In another post, the founder (@quochuy) of the @TeamVN community and bot discussed trust in terms of password sharing for an online community administration. In the comment section, he responded that many users “still use their master password instead of their posting key which is a security issue which is something non-tech people don’t understand yet.” I am here to say I am one of the non-tech people. But I think there is more. Please note that I don't have the expertise to judge the system. This is how I feel about things and my interpretation of it.
When you first sign up for steemit, you receive a master password, a posting password, an active password, an owner password, and a memo password. Within the posting password, you have to click “show private key” to see the posting password. For the active key, you have to “login to show”, which I assume you do with the master password. So in essence, you’re getting a total of 7 randomly generated passwords that have different usages.
I understand the security risk of using the wrong password for the wrong reason. That if my password gets into the wrong hands, the perpetrator can take over my account, clear out my steem balance, and I would have no way of recovering it because this is a public blockchain. Theoretically that sounds really motivating to understand which of the passwords to use and which one to lock down in a safe. However, it doesn’t fluidly correspond with how I go about my day posting on the steemit blockchain.
First of all, there are 7 passwords whose usages I have to differentiate between. That’s a lot of passwords. It seems quite convenient to use the one that works for all functions. What exactly is the function of the memo password anyway?
Secondly, these passwords are randomly generated characters. So I can’t ever remember them. I have to save them somewhere to be able to access them. So what do I do? I put them in my online email inbox so that I can copy and paste them as I need them. I also save a copy in my iPhone Notes app. I am sure that is what the developers of steemit would want its users to do. I work on different machines throughout the day. So I want easy access to them. So I probably broke the cardinal rule of "Don't" by putting passwords on a potentially hackable site. In addition, I perform multiple functions on the site during the day, sometimes more than others. My primary activity on the site is posting, but I also transfer funds between accounts and other users, as well as collect funds that are deposited from posting and curation activities (by the way, why can't these automatically be added to the balance... why do the developers make us claim the funds?... Doesn't seem convenient at all.)
Thirdly, I think as additional services are added and different sites hook up to the blockchain, this will get even more confusing. I use busy.org, esteem, tasteem, smartsteem, and a host of other services that require a password login. I think I found a combination that works. But in the back of my mind, I am always thinking what if today is the day that I posted the wrong password to the wrong site.
Steemit expert users often share with me links to understanding the steemit password differences, such as this one. For many early adopters learning about steem and the steemit community, this is part of the learning process. They're comfortable with the nuances. As we think about mainstream users, that's a huge hurdle for them to jump in order to adopt the technology. I believe many will not make that leap and use the password system as it is intended in its current iteration.
In conclusion, I think that the password module in steemit is confusing to non-technical users such as myself. I hope that as the community becomes more developed and new users come on board, that we think about it differently. Who knows, maybe in eighteen months, someone will think of a brilliant way to solve this issue. For now, I'm probably playing with fire.
Ahh! So your email provider has your password. Shit. If you're going to put your password on the cloud, at least client-side encrypt it.
Sounds like you need to start using a password manager, such as LastPass.
Most passwords you can remember are not secure enough. Ideally, you switch to having one master password for your password manager that is very secure AND you remember. The rest of your passwords are long strings of random characters/numbers and are remembered by the password manager.
I have to go try LastPass. Are the passwords stored locally or on a cloud? Meaning if I change devices, do I have to remember to put back everything or I just need to remember the LastPass's password?
Passwords are backed up to the cloud, but in an encrypted way. Therefore your passwords will sync across all of your devices (which I agree is essential convenience). However, your master password never leaves your computer. A good litmus test is that if you lose your master password, there is no way for LastPass to reset it. They may have a less secure option in which they can reset your password (and hence have access).
My only gripe with LastPass is that it's not fully open source, which is a BIG GRIPE when it comes to security critical software. But I'm not aware of an open source option that provides syncing across devices.
Also never use the same password on multiple sites. The password manager helps here as well.
I think it has been 4 months that I’ve used Steemit. But I didn’t bother about other keys as I am a non-tech person too! Still now, it is annoying to login to different computers.