
Coherent names for passwords. #1474

Closed
gitvalds opened this issue Jul 11, 2020 · 7 comments
Labels
A-E2EE A-E2EE-Cross-Signing O-Frequent Affects or can be seen by most users regularly or impacts most users' first experience S-Minor Impairs non-critical functionality or suitable workarounds exist T-Defect Z-FTUE Z-NewUserJourney Z-WTF

Comments

@gitvalds

Description

During login, using Firefox, I was asked for the "security phrase".
I always save these passwords with the name that Riot calls them by.
There was no such thing.
So I had no alternative but to try all of my passwords, which is risky because I am giving them all to the server and maybe to others.
The correct name this time was "recovery passphrase".
So now I have written in my notes "recovery passphrase, AKA security phrase".
This happened in the past with different names.
Here they all are.
I have no idea what they are used for, so they are just in alphabetical order.

encryption key
key backup
recovery passphrase
recovery password
recovery key
security phrase

Steps to reproduce

It happened when I was logging in.

Logs being sent: no

Version information

platform: web
Firefox 78.0.1 (64-bit)
Fedora 32

@aaronraimist

Yeah there should be some kind of hint saying "Security Phrase was previously called..."

Hopefully they've finally picked a name they are happy with and will be sticking with.

@aaronraimist

This button here still has the old name (screenshot attached).

@ell1e

ell1e commented Jul 12, 2020

I already mentioned this in #1523, but all these names, once made coherent, also really should be mentioned in https://about.riot.im/help#end-to-end-encryption with at minimum the following info:

1. what exactly does each one do,
2. how exactly can each one be changed/reset/recovered (or not),
3. what is the consequence of each one being obtained or guessed by some attacker,
4. which one is stored server-side under which circumstances (e.g. with key backup enabled)

@scode

scode commented Jul 19, 2020

In my case, I find myself with a "security phrase" (previously I believe called "backup phrase"). I also have a "recovery key" and a "message key", in addition to the username and password. I have these in my password manager, but it's not clear to me what the differences are. I can understand one recovery key + username and password, but I don't know what the additional secrets are - or which of them are obsolete or duplicative historical artifacts.

Even as a technically inclined person (software developer for many years), and with an interest in end-to-end encrypted chat, this is confusing. I tried to Google for some form of description, but didn't find it. I think a clearer UX with a simple mental model is key for user adoption.

I would like to mention Keybase as something to draw inspiration from. I don't know if there are differences in the underlying protocol that make it harder with Matrix, but Keybase has multiple devices including backup paper keys and they surface it in a very reasonable manner in the UX. As a Keybase user, all I care about are:

  • A username and a password, for logging in.
  • My set of devices which include phones, computers, and paper keys (the latter is the emergency key/backup key/recovery key equivalent).

UI-wise, all I am presented with are devices. Devices have different types (such as phone, paper key, computer), but there is fundamentally only one thing I have to keep in my head and the rule is simple: I need at least one of them to be available in order to add new devices. As a result, it's best practice to keep multiple devices active at any given point in time. If all else fails, treat the paper key device as the emergency key.

They also offer an optional ability to turn off the ability to reset the account by logging in using a username and password (turned off by default, meaning that it is possible to reset by login but not access old encrypted state).

One final suggestion I have is that somewhere in settings under security, there should be some clear representation of the secrets that I have (obviously not storing/revealing them) and what their role is. Right now, I have the aforementioned list of secrets in my password manager, but I can't be sure which ones are relevant anymore. If I could go to security settings and see a list, such as:

  • You have a foo key (should have format XXX-YYY-ZZZ) which is required to do bar thing. Click here to change it.
  • You have a fizz key (should have format ...) which is required to do baz thing. Click here to change it.
    ...

That would give me confidence what the complete set of things are that I should keep track of, and I can make sure I understand exactly how they map to what I keep in my password manager/safe/whatever.

I would also hide things like "export e2e room keys" under some form of advanced sub dialog, and clearly explain what it is and what the limitations are so that users don't mistake them for something they aren't.

@janvlug

janvlug commented Sep 28, 2020

When I tried to verify a contact, after verification, I got this window (screenshot attached):
Actually, I have no idea what I am supposed to provide here.
I tried all key material that I stored in my password manager, but none of them seemed to work. I also tend to store the names provided by the application to the keys in my password manager, but I have no Security Phrase or Security Key.

@pReya

pReya commented Oct 15, 2020

Inconsistent wording within the same dialog component :(

(screenshot attached)

@richvdh
Member

richvdh commented Nov 8, 2023

Recovery passphrase was renamed (in the UI, at least) to "Security phrase".
Recovery key was renamed to "Security key".

(It's slightly more complicated than that, because previously the recovery phrase/key was only used for server-side backup encryption, whereas it is now used for the more general server-side secret storage, which itself is used to store a recovery key for a key backup. But the migration was supposed to be relatively seamless, and the thing you previously used as a recovery phrase/key can now be used as a security phrase/key).

Please file platform-specific issues highlighting any parts of the UI you see using the old terms.

@richvdh richvdh closed this as completed Nov 8, 2023