You are viewing a single comment's thread from:

RE: Important Changes to Steemit.com and Wallet

in #steem6 years ago (edited)

Generally speaking, if you can remember your private key (password), then it's not secure.

The concept of cryptographic salt was invented specifically for this reason.

Store a bcrypt of the user's master password, and a long cryptographic salt. When they provide the bcrypt of their password, give the client app their salt and let it derive their keys. Rate limit the number of tries to the bcrypt-based-salt-providing-service.

Then users can use normal passwords. You could even protect the salt server with 2FA.

(Of course, after login, the user can see all of their derived keys in full without being dependent upon the server to provide the salt, thereby letting them avoid vendor lock-in.)

Sort:  

Yes - I love this idea honestly.

I have a few ideas that would expand upon this concept a bit also.

Interesting, never heard about this concept before.

Normal people needs user-friendly approach.