Passwords are a Problem!

in steemit •  8 years ago 

People want to join SteemIt but there's a problem

I've been having great success getting people to sign up for SteemIt! I count 15 people who I directly got on board, and even more indirectly if I'm allowed to count those who they later got on board. My sister on the other hand has had mixed results. Her social circle is pretty different from mine, but I think a bigger issue is that she started raving about SteemIt later than I did and by then the new password system was in place.

Everyone she talked to was intrigued about SteemIt. A new social network that pays you?! Pretty awesome! Of course some thought it was too good to be true, it must be a scam, but many got past that. But few got past the user experience problem.

Passwords are an Anachronism

We treat passwords like they are a fundamental part of using the internet, but that's wrong, the fundamental job is authentication, passwords are just one tool. And they're a poor tool. When a user authenticates they care about two things: convenience and security. A password can be very convenient, it's really easy to type in p-a-s-s-w-o-r-d into Facebook and have access to your profile instantly. And millions do! The most popular password is "123456" followed by "password". Due to a lack of awareness, people take huge risks with their information security, with identity theft growing at an exponential rate.

Identity theft is still a relatively small problem in scale, but account security is even more important in SteemIt than on Facebook and most other websites people use, because access to a SteemIt account increasingly means direct access to funds which can be sent irreversibly in an instant. It's money dangling out there on the internet, just begging for a hacker to come and pilfer it.

But what about making my password more secure?

Security-minded people have many ways they adapt to the insecurity of the password system. Stronger passwords. More passwords. Password managers. Password managers hidden in a virtual machine disconnected from the internet which you can only access with a USB key. Even the best attempts to improve password security make your passwords less convenient. XKCD passwords are great until you have to remember one for every website you use because you're a sucker for phishing emails! Even one-time-only passwords with Google Authenticator can be intercepted on the fly and used in a way which you didn't intend.

Back to my sister's experiences before, SteemIt passwords in particular are difficult. The site now forces you to choose a long random string, which is fantastic for security, and necessary because the data goes straight to a public blockchain. But securing and using such a long string is a large cognitive hurdle, one which we have seen stop many new users who would otherwise appreciate this site.

Stop Thinking about Passwords, Start Thinking about Keys

If you live in a house, it's a good bet that you don't secure it with a password. You probably have a house key. If you have a car, you likely have a car key. So why do we apply such different thinking to the internet? We can have keys to the internet, and today they have gotten quite advanced.

Keys aren't perfect, but all the problems associated with passwords above do not apply to keys. And most of the problems with keys can be solved by using just one relatively simple password in conjunction with them. The hurdle for having a key to the internet is that so far, nobody has been willing to buy one for you. When you started renting your house, your landlord likely gave you a set of keys, you didn't have to go out and get one yourself. The same is true when you bought a car. But Google and Facebook were not willing to give you a key when you signed up, so you don't have a key to the internet. Let's start changing that!

My suggestion may need some ironing out, but this is what I think are the first steps:
(1) SteemIt.com needs to support the U2F protocol so that this can be done at all.
(2) When you're getting your friend onto SteemIt, which you certainly are trying to do, get them to get a key! Maybe even buy one for them, they are not expensive at all. They may be apprehensive about buying something when they are just starting, but you are likely invested in the site and know the value of getting them onto it. Not only will it help them change their thinking about how they use the internet, but it also proves that you think SteemIt is so valuable that you're willing to go to the effort of getting them a physical item to have them as part of the network.

I would appreciate some feedback on this idea. It's often the case that someone recognizes the problem, but the solution they propose isn't ideal either. So let's discuss and refine to the point that we have something we can really do.

Authors get paid when people like you upvote their post.
If you enjoyed what you read here, create your account today and start earning FREE STEEM!
Sort Order:  

One of the biggest barriers to Steemit getting serious traction is the 32-character password requirement, so this is a good idea. Most people who like crypto stuff know that long passwords = good. But back in the real world, most other people have terrible security habits and reuse bad passwords all the time.

Any low-barrier thing that improves people's security habits ("install and learn to use a password manager" is not low-barrier for most people), is good for the brand, so Steemit should promote this sort of thing.

And it would be optional so you wouldn't have to buy one, but you would certainly have an easier time with one

I think that's basically the main thing with UX. Don't force people to learn something they don't already understand. Keys are something everyone already understands. I know from experience that using a password manager securely generally involves lots of technicalities you have to be aware of.

Is storing the password locally really so insecure? Malware has to get into the file system in order to access files. Keep it on a non-shared folder. Copy and paste. Now Chrome offers to save passwords for you. This is arguably more secure because it will automatically fill for you when you do go to the site you are looking for but not some other. This automated password writing prevents phishing.

Mint requires my login passw

  ·  8 years ago (edited)

With Facebook accounts, hackers generally go for the low hanging fruit. If we're talking about money, yes it is insecure. There was a string of thefts of Bitcoin in 2015 when hackers got local access to people's machines and used keyloggers.

Using a local file is also pretty inconvenient if you use the same accounts over many devices, including public ones. You can use Dropbox, but that introduces new risks as well.

Copy and paste.

Clipboard is also a common point of attack both on desktop and on Android, in the latter because it requires no special permissions to access.

I concede all of these points. If I had to type in my passwords, I would have to have shorter passwords. Google authenticator is something I enable where ever I can. I have heard good things about Last Pass.

  ·  7 years ago (edited)

It's an absolute drag. It means if my computer gets stolen, they have my passwords and I do not! If I make retrievable copies eg email them to myself or put them on dropbox etc then I have to hide them behind a really insecure password in order to know I can get them back. Which means back to square one. And as for logging on with my mobile phone so I can use Steemit on the move - forget it. Do I seriously have to type that in on a little touchscreen? And then heaven knows what a strategic mistake it is for the company to generate the password for you. There is a big fat trust issue right there, and if somehow my security got cracked, how could I trust that it wasn't Steemit itself who failed? It is my responsibility and my risk so it has to be my choice. I thought this was a minor thing, but frankly it is becoming a deterrent, especially when there is a lot of choice out there. I have no idea what buying a key means in this instance. Sounds like just another drag. Password managers etc, all very well, but I always avoided using them so far why do I want one now? Just another thing to get my head around, another barrier to use, and yes, another drag. I'm off to minds

Passwords in a file mean you also backup your passwords when you back up the file. You keep them on a flash drive and then maybe they steal your flash drive. Log into condenser.steem.vc with testuser with the password barman and try to change the master password. I created a system where you can have another password and only the active, posting and memo keys work. The owner key doesn't. You won't be able to change the master password.

  ·  7 years ago (edited)

Thanks, but why bother? I don't need to fill my head with this crap

Although I understand it was necessary to make accounts more secure, I have found from the people who tried to sign up through reading my posts or from my recommendation that the new random password generator has definitely been a problem for everybody. As you've said I was lucky to get in before this so I initially didn't understand why people were having a problem until I helped somebody to get signed up. Now I understand why some of my friends rang me to tell me their regret at taking so much time to log in immediately after registering, and why others gave up half way through after entering a digit wrong.

Keys make total sense to me and I think even non techy people can understand keys better than awfully long passwords where a 0 could be an O and an I could be an l or a 1!

The fact that Google already does this gives me hope for better security on steemit that could still be user-friendly.

Thanks @beanz.

Yeah, Google as well as Dropbox already support these kinds of keys, but I wish they would go further. Google actually only tends to ask me for my key when I am starting to use a new device, but they are convenient enough that I could authenticate much more often. This would mean there's less need to keep your computers fully secure as well.

You can see some companies which support U2F keys already here:
https://www.yubico.com/about/background/fido/

I got a Yubikey sent to me from Mt Gox for free. I think that was after one of the earlier hacks. Others who joined later had to pay for their key. In that case, having a secure key didn't help when the lock was smashed in.

Would it be possible to reuse my now worthless (other than Bitcoin-nostalgia collector value) Gox Yubikey for other purposes? I think I recall hearing they had a slightly different implementation of the standard.

I do not know what Yubi keys was distributed by Mt Gox, but generally you should be able to reuse it (I don't think I heard anything about some other hardware versions, that ones the Yubico are selling). If you are using Chrome browser, you can use it as U2F for example for Google and GitHub accounts. Other sites and other browser will join there soon.
Download and install YubiKey Personalisation Tool and you should be able to determine what hardware version of YubiKey you have.
And even more - with this software you should be able to program Steemit master password or better Posting Private Key (read why) on YubiKey! How about that :-).

I don't know. You could try setting it up with gmail, if it doesn't work maybe it's not the same as the U2F standard.

U2F is great, except it's beyond useless for sites like Steemit.

It would have to be used as nothing more than a part of 2FA, since your password on Steemit is actually used to generate the private keys, i.e. posting, active, memo, owner.

For U2F to work, Steemit would have to be holding your private keys, in plain text. U2F works by sending the Yubikey public key to the server. The server sends some text to the key to sign, and then when the Yubikey sends it back to the server signed, the server knows that the Yubikey is legitimate.

Perhaps it needs to be a customized device then. In principle all that is required is that the device signs the transactions without exposing the private key.

Yeah, something like a TREZOR or KeepKey could probably be adapted to storing STEEM keys.

Alternatively I believe you could get a normal Yubikey and write your long password to the memory bank, so when you put the button, it enters your master password.

@demotruk my password is over 26 letters words and characters. So I would say there is a little problem. I think we will eventually have to go to some combo of password and some bio-metric like voice. Any how, check out this story I posted on STEEMIT ADS, let me know what you think. Much appreicate the support. Thanks.
Full $teem Ahead!
@streetstyle

  ·  8 years ago (edited)

Voices, fingerprints and the like can easily be recorded. The reason why U2F keys are secure is because they work on the same principles as Bitcoin transactions, the server challenges you to sign a message, and only the correct key can do it, and the device does not expose sensitive data in the process. In the case of the YubiKey I linked, it won't even sign such a challenge unless the user explicitly gives consent by tapping it. Something like a trezor could go even further while still being convenient, but the YubiKey is inexpensive and 99% of the way there.

Yeah, i don't have much confidence in bio-metrics, there are simpler solutions, keys are a concept people are familiar with that still allow psudonyminity. Biometry is invasive and not wholly secure.

I was really hoping to use my Trezor password manager, but I was very disappointed to discover that Steemit has a non standard method of logging in and my Trezor doesn't work here :(

When the Trezor team recognize that "You can now log on to SteemIt.com with your Trezor!" is an instant $10,000 post, I'm sure it will be remedied pretty quickly. Someone should tell them that.

I sent some feedback to the makers of Trezor and asked them to work with steemit. I can't find how to message or inform the steemit programmers to examine how to standardize their log in method to work with the Trezor.

Just because i had to read up on U2F, here is a link that makes sense of it: https://fidoalliance.org/specifications/overview/

I'm looking forward to the use of keys on Steemit.com

I already have a key for my Bitcoin and have a huge level of both security and convenience.

Why would any site allow any connection to guess passwords at 1000 times a second forever is my question. If that is not allowed do we still need passwords more than 8 characters?

It's not a choice when a password database gets leaked online. In the case of Steemit there is no private database, everything is public in the Steem Blockchain, meaning that passwords must be mathematically secure from the start.

Thx, learn something everyday! Just hope we don't need to change password ever! I can't even ensure I can write it down correctly on apaper let alone typing it in

  ·  7 years ago (edited)

I find its just a problem of lack of instructions on steemit. If you are a youtube member moving over to dtube, it doesn't say when you register where you have to go in your wallet to get all the specific passwords you need and how you activate them. Some simple prompters would be useful.

  ·  7 years ago (edited)

Steemit.chat has a separate account system. It's not related to Steemit.com except that it is linked from this website (it's not run by Steemit Inc either).

DTube only allows you to use your posting key, not your master password. This is to help prevent you from leaking your master password by accident.

How to find your posting key

I don't know what Grammarly is, never heard of it.

hi @demotruk Thanls for post. i saw your 'Dublin' meetup call out. Im from Tyrone now in Co.Antrim and on here for a few months 'sniffing' around. Can you message me. I have some interesting ideas with regards to Irish branch of steemit and had spoke with steemit founders themselves on skype about 3 weeks ago regarding it, got side tracked since, but back online now. Ping me? Wheres the 'DublinMeetUp' hang outs happening? Thanks. J.

  ·  7 years ago Reveal Comment
  ·  8 years ago Reveal Comment