Incorrect Password

in #steemit, 8 years ago (edited)


this is me right now


This post is to draw community attention to a black hole in how steemit recognizes people. I no longer have access to my account named @jlwkolb, and I don’t believe it is my fault. The bottom line is that I want my account back. I followed all recommended practices, including generating a very strong password and carefully storing it in a secure password keeper.

I hope that the steemit community can get behind me on this issue and put some pressure on those who run steemit to help find a resolution. I believe I will not be the last individual who will experience a technical issue not of their doing that prevents access to their account.

I have spent a lot of time trying to regain access to my account on my own. In the process, I have befriended individuals with significant technical knowledge of steemit and security in general.

The most helpful among them have told me that they have seen no holes in my approach to security or managing my passwords. In fact, they have praised me for my use of a strong password keeper, keepass, to generate and store passwords.

I joined steemit on July 7th at the suggestion of my friend @stellabelle. I made my password 16 characters as required. It worked fine for just over a week and then a hacker compromised steemit.com. Although my account was not hacked and my password still functioned, the steemit website instructed that I change my passwords. I did this on July 17th and again on July 19th, the second time being a result of worry that I had not made my passwords strong enough previously.

After these changes, I continued to access my @jlwkolb account without issues for two weeks. Anyone can verify this by perusing my posts and voting activity between July 17 and August 2. I was even able to transfer 7,000 steem dollars to @poloniex on July 25.

On July 25, I made a new account called @fairytalelife to re-brand to a name that is a little more memorable than @jlwkolb. At this time, @jlwkolb was working fine. I had been using @jlwkolb in the Safari browser so I decided to use @fairytalelife in Chrome. The motivation was that I wouldn’t need to log in and out of accounts on a single browser because @jlwkolb was still an active account at the time.

I never signed out of Safari except once when a browser crash did it for me around July 30. After the crash, I signed in normally with my posting key password from keepass and everything worked fine.

The trouble started when I tried to transfer steem dollars to poloniex on August 2. Suddenly I was prompted to enter my active password. To my recollection, this step was not required when I transferred the 7,000 steem dollars on July 25. But I thought to myself, “no problem, I’ll go to my keepass account and put it in.”

Incorrect Password.

Oh no!

I tried the posting key password once again. It had worked before, so I thought it should work again.

Incorrect password.

Now it seems I am locked out of my account.

What? Nooo! Go back! Go back!

My active password doesn’t work. Incorrect Password. My posting password doesn’t work. Incorrect password. The owner password doesn’t work. Incorrect password.

Now I’m nervous. I have about $23K worth of steem power in my account. And now I’m out of luck? I did everything right. I wrote down my passwords both in a secret notebook and stored them in keepass.

I tried account recovery.

Password not used within 30 days.

It hasn’t even been 30 days! I joined July 7th!

I now have to accept that my account is frozen and I am unable to access it with a password lost forever in the blockchain?

After the above-mentioned hack, everyone was assured that their accounts would be returned to them. It may have taken a while, but I know all accounts were recovered and reimbursed, including @ned, @dan, @dantheman, @bitcube, @stan, @stellabelle, @norbu, @wingz, @rok-sivante to name a few. The expertise I have consulted told me also that, before steemit, account recovery in crypto was unprecedented. The size of some of the accounts lost in the hack meant that new policies would need to be written.

I think it’s good to have victims with enormous pockets so this kind of helpful precedent does get written from time to time. I get it.

But I also think that less wealthy victims are worthy of the same types of consideration. $23K may not be big money to many who read this article. But as a mother trying to raise four teenagers, it is a lot to lose because of a technical error—a technical error that neither I, nor anyone else I have consulted, can determine is my fault.

I love the work I do here on steemit, the new friends I make, and the vibrant community of talent. I interact daily with the community and contribute content that I feel adds value to the steemit ecosystem. But I can’t let go of the rewards I worked so hard for without a fight.

Although the financial aspect of the rewards is terribly important to me, no feeling on earth comes close to being fairly compensated for the work I do. In a way, I fight most of all for these feelings of appreciation and justice.

Of course I will continue contributing to this social experiment that I see profoundly changing lives. But like anyone, I also need access to the funds I have earned because I have bills to pay. I seem to be locked from my account because the high security passwords I created and saved suddenly stopped working. I believe this is a machine error that had something to do with how the steemit website worked when I set my passwords after the website got hacked.

Machines have their place but they are no substitute for people. Sometimes humans need to intervene to help other humans rather than relying on some sterile mechanism of technology. We can’t just shrug our shoulders when someone on our team is locked out of an account through no fault of their own.

There must be a way to unlock my account through human intervention. Nothing is impossible—inconvenient, maybe—but not impossible. I understand that steemit wants wrongful transfer of an account to be difficult and to minimize the workload when users casually forget passwords.

But I have not been careless or foolish. I had everything covered according to best practices. After the hack, I downloaded keepass and changed all my passwords. I wrote them down in my secret notebook. I copied them in secure files on my hard drive.

A glitch in the system must have happened when the user interface was changed, and now it seems I’m out of luck. Incorrect password? I don’t buy that. With all the skills in the steemit arena, someone must be able to authenticate me. @jlwkolb is my account. I can prove with government issued documentation that I am the person in the pictures and have lived the life described in the posts. Aliens have not dropped a bodysnatcher to impersonate me. This work has never been posted anywhere online before.

The posts in the account and the rewards they earned are the result of my hard work—and now I must accept that my efforts are lost forever?

Illustration © Johanna Westerman 2016


You may have tried this already but I'll explain an option just in case.

Unless you're trying to verify a transfer, when logging in with your active key you need to use "jlwkolb/active" as your username in the login dialog.

Also please take into account that there's a bug related to the "remember me" button, which makes it so that if you click it after having entered your username you will need to re-enter your username. Even though the input field still shows your username, the code no longer knows it (this is the bug).

@rainman coming in with the signature alley-oop helpful tip of the day wooo. i def have experienced that remember me issue before as well.

The account owner authority on the account was updated twice, which means you may have up to 3 passwords which could be used for recovery. Any owner key or owner key password going as far back as July 14th would allow you to recover the account through the account recovery form.

Last I heard, you were looking for your original signup password. Have you had any luck finding it?


If none of your passwords work:

  1. How did you generate each one?
  2. Are there any passwords you set by typing in manually?

If you entered in any passwords by hand (i.e. without copy and paste), it's very easy to be off by a character. If it was written down, it's very likely at least one letter was written (or read) incorrectly. If that's the case, the good news is that it may be possible to brute-force. If you know that one of your passwords is off by no more than 1 or 2 characters, a trusted programmer can help you brute force the password.


Please note, the fact that there are any recovery tools on the STEEM blockchain is a big step forward. This is what can happen in the blockchain world when you lose your private keys: $7.5M Bitcoin fortune buried in landfill. This unforgiving rigidness may be alarming for the average user, but it must be carefully balanced with censorship resistance, because the power to recover is the power to control. So it is important to be very conservative in this respect, though I do expect the team to keep making strides in recovery methods.

There are two possible problems:

  1. your password manager messed up (has happened to me before)
  2. something on our side changed that is causing it to not derive your keys

Assuming you have your passwords then we should be able to fix any bug with deriving the keys.

Future Password Recovery Options

We recognize that people are used to being able to recover their passwords when they are lost. People who are used to cryptocurrency know that this isn't normally possible. We have a proposed solution to this here:

https://github.com/steemit/steem/issues/240

Unfortunately, it will probably be opt-in which means this future solution may not be able to help you.

You can contact me, dan at steemit.com, and I will try to get to the bottom of things.
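Added example (not part of the original thread, and not Steemit's own code): how a password turns into per-role keys, and how to tell a master password from a WIF private key or a mistyped one. It assumes the derivation used by Steem client libraries such as steem-js (SHA-256 over account name + role + password with whitespace collapsed, encoded as WIF); the account `alice` and the password are constructed.

```python
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58encode(raw: bytes) -> str:
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\0"))) + out

def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        n = n * 58 + B58.index(ch)  # ValueError if ch is not a base58 character
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\0" * (len(text) - len(text.lstrip("1"))) + body

def checksum(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def derive_wif(account: str, role: str, password: str) -> str:
    """Assumed scheme: key = SHA-256(account + role + password), WIF-encoded."""
    seed = " ".join(re.split(r"[\t\n\v\f\r ]+", (account + role + password).strip()))
    payload = b"\x80" + hashlib.sha256(seed.encode()).digest()
    return b58encode(payload + checksum(payload))

def classify(credential: str) -> str:
    """'wif' = valid private key, 'wif-bad-checksum' = likely typo, else 'password'."""
    try:
        raw = b58decode(credential.strip())
    except ValueError:
        return "password"
    if len(raw) != 37 or raw[0] != 0x80:
        return "password"
    return "wif" if checksum(raw[:33]) == raw[33:] else "wif-bad-checksum"

def signing_key(account: str, role: str, credential: str) -> str:
    """Key a client would end up using for this login attempt."""
    kind = classify(credential)
    if kind == "wif-bad-checksum":
        raise ValueError("looks like a private key with a transcription error")
    return credential.strip() if kind == "wif" else derive_wif(account, role, credential)

if __name__ == "__main__":
    pw = "P5constructed-example-password"  # constructed sample, not a real credential
    for role in ("owner", "active", "posting"):
        print(role, derive_wif("alice", role, pw))
```

Because the account name and role are part of the seed, the same password yields a different key for every role and every account, and a single wrong character in a password silently produces an unrelated key rather than an error.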

Has Steem recently started sanitizing username/password inputs in a way different than before the hack?..

Just a thought.

I hope that this can be resolved. $23K is definitely not a little loss.

I wonder if @dan and @ned have considered another way of logging in and confirming withdrawals that could be both secure and user friendly.

Any chance that if they used the same exact password to create the new account, that they may have generated the same public / private keys as their first account uses, effectively nullifying that old account? I remember one other user a month or so ago had the same issue as this person: everything worked fine, until they created a new secondary account. I think I recall that other user said they used the same password.

I hope that in the future there is a better option to recover a lost password

@fairytalelife Very sorry to hear of your problem. I think I had the same issue that you are experiencing. Shortly after the updating of the site after the hack, my password became ineffective. I reached out to @pfunk on slack and he walked me through how to recover access to my account. I was quite technical and I had to use one of @xeroc's new tools to enter my password and have it produce the associated keys for entry... For some reason the password would not work, but the keys were there and worked perfectly! Big thanks to @pfunk! I'm thinking that you have the same issue. I know the very minimum of the technical stuff, but if you want to jump in SteemChat and send me a DM maybe we can get @pfunk to walk you through the same process. Meanwhile I will try to find the notes I took and post them.

EDIT: I just sent a DM to @pfunk. Hopefully he will see this post and confirm if it is the same issue.

EDIT: If I'm not mistaken, this is the tool that we used to resolve the issue (thanks @xeroc ):
https://steemit.com/steem/@xeroc/paperwallet-easily-secure-your-account-with-steem-paperwallet-generator

I had nearly the exact same experience. There must be some kind of bug. I created a pseudonymous account using a Reddit login. A couple of days later I created this account from which I am posting now using a Facebook login. All worked fine for a couple of days. And then suddenly it started telling me Incorrect Password on my first account. I KNOW I'm using the right password. Like you I saved it in a password keeper. Plus I memorized it.

There has to be some type of bug when people register multiple accounts from the same computer.

Anyway, if you figure it out, please let me know. I will do the same.

My similar experience happened with only one registered account on Steemit

The post title is just begging me to do this, I can't help it.

Brilliant! I have to go change all my passwords to this right away.

PS Don't tell anyone I'm changing my password to this... It's our little secret.

Quick question... the active password you're using... what does it look like? Does it begin with the letters 5K, or is it P something (like the ones generated by the site)... or is it one you made up yourself? I think I know what the problem is and it's fixable with the CLI wallet. To make sure I understand though, none of the PWs you have even work to log in?

Further explanation?

I've had this happen at other sites to me, but they all allowed me to change the password as long as I could authenticate (verify) that I'm the owner of the email that was used to sign-up for the account in question.

I too use KeePass (KP) and write the password details down, triple and quadruple checking to make sure that I write them down correctly and that the password stored in KP is the one that's stored with the site as the password being used with my account, so I knew for a fact that I wasn't in the wrong in all cases.

I really hope that you find a resolution that will at least get your monies back.

I think something like a "2 factor verification" like Coinbase uses would work perfectly for Steemit. Make it so that you have to verify both that you own the email associated with the account and the phone that is associated with it (by texting the big string of numbers that they send to that email in order to verify your identity). I don't know how something like this could be coded into Steemit, or if it can even be done, but I know for sure that it would give Steemit users much greater peace of mind knowing that they have that as an option if the shit hits the fan.

I don't think that it's too much to ask from the developers that there should be some type of fail-safe built into the system of users and passwords, just in case something like what's happened to you occurs. Based on my experience, these weird kind of situations pop up a whole lot more than we'd like to believe that they should (ideally, never), so it only makes sense to have that fail-safe, especially with such high investments being placed into this and what we all hope to be future investors with big pockets.

Very much agreed. I can't believe they don't have a 2FA system in place. I'm new here and have been reading all this. Makes me wonder.

It is a sad story. But I see that the community is listening and changing.
