You are NOT safe - How to Create a Powerful Steem Password to Last a Lifetime

in money •  8 years ago  (edited)

Dear whales, as steemit grows hackers will target the richest users first, and there is a 9 in 10 chance your password sucks.

Unprecedented growth, whether it is a city or a website always attracts the attention of unsavory characters. Research shows that psychopaths flock to the largest cities, and online psychopaths will flock to the largest forums. And they will see your STEEM Power and jealousy, even rage will drive them to new lengths of malicious creativity. Feeling safe because it hasn't happened yet is not the answer. You will have to protect your account from getting hacked.

Now why did I write this article? Because I know for a fact that many people on this site are using unsecure passwords. Using a custom made script I have been able to guess several of them - and gain access to several steem accounts. But because I have long given up being a “blackhat” or cybercriminal from over a decade ago in my teenage days, I have informed these users to change their password and I suggest you do the same.

How is this possible?

When you sign up directly on steemit, your keys are generated from your password. Do NOT think you are clever because you used a song lyric, popular quote, or a line from a book. This is exactly what helped me bruteforce (“guess”) several accounts.

I’ve noticed that steem offers a new “generated password” feature, and you may feel secure using something so cryptic and long. But this password is unreadable, difficult to write down and overall a total nightmare. And I don’t know how it was created! That worries me.

Random number generators are a notorious nightmare, and their insecurities have lead to numerous hacks. Most notably the bitcoin wallet website Blockchain.info was hacked because they used predictable “R” values and randomisation “seeds”. Thousands and thousands of dollars were lost because all of their randomly generated passwords followed a certain pattern and didn’t have enough “entropy”. Simply put, they weren't as random as they claimed to be.

Thankfully the main hacker was a good samaritan and returned it. Johoe, the nice whitehat hacker, returned 267 BTC worth an estimated $170,000.

But that doesn't mean you should rely on people acting in good faith!

How can I make a truly secure password that is easy to write down?

You can use several services to generate a 12 word passphrase which will be extremely long and easier to remember than random digits.

This lets you create a bitcoin wallet using a 12 word passphrase, but you can use it as a password as well: http://counterwallet.com

This is the library that it uses: https://bitcore.io/api/mnemonic/

Of course, you can download your own version of bitcore and generate your own 12 word passphrase on an offline computer. ( Even better if you install linux on a thumbdrive and then run a temporary operating system by booting from USB.)

These are a few examples that I have vetted myself, but you are welcome to research them further to make sure they are secure. Don't trust anyone on the internet. Not even me! Read about Bitcoin "best practices" and realize that they apply to steemit as well.

Here is an example of a 'passphrase' which is easier to remember and write down than random characters:

“driver jeans cage follow spread glove drug egg deal leave clue serious”

You can cut this down to a single word:

“driverjeanscagefollowspreadglovedrugeggdealleaveclueserious”

And for extra security you can add some numbers in there as well:
“353driverjeanscagefollowspreadglovedrugeggdealleaveclueserious634”

Hope that helps! I’d really hate for this site to go through another mass-hacking. Here are a few other best practices:

  • Do not use public proxies, TOR, or VPNs. They are very likely to store your password for future use.

  • Always make sure you are on the right domain “steemit.com” and not “steemlt.com” even though the difference may be difficult to notice.

  • Do not give your password to anyone, even if they claim to be from steem support and especially not if they offer to increase your POWER

  • Do not copy paste your password if you have any other tabs open than steem! It could be captured from your temporary storage and saved on a 3rd party (malicious) website.

  • Do not leave large amounts on any exchange, because these often get hacked, shut down by the admins, or closed by the authorities.

  • Do not believe any “cheats” or “hacks” on how to make it. Just make good content and you will be rewarded!

  • Do not click steemit.com links from outside of the website, especially if they are in shady e-mails or pages. Even if they are real, they could execute code on your browser and make you upvote their posts or worse!

  • Hope this helps. Happy steeming!

    Authors get paid when people like you upvote their post.
    If you enjoyed what you read here, create your account today and start earning FREE STEEM!
    Sort Order:  

    Wish I were a whale. Still security is important for all, right ?

    Yes, of course. But those with the most to lose will cry the most and the loudest, causing a lot of reputational damage to steemit. Hackers are likely to target the richest accounts first.

    I'm trying to add the full article but steemit is buggy and won't let me update it... Please bare with me

    thanks for the info , take care from now :)

    Would you advise against letting your computer 'remember' your password? @filip-martinka