You are viewing a single comment's thread from:

RE: Important Changes to Steemit.com and Wallet

in #steem6 years ago

2FA+password could be a solution in the future but it's much more complex from an engineering standpoint. Initially on Steemit.com you could simply set your own password, but we had to disable this. Many users had guessable passwords like password and got compromised. Then we raised the requirement to 16 characters; users were not happy, and it still wasn't enough. E.g. passwordpassword. Generally speaking, if you can remember your private key (password), then it's not secure.

Sort:  

Generally speaking, if you can remember your private key (password), then it's not secure.

The concept of cryptographic salt was invented specifically for this reason.

Store a bcrypt of the user's master password, and a long cryptographic salt. When they provide the bcrypt of their password, give the client app their salt and let it derive their keys. Rate limit the number of tries to the bcrypt-based-salt-providing-service.

Then users can use normal passwords. You could even protect the salt server with 2FA.

(Of course, after login, the user can see all of their derived keys in full without being dependent upon the server to provide the salt, thereby letting them avoid vendor lock-in.)

Yes - I love this idea honestly.

I have a few ideas that would expand upon this concept a bit also.

Interesting, never heard about this concept before.

Normal people needs user-friendly approach.

In my honest opinion, if users are stupid enough to make easily guessable passwords, then they should get compromised. Teach people a damn lesson to do things for themselves and be smart.

Hi @amethystmidnight,

Please don't get emotional. Actually, they aren't doing it wantonly and their ignorance being the reason for this mistake of theirs.

They are thinking about one side of the coin and are not thinking about the other side. A little eye-opener sort of blog post detailing the risks involved in having easy passwords, which is more of like a soldier guarding the palace gates without any armor.

After this strict implementation of this strict feature, they should be knowing now the mistake they did in the past.....FOR SURE!

When users come here they have no idea about the financial part, and how it works differently than their bank site. Which likely has more money and still allows them to save a password.

It doesn't make you sound smart to shame the end users with less knowledge, it just makes you sound out of touch with who we are onboarding.

If you are you are afraid of account compremise then use local softwere to control your main account and use a different account for posting. Delegate your steemit power to that account. Use 50/50 reward, and send the profit back to your main account.So then steem power in your posting account is just a bonus.

Hi @coinmaster4you,

Excellent idea.

But I don't understand one thing.

Can you please enlighten me about the words "....use local software...."?

Well, it is a type of light wallet you can download to control your steemit account.

Posted using Partiko Android

Thank you very much @coinmaster4u for your clarification.

Posted using Partiko Android

Amen to that I had no Problem typing in a 50 digit password. It was secure and sometimes you have to have patience for extra security.