> For the complete documentation index, see [llms.txt](https://docs.mybucks.online/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.mybucks.online/concept/security-consideration/security-deep-dive.md). # Security Deep Dive **Threat: The salt used in the key derivation process is derived from the user's passphrase/PIN rather than being a globally unique, randomly generated value. This effectively makes it a "longer password" rather than a true cryptographic salt, potentially making the wallet vulnerable to various attacks.** **Architectural Response**: We acknowledge that by strict definition, a cryptographic salt should be a unique, random value stored alongside the hash. However, mybucks.online operates under a **Zero-Storage** philosophy. Since we do not have a database to store and serve unique salts to users, we must derive the key deterministically from the user’s own credentials. To mitigate the lack of a traditional random salt: * we mandate **high-entropy inputs**. Our UI utilizes a **strength meter** based on the **zxcvbn** algorithm, which actively prevents the use of common, compromised, or dictionary-based patterns. * By requiring both a Passphrase and a PIN, we utilize "**password chunking**"—a method that is more effective than a single long password because it encourages higher total entropy. This dual-input creates a high-entropy, self-contained "salt" that makes your wallet unique and resilient. * we use the **Scrypt** Key Derivation Function (KDF) with high-cost parameters. Scrypt is a "memory-hard" algorithm specifically designed to make brute-force and hardware-accelerated (ASIC/GPU) attacks extremely expensive. * **We recommend utilizing our auto-fill feature, which generates random Passphrase and PIN credentials** with approximately 130 bits of entropy; this ensures a machine-generated high-entropy input that effectively resolves the traditional 'unique salt' requirement. This design keeps your wallet secure without needing a central database, as long as you use long, unique credentials. This trade-off is what makes the wallet fully decentralized, private, and easy to use. **Threat: Anyone who has the Transfer Link can extract the wallet's passphrase and PIN because they are encoded in Base64 format.** **Architectural Response**: This architecture is a deliberate choice to support our **1-click gifting** mechanism and our commitment to a zero-server infrastructure. Anyone with the URL can extract the passphrase and PIN, as Base64 is an encoding format used for URL compatibility rather than a layer of encryption. Mybucks.online operates without any databases or storage, meaning the wallet is fully decentralized and exists only through the credentials provided in the link. This allows recipients to take ownership of a wallet instantly without registration or app installs. The convenience of a 1-click gift, allowing a wallet to be sent as easily as a chat link, is the primary value proposition of this feature. However, using standard URLs can expose credentials to being logged by ISPs, corporate firewalls, or third-party servers via referrer headers. To minimize this, we utilize hash fragments (#) to keep data in the browser and away from server logs. #### Disclaimer Convenience and one-time use are deliberate priorities; this is not a vault like MetaMask and does not target the same threat model as cold storage or a machine-generated 12/24-word seed phrase. A credential-based, browser-derived wallet is an intentional trade-off: accessible onboarding and 1-click gifting in exchange for users bearing responsibility for credential strength and for how gifting links are shared. The framework is meant for temporary envelopes and micro-gifting—not a primary vault or long-term wealth storage. #### User Responsibility & Security The safety of each envelope is directly tied to the **complexity of your credentials**. We strongly encourage a long, unique passphrase and PIN, or the **auto-fill** feature for machine-generated credentials. Accordingly, mybucks.online is intended for **micro-transactions and gifting**, not long-term storage of high-value assets. --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter: ``` GET https://docs.mybucks.online/concept/security-consideration/security-deep-dive.md?ask=&goal= ``` `ask` is the immediate question: it should be specific, self-contained, and written in natural language. `goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.