 amazing! how do you make sure the nsec is safe on local storage? does the user encrypt it every time? 
 does the user encrypt it with a password and decrypt on every usage?* 
 The nsec is stored in an encrypted form with keys generated at the browser, it's a light protection from someone just peeking at the localstore. But if they're smart enough to debug js then they would find the decrypted nsec somewhere inside js variables (same w/ extensions btw).

It is possible to add some pin/password to confirm on every use, although it would mean you can't set 'Don't ask again' checkbox - you'd literally have to confirm (almost) every use of the key. Do you think we need such advanced mode? 
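The "pin/password on every use" mode described in the reply above, as an added example in browser JavaScript (WebCrypto); it is not nsec.app's code. It assumes a `storage` object with localStorage's `getItem`/`setItem` API (a Map-backed stand-in is included so it also runs in Node) and a constructed, non-real sample nsec string.

```javascript
// Added example (not nsec.app's code): a PIN-protected nsec at rest, the
// "pin/password on every use" mode discussed above. `storage` stands in for
// window.localStorage (same getItem/setItem API) so the code also runs in Node.
const enc = new TextEncoder();
const dec = new TextDecoder();

// WebCrypto: globalThis.crypto in browsers and Node >= 19, node:crypto otherwise.
async function getWebCrypto() {
  if (globalThis.crypto && globalThis.crypto.subtle) return globalThis.crypto;
  return (await import("node:crypto")).webcrypto;
}

// PBKDF2 stretches the PIN into an AES-GCM key; the random per-record salt
// defeats precomputation. Neither the PIN nor the derived key is ever stored.
async function keyFromPin(wc, pin, salt) {
  const base = await wc.subtle.importKey("raw", enc.encode(pin), "PBKDF2", false, ["deriveKey"]);
  return wc.subtle.deriveKey({ name: "PBKDF2", salt, iterations: 200000, hash: "SHA-256" },
    base, { name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
}
const b64 = (u8) => btoa(String.fromCharCode(...u8));
const unb64 = (s) => Uint8Array.from(atob(s), (c) => c.charCodeAt(0));

// Only { salt, iv, ct } reaches storage, so peeking at it yields nothing usable.
async function storeNsec(storage, slot, nsec, pin) {
  const wc = await getWebCrypto();
  const salt = wc.getRandomValues(new Uint8Array(16));
  const iv = wc.getRandomValues(new Uint8Array(12));
  const key = await keyFromPin(wc, pin, salt);
  const ct = new Uint8Array(await wc.subtle.encrypt({ name: "AES-GCM", iv }, key, enc.encode(nsec)));
  storage.setItem(slot, JSON.stringify({ salt: b64(salt), iv: b64(iv), ct: b64(ct) }));
}

// Decrypts for one callback only, so the plaintext is a short-lived local rather than
// a long-lived app variable (a debugger attached during the call still sees it, as the
// reply above notes). Wrong PIN (GCM tag mismatch) or a missing record resolves to null.
async function withNsec(storage, slot, pin, use) {
  const raw = storage.getItem(slot);
  if (raw == null) return null;
  const rec = JSON.parse(raw);
  const wc = await getWebCrypto();
  const key = await keyFromPin(wc, pin, unb64(rec.salt));
  let pt;
  try {
    pt = await wc.subtle.decrypt({ name: "AES-GCM", iv: unb64(rec.iv) }, key, unb64(rec.ct));
  } catch (_) {
    return null; // authentication failed: wrong PIN or tampered record
  }
  return use(dec.decode(pt));
}
// Map-backed localStorage stand-in for Node; in a browser pass window.localStorage instead.
const memoryStorage = () => { const m = new Map(); return { getItem: (k) => (m.has(k) ? m.get(k) : null), setItem: (k, v) => { m.set(k, String(v)); } }; };
```

In the browser, `withNsec(window.localStorage, "nsec", pinFromPrompt, (nsec) => signEvent(nsec, ev))` is the shape of a single confirmed use; nothing outside the callback holds the decrypted key.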
 I’m not sure, I asked because I’m facing a similar problem with encrypting user forms on local storage on formstr, it’s a security vs UI trade-off, perhaps an optional feature for security would be a nice idea, or perhaps a remote decryption key? (This would be too similar to a remote signer, but you’d only have to do this once, instead of signing every event remotely) also key-rotation would be easier. 
 Well with formstr you could encrypt forms w/ user's nsec store locally? It pushes the problem to nsec storage, at least it's one problem to solve, not scattered across apps. 
 Very interesting, I’m not sure why I didn’t think of that! I already encrypt and store the forms as an encrypted list on the relays, it’s not much different than storing locally, thanks! Does nsec.app also do nip-04 encryption?  
 Yes of course all nip07 methods are supported, although getRelays returns nothing atm 
 Wdyt of using nostr-login for formstr? 
 I am sure I replied to your comment earlier but I can’t find the reply anywhere. Clients are buggy! 

We could definitely evaluate it for the increase in UX on formstr. We are already using signers for interacting with a user's nostr profile. Will check it out later today!
 Yes. Security first. I don't mind putting in my pin each time I log in with nsec.app Nostr-login.