Steemit to Update Password Policy by steemitblog

· @steemitblog ·
$150.85
Steemit to Update Password Policy
When we created Steemit we set out to create a system that was as easy to use for normal individuals as possible.  Just a few weeks ago there [were posts complaining about password length being too long](/steem/@hisnameisolllie/my-experience-biggest-barrier-to-signing-up-friends).   Back then we only required a 16 character password.

Since then a white-hat hacker has brute forced hundreds of passwords. Brute forcing is possible when people pick simple and predictable passwords.  I wouldn’t be surprised if the same people complaining about passwords being too long are the ones who were brute forced.

A recent article by @arhag states that [If you can remember your Steemit password, then it probably isn’t secure](https://steemit.com/steem/@arhag/can-you-remember-your-steemit-password-if-so-you-are-in-danger).  We would like to extend his thoughts and say, “if you can easily type your password then it probably isn’t secure”.  


On our beta platform we ended up compromising security for ease of use. It is clear that we erred too far on the side of ease of use. 

## Steemit will Generate Passwords

Going forward users will not be given the option to pick their own passwords.  Instead, a random password will be generated in the user’s browser.  Users will be asked to back up the password in a password manager, write it down, take a picture or print it out.  All of these things are *more secure* than using a weak password. 

Services such as [LastPass](https://lastpass.com/) specialize in keeping your passwords secure and available on all of your devices.  By generating passwords we will make adopting a password manager the easiest option.

## Reasons for Insane Password Strength 

Unlike almost every other service on the internet, Steem maintains a public database: the blockchain.  This means that Steem is operating in the same state that Google, Apple, Microsoft, Yahoo, and your Bank do *AFTER THEY ARE COMPROMISED*.  Once Google user accounts are compromised they require everyone to change their passwords because it is only a matter of time before the passwords are brute forced.

Steem requires users to have passwords that cannot be brute forced.  

By having long and completely random passwords, everyone can rest assured that no one will successfully brute force their password.
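
As an added illustration (not Steemit's code, and not taken from the original post), the sketch below draws a password uniformly from a CSPRNG and estimates what that buys against offline guessing on public data. The alphabet, the 32-character default and the function names are assumptions.

```javascript
// Added example: uniform password generation from a CSPRNG, plus a rough
// estimate of offline brute-force cost. Works in a browser (window.crypto)
// and in Node.js (webcrypto). Names and defaults are illustrative assumptions.
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto;

// Assumed alphabet: 58 characters with look-alikes (0, O, I, l) left out.
const ALPHABET = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz';

function generatePassword(length = 32, alphabet = ALPHABET, rng = webcrypto) {
  if (alphabet.length < 2 || alphabet.length > 256) {
    throw new RangeError('alphabet must have 2..256 characters');
  }
  if (new Set(alphabet).size !== alphabet.length) {
    throw new RangeError('alphabet must not repeat characters');
  }
  // Bytes at or above this limit are rejected. Without the rejection step,
  // `byte % alphabet.length` would favour the first few characters
  // (modulo bias), because 256 is not a multiple of 58.
  const limit = 256 - (256 % alphabet.length);
  const out = [];
  const buf = new Uint8Array(64);
  while (out.length < length) {
    rng.getRandomValues(buf);
    for (const b of buf) {
      if (b < limit && out.length < length) {
        out.push(alphabet[b % alphabet.length]);
      }
    }
  }
  buf.fill(0); // do not leave unused random bytes behind
  return out.join('');
}

// Entropy of a password whose characters are chosen uniformly at random.
// This does NOT apply to user-chosen passwords: a predictable 16-character
// password has far less entropy than 16 * log2(alphabet size).
function entropyBits(length, alphabetSize) {
  return length * Math.log2(alphabetSize);
}

// Average time to find the password by exhaustive offline guessing:
// half the keyspace divided by the guess rate.
function yearsToBruteForce(bits, guessesPerSecond) {
  const secondsPerYear = 365.25 * 24 * 3600;
  return Math.pow(2, bits - 1) / guessesPerSecond / secondsPerYear;
}
```

Because the verification data is public, the guess rate is set by the attacker's hardware rather than by any server-side throttling, which is why the estimate takes the rate as a parameter.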

## Updates to Website Key Management 

The Steem blockchain has a very advanced and complex permission scheme.  This enables it to be incredibly secure and compartmentalized.  This security comes at the price of complexity. The feedback we have received is that most users do not understand the difference between owner, active, and posting authorities.  

Going forward the standard user experience will be to have *one* password from which all other authorities can be derived.  Any time you change your password, we will update all of your authorities to use a password derived from your master password.

### Key Management

When you log in, Steem will only cache your *posting* key; all other keys derived from your master password will be immediately discarded.  Every time you navigate from one page to another on Steemit we will check for active and owner keys and remove them from memory. This check is done out of an abundance of caution. 

When you want to make a transfer or change your password, then you will be prompted for your password so that the website can derive your active or owner key.  The password and keys are discarded as soon as they are used to sign the desired transaction.

The result of these changes to our key management is to make your active and owner private keys unavailable to script injection attacks.  
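
A sketch of the caching rule described in this section, added here as an example and not Steemit's code. The derivation `SHA-256(account + role + password)`, the HMAC stand-in for a transaction signature, and the names `KeySession`, `sweep` and `signWithPrompt` are assumptions for illustration; it runs under Node.js.

```javascript
// Added example (Node.js): derive one key per authority from a master
// password, keep only the posting key in the session, and re-derive the
// active/owner key on demand. A browser would use crypto.subtle instead.
const { createHash, createHmac } = require('node:crypto');

const ROLES = ['owner', 'active', 'posting'];

// Assumed derivation for illustration: hash of account + role + password.
function deriveRoleKey(account, role, masterPassword) {
  if (!ROLES.includes(role)) throw new RangeError(`unknown role: ${role}`);
  return createHash('sha256')
    .update(account + role + masterPassword, 'utf8')
    .digest(); // 32-byte Buffer
}

// Stand-in for a real transaction signature (an HMAC, not ECDSA).
function sign(key, payload) {
  return createHmac('sha256', key).update(payload, 'utf8').digest('hex');
}

class KeySession {
  constructor(account) {
    this.account = account;
    // Everything in this map is what an injected script could read.
    this.keys = new Map(); // role -> Buffer
  }

  login(masterPassword) {
    for (const role of ROLES) {
      this.keys.set(role, deriveRoleKey(this.account, role, masterPassword));
    }
    this.sweep(); // only the posting key survives login
  }

  // The per-navigation check: zero and drop anything above posting level.
  sweep() {
    let removed = 0;
    for (const [role, key] of this.keys) {
      if (role !== 'posting') {
        key.fill(0);
        this.keys.delete(role);
        removed += 1;
      }
    }
    return removed;
  }

  // Votes and comments use the cached posting key.
  signPost(payload) {
    const key = this.keys.get('posting');
    if (!key) throw new Error('not logged in');
    return sign(key, payload);
  }

  // Transfers and password changes prompt every time; the derived key
  // exists only for the duration of this call.
  signWithPrompt(role, payload, promptPassword) {
    if (role === 'posting') throw new RangeError('posting key is cached; use signPost');
    const key = deriveRoleKey(this.account, role, promptPassword());
    try {
      return sign(key, payload);
    } finally {
      key.fill(0);
      // Caveat: the password itself is a JS string and cannot be zeroed;
      // it lingers until the garbage collector reclaims it.
    }
  }

  cachedRoles() {
    return [...this.keys.keys()];
  }
}
```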

### Power Users

Power Users will be able to log in with their posting and/or active private keys directly. If you know how to do this then we will presume you know how to keep things secure. Steem is an open platform, and power users will have access to tools for more powerful key management.  Steemit is our interface that we are targeting at the masses. 


## Why we don’t store Passwords on the Server

Many people have asked us to keep user keys on the server and encrypt them with a more traditional password.  Under this model our users would be in the same position as Google or Yahoo users.  A compromise of our database would result in their accounts being vulnerable to brute force attacks.

At some point in the future we may consider such an option, but for the time being we prefer to leave password/key security and storage to the experts (LastPass) who can certainly do it better than we could for the time being. 

## Why we don’t offer N-factor authentication 

Our password recovery process is a form of N-factor authentication that only takes effect *after* you have had your keys compromised.  Normally we do not have to be involved with your transactions.  

It has been repeatedly stated that we should offer multi-factor authentication for transactions. This would require our servers to co-sign every transaction.  This is inconvenient for normal use and usually considered overkill for a social media platform.  

Once we add time-delayed transfers and notification, then the account recovery process will essentially give “after-the-fact” 2-factor authentication on almost all transfers. 


## Look for Updates

Over the next couple of days we will be rolling out updates that will guide all users to migrate to more secure, randomly generated, passwords.  Account recovery, password change, and new user signup will all require the use of these randomly generated passwords.


## Summary 

We have learned a lot from having our site hacked and are taking strong measures to ensure everyone’s account is as secure as possible.
created 2016-07-21 22:22:51
@alexgr ·
Why is this buried? If it weren't for a bitcointalk link I wouldn't have seen it.
created 2016-07-22 18:28:21
@andersrh ·
What about requiring a password with a minimum of x or xx characters? These random-generated ones are hard to use.
created 2017-10-07 20:44:36
@arhag ·
$0.79
First, I am very happy to hear about the new policy to generate random passwords for the user and disallow user-selected passwords.

But I think there is much more to be done to improve security.

I have a full response to this post written out [here](https://steemit.com/steemit/@arhag/a-response-to-steemit-to-update-password-policy).
created 2016-07-22 17:55:30
@ben99 ·
Great update, I really appreciate your post, but in my opinion 2-factor authentication or SMS verification by phone will be better than just a password. Hackers will always try and they never give up. That is just my opinion; I'm not a pro, I'm just another guy.
created 2016-07-22 17:57:39
@bendjmiller222 ·
Solid work by the developers who have now handed the hacker back his white hat and raised the bar infinitely. People underestimate how easily a password can be hacked and I'm guessing 50 (maybe less since there are many with high crypto it's) percent or more people probably use the same password for multiple accounts, so once a hacker has your password or email password they can wreak havoc on you. Thanks for keeping our hard work safe!
created 2016-07-21 22:32:03
@bhokor ·
Thank you devs, now with your efforts we have a much safer platform.
created 2016-07-21 23:03:21
@cognoscere ·
Thanks for the explanations, this is the first post I've read and up-voted since joining!
created 2016-07-31 02:34:24
@dana-edwards ·
What random number generation process will this generated password be using? I'd rather generate my own passwords as an expert. If there is any flaw in the random number generation process then all passwords generated from that process could be compromised.

So how will this work? Where would the sources of entropy come from? Where is the source code for generating the random numbers to do this password generation?
created 2016-07-22 02:30:24
@myself ·
https://steemit.com/steemit/@steemitblog/how-steemit-generates-secure-random-passwords
created 2016-07-22 19:09:15
@gekko · (edited)
good stuff from the devs

hacked site in the early times is the best lesson for the future times

thanks guys
created 2016-07-22 03:24:48
@grape ·
$0.06
Thanks for the update. Your work is highly appreciated.

But I think we should reconsider the 2-factor authentication.
I do agree, generally speaking, n-factor authentication is an overkill for social media.

But Steemit is not our regular social media. It contains lots of money in it. Some users may have more money invested in Steemit than their banking accounts or online brokerage accounts.

So probably should we consider 2-factor authentication if a login tries to initiate a transfer or withdraw over certain amount of money?
created 2016-07-21 22:39:39
@ireasons ·
2-factor authentication is a great idea!
created 2018-01-29 18:06:42
@joelinux · (edited)
$0.05
Here is a low tech way to choose a good password from Steve Gibson. He also has a random password generator.
 https://www.grc.com/ppp.htm
https://www.grc.com/passwords.htm
created 2016-07-21 22:36:36
@cryptohustlin ·
I just use a bitcoin private key that holds no balance... copy and paste to log in
created 2016-07-21 22:40:48
@imjefe ·
Interesting. Does the Trezor password manager do something similar to that?

I currently do a few one-way hashes.
created 2016-07-22 01:50:36
@dana-edwards ·
$0.81
I never had a problem with passwords. I use long passwords by default. The issue here is most people aren't like me so we need a simple way to generate passwords. So now you're putting the responsibility into the hands of Steemit and how will we know their random number generator is truly random?

I understand this is a difficult problem but I would like to request an expert mode to bypass this for people who know what they are doing. I would also like to know more about the random number generator Steemit will be using and the sources of entropy. If they use a pseudo random number generator then that might not be good enough, but if they get entropy from random keystrokes and mouse movements that might be slightly better and I'm guessing that is how they will do it.
created 2016-07-22 02:33:24
@julirasan ·
Hello dear, kony lost his password yesterday because he made some emails from suppor@steemconnect. When I checked it, I saw Update. So, he isn't able to log in now. Please guide me about that.
created 2018-03-16 05:35:33
@nox1492 ·
A strong password does not prevent account hacking.
- The hacker can put a keylogger in your computer and very easily collect all the passwords you type. 
I remind you that keylogging is a feature of Windows 10. Everything you type in this system is reported to Microsoft.

- Every browser asks you to store your password. This kind of storage is very unsecured. You can very easily recover your password stored in this way.

I think that 2 factor authentication is a must when it comes to protect your fund. You should use either U2F (FIDO) or TOTP authentication. 
U2F authentication requires you to push the button of your usb authentication key that's It. It's quick and simple.
https://www.youtube.com/watch?v=oJ46LDiVx_Y
A U2F key costs less than 10 $.
created 2018-01-06 19:06:18
@ooak · (edited)
After reading this post I turned to google and found this site : https://www.grc.com/passwords.htm
It generates high quality random passwords of 64 characters.
Here you can check the power of your password against brute force: https://www.grc.com/haystack.htm
created 2016-07-21 22:32:00
@dana-edwards ·
Right so why not just use SQRL and get rid of the password for people who don't want to care about passwords anymore? 

Access control is by either something they have, or something they know, or something they are, or any combination of that. So you don't really need a password for authentication or access control but you do need their smart phone, or biometric, or something else. If a password must be used then pick a high entropy password. But I think another issue is most people's computers can be compromised so a keylogger would capture them entering in their password anyway.
created 2016-07-22 02:46:36
@pheonike · (edited)
This is great news. Helping to understand the value of strong passwords is important, especially, like someone mentioned, the amounts of money people could potentially have in their accounts.  Use this invitation link to LastPass and get a free month of premium service.   https://lastpass.com/f?4635516 . Only the first 24 people will be able to use this.  If you do sign up, get your referral link and pass it on to new users. Password management tools like this are a must for all users.
created 2016-07-21 23:24:57
@pinklee ·
Thanks for the info and elaborations. Really much appreciated.
created 2016-07-21 22:27:39
@rentko ·
It's some old thread I guess, but has something changed since then? Let's say person who has significant money on steem account got lastpass hacked. After logging I can see priv keys, so I guess all money can be transferred without any issue.
created 2017-09-10 12:44:21
@tarindel ·
The upside of this is that brute-force hacking will be much harder.

The downside is that many people are going to start writing their too-complicated-to-remember passwords down, and that will lead to its own problems.

But it sounds like this is a don't let perfect be the enemy of good solutions.

That said, given the choice, I'd rather have a remember-able password and have to 2 factor auth using google authenticator every time I log in.  Perhaps at some point in the future you can let user choose which they'd prefer?
created 2016-07-21 23:20:12
@dana-edwards ·
Writing it down is the least of the problems. The problem is now going to be keyloggers and obvious backdoors. How will they type in a password without hackers capturing it? SQRL and other methods can bypass that but then their smart phones would have to be secure and they probably aren't always secure.

In the end we have to accept that people are going to be hacked no matter what and have good disaster recovery procedures.
created 2016-07-22 02:48:42
@weenis ·
![Jackie Boy](http://i.imgur.com/Wyu9PqZ.gif) 
 Heard there was a fellow steamian in here. Knock Knock @steemitblog!
created 2016-07-21 22:23:33
@x9twm ·
The best way I have found for making a strong password is by using a mnemonic or a series of rhyming couplets. It's the length of the password that provides protection against brute force, not complexity.

This is a really good site to give you an idea of how fast numeric passwords can be brute forced with no prior knowledge:
>http://calc.opensecurityresearch.com/
created 2016-07-21 22:40:00