Master password needs to be phased out for several reasons, one of which is that it derives to the owner key (which is meant to be entirely offline) yet many users continue to use it for logging in to Steemit.com, as well as a number of other apps. So this change had to happen at any rate. We did step up our communication for the rollout (many posts over the last few months) but it's evident it was not enough. While we don't anticipate any changes as big as this one anytime soon, we will keep all the feedback in mind as we proceed. The benefits of limiting the social site to posting key only are numerous. There are many other features we've had to postpone or reject due to security concerns. This change allows us to move faster, safely, and add more features that users expect from a social network.
Hi @roadscape,
Not a single Steemian is criticizing this security feature, which is of course a necessary one.
"We did step up our communication for the rollout (many posts over the last few months) but it's evident it was not enough."
We agree that you stepped up your communication, but if you had added a warning such as "If users don't take the necessary steps seriously, one fine morning they will be pushed to hardships", at least 50% of them would surely have listened to your communication, and this word of mouth would have reached some more Steemians and the like.
"This change allows us to move faster, safely, and add more features that users expect from a social network."
Yes, yes... we agree with it completely. There is no second thought about it.
Thanks for the comment @marvyinnovation. We will make future announcements about changes of this magnitude easy to understand and hard to miss.
I never saw ONE mention about this change & I was on here a few weeks ago.
Why not 2FA?
And a password that could be remembered would be so much easier.
I like that idea too.
I don't know that 2FA would be any friendlier for the people that can't handle keys; what if they lost or broke their phone - they'd be just as lost about how to get back in.
2FA+password could be a solution in the future but it's much more complex from an engineering standpoint. Initially on Steemit.com you could simply set your own password, but we had to disable this. Many users had guessable passwords like "password" and got compromised. Then we raised the requirement to 16 characters; users were not happy, and it still wasn't enough. E.g. "passwordpassword". Generally speaking, if you can remember your private key (password), then it's not secure.
The concept of cryptographic salt was invented specifically for this reason.
Store a bcrypt of the user's master password, and a long cryptographic salt. When they provide the bcrypt of their password, give the client app their salt and let it derive their keys. Rate limit the number of tries to the bcrypt-based-salt-providing-service.
Then users can use normal passwords. You could even protect the salt server with 2FA.
(Of course, after login, the user can see all of their derived keys in full without being dependent upon the server to provide the salt, thereby letting them avoid vendor lock-in.)
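As an added sketch of the scheme proposed in this comment (not Steem or Steemit code): the server keeps a password verifier plus a long random secret, releases the secret only after a rate-limited password proof, and the client then derives its keys offline from password plus secret, as the comment's last point describes. hashlib.scrypt stands in for bcrypt, and the lockout threshold, role names and sample password are assumptions.

```python
import hashlib
import hmac
import os

# Added sketch of the proposal above (not Steem or Steemit code). The server
# keeps a verifier of the password and a long random secret ("salt"); a client
# that proves the password through a rate-limited endpoint receives the secret
# and derives its keys locally. hashlib.scrypt stands in for bcrypt (assumption).

SCRYPT = dict(n=2**13, r=8, p=1, dklen=32)
MAX_TRIES = 5  # assumed lockout threshold

def password_proof(password: str, public_salt: bytes) -> bytes:
    # What the client sends instead of the password itself.
    return hashlib.scrypt(password.encode(), salt=public_salt, **SCRYPT)

def derive_key(password: str, secret: bytes, role: str) -> bytes:
    # Offline derivation: once the client holds the secret, no server is needed.
    return hashlib.scrypt(password.encode(), salt=secret + role.encode(), **SCRYPT)

class SaltService:
    def __init__(self):
        self.users = {}     # name -> (public_salt, verifier, secret)
        self.failures = {}  # name -> consecutive failed attempts

    def register(self, name: str, password: str) -> None:
        public_salt, secret = os.urandom(16), os.urandom(32)
        proof = password_proof(password, public_salt)
        # Store a hash of the proof so a database leak yields no replayable proof.
        self.users[name] = (public_salt, hashlib.sha256(proof).digest(), secret)

    def public_salt(self, name: str) -> bytes:
        return self.users[name][0]

    def fetch_secret(self, name: str, proof: bytes) -> bytes:
        if self.failures.get(name, 0) >= MAX_TRIES:
            raise PermissionError("locked: too many failed attempts")
        _, verifier, secret = self.users[name]
        if not hmac.compare_digest(hashlib.sha256(proof).digest(), verifier):
            self.failures[name] = self.failures.get(name, 0) + 1
            raise PermissionError("invalid password")
        self.failures[name] = 0
        return secret

def client_login(service: SaltService, name: str, password: str, role: str) -> bytes:
    # Full client flow: public salt -> password proof -> secret -> role key.
    proof = password_proof(password, service.public_salt(name))
    secret = service.fetch_secret(name, proof)
    return derive_key(password, secret, role)
```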
Yes - I love this idea honestly.
I have a few ideas that would expand upon this concept a bit also.
Interesting, never heard about this concept before.
Normal people need a user-friendly approach.
In my honest opinion, if users are stupid enough to make easily guessable passwords, then they should get compromised. Teach people a damn lesson to do things for themselves and be smart.
Hi @amethystmidnight,
Please don't get emotional. Actually, they aren't doing it wantonly; their ignorance is the reason for this mistake of theirs.
They are thinking about one side of the coin and are not thinking about the other side. A little eye-opener sort of blog post detailing the risks involved in having easy passwords would help; an easy password is more like a soldier guarding the palace gates without any armor.
After the strict implementation of this feature, they should now know the mistake they made in the past..... FOR SURE!
When users come here they have no idea about the financial part, and how it works differently than their bank site. Which likely has more money and still allows them to save a password.
It doesn't make you sound smart to shame the end users with less knowledge, it just makes you sound out of touch with who we are onboarding.
Absolutely @whatsup.
If you are afraid of account compromise then use local software to control your main account and use a different account for posting. Delegate your Steem Power to that account. Use 50/50 rewards, and send the profit back to your main account. So then the Steem Power in your posting account is just a bonus.
Hi @coinmaster4you,
Excellent idea.
But I don't understand one thing.
Can you please enlighten me about the words "....use local software...."?
Well, it is a type of light wallet you can download to control your Steemit account.
Posted using Partiko Android
Thank you very much @coinmaster4u for your clarification.
Posted using Partiko Android
Amen to that. I had no problem typing in a 50-digit password. It was secure, and sometimes you have to have patience for extra security.
I still can't distinguish the differences between a master password and the owner key. Too many keys, but it does make me feel safer to have all these options.
Hi @tntdabomb,
MASTER PWD: The master password is the actual password that you get after signing up for the Steemit account and that is given by Steemit.
OWNER KEY: The owner key is the master key for the account and is required to change the other keys. This key has additional permissions to recover your account or change your other keys. It's the most important key and should be securely stored offline.
ONE MORE THING: Please watch the Steem basics video posted above between the 1:21 and 2:21 minute marks; you will clearly understand what is what.
Hope this info gives you clarity.
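To make the relationship between the two concrete: Steem derives every role key, the owner key included, from the master password by a fixed recipe (sha256 of account name + role + password, WIF-encoded), so whoever holds the master password effectively holds the owner key. The following is an added example reproducing that derivation with the Python standard library; it is not Steemit's code, and the account name and password used with it are constructed sample values.

```python
import hashlib

# Added example reproducing Steem's role-key derivation (the steem-js Auth.toWif
# recipe): seed = account_name + role + master_password, private key = sha256(seed),
# encoded as WIF. Stdlib only; any account name and password fed in are constructed.

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
ROLES = ("owner", "active", "posting", "memo")

def base58_encode(data: bytes) -> str:
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    # each leading zero byte is encoded as a leading '1'
    return "1" * (len(data) - len(data.lstrip(b"\x00"))) + out

def base58_decode(text: str) -> bytes:
    n = 0
    for ch in text:
        n = n * 58 + B58_ALPHABET.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x00" * (len(text) - len(text.lstrip("1"))) + body

def _checksum(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def private_key_to_wif(key: bytes) -> str:
    payload = b"\x80" + key  # 0x80 version byte + 32-byte secret scalar
    return base58_encode(payload + _checksum(payload))

def wif_to_private_key(wif: str) -> bytes:
    raw = base58_decode(wif)
    payload, checksum = raw[:-4], raw[-4:]
    if len(payload) != 33 or payload[0] != 0x80 or _checksum(payload) != checksum:
        raise ValueError("malformed WIF key")
    return payload[1:]

def derive_role_key(account: str, role: str, master_password: str) -> str:
    # steem-js trims the seed and collapses runs of whitespace before hashing
    seed = " ".join((account + role + master_password).split())
    return private_key_to_wif(hashlib.sha256(seed.encode()).digest())

def derive_all_keys(account: str, master_password: str) -> dict:
    # The master password yields every role key at once, owner included:
    # that is why it must be guarded exactly like the owner key.
    return {role: derive_role_key(account, role, master_password) for role in ROLES}
```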
Take a look at the 3rd party tracking cookies you're picking up from all these ads; it might make you reconsider that statement.
🎁 Dear @woodywood143,
SteemBet Seed round SPT sale is about to start in 2 days!
When we started the development of the SteemBet Dice game, we couldn't imagine that our game would go so viral and that SteemBet would become one of the pioneers in this field.
In order to give back to our beloved community, we'll distribute 4000 STEEM to SPT holders immediately after the Seed sale. Plus, investors in this earliest round will be given 60% more tokens as a reward, and the overall Return on Investment is estimated at 300%!
Join the whitelist on the SteemBet website now and start investing! Feel free to AMA on Discord
I agree you guys did step up your communication.
Hi R, Are you reachable via discord or email @roadscape? I'd really appreciate a minute of your time.
I would suggest an upcoming-release note on the right side of Steemit... weeks to a month before any major rollout, with a big "days till change" clock..... Something like this....
It should use a graphic and stick out like a sore thumb... so everyone sees it, and it should have a link embedded so that they can follow up with details.... But tell it in simple-to-understand terms. NO TECH TALK......
I've been a systems designer for 30 years, and the present systems out there have terrible UX and a lack of ergonomics. With just an extra hour taken on big issues to take care of the ergonomics, you would have avoided 90% of your complaints.
PS: as I have said before I live in New York and am willing to donate some pro-bono time to the staff.