When we created Steemit we set out to create a system that was as easy to use for normal individuals as possible.  Just a few weeks ago there [were posts complaining about password length being too long](/steem/@hisnameisolllie/my-experience-biggest-barrier-to-signing-up-friends).   Back then we only required a 16 character password.

Since then a white-hat hacker has brute forced hundreds of passwords. Brute forcing is possible when people pick simple and predictable passwords.  I wouldn’t be surprised if the same people complaining about passwords being too long are the ones who were brute forced.

A recent article by @arhag states that [If you can remember your Steemit password, then it probably isn’t secure](https://steemit.com/steem/@arhag/can-you-remember-your-steemit-password-if-so-you-are-in-danger).  We would like to extend his thoughts and say, “if you can easily type your password then it probably isn’t secure”.  


On our beta platform we ended up compromising security for ease of use. It is clear that we erred too far on the side of ease of use. 

## Steemit will Generate Passwords

Going forward users will not be given the option to pick their own passwords.  Instead, a random password will be generated in the user’s browser.  Users will be asked to backup the password in a password manager, write it down, take a picture or print it out.  All of these things are *more secure* than using a weak password. 

Services such as [LassPass…](https://lastpass.com/) specialize in keeping your passwords secure and available on all of your devices.  By generating passwords we will make adopting a password manager the easiest option.

## Reasons for Insane Password Strength 

Unlike almost every other service on the internet, Steem maintains a public database: the blockchain.  This means that Steem is operating in the same state that Google, Apple, Microsoft, Yahoo, and your Bank do *AFTER THEY ARE COMPROMISED*.  Once Google user accounts are compromised they require everyone to change their passwords because it is only a matter of time before the passwords are brute forced.

Steem requires users to have passwords that cannot be brute forced.  

By having long and completely random passwords, everyone can rest assured that no one will successfully brute force their password.

## Updates to Website Key Management 

The Steem blockchain has a very advanced and complex permission scheme.  This enables it to be incredibly secure and compartmentalized.  This security comes at the price of complexity. The feedback we have received is that most users do not understand the difference between owner, active, and posting authorities.  

Going forward the standard user experience will be to have *one* password from which all other authorities can be derived.  Any time you change your password, we will update all of your authorities to use a password derived from your master password.

### Key Management

When you login Steem will only cache your *posting* key, all other keys derived from your master password will be immediately discarded.  Every time you navigate from one page to another on Steemit we will check for active and owner keys and remove them from memory. This check is done out of an abundance of caution. 

When you want to make a transfer or change your password, then you will be prompted for your password so that the website can derive your active or owner key.  The password and keys are discarded as soon as they are used to sign the desired transaction.

The result of these changes to our key management is to make your active and owner private keys unavailable to script injection attacks.  

### Power Users

Power Users will be able to login with their posting and/or active private keys directly. If you know how to do this then we will presume you know how to keep things secure. Steem is an open platform, power users will have access to tools for more powerful key management.  Steemit is our interface that we are targeting at the masses. 


## Why we don’t store Passwords on the Server

Many people have asked us to keep user keys on the server and encrypt them with a more traditional password.  Under this model our users would be in the same position as Google or Yahoo users.  A compromise of our database would result in their accounts being vulnerable to brute force attacks.

At some point in the future we may consider such an option, but for the time being we prefer to leave password/key security and storage to the experts (LastPass) who can certainly do it better than we could for the time being. 

## Why we don’t offer N-factor authentication 

Our password recovery process is a form of N-factor authentication that only takes effect *after* you have had your keys compromised.  Normally we do not have to be involved with your transactions.  

It has been repeatedly stated that we should offer multi-factor authentication for transactions. This would require our servers to co-sign every transaction.  This is inconvenient for normal use and usually considered overkill for a social media platform.  

Once we add time-delayed transfers and notification, then the account recovery process will essentially give “after-the-fact” 2-factor authentication on almost all transfers. 


## Look for Updates

Over the next couple of days we will be rolling out updates that will guide all users to migrate to more secure, randomly generated, passwords.  Account recovery, password change, and new user signup will all require the use of these randomly generated passwords.


## Summary 

We have learned a lot from having our site hacked and are taking strong measures ensure everyone’s account is as secure as possible.