RippleWarpWallet is a fork of the original WarpWallet used for making Ripple wallets instead of bitcoin ones. It is a deterministic Ripple wallet generator. What this means is that you never have to save or store your secret key directly anywhere. Instead, you pick a good passphrase - see the section of the page about choosing a password - and never use it for anything else. Then, whenever you want to access your actual secret key, you put your password back into RippleWarpWallet and it will generate the same address as before as long as the same password was used as input. This is what "deterministic" means. Much like other wallet generators, all of this is done on your computer only; an external server is never contacted after you download the initial page. This has a number of benefits, but also a number of possible weaknesses.
The benefits are that, in theory, you don't have to store your password anywhere but in your own brain. You can use a method like a mnemonic peg to memorize a password very thoroughly. However, even if you do store your password, you'll be guarded against the most common malware that tries to specifically steal crypto wallets since your password will not be in the form that they are looking for. This allows you to disguise your crypto password in ways that make it look quite innocuous unless someone is targeting you specifically, which is quite unlikely unless you have a ridiculous sum that you regularly advertise online.
The weaknesses are that, if you choose a bad password, an attacker could very easily take your coins, since the only thing they need to be able to generate your secret key (and therefore take control of your wallet) is your password. WarpWallet adds two improvements over the traditional brainwallet to try to mitigate these weaknesses:
(1) WarpWallet uses scrypt to make address generation both memory and time-intensive. This means that it takes a matter of several seconds to run a password through the algorithm and get the resulting private and public key, rather than a matter of a fraction of a millisecond like with a traditional brainwallet generator.
(2) You can "salt" your passphrase with your email address. Though salting is optional, we recommend it. Any attacker of WarpWallet addresses would have to target you individually, rather than netting you in a wider, generic attack, since they would need to combine your email address with your password. And your email is trivial to remember, so why not?
However, even with these safeguards, it's not infallible. If you use a bad password, even with a salt, your coins are still easily stolen. This is why I have a whole section on the tool dedicated to how to choose a good password.
The main thing that I added in this version of the tool is the ability to verify that the code in the GitHub repository is the same code that is compiled and hosted on the live web version. What does this mean for you as far as security?
- If you trust the code in the repository, then you can trust the code on the web version
- You are able to verify that I'm not adding any back doors to the web hosted version that aren't present in the uncompiled source code (this kind of vulnerability in "open source" wallets has been used to great, or awful, effect with other cryptocurrencies).
In order to verify this for yourself, head over to the GitHub page: https://github.com/termhn/ripplewarpwallet and follow the instructions there.