Security Deep Dive
This page addresses technical risks and architectural decisions frequently raised by security researchers and auditors during our community review process.
Threat: The salt used in the key derivation process is derived from the user's passphrase/PIN rather than being a globally unique, randomly generated value. This effectively makes it a "longer password" rather than a true cryptographic salt, potentially making the wallet vulnerable to various attacks.
Architectural Response: We acknowledge that by strict definition, a cryptographic salt should be a unique, random value stored alongside the hash. However, mybucks.online operates under a Zero-Storage philosophy. Since we do not have a database to store and serve unique salts to users, we must derive the key deterministically from the user’s own credentials.
To mitigate the lack of a traditional random salt:
We mandate high-entropy inputs. Our UI utilizes a strength meter based on the zxcvbn algorithm, which actively prevents the use of common, compromised, or dictionary-based patterns.
By requiring both a Passphrase and a PIN, we utilize "password chunking", a method that is more effective than a single long password because it encourages higher total entropy. This dual input creates a high-entropy, self-contained "salt" that makes your wallet unique and resilient.
We use the Scrypt Key Derivation Function (KDF) with high-cost parameters. Scrypt is a "memory-hard" algorithm specifically designed to make brute-force and hardware-accelerated (ASIC/GPU) attacks extremely expensive.
We recommend utilizing our auto-fill feature, which generates random Passphrase and PIN credentials with approximately 130 bits of entropy; this ensures a machine-generated high-entropy input that effectively resolves the traditional 'unique salt' requirement.
This design keeps your wallet secure without needing a central database, as long as you use long, unique credentials. This trade-off is what makes the wallet fully decentralized, private, and easy to use.
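The trade-off described above, as an added example that is not mybucks.online's own code: it derives a key with Node's crypto.scryptSync once with a credential-derived salt and once with a stored random salt. The cost parameters, the use of the PIN as the salt, the sample credentials and the function names are assumptions made for this sketch.

```javascript
const { scryptSync, randomBytes } = require('node:crypto');

// Assumed cost parameters; the page says only "high-cost parameters".
const COST = { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };

// Zero-storage variant: the salt comes from the credentials themselves.
// Using the PIN as the salt is an assumption made for this sketch.
function deriveStateless(passphrase, pin) {
  return scryptSync(passphrase.normalize('NFKC'), pin.normalize('NFKC'), 32, COST)
    .toString('hex');
}

// Conventional variant: a random per-wallet salt that has to be stored
// somewhere and supplied again at every unlock.
function deriveWithStoredSalt(passphrase, pin, salt) {
  const secret = `${passphrase}\u0000${pin}`.normalize('NFKC');
  return scryptSync(secret, salt, 32, COST).toString('hex');
}

// Two independent users who happen to pick the same credentials
// (constructed sample values, not real wallet credentials).
function compare(passphrase = 'violet-anchor-mosaic-19', pin = '840271') {
  const alice = deriveStateless(passphrase, pin);
  const bob = deriveStateless(passphrase, pin);
  const aliceSalted = deriveWithStoredSalt(passphrase, pin, randomBytes(16));
  const bobSalted = deriveWithStoredSalt(passphrase, pin, randomBytes(16));
  return {
    statelessCollides: alice === bob,          // same inputs, same wallet key
    saltedCollides: aliceSalted === bobSalted, // random salts separate them
  };
}

console.log(compare());
```

Because the stateless key depends only on the credentials, separation between wallets rests entirely on credential entropy, which is the reason for the strength meter and the auto-fill recommendation.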
Threat: Anyone who has the Transfer Link can extract the wallet's passphrase and PIN because they are encoded in Base64 format.
Architectural Response: This architecture is a deliberate choice to support our 1-click gifting mechanism and our commitment to a zero-server infrastructure. Anyone with the URL can extract the passphrase and PIN, as Base64 is an encoding format used for URL compatibility rather than a layer of encryption.
Mybucks.online operates without any databases or storage, meaning the wallet is fully decentralized and exists only through the credentials provided in the link. This allows recipients to take ownership of a wallet instantly without registration or app installs. The convenience of a 1-click gift, allowing a wallet to be sent as easily as a chat link, is the primary value proposition of this feature.
However, standard URLs can expose credentials to logging by ISPs, corporate firewalls, or third-party servers via referrer headers. To minimize this, we place the data in the hash fragment (#), which the browser does not send to the server, so it stays in the browser and out of server logs.
Disclaimer
While our dual-input system is designed to be highly secure, it is important to note that a credential-based wallet does not inherently provide the same level of security as a machine-generated seed phrase. We believe this seedless, credential-based approach is an innovative bridge for both Web2 and Web3 users, prioritizing accessibility and ease of use.
User Responsibility & Security
The safety of your wallet is directly tied to the complexity of your credentials. We strongly encourage users to choose a long, unique, and complex passphrase and PIN. Because our system derives your keys mathematically from these inputs, the longer and more complex your credentials are, the more resilient your wallet becomes against attacks.
We recommend utilizing our auto-fill feature, which generates random Passphrase and PIN credentials with approximately 130 bits of entropy; this ensures a machine-generated high-entropy input that effectively resolves the traditional 'unique salt' requirement.
Accordingly, we do not recommend using this wallet for long-term storage or high-value assets. Mybucks.online is intended for micro-transactions and gifting purposes.