Impossible to enter a BIP39 passphrase in the dialog to enter the BIP39 mnemonic phrase

[loupiote]

Impossible to enter a BIP39 passphrase in the dialog where you can enter the BIP39 mnemonic phrase.

My BIP39 seed uses both a mnemonic phrase, and a BIP39 "passphrase".

However, there is no way to enter the passphrase in the dialog where the mnemonic is entered, in https://wallet.glif.io/ > test accounts > import seed phrase.

In other words, if my Ledger breaks or becomes unavailable, I have no easy way to recover emergency access to my FIL assets, because my BIP39 seed uses a passphrase, and you guys forgot to support BIP39 passphrased seed.

I am sure that there are ways to generate the FIL private keys, using some programming, but most people are not savvy enough to do that.

I don't even know the derivation path of my FIL accounts, they are not indicated anywhere on the page where I get my Ledger-derived FIL account address. What are the FIL derivation path?

[Schwartz10]

Right now the Glif wallet does not support BIP39 "passphrases". This may be something we support in the future, but it is not currently on the roadmap.

If your Ledger breaks or becomes unavailable, as long as you have the pass and seed phrases, you unfortunately would have to just get another Ledger and restore it from your backups.

The derivation path of FIL accounts follows BIP44 spec if you're ever in need of deriving the accounts yourself.

[loupiote]

Thanks for confirming that your wallet is not BIP39-compatible with regard to account recovery, and that you have no plan to fix that.

I notified the Ledger community of the issue: https://www.reddit.com/r/ledgerwallet/comments/mi66je/psa_if_you_secure_fil_filecoin_with_your_ledger/

I personally feel very uncomfortable securing my FIL on a hardware wallet if the only way to regain access is through a proprietary device, even though I have my BIP39 recovery mnemonic and passphrase.

I am fully aware that using software tools and software wallets to recover access to a crypto account entails risks and defeats the security offered by a hardware wallet, but in some case, account access is more important than security, if the account gets locked-up because the hardware device is unavailable (or maybe the company making it goes bankrupt).

Do you know if there is another FIL software wallet that are BIP39-compliant i.e. that can recover account access from the BIP39 recovery mnemonic and passphrase?

Or are there some software tools, like the Ian Coleman Bip39 tool, that can get the FIL private keys from the BIP39 seed and derivation path?

Also, from looking at the source code, I found that FIL uses this derivation paths for FIL account #x

m/44'/461'/0'/0/x

Could you confirm that this is correct?

The BIP44 spec indicates that the derivation path for FIL account #x should be m/44'/461'/x'/0/0 , but I don't believe that you follow the spec with regard to account number, right? (Account number should be the third number in the derivation path)

[Schwartz10]

Thank you for voicing your concern, and I understand your frustrations! You can see my response on your reddit post, but to reiterate some points here too:

• We completely agree that the Filecoin ecosystem needs better support for bip39 passphrases
• If Ledger ends up dropping support or large groups of users end up losing access to their funds simply because of an issue with bip39, this may change the ways in which we see the priority of supporting bip39 in the Glif web wallet.
• The browser is an insecure environment, and we do not want to coach users into pasting any secrets into the browser at any time (this is why we label the browser based key strategies as "test accounts" and seriously warn the user before using them). While you may be aware of these security issues, other users may not be (even after all of our attempts at warning the user), and our top security priority is to keep user's funds safe.
• If you or anyone you know would like to get involved in helping the effort of creating a wallet in a more secure environment, we'd be happy to help make that happen in some capacity. Check out the Filecoin devgrants!

In terms of key derivation, m/44'/461'/0'/0/x is correct. Here's the function for creating paths: https://github.com/glifio/wallet/blob/primary/utils/createPath/index.js#L6 testnet is 1 mainnet is 461

[loupiote]

Thanks for the clarifications.

Is there any other software or phone wallet that supports Filecoin and also support recovering accounts from a BIP39 seed (mnemonic + optional passphrase)?

Regarding the derivation path: is there a particular reason why FIL does not follow the BIP44 spec for the derivation path? BIP44 indicates that the account number should be the third element of the path (with a hardened derivation), not the 5th element of the path.

[compatibilizer]

I'm not sure about FIL support, but Coinomi is a great multi-coin wallet that supports BIP39 passphrase. To be honest, I can't understand how wallet developers ignore the BIP39 passphrase option, or fail to see the value in it...

It protects your seed backup against theft (at least buys you enough time to move your funds) and also provides a native way to escape the "$5 wrench attack" (passphrase1 unlocks my real wallet, passphrase2 unlocks my fake wallet, I have a small amount of coins in my fake wallet, if I'm forced to unlock at gunpoint, I'll unlock it with passphrase2)