Passwords: A Rant!

in #computing · 2 years ago (edited)

Background: I'm currently writing a "Zero to Witness" series where I'm trying to provide every piece of knowledge required to become a Steem Witness, as I learn myself.

I found myself writing a long rant about server password choices that's probably better as its own post, so here it is.

[Image: enter_password.png]

Choose a strong password. We're in cryptoland. Transactions are irreversible. There's nobody to appeal to, and your wallet is a target. That's the stark truth of it, but the tech that makes those facts true is the same tech that provides the great advantages that come from solving the Byzantine Generals problem and cutting out the middleman in our dealings with each other.

I quite like this password generator from LastPass, but the ideal password is one that you neither need to copy and paste from somewhere, nor trust a password manager app with. It's really much better if a critical password is only recorded in your head (though a paper backup in a safe is also acceptable, in my opinion).

Please don't trust any password manager with crypto passwords. Another harsh truth: As an end user of one of these products, it is impossible to assess whether the app has the best intentions, or is designed to out-and-out steal your credentials. Your actual vulnerability level is impossible to judge, and therefore must be considered equal whether you are using a legitimate app or a shady one. This applies just as much to a mainstream commercial product as to a community-vetted open source solution. The open source app may have vulnerabilities due to not enough eyes verifying it; the commercial one may have to bow to governmental or other intervention, or through sheer exposure might become a target for skilled attackers.

The old saying that there's no security through obscurity can be applied in a completely different context here. Turn it on its head; there is security in clarity. In pragmatic terms, that means we should strive to limit the layers of abstraction in our solutions. A password manager represents an additional layer of abstraction, and it's one we can well do without.

If you share my perspective, and would prefer a password that you can remember without assistance, the "correct horse battery staple" generator works very well. If you're wondering where that name's from, check out this XKCD comic! Passwords generated this way are considered by some to be more secure than hard-to-remember gibberish ones. However, to prevent dictionary attacks, it's always best to add your own twist to the formula.
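To make the "more secure than gibberish" claim concrete, here is an added example (not from the original post or from any generator site) that builds a correct-horse-style passphrase locally with the OS CSPRNG and works out the entropy of passphrases versus random-character passwords. The word list is a constructed sample; `SAMPLE_WORDS`, `LIST_SIZE_DICEWARE` and the function names are assumptions for the demonstration.

```python
import math
import secrets

# Constructed sample list for the demo; a real diceware-style list has thousands of entries.
SAMPLE_WORDS = [
    "correct", "horse", "battery", "staple", "window", "planet", "river", "candle",
    "marble", "forest", "silver", "button", "rocket", "garden", "pillow", "anchor",
]
LIST_SIZE_DICEWARE = 7776   # 6^5 words, the size of the classic diceware list (assumed constant)
PRINTABLE_ASCII = 94        # characters available for a "gibberish" password


def passphrase_entropy_bits(word_count: int, list_size: int) -> float:
    """Entropy of word_count words drawn uniformly, with replacement, from list_size words.

    The attacker is assumed to know the word list, so the only secret is which
    words were picked: word_count * log2(list_size) bits.
    """
    return word_count * math.log2(list_size)


def gibberish_entropy_bits(length: int, alphabet_size: int = PRINTABLE_ASCII) -> float:
    """Entropy of a truly random string of `length` characters over `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def words_needed(target_bits: float, list_size: int) -> int:
    """Smallest number of words from list_size that reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(word_count: int, words=SAMPLE_WORDS, separator: str = " ") -> str:
    """Pick words with secrets.choice (OS CSPRNG); random.choice is not suitable for secrets."""
    return separator.join(secrets.choice(words) for _ in range(word_count))


if __name__ == "__main__":
    # Four words from a 2048-word list (the XKCD figure) give 44 bits, roughly a
    # 7-character random printable-ASCII password, but far easier to remember.
    print("4 words / 2048-word list :", passphrase_entropy_bits(4, 2048), "bits")
    print("7 random ASCII characters:", round(gibberish_entropy_bits(7), 1), "bits")
    print("words for 80 bits (diceware):", words_needed(80, LIST_SIZE_DICEWARE))
    print("sample passphrase:", generate_passphrase(4))
```

The sample list is far too small for real use (16 words give only 4 bits per word); the point is the arithmetic, which scales with the list you actually draw from.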

Sometimes, you don't control the password. Your Steem keys are something that ultimately, you need to paste into something in order to interact with the blockchain. Do you trust your browser to remember your Steem posting key? What about your active key?

Do you trust steemit.com to use those keys to post to the Steem blockchain on your behalf?

Do you trust that the password generator sites are really generating those passwords on the client side, in the browser, without exfiltrating them to a server that is hoovering them up? If you happen to be a competent web developer, that one's at least easy to check. (Did you check with a competent web developer? ... I could go on and on.)

I might preach this stuff, but I'm not perfect. For my part, I do trust Steemit, and I trust my browser with my posting key but no other key. I just want you to have your eyes open to every potential security choke point.


Did you start your note already? I cannot add you to my witness list.

Not yet! I'll be bringing it online in a couple more episodes time :)

Don't be shy about mentioning me when the time comes!
It's really good to see the activity of committed witnesses - this must be supported... :-)

Thank you very much for the support!

You know..., this is one-in-a-million content that I truly appreciate, and as such it's some of the best content I have read today.

Passwords have been the struggle of all times for users... I can remember some months back when I helped some of my friends recover some compromised Facebook accounts... and I preached the same thing to them.

Personally, I don't trust password managers..., because it might be another market arena for the bad guys....

Overall, this was a useful piece.

I'd like to read your next content...
