
RE: How to join the HERO Challenge as Leader and Participant

in #bitshares 8 years ago
  1. Click Here to Open your Account
  2. use Account Model
  3. Sign-Up

Is BitShares going to have to learn the hard way to not allow users to choose their own password?

Please, please, please... to BitShares users who decide to use the account model: use machine-generated, high-entropy (256 bit) passwords. Otherwise you will get hacked. See this post for more information (although it is about Steem and steemit.com, the same concept applies to BitShares when using the account model rather than the wallet model to create an account.)


yup, this should work like steem/peerplays, how much work is it to implement?

Just curious, would you say that the loss of convenience with a random strong password is worth the extra security? I read the other post you linked and I understand how vulnerable weak passwords are when on the Steem blockchain, but do you think there is a middle point between accessibility and security?

Just curious, would you say that the loss of convenience with a random strong password is worth the extra security?

Yes. 100% yes.

but do you think there is a middle point between accessibility and security?

Yes, there is always a trade-off. But in this case, based on actual practical experience dealing with real world users, the trade-off seems clear to me. The choice basically comes down to one of the following two options:

  1. force users to learn how to use a password manager to securely use these blockchain systems, possibly scaring some of them away initially; or,
  2. make it slightly easier for them to start using the system and then piss them off and likely permanently drive them away from the system when they get hacked and all their money is stolen because of their insecure password.

I hadn't thought of #2, but now that you mention it, it makes sense. Perhaps education for the user is the key, but wouldn't you say that's a rather difficult task? Not everyone is willing to learn, for their own reasons, I guess.

It isn't very easy. But I think there are enough well designed tools (password manager services with automatic synchronization and convenient browser plugins) that make it not too difficult to use either. Education absolutely is key; and the guides and tools to help with that can likely always get better. But the biggest factor to teaching new users how to use these tools and why it is important to do so is motivation. With sufficient motivation I don't think learning these things is that big of a barrier.

That motivation comes in the form of money. Sure if the user is just dealing with data that they don't care much about (maybe they just don't value their privacy all that much) then the motivation isn't very strong to learn how to properly secure your account. But when we are talking about people protecting their hard earned money, that motivation shouldn't be that difficult to find.

That is one of the beautiful things about Steem. There is a financial incentive to motivate people to jump through various hoops to learn these new and difficult things that people in the blockchain space are forced to deal with (things like securing passwords / private keys and using cryptocurrency exchanges). If you want to actually get this money in a usable form to spend it on things you need like rent and food, you have to spend some time and effort to learn these new processes and tools. (But hey, you normally need to spend time and effort to earn money from your job anyway.) And when these things are learned once, it becomes easy to transfer those new skills to other applications/services in the blockchain space.

I see. Do you have a specific example of an app or tool that would make it easier to manage passwords? I definitely agree with the idea of motivation, and I think that's a great entry point when explaining to other people why difficult passwords are important.

I've seen various posts on Steem of people recommending various password managers that they like (you can try searching for those). My preferred password manager would probably not be ideal in this case because it doesn't have a browser plugin and automatic synchronization (but I am more techy so I don't mind giving up a little convenience for other things I value more such as using a free open source tool I can trust).

For regular users, they should probably use a tool that does the synchronization/backups automatically and has convenient browser plugins that will autofill their passwords for them. Some common options include 1Password and LastPass. But I can't really speak to how good these actually are since I don't personally use them.

I appreciate the suggestion regardless. Thanks for taking the time to answer all of my questions. ^^ You seem like a pretty savvy guy, I'll follow you. Thanks a lot for your help.

Passwords that are hard to remember are generally a bad idea. That way you need to have them written down somewhere and always carry them around, and that's not safe either.

What I've seen recommended is memorizing an arbitrary phrase made out of a string of words.
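Two positions come up in this thread: the recommendation of a machine-generated 256-bit password for the account model, and the counter-suggestion of memorizing a phrase made of words. The following script is an added example, not code from the thread or from the BitShares or Steem projects, that puts numbers on both: it measures the entropy of several password schemes against the 256-bit target, works out how many words or characters a scheme needs to reach it, and generates a password with the operating system's CSPRNG. The pool sizes (a 7776-entry diceware-style word list, a 10,000-word vocabulary) are assumptions chosen for the comparison; it does not reproduce either chain's name-plus-password key derivation.

```python
import math
import secrets
import string

# Pools assumed for the comparison (constructed for this example).
ALNUM = string.ascii_letters + string.digits  # 62 symbols
HEX = "0123456789abcdef"                      # 16 symbols
DICEWARE_WORDS = 7776                         # size of a standard diceware list (6^5)
SMALL_DICTIONARY = 10_000                     # rough size of a common-word vocabulary


def entropy_bits(pool_size: int, symbols: int) -> float:
    """Entropy, in bits, of a secret made of `symbols` independent, uniformly
    random picks from a pool of `pool_size` options (characters or words).
    A human-chosen word is not a uniform pick, so this is an upper bound there."""
    return symbols * math.log2(pool_size)


def symbols_needed(pool_size: int, target_bits: int = 256) -> int:
    """Smallest number of picks from the pool that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(pool_size))


def meets_target(pool_size: int, symbols: int, target_bits: int = 256) -> bool:
    """True when the scheme carries at least `target_bits` of entropy."""
    return entropy_bits(pool_size, symbols) >= target_bits


def random_password(target_bits: int = 256, alphabet: str = ALNUM) -> str:
    """Machine-generated password with at least `target_bits` of entropy.
    `secrets` draws from the OS CSPRNG; `random.choice` is not suitable here."""
    length = symbols_needed(len(alphabet), target_bits)
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare_schemes(target_bits: int = 256) -> dict:
    """Entropy of several schemes next to the target: {name: (bits, meets_target)}."""
    schemes = {
        "one dictionary word + 2 digits": (SMALL_DICTIONARY * 100, 1),
        "4-word passphrase (diceware list)": (DICEWARE_WORDS, 4),
        "6-word passphrase (diceware list)": (DICEWARE_WORDS, 6),
        "20-word passphrase (diceware list)": (DICEWARE_WORDS, 20),
        "43-char alphanumeric (machine-generated)": (len(ALNUM), 43),
        "64-char hex (machine-generated)": (len(HEX), 64),
    }
    return {
        name: (round(entropy_bits(pool, n), 1), meets_target(pool, n, target_bits))
        for name, (pool, n) in schemes.items()
    }


if __name__ == "__main__":
    for name, (bits, ok) in compare_schemes().items():
        print(f"{name:45s} {bits:7.1f} bits  {'OK' if ok else 'below target'}")
    print("diceware words needed for 256 bits:", symbols_needed(DICEWARE_WORDS))
    print("example 256-bit alphanumeric password:", random_password())
```

The comparison makes the trade-off concrete: a four- or six-word phrase is far stronger than a single chosen word, but a phrase only reaches the 256-bit level recommended in the thread at around twenty words from a 7776-word list, which is past what most people will memorize. That is why the thread's answer is a password manager holding a 43-character alphanumeric or 64-character hex string, rather than either a memorable phrase or a written-down note.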