
RE: My Experience: Biggest Barrier to 'Signing up Friends'

in #steem, 9 years ago

Thanks for your feedback and for recruiting! We didn't pick 16 characters because we thought it would be super secure; we picked it because it is the minimal level of security that doesn't require users to back up anything else and doesn't make us responsible for securing user data.

Unlike traditional services, the "password database" of Steem is public. This means hackers can trivially brute-force passwords against any account they like. Normally each password submission must go to a server and the server can rate-limit hackers. With Steemit your password is your private key. Attackers can try millions or billions of passwords per second. An 8-character password could be brute-forced in a couple of days assuming it was perfectly random.

A 16-character randomly generated password containing upper and lowercase letters and numbers contains just 96 bits of entropy. Normal private key security requires 256 bits. Keep in mind that each bit of entropy DOUBLES the security and you will see that a 16-character password is actually incredibly weak.

In 2007 there was an estimate that the cost to crack 88 bits using brute force is $300M. If you apply Moore's law you reduce this price by a factor of 16, or you might get 4 extra bits by now.

All of that said, just because it is difficult doesn't mean we shouldn't attempt to find a better solution.


This means hackers can trivially brute-force passwords against any account they like. Normally each password submission must go to a server and the server can rate-limit hackers. With Steemit your password is your private key. Attackers can try millions or billions of passwords per second. An 8-character password could be brute-forced in a couple of days assuming it was perfectly random.

What about hard-coding on Steem a 1-3 second delay after the password is asked, before accepting it? Like KeePass does with "Key transformation"....
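The entropy arithmetic in the original post (62-symbol alphabet, billions of guesses per second, no server to rate-limit) and the key-transformation idea in the reply above, worked through as an added example. This is my illustration, not Steem's or the commenter's code: PBKDF2-HMAC-SHA256 stands in for a KeePass-style key transformation (Steem's real key derivation is assumed to differ), the 10^9 guesses/s rate is taken from the post, and the 3-digit "password" the brute-force loop recovers is constructed so the loop finishes instantly.

```python
"""Offline brute force against a password that is also the private key, plus the
effect of key stretching (added illustration; not Steem's key derivation)."""
import hashlib
import itertools
import math
import string

ALPHABET = string.ascii_letters + string.digits  # upper + lower + digits = 62 symbols
GUESSES_PER_SECOND = 1e9  # "billions per second", as the post assumes (assumption)


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Bits of entropy in a uniformly random password: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits, guesses_per_second=GUESSES_PER_SECOND):
    """Expected time to hit a random secret: the attacker searches half the
    keyspace on average, i.e. 2^(bits-1) guesses."""
    return 2 ** (bits - 1) / guesses_per_second


def effective_bits(bits, work_factor):
    """Key stretching makes every guess cost `work_factor` hash operations, which
    is equivalent to adding log2(work_factor) bits. It does not change the
    password; it only multiplies the attacker's cost per guess."""
    return bits + math.log2(work_factor)


def derive_key(password, iterations, salt=b"constructed-salt"):
    """Stretched key derivation (PBKDF2-HMAC-SHA256). Illustrative assumption only;
    the point is that whoever derives the key, attacker included, pays `iterations`."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, 32)


def brute_force(target_key, length, iterations, alphabet=string.digits):
    """Offline attacker loop: enumerate the space, derive each candidate's key,
    compare. No server is involved, so nothing can rate-limit this.
    Returns (password, guesses_made) or (None, guesses_made)."""
    guesses = 0
    for candidate in itertools.product(alphabet, repeat=length):
        guesses += 1
        pw = "".join(candidate)
        if derive_key(pw, iterations) == target_key:
            return pw, guesses
    return None, guesses


def seconds_to_human(seconds):
    year = 365.25 * 86400
    if seconds >= year:
        return f"{seconds / year:,.3g} years"
    if seconds >= 86400:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds:.0f} seconds"


if __name__ == "__main__":
    print(f"{'len':>3} {'bits':>6} {'expected crack time @1e9/s':>28}  {'with 2^20 stretching':>22}")
    for length in (8, 12, 16):
        bits = entropy_bits(length)
        plain = seconds_to_human(expected_crack_seconds(bits))
        stretched = seconds_to_human(expected_crack_seconds(effective_bits(bits, 2 ** 20)))
        print(f"{length:>3} {bits:>6.1f} {plain:>28}  {stretched:>22}")

    # Constructed toy target: a 3-digit "password" so the loop finishes instantly.
    secret = "735"
    for iters in (1, 1000):
        found, guesses = brute_force(derive_key(secret, iters), len(secret), iters)
        print(f"iterations={iters:<5} recovered={found} after {guesses} guesses "
              f"({guesses * iters:,} PBKDF2 rounds of attacker work)")
```

The table reproduces the post's figures: 8 characters from a 62-symbol alphabet is about 47.6 bits and falls in roughly 1.3 days at 10^9 guesses/s; 16 characters is about 95.3 bits. The brute-force loop shows where a delay actually helps: the attacker never runs the web client, so a sleep in the UI costs them nothing. Only a work factor baked into the key derivation itself, which every derivation (legitimate or not) must perform, multiplies their cost, and 2^20 rounds buys about 20 bits, not the gap to 256.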

@dan, what would be best practice for securing our account beyond the 16char password, with the private keys? I can only assume that as Steemit gains popularity we're going to be attacked in some way if we aren't already.

The issue seems a little distant for me as I always use random passwords of more than 16 characters and then use a password manager to store them all. It does seem to be more of an issue than I thought with most people who just browse social media sites.

I don't think the solution would be to reduce the security - maybe just a message when signing up briefly explaining why it's important?
I guess it's quite unusual for most people to be asked for a password that's 16 characters long.

Same here, I've never picked a password shorter than that. I didn't know this was an issue; seems like a lethargic problem to me. How about a big disclaimer: "you are becoming your own bank, would you want a shit security system or one of high quality? Pick a secure password" 👍 Lol.

Autogenerate passwords.
Boom.
Problem solved.

I'm not sure that's a good idea. Users will more than likely forget auto-generated passwords.

No one remembers an auto-generated password. The point is that you auto-generate a random password, put it in a password manager that you can use on your phone and computer, then just remember the 'master password' that unlocks them all.

But my question is, can a hacker not then target the password-remembering program?