Bitcoin Forum

Bitcoin => Development & Technical Discussion => Topic started by: joecascio on June 28, 2013, 04:45:34 AM



Title: Best practice for passphrase protection?
Post by: joecascio on June 28, 2013, 04:45:34 AM
I'm building out the collateralized ID prototype (http://joecascio.net/joecblog/2013/03/25/collateralized-identity-using-bitcoin-to-suppress-sockpuppets/), which needs to be able to sign messages using the bitcoin-jsonrpc function of Bitcoin-Qt.

In order to sign a message you need to issue the "walletpassphrase" command, with the passphrase as the first arg and the timeout as the 2nd.

Now, I'm obviously concerned about putting the passphrase in a file where its path could be sniffed out in the Django settings file, etc., and stolen. So is the best practice to actually pop up a form and have the user input the passphrase? Then you'd still have to worry about keyloggers, but that's the limit.

Any advice gratefully accepted.
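As an added example (not code from the post or from the Bitcoin project), one way to handle the pattern the question describes: take the passphrase from the user at the moment of signing rather than from a settings file, unlock with walletpassphrase for only a few seconds, sign, and call walletlock immediately instead of relying on the timeout. The RPC transport is injected as a callable, so the unlock/sign/lock logic can be exercised without a running Bitcoin-Qt; the URL, credentials and address values are assumptions.

```python
import base64
import getpass
import json
import urllib.request
from typing import Callable, List

# Added example, not from the original post. `rpc_call(method, params)` is
# assumed to perform one JSON-RPC call against Bitcoin-Qt and return "result".
RpcCall = Callable[[str, list], object]


def sign_with_short_unlock(rpc_call: RpcCall, address: str, message: str,
                           passphrase: str, timeout_seconds: int = 5) -> str:
    """Unlock for a few seconds, sign one message, then re-lock at once.

    The passphrase lives only in this function's arguments: it is never
    written to disk or logged. walletpassphrase, signmessage and walletlock
    are the Bitcoin-Qt RPC methods used for this sequence.
    """
    if timeout_seconds <= 0 or timeout_seconds > 60:
        raise ValueError("unlock window should be a few seconds, not long-lived")
    rpc_call("walletpassphrase", [passphrase, timeout_seconds])
    try:
        return rpc_call("signmessage", [address, message])
    finally:
        # Lock as soon as the signature exists; do not wait for the timeout,
        # and lock even if signmessage raised.
        rpc_call("walletlock", [])


def redact_rpc_log(method: str, params: List) -> str:
    """Render an RPC call for debug logs with the passphrase argument masked."""
    shown = list(params)
    if method == "walletpassphrase" and shown:
        shown[0] = "<redacted>"
    return json.dumps({"method": method, "params": shown})


def prompt_and_sign(rpc_call: RpcCall, address: str, message: str) -> str:
    """Interactive path: read the passphrase from the terminal, never a config file."""
    return sign_with_short_unlock(rpc_call, address, message,
                                  getpass.getpass("Wallet passphrase: "))


def http_rpc_transport(url: str, user: str, password: str) -> RpcCall:
    """Minimal JSON-RPC-over-HTTP transport with basic auth (how Bitcoin-Qt's RPC is reached)."""
    auth = base64.b64encode(f"{user}:{password}".encode()).decode()
    def call(method: str, params: list):
        body = json.dumps({"jsonrpc": "1.0", "id": "sign", "method": method, "params": params}).encode()
        req = urllib.request.Request(url, data=body, headers={
            "Authorization": "Basic " + auth, "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            reply = json.load(resp)
        if reply.get("error"):
            raise RuntimeError(reply["error"])
        return reply["result"]
    return call
```

Typical use: `prompt_and_sign(http_rpc_transport("http://127.0.0.1:8332", "rpcuser", "rpcpass"), "<address>", "<message>")`, with the RPC credentials (not the wallet passphrase) being the only secret that has to live in configuration.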