Bitcoin Forum
Author Topic: Blockchain Wallet API: Generating New Address and Second Password  (Read 2506 times)
buffett (OP)
December 15, 2013, 02:20:12 PM
Last edit: December 15, 2013, 04:41:24 PM by buffett
 #1

Hi,

I do not know if this is the right forum, but I submitted here anyway...

I'm developing a web application integrated with the Blockchain wallet API. The application needs to generate a new address automatically for each order. Your wallet API offers creating new addresses (which is great), but the problem is that it requires the second password to proceed. It means developers need to write the second password in their script, which I think is not a very wise decision. The second password should only be needed for transactional (sending BTC out of the wallet) and account management actions (changing email/password). Generating new addresses is surely not one of them. Hackers can do no harm by generating new addresses. The most important thing is that the wallet balance is safe when the main password is compromised. Forcing applications to send the second password to generate a new address increases the chance for hackers to find the second password and gain full control of the wallet.

Please consider removing the second password for generating new addresses. Most ecommerce applications need to generate addresses automatically without risking that their second password will be stolen by a hacker when their servers are compromised. The second password should be held safely by the wallet's owner and only be needed when making outgoing transfers.

Thanks.
microlavka
December 15, 2013, 03:50:55 PM
 #2

No password required
buffett (OP)
December 15, 2013, 04:34:56 PM
 #3

Quote:
No password required

I'm pretty sure a password is required.

Code:
curl "https://blockchain.info/merchant/{identifier}/new_address?password={mypassword}&label=test"
{"error":"Second Password Incorrect"}

Maybe you've mistaken it for the Blockchain Receive Payments API, which can be used without an account. What I'm referring to is the Blockchain Wallet API.
piuk
December 19, 2013, 11:44:54 PM
 #4

Unfortunately this isn't possible with our current setup. The newly generated address needs to be encrypted with the second password before it can be inserted into the wallet. It would be possible to leave the key unencrypted and encrypt it on next login but that feature is not available at the moment.

sampathneo
December 22, 2013, 05:34:27 AM
 #5

Quote:
No password required

Yes, of course, no password is required to create a new receiving address.
sampathneo
December 22, 2013, 05:35:39 AM
 #6

Here are the official API docs, you should read them: https://blockchain.info/api/api_receive
Abdussamad
December 22, 2013, 07:56:09 AM
 #7

Quote:
Hi,

I do not know if this is the right forum, but I submitted here anyway...

I'm developing a web application integrated with the Blockchain wallet API. The application needs to generate a new address automatically for each order. Your wallet API offers creating new addresses (which is great), but the problem is that it requires the second password to proceed. It means developers need to write the second password in their script, which I think is not a very wise decision. The second password should only be needed for transactional (sending BTC out of the wallet) and account management actions (changing email/password). Generating new addresses is surely not one of them. Hackers can do no harm by generating new addresses. The most important thing is that the wallet balance is safe when the main password is compromised. Forcing applications to send the second password to generate a new address increases the chance for hackers to find the second password and gain full control of the wallet.

Please consider removing the second password for generating new addresses. Most ecommerce applications need to generate addresses automatically without risking that their second password will be stolen by a hacker when their servers are compromised. The second password should be held safely by the wallet's owner and only be needed when making outgoing transfers.

Thanks.

If you are worried about security, look into generating addresses using Electrum MPK. Your private keys will never touch the web server and it'll be much more secure than relying on a third party. There are a few implementations that you can refer to:

https://github.com/prusnak/addrgen

http://wordpress.org/plugins/bitcoin-payments-for-woocommerce/
