Can you remember your Steemit password? If so, you are in danger.

in #steem · 8 years ago (edited)

Clickbaity title, I know. But this is an important message, so I have to grab people's attention. I hope you read it fully.

[Image: warning sign]

Are you familiar with that situation when the (centralized) website you use gets hacked, and the hackers grab the entire database full of the website's (hopefully hashed) passwords?

What do they always tell you to do in that situation? Change your password.
In fact, ideally, they shouldn't even let you log in to the website until you have changed your password, simply as a way to force you to do the right thing and change your damn password.

Do you also know how the experts always seem to tell you to not reuse passwords? Why is that?

It is because when (not if) the websites you use get hacked and their database of (hopefully hashed) passwords is stolen, the hackers can then use that recovered password to log in to the other services for which you use that same password. So the one website that got hacked ends up being a single point of failure for every website on which you use that same password. Even if the password database stored salted and hashed passwords (which is the standard procedure), the actual plain-text password can be brute-forced.

Brute forcing the password under normal circumstances is not typically a big worry. This is because the hashed password is kept by the centralized website operator only (until they get hacked of course). The website operator can then rate-limit attempts at guessing the password, thus making brute-forcing infeasible.

But when the database of hashed passwords is hacked, the hackers have the entire database available offline, and they can brute-force it at the fastest rate their available computing power allows them to guess passwords. No rate-limiting is possible anymore under this condition. This is why it is urgent for the user to change their password quickly: eventually the hacker will discover the password and be able to log in, unless it is a really, really strong password. (Note: if you are not sure what makes a strong password, or you don't understand what the word "entropy" means, you almost certainly do not have a really strong password in the sense used here.)

But the hackers can keep their CPUs busy brute-forcing the password even after you have already changed your password on the website, assuming they are interested in doing so. You have to assume that, once the database of hashed passwords was compromised, the hacker will eventually discover your (not strong) password if they wish to. So changing the password on the service that got hacked is not good enough if you are the type of person that reuses passwords (and most people unfortunately do). You need to make sure that nothing you care about or depend on uses that (not-so-)secret information (your old password) as authorization. In other words, you need to change that compromised password on every service that uses it, whether those services were hacked or not.

So what does this have to do with Steemit? Well Steemit is not like a traditional website you may be used to. Steemit puts its entire database (including the database of hashed passwords) on the public blockchain. That's right. The normal operating state of Steemit is the state in which most typical centralized websites are in after they get hacked.

[Image: Jackie Chan WTF meme]

Now this is actually a good thing in most situations because Steemit (the company) does not have a monopoly over your data. Free market competition can exist within this space. A competitor can create their own front-end to the Steem blockchain that perhaps has a better user experience or nicer features. And you would be free to move over to that service without giving up all your data or social network of friends and followers.

The downside, however, is that the hashed password database is on the public blockchain for everyone (including malicious hackers) to see and have fun with. This puts incredibly demanding requirements on the password used to derive your Steem keys that are not typical of other (centralized) services. You may have been surprised by the 16-character requirement when signing up for steemit.com. Now there is talk of moving to 32-character passwords. Unfortunately, that is not likely to be enough. Some idio... err, beloved user... may decide to get around that length requirement by choosing the password "passwordpasswordpasswordpassword", which would likely get cracked in a brute-force attempt in seconds. Even if the entropy checker catches that and refuses to allow the user to use that password, there are always ways around it that are nearly as bad. The user may decide to repeat their name backwards 4 times instead (a name which they may have published in their introduction post, by the way). This too will likely be cracked in a relatively short time period by moderately sophisticated brute-force tools.
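To put numbers on the two points above (offline guessing with no rate limit, and why a long-but-patterned password is weak), here is an added worked example that is not part of the original post. It estimates the entropy of a candidate password under a simple attacker model that tries dictionary words and repeated units, then converts entropy into time-to-exhaust at an assumed online (rate-limited) and offline guess rate. The guess rates, the dictionary size, the `MAX_REPEATS` bound and the tiny `COMMON_WORDS` list are all constructed assumptions for illustration, not measurements of any real cracking tool or of Steem.

```python
"""Entropy and time-to-crack estimates for the scenarios discussed above.

Every constant below is an illustrative assumption, not a measured value.
"""
import math

ONLINE_RATE = 10.0            # guesses/second a rate-limited website might allow (assumed)
OFFLINE_RATE = 1e10           # guesses/second against a fast hash with stolen data (assumed order of magnitude)
DICT_SIZE = 100_000           # size of the attacker's word list (assumed)
MAX_REPEATS = 8               # attacker tries each candidate repeated 1..MAX_REPEATS times (assumed)
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed stand-in for the attacker's list: common words plus names the
# victim has published (the post's example of a username from an intro post).
COMMON_WORDS = {"password", "letmein", "qwerty", "steemit", "arhag"}


def smallest_repeating_unit(pw):
    """Return (unit, repeats) such that unit * repeats == pw, with the shortest unit.

    'passwordpasswordpasswordpassword' -> ('password', 4); a non-repeating
    string is returned as itself with repeats == 1.
    """
    n = len(pw)
    for unit_len in range(1, n // 2 + 1):
        if n % unit_len == 0 and pw[:unit_len] * (n // unit_len) == pw:
            return pw[:unit_len], n // unit_len
    return pw, 1


def charset_size(s):
    """Size of the smallest standard character class union that covers s."""
    size = 0
    if any(c.islower() for c in s):
        size += 26
    if any(c.isupper() for c in s):
        size += 26
    if any(c.isdigit() for c in s):
        size += 10
    if any(not c.isalnum() for c in s):
        size += 33  # printable ASCII punctuation
    return size


def estimate_bits(pw):
    """Entropy in bits under the 'dictionary word or random unit, possibly repeated' model.

    Repetition adds only log2(MAX_REPEATS) bits, which is why 32 characters of
    a repeated word are worth about 20 bits, not 190.
    """
    if not pw:
        return 0.0
    unit, repeats = smallest_repeating_unit(pw)
    repeat_bits = math.log2(MAX_REPEATS) if repeats > 1 else 0.0
    if unit.lower() in COMMON_WORDS or unit[::-1].lower() in COMMON_WORDS:
        return math.log2(DICT_SIZE) + repeat_bits      # a word, forwards or reversed
    return len(unit) * math.log2(charset_size(unit)) + repeat_bits


def years_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try every candidate in a 2**bits keyspace, in years."""
    return (2.0 ** bits) / guesses_per_second / SECONDS_PER_YEAR


def compare(label, bits):
    return {
        "label": label,
        "bits": round(bits, 1),
        "online_years": years_to_exhaust(bits, ONLINE_RATE),
        "offline_years": years_to_exhaust(bits, OFFLINE_RATE),
    }


def run():
    """Rows for the post's scenarios; the sample passwords are constructed."""
    return [
        compare("word repeated 4 times", estimate_bits("passwordpasswordpasswordpassword")),
        compare("published name reversed, repeated 4 times", estimate_bits("gahragahragahragahra")),
        compare("16 random alphanumerics", estimate_bits("aB3dE5fG7hI9jK1m")),
        compare("256-bit random secret", 256.0),
    ]


if __name__ == "__main__":
    for row in run():
        print(f"{row['label']:>42}: {row['bits']:6.1f} bits  "
              f"online {row['online_years']:.2e} y  offline {row['offline_years']:.2e} y")
```

The interesting comparison is the middle column against the last: at the assumed online rate even the repeated word takes most of a day to exhaust, but offline it falls in a fraction of a second, while the 256-bit secret stays out of reach at either rate. Any real strength checker should use a much richer attacker model (leet substitutions, keyboard walks, dates) than the one sketched here.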

At this point you may be sighing in desperation asking "But arhag, what am I supposed to do? If I choose a password that actually is strong, there is no way my memory is good enough to actually remember it."

EXACTLY

That's the point. You aren't supposed to remember it. It should be strong enough that you cannot remember it.

[Image: Avengers Hulk "That's my secret" meme, captioned "That's my secret. I don't know my password."]
(I found this image meme in this post and I thought it was great.)

I don't know almost any of my passwords. The exceptions are the master password for my password manager and just a few other passwords/passphrases for decrypting the encrypted volumes on my devices or for unlocking the screen of my devices.

The big idea is to use a password manager. You use the password manager to generate random high-entropy passwords to use on any website or service. In the case of your Steem/Steemit password, you ideally want to have 256 bits of entropy (many password managers have easy settings to generate this for you). You also use the password manager to store your passwords and other secret authorization information that you don't trust yourself to remember properly.
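What "256 bits of entropy" means in practice, as an added example that is not code from the original post or from any password manager: with a 62-symbol alphabet (letters and digits) each uniformly random character carries log2(62) ≈ 5.95 bits, so 43 characters are needed; with hex, 64. The example draws from the OS CSPRNG via Python's `secrets` module and also shows the passphrase arithmetic (a 7776-word Diceware list gives ≈12.9 bits per word, so 20 words). The alphabet, the target, and the small `DEMO_WORDS` list are assumptions constructed for the demo.

```python
"""Generate a password with a chosen entropy target from a CSPRNG.

Assumed parameters: a 62-symbol alphabet and a 256-bit target; both are
constructed for this example and are not Steem's or any manager's settings.
"""
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits   # 62 symbols; add punctuation if the site allows it
TARGET_BITS = 256

# Constructed 16-word list for the passphrase demo; a real Diceware list has 7776 words.
DEMO_WORDS = ["tree", "space", "carpet", "grass", "river", "stone", "lamp", "cloud",
              "paper", "wheel", "honey", "flute", "anchor", "maple", "quartz", "velvet"]


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random string: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def chars_needed(target_bits=TARGET_BITS, alphabet=ALPHABET):
    """Smallest length whose uniform-random strings over `alphabet` carry >= target_bits."""
    return math.ceil(target_bits / math.log2(len(alphabet)))


def words_needed(list_size, target_bits=TARGET_BITS):
    """Smallest number of uniformly chosen words from a list of `list_size` words for >= target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_password(target_bits=TARGET_BITS, alphabet=ALPHABET):
    """Uniform random password from `alphabet` using secrets (never random.random)."""
    return "".join(secrets.choice(alphabet) for _ in range(chars_needed(target_bits, alphabet)))


def generate_passphrase(words, target_bits=TARGET_BITS, sep="-"):
    """Diceware-style passphrase: words chosen uniformly with replacement from `words`."""
    count = words_needed(len(words), target_bits)
    return sep.join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    pw = generate_password()
    print(f"{len(pw)} chars, {entropy_bits(len(pw), len(ALPHABET)):.1f} bits: {pw}")
    print(f"hex would need {chars_needed(256, string.hexdigits[:16])} chars")
    print(f"a 7776-word Diceware list needs {words_needed(7776)} words for 256 bits")
    print("32-bit demo passphrase from the constructed list:", generate_passphrase(DEMO_WORDS, 32))
```

The output of `generate_password()` is exactly the kind of secret the post says you should not try to remember; it belongs in the password manager's encrypted database, and the only thing you memorize is the passphrase that unlocks that database.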

You may ask what the point is in having a strong 256-bit-entropy Steemit password stored in your encrypted password manager database, when the passphrase to decrypt that password database has to be memorizable and therefore likely has much less than 256 bits of entropy. Well, besides the fact that you have fewer unique passwords to remember (assuming you use the password manager for more than just one website/service), the major benefit is that your encrypted password database isn't stored on a public blockchain! The encrypted password database is either stored on your local computer, meaning your computer would need to be hacked (or stolen, if you don't use disk encryption) before the hackers could begin brute-forcing the passphrase, or it is stored on a password manager service provider's servers, in which case they can rate-limit brute-force attempts to make brute-forcing infeasible and perhaps additionally require two-factor authentication for better security.

There are a few posts floating around steemit.com talking about password managers, so I recommend you use the search function to find them and read up on them. Here is one as an example. Personally, I like to use KeePass. But for convenience and ease of use, I would actually recommend something that takes care of the syncing problem for you and has good browser support, such as LastPass (though you may prefer some other similar service).

So in conclusion, if you are currently using a password on steemit.com that you remember, you are doing it all very, very wrong. You will almost certainly eventually get hacked, assuming you haven't already. The solution is to use a password manager to generate a random 256-bit-entropy password for steemit.com and to save and manage that password using your password manager app/service. More generally, it isn't a good idea to use memorizable passwords for any website or service when you have the much better option of using a password manager. It actually becomes less of a burden on you (in terms of remembering and managing passwords) when you take that leap and start using a password manager. You only end up needing to remember one good password (or, better yet, a passphrase). And it makes it super easy to follow best practices (very strong passwords that are unique to each website and service) because you just let the password manager generate a new password for you for every website/service.

Now go out there and find a password manager that works for you, generate a strong password, and change your steemit.com password as soon as possible. Think about how hard you likely work to earn a good amount of money. Learning how to properly use a password manager is very unlikely to be anywhere near as hard in comparison. A lot of you may have a decent amount of money in your accounts that is at risk because you use a password your brain came up with rather than one the computer (i.e. the password manager) came up with. So by continuing to not use a password manager for your steemit.com password, you are essentially devaluing your own hard work.


Hey @arhag, that post you're looking for is right here: https://steemit.com/steemit/@lukestokes/upvote-if-you-changed-your-owner-password-active-password-posting-password-and-memo-password

THANK YOU for raising awareness on this issue! I've been saying it over and over again in comments all over the place. Password managers are how we need to Internet in 2016. Every other approach is unsafe. We all need to skill up and get with the program. Email used to be too hard for people, but now it's common. Same thing goes for password management, OS security updates, and up-to-date antivirus software. We have to get it done if we want to use the new shiny tools the future has to offer.

I made a Diceware based password generator for those who are too lazy to do it themselves :D
https://steemit.com/steemit/@d3m0t3x/diceware-password-generator-or-shortcut-to-a-safer-password

Typical example of out-of-the-box thinking, and I like it!
I'm not sure whether this is the right place to ask, but maybe someone will answer. How much time does a new user have to copy the private owner key?

Well I remember my password, and it's 88 chars and 360 bits of entropy. I think it's pretty secure...

This post helped a lot of people. The first I heard that there was an intrusion, I changed my owner and active key, which saved me.

I also tried to make a FAQ (look me up) for other issues to stop the junk posts.

Arhag, thanks again.

https://xkcd.com/936/
I will leave this here

In case you didn't notice, I actually already linked to it in the post. : )

https://steemit.com/steem/@conda/lpt-how-to-create-a-long-hard-to-crack-password-you-can-remember
Just wrote this based on this post. At the very least this is a good way to create a password you may want to use for your password manager.

Thanks , very informative. I have a job to do now :D

This is so true and great advice!! I was hacked yesterday and guess why... my awful choice of a password. Happy to say my new PW would probably give most people a headache just looking at it! I guess the only mistakes we make are the ones we don't learn from. *clearing throat* "Um, lesson learned." I took a screenshot of my success minutes before I was hacked; check out that dollar amount... yeah, it stung.

Had it not been for this post, I would have probably not changed my password and eventually gotten hacked. Thank you so much arhag! You are a life saver. Thank you so much!!

Thank you for your attention. It's very important to steemit user

For now a password generator should be used but this place really needs two-factor.

Great advice. I have been using a password manager for a while now; it really is much simpler than trying to make up and remember passwords for each site and, as you say, it is much more secure. I have a friend that actually runs his finger along his keyboard as a password (a string of numbers and letters) and he proudly proclaims to me that it is uncrackable, and then he follows on to say he is so sure about this that he is using the same password for all of his accounts. I literally burst out laughing and tried to explain the folly in his ways... He remains convinced. Time will tell, lol...

Yeah, I forgot my passwords, so I must use a new account.

Wow I wasn't aware of this, thanks a lot for the interesting post!

Interesting article

Very informative!

Thanks for the heads up - good article

Good post. For the moment I don't have much to fear. There is not much to steal from me.

your digital identity here at steemit isn't much?

Hello @argh, this is a very important topic: changing the password.
I have made a video tutorial and shared my own experiences of why a password change can be so difficult for our minds.
https://steemit.com/tutorial/@lichtblick/how-to-change-your-password-on-steemit-my-own-experiences-and-a-video-tutorial

Great post, thank you. I strongly suggest using 16 non-repeated alphanumeric characters with some symbols; it should be enough.

Thanks for the suggestion! When I made the PW I wasn't thinking about securing my earnings.

Brilliant @arhag, the title isn't clickbait, it's spot on, I can't remember any of my passwords and use weird symbols, that you have to press various combinations of keys.

A website told me recently that my password would take several times the age of the universe to brute force guess.

:-D

CG

Great post @arhag !!!
I always use KeePass as my password manager and saved my encrypted pass database on dropbox so I can access it anywhere along with KeeFox and ChromeIpass browser extension.

o'man.. that meme was hilarious to me! My account got hacked so I just said "screw it" and ate a bunch of fortune cookies (like 100 of them) then I gave all the paper slips to a blind man and instructed him to take the 3rd letter of every slip and stutter them a-sequentially and then to take the 6th letter in each slip of paper and decipher the numeric value from the letter and do likewise. Then some random symbols were thrown in and BAM! I got my new password.

Okay, I just had a piece of software generate it for me and it looks crazy as hell but if I had my first choice I'd totally do it that way!

If someone gets your password, doesn't this mean they now have the private WIF keys to the account that never changes?

Thank you for the excellent advice.

Great post! Very informative and helpful.
Read my previous post about Password Security if you have the chance :)
https://steemit.com/steemit/@decryptson/in-wake-of-steemit-hack-important

Yesterday I could not access my account; fortunately, these days my account can be fixed.

Dash lane is a very good password manager which encrypts your account, personal, and even credit card info if you wish to use it for those cases.
Another cool trick is that it allows you to sync in between your devices.
P.S don't use last pass, their security is bad, keepassx is also good

This was a very good, and a very informative post thank you.

Can somebody help me understand why it is I cannot set a password for each individual key anymore, and must only change all the keys, thereby negating every security convention suggested by the community? https://steemit.com/steemit/@sandwich/having-issues-creating-separate-passwords-for-owner-and-active-posting-meta-keys-is-this-still-possible

Kudos to Steemit devs on lost password recovery. Note: the KeePass password manager does not 'auto save'. Did you ever spend all day writing a school paper and have the program crash before you saved? Careful with those password managers! Print your keys just in case.

I will strongly recommend that you have a password keeper app, for those who cannot keep their passwords. A very good app I use is called Keeper app.

Why don't you just use four completely different random words from the dictionary and put them together? Ex: treespacecarpetgrass. That would take hackers ages to decipher.

Thanx for a post👌🏻

Is it safe, when using something like KeePass with Chrome, to let Chrome remember your password for you?

I've always wondered about that...

Went from a lowercase alphabetical 16-letter password to an uppercase, lowercase, numbers and symbols 40-character password. Now I can't remember it. Good thing I wrote it down physically. :P

A password is usually the main feature we use to secure our account, but right now a lot of reputable social networks or websites are adding another feature to their services to increase the security of their members.
Basically, from my experience: I once lost my phone and used another phone to log in to my social account; when I tried to log in, the website asked me to answer some questions, verify a photo or verify my phone number.

That's why I use LastPass.

Thank you for this... ;)

Thank you @arhag totally agree
I've just started out with Steemit, check out my first post.
https://steemit.com/introduceyourself/@dka/from-south-africa-to-laos-introduceyourself

Most people don't know how easy it is to hack an unsecure password. I memorize all my passwords and so can you. With memory techniques you can remember very secure and long passwords. Today I posted about a new free ebook from a memory coach friend of mine. Follow me for more about memory and get the book as long as it is free: https://steemit.com/security/@flauwy/new-ebook-free-for-limited-time-the-hack-proof-password-system

So I will just keep remembering all my passwords, different for all sites and I think safe (probably should get it checked)
I do it like this https://steemit.com/passwords/@iobates/passwords-the-right-way

Great post! I have always had a problem with password managers that I didn't know what the problem was. But, with this explanation of password managers, I am going to get a password manager/service now.

I need a job and I ask, please, that you see my post https://steemit.com/crowdfunding/@webocel/58kd3g-my-dream-needs-your-vote-crowdfunding. With your vote I can set up my business and thus have a job and be able to feed my children. With just a few clicks you can change my life.
(By voting for this comment you are also helping.)
Sorry for the spam, but I'm desperate for funds to be self-employed.
Thanks in advance. Nicolas