Security Suggestions for Steemit: How to Secure Accounts and Safeguard Against Lost Passwords

in #security7 years ago (edited)


Source
Hey guys! This is a repost of an article I wrote a couple days ago. I will likely keep reposting this until I get a somewhat official response regarding this issue! I feel like these ideas have great potential and could very useful in our ecosystem.

One thing I'm always paranoid about is getting hacked or losing my account, so I try my best to protect and remember my keys. However, this paranoia still remains no matter how secure I try to be. Then I thought to myself, why am I so worried about Steemit when I have more funds on exchanges like Binance? I realised it's because if someone has my password, I'm FUCKED and if I lose my own password, I'm equally fucked!

Helping Adoption

This paragraph might seem a bit out of place, because it is! I had it at the bottom but moved it to the top. If some of these references make no sense, just read ahead and come back at the end!

Having these measures could help adoption as the average person would probably prefer these OPTIONS (not mandatory). To John Smith, having all your money on an account that could be hacked due to your own carelessness is not ideal. Furthermore, having your money on an account where if you lose your password, your money is also similarly gone is not ideal. These are some flaws of decentralisation, but we CAN counter it.

With 2FA, your accounts will virtually be unhackable, and phishing would be impossible given you have 2FA activated. By linking your account with another trusted account, your account can be returned to you even without your initial password so it's alright if you lose it! But with the 7 day lock-out period, it would decentivise people from losing their password and also prevent people pretending to have lost their password to hack someone else's account. This will help mainstream adoption and current users' ease of mind as it essentially makes it impossible for people to lose their funds!

Google Authenticator

I wish the Steem blockchain had an option to enable it. That would help ease my paranoia tenfold!

To developers out there, is there someway to do this? It doesn't have to be Google Authenticator, maybe an in-built Steem one that works on the Steem blockchain that you can download onto your phone? I'm not sure since I'm not a developer and honestly quite technologically illiterate despite studying computer science (first year!).

When Would You Need to Enter the Code?

Well, why don't we let the users decide! There can be a few options that could require Google Authenticator and users can select whether they want it enabled, for example:

  • Changing the master password
  • Withdrawing funds over (user set limit)
  • Posting
  • Upvoting
  • Not limited to these 4
    In my opinion, it'd mainly be the first two as it could cause irreversible damage and using a Google Authenticator for posting/upvoting is a bit excessive/useless. I feel like this would give me peace of mind that my account is protected twice, thus impossible to hack!

This would also combat phishing attempts as even if scammers have my password, they can't move my funds nor change my master password without having my phone!

Linking Accounts

This idea is a new idea I'm quite proud of, conceived half way through writing this post. Steemit accounts should be given the option to link their account with one or more other accounts. What do I mean?

  1. Nominate a trusted account from your account
  2. That account will have to accept the nomination
  3. This means your account is connected (one way) to your trusted account
  4. Nominate an email address, this is where your reset token will appear
    What does this mean?

Suppose you forget your password, or the piece of paper it was on got burnt, or the computer you stored it on got exploded. You're fucked!

Now let's say you're not!

You enter your username, say forgot password and you'll have the option to send your nominated trusted account(s) a notification. If one of them (just one) accepts that you lost your password, your account will be white-locked for 7 days. This means you can still do anything you want on your account provided you log in, but as soon as you have any activity, the 7 day lockout will end and you won't be able to receive your reset password. Some people have auto votes and auto reward claims set up, so you will have the option to allow these actions to happen during the white-lock if you wish.

If your white-lock is successful, after 7 days you'll receive a new password in your email address and you will be able to use your account as usual!

Suggestions and Discussions

If you liked this idea, please help resteem it so maybe an actual dev will be able to see it! If these ideas aren't possible, you have better ideas or there's anything you'd like to discuss, feel free to talk about it below!!

Thanks for reading!

A bit of shameless promotion below ;)

What to be in the draw to win FREE STEEM EVERY WEEK? Click here for more information!

Want 20-25% ROI on selling votes and be in the running to win 90% of my referral money per week?

Join SmartSteem using this link, and every time I reach 1 SBD in earnings, I'll distribute 90% of my earnings to one lucky winner!

Sort:  

Google Authenticator would be gold update and then I wont change my password every day :D

that's some pretty extreme length to keep your password safe but honestly I'm considering that right now. I have so much invested on here if I lose my account I'd be devastated!
I have about 4.1k steem sitting on binance and the only reason I'm not powering up some more is because I'm scared I'll lose my account haha

Oh god, it would be disastrous for you. Most of the other pages are updating their security and privacy policy, steemit should do it too I beleive...

4.1k steem would be more than enough for me to pay for my school :D Also powering up is risky because of the 13 weeks stuff. I don't like it but I support it at the same time...
I hope steemit will bring the authenticator sooner than we think...

Yeah! Steemit's next move should be security and ease of use. That's how we get more widespread adoption.

I'm first year uni right now and talking about student loans scare me :(((

Good thing is where I live, I don't have to start paying them off until I start earning above a certain income threshold! I live in Australia btw

That is so great, I want to move to the Australia in the future, maybe for a while, maybe for the rest of my life I dont know yet... I live in Turkey right now and... Nevermind, you get the point :)

haha yeah, Australia is a great country! Fresh food, fresh water fresh air. I'm truly blessed to live here to I'm trying my best to help others who live in less fortunate countries like Nigeria and Venezuela through my weekly giveaways!

To listen to the audio version of this article click on the play image.

Brought to you by @tts. If you find it useful please consider upvoting this reply.

2FA would be a huge improvement to the login process. I go to great lengths to keep my login safe. Granted my account is brand new and doesn’t have much intrinsic value at the moment I still consider it an investment. Thanks for sharing!

Nice article!! Resteemed to my Cyber-Security blog!