This repository has been archived by the owner on Nov 6, 2020. It is now read-only.

Recovery phrase not being fully displayed during account creation. #6581

Closed
DaleChristopher opened this issue Sep 24, 2017 · 7 comments
Labels
F3-annoyance 💩 The client behaves within expectations, however this “expected behaviour” itself is at issue. P2-asap 🌊 No need to stop dead in your tracks, however issue should be addressed as soon as possible.

@DaleChristopher

DaleChristopher commented Sep 24, 2017

I'm running:

  • Parity version: 1.7.0
  • Operating system: Windows 10
  • And installed: via installer
  • Tested using Edge Browser and Brave Browser

There is an issue during account creation regarding the recovery phrase issuance process. If Parity is displayed in a windowed browser or on a screen in portrait orientation where the window width is insufficient, the recovery phrase will be cut off (partially not displayed) due to the QR code image covering it.

The recovery phrase process provides a "copy to clipboard" button to obtain the phrase; however, if the user is "writing down" the phrase from what is displayed on the screen, it is possible for the user to write down an incomplete recovery phrase, possibly missing several (un-displayed) words, while still being able to paste the phrase from the clipboard into the confirmation field using "CTRL+V". This can result in the user being in possession of an incomplete recovery phrase if they rely on what is visually displayed for their own records.

Issues:

1. Recovery phrase not being fully displayed under all circumstances.

2. Confirmation of recovery phrase inadequate given the above issue.

Solutions:

1. Change how the recovery phrase is displayed so that the phrase is not partially covered by the QR code image regardless of a user's browser window width or zoom settings.

2. Change the recovery phrase confirmation process so that it better verifies the user has correctly obtained the recovery phrase. For example, removing the "copy to clipboard" function and/or disabling the ability to use "CTRL+V" to transfer the clipboard into the confirmation field, and/or issuing the recovery phrase as an image rather than clipboard text.

Further prompting the user to check they have written down 12 words may also be beneficial.

Visual example of issue: http://gph.is/2xqwOeq
Note how the recovery phrase words are covered by the QR code area, however the advisory text directly below the recovery phrase scales to fit in response to the width available.

On a personal note: I have unfortunately fallen foul of this issue myself and am in possession of a recovery phrase where 1 and a half words appear to be missing; as such, I cannot recover/access my account. I was unaware at the time that it was possible for words to be covered by the QR code, so I didn't think to count to ensure I had written 12 down and just wrote what was displayed on the screen. Anyone with any advice on who I might contact to help with this issue, please let me know in the comments. I imagine it may be possible for some basic script to be created to brute force the missing word/s, but from my rough estimates the possible combinations are between 100k and 60 million.

I believe it is important to address this issue swiftly, as it's possible many Parity users may currently be in possession of incomplete recovery phrases due to the issues outlined above. Any correction of these issues would also need to be accompanied by an attempt to alert all users to double check that they have a full recovery phrase in their possession.

@5chdn
Contributor

5chdn commented Sep 25, 2017

It's impossible to create an account without knowing the full phrase.

> Further prompting the user to check they have written down 12 words may also be beneficial.

That's exactly what Parity does before creating the account. Can you verify you are really on version 1.7.0?

@5chdn 5chdn added the Z1-question 🙋‍♀️ Issue is a question. Closer should answer. label Sep 25, 2017
@DaleChristopher
Author

DaleChristopher commented Sep 25, 2017

Yer, I'm on 1.7.0. The account was created in a prior version, however the issue still exists. I must have used the "copy to clipboard" button to transfer the phrase to the second confirmation field; however, I backed up the phrase using pen and paper, relying on what is being visually displayed, as well as taking a screenie and saving it on a USB for safe keeping.
Saving it as a text file copied using the copy to clipboard button would no doubt have been the way to go, but as it is, I only have a pen & paper copy of the phrase and a backup screenshot in case I made any mistakes while writing it down. There's not really any indication that what is visually displayed may not be the entirety of the phrase. Indeed, other text on the recovery phrase issuance page adjusts to fit the width, whereas the recovery phrase itself can be hidden under the QR code area.

Using the copy button to obtain the phrase for the second confirmation field and using "CTRL+V" to transfer it there while using a pen+paper to create the actual phrase backup from what is (partially) visually displayed is one of the potential pitfalls here.

(I forgot about that confirmation step so I will adjust the issue report to better underline the problem.)

@tomusdrw
Collaborator

On the confirmation step it's not possible to paste the recovery phrase (you need to actually type it) on non-test networks.
Are you suggesting that you could actually paste the phrase? What browser are you running?

@5chdn
Contributor

5chdn commented Sep 26, 2017

I'm able to CTRL+V it on any network with Chromium/Linux.

@DaleChristopher
Author

@tomusdrw,
Hi ^_^, it is indeed possible for me to paste the copied clipboard text into the confirmation field using CTRL+V. I believe this is correct on the current version of the Microsoft Edge browser and also the Brave browser, on the mainnet.

@5chdn 5chdn added F3-annoyance 💩 The client behaves within expectations, however this “expected behaviour” itself is at issue. M7-ui P2-asap 🌊 No need to stop dead in your tracks, however issue should be addressed as soon as possible. and removed Z1-question 🙋‍♀️ Issue is a question. Closer should answer. labels Sep 27, 2017
@AyushyaChitransh

Pardon me if I am late to address the issue, as I see that fix has already arrived. But I really like to have that ability to paste the code. And I think most developers need to create new parity test wallets every now and then, and would prefer to be able to paste the code.

To address the issue of users having missed part of recovery code by viewing, we can provide a download option, which would put the code in a file and make it available to be downloaded. Would that be sufficient?

@5chdn
Contributor

5chdn commented Sep 29, 2017

> Pardon me if I am late to address the issue, as I see that fix has already arrived. But I really like to have that ability to paste the code. And I think most developers need to create new parity test wallets every now and then, and would prefer to be able to paste the code.

If you are a developer, just set allYourBaseAreBelongToUs true in local storage. :octocat: b565108#diff-c3b306c9e26b82caff87d668e0502423R227

If you are not a developer, you certainly want to write down the full phrase or print it out.

> To address the issue of users having missed part of recovery code by viewing, we can provide a download option, which would put the code in a file and make it available to be downloaded. Would that be sufficient?

You still can copy it. And "download" it, but I would strongly advise against doing this. The recovery phrase is not protected by a password and therefore should only be kept offline.
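
The confirmation-step policy discussed in this thread (no paste outside test networks unless the developer flag is set, plus a 12-word count check), sketched as an added example that is not Parity's own code. The function names, the assumption that the flag is stored as the string 'true', and the sample phrase are all constructed for illustration.

```javascript
// Added illustration, not Parity's code. Only the flag name comes from the
// thread; function names and the 'true' string encoding are assumptions.
const DEV_FLAG = 'allYourBaseAreBelongToUs';
const EXPECTED_WORDS = 12;
// Constructed sample phrase (not a real wallet phrase).
const SAMPLE = 'alpha bravo charlie delta echo foxtrot golf hotel india juliet kilo lima';

// Paste is allowed only on test networks or when the developer flag is set.
// `storage` is anything with getItem(), e.g. window.localStorage.
function pasteAllowed(storage, isTestnet) {
  if (isTestnet) return true;
  try {
    return storage.getItem(DEV_FLAG) === 'true';
  } catch (err) {
    return false; // storage blocked or unavailable: fail closed
  }
}

// Handler for the confirmation field's "paste" and "drop" events.
function makePasteGuard(storage, isTestnet) {
  return function onPaste(event) {
    if (pasteAllowed(storage, isTestnet)) return true;
    event.preventDefault(); // force the user to type what they recorded
    return false;
  };
}

// Assumption: words are separated by whitespace.
function splitWords(phrase) {
  return phrase.trim().split(/\s+/).filter(Boolean);
}

// Compare the typed phrase with the generated one, counting words first so a
// truncated backup is reported as such rather than as a generic mismatch.
function checkConfirmation(generated, typed) {
  const want = splitWords(generated);
  const got = splitWords(typed);
  if (want.length !== EXPECTED_WORDS) {
    return { ok: false, reason: `generated phrase has ${want.length} words` };
  }
  if (got.length !== EXPECTED_WORDS) {
    return { ok: false, reason: `expected ${EXPECTED_WORDS} words, got ${got.length}` };
  }
  const bad = want.findIndex((word, i) => word !== got[i]);
  return bad === -1
    ? { ok: true, reason: null }
    : { ok: false, reason: `word ${bad + 1} does not match` };
}
```

In a browser the guard would be attached to the confirmation input for both `paste` and `drop` events, with `window.localStorage` passed as `storage`.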

gavofyork pushed a commit that referenced this issue Oct 3, 2017
* Fix disallowing paste of recovery phrase on first run, ref #6581

* Allow the leader of CATS pasting recovery phrases.
arkpar pushed a commit that referenced this issue Oct 9, 2017
* Fix disallowing paste of recovery phrase on first run, ref #6581

* Allow the leader of CATS pasting recovery phrases.
arkpar added a commit that referenced this issue Oct 9, 2017
* Fix wallet view (#6597)

* Add safe fail for empty logs

* Filter transactions

* Add more logging

* Fix Wallet Creation and wallet tx list

* Remove logs

* Prevent selecting twice same wallet owner

* Fix tests

* Remove unused props

* Remove unused props

* Disallow pasting recovery phrases on first run (#6602)

* Fix disallowing paste of recovery phrase on first run, ref #6581

* Allow the leader of CATS pasting recovery phrases.

* Updated systemd files for linux (#6592)

Previous version put $BASE directory in root directory.
This version clearly explains how to run as root or as specific user.

Additional configuration:

* send SIGHUP for clean exit,

* restart on fail.

Tested on Ubuntu 16.04.3 LTS with 4.10.0-33-generic x86_64 kernel

* Don't expose port 80 for parity anymore (#6633)
@5chdn 5chdn added this to the 1.9 milestone Jan 5, 2018