I mentioned in the Slack channel a week ago or so that I was concerned that we are starting to pile up funds and we could become a target like the DAO, I suggested 2FA and limited login attempt security, I haven't tried but I don't think you get a time lock if you enter the wrong password too many times. Also articles that provoke other media platforms are dangerous and makes us a target while we are still in incubation.
The coin price remained stable luckily and most of the damage contained..
Hi @Scrawl I'm not a dev so can't answer that. Thanks for bringing that to our attention though. Most exchanges use it, so in my mind it has some security benefits.
There are many ways to log in which are more secure. 2FA probably wouldn't have any significant impact on security. Multisig already exists and you can separate your owner key password from your poster key.
So I suppose you can improve on this technology by allowing a third party to hold a backup key in case something bad happens or something similar to this.
How about limited login attempts to prevent brute force attacks? Someone could possibly hack the main owner password if not set securely enough by the user? What do you think?
I am new here, but excited about the project. Is there a guide somewhere that explains the best way to secure one's Steemit balances, especially if they grow somewhat large? Or is it just a matter of using strong passwords? Where are my private keys being stored when I sign up? Any other security tips would be greatly appreciated. Thanks!
I'm probably not much further than you are in this new platform, but you can find your keys in wallet/permissions. I changed the passwords that access my keys this morning. I use a password manager (KeePass) and the are strong passwords, but easily accessible to me on any of my gadgets.
I'd like to know the difference between 'active key' and 'owner key'. Anybody?
I consider measures like these a must, I develop a number of crypto services that hold users funds, security, even the basic stuff, cant be taken lightly. My general guidelines tend to be, dont inform password/username is incorrect, simply state invalid credentials. lock the account for 5 minutes after 5 invalid login attempts, dont notify on the login screen that this has taken place, notify the account owner via email. Enforce strong passwords. I tend to be making 2fa mandatory now also.
Or completely overhaul the login system all together, I demo'd a proof of concept user registration/authentication system using Jumbucks addresses and cryptographic signatures, all wallets have this functionality. user provides a username and address on sign up, nothing else is required (email optional if they want notifications), user verifies ownership of said address by signing a random token using their wallet. to log in, user enters username, a random token is then presented, they sign token using the address they provided on registration, and boom their in.
I mentioned in the Slack channel a week ago or so that I was concerned that we are starting to pile up funds and we could become a target like the DAO, I suggested 2FA and limited login attempt security, I haven't tried but I don't think you get a time lock if you enter the wrong password too many times. Also articles that provoke other media platforms are dangerous and makes us a target while we are still in incubation.
The coin price remained stable luckily and most of the damage contained..
Regards,
Ricardo Goncalves (BNC Steemit Community Manager)
Correct me if I'm wrong, but 2FA does not protect against cross site scripting attacks, does it?
Hi @Scrawl I'm not a dev so can't answer that. Thanks for bringing that to our attention though. Most exchanges use it, so in my mind it has some security benefits.
I totally agree 2FA should be implemented!
There are many ways to log in which are more secure. 2FA probably wouldn't have any significant impact on security. Multisig already exists and you can separate your owner key password from your poster key.
So I suppose you can improve on this technology by allowing a third party to hold a backup key in case something bad happens or something similar to this.
How about limited login attempts to prevent brute force attacks? Someone could possibly hack the main owner password if not set securely enough by the user? What do you think?
I am new here, but excited about the project. Is there a guide somewhere that explains the best way to secure one's Steemit balances, especially if they grow somewhat large? Or is it just a matter of using strong passwords? Where are my private keys being stored when I sign up? Any other security tips would be greatly appreciated. Thanks!
I'm probably not much further than you are in this new platform, but you can find your keys in wallet/permissions. I changed the passwords that access my keys this morning. I use a password manager (KeePass) and the are strong passwords, but easily accessible to me on any of my gadgets.
I'd like to know the difference between 'active key' and 'owner key'. Anybody?
I consider measures like these a must, I develop a number of crypto services that hold users funds, security, even the basic stuff, cant be taken lightly. My general guidelines tend to be, dont inform password/username is incorrect, simply state invalid credentials. lock the account for 5 minutes after 5 invalid login attempts, dont notify on the login screen that this has taken place, notify the account owner via email. Enforce strong passwords. I tend to be making 2fa mandatory now also.
Or completely overhaul the login system all together, I demo'd a proof of concept user registration/authentication system using Jumbucks addresses and cryptographic signatures, all wallets have this functionality. user provides a username and address on sign up, nothing else is required (email optional if they want notifications), user verifies ownership of said address by signing a random token using their wallet. to log in, user enters username, a random token is then presented, they sign token using the address they provided on registration, and boom their in.
I was wondering why this wasn't an option also.