My Experience: Biggest Barrier to 'Signing up Friends'

in #steem · 8 years ago (edited)

Let me introduce Matthew. A good friend of mine who just cannot get through the sign up process. But why??

I've been singing the Steemit name from the rooftops, but come up against one recurring problem which will be hard to solve...

The minimum 16-character password length...

I know, to a lot of us in the crypto world used to having extraordinarily long keys to take care of, a 16-character password would be seen as a prudent security measure (especially where reward/money is involved), but whilst pitching this site to many of my friends, this has been enough for most of them to give up and move on.

To put some perspective on this, I have pitched this site to 10 of my friends: 2 were just not interested by the concept, 8 of them were VERY interested, but only 2 of the 8 managed to make it through the sign-up phase. 6 of them cited the 16-character password length as the reason they didn't proceed.

Quote from Matthew: "I probably won't ever sign up until they change their 16 character password policy". I kid you not, he is in the majority of people I have asked.

Would it be in Steemit's interests to allow users to set their own security parameters? Or is this a measure that is saving ignorant people from hacking attacks (especially when hackers can see the account balances of other users)...

Interested to hear others' thoughts?


Thanks for your feedback and for recruiting! We didn't pick 16 characters because we thought it would be super secure, we picked it because it is the minimal level of security that doesn't require users to backup anything else and doesn't make us responsible for securing user data.

Unlike traditional services, the "password database" of Steem is public. This means hackers can trivially brute force passwords against any account they like. Normally each password submission must go to a server and the server can rate-limit hackers. With Steemit your password is your private key. Attackers can try millions or billions of passwords per second. An 8 character password could be brute forced in a couple of days assuming it was perfectly random.

A 16 character randomly generated password containing upper and lowercase letters and numbers contains just 96 bits of entropy. Normal private key security requires 256 bits. Keep in mind that each bit of entropy DOUBLES the security and you will see that a 16 character password is actually incredibly weak.

In 2007 there was an estimate that the cost to crack 88 bits using brute force was $300M; if you apply Moore's law you reduce this price by a factor of 16, or you might get 4 extra bits by now.

All of that said, just because it is difficult doesn't mean we shouldn't attempt to find a better solution.
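The entropy and brute-force figures in the reply above, worked through as an added example (not code from the original thread or from Steemit). It generalises slightly: besides the 62-symbol alphanumeric case it also covers word-based passphrases, and the symbol-set sizes and the 10^9 guesses/second rate are constructed assumptions, not measured values.

```python
import math

# Symbol-set sizes, constructed for this illustration (not from Steemit's code).
# A "symbol" is one character, or for passphrases one whole word.
SYMBOL_SETS = {
    "digits": 10,
    "alnum_mixed_case": 62,     # A-Z, a-z, 0-9: the 16-character case in the thread
    "printable_ascii": 95,
    "diceware_word": 7776,      # one word drawn from a 7776-word list
}


def entropy_bits(length: int, symbol_count: int) -> float:
    """Entropy of a uniformly random password of `length` symbols."""
    return length * math.log2(symbol_count)


def symbols_needed(target_bits: float, symbol_count: int) -> int:
    """Smallest length that reaches target_bits (e.g. 256 for a private key)."""
    return math.ceil(target_bits / math.log2(symbol_count))


def seconds_to_exhaust(length: int, symbol_count: int, guesses_per_sec: float) -> float:
    """Worst-case offline search time. Because the Steem key list is public,
    no server rate limit applies: guesses_per_sec is bounded only by hardware."""
    return symbol_count ** length / guesses_per_sec


def report(length: int, symbol_count: int, guesses_per_sec: float = 1e9) -> dict:
    """Entropy and worst-case search time in days for one password shape."""
    bits = entropy_bits(length, symbol_count)
    days = seconds_to_exhaust(length, symbol_count, guesses_per_sec) / 86400
    return {"bits": round(bits, 1), "days": days}


if __name__ == "__main__":
    for name, n in SYMBOL_SETS.items():
        print(f"{name:>17}: 16 symbols = {entropy_bits(16, n):5.1f} bits; "
              f"{symbols_needed(256, n)} symbols needed for 256 bits")
    r = report(8, 62)
    print(f"8 random alphanumerics at 1e9 guesses/s: {r['days']:.1f} days worst case")
```

Each extra alphanumeric character multiplies the search by 62 (about 6 bits), so a 43-character random alphanumeric string is what it takes to match a 256-bit key.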

This means hackers can trivially brute force passwords against any account they like. Normally each password submission must go to a server and the server can rate-limit hackers. With Steemit your password is your private key. Attackers can try millions or billions of passwords per second. An 8 character password could be brute forced in a couple of days assuming it was perfectly random.

What about hard-coding on Steem a 1-3 second delay after the password is entered before accepting it? Like KeePass does with "Key transformation"....

@dan, what would be best practice for securing our account beyond the 16-char password, with the private keys? I can only assume that as Steemit gains popularity we're going to be attacked in some way, if we aren't already.

The issue seems a little distant for me as I always use random passwords of more than 16 characters and then use a password manager to store them all. It does seem to be more of an issue than I thought with most people who just browse social media sites.

I don't think the solution would be to reduce the security - maybe just a message when signing up briefly explaining why it's important?
I guess it's quite unusual for most people to be asked for a password that's 16 characters long.

Same here, I've never picked a password shorter than that. I didn't know this was an issue, seems like a lethargic problem to me. How about a big disclaimer: "you are becoming your own bank, would you want a shit security system or one of high quality? Pick a secure password" 👍 Lol.

Autogenerate passwords.
Boom.
Problem solved.

I'm not sure that's a good idea. Users will more than likely forget auto-generated passwords.

No one remembers an auto generated password, the point is you auto generate a random password, put it in a password manager that you can use on your phone and computer then just remember the 'master password' that unlocks them all.

but my question is, can a hacker not then target the password rememberer program?

Tell them that we are in 2016 and they need a service like LastPass to generate and save their passwords without having to remember them. Once they get $10k in their account, they'll be happy that they had a 16-digit password so they can sleep without worrying that someone will steal their money.

Since it's blockchain, we cannot change our passwords...it's irreversible, so better be safe than sorry.

Actually, you can change your password. The public keys on your account are completely configurable.

Hello Dan. I know this seems like a silly issue, but considering there are people walking away from Steemit because of it, is there anything you could/would do about it?

For a password they can just use a sequence of words with spaces between them.

Also remember the new "suggest a password" / backup feature we have on the create account page. My Dad can't get into his account anymore because he does not remember how to work LastPass. Maybe we can still figure it out, but it could be a bit much for someone who has not used LastPass before and is going into a new platform.

KeePass is also a great option for a password manager!
(I remember I picked them because they didn't use a server to store all customers' passwords, unlike LastPass back then...)

You are 100% correct, an engineer friend of mine said basically the same thing, and he's not exactly a luddite. Everyone who is suggesting that the public be educated or is suggesting alternate solutions obviously has no entrepreneurial experience, period. You don't blame your customer for your product being hard to use, period. You don't judge whether your product is hard to use based on your own opinion, period (not saying @dan is doing that, he acknowledges something should be done). You judge based on customer feedback. The long password is a sticking point, obviously. It didn't bother me AT ALL. I use Dashlane, I literally just banged my keyboard until I reached the magic number and then Dashlane automatically saved it for me. Telling people to use Dashlane is not a solution. Telling people to use a Word doc is not a solution. What you are telling them is that Steemit requires effort. When you do that you actually hurt the platform, not help it. Regardless of whether you know you are doing this or not. This product will not be adopted by the mainstream until this problem is resolved. Period. Thanks for posting this, I thought my experience was unique.

Yep, I work with oil traders who are reasonably tech savvy, and for some reason they hate the idea of a password that long. It's good to see @dan is open to change. The problem isn't Steemit, it's more the fact that people are getting frustrated with the amount of passwords they have, the variations they are having to come up with to satisfy certain websites' criteria, and Steemit's 16-character minimum is too stressful to think about.. Thanks for your contribution.

I never thought twice about the long password. In fact I appreciated that it was more security-focused. I'm used to managing them. However my friends who are hesitant still don't believe/grasp crypto. It's too far out for them. It is my belief that we continue to attract peaceful warrior types who can lead the way for the masses. As we refine, work together and build real trust these issues will get resolved.
And I'm already doing this. I've formed 3 strong alliances so far which are proving extremely beneficial to us.

My girlfriend gave me a look of disbelief at being asked to pick such a long password. I found that the (obligatory) XKCD comic (https://xkcd.com/936/) on password strength (hard to remember / easy to hack vs easy to remember / hard to hack) was enough to convince her.
It seems that there is still a lot of educating that needs to be done to bring people around to understanding why these longer passwords are better.

I agree. It might be kinda cool to incorporate that xkcd link into the password generation process. It educates in a very entertaining way.

I'm not particularly technical, but would reCAPTCHA be a way of mitigating hacking risk? Does this prevent brute force password hacks?

It seems crazy that this issue is turning away potential community members. There must be a better way...

I believe that the point of reCAPTCHA is to make it more difficult for bots to complete the login process - to prevent lots of spam accounts being created, or perhaps to slow down a brute force attack.
The problem is that authenticating doesn't necessarily have to happen through this web page - it wouldn't stop a bot that went via an API.
Although, you could perhaps add layers of security like locking an account after 5 failed attempts to authenticate, or two-factor authentication for some actions.

I just took a Word doc and wrote random letters, numbers, and characters until I had 16. I'm glad it's 16 characters and not 8 to 10 especially since dealing with money that people could hack into and steal. I'll grant you that it's still not impossible with 16 characters but it's harder than for eight or 10.

Someone who wants to find an excuse will find one.

I love the extra long passwords! I cannot tell you how many times at work I get a "cannot use special characters" or "password too long". This drives me insane. I'm shouting the website all over to all my friends as well. Keep it up!

Ugh, this reminds me of my friends who skipped kraken registration cause they couldn't get through the fucking password. Just use it twice in a row from your normal one, idiots.

I agree, but the best thing for the Steemit community is to have a growing user base. I think we are in the minority; it makes no sense, but the psychology exists. I would suggest an 8-character password with a 4-digit PIN or a personal question... That might make the sign-up process less 'scary' for those who are put off by the 16-character length...

HA! That's just the start of it. There isn't a password recovery option either. And while that's understandable if you care about the tech behind it - users do not care, nor should they.

Applications like steemit need to simplify the benefits of blockchain, not fully adopt the complexities.

I agree. The great thing is, this is still early days, things are going great, they have a little time to iron out these issues. I'm sure the guys will address these problems...

hello matthew have a nice day

:) Vote back sir

Have a nice day

I don't get what's so difficult about creating a password that is 16 characters long? You just randomly bash on your keyboard a few times and hey presto, there's your password! Seriously, it's child's play!

We have added a "suggest a password" feature. This also leads you to a backup page.

Good idea, a 16-digit password so that you can sleep peacefully. I think that all will appreciate it and rush to register!

hey welcome to steemit!