*YOU* are just begging to be hacked!

in #steemit, 8 years ago (edited)

You should NEVER transmit *ANY* password or key.

  1. The Steem block-chain has security as good as that of any other block-chain -- but it could easily be better.
  2. I trust Steemit.com -- but a number of the conveniences that it offers by default lead most users to do some very unwise things.
  3. Giving your password or keys to *anyone* is just begging to have your money stolen.


Have you *ever* given your Steemit password to *anyone* other than Steemit.com?  Maybe https://squeek.io/ or https://steemconnect.com?

If you have, go to Steemit and CHANGE YOUR PASSWORD IMMEDIATELY!

Have you *ever* given your active key to anyone?

If you have, go to Steemit and CHANGE YOUR PASSWORD IMMEDIATELY!

Would you fall for the following pitch (made by one of the entries in the "official" Steem App Center)?

Log in with your steemit credentials. The whole website is in Javascript and is open source, so don't worry about username and password security.

If so, petition @DanTheMan and the other developers to implement two-factor authentication as a required part of the block-chain protocol.

Actually -- Do you ever use your Steemit password or your active key (hint: you must if you ever do *anything* with your SBD or STEEM)?

EVERYONE should petition for two-factor authentication (2FA) as a required part of the block-chain protocol.

Without 2FA, you are always exposing your password and/or keys -- and once they are hijacked, you are vulnerable until you change them (assuming you know that they have been hijacked).  With 2FA, you enter your password and/or keys into your phone once and, forever after, use a time-based key that is only good for one minute.

Even with 2FA, your password and keys should NEVER leave your machine.

@Digital-Wisdom just released a Steem SafePay prototype that keeps your keys on your machine -- to a deafening silence and a near-total lack of interest.  Please check it out and PLEASE support their steem-browserify initiative.

Steemit.com needs to do a better job promoting security.

Steemit.com should NEVER accept the owner password/key for anything other than account recovery.

Steem has many features that make it the least hackable of any of the cryptocurrencies, but that doesn't mean that you/we can afford to be careless (or that it shouldn't be made even better with 2FA).

We all need to work together to earn Steem the best security reputation in the business.


Well, if a third-party app is open source, you can host it yourself and audit the JavaScript, provided you know how to. Otherwise, most of the sites just ask for the posting key, which yes, could be bad, but better than the active or owner key.

That is what is so awesome about SafePay and steem-browserify. They are open source and hosted in the browser so YOU DON'T NEED TO KNOW ANYTHING except that someone you trust (hopefully steemit.com) has audited it and is willing to host the audited version . . . .

Did you check out @digital-wisdom's post?

Yes, those are really useful for those who don't want to or don't know how to set up the cli_wallet or piston!

Security has to be a top priority. There are large sums at stake and some passwords will leak out. I'm very wary of using third-party tools that require a password. Their intentions may be good, but I can't know how good their security is.

2-factor is not perfect, but it's an extra layer that can help. There are also alternatives such as the SQRL system from security guru Steve Gibson https://www.grc.com/sqrl/sqrl.htm

SQRL is awesome but is basically the same as 2FA.

You should never use a tool that lets any password leave your machine.

I would support implementing two-factor authentication.

Great points, re-Steemed :) @nonlinearone