How Steemit Generates Secure Random Passwords
Some users have expressed concern over how secure the random password generator is.
The foundation of our random password generator is the secure-random npm package. This package normalizes the behavior used by CryptoCoinJS and BitcoinJS.
We combine this with data unique to each browser / session including the date, screen resolution, and result of a quick performance benchmark. After all of this data is collected we hash it with sha256 to generate the password.
This means Steemit’s password generation algorithm is as secure as those of other platforms. In the future we will also add in entropy from mouse movements.
Sweet. This password business has definitely spooked a ton of users
That's for sure
The secure-random is designed to find window.crypto and use it (you guessed it, Internet Explorer does not use the standard location). This is an HTML spec for providing:
If the browser does not provide window.crypto, a key will not be generated. Because there have been poor implementations of window.crypto in the past (mostly as Bitcoin was coming of age), we do what most people do and combine the data with the other sources described above and hash it all together to create the key.
Steemit needs Two-factor.
I feel pretty safe after changing all my keys. I just use the posting key day to day, the active one very briefly when doing market transfers and will not have to touch my owner key password which is ridiculously long and random.
Maybe I'm fooling myself.. I don't know
I've never heard of basing data collected by mouse movement into generating a password. Including entropy....wow I'm actually mind blown.
Very good, my password is 32 characters.