendary
Activity: 1624
Merit: 2481
The idea behind encrypted QR codes is to remove the risk that anyone can scan it and access the info.

But again, a QR is just a representation of data.

You don't "encrypt a QR code". You encrypt information and then represent it as a QR code.
That's the same as encrypting a number and representing it in hex or binary or as characters. There is no difference. In the end, each data is binary.

If you encrypt the information, it is encrypted. Afterwards it doesn't matter whether you represent it as a hex string or as a QR code.


I don't know what exactly you want to accomplish, but the general flow would be:
  • Encrypt your information (e.g. private key, mnemonic code, ...)
  • Save the QR code
hero member
Activity: 2520
Merit: 952
Yes but it's more about security, mobile phones with cameras are not that hard to find/buy lol

This doesn't invalidate his statement: QR codes are just a form of encoding.

It doesn't matter whether you have something encrypted and then encoded into hex or encrypted and encoded into a QR.
The information stays the same, the data (which represents the information) changes.

Security-wise there is no advantage or disadvantage. It is just a different representation of the information (the secret, e.g. a private key).

I never invalidated his statement either, I quoted the specific part I was replying to.

The idea behind encrypted QR codes is to remove the risk that anyone can scan it and access the info.
legendary
Activity: 1624
Merit: 2481
Yes but it's more about security, mobile phones with cameras are not that hard to find/buy lol

This doesn't invalidate his statement: QR codes are just a form of encoding.

It doesn't matter whether you have something encrypted and then encoded into hex or encrypted and encoded into a QR.
The information stays the same, the data (which represents the information) changes.

Security-wise there is no advantage or disadvantage. It is just a different representation of the information (the secret, e.g. a private key).
hero member
Activity: 2520
Merit: 952
..It also adds a challenge since you have to now be able to read the QR code with another device with camera whereas reading plain text or raw data is so much simpler.

Yes but it's more about security, mobile phones with cameras are not that hard to find/buy lol
legendary
Activity: 3472
Merit: 10611
I don't see the significance of QR code here, QR is just another form of encoding data like hexadecimal or base64 but it creates a picture. It also has a checksum which you could have added to the string encoding too (like what base58 has). It also adds a challenge since you have to now be able to read the QR code with another device with camera whereas reading plain text or raw data is so much simpler.

Isn't this what bip39 was for?
I think you mean BIP-38
legendary
Activity: 3038
Merit: 4418
Depends on what you're storing. QR code has a limited size that could hinder whatever you're doing.

The effectiveness of this depends on what you're using to encrypt the information. The password has to be a random and non-guessable passphrase with sufficient length. The encryption algorithm should be one that is preferably slow and secure. I'll probably use AES as a cipher.

Ideally, if you were to put anything that you intend to keep as a secret in plain sight, you're just asking for it. It'll be the most secure if you deliberately keep it that way and not expose it around.

Try exploring steganography, it's definitely way more obscure than a QR code.
copper member
Activity: 2856
Merit: 3071
Isn't this what bip38 was for? Anything password protected is as strong as the password and your ability to recall it.

If you've got a good password and can recall it well/know where it's written then yes - also you might want to note down the algorithm used to encrypt it as it might not be a cross platform thing - although bip38 ciphertext is represented by an initial U.
hero member
Activity: 2520
Merit: 952
You could create a password-protected QR code with sensitive info, print, laminate and keep it wherever you like, you could even keep it in the open since no one would be able to access it without the password known to you.

What's your opinion on this?