2026-06-03 11:50:39 UTC
in reply to

tonyacid25 on Nostr: thank you, but I have a concern with this solution. one string like nsec is prone to ...

Thank you, but I have a concern with this solution.
One string like nsec is prone to be pasted accidentally into a text field of another app that immediately sends it to a server before hitting a "submit" button. At that point you lose your nostr identity... huge security risk imho.
And if we aim to onboard another billion users to nostr, we can't expect people would be careful enough and take appropriate measures.
I agree external signer creates additional layer of complexity. So, I wonder if a "middle ground" solution could be applied.
One thing that comes into my mind would be at least splitting nsec into two parts on UI level (aka login and password). So if you paste this accidentally into wrong text field, you don't lose your identity.
Don't you think single nsec string imposes such security risk?