Steemit tells you to save your password to a text file. Seriously?!? Instead, hide it.

in #steemit, 8 years ago



The first time I hacked a PC it took me about 9 minutes and a set of instructions from the internet.

All cryptocurrency is hackable, and for that matter, all passwords are hackable. Last year, the top secret clearance database for the U.S. was hacked, opening a significant portion of the U.S. population and almost everyone with U.S. security clearance to blackmail. How secure is your .txt file? The Iranian government had offline computers set up to control their nuclear material centrifuges, but they were still hacked via USB drives brought in by unsuspecting employees. How safe is your PC or Mac with standard hardware and software, or a paid antivirus used by millions of people; or worse, your phone?

Last year a web server at my current company was hacked, over and over again. I did not sleep for three weeks (okay, that’s an exaggeration, but you get the point). It turns out we had two legacy websites out of hundreds that happened to have a particular program and a particular Windows Server 2008 IIS default setting that created the vulnerability. When the two were combined, the hacker was able to upload a file and slowly take over the system. Through trials, I have become very adept at tracking down hackers. This hacker happened to be from China. The countries where most of these hackers seem to work from, including China, have no laws (or unenforced laws) against it. There is really no way for the U.S. government to stop them or enforce anti-hacking laws in these countries. In fact, in China, I personally believe they are usually state sponsored. Look it up, the Chinese government has skyscrapers full of hackers.

So, what is the burgeoning blogger to do? For most sites, I would suggest memorizing your passwords and making them complex. There is a very simple way to do this that most people don’t know: “Every good monkey climbs ladders 376 times a day! To stay big and strong!” What does that mean? The truth is, it is a simple way to memorize this password: “Egmcl376tad!Tsbas!” It is the first letter of every word from a bizarre and simple-to-remember phrase. The best password is a memorized password. When I need to fix a computer and someone forgets to give me a password, the first thing I look for is a sticky note on their computer. Seniors tend to have a larger printed list of all these passwords, well-labeled for each site, in their desk.
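As an added example (not from the original post), here is the post's mnemonic rule written out as a function. It pins down the two cases the prose leaves implicit: a number is kept whole and trailing punctuation is kept, which is how the phrase above yields “Egmcl376tad!Tsbas!”.

```python
# Added example, not part of the original post: the "first letter of every
# word" rule from the post, with the two details the example password implies.
import string


def phrase_to_password(phrase: str) -> str:
    """Turn a memorable phrase into a password using the post's rule.

    For every whitespace-separated word take its first character; a word
    made entirely of digits (e.g. "376") is kept whole; punctuation at the
    end of a word (e.g. the "!" in "day!") is kept as well.
    """
    pieces = []
    for word in phrase.split():
        core = word.rstrip(string.punctuation)   # "day!" -> "day"
        tail = word[len(core):]                  # "day!" -> "!"
        if not core:                             # a lone "-" or "..." token
            pieces.append(tail)
            continue
        pieces.append(core if core.isdigit() else core[0])
        pieces.append(tail)
    return "".join(pieces)


def has_all_classes(password: str) -> bool:
    """True when the result mixes upper case, lower case, digits and symbols,
    which is what the phrase must supply for the password to be complex."""
    checks = (str.isupper, str.islower, str.isdigit,
              lambda c: c in string.punctuation)
    return all(any(check(c) for c in password) for check in checks)


if __name__ == "__main__":
    phrase = "Every good monkey climbs ladders 376 times a day! To stay big and strong!"
    pw = phrase_to_password(phrase)
    print(pw, has_all_classes(pw))
```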

Here’s the problem: Steemit generates your password. Unless you have an eidetic memory, you probably can’t memorize a 50+ character randomly generated password. Do not have your browser save your password. Anyone who hacks into your computer gets almost free rein. Besides, they probably have access to your email now and can reset most of your other non-Steemit passwords with a forgot-password email. Honestly, Steemit has one of the best password programs I have ever seen. However, Steemit has a fatal flaw. Saving your password to a document makes it super easy to find.

Many devices back up directly to the “cloud.” Think Chromebook, OneDrive, Android and iPhones - all of them. The cloud is just a network of hackable servers with all kinds of information - TurboTax backups, social security numbers, and I imagine, a fair amount of Steemit passwords as well. Cloud servers have been hacked and they will be hacked again. Personal computers are vulnerable to hacks and so are top security government servers.

So maybe at this point you decide to print out your ridiculous password and type it in every time. Of course, then it can be key logged or found by anyone in your office. So what’s the most reasonably safe solution? Hide it.

Hiding a password is easier than you think. Just about every file on your computer can be opened with Notepad or TextEdit. So open the picture from your last family vacation (unless, of course, you’re a famous actress – then that is prime hacker territory) and hide your password in the code. It’s super easy. Here are the PC instructions:

  1. Open Notepad.
  2. Under File, hit Open…
  3. In the bottom right, change “Text Documents (*.txt)” to “All Files”.
  4. Select your image file – this should be a copy of your picture, not the original.
  5. Paste in your password.
  6. Remember where you put it.
  7. Press File, Save (not Save As…).
  8. Now your image file is saved where you had it, with the password in it.

That’s it. You have now dramatically decreased the likelihood of your password getting hacked.
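An added example (not from the post): the same edit done in Python in binary mode, which writes the image bytes back untouched, with two checks a practitioner would want: that the picture is intact, and how the password is actually stored afterwards. The secret is appended after the image data, which JPEG (FF D9 end marker) and PNG (IEND chunk) decoders ignore, so the picture still opens. The sample JPEG framing and the marker string are constructed stand-ins.

```python
# Added example, not part of the original post: append a secret to a copy of
# an image in binary mode, confirm the image bytes are unchanged, and show how
# the secret sits on disk afterwards (as plain text, locatable by a byte search).
import os
import tempfile
from typing import Optional

# Constructed stand-in for a picture: SOI, an APP0 header, filler, EOI (FF D9).
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16 + b"\xff\xd9"
MARKER = b"\n#steem#"   # constructed delimiter so the owner can find the secret


def hide_in_image(path: str, secret: str) -> None:
    """Append MARKER + secret after the image data; decoders stop at EOI."""
    with open(path, "ab") as f:
        f.write(MARKER + secret.encode("utf-8"))


def image_intact(path: str, original: bytes) -> bool:
    """The leading bytes must still equal the original image byte-for-byte."""
    with open(path, "rb") as f:
        return f.read(len(original)) == original


def recover_secret(path: str) -> Optional[str]:
    """Read the secret back: everything after the last MARKER."""
    with open(path, "rb") as f:
        data = f.read()
    i = data.rfind(MARKER)
    return None if i < 0 else data[i + len(MARKER):].decode("utf-8")


def stored_as_plaintext(path: str, secret: str) -> bool:
    """True if the secret's bytes appear verbatim in the file (hidden, not encrypted)."""
    with open(path, "rb") as f:
        return secret.encode("utf-8") in f.read()


def demo(secret: str = "Egmcl376tad!Tsbas!") -> dict:
    """Run the whole procedure on a temporary copy and report the checks."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "vacation_copy.jpg")
        with open(path, "wb") as f:
            f.write(SAMPLE_JPEG)
        hide_in_image(path, secret)
        return {"image_intact": image_intact(path, SAMPLE_JPEG),
                "recovered": recover_secret(path),
                "plaintext_on_disk": stored_as_plaintext(path, secret)}


if __name__ == "__main__":
    print(demo())
```

Note that a text editor such as Notepad re-encodes what it loads, so pasting in binary mode as above is the reliable way to keep the image bytes identical; the last check shows the password itself is unchanged on disk, only relocated.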

If you want Mac instructions, post a comment and I will add them.


Use a secure password manager. This will keep your password safe, not just hidden, and can be easily accessible to you when and where you need it. Several are available for free on every platform.

But those are still vulnerable to viruses and anything else that can infiltrate your computer. If you really want to be secure, offline is the best solution.

Password managers don't solve all problems related to securing credentials. They do however, reduce many of the risks. There is no such thing as perfectly secure. But by reducing the vulnerabilities and weaknesses, you can improve your situation and greatly reduce the risks of loss.

For example, a password manager allows people to create different passwords, which are very strong, for different sites. One of the biggest risks is the repeated use of a single password across many different services. Although one password is convenient to remember, if an attacker finds out your password to one site, they can then login to many more. Your loss is therefore multiplied. There are other benefits, but I won't bore you unless you want more detail (I could write a blog on it if there was interest).

Please google how to hack KeePass. You won't use it anymore.

Just googled a suggestion lmao, I don't use any of them, my password is inside my best location to keep??? My BRAIN!!!!:)

How secure is any free program? I've found many people who use these get all their accounts hacked and sometimes their online bank accounts as well.

I upvoted You

I would think the best way would be, instead of even having it on a device that interfaces with the web, to put it just on good old-fashioned pen and paper and hide it. That prevents electronic measures from retrieving it.

I wrote the article based on industry experience and the research backs up my opinion. Here is some research suggesting that writing down passwords is a bad idea and you still have to worry about simple key loggers when typing it back in. If you still think writing it down is the best idea, you might want to make sure your password is in a secure fire rated safe (Amazon sells some great ones).

https://www.microsoft.com/en-us/research/wp-content/uploads/2006/11/www2007.pdf

http://www.guanotronic.com/~serge/papers/chi11b.pdf

https://www.wired.com/2016/03/want-safer-passwords-dont-change-often/

https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes

http://www.scmagazineuk.com/study-one-third-of-employees-still-write-down-passwords/article/106916/

http://passwordresearch.com/stats/statindex.html


Yes, keyloggers are a problem; interfacing with any computer that has been connected to the internet is a risk. The best way would be to set up a dummy account and transfer any sizable funds there. Of course that removes the option to upvote with your power, but it is still saved. Thank you for responding, and great post!

Thanks for the replies and reading the post.

Very clever! Thanks for the tip, never thought of that before!! I personally keep my passwords on an external USB, but that has its obvious flaws as well. Of course you can hash a random memorized password and then use the new hash as the password and never save it; just remember the password you used to hash, and then remember how many times you hashed it and what hashing algo you used. But super inconvenient. Seems convenience is the inverse of security and vice versa.

The best location to keep it is to write it down, burn it and drink it, it will be forever with u :D

Steem is ultimately secured by the password recovery and time-locked funds.

Multifactor authentication can also be used in the future. In the meantime, users are their own worst enemies. Forgetting / losing passwords is far more common than hacking.

Unfortunately, even with a 16+ character password people are too stupid (in general) to pick secure passwords. Any system that assumes people will be smart and use techniques that allow them to remember their password is flawed. Hell, I cannot even remember my own passwords for services most of the time.

I still think this way is better as it is... I still trust myself more than those trying to hack my accounts, and those mail recoveries make it even worse. Choosing our own secure password manager makes it better and easier imo, easier to customize to each one's needs.

I really couldn't say for sure.

A text file is indeed very bad. I memorize all my passwords and so can you. With memory techniques you can remember very secure and long passwords. Today I posted about a new free ebook from a memory coach friend of mine. Follow me for more about memory and get the book as long as it is free: https://steemit.com/security/@flauwy/new-ebook-free-for-limited-time-the-hack-proof-password-system

Thanks for your method, it looks secure to me. :)