Lost Password Recovery - Thank you to @ned @dan @arhag and The Steemit team.

in #steemit, 8 years ago (edited)

Losing your password has been an unrecoverable sin for cryptocurrency users. The root of the problem is that anyone with the power to reset your password also has the power to steal your account.

Steem's account recovery process can help you recover your account only if you know a password from the last 30 days. This helps if you forget the new password shortly after changing it, but it does not help in cases where your password is gone forever.

Proving a Negative

It is impossible to prove a negative. Namely, it is impossible to prove that you lost your password. All you can do is prove that you "didn't lose" your password.

One thing we do know is that the probability of a lost password increases with time. This means that in theory abandoned or inactive accounts are likely to be "lost" and the funds unrecoverable.

Identity Verification

Account recovery depends upon a second factor of identity verification. Typically this second factor is trusted by the account holder not to collude with a hacker, but is not trusted enough to have control over the funds. Furthermore, few organizations would want the liability of having the authority to reset your password.

Compromise

Allow your account recovery agent to request a change in account ownership after 60 days of inactivity with the active key. Once the request is made, the owner of the account has another 30 days to use their active key and "cancel" the request.

Any account can "opt-out" of password recovery which would disable this feature and make the account holder fully liable.

Security Analysis

Changing a lost owner key is the equivalent of the Recovery Agent hacking your owner key and then colluding with the hacker to change your account while denying you the ability to recover your account.

The recovery agent would have no opportunity to hack your account if you use your active key at least once every 60 days, and even if you lapse, you have 30 days to react to a corrupt recovery agent before any funds are at risk.

All told, if you lose your password and go through this process it will take 3 months to get your account back. For accounts with significant value / reputation it will clearly be worth the wait.
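The following Python model is an added illustration of the timelock described under "Compromise" and analysed under "Security Analysis"; it is not Steem's code and not from the proposal's authors. It assumes day-granularity time, that any use of the active key counts as activity and cancels a pending request, and that on a given day the owner's action is applied before the agent's. The constants follow the proposal: 60 days of inactivity before a request, then a 30-day cancellation window.

```python
"""Model of the deadman-switch account recovery flow (added example)."""
from dataclasses import dataclass
from typing import Optional, Set

INACTIVITY_DAYS = 60     # active key must be unused this long before an agent may request
CANCEL_WINDOW_DAYS = 30  # owner's window to cancel with the active key after a request


@dataclass
class Account:
    name: str
    recovery_agent: Optional[str]      # None means the account opted out of recovery
    last_active_day: int = 0           # last day the active key was used
    owner_key: str = "owner-key-original"
    pending_request: Optional[dict] = None   # {"agent", "day", "new_owner_key"}

    def use_active_key(self, day: int) -> None:
        """Any active-key transaction counts as activity and cancels a pending request."""
        self.last_active_day = day
        self.pending_request = None

    def opt_out(self) -> None:
        """Disable recovery entirely; the holder becomes fully liable for the key."""
        self.recovery_agent = None
        self.pending_request = None

    def request_recovery(self, agent: str, day: int, new_owner_key: str) -> bool:
        """Agent asks to change ownership; allowed only after INACTIVITY_DAYS of silence."""
        if self.recovery_agent is None or agent != self.recovery_agent:
            return False
        if self.pending_request is not None:
            return False
        if day - self.last_active_day < INACTIVITY_DAYS:
            return False
        self.pending_request = {"agent": agent, "day": day, "new_owner_key": new_owner_key}
        return True

    def finalize_recovery(self, day: int) -> bool:
        """Apply the pending request once the cancellation window has fully elapsed."""
        req = self.pending_request
        if req is None or day - req["day"] < CANCEL_WINDOW_DAYS:
            return False
        self.owner_key = req["new_owner_key"]
        self.pending_request = None
        self.last_active_day = day
        return True


def simulate(owner_activity_days: Set[int], horizon: int = 365,
             opted_out: bool = False) -> Optional[int]:
    """Run day by day with an agent that tries to request and finalize every day.

    Returns the day the agent's chosen owner key takes effect, or None if it never does.
    The agent being relentless is the worst case for a corrupt agent (assumption).
    """
    acct = Account("alice", None if opted_out else "agent")
    for day in range(horizon + 1):
        if day in owner_activity_days:
            acct.use_active_key(day)          # owner acts first on any given day
        acct.request_recovery("agent", day, "agent-chosen-key")
        if acct.finalize_recovery(day):
            return day
    return None


if __name__ == "__main__":
    # Constructed scenarios: password lost after day 0; owner active every 59 days;
    # owner notices a request late; account opted out.
    print("lost password, recovered on day:", simulate({0}))
    print("owner active every 59 days:", simulate(set(range(0, 400, 59))))
    print("owner cancels on day 75:", simulate({0, 75}))
    print("opted out:", simulate({0}, opted_out=True))
```

The first scenario shows the "3 months" figure: the earliest request is day 60 and the earliest ownership change is day 90. The second shows that an owner who touches the active key at least every 59 days never gives a corrupt agent an opening, and the third shows that a cancellation resets the clock, so the agent must wait another full 60 + 30 days.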

https://github.com/steemit/steem/issues/240

Thank you to @ned @dan @arhag and The Steemit team.

https://steemit.com/steem/@arhag/proposal-for-new-steem-feature-deadman-switch-will-recovering-accounts-from-lost-passwords
