this post was submitted on 02 Sep 2023
11 points (92.3% liked)

Monero

1653 readers
24 users here now

This is the lemmy community of Monero (XMR), a secure, private, untraceable currency that is open-source and freely available to all.

GitHub

StackExchange

Twitter

Wallets

Desktop (CLI, GUI)

Desktop (Feather)

Mac & Linux (Cake Wallet)

Web (MyMonero)

Android (Monerujo)

Android (MyMonero)

Android (Cake Wallet) / (Monero.com)

Android (Stack Wallet)

iOS (MyMonero)

iOS (Cake Wallet) / (Monero.com)

iOS (Stack Wallet)

iOS (Edge Wallet)

Instance tags for discoverability:

Monero, XMR, crypto, cryptocurrency

founded 1 year ago
MODERATORS
 

I'm currently using monero addresses as the sole authentication method for a custodial service, similar to how mullvad VPN has a single account number to authenticate. My understanding is that these are unique, and impossible to guess. For a custodial service, this makes withdrawing user funds trivial as well.

Can anyone tell me why this is a bad idea?

top 3 comments
sorted by: hot top controversial new old
[–] Unkn8wn69@monero.town 3 points 1 year ago

I don't see a reason why it should be a monero address tied to it. Just make it a random string like mullvad does)

[–] Saki@monero.town 3 points 1 year ago

The nature of Monero address is public (it can be used publicly to receive xmr), and you don't want to use a public string as a secret password. Practically, though, if it's possible for you to keep it absolutely secret and safe, you're free to do so at your own risk.

If it's the main address starting with "4" and later you happen to decide having fun p2pooling using the same address, then obviously that's not good. To avoid unnecessary worries, perhaps making it a random string, like @Unkn8wn69 said, is a good idea.

Technically, since the string length of a monero address (hence the name space) is finite, it's not guaranteed to be unique, though the probability of collision is vanishingly small and this won't be a real concern at all.

[–] jet@hackertalks.com 0 points 1 year ago

Its a good idea.

If the service supports delegated user accounts (some permissions but not full account access), it might not work