Lisk-sdk: Provide a setting to disable BIP39 passhrase enforcement.

I could be wrong, but isn't BIP39 only enforced in the client? Couldn't you still use the API to generate and access other accounts?

Yes, BIP39 is only enforced in the UI. The API accepts any kind of passphrase up to 100 chars.

I could be wrong, but isn't BIP39 only enforced in the client? Couldn't you still use the API to generate and access other accounts?

Yes, I understand this. You can use the API to work with account numbers or you could sign your own transactions and publish them through the API if this is what you desire to do.

However, consider the case where someone manages an application that uses a secure RNG stream generator for seed creation. If a customer has a problem and you need to inspect the transactions associated with one of these accounts, it would be nice to be able to export the seed and then manually enter it into the main Lisk client for further research.

Without the ability to turn off BIP39 enforcement, you have to roll your own tools to manage your non-compliant seeds. If you can hash your own valid addreses, you can probably create your own management tool. Regardless, that doesn't mean that it wouldn't be beneficial to inspect an account and potentially send funds from the account via the official Lisk client.

well there is a conflict here, between handling good practice for the user and security handeld by third part. I would not remove it. However we could provide some mechanism to toggle it on request like.

https://login.lisk.io/login?bip39check=0

what do you think @MaxKK ?

@fix,

To be clear, I am not requesting that BIP39 be removed; just provide an option for it to be turned off. Once Lisk is installed, an admin should have to open a config file and add a line like:

bip39-checks-disabled:true

...or something to that affect. If a user can navigate to the config directory and modify the file as such, they should be smart enough to not create ridiculously simple passwords. This is a feature for the top 5% of competent users.

Regarding your mention of adding a parameter to the login page, I personally like the idea but that is rather less "secure" than my approach. Attackers could pass a link around to new users and hope they create accounts that could be searched via rainbow tables.

I'm a little hard on my expectations of my users regarding security and self-policing their own behavior but if Lisk wants to makes sure that BIP39 will protect the more naive of users, I don't think that such a parameter on the login URL is a good idea.

you mean you would do that on your own server not accessible to public so no hacker would pass your url around to trick people?

The only viable option I see is that a user can switch into "Expert Mode" in the config.json. Then more elaborated features will become available/visible. E.g. that users can use any passphrase.

But I would say there are definitely more important items on our task list at this moment.

Maybe also add to the UI, a warning if expert mode is on too

You mean add the switch to the UI or only the warning? I think the expert mode would have a slightly different design (other colors). However, nothing for today. Maybe around end of the year when there are enough things to integrate into this expert or developer mode.

There's a reason for bip39 though, and those 12 words are not so random, they include checksum/parity words at the end, so not just any random phrase is valid. If you were to use a random 12-word phrase that was non-bip39-compliant, or just a random password of alpha/special chars then it may actually not generate a valid pubkey or it could trigger internal checksum failures/warnings. These specific internal checks could be disabled probably, but if you generated an invalid pubkey you may be burning any funds you try to send there, so you would definitely want to test for and be aware of that possibility.

@MaxKK I see another reason disable BIP39 on demand: when the passphrase was created on some OS and upgraded libraries does not recognise as BIP32 (for instance the IE cases). I expect this issue poping up from time to time

@rhartness have you considered developing your own LISK client. It sounds that your environment would yield many specific use cases that lisk-ui definitely won't fix

Closing as out of context for lisk core, as we will also soon decouple and discontinue lisk-uiin favour of a new client.