The utopian hack caused everyone who used utopian to downvote some posts, making their rewards almost go to zero. Having the posting keys of tons of people at once is a lot of power.
If you use the account authority system, like utopian did, everyone could just remove authorization from the @utopian.app account and go back to their daily activities. If you give your key, you must now change it.
I think for the masses, ease of use is more important than security. Yeah, if there are issues you gotta change your key. A small price to pay for ease of access for most people.
Can't lose money from a posting key really (other than wasted potential from misused votes). Meh.
Well, then at least use the system steemconnect uses, delegated authority. Don't directly store keys...
Steemconnect sucks
Agreed, but less than this service. Why, in your opinion, is storing actual keys on a server better than delegating authority to their account (@steemlogin)?
Easier for normal users. Plus I believe irelandscape can make something that actually works. I've had enough experience using steemconnect to interface with various apps to conclude that it makes the user experience bad.
Not everyone cares as much about security as you (gosh, most non-crypto applications are as secure as steemlogin or much worse). So it's in keeping with the standard.
I am not saying to use steem connect. I am saying to use post authority instead of saving the private key. It is not any harder for the user except having to use an active key to give up the authority at first.
Almost every website nowadays does NOT save passwords in their DB, they save at least hashed passwords. This is not possible in this case obviously, so the closest thing as possible should be used instead.
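Added example, not part of the thread or of any project discussed in it: a small model of the revocation step described above, where an app account is removed from an account's posting authority while the user's own posting key stays untouched. The field names follow the authority structure Steem nodes return (`weight_threshold`, `account_auths`, `key_auths`); the sample data, the placeholder key string and the function names are constructed for illustration, and nothing is broadcast to a chain.

```python
import copy

# Constructed sample: shape of an account's "posting" authority as returned by
# a Steem node. The key string is a placeholder, not a real public key.
SAMPLE_POSTING = {
    "weight_threshold": 1,
    "account_auths": [["steemlogin", 1], ["utopian.app", 1]],
    "key_auths": [["STM_PLACEHOLDER_PUBLIC_KEY", 1]],
}


def delegated_accounts(posting):
    """Accounts whose weight alone meets the threshold, i.e. can post/vote alone."""
    threshold = posting["weight_threshold"]
    return sorted(a for a, w in posting["account_auths"] if w >= threshold)


def revoke_account_auth(posting, app_account):
    """Return a copy of the authority with app_account removed.

    Raises ValueError if the app was never authorized, or if removing it
    would leave less total weight than the threshold (account lock-out).
    """
    new = copy.deepcopy(posting)
    kept = [[a, w] for a, w in new["account_auths"] if a != app_account]
    if len(kept) == len(new["account_auths"]):
        raise ValueError(f"{app_account} holds no posting authority")
    new["account_auths"] = kept
    remaining = sum(w for _, w in kept) + sum(w for _, w in new["key_auths"])
    if remaining < new["weight_threshold"]:
        raise ValueError("remaining weights cannot meet weight_threshold")
    return new


if __name__ == "__main__":
    after = revoke_account_auth(SAMPLE_POSTING, "utopian.app")
    print(delegated_accounts(SAMPLE_POSTING), "->", delegated_accounts(after))
    # The user's own key entry is unchanged: no key rotation is needed.
    print("key_auths unchanged:", after["key_auths"] == SAMPLE_POSTING["key_auths"])
```

The updated authority would still have to be submitted in an account update signed with the active key, which is the same key needed to grant the authority in the first place.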
I have already answered this question on the Discord server.
In theory social login could be done in conjunction with posting authority.
The main issue is that now steemlogin would have to act as a proxy for all Steem requests.
In terms of bandwidth, five 9's availability, scaling etc, there are significant additional costs associated with this solution which I cannot cover.
From an engineering perspective it would require much more significant resources, which unfortunately are limited on my side.
The question is, why hasn't SteemConnect already added social login?
If tomorrow social login was added to a better alternative than the above solution, such as built-in social login within Steem nodes (never going to happen) or Steemconnect, I would be the first one to phase out Steemlogin.
The other point is that for many the risk of sharing their posting key is acceptable.
It is up to each individual to make this call.
What I know for a fact is that there are many Steem app developers that have been discouraged because new potential users were put off as soon as they were presented with a SteemConnect screen asking them to enter their private active key, especially on mobile devices.
The lack of massively popular Steem apps out there and the stagnation of Steem in general is proof that things are not right at the moment and some shaking up needs to happen.
We all want for Steem to become a widely adopted platform for many types of apps, and SteemLogin is probably far from being the best possible solution to the sign in problem.
But I believe that it is a step in the right direction and, if nothing else, it will trigger other solutions which will improve ease of access for the general public.
Thank you for your feedback.
You can lose a lot.
What if someone starts downvoting Bernie with your account?
You apologize to him, change your posting key, and move on. He's not going to punish someone who isn't actually at fault. There's no way, he goes after self-righteous assholes and scammers, not people who made an accident and are sorry.