Can you remember your Steemit password? If so, you are in danger.

in #steem · 9 years ago (edited)

Clickbaity title, I know. But this is an important message, so I have to grab people's attention. I hope you read it fully.


Are you familiar with that situation when the (centralized) website you use gets hacked, and the hackers grab the entire database full of the website's (hopefully hashed) passwords?

What do they always tell you to do in that situation? Change your password.
In fact, ideally, they shouldn't even let you log in to the website unless you first change your password, simply as a way to force you to do the right thing and change your damn password.

Do you also know how the experts always seem to tell you to not reuse passwords? Why is that?

It is because when (not if) the websites you use get hacked and their database of (hopefully hashed) passwords is stolen, the hackers could then use that recovered password to log in to the other services for which you use that same password. So the one website you use that got hacked ends up being a central point of failure for all the websites you use (that you use the same password for). Even if the password database stored salted and hashed passwords (which is the standard procedure), the actual plain-text password can be brute forced.

Brute-forcing the password under normal circumstances is not typically a big worry. This is because the hashed password is kept by the centralized website operator only (until they get hacked, of course). The website operator can rate-limit attempts at guessing the password, thus making brute-forcing infeasible.

But when the database of hashed passwords is stolen, the hackers have the entire database available offline, to brute-force at the fastest rate their computing power allows them to guess passwords. No rate-limiting is possible anymore under this condition. This is why it is urgent for the user to change their password quickly: eventually the hacker will discover the password and be able to log in, unless it is a really, really strong password. (Note: if you are not sure what makes a strong password, or you don't understand what the word "entropy" means, you almost certainly do not have a really strong password in the sense used here.)

But the hackers can keep their CPUs busy brute-forcing the password even after you have already changed your password on the website, assuming they are interested in doing so. You have to assume, once the database of hashed passwords was compromised, that the hacker will eventually discover your (not strong) password if they wish to. So changing the password on the service that got hacked is not good enough if you are the type of person that reuses passwords (and most people unfortunately do). You need to make sure that nothing you care about or depend on uses that (not-so-)secret information (your old password) as authorization. In other words, you need to change that compromised password on every service that uses it, whether those services were hacked or not.

So what does this have to do with Steemit? Well, Steemit is not like a traditional website you may be used to. Steemit puts its entire database (including the database of hashed passwords) on the public blockchain. That's right. The normal operating state of Steemit is the state most typical centralized websites are in after they get hacked.


Now this is actually a good thing in most situations because Steemit (the company) does not have a monopoly over your data. Free market competition can exist within this space. A competitor can create their own front-end to the Steem blockchain that perhaps has a better user experience or nicer features. And you would be free to move over to that service without giving up all your data or social network of friends and followers.

The downside, however, is that the hashed password database is on the public blockchain for everyone (including malicious hackers) to see and have fun with. This puts incredibly demanding requirements on the password used to derive your Steem keys that are not typical of other (centralized) services. You may have been surprised by the 16-character requirement when signing up for steemit.com. Now there is talk of moving to 32-character passwords. Unfortunately, that is not likely to be enough. Some idio... err, beloved user... may decide to get around that length requirement by choosing the password "passwordpasswordpasswordpassword", which would likely be cracked by a brute-force attempt in seconds. Even if the entropy checker catches that and refuses to allow the user to use that password, there are always ways around it that are nearly as bad. The user may decide to repeat their name backwards 4 times instead (a name which they may have published in their introduction post, by the way). This too will likely be cracked in a relatively short time by moderately sophisticated brute-force tools.

At this point you may be sighing in desperation asking "But arhag, what am I supposed to do? If I choose a password that actually is strong, there is no way my memory is good enough to actually remember it."

EXACTLY

That's the point. You aren't supposed to remember it. It should be strong enough that you cannot remember it.

[Image: Avengers Hulk "That's my secret" meme, captioned "That's my secret. I don't know my password."]
(I found this image meme in this post and I thought it was great.)

I don't know nearly all of my passwords, with the exception of the master password for my password manager and just a few other passwords/passphrases for decrypting the encrypted volumes on my devices or for unlocking the screen of my devices.

The big idea is to use a password manager. You use the password manager to generate random high-entropy passwords for every website or service. In the case of your Steem/Steemit password, you ideally want 256 bits of entropy (many password managers have easy settings to generate this for you). You also use the password manager to store your passwords and other secret authorization information that you don't trust yourself to remember properly.
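To make the numbers in the last few paragraphs concrete (the offline guess rate with no rate-limiting, the 32-character repeated-word password, and the 256-bit target a password manager should hit), here is an added Python example; it is not code from the post or from any password manager, and the 94-symbol alphabet, the 100,000-word dictionary, the maximum of 4 repetitions and the 10 billion guesses per second are all assumed parameters, not figures from the post. It generates a password the way a password manager's generator does (with the operating system's CSPRNG) and compares how long an offline attacker needs to exhaust each search space:

```python
import math
import secrets
import string

# Assumed alphabet: printable ASCII without whitespace, 94 symbols.
# Password managers let you choose the character set; every function
# below takes the alphabet size as a parameter for that reason.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of `length` symbols drawn uniformly at random from an
    alphabet of `alphabet_size`. Only valid for random generation: a
    human-chosen string of the same length has far less."""
    return length * math.log2(alphabet_size)


def chars_needed(target_bits: int, alphabet_size: int) -> int:
    """Smallest length at which a uniformly random password reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate_password(target_bits: int = 256, alphabet: str = ALPHABET) -> str:
    """Draw each symbol with the OS CSPRNG (the `secrets` module), as a
    password manager's generator does, until the entropy target is met."""
    length = chars_needed(target_bits, len(alphabet))
    return "".join(secrets.choice(alphabet) for _ in range(length))


def effective_bits_repeated_word(dictionary_size: int, max_repeats: int) -> float:
    """Search space an attacker faces for 'one word repeated k times'
    passwords such as 'passwordpasswordpasswordpassword', assuming the
    attacker tries every dictionary word at every repeat count up to
    max_repeats. Far below the naive length * log2(alphabet) figure."""
    return math.log2(dictionary_size * max_repeats)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try the whole space offline at a fixed guess rate: the
    situation once the hashed-password database (or, for Steem, the
    public keys on the blockchain) is in the attacker's hands and no
    rate limit applies."""
    seconds = 2.0 ** bits / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    rate = 1e10  # assumed offline guess rate for a fast-hash GPU rig
    naive = entropy_bits(32, 26)                     # 32 lowercase letters, if random
    real = effective_bits_repeated_word(100_000, 4)  # assumed 100k-word list, up to 4 repeats
    print(f"32 random lowercase chars: {naive:.0f} bits -> "
          f"{years_to_exhaust(naive, rate):.2e} years")
    print(f"same length as a repeated word: {real:.1f} bits -> "
          f"{years_to_exhaust(real, rate):.2e} years")
    pw = generate_password()
    print(f"generated: {pw!r} ({entropy_bits(len(pw), len(ALPHABET)):.0f} bits, "
          f"{years_to_exhaust(256, rate):.2e} years)")
```

Run it directly and compare the three lines: the repeated-word password falls to an attacker in a fraction of a second at the assumed rate, the random 32-letter password is beyond reach, and the 40-symbol generated password is the one you will not be able to remember, which is the point.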

You may ask what the point is in having a strong 256-bit-entropy Steemit password stored in your encrypted password manager database, when the passphrase to decrypt that password database has to be memorizable and is therefore likely to have much less than 256 bits of entropy. Well, besides the fact that you have to remember fewer unique passwords (assuming you use the password manager for more than just one website/service), the major benefit is that your encrypted password database isn't stored on a public blockchain! The encrypted password database is either stored on your local computer, meaning your computer would need to be hacked (or stolen, if you don't use disk encryption) before the hackers could begin brute-forcing the passphrase, or it is stored on a password manager service provider's servers, in which case they can rate-limit brute-force attempts to make brute-forcing infeasible and perhaps additionally require two-factor authentication for better security.

There are a few posts floating around steemit.com talking about password managers. So I recommend you use the search function to find them and read up on them. Here is one as an example. Personally, I like to use KeePass. But for convenience and ease of use, I would actually recommend something that takes care of the syncing problem for you and has good browser support, such as Lastpass (but you may prefer some other similar service).

So in conclusion, if you are currently using a password on steemit.com that you remember, you are doing it all very very wrong. You will almost certainly eventually get hacked, assuming you haven't already. The solution is to use a password manager to generate a random 256-bit entropy password for steemit.com and to save and manage that password using your password manager app/service. More generally, it isn't a good idea to use memorizable passwords for any website or service when you have the much better option of using a password manager. It actually becomes less of a burden on you (in terms of remembering and managing passwords) when you take that leap and start using a password manager. You only end up needing to remember one good password (or better yet a passphrase). And it makes it super easy to use best practices (very strong passwords that are unique to each website and service) because you just let the password manager generate a new password for you for every website/service.

Now go out there and find a password manager that works for you, generate a strong password, and change your steemit.com password as soon as possible. Think about how hard you likely work to earn a good amount of money. Learning how to properly use a password manager is very unlikely to be anywhere near as hard in comparison. A lot of you may have a decent amount of money in your accounts that is put at risk by your use of a password your brain came up with, rather than a password the computer (i.e. the password manager) came up with. So by continuing not to use a password manager for your steemit.com password, you are essentially devaluing your own hard work.


Hey @arhag, that post you're looking for is right here: https://steemit.com/steemit/@lukestokes/upvote-if-you-changed-your-owner-password-active-password-posting-password-and-memo-password

THANK YOU for raising awareness on this issue! I've been saying it over and over again in comments all over the place. Password managers are how we need to Internet in 2016. Every other approach is unsafe. We all need to skill up and get with the program. Email used to be too hard for people, but now it's common. Same thing goes for password management, OS security updates, and up-to-date antivirus software. We have to get it done if we want to use the new shiny tools the future has to offer.

I made a Diceware based password generator for those who are too lazy to do it themselves :D
https://steemit.com/steemit/@d3m0t3x/diceware-password-generator-or-shortcut-to-a-safer-password

Typical example of the out of the box way of thinking, and I like it!
I'm not sure whether this is the right place to ask, but maybe someone will answer. How much time does the new user have to copy the private owner key?

Well I remember my password, and it's 88 chars and 360 bits of entropy. I think it's pretty secure...

This post helped a lot of people. The first I heard that there was an intrusion, I changed my owner and active key, which saved me.

I also tried to make a FAQ (look me up) for other issues to stop the junk posts.

Arhag, thanks again.

In case you didn't notice, I actually already linked to it in the post. : )

https://steemit.com/steem/@conda/lpt-how-to-create-a-long-hard-to-crack-password-you-can-remember
Just wrote this based on this post. At the very least this is a good way to create a password you may want to use for your password manager.

Thanks, very informative. I have a job to do now :D

This is so true and great advice!! I was hacked yesterday and guess why... my awful choice of a password. Happy to say my new PW would probably give most people a headache just looking at it! I guess the only mistakes we make are the ones we don't learn from. *clearing throat* "um, lesson learned." I took a screenshot of my success minutes before I was hacked; check out that dollar amount... yeah, it stung.

Had it not been for this post, I would have probably not changed my password and eventually gotten hacked. Thank you so much arhag! You are a life saver. Thank you so much!!