Confusion when entering passphrase

The statement that it is strongly encouraged to use the generated mnemonic phrase confuses newcomers who don’t quite know that for accessing objects which were previously stored with an encryption phrase, that phrase needs to be entered to access those objects.

A better statement would be:

“If you are storing a particular object for the first time, it is strongly encouraged to use the generated mnemonic phrase. If the object is already stored and you are trying to access it, then you will need to enter the mnemonic phrase which was used when uploading that object.”

I agree. But let me bring up some additional points, as I believe the particular screen should be reworked. There are many ways this could be improved:

  1. Make sure the user has copied or downloaded the passphrase, by disabling the ‘next’ button until the user either has confirmed in a checkbox or pressed the copy or download button.

  2. Use colors. Simple red if something is missing or dangerous, green when everything is fine, e.g. once the copy button has been pressed it could turn green permanently.

  3. I thought it is common practice for a complicated passphrase that the user has to confirm it twice by entering and re-entering (either the full passphrase or specific characters or words from it), but what we see here is that he can enter a complicated passphrase only once and then proceed, but maybe he has mistyped his phrase and then loses access to his data. Well, this really does not look well thought out.

  4. To me it was not clear until I tried that generating a passphrase will be enough to be able to click next, meaning that the passphrase will be used without me expecting it. For me it would have been clearer if I generate a passphrase and then explicitly have to confirm that I am going to use it, for example by copying it into an input field.

  5. Pressing “generate passphrase” multiple times generates a new passphrase each time, which is fine, but why hide this feature? Make it clear that a user can click as many times as he likes to generate a passphrase that suits him.

  6. And yes, finally the wording. It is always hard to find the right balance between power users and novices.
    I am not a native English speaker so I will not make a suggestion for wording, but I would try to pass on the following information:

  • All uploaded data gets encrypted with a passphrase only the user knows.

  • Storj will never know this passphrase, never ask for it or be able to retrieve it or decrypt the data for the user.

  • Tell the user that below he has the choice between generating a secure passphrase or entering his own.

  • That he will not be able to access/download his uploaded data without the exact password he used when uploading.

  • Strongly encourage the user to write the passphrase down, use the copy or the download button and to store the password securely before clicking ‘next’.

  • The passphrase will only display once/this time and never again.

    That’s a lot of information but it is also a very crucial step in the entire workflow. I would strongly suggest that Storj reworks the entire thing to at least some extent.

  1. Maybe a plugin to password managers can be made so that they recognize the field and suggest to store the contents (I know LastPass can do that when you log into a site the first time)

  2. And maybe a last point: The expression ‘mnemonic phrase’ I have seen often related to crypto currencies/wallets but the function was different. There it is often used to recover a lost or forgotten password. So it should be made absolutely clear to the user that this passphrase is the one and only ‘chance’ for him to get access to his data later again (and that even creating an Access Grant will not help if he does not have the password).


The mnemonic phrase is a seed for deriving encryption keys. In wallets, a public/private key pair.
So, when they call it “recover” they are a little cunning. Your original wallet could be generated when you add a new account (generate the next private key from the phrase); it could be at attempt 1, 10 or 100, etc.
We use the mnemonic phrase or your specified phrase for exactly the same: to derive private keys.
But we could call it “recover” too.

I hope you understand that ALL of the suggestions will be shown every time you use the Objects browser (we don’t store either the encryption phrase or state).

How about “Enter the phrase to unlock your data”?

Yes technically.
I checked with my Atomic Wallet. There I have my password to enter and my passphrase to recover.

From such a habit a user might not be aware that there won’t be an option to create a different password for access any time later; not even a change will be possible.

Well technically, you could put information into tooltips, provide read more links or even link to information on the Storj website or YouTube tutorials. So it should be possible to gather some ideas about what to display and how to present it.

Yes, the password is used to encrypt local files (at least they claim so), where they store derived private keys.
We do not store either private keys or the mnemonic phrase, so there is no use for both. Your mnemonic/pass phrase is the only way to unlock your data.
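An added example, not part of the thread and not Storj's code: it shows why a key derived statelessly from the phrase makes a single typo unrecoverable, and how the "re-enter specific words" confirmation suggested in the thread could be checked client-side. The KDF choice (PBKDF2-HMAC-SHA256), the salt, the whitespace normalization and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import unicodedata

# Assumptions, not Storj's actual scheme: PBKDF2 parameters and a fixed salt.
SALT = b"constructed-project-salt"
ITERATIONS = 100_000

# Constructed sample phrases; TYPO differs from PHRASE in one word.
PHRASE = ("amber basket cobalt drift ember fossil "
          "glacier harbor island jungle kettle lantern")
TYPO = PHRASE.replace("harbor", "harbour")


def normalize(phrase):
    """NFKD-normalize and collapse whitespace so pasted spacing is harmless."""
    return " ".join(unicodedata.normalize("NFKD", phrase).split())


def derive_key(phrase, salt=SALT):
    """Derive a 32-byte key from the phrase alone; nothing is stored anywhere."""
    return hashlib.pbkdf2_hmac("sha256", normalize(phrase).encode("utf-8"),
                               salt, ITERATIONS)


def pick_challenge(phrase, count=3, rng=secrets.SystemRandom()):
    """Choose which word positions the user must re-enter before 'next'."""
    words = normalize(phrase).split()
    return sorted(rng.sample(range(len(words)), min(count, len(words))))


def confirm(phrase, positions, answers):
    """True only if every challenged word was re-entered exactly."""
    words = normalize(phrase).split()
    if len(positions) != len(answers):
        return False
    ok = True
    for pos, answer in zip(positions, answers):
        if not 0 <= pos < len(words):
            return False
        # Constant-time comparison; evaluate every word before deciding.
        ok &= hmac.compare_digest(words[pos].encode("utf-8"),
                                  normalize(answer).encode("utf-8"))
    return ok


if __name__ == "__main__":
    print("same key after re-spacing:",
          derive_key(PHRASE) == derive_key(PHRASE.replace(" ", "  ")))
    print("same key after one typo:  ", derive_key(PHRASE) == derive_key(TYPO))
    print("challenge positions:      ", pick_challenge(PHRASE))
```

Because the wrong key is as well-formed as the right one, nothing at derivation time can flag the typo; the confirmation step is the only point where it can be caught before data is uploaded under it.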