
RE: Offline Attack on Steem User Credentials

in #steem, 8 years ago
  1. This is true. However, your point actually underscores another reason why machine-generated passwords are urgently needed. Any steemit user who has used his steemit username/password elsewhere has now given any attacker in the world a means to recover these credentials via offline attack, since the steemit blockchain is forever public. I doubt most users appreciated this fact when steemit prompted them to choose a password at signup.
  2. There were very few accounts with significant liquid assets and I wagered they would prefer a recovery delay to getting robbed. IMHO Steem has gotten enough buzz recently that I can guarantee there's a pointy mustached blackhat somewhere silently cursing me for doing this before he had a chance to run the heist script he was working on.
  3. Conspicuously signaling which accounts had weak passwords but not updating their keys would have made it even more trivial for black hats to hijack these accounts, since the scrambled passwords in the blockchain are essentially salted (making targeted attacks orders of magnitude more efficient). To your other point, there are several issues with sending an out-of-the-blue email to support@ with a boatload of user creds and an opinionated rant about password UI design, although originally that was my plan. However, the more I thought about it, the more it seemed likely the current design is a conscious decision that unwisely (especially given point 1) trades off security to optimize signup completion rate, and if that's the case a little bit of hand-forcing is useful.