You are viewing a single comment's thread from:

RE: Offline Attack on Steem User Credentials

in #steem9 years ago (edited)

OK, i was a little pissy bittrex is fucking with my money.
anyway
1 yeah, i get that the private key obviates the need for the password here... my concern at the time was that after the users got their accounts back, the hacker could take the key, work their way backward to the users password, then use that password to attack other accounts.

2 SO what happens if the value of their assets decreases by 50% while theyre messing around with password recovery?

3 You could have proved your point by contacting tptb with the password list. Or upvoting this post.. or running some kind of script to make them all post horse pornography every few hours until they changed their password.

I know if it happened to me, id be pissed (even though i dont keep a ton of money here)... i guess im not behind it but i realize it was well intentioned.

Sort:  
  1. This is true. However, your point actually unscores another reason why machine-generated passwords are urgently needed. Any steemit user who has used his steemit username/password elsewhere has now given any attacker in the world a means to recover these credentials via offline attack since the steemit blockchain is forever public. I doubt most users appreciated this fact when steemit prompted them to choose a password at signup.
  2. There were very few accounts with significant liquid assets and I wagered they would prefer a recovery delay to getting robbed. IMHO Steem has gotten enough buzz recently that I can guarantee there's a pointy mustached blackhat somewhere silently cursing me for doing this before he had a chance to run the heist script he was working on.
  3. Conspicuously signaling which accounts had weak passwords but not updating their keys would have made it even more trivial for black hats to hijack these accounts since the scrambled passwords in the blockchain are essentially salted (making targeted attacks orders of magnitude more efficient). To your other point, there are several issues with sending an out-of-the-blue email to support@ with a boatload of user creds and an opinionated rant about password UI design; although, originally that was my plan. However, the more I thought about it, the more it seemed likely the current design is a conscious decision that unwisely (especially given point 1) trades off security to optimize signup completion rate and if that's the case a little bit of hand-forcing is useful.