RE: Offline Attack on Steem User Credentials

in #steem, 8 years ago

That's pretty terrifying, and it's a good job that you posted this... It hadn't occurred to me that of course hashed passwords are going to be freely available offline, because in using a web UI you're used to the assumptions of a traditional web model.

Good on you (assuming you did what you said) for just reassigning back to Steemit. Sounds like we do really need 2FA or generated-only passwords... It's a shame that browser tooling around SSL client certs is so user-unfriendly; having a client cert as a per-browser alternative to the generated password would be a good way of removing the usability barrier. Users would obviously still have to store their password, but they could use the installed client cert for day-to-day auth and just use the password for requesting new certs for new devices.
