RE: [SECURITY HOW-TO] How anyone can avoid losing access to their Steemit Account with LastPass and Duo

in #steemit, 8 years ago

@robrigo I'm concerned that by insisting people have huge/complex passwords for Steemit, they may simply be replacing the hacked passwords problem with a new one - lost/forgotten passwords.
My worry with using a third party password management service (online or in software) is that people's laptops die, or get stolen. Also, when people have huge passwords for certain services, some will end up emailing the passwords to themselves! It's also open to abuse via phishing scams.

I wish there was a way to have a 2 step verification process, or that STEEM accounts could only be accessed a limited number of times per day before going into a safe mode for 24 hours.

Very keen to hear your thoughts on all this.


@condra these are all real world concerns to have. Thanks for raising the question- I'll try my best to address it.

The onus is definitely on the user to understand the risks of using cryptocurrency and understand how to secure it properly. This can be a large burden for people, but it's important they make an honest effort to take the proper precautionary measures. The key is to strike a balance between security and usability. Password managers and out-of-band 2FA help to achieve this balance. There's actually an interesting research paper that concludes it is not worth it economically for users to try following the vast swathes of security advice, but this paper doesn't take into account the fact that password recovery mechanisms don't work for everything, such as services like LastPass and Steemit.

When you make a master passphrase for your password manager, you need to make an effort to change your behaviors to remember that. Like I said, store a copy of it written down in a safe. Or just brainwash yourself to remember it by typing it in over and over again. Like a muscle, remembering your passphrases can be viewed as something that needs to be trained. It's a skill that requires practice and diligence.

One benefit to LastPass is that your vault can be accessed from any device, making it convenient. But this property also means you should put 2FA in front of it, to stop attackers who are able to successfully guess your username and password for LastPass. By using a password manager, users don't actually have to remember the huge passwords. You let the extension do that lifting by "autofilling" the password into the correct forms. Once you have stored a site in LastPass, when you go to the login form for that site there should be an autofill icon to the right of the text input, which will detect the correct login to use for the site you're on based on the domain.

Also, by using 2FA on your password manager, you only have to 2FA the first time you log into it. Now, best practice would be to log out of the password manager when you are done using it, so it isn't left open, but that's up to you. This way, you don't need to 2FA every time you log into Steemit if you don't want to. I personally like to log out of my Steemit account when I'm not on it, as well as my LastPass account. This gives me the peace of mind that my accounts are not accessible by someone who has gained access to my laptop.

Oh man. Thanks for such a comprehensive answer. That's a whole post unto itself!

You're very welcome.

Someone tried to add me on Facebook today, using my friends name. They even chatted to me briefly before I busted them.
I've written an article about phishing and social engineering side of things, somewhat separate from password security.
https://steemit.com/steemit/@condra/public-wallets-and-the-target-on-your-back-original-article
Anyway, if you have anything to contribute in the comment section, I'll be sure to credit you in the article.
