Why can anyone with a link to the credential add it

Hey everyone, so tbh I don’t know much about Blockcerts, but my school used it for high school diplomas, and before graduation they asked us to make accounts (or passphrases) and then add the school as issuer. I did that and noted down my phrase, but I lost my cell phone and I had to log in to the app. First I tried many times with the passphrase I wrote down, but it gave an error saying that it was an invalid or incorrect passphrase. But after checking the passphrase through the BIP39 word list and everything, I got a passphrase that let me access the account. But when I entered, I was surprised that there was no issuer there already added. I tried to open the URL link to import my credential and it worked, and I got my credentials imported.

Then, just to confirm that it was my account and I did not accidentally log into someone else’s account, I got another mobile phone, downloaded the app, made a passphrase and, without adding any issuer, added a credential directly from the URL, and it went through. So how is it safe like this? This means anyone who has the URL can add it. And something that is bothering me so much is how this is secure. I mean, if you go to Ian Coleman’s BIP39 tool and start messing around, you can literally generate working passphrases that give access to valid wallets. Sure, it’s almost always just random wallets with nothing inside, but the fact that you can technically stumble upon a real one makes it feel insecure.

Another thing: now I feel very paranoid that the first account I added my credentials into was not mine and now my credentials are in someone else’s wallet/account, so can you delete credentials from an account?

Hi,

Your post covers many unformulated questions, so I’ll try to hopefully address most of your concerns.

it gave an error saying that it was an invalid or incorrect passphrase, but after checking the passphrase through the BIP39 word list and everything, I got a passphrase that let me access the account

This is a bit unclear. A passphrase is a seed used to generate a key pair, of which the public key then gets derived to a bitcoin address.
I’m not sure if you are reporting a bug. When you say you managed to get a passphrase with a BIP-39 generator, was it any passphrase, or was there a missing character or something with the passphrase you had written down, and that website helped you recover the missing bit?

Nonetheless, I haven’t extensively tried the wallet’s generator, but I’m surprised you’d have an error manually entering a phrase. Did you try to import a file or enter it manually with the keyboard?

I was surprised that there was no issuer there already added

The passphrase recovers the public key, but not the account history, which is not backed up anywhere (cloud or local) and only exists on your phone while the app is installed. Having to re-import your credentials is the expected way when re-installing the app.

I tried to open the URL link to import my credential and it worked, and I got my credentials imported. Then, just to confirm that it was my account and I did not accidentally log into someone else’s account, I got another mobile phone, downloaded the app, made a passphrase and, without adding any issuer, added a credential directly from the URL, and it went through

The wallet is supposed to check the ownership of the recipient’s public key, so what you are describing could be a bug I’d need to take a look at.

Ian Coleman’s BIP39 tool and start messing around, you can literally generate working passphrases that give access to valid wallets. Sure, it’s almost always just random wallets with nothing inside, but the fact that you can technically stumble upon a real one makes it feel insecure.

I’m fuzzy on the details and by no means an expert, but I think the randomness is high enough that the whole bitcoin ecosystem works on this system. The key takeaway is:

  • 256 bits = 2²⁵⁶ possible combinations.
  • ≈ 1.16 × 10⁷⁷ possibilities.
  • Even if you had the fastest supercomputer guessing 10¹⁸ seeds per second, it would still take longer than the age of the universe to brute-force a single 24-word phrase.

so can you delete credentials from an account

You can ask your school to revoke and re-issue a credential.
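As an added illustration (not code from this thread or from the Blockcerts wallet), here is the BIP-39 checksum step that decides whether a written-down phrase is accepted at all, plus a count of how many choices of the final word pass for a given prefix, which is why a word-list tool can "recover the missing bit" yet a phrase with a typo is rejected. The wordlist below is a constructed stand-in; a real wallet uses the official 2048-word English list, and the algorithm is otherwise the same.

```python
import hashlib

# Constructed stand-in for the 2048-word BIP-39 list (the real list is the
# official English wordlist; the algorithm below is identical for both).
WORDLIST = [f"word{i:04d}" for i in range(2048)]
WORD_INDEX = {w: i for i, w in enumerate(WORDLIST)}


def entropy_to_mnemonic(entropy: bytes) -> list[str]:
    """Encode 16..32 bytes of entropy as a BIP-39 mnemonic (12..24 words)."""
    ent_bits = len(entropy) * 8
    if ent_bits not in (128, 160, 192, 224, 256):
        raise ValueError("entropy must be 128..256 bits in 32-bit steps")
    cs_bits = ent_bits // 32                      # checksum length is ENT/32
    digest = hashlib.sha256(entropy).digest()
    bits = bin(int.from_bytes(entropy, "big"))[2:].zfill(ent_bits)
    bits += bin(int.from_bytes(digest, "big"))[2:].zfill(256)[:cs_bits]
    # each group of 11 bits selects one word from the list
    return [WORDLIST[int(bits[i:i + 11], 2)] for i in range(0, len(bits), 11)]


def validate_mnemonic(words: list[str]) -> tuple[bool, str]:
    """Return (ok, reason): the checks a wallet runs before accepting a phrase."""
    if len(words) not in (12, 15, 18, 21, 24):
        return False, "wrong word count"
    unknown = [w for w in words if w not in WORD_INDEX]
    if unknown:
        return False, f"word not in list: {unknown[0]}"   # typo or misspelling
    bits = "".join(bin(WORD_INDEX[w])[2:].zfill(11) for w in words)
    cs_bits = len(words) * 11 // 33               # ENT + CS = 11 * words, CS = ENT/32
    ent_bits = len(bits) - cs_bits
    entropy = int(bits[:ent_bits], 2).to_bytes(ent_bits // 8, "big")
    expected = bin(int.from_bytes(hashlib.sha256(entropy).digest(), "big"))[2:]
    if bits[ent_bits:] != expected.zfill(256)[:cs_bits]:
        return False, "checksum mismatch"         # a wrong or swapped word
    return True, "ok"


def valid_last_words(words: list[str]) -> int:
    """Count the choices of final word that pass the checksum for a fixed prefix."""
    return sum(validate_mnemonic(words[:-1] + [w])[0] for w in WORDLIST)


if __name__ == "__main__":
    phrase = entropy_to_mnemonic(bytes(range(32)))    # constructed 256-bit entropy
    print(validate_mnemonic(phrase), valid_last_words(phrase))
```

For a 24-word phrase only 8 of the 2048 candidates for the last word pass (3 entropy bits plus an 8-bit checksum), so a tool can fill in a lost final word, but it cannot tell you which of those 8 is yours, and it adds nothing to the 256 bits of search space the reply's bullet points describe.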
