Seed Enigma™ is callable from the System Safety Functions tab. If you have a random seed phrase, for example from a cryptocurrency wallet or a USB stick, you face the task of storing it completely safely. The official recommendation is to write it on paper and put that in a safe. But safes are often visited by multiple family members, and some safe models are fairly easy to open or even to carry away. What's more, a safe always attracts the attention of thieves. If somebody gets hold of your paper, you lose all the money in your wallet, and, worse than with fiat currency, it's nearly impossible to trace where the crypto money went. It's a sad fact: first people are clever and create a very secure wallet, and then the easily accessible password spoils everything. What can you do?
Mighty Desktop's answer: encode your seed phrase with a password that lives only in your brain. It doesn't have to meet the highest security standard in the world. A simple encryption is enough for this special case, because the number and skill of the possible thieves is far smaller than what a computer connected to the internet faces, which has to fight the whole world. Even a modest encryption is much better than storing the seed in plain text. The more effort a thief needs to invest, the less likely s/he will even think about cracking it. This is where Seed Enigma™ steps in. It works in analogy to the Enigma machine of the Second World War:
That machine was used successfully to transmit messages from headquarters to the troops. It is still a quite good method of protection against not very sophisticated attackers.
This is how it works:
1. Have your seed phrase written on a piece of paper. Note: a key to the security is that it must never be stored on a computer in one piece in plain text.
2. Below the seed phrase, write a secret phrase that you remember very well, so that each of its letters sits below one letter of the seed. Write all letters in lowercase. If your secret phrase is shorter, just repeat it until there is one secret letter under each seed letter. Blanks are simply skipped.
Now each seed letter is rotated by the alphabet position of the secret letter below it, i.e. a=1, b=2 and so on. The dialog makes this very easy:
3. Pick one of the letters of your seed at random and click on the corresponding letter in the area 'Seed Letter'.
4. Press the secret letter that is written below that seed letter in the area 'Secret Letter'. The resulting letter is displayed while the pointer button is held down. As soon as you let go, the result disappears. This reduces the chance of a screenshotting app catching it.
5. Press some random letters in the areas 'Seed Letter' and 'Secret Letter' to confuse any screenshotting or click-catching apps.
6. Optionally, press the button 'Permute' to rearrange the letter images and confuse watchers.
Repeat steps 3 to 5 until you have completely encoded your seed phrase.
You can also use the right mouse button, or type keys on the keyboard, instead of clicking. It is best to mix typing and clicking, because two different input channels are much harder to observe than one. But never do more than 50% by typing!
This system can be used to encode and decode any secret phrase containing only lowercase letters, for example recovery phrases. If you know that the first character of each word is always a capital letter, you can still use it by simply treating that character as a lowercase letter.
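The manual procedure above written out as Python functions, added here so you can check a hand-encoded result; this is example code, not Mighty Desktop's own. It assumes the shift is the secret letter's alphabet position (a=1 ... z=26), that blanks keep their place and use up no secret letter, and that the secret phrase is repeated as often as needed; the seed and secret used in the comments are constructed.

```python
import string

ALPHABET = string.ascii_lowercase  # the 26 letters Seed Enigma works with


def _key_stream(secret: str):
    """Yield the secret phrase's letters over and over, skipping blanks and
    anything else that is not a letter (the secret is written in lowercase)."""
    letters = [c for c in secret.lower() if c in ALPHABET]
    if not letters:
        raise ValueError("the secret phrase must contain at least one letter")
    while True:
        yield from letters


def _shift(letter: str, secret_letter: str, direction: int) -> str:
    # The shift is the secret letter's position in the alphabet: a=1 ... z=26.
    # direction +1 encodes, -1 decodes; the alphabet wraps around after z.
    amount = ALPHABET.index(secret_letter) + 1
    return ALPHABET[(ALPHABET.index(letter) + direction * amount) % 26]


def _transform(text: str, secret: str, direction: int) -> str:
    keys = _key_stream(secret)
    out = []
    for c in text.lower():  # capitals are treated as lowercase, as described above
        if c in ALPHABET:
            out.append(_shift(c, next(keys), direction))
        else:
            # Blanks keep their place and do not use up a secret letter.
            out.append(c)
    return "".join(out)


def encode_seed(seed: str, secret: str) -> str:
    """Encode a seed phrase with the secret phrase (same result as on paper).
    Constructed sample: encode_seed("abandon ability", "key") -> "lgzyiny fatqhed"."""
    return _transform(seed, secret, +1)


def decode_seed(encoded: str, secret: str) -> str:
    """Reverse encode_seed with the same secret phrase."""
    return _transform(encoded, secret, -1)
```

Note that a secret letter z shifts by 26, which leaves the seed letter unchanged, so a secret phrase made only of z's would encode nothing.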
What about the security concerns: shouldn't a seed phrase never come into contact with a computer? Not necessarily. What you want to avoid is a spying app listening to pressed keys, copying the full seed out of the clipboard or a text box, or taking a screenshot of the whole seed. With Seed Enigma's system this is nearly 100% guaranteed. How does it guarantee that?
- Seed Enigma™ uses images for the letters, not buttons, text labels or text boxes. Any spying app that reads out controls would fail miserably.
- The images of the letters are ordered randomly and rearranged every time the window is displayed. You can also trigger this with a button press.
- No key is pressed; only the mouse is clicked on a portion of the screen. Because the letter images change their positions frequently, a spying app cannot find out which letter you pressed just by logging pointer positions. And it cannot simply ask for the text of a button, because the letter is represented by an image. It would have to do OCR (Optical Character Recognition), which is further disturbed by the pointer image overlaying the letter.
- The displayed image object stores no hint of the letter it shows. This information is hidden inside Mighty Desktop.
- Mighty Desktop is an obfuscated application, which means that anyone wanting to peek into it would find it quite hard and time consuming.
- A screenshotting app could see which image you click and read the letters visually. To counteract this, you don't encode your seed linearly from left to right but in random order (see step 3). Secondly, pressing several irrelevant letters between the real ones confuses the screenshotting app. Thirdly, the resulting letter's image is displayed only very briefly, which makes it nearly impossible for a screenshotting app to capture all of the letters.
In summary, it's nearly impossible for a spying app to get your decoded seed. The combined probability of all these factors is extremely small, because all of the following would have to hold at once:
- An undetected screenshotter is running on your computer while you have a good, up-to-date antivirus solution active (see the 'Test Antivirus' function).
- The screenshotter is not detected indirectly by the high processor load it would cause (just open Mighty Desktop's Process List, push 'Refresh' and check the column '%').
- The screenshotter is not detected by sending a large amount of data over the internet (it needs either a lot of processing power, a lot of disk space or a lot of bandwidth, but it needs one of them).
- The screenshotter is extremely lucky and catches all of your decoded letters.
- The screenshotter can magically distinguish the real letters from the fake ones.
- The screenshotter can somehow figure out the correct order of the real ones. Compare that with the risk of your seed lying around in plain text in an insecure safe that family members have access to.
What are the advantages of this system:
- It adds an additional layer of protection to your wallet.
- Only your brain, and no one else's, will be able to decode the seed and access the wallet or device.
- The seed is personalized, so only those who know the secret password can access it.
- You are not dependent on Mighty Desktop. You can perform exactly the same procedure on a piece of paper.
- You can choose to store the encoded version in a standard software password safe such as KeePass or LastPass. This has the advantage of being transportable: just put it on a USB stick or your smartphone. Be aware that there is a minimal risk that the encoded seed is caught by a keyboard logger while you type it into the password safe. But in a system with a healthy virus scanner this probability is tiny. Consider this: if this probability were high, every other password in the password safe would be endangered too, for example your bank accounts, credit cards, safe combinations and so on, and nobody would use a password safe anymore.
In case you don't have time for the whole security procedure, there is a second option in Seed Enigma™: you can encode or decode the whole seed phrase at once by entering it in a field. We strongly advise against this. It should only be used if a) you are in a hurry or b) you intend to change the seed phrase shortly afterwards.
What you should know about it:
- This encoding is cryptographically not very hard to crack. It will not withstand a sophisticated attack with large computing power, so protect the encoded version the same way as you would your plain text seed. It is still tremendously better than no protection.
- The secret phrase you used must never be forgotten. Seed Enigma™ can't help you if you don't remember it.
- If an attacker knows both the original seed and the encoded version, he can calculate your secret phrase back from them. So be sure to completely destroy the plain text seed after encoding, for example by shredding, burning or flushing it down the toilet. Note that trash cans are an open book for spies.
- If you want to be extremely safe, don't use the master password of your password safe application as your secret phrase. Even deriving the secret phrase from your master password, by appending something or similar, is not recommended. Choose a completely different secret passphrase. You can still store this passphrase inside your personal password safe program.
- Copying anything to the clipboard is a big risk! It's quite easy for a program on your system to listen to the clipboard. See also the function 'Flush Clipboard'.
- The width of the 'Result' field is intentionally limited so that a spy can't see the whole result at once.
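The third point above, that a plain text seed left next to its encoded version gives the secret phrase away, shown as an added Python example (not Mighty Desktop's own code): each encoded letter is just the seed letter plus the secret letter's alphabet position (a=1 ... z=26) mod 26, so the secret letters fall out by subtraction, and the repeated key stream collapses back to the phrase. The seed and encoded seed used as sample input are constructed.

```python
import string

ALPHABET = string.ascii_lowercase


def recover_key_stream(seed: str, encoded: str) -> str:
    """Return the secret letter that was used under each letter of the seed."""
    plain = [c for c in seed.lower() if c in ALPHABET]
    cipher = [c for c in encoded.lower() if c in ALPHABET]
    if len(plain) != len(cipher):
        raise ValueError("seed and encoded seed must have the same number of letters")
    stream = []
    for p, c in zip(plain, cipher):
        # Undo the shift: the difference mod 26 is the secret letter's position
        # (a=1 ... z=26); a difference of 0 means the secret letter was z.
        shift = (ALPHABET.index(c) - ALPHABET.index(p)) % 26
        stream.append(ALPHABET[(shift - 1) % 26])
    return "".join(stream)


def shortest_period(stream: str) -> str:
    """Collapse the repeated key stream to the shortest phrase that reproduces it
    (the last repetition may be cut off, as when the seed is longer than the secret)."""
    for n in range(1, len(stream) + 1):
        candidate = stream[:n]
        if all(stream[i] == candidate[i % n] for i in range(len(stream))):
            return candidate
    return stream


def recover_secret(seed: str, encoded: str) -> str:
    """Secret phrase (without blanks) from a seed and its encoded version."""
    return shortest_period(recover_key_stream(seed, encoded))


# Constructed sample pair: this seed fragment was encoded with the secret "key".
SAMPLE_SEED = "abandon ability"
SAMPLE_ENCODED = "lgzyiny fatqhed"

if __name__ == "__main__":
    print(recover_secret(SAMPLE_SEED, SAMPLE_ENCODED))  # key
```

The recovered phrase has no blanks and no capitals, since the scheme never encodes them, but it decodes the seed all the same, which is why the plain text copy has to go.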