How to set an own password, which is not generated by Steemit

in #security7 years ago (edited)

Ok, we are going fast with our Steem Security series, but it is fun, so let's continue and learn today something very useful :)

part4.jpg

Let's start with a quick recap of what we already learned from previous articles:

In the first article, I mentioned, that to use your Steem account, you do not need to use your password at all.

So why I need a Master Password at all?

Technically speaking, you don't need it. If you have your all private keys (posting, active, owner, memo) then you can do everything without a password, even create a new password and a new set of all keys.

Why is that? Because in the whole Steem ecosystem, a password is used only to generate public and private keys from it. But exactly this is done under the hood

From the 2nd article you should remember, that transaction pushed to Steem blockchain are authorized by signing each transaction with a proper individual private key. This works only because Steem Blockchain stores a corresponding public key of every user.

And the most important: Steem Blockchain do not store your password. It only stores your public keys generated from your password.

Conclusion: If you want to change a password, a new set of keys has to be generated from it. The password changes when new public keys are upload to Steem Blockchain.

Scenario: Changing a password with Steemit.com website

  1. User @noisy3 want to change an old, long, and hard to remember password from P5KB2ir4BaDTeeBe5SUW16F6NYGeYSVaUBn261kDPLGGCSiNahtm to a new password
  2. From user's menu, user choose option "change password" and he is redirected to https://steemit.com/@noisy3/password
  3. User has to provide an old password, but he cannot provide a new password, because it is generated by steemit website.
  4. If user want to change password, he ends up with long, hard to remember but very secure new password, like this: P5KMpYPGmVMkWgaDBX337eo3nULEq3MwrEtURydXbdS213exrKbx

Question

  1. Why user cannot set an own password?

    Steemit changed a password policy in last year. Before that, users were able to set any password. The only requirement was, that it had to be at least 16-characters long.

    But the truth was, that if a user set as a password a string of characters like: 1234567890123456, then this password wasn't secure at all, because it was very easy to guess or brute forced using the most common password patterns.

  2. Why I need so hard to remember password?

    What you actually need is a very secure password, and secure passwords are often very hard to remember. Probably you treat Steemit as another social media website, so you might be surprised, why your Facebook password is not strong and good enough. (BTW, I hope, that you do not use exactly the same password on all type of services - that is very dangerous!)

    The reason why your password has to be so secure is simply because with this password you also manage all your funds. So your Steem password should be as hard to guess as your password to your bank account!

Concerns

Generated passwords are very secure, but there are at least 3 big problems with them:

  1. They are hard to remember, and the truth is, that they do not have to be:

  2. You need to trust a Steemit website, that this password is generated randomly, and it is not saved anywhere

  3. Generated in such way passwords follow very well described and known specification. Every Steem user can easily recognize that those random string of letters is probably Steem passwords:
    - P5JcPfXayxiaFYPPKrt2BJGajtpACHoh35WZcgP6YKWuvovAYfb1
    - P5K6j5G7tp6B9JsR6HVJf7NE828Ms3oMvYhReDrXMZe1dohiPdg4
    - P5JigoK5v3E7E2ChbVhjb3Ji9USKz5vJBu9m2Yubf3aeJE1mxAmt

    So guess what will happen if you by accident publish your password somewhere, because you copied it from password manager or a file, and you forgot, that your password is still in your clipboard. This might happen:
    Screenshot from 2017-08-10 16:52:19.png
    or this:

The screen above shows a real live example of a situation, where a user exposed a password by accident.

Setting own password with Python Script

With script below, you can set any password, and you can do that without Steemit website.

# requirements: python3.5, steem==0.18.8

import json
from steem import Steem
from steembase.account import PasswordKey
from steembase import operations


old_password = 'P5KMpYPGmVMkWgaDBX337eo3nULEq3MwrEtURydXbdS213exrKbx'
new_password = 'smooth lesson hawk initial promote critic'
account = 'noisy3'


old_owner_key = str(
    PasswordKey(account, old_password, "owner").get_private_key()
)

s = Steem(keys=[old_owner_key])

new_public_keys = {}

for role in ["owner", "active", "posting", "memo"]:
    private_key = PasswordKey(account, new_password, role).get_private_key()
    new_public_keys[role] = str(private_key.pubkey)

new_data = {
    "account": account,
    "json_metadata": {},
    "owner": {
        "key_auths": [
            [new_public_keys["owner"], 1]
        ],
        "account_auths": [],
        "weight_threshold": 1
    },
    "active": {
        "key_auths": [
            [new_public_keys["active"], 1]
        ],
        "account_auths": [],
        "weight_threshold": 1
    },
    "posting": {
        "key_auths": [
            [new_public_keys["posting"], 1]
        ],
        "account_auths": [],
        "weight_threshold": 1
    },
    "memo_key": new_public_keys["memo"]
}

print("New data:")
print(json.dumps(new_data, sort_keys=True, indent=4))

op = operations.AccountUpdate(**new_data)
result = s.commit.finalizeOp(op, account, "owner")

print("Result:")
print(json.dumps(result, sort_keys=True, indent=4))

This script could be much shorter, but I think for educational purposes, script above is better

Script in action


This article belongs to series of articles which describes security on Steemit:

  1. What is the difference between a password and a private key(s) on Steemit? How to make your account more secure, by using them correctly.
  2. Public and Private Keys - how they are used by Steem, making all of these possible?
  3. How to generate all Steem user's keys from master password, without a Steemit website, being OFFLINE
  4. How to set own password, which is not generated by Steemit (this article)
  5. How passwords are stored by Steemit in your browser, and why it is secure.
  6. How to setup multisig/multiple authorities for your account
  7. ...

Make sure to follow my account, if you don't want to miss any of these :)

Sort:  

I recommend using a password manager like 1Password. That way you only have to remember one password and your encrypted password file is backed up on dropbox. More security tips here, for those who are interested.

Exactly! I am talking about that also in attached video in this post :)

Ah good! I haven't watched the video yet. :)

Hmm. I have been hearing about password managers for years but I have always been afraid that by using one I exchange multiple point of failure for single point of failure.

Are you saying they are actually trustworthy?

In my experience, yes. Depends on which one you use and how you manage it, your computer, etc (more in the video I linked to above). Alternatives to the single point of failure, from what I've seen, create more risk.

Lastpass is good option too

Yep! I haven't used it myself and there was one scare a while back with some concerns about a potential exploit, but from what I know it's solid.

Judging by daily usage, I have nothing to complain about it.

I have set my own password with steem-js. I was thinking of creating a user-friendly front-end and open source tool on github for everyone to use and explain to them why I don't trust generated passwords. I think you did a pretty good job in this article explaining some of the reasons, so thanks :]

No more copy and paste for me. Thank you :)

@paco hahahaha i thought i was alone copying and pasting.We nolonger need the old way,thanks to @noisy .

Thank you for taking the time to write this series @noisy. I paid the expensive lesson by doing the final mistake you showed only 2 days ago when transferring 493 steem from bittrex to steemit. All gone 10 minutes later, and I am just lucky to have my account back already. ( My story )

I wish I had read an in depth tutorial like yours the very first day I got into steemit. But at least now I have.

Keep it up!

Wow sorry to hear that. Where did you expose it?

Here is a small tip

tip! 2.0

Thank you very much for that. It's both greatly appreciated and half the reason why I think STEEM will eventually go to the Moon when I see how great this community is.

I really did two mistakes.

  1. I thought sending funds to a steemit account required the use of the public memo key as an ID for which account to send the funds to.
  2. I mistakenly copied the wrong key from the word file where I had saved them. Posting my main password instead of the public memo key (which was unnecessary in the first place), and thus making it visible on the Blockchain (dunno if they saw it on my wallet, on Steemd, or just had a bot searching for it).

10 minutes later someone had spotted my error, changed all my keys, and sent the 493 STEEM I had just received to Blocktrades. At least I got my Account Recovery done very quickly, mostly thanks to a good community here helping me reach the right individuals, and knowing some myself that could help.

Anyhow, it was really awful, and I just hope I can help others not do the same grave mistake.

Thank you for the detailed explanation. Once again sorry for your loss but I'm glad you were able to recover your account.

Hi @fredrikaa! You have just received a 2.0 SBD tip from @sneakgeekz!

@tipU - send tips by writing tip! in the comment and get share in service profit :)
By upvoting this comment you support the service - thanks!

Password safe is one good way also in storing password.

I heard its important to change your steemit password because they all start with the same first few letters

Great overview very valuable.
I m not a programmer what is that interface you are using to run the script?
Please let me know if you have a resource that starts at downloading or accessing the app to run the script?

Thank you
resteeming

what is that interface you are using to run the script?

if you are asking about IDE, then this was a PyCharm. But IDE in that case was needed only to show step-by-step debugging. If you have python installed on your computer, then you should be able to run this script from the console, after changing account, old_password and new_password variables.

But if you do not know how to do that, I would recommend rather to wait a little bit for a user-friendly interface

Great post.

thats awesome....meaningful info..keep going up man