RE: New App to Secure Your Steem Account

in #steem, 8 years ago

Great work. All the terms sound too techie for me, but I will give the app a go. Any form of security is better than no security. One question though. When I registered for an account with Steemit, a very long, I mean Very Long, alpha-numeric password was generated for me. How is it possible that the hackers are able to guess the password and hack into my account within a short time frame? And can't they hack into Steem Pressure too? Thanks.

No one is going to guess the password Steemit made for you; however, that password is stored in your web browser making it vulnerable to XSS attacks (like has already happened) and any other attack which compromises your browser. A browser is a huge attack surface. Also, if Steemit.com's servers get hacked, they can be corrupted to steal your password as well. Browser plugins/extensions could steal your password too, etc, etc.

Steem Pressure is not built using web technologies, and does not run in a browser, so it's a very, very small attack surface. I am also well trained in software exploitation, and I take care in all of my software to ensure that I use secure coding practices and handle data safely. That being said, I'm only human and I can and do make mistakes, so it is possible that Steem Pressure could be hacked despite my best efforts, but doing this would be even more difficult and time-consuming than hacking Steemit's servers.

Attacking Steem Pressure is also comparatively low-reward, since an attacker would have to start over from scratch for each user he attacked, whereas if he compromised Steemit.com he'd get all the users who keep their passwords in the browser at once.

Steem Pressure is not built using web technologies, and does not run in a browser, so it's a very, very small attack surface.

This implies that Steem Pressure is never going to be turned into a browser plugin, right? I guess this would be good in terms of UX but it will make Steem Pressure less secure. Do I understand it correctly?
