I have mostly used Anytype on my PC but lately, I have had more reason to access it as well from my cell phone. Upon opening it up I find that the program only asks you for your Security Phrase or a QR code you scan. Both are something you obviously have if the account is yours. But it got me thinking about the Security Phrase and the unease set in.
Thankfully, I spoke with Alex and they helped put me on the right path for learning a bit more about the system.
First, my initial concern was this, because I just didn't know how complex the system is. I know that a security phrase is 12 words and I know 12 potential words from my own security phrase. Theoretically, someone could guess using just those words in different combinations and potentially obtain access to potentially multiple other accounts; there would be nothing keeping someone from doing that.
However, the likelihood goes down significantly because of two reasons, if I am understanding this correctly.
- Hopefully, the same word is able to be used multiple times in the security phrase instead of each entry requiring a unique entry. This alone with just 12 words and 12 entries in the phrase makes it 8,916,100,448,256 potential combinations.
- The other key thing is that the list of available words is more than 12. If it is using a similar library of words like what I found (the BIP39 Security Phrase List), then it is 2048 words to the 12th power, that is 5,444,517,870,735,015,415,413,993,718,908,291,383,296 potential combinations your security phrase could be.
This puts my mind at ease a bit, but even as silly as it might be there is a small part of me that kinda wishes there was some sort of optional two-factor. I still feel as if it is somewhat a case of Security Through Obscurity which I feel is a great first measure but a lot of people hope to win the lottery one day too with terrible odds, there is still that astronomic potential.
Without adding a big password or anything I feel like just requiring your security phrase and maybe something like your username. So then it would be a case that someone would need to identify a viable combination for an account and then associate it with the specific username that the phrase’s account belongs to. At that point, if they are capable of that I don’t think they weren’t finding a way in either way.
I’m probably just being silly and perhaps I’m missing something else, in which case I’d love to learn more. Either way, I would like to thank Alex for taking the time to respond to my concern about it in the first place, and hope that this could spark a bit of conversation on the topic and help anyone else curious about it in the future.
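The two counts from the post above, worked through as an added Python example (not code from the original post or from Anytype). It assumes a BIP39-sized list of 2048 words, as the poster did, and the guess rate of one billion guesses per second is an assumption used only to turn a count into a rough exhaustive-search time.

```python
"""Key-space arithmetic for a 12-word security phrase (added example)."""
import math
from typing import NamedTuple


class KeySpace(NamedTuple):
    combinations: int
    entropy_bits: float
    years_to_exhaust: float


def keyspace(wordlist_size: int, slots: int, repetition: bool = True,
             guesses_per_second: float = 1e9) -> KeySpace:
    """Count the phrases a guesser would have to try in the worst case.

    repetition=True:  each of `slots` positions may hold any of the
                      `wordlist_size` words independently (n ** k).
    repetition=False: every word may appear only once (n! / (n - k)!).
    guesses_per_second is an assumed rate, not a measured one.
    """
    if repetition:
        combinations = wordlist_size ** slots
    else:
        if slots > wordlist_size:
            raise ValueError("not enough distinct words for the phrase")
        combinations = math.perm(wordlist_size, slots)
    entropy_bits = math.log2(combinations)
    seconds = combinations / guesses_per_second
    years = seconds / (365.25 * 24 * 3600)
    return KeySpace(combinations, entropy_bits, years)


# The three cases discussed in the post: only the 12 words of one known
# phrase (with and without repeats), and a full 2048-word list.
SCENARIOS = {
    "12 known words, no repeats": (12, 12, False),
    "12 known words, repeats allowed": (12, 12, True),
    "BIP39-sized list (2048 words)": (2048, 12, True),
}


def summarize() -> dict:
    return {name: keyspace(n, k, rep) for name, (n, k, rep) in SCENARIOS.items()}


if __name__ == "__main__":
    for name, ks in summarize().items():
        print(f"{name}: {ks.combinations:,} phrases, {ks.entropy_bits:.1f} bits, "
              f"~{ks.years_to_exhaust:.3g} years at 1e9 guesses/s")
```

The entropy figure is the number that matters for comparison: the 12-known-words case is about 43 bits, which a fast guesser exhausts in hours, while the 2048-word list gives 132 bits before any other protection is considered.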