How to set your own password, which is not generated by Steemit

8 days ago
63 in security

OK, we are moving fast with our Steem Security series, but it is fun, so let's continue and learn something very useful today :)


Let's start with a quick recap of what we learned in the previous articles:

In the first article, I mentioned that you do not need to use your password at all in order to use your Steem account.

So why do I need a Master Password at all?

Technically speaking, you don't. If you have all your private keys (posting, active, owner, memo), then you can do everything without a password, even create a new password and a new set of keys.

Why is that? Because in the whole Steem ecosystem a password is used for one thing only: generating the public and private keys from it. And exactly this is done under the hood, so you never hand the password itself to the blockchain.

From the 2nd article you should remember that transactions pushed to the Steem blockchain are authorized by signing each one with the proper individual private key. This works only because the Steem blockchain stores a corresponding public key for every user.

And most importantly: the Steem blockchain does not store your password. It only stores the public keys generated from your password.

Conclusion: if you want to change a password, a new set of keys has to be generated from it. The password is effectively changed when the new public keys are uploaded to the Steem blockchain.

Scenario: Changing a password with Steemit.com website

  1. User @noisy3 wants to change an old, long and hard to remember password, P5KB2ir4BaDTeeBe5SUW16F6NYGeYSVaUBn261kDPLGGCSiNahtm, to a new one.
  2. From the user menu, the user chooses the "change password" option and is redirected to https://steemit.com/@noisy3/password
  3. The user has to provide the old password, but cannot provide a new password, because it is generated by the Steemit website.
  4. If the user wants to change the password, they end up with a long, hard to remember but very secure new password, like this one: P5KMpYPGmVMkWgaDBX337eo3nULEq3MwrEtURydXbdS213exrKbx

Question

  1. Why can't a user set their own password?

    Steemit changed its password policy last year. Before that, users were able to set any password. The only requirement was that it had to be at least 16 characters long.

    But the truth was that if a user set a string of characters like 1234567890123456 as the password, then this password wasn't secure at all, because it was very easy to guess or brute-force using the most common password patterns.

  2. Why do I need such a hard to remember password?

    What you actually need is a very secure password, and secure passwords are often very hard to remember. You probably treat Steemit as just another social media website, so you might be surprised that a password like your Facebook password is not strong enough here. (BTW, I hope that you do not use exactly the same password on all types of services - that is very dangerous!)

    The reason why your password has to be so secure is simply that with this password you also manage all your funds. So your Steem password should be as hard to guess as the password to your bank account!

Concerns

Generated passwords are very secure, but there are at least 3 big problems with them:

  1. They are hard to remember, and the truth is that they do not have to be.

  2. You need to trust the Steemit website that this password is generated randomly and is not saved anywhere.

  3. Passwords generated in this way follow a well-described and well-known specification. Every Steem user can easily recognize that random strings of letters like these are probably Steem passwords:
    - P5JcPfXayxiaFYPPKrt2BJGajtpACHoh35WZcgP6YKWuvovAYfb1
    - P5K6j5G7tp6B9JsR6HVJf7NE828Ms3oMvYhReDrXMZe1dohiPdg4
    - P5JigoK5v3E7E2ChbVhjb3Ji9USKz5vJBu9m2Yubf3aeJE1mxAmt

    So guess what will happen if you accidentally publish your password somewhere, because you copied it from a password manager or a file and forgot that it is still in your clipboard. This might happen:
    [screenshot]
    or this:
    [screenshot]

The screenshot above shows a real live example of a situation where a user exposed a password by accident.
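Two things above deserve a concrete demonstration: that a Steem password is nothing more than a seed from which each role's private key is derived, and that a generated password (or a bare private key) has a recognizable, checksummed format, which is what makes an accidental paste so dangerous. The example below is added here and is not code from the article or from the steem library; it reimplements with plain hashlib the sha256(account + role + password) derivation that steem-python's PasswordKey uses, encodes the result as WIF, and then uses the same base58 and checksum logic as a pre-post check that flags a Steem password or private key in free text. The account name and new password are taken from the article's script; all function names are my own.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58encode(raw: bytes) -> str:
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out  # each leading 0x00 -> '1'

def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        n = n * 58 + B58.index(ch)  # ValueError for a character outside the alphabet
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x00" * (len(text) - len(text.lstrip("1"))) + body

def checksum(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def to_wif(secret: bytes) -> str:
    # Wallet Import Format: 0x80 || 32-byte secret || 4-byte double-sha256 checksum
    return b58encode(b"\x80" + secret + checksum(b"\x80" + secret))

def derive_private_keys(account: str, password: str) -> dict:
    # Steem's brain-key scheme (what steem-python's PasswordKey does): the private key
    # for each role is sha256(account + role + password). Only public keys go on-chain.
    return {role: to_wif(hashlib.sha256((account + role + password).encode()).digest())
            for role in ("owner", "active", "posting", "memo")}

def classify_secret(token: str):
    # 'password' for a Steemit-generated password ('P' + WIF), 'wif' for a bare private
    # key, None otherwise. The checksum makes a false positive practically impossible.
    if token.startswith("P") and len(token) == 52:
        wif, kind = token[1:], "password"
    elif len(token) == 51:
        wif, kind = token, "wif"
    else:
        return None
    try:
        raw = b58decode(wif)
    except ValueError:
        return None
    if len(raw) != 37 or raw[0] != 0x80 or raw[-4:] != checksum(raw[:-4]):
        return None
    return kind

def find_leaked_secrets(text: str) -> list:
    # Scan free text (a comment, a memo, a chat message) before it is posted.
    return [(tok, classify_secret(tok)) for tok in text.split() if classify_secret(tok)]
```

A client or bot that runs find_leaked_secrets over a comment or memo before broadcasting it can refuse to post, which is the mitigation the screenshot above calls for.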

Setting your own password with a Python script

With the script below, you can set any password, and you can do that without the Steemit website.

# requirements: python3.5, steem==0.18.8

import json
from steem import Steem
from steembase.account import PasswordKey
from steembase import operations


# The current password (here the one Steemit generated) and the new password
# you choose yourself. A fresh set of keys is derived from the new password
# and only their public halves are published to the blockchain.
old_password = 'P5KMpYPGmVMkWgaDBX337eo3nULEq3MwrEtURydXbdS213exrKbx'
new_password = 'smooth lesson hawk initial promote critic'
account = 'noisy3'


# The owner key derived from the old password signs the account_update
# operation: replacing the owner authority requires the owner permission.
old_owner_key = str(
    PasswordKey(account, old_password, "owner").get_private_key()
)

s = Steem(keys=[old_owner_key])

# Derive one key pair per role from the new password. The private keys never
# leave this machine; they are recomputed from the password whenever needed.
new_public_keys = {}

for role in ["owner", "active", "posting", "memo"]:
    private_key = PasswordKey(account, new_password, role).get_private_key()
    new_public_keys[role] = str(private_key.pubkey)

# Each authority gets a single key with weight 1 and threshold 1, the same
# single-key layout Steemit creates. Memo has no authority, just a key.
new_data = {
    "account": account,
    "json_metadata": {},
    "owner": {
        "key_auths": [
            [new_public_keys["owner"], 1]
        ],
        "account_auths": [],
        "weight_threshold": 1
    },
    "active": {
        "key_auths": [
            [new_public_keys["active"], 1]
        ],
        "account_auths": [],
        "weight_threshold": 1
    },
    "posting": {
        "key_auths": [
            [new_public_keys["posting"], 1]
        ],
        "account_auths": [],
        "weight_threshold": 1
    },
    "memo_key": new_public_keys["memo"]
}

print("New data:")
print(json.dumps(new_data, sort_keys=True, indent=4))

# Build the account_update operation, sign it with the old owner key and
# broadcast it. From now on only keys derived from the new password work.
op = operations.AccountUpdate(**new_data)
result = s.commit.finalizeOp(op, account, "owner")

print("Result:")
print(json.dumps(result, sort_keys=True, indent=4))

This script could be much shorter, but I think that for educational purposes the script above is better.

Script in action

[video of the script being run]

This article belongs to a series of articles describing security on Steemit:

  1. What is the difference between a password and private key(s) on Steemit? How to make your account more secure by using them correctly.
  2. Public and Private Keys - how are they used by Steem, making all of this possible?
  3. How to generate all of a Steem user's keys from the master password, without the Steemit website, while OFFLINE
  4. How to set your own password, which is not generated by Steemit (this article)
  5. How passwords are stored by Steemit in your browser, and why it is secure.
  6. How to set up multisig/multiple authorities for your account
  7. ...

Make sure to follow my account, if you don't want to miss any of these :)

72
  ·  8 days ago

I recommend using a password manager like 1Password. That way you only have to remember one password and your encrypted password file is backed up on dropbox. More security tips here, for those who are interested.

·
63
  ·  8 days ago

Exactly! I am talking about that also in attached video in this post :)

·
·
72
  ·  8 days ago

Ah good! I haven't watched the video yet. :)

·
43
  ·  8 days ago

Hmm. I have been hearing about password managers for years, but I have always been afraid that by using one I exchange multiple points of failure for a single point of failure.

Are you saying they are actually trustworthy?

·
·
72
  ·  8 days ago

In my experience, yes. Depends on which one you use and how you manage it, your computer, etc (more in the video I linked to above). Alternatives to the single point of failure, from what I've seen, create more risk.

·
50
  ·  7 days ago

LastPass is a good option too

·
·
72
  ·  7 days ago

Yep! I haven't used it myself and there was one scare a while back with some concerns about a potential exploit, but from what I know it's solid.

59
  ·  8 days ago

I have set my own password with steem-js. I was thinking of creating a user-friendly front-end and open source tool on github for everyone to use and explain to them why I don't trust generated passwords. I think you did a pretty good job in this article explaining some of the reasons, so thanks :]

56
  ·  8 days ago

No more copy and paste for me. Thank you :)

·
37
  ·  8 days ago

@paco hahahaha I thought I was alone copying and pasting. We no longer need the old way, thanks to @noisy.

58
  ·  8 days ago

Thank you for taking the time to write this series @noisy. I paid the expensive lesson by doing the final mistake you showed only 2 days ago when transferring 493 steem from bittrex to steemit. All gone 10 minutes later, and I am just lucky to have my account back already. ( My story )

I wish I had read an in depth tutorial like yours the very first day I got into steemit. But at least now I have.

Keep it up!

·
53
  ·  8 days ago

Wow sorry to hear that. Where did you expose it?

Here is a small tip

tip! 2.0

·
·
58
  ·  8 days ago

Thank you very much for that. It's both greatly appreciated and half the reason why I think STEEM will eventually go to the Moon when I see how great this community is.

I really made two mistakes.

  1. I thought sending funds to a steemit account required the use of the public memo key as an ID for which account to send the funds to.
  2. I mistakenly copied the wrong key from the word file where I had saved them. Posting my main password instead of the public memo key (which was unnecessary in the first place), and thus making it visible on the Blockchain (dunno if they saw it on my wallet, on Steemd, or just had a bot searching for it).

10 minutes later someone had spotted my error, changed all my keys, and sent the 493 STEEM I had just received to Blocktrades. At least I got my Account Recovery done very quickly, mostly thanks to a good community here helping me reach the right individuals, and knowing some myself that could help.

Anyhow, it was really awful, and I just hope I can help others not do the same grave mistake.

·
·
·
53
  ·  8 days ago

Thank you for the detailed explanation. Once again sorry for your loss but I'm glad you were able to recover your account.

·
56
  ·  8 days ago

Hi @fredrikaa! You have just received a 2.0 SBD tip from @sneakgeekz!

@tipU - send tips by writing tip! in the comment and get share in service profit :)
By upvoting this comment you support the service - thanks!

56
  ·  8 days ago

I heard it's important to change your Steemit password because they all start with the same first few letters

53
  ·  8 days ago

Great overview, very valuable.
I'm not a programmer; what is that interface you are using to run the script?
Please let me know if you have a resource that starts at downloading or accessing the app to run the script.

Thank you
resteeming

·
63
  ·  8 days ago

what is that interface you are using to run the script?

If you are asking about the IDE, then this was PyCharm. But the IDE in that case was needed only to show step-by-step debugging. If you have Python installed on your computer, then you should be able to run this script from the console, after changing the account, old_password and new_password variables.

But if you do not know how to do that, I would rather recommend waiting a little bit for a user-friendly interface.

40
  ·  8 days ago

Great post.

44
  ·  8 days ago

great post, resteemed

41
  ·  3 days ago

Thanks for this article. This is my first day at Steemit and I am still a bit lost about passwords. Every time I try to change the password, it randomly generates another long string for me. I am not good technically with Python scripts. So am I stuck with this long string password? Thanks for your help. Rosa

46
  ·  8 days ago

very useful information, will resteem right now as I did before with your post about private keys :)

25
  ·  8 days ago

I'm using my default password which is generated by Steemit ...
Thanks for this information... :)
Upvoted you and following you for more information which you will share with us.... Don't forget to upvote and follow back... :)

41
  ·  8 days ago

I'm not super techie... I'm not getting it... can someone help me with it?

39
  ·  8 days ago

Yeeees.. I really wanted to do that, I just found it here..
Thank you dear for your so useful material.. Continue please..
Followed and upvoted, done.
Have a look at my blog, you may like any of my posts :-)

5
  ·  8 days ago

Thanks for sharing these tips and this information. I'm sure this post will be the first in Steemit.

58
  ·  8 days ago

It's not possible to send a password in a memo, see the GitHub steem fix.

56
  ·  8 days ago

I'm too lazy to remember passwords. I recommend getting a good password manager.

33
  ·  8 days ago

Very useful information - I was wondering about it and now I know! Thanks!

53
  ·  8 days ago

Hello my dear friend ❤️
I am following your account every day { 🙏🤝 }
@haji

60
  ·  4 days ago

Interesting :) I'll go and look more into this info, then I'll know what I must think :)

50
  ·  8 days ago

Thank you for such cool tips, we really appreciate that! Upvoted and Resteemed

39
  ·  8 days ago

A little bit complicated :)

49
  ·  8 days ago

Some people are very proud because they remember the number π up to 10, 20, 50 characters... soon they will be defeated by the greatness of people who remember their Steemit passwords :D

32
  ·  8 days ago

What you actually need is a very secure password, and secure passwords are often very hard to remember. Probably you treat Steemit as another social media website, so you might be surprised, why your Facebook password is not strong and good enough. (BTW, I hope, that you do not use exactly the same password on all type of services - that is very dangerous!)

The reason why your password has to be so secure is simply because with this password you also manage all your funds. So your Steem password should be as hard to guess as your password to your bank account!

43
  ·  8 days ago

That's awesome. I think I might try this; being able to make a long password in mixed Igbo and English poetry would be nice. Good luck to Mr. Hacker :D

31
  ·  8 days ago

That's awesome.... meaningful info.. keep going up man

33
  ·  7 days ago

Setting your own password is a good idea, but we need to trust Steemit though. But a very informative article. Thanks for sharing it. Resteemed

34
  ·  7 days ago

I have upvoted and replied to your post, please visit me
Upvote, reply, follow and resteem when you work in Steemit, thanks a lot,
my id = https://steemit.com/@pranashroy

45
  ·  7 days ago

Thx @noisy for sharing.
I am also using a password manager like LastPass because it is free and works on both desktop and your phone.

67
  ·  6 days ago

Password Safe is also one good way to store passwords.

44
  ·  5 days ago

Thank you for sharing @noisy. I am from Aceh.

57
  ·  3 days ago

Congratulations @noisy! You have completed some achievement on Steemit and have been rewarded with new badge(s) :

Award for the total payout received

Click on any badge to view your own Board of Honor on SteemitBoard.
For more information about SteemitBoard, click here

If you no longer want to receive notifications, reply to this comment with the word STOP

By upvoting this notification, you can help all Steemit users. Learn how here!

50
  ·  8 days ago

Thanks for sharing @noisy, it's a very useful article. I enjoy it.

Let's visit my page if you aren't busy.