How to set your own password, which is not generated by Steemit

in #security, 7 years ago (edited)

OK, we are moving fast with our Steem Security series, but it is fun, so let's continue and learn something very useful today :)


Let's start with a quick recap of what we already learned from previous articles:

In the first article, I mentioned that to use your Steem account you do not need to use your password at all.

So why do I need a Master Password at all?

Technically speaking, you don't need it. If you have all your private keys (posting, active, owner, memo), then you can do everything without a password, even create a new password and a new set of keys.

Why is that? Because in the whole Steem ecosystem, a password is used only to generate public and private keys from it, and exactly that is what happens under the hood.

From the 2nd article you should remember that transactions pushed to the Steem blockchain are authorized by signing each transaction with the proper private key. This works only because the Steem blockchain stores the corresponding public key of every user.

And most important: the Steem blockchain does not store your password. It only stores the public keys generated from your password.

Conclusion: If you want to change a password, a new set of keys has to be generated from it. The password changes when the new public keys are uploaded to the Steem blockchain.

Scenario: Changing a password on the Steemit.com website

  1. User @noisy3 wants to change an old, long, and hard to remember password, P5KB2ir4BaDTeeBe5SUW16F6NYGeYSVaUBn261kDPLGGCSiNahtm, to a new password.
  2. From the user's menu, he chooses the option "change password" and is redirected to https://steemit.com/@noisy3/password
  3. The user has to provide the old password, but he cannot provide a new password, because it is generated by the Steemit website.
  4. If the user wants to change the password, he ends up with a long, hard to remember but very secure new password, like this: P5KMpYPGmVMkWgaDBX337eo3nULEq3MwrEtURydXbdS213exrKbx

Questions

  1. Why can't a user set their own password?

    Steemit changed its password policy last year. Before that, users were able to set any password. The only requirement was that it had to be at least 16 characters long.

    But the truth was that if a user set as a password a string of characters like 1234567890123456, then this password wasn't secure at all, because it was very easy to guess or brute-force using the most common password patterns.

  2. Why do I need such a hard to remember password?

    What you actually need is a very secure password, and secure passwords are often very hard to remember. You probably treat Steemit as just another social media website, so you might be surprised why a password as strong as your Facebook one is not good enough. (BTW, I hope that you do not use exactly the same password on all types of services - that is very dangerous!)

    The reason why your password has to be so secure is simply that with this password you also manage all your funds. So your Steem password should be as hard to guess as the password to your bank account!

Concerns

Generated passwords are very secure, but there are at least 3 big problems with them:

  1. They are hard to remember, and the truth is that they do not have to be.

  2. You need to trust the Steemit website that this password is generated randomly and is not saved anywhere.

  3. Passwords generated in this way follow a very well described and known specification. Every Steem user can easily recognize that random strings of letters like these are probably Steem passwords:
    - P5JcPfXayxiaFYPPKrt2BJGajtpACHoh35WZcgP6YKWuvovAYfb1
    - P5K6j5G7tp6B9JsR6HVJf7NE828Ms3oMvYhReDrXMZe1dohiPdg4
    - P5JigoK5v3E7E2ChbVhjb3Ji9USKz5vJBu9m2Yubf3aeJE1mxAmt

    So guess what will happen if you publish your password somewhere by accident, because you copied it from a password manager or a file and forgot that it is still in your clipboard. This might happen:
    [screenshot from 2017-08-10: a password published by accident]
    or this:
    [second screenshot, not recovered]

The screenshot above shows a real-life example of a situation where a user exposed a password by accident.
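The two things the post relies on, shown in working code as an added example (not the post's own script and not steem-python code): the key derivation that happens "under the hood" (Steem builds each private key as sha256(account + role + password) and exports it in WIF), and a checksum-verified detector for the P5J/P5K pattern from the Concerns section, intended to run over a post or memo before it is broadcast so an accidental paste is caught first. The account name and password used are constructed sample values.

```python
import hashlib
import re

# Base58 alphabet shared by Bitcoin-style WIF keys and Steem master passwords
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58encode(raw: bytes) -> str:
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out

def b58decode(s: str) -> bytes:
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)  # ValueError on a non-base58 character
    return n.to_bytes((n.bit_length() + 7) // 8, "big")

def checksum(body: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(body).digest()).digest()[:4]

def private_wif(account: str, password: str, role: str) -> str:
    # Steem derivation: sha256(account + role + password) is the raw secp256k1
    # secret; it is exported in WIF (0x80 prefix + secret + sha256d checksum).
    secret = hashlib.sha256((account + role + password).encode("utf8")).digest()
    body = b"\x80" + secret
    return b58encode(body + checksum(body))

def wif_checksum_ok(wif: str) -> bool:
    # True only for a 37-byte payload with the 0x80 prefix and a valid checksum
    try:
        raw = b58decode(wif)
    except ValueError:
        return False
    return len(raw) == 37 and raw[0] == 0x80 and checksum(raw[:-4]) == raw[-4:]

# A generated master password is "P" + WIF: 52 chars starting P5J/P5K.
# A bare WIF (51 chars starting with 5) is a leaked private key too.
SECRET_RE = re.compile(r"\bP?5[1-9A-HJ-NP-Za-km-z]{50}\b")

def find_leaked_secrets(text: str) -> list:
    # Checksum-verified hits only, so ordinary base58-looking words are ignored;
    # run this over a post or memo before it is broadcast.
    hits = []
    for m in SECRET_RE.finditer(text):
        token = m.group(0)
        if wif_checksum_ok(token[1:] if token.startswith("P") else token):
            hits.append(token)
    return hits
```

`find_leaked_secrets("sending to P" + private_wif("noisy3", "constructed sample password", "owner"))` returns that one token, while text with a single character of the key altered returns an empty list because the checksum no longer verifies.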

Setting your own password with a Python script

With the script below, you can set any password, and you can do that without the Steemit website.

# requirements: python3.5, steem==0.18.8

import json
from steem import Steem
from steembase.account import PasswordKey
from steembase import operations


# The current (generated) master password, the password you want instead,
# and the account name. All three are used only locally, to derive keys.
old_password = 'P5KMpYPGmVMkWgaDBX337eo3nULEq3MwrEtURydXbdS213exrKbx'
new_password = 'smooth lesson hawk initial promote critic'
account = 'noisy3'


# Only the OWNER key derived from the old password can authorize an
# account_update that replaces the owner authority itself.
old_owner_key = str(
    PasswordKey(account, old_password, "owner").get_private_key()
)

s = Steem(keys=[old_owner_key])

# Derive the four new private keys from the new password and keep only
# their public halves; the new private keys never leave this machine.
new_public_keys = {}

for role in ["owner", "active", "posting", "memo"]:
    private_key = PasswordKey(account, new_password, role).get_private_key()
    new_public_keys[role] = str(private_key.pubkey)

# Each authority is replaced by a single key with weight 1 and threshold 1,
# i.e. exactly one signature from that key is required.
new_data = {
    "account": account,
    "json_metadata": {},
    "owner": {
        "key_auths": [
            [new_public_keys["owner"], 1]
        ],
        "account_auths": [],
        "weight_threshold": 1
    },
    "active": {
        "key_auths": [
            [new_public_keys["active"], 1]
        ],
        "account_auths": [],
        "weight_threshold": 1
    },
    "posting": {
        "key_auths": [
            [new_public_keys["posting"], 1]
        ],
        "account_auths": [],
        "weight_threshold": 1
    },
    "memo_key": new_public_keys["memo"]
}

print("New data:")
print(json.dumps(new_data, sort_keys=True, indent=4))

# Build the account_update operation and sign it with the old owner key.
# Once it is included in a block, the old password no longer works.
op = operations.AccountUpdate(**new_data)
result = s.commit.finalizeOp(op, account, "owner")

print("Result:")
print(json.dumps(result, sort_keys=True, indent=4))

This script could be much shorter, but I think for educational purposes the script above is better.

Script in action


This article belongs to a series of articles which describe security on Steemit:

  1. What is the difference between a password and a private key(s) on Steemit? How to make your account more secure, by using them correctly.
  2. Public and Private Keys - how they are used by Steem, making all of this possible?
  3. How to generate all Steem user's keys from master password, without a Steemit website, being OFFLINE
  4. How to set your own password, which is not generated by Steemit (this article)
  5. How passwords are stored by Steemit in your browser, and why it is secure.
  6. How to setup multisig/multiple authorities for your account
  7. ...

Make sure to follow my account, if you don't want to miss any of these :)


I recommend using a password manager like 1Password. That way you only have to remember one password and your encrypted password file is backed up on dropbox. More security tips here, for those who are interested.

Exactly! I am talking about that also in the attached video in this post :)

Ah good! I haven't watched the video yet. :)

Hmm. I have been hearing about password managers for years, but I have always been afraid that by using one I exchange multiple points of failure for a single point of failure.

Are you saying they are actually trustworthy?

In my experience, yes. Depends on which one you use and how you manage it, your computer, etc (more in the video I linked to above). Alternatives to the single point of failure, from what I've seen, create more risk.

LastPass is a good option too.

Yep! I haven't used it myself and there was one scare a while back with some concerns about a potential exploit, but from what I know it's solid.

Judging by daily usage, I have nothing to complain about.

I have set my own password with steem-js. I was thinking of creating a user-friendly front-end and open source tool on github for everyone to use and explain to them why I don't trust generated passwords. I think you did a pretty good job in this article explaining some of the reasons, so thanks :]

No more copy and paste for me. Thank you :)

@paco hahahaha, I thought I was alone copying and pasting. We no longer need the old way, thanks to @noisy.

Thank you for taking the time to write this series @noisy. I paid for the expensive lesson by making the final mistake you showed only 2 days ago, when transferring 493 steem from Bittrex to Steemit. All gone 10 minutes later, and I am just lucky to have my account back already. (My story)

I wish I had read an in depth tutorial like yours the very first day I got into steemit. But at least now I have.

Keep it up!

Wow sorry to hear that. Where did you expose it?

Here is a small tip

tip! 2.0

Thank you very much for that. It's both greatly appreciated and half the reason why I think STEEM will eventually go to the Moon when I see how great this community is.

I really made two mistakes.

  1. I thought sending funds to a Steemit account required the use of the public memo key as an ID for which account to send the funds to.
  2. I mistakenly copied the wrong key from the Word file where I had saved them, posting my main password instead of the public memo key (which was unnecessary in the first place), and thus making it visible on the blockchain (dunno if they saw it on my wallet, on Steemd, or just had a bot searching for it).

10 minutes later someone had spotted my error, changed all my keys, and sent the 493 STEEM I had just received to Blocktrades. At least I got my Account Recovery done very quickly, mostly thanks to a good community here helping me reach the right individuals, and knowing some myself that could help.

Anyhow, it was really awful, and I just hope I can help others not do the same grave mistake.

Thank you for the detailed explanation. Once again sorry for your loss but I'm glad you were able to recover your account.


Password Safe is one good way of storing passwords, too.

I heard it's important to change your Steemit password because they all start with the same first few letters.

Great overview, very valuable.
I'm not a programmer; what is that interface you are using to run the script?
Please let me know if you have a resource that starts at downloading or accessing the app to run the script.

Thank you
Resteeming

what is that interface you are using to run the script?

If you are asking about the IDE, then this was PyCharm. But the IDE in that case was needed only to show step-by-step debugging. If you have Python installed on your computer, then you should be able to run this script from the console, after changing the account, old_password and new_password variables.

But if you do not know how to do that, I would rather recommend waiting a little bit for a user-friendly interface.

Great post.

That's awesome.... meaningful info.. keep going up, man

very useful information, will resteem right now as I did before with your post about private keys :)

Hello my dear friend ❤️
I am following your account every day { 🙏🤝 }
@haji

Very useful information - I was wondering about it and now I know! Thanks!

Little bit complicated:)

I'm using my default password, which is generated by Steemit...
Thanks for this information... :)
Upvoted you and following you for more information which you will share with us.... Don't forget to upvote and follow back... :)

I'm not super techie... I'm not getting it... can someone help me with it?

Yeeees.. I really wanted to do that, I just found it here..
Thank you dear for your so useful material.. Continue please..
Followed and upvoted, done.
Have a look at my blog, you may like some of my posts :-)

It's not possible to send a password in a memo; see the GitHub steem fix.

I'm too lazy to remember passwords. I recommend getting a good password manager.

great post, resteemed

Thank you for such cool tips, we really appreciate that! Upvoted and Resteemed

Some people are very proud because they remember the number π up to 10, 20, 50 digits... soon they will be defeated by the greatness of people who remember their Steemit passwords :D


That's awesome. I think I might try this; being able to make a long password in mixed Igbo and English poetry would be nice. Good luck to Mr. Hacker :D

Setting own password is a good idea but we need to trust steemit though. But very informative article. Thanks for sharing it. Resteemed

I upvoted and replied to your post, plz visit me.
Upvote, reply, follow and resteem when you work on Steemit, thanks a lot.
My id = https://steemit.com/@pranashroy

Thx @noisy for sharing.
I'm also using a password manager like LastPass because it is free and works on both desktop and your phone.

Thanks you for sharing @noisy. I am from Aceh.

Interesting :) I'll go and look more at this info, then I'll know what I must think :)

Thanks for this article. This is my first day at Steemit and I am still a bit lost about passwords. Every time I try to change the password, it randomly generates another long string for me. I am not good technically with Python scripts. So am I stuck with this long string password? Thanks for your help. Rosa


Thanks for this! I agree with what you mentioned about copy-pasting being a security issue, and this kind of forced password makes it impossible to remember. So... help a noob.. The script you posted seems clear about what to do. I downloaded Python on Windows 10 and it runs OK. I suppose I need to download and run some Steemit core for the script to do its work on? How, from where, and how to broadcast the new core with the new password?.. I know, not being a programmer perhaps I should not dig into this, but I would very much prefer a simpler solution rather than having to rely on a password manager to remember a chaotic string of characters.

Why is there no resteem arrow so that i can resteem this?

Either it doesn't work on mobile or the post is too old.

Thanks. I usually can resteem on my tablet so must be old post.

@noisy I have traveled some distance only to discover that my cell phone login allows me to do everything with the exception of powering up, transferring Steem, etc. The check box on my account is checked "Keep me logged in" and I still can't do anything with funds.
Help!

If you do not have the master password, you will never be able to recover it or withdraw your funds. This is a blockchain - no one except you has your keys/password or the right to generate a new key/password for you.

In theory, if you used beneficiary rewards to redirect all new rewards to your new account, then you could at least still use your whole follower base and withdraw all new funds.

Thanks for the reply. I have my passwords secured... they are just 1,500 miles away at the moment. I can post with the posting key, but just cannot deal monetarily. I want to power up, but can't. It looks like I might have to wait until I return to Guam in two months.

@noisy, you seem to be very knowledgeable about the Steem blockchain. I have a quick question that you may be able to answer. @someguy123 created a very nice service which allows users to create STEEM accounts much faster than following the normal process - anon steem network. I know others that have used this service. This site creates the account, gives directions to change the new password via steemit.com and, once the user updates to the new password/keys, the user is instructed to go back to the anon site and click a link to destroy the old password and keys, which presumably deletes the old passwords and keys. My question is this: if the original/old passwords/keys were not actually deleted from the server, could @someguy123 actually restore the account using the old credentials and take over the account within the 30-day window? He seems to have a very good reputation, so I doubt that is the case, but one never knows for sure and I wanted to find out if that is a possible risk.

But how can I trust Steemit not to use the auth they generated in an identity theft? If I can use my own 256-bit key in a password manager, then I could trust the site better.

Thanks for sharing @noisy, it's a very useful article. I enjoyed it.

Lets visit my page if you aren't busy.